Wednesday, August 19, 2015

Telco security in Canada

This morning, I was checking up on some old security holes, just to see if any had been patched or not.  I looked at Rogers and I looked at Bell Canada.  Usually, not much changes, but this morning I noted that both had tackled some very low-hanging security fruit.

It may be coincidence that they both did this around the same time.  It may also be a case of one noticed that the other had "upped their game" and followed suit.  Either way, both of these flaws were schoolboy errors that allowed someone to start poking around in areas where the general public shouldn't be.

In the case of Rogers, you could access network infrastructure information that wasn't for public consumption.  In the case of Bell Canada, you could see what their PR machine was going to announce before they announced it.  After a little more poking around, I discovered Rogers still had a hole, so I've reached out for them to contact me and I'll re-explain it to them.

Now, here's the kicker:  Both holes are visible in Google's caching mechanism, meaning you don't need to even touch or access their networks.  You just wait for Google's bots to crawl through the holes and report to Google what it found, then you just go and read it on Google where it's all spat out for all and sundry to see (if you know what to look for).

As you can see, this is schoolboy level stuff.  Luckily, in either case, it wasn't spewing out customer data - but each flaw does point to a bigger problem with security...

In Rogers' case, it's usually that unless something involves billing or customer-facing sales, websites and portals become neglected and forgotten - at which point security moves on and certain Rogers sites become relics of the past which are prime targets for problems like this.

In Bell Canada's case, their security problem is that they parade around saying how safe they are, pointing at firewalls and technological expenditures and monitoring equipment, then undermine all this with policy.  As I've said before, Bell can add as many guns as it thinks it needs to the decks of its battleship, but it doesn't make the blindest bit of difference to fixing the existing hole below the waterline.

Further, their myopic legal stance, paraphrased, is basically that if you report something to them that you shouldn't know, they'll respond as though you perpetrated the crime.  This is analogous to being on one side of the street, noticing a burglar breaking into a house on the other side and running off with the TV, then getting arrested when you tell people you know the TV is missing.

This is what led to the rather silly situation with Bell Canada where nobody tells them what the specifics of their problems are, which reinforces Bell's notion of "Absence of evidence is evidence of absence" where security holes are concerned.  Meanwhile, crooks can run with compromised customer accounts that can't be reported.

So, in conclusion, whilst it's nice to see small incremental changes in security happening at Canada's two major telcos, there are still bigger issues at play.



Tuesday, July 21, 2015

The Hymn Of Axciom

Today, I was looking again at another runaway data leak, which I am pretty sure originates within Bell Canada, but in order to know that for certain,  I have been tracing the source of the data through many different links in the chain through the usual methods of poking privacy departments, legal teams, etc, for the better part of the last month.

Today, that chain exited Canada as the last privacy team handed over the name of the next team I would be talking to. This turned out to be Axciom, in North Little Rock, Arkansas.

If you've not heard of this company, you should go and research them.  This is a large data company whose practices get questioned a lot by privacy advocates.  So much so, there is even a song about them called "The Hymn of Axciom"...

Check it out.



Tuesday, June 30, 2015

IVR Security Hole Redux with CIBC

In January, I was dealing with the bank CIBC over an issue with their IVR system.

To recap, there was a problem with their automated system, where it would call and ask the person who picked up my phone to "press 1" if they were me.  If someone presses 1, the bank would then fail to verify if I'm actually me, or the cleaner, the child-care assistant or the robber that just stole my phone and would rattle off what I consider to be personal information.

Obviously, I wasn't happy about that security hole as I had reported it in early-2014.

Eventually, a dialogue opened up with the bank (after I complained the hole had been there for 9 months since I first reported it) in January 2015, and eventually the solution was rather than fix the issue for everyone the bank would unsubscribe me from it.  This meant I was at least protected, even if nobody else was.

Six months have now passed and CIBC has reversed this security fix and the system called me again today.

Seriously...


Saturday, June 13, 2015

Programmers and Interruptions

As a programmer, the single biggest problem I face is the interruption.  Whilst I can joke and empathise with other programmers about this, it's something that non-programmers don't understand. There's a well-worn cartoon in programming circles that I will share here, just in case you haven't seen it.



The point of the cartoon isn't lost on anyone, but what is lost on non-programmers is the time span that this may have taken place over.  For an average programmer on an average job, you're probably looking at 10-20 minutes.  For a programmer working on a really complicated system, this can be several hours.  Additionally, the mental workload involved can be draining enough that if this happens, say, three times in a day, the entire day can be written off. 

But what's going on here?

The crux of the problem starts with the differences between knowledge workers and non-knowledge workers.  Most people, regardless of status in the workplace, will work on a schedule where you focus on something, get interrupted, switch focus until interrupted again.  It's all about prioritising what is most important and getting these things off your plate as quickly as possible.  You hear managers complain that they never get anything done because their day is full of interruptions, but really that is their schedule - it's just a series of interruptions and the only thing they have to worry about is what interruption is coming next.

This means when a manager/house-buddy/spouse walks up to a programmer and asks them "a quick question", they assume the amount of time expended by the interrupted is the same as the amount of time spent by the interrupter.  However, this is not the case...

First, let's introduce the programmer's mental stack.  It's analogous to this receipt spike:


With a receipt spike, the first item on the spike is the last one to come off.  This spike is known in computer terms as a "stack", but it's the same thing.  For a programmer, the first item (so at the bottom) on the stack is what we are trying to accomplish (fixing a bug, writing a feature, etc).  Then we push onto the stack the next pieces of the puzzle.  

A real-life example of what I am talking about...  This is one I had today (remember, it's in reverse order, so start at the bottom); it took about 45 minutes:
  • Trace in my head the flow of the header packets that precede the payload packets to make sure this is the best way of doing things.
  • Double-check logic for endian-ness incompatibility.
  • Packets in wrong order still, so add stuff for that.
  • Rejig classes X1, Y1 and add new functionality to classes X2 and Y2 all in my head.
  • Build packet model in my head.
  • Refresh my head on how the packets are structured. 
  • Looks like a packet issue - maybe if I remodel how I'm dealing with the packets... 
  • Let's trace the code in scenario B and compare to what we just learned in scenario A.
  • Let's trace the code in scenario A to see precisely what's going on.
  • It fails in scenario B - must fix scenario B. 
  • It works in scenario A 
  • The device does not behave how I expected it to.
  • There's a bug in my iOS Bluetooth code - must fix it.


Obviously, this is all done mentally in my head, and I'm tracking what changes I haven't yet done as well as concentrating on the actual task I'm working on at this precise moment, whilst making sure to balance the stack in my head so when I finish each task, I can go back to the task I was working on before.  When doing this, I'm not typing a single line of code.  I'm staring at a picture on the wall - probably not even taking in what my eyes are seeing - and my ears hear stuff, but I'm not actually listening.  I've likely got headphones on, just to drown out the things like talking that are happening around me, so I don't lose focus.

This is the moment when people say "Oh, as you're not busy right now, can I just ask a quick question" and then wonder why I'm annoyed.  As the person is still talking to me, my head is scrambling to work out how I'm going to recover from this as I still have about 3/4 of the stack in my head.  As I'm being asked if this was a bad time, my anxiety level is skyrocketing as I try to cling on to what I learned in tracing scenario A in that stack above... Was it header packet 0x02 that had the payload size 0x0400?  Must remember 400... no, it's not 400 as the bytes need to be swapped so 0400 is really 0004...   At this point, I must answer the question I'm being asked - so blurt it out - 4... must remember 4... what packet was that on again? 2? Was that in scenario A? Or B?

Now panic sets in...  If I can't remember whether the payload size 400... no... 4... is the right one or the wrong one, I need to go back and look at that again, which means we're now into another 30 minutes of building up the model in my head again.  Having answered the question, I'm staring at my screen and quickly trying to refresh my head.  This is when you hear the dreaded words "Before you get too engrossed again, can you just...."

Aargh!

Now, I can get back to work in a minute or two if I'm doing something trivial.  However, if I'm working on a really complicated issue (such as the above Bluetooth stack), then it's not uncommon for me to take 30 minutes or longer to get things straight from a cold start.  Really big issues can take 90 minutes to get my mental cache loaded up with the model of what I'm doing and how I'm doing it, plus all the states memorised as to what it's doing right now. 

And I'm not alone... There's a study (see here) that measured the edit lag (how long it takes between an interruption and starting to type again) over 10,000 programming sessions.  The result looks like this...



As you can see it takes a while to get back into things.

There is a retort from some managers (or other house guests if working from home) that we need to "learn to handle interruptions better".  This is just throwing fuel onto the fire as a knowledge worker is busy using concentration and focus to perform a task and interruptions cause a break in this focus, making the comment analogous to tripping up a footballer and telling them that they need to handle unplanned obstacles better.

One last thing I'll leave you with:  Never interrupt a programmer chatting to a rubber duck to ask them what they're doing.  



Thursday, June 11, 2015

A simple RAT C2 experiment...

This morning I was reading a security article in this tweet...

As a quick test for my own sanity, I logged into one of my banks, located somewhere that I could put some freeform text between two delimiters and plant a temporary dummy RAT payload, just to see if the bank filters out the really obvious stuff (like a plain-text IP address, for instance).  

It turns out this bank doesn't.  

Further, I realised this bank also gives me the ability to select from a list of banks, so you can further split things up into command (between the hyphens) and payload (between the "DELIM" text).   


Whilst an encoded command would be more difficult to detect (see above article), you'd think they'd regex out IP addresses or anything beginning with "http"...  This is a bank after all and freeform text is bad design in this security context.

To recap what happened here: I just discovered you can leverage millions of dollars of infrastructure behind state-of-the-art security technology, to plant freeform text that can be used to morph a bank into a C2 server. 

Now just let that sink in for a moment.  Yikes!


Tuesday, May 26, 2015

Solving Visual Studio DEP0700 Error Under Parallels

Today I ran into a problem where I was using Windows 8.1 under Parallels for Mac, and I created a brand new Visual Studio project.  Just to make sure everything worked fine, I hit "Run" and went head-first into an error DEP0700.

This is a frustrating error as it's (by design) trying to stop you from running a project whose output is on a network share when in "Local Machine" mode, but of course, it has no idea that this network share is actually on your local machine in the first place, as a result of running in Parallels.

The simple solution is therefore to tell Visual Studio to run the solution on a remote machine, then set the name of the remote machine to "localhost". 



Easy fix to an annoying problem. 


Sunday, May 24, 2015

The Price Of Rushed Software For Apple Watch...

See bottom of article for June 25, 2015 Update

The Apple watch has caused a flurry of apps to be quickly updated to support it, sometimes successfully, and other times it would appear that it was done as part of a "look at us too" campaign by some companies shoe-horning their app onto the device.  With the rush to get software out, I am seeing some mistakes slipping through the QA systems of certain apps.  

Recently, I was contacted by one of my banks about a customer service issue, and as I sometimes do with that bank when they reach out to me, I pulled a single item off my pile of security issues and threw them a bonus bone to chew on.  (If they go to the trouble of reaching out to me, the least I can do is give them something to make themselves safer).

I raised this issue with the bank, who accidentally left "Backdoor" (their term, not mine) URLs for the iPad and iPhone in the localization strings under the WatchKit Extension for their app. 

Personally, I don't run this bank's app, but given my history in Canadian mobile banking (I've still got code in the Canadian retail banking pipeline that won't see light of day until 2016 or 2017 in everything from location services, to photo cheque deposit anti-fraud), I do keep an eye on this bank's mobile software to remain aware of the industry. 


Just to clarify for the legally minded, this isn't hacking/reverse-engineering/etc ... Hacking means breaking in or causing software to be coerced into doing something unintended, and reverse-engineering means taking software and getting back to the source to work out how something is done.  In this case, you don't need to even open/run the app, or perform any reverse-engineering...  As this information is left open, you just download the app from the Apple App Store, then open it up in Finder on a Mac and start reading what was left unprotected.  This is no more "hacking or reverse engineering" than reading the pages in a book is "reverse engineering that book".

The bank in question here can easily say "this posed no threat to our operations or customers" and they'd be totally correct... in the same way that leaving a million dollars on the sidewalk or having the entire CxO team dance naked down Bay Street would have little impact on customer privacy or be detrimental to operations - however it's still not something anyone should do willingly.  

What it does point to is a botched rollout where technical mistakes were pushed through to meet management deadlines.  Here are three reasons that led me to this conclusion.

First, URLs in a bank app shouldn't be public.  As a bank, they're just asking for trouble when script-kiddies find this kind of stuff.   The URLs should be inside the app itself, where no class dumping tools can get to the strings (because they'd be encrypted, but whoever approved this from a security standpoint didn't understand that point when it was OK'd).

Second, from an architectural standpoint, this makes no sense as the iPad and iPhone URLs don't belong in the WatchKit extension (the iPhone/iPad does the internet stuff, not the Watch). At first glance, this looks like a schoolboy error in cut & paste coding.

Third, from a technical standpoint, this is sheer lunacy;  URLs don't belong in the localization strings file because you plug in the parameters of the language at runtime, not hardcode the URLs to the UI localization.

What we can do is take the information that the bank provided and show what they should have done if they were doing this properly.  They should have created a function like this for the "Registration" URL, and buried that in the app itself.

-(NSString*) getLocalisedRegistrationURL {
    // The template lives in the binary, not in a .strings file; the locale is
    // substituted into its %@ placeholder at runtime.
    NSString *URLTemplate = @"/olbtxn/registration/Registration.cibc?register=initRegistration&visitorId=native&locale=%@";
    NSString *locale = [[NSLocale currentLocale] localeIdentifier];
    // Use the template as the format string so %@ is actually replaced,
    // rather than appending the locale after a literal "%@".
    return [NSString stringWithFormat:URLTemplate, locale];
}

...then repeat this process for any other URLs that must be localised.  That's what should have been done.
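The flip side of burying URLs in the binary is checking that none are left in the localization tables before a build ships.  As an added example (my code, not the bank's app or anything from Apple), here is a small Python auditor that parses a .strings file in the usual `"key" = "value";` syntax and flags values that look like endpoints: absolute URLs, server paths with a query string, or IPv4 literals.  The sample file, its keys and hosts are constructed; only the registration path is the one quoted above.

```python
"""Flag endpoint-looking values in an iOS .strings file (added example)."""
import re
from typing import Dict, List, Tuple

# One token at a time: either a /* block comment */ or a `"key" = "value";`
# entry. The entry alternative is tried at every opening quote, so a "//"
# inside a quoted URL is never mistaken for the start of a comment.
_TOKEN_RE = re.compile(
    r'(?P<comment>/\*.*?\*/)'
    r'|"(?P<key>(?:[^"\\]|\\.)*)"\s*=\s*"(?P<value>(?:[^"\\]|\\.)*)"\s*;',
    re.S,
)
_ESCAPES = {'"': '"', "\\": "\\", "n": "\n", "t": "\t"}

# Heuristics for "this is an endpoint, not user-facing text".
_URL_RE = re.compile(r'(?i)\b(?:https?|wss?)://[^\s"]+')
_PATH_RE = re.compile(r"^/[\w.~-]+(?:/[\w.~-]+)*(?:\?\S*)?$")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _unescape(s: str) -> str:
    """Undo the backslash escapes allowed inside a .strings literal."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), s)


def parse_strings(text: str) -> Dict[str, str]:
    """Parse decoded .strings text into {key: value}.

    Real Localizable.strings files are often UTF-16; decode before calling.
    """
    entries: Dict[str, str] = {}
    for m in _TOKEN_RE.finditer(text):
        if m.group("comment") is None:
            entries[_unescape(m.group("key"))] = _unescape(m.group("value"))
    return entries


def classify(value: str) -> List[str]:
    """Return why a value looks like an endpoint; an empty list means it is clean."""
    reasons = []
    if _URL_RE.search(value):
        reasons.append("absolute URL")
    if _PATH_RE.match(value):
        reasons.append("server path")
    if _IPV4_RE.search(value):
        reasons.append("IPv4 literal")
    return reasons


def audit_strings(text: str) -> List[Tuple[str, str, List[str]]]:
    """Every (key, value, reasons) entry that should not ship in a .strings file."""
    findings = []
    for key, value in parse_strings(text).items():
        reasons = classify(value)
        if reasons:
            findings.append((key, value, reasons))
    return findings


# Constructed sample: keys and hosts are made up; the registration path is the
# one quoted in the post. 192.0.2.10 and example.invalid are reserved
# documentation values, not real infrastructure.
SAMPLE = r'''
/* Ordinary UI text, which should pass. */
"balance_title" = "Account balance";
"quote_text" = "She said \"hello\" and left";
/* Endpoints that do not belong in a localisation table. */
"BD_registration_url" = "/olbtxn/registration/Registration.cibc?register=initRegistration&visitorId=native&locale=en_CA";
"BD_login_host" = "https://example.invalid/api/v2/login";
"debug_note" = "Point the build at 192.0.2.10 for testing";
'''

if __name__ == "__main__":
    for key, value, reasons in audit_strings(SAMPLE):
        print(f"{key}: {', '.join(reasons)} -> {value}")
```

Run it over every .strings file in the built .app bundle as a release gate; any finding is a string that belongs in code, not in a table anyone can read from Finder.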


Now, having said all the above, we can also take a step back from the technical lunacy and architectural nonsense, and ask if this was actually done deliberately.  

In my mind, this is the more likely scenario... 

In the above links there are instances of what appears to be a possible smoking gun in the form of "visitorId=native".  This gives the impression that under the hood, the app is doing a popular trick in the form of substituting the token flag word "native" for the value returned by identifierForVendor, which allows the bank to identify your device and track you, meaning that the URL is actually very likely being processed further in the app to do substitutions on the URL string. 

This obviously begs the question as to why they didn't substitute the locale when they've had every opportunity to do so?

I think the answer to this question would be that this is a somewhat ham-fisted attempt at casting the possible ISO locale values to force them to either "en_CA" or "fr_CA" because the backend servers don't have any idea what to do with en_US/en_UK, fr_FR, etc.

As you can guess, this problem is also easily solved... if the French language is not the user's primary language, cast the result to Canadian English:

-(NSString*) getEnglishOrFrenchLanguage {
    // The user's first preferred language may be a bare code ("fr") or a
    // tagged one ("fr-CA"), so test the prefix rather than the whole string;
    // firstObject avoids a crash if the list is ever empty.
    if([[[NSLocale preferredLanguages] firstObject] hasPrefix:@"fr"]) {
        return @"fr_CA";
    } else {
        return @"en_CA";
    }
}

At this point, we've drawn two boxes around two mistakes, been given the preferred tracking mechanism and uncovered what looks like the hallmarks of a rushed rollout that at first glance looks like a schoolboy error and then later looks like back-end issues are being ham-fisted quickly to make deadlines... 

...all for the sake of seven lines of code.


Update - Jun 25, 2015

So the bank said that they would update the app to remove the backdoor URLs.  This week, I noticed that they have updated the app.  I took a look to see if they had removed them as they'd said they would.

This is what I found:


Yes, the word "Backdoor" has been replaced with "BD"...  

*face palm*




Getting Live Environment Canada Weather Using PHP

The other day a little project I had running at home required some live weather data... Nothing fancy, just the current temperature, condition and a quick blurb for the forecast.

I had a number of ways I could've done this, but I chose to do this in PHP (for me, it was just a process that would run and put these three items somewhere else, so nothing major necessary).

The PHP code is here, just in case anyone else needs to do this.

<?php

$weatherXML = getLiveWeatherXML();
if ($weatherXML === false) {
    die("Could not fetch the weather feed\n");
}

$toronto = simplexml_load_string($weatherXML);
if ($toronto === false) {
    die("Could not parse the weather XML\n");
}

// Cast the SimpleXMLElement nodes to plain strings so the values survive
// being stored or serialised elsewhere.
$currentCondition = (string) $toronto->currentConditions->condition;
$currentTemperature = (string) $toronto->currentConditions->temperature;
$forecastCondition = (string) $toronto->forecastGroup->forecast->textSummary;

$arrayData = array(
    array('CURRCONDITION' => $currentCondition),
    array('CURRTEMP' => $currentTemperature),
    array('FORECAST' => $forecastCondition),
);

//Do what you want with the array here...


// Fetch the Environment Canada city page feed; returns false on failure.
function getLiveWeatherXML() {
    return file_get_contents("http://dd.weather.gc.ca/citypage_weather/xml/ON/s0000458_e.xml");
}

?>

Friday, May 8, 2015

CIBC Reference Number Logic - An Update

Last Saturday, I had a showdown with CIBC staff over a situation that got out of hand and today I'd like to present an update.  You can read about it in full here, but the core point of the story is that CIBC were trying to harass me for money that I had every reason to believe they already had in their possession, and their tactic was to try and put the burden of proof on the customer to prove it.  They even tried to get information about other bank accounts, which I'm pretty sure is overstepping the proper bounds of privacy.

As experience has taught me that CIBC is prone to this type of cock-up, I refused to change my stance and it was left with me telling the horrible lady at CIBC that I was doing nothing further, until they call me back on Monday or Tuesday to confirm that there really was a problem because I don't believe them.

Guess what?  CIBC never called back.  

Today I decided to just double-check and see what CIBC was saying now.

Here's the chart from the credit account.  CIBC shows that they had the money one day before they called me, which proves that I was totally correct in my assumption that customer service was just being unreasonable yet again.




  

Conclusion
I'd like to be surprised, but I'm not.  

When you understand the clearing process within banks, it becomes very apparent that the people trying to squeeze money out of me in the face of the evidence presented to them have not been adequately trained on these same cycles.  


Saturday, May 2, 2015

CIBC and Reference Numbers Logic

Had an interesting run-in with CIBC today.    

The phone rings at 4pm on Saturday afternoon, just as I’m getting the kids down for an afternoon nap.  I’m sitting next to the kids, and thanks to the wonders of iOS 8, even though the phone has been silenced, the laptop I’m using suddenly rings.  The kids wake up and I swear like a sailor.

I call back the number after re-settling the kids.  It’s CIBC.  Their phone system says it doesn’t know my phone number and so I have to punch it in.  After a wait of about 3 minutes, a woman answers the phone.  After she confirms my identity, I am informed that she has no idea why I’ve called or why they called to begin with.

What?  

I ask her to put a note on file that I don’t like being called for no reason.  After about another 30 seconds she magically finds the reason they called.  They’re looking for a credit card payment.  

Luckily, my wife had sent the payment they were looking for from TD Bank on the previous Wednesday, so I told CIBC this is just a case of another call from CIBC looking for money that is likely already in their system.  They asked for the reference number, so we gave it to her.  

If you’re not familiar with how Canadian banks work, the worst case is a Canadian tier one bank will take a full working day to process an electronic payment request, so that means TD may have processed it after close of business on Thursday and CIBC would have received it on Friday, so CIBC would process it Friday night.  Unfortunately, this is a Saturday, so it is very highly probable that because CIBC's computers don’t appear to work on weekends, it’s not going to show up on their ledger until Monday morning even if it was already at CIBC.  

I was quite confident that telling CIBC the circumstances would be the end of this.  Unless they’ve some distrust that I don’t know about with other Canadian financial institutions, you’d think that dates and reference numbers of payments would be sufficient proof of payment. After all, why give them out if they're not the equivalent of a receipt?  Next, CIBC then asked for the last 4 digits of my wife’s TD bank account.  

Hell no.  

This is the Bell Canada of banking, and they obviously thought I'd not been poked with the CIBC stick enough.  The lady went on to put the burden of payment on the customer.  Apparently, we customers are now responsible for finding out why CIBC couldn’t see the money.  

I pushed back (I’m not a bank).  
CIBC pushed again.
I asked three times to be escalated.
After not being escalated my patience ran out.  It’s hard to resolve a situation when one party isn’t listening.

Then I finally got escalated.

The new lady that took over also tried to put the burden back on me to find out why my wife’s bank had not sent money from TD.  As things got more heated, she was stating that CIBC as a financial institution cannot do traces on payments initiated by another bank.   The conversation then went like this:

CIBC:  And I’d like to just remind you sir that this conversation is being recorded.
ME:  Good, because I’d love to know why the last lady just asked about the bank account digits at TD?
CIBC:  Err. What? We just told you we can’t trace payments at another institution.
ME: So why the hell are you asking for information that you’re now claiming is of no use to you?  Something is fishy here!

It ended with me irately telling them to check their reports on Monday as there’s sweet nothing that I can do this late on a Saturday.

Conclusion
I’ve stated numerous times that the trust level between CIBC and me is very, very low.  The legitimacy of anything that I hear from them is constantly eroded by foul-ups, conflicting information and a continued sense that they’re just screwing me over.  Today was just another episode in a long and painful journey.

Look at the straight facts of what can happen:
  • CIBC will ask you for reference numbers, stating they are required to prove something is paid for.
  • CIBC now says that it can’t trace payments at other banks.

That right there is conflict in logic, so one of those is clearly a lie.  Banks should not lie.


CIBC overstepped the mark in asking for the TD account info (I’m looking into the privacy rules on this, as I think it’s not supposed to happen under the Canadian charter that the banks have to follow), but CIBC definitely shot themselves in the foot over reference numbers.  

Someone is lying to me, and I’d love to know which is the correct answer.  



Sunday, April 19, 2015

Thoughts on the Norway FM Radio Switchoff.

Something showed up on my Facebook timeline today, linking to an article which caught my interest.  The reason it caught my interest was I could see the three-way clash of North American culture, worldwide culture and the fact that I've worked in and around radio (and radio related technologies) for most of my life.  What is very apparent to me isn't apparent to everyone, and sometimes I forget that.

A quick primer on radio and me...

  • As a kid I would do DX'ing (listening for radio stations from other countries).
  • As an adult, I've used radio to transmit stuff over vast distances (the most extreme case was using a YAPP packet radio and atmospheric skip to transmit stuff at 300 baud from the UK to a fishing trawler that was south of the Falkland Islands). 
  • I am still an avid radio listener.
  • I was once the sole iOS developer for Clear Channel's "iHeartRadio" app (I worked on it from version 2.45 through to 3.1), which is now called iHeartMedia.
  • I've worked alongside FEMA and their EAS test a few years ago.
I moved to Canada in 1998.  When I came over, I brought my radio/tuner with me - a Sony that was made for the European market (Yes, it runs on 220 volt electricity).  At that point this radio was about 5 years old and it was the second of its type I'd owned.  In Canada, most of its features didn't work until about 2004-2005, which I found highly fascinating.  To date, some features still don't work in Canada because Canadian radio hasn't caught up with the early 1990s yet.

Without getting technical, most people (including Canadians) are now aware that modern radios can tell you the name of the station you tuned to - some even tell you the name of the song/artist.  This comes from a system called RDS (Radio Data Service), which has been in Europe for a lot longer than in North America.  There's an advanced version of RDS called EON (Extended Other Networks), which gave us lots more features in the early 1990s that still don't exist in North America today.  I've never been able to switch on a Canadian radio and tell it to "only play Punk" music, or have it jump to a different station if the weather forecast comes on.  

These features don't exist because if you remove choices from the listener, you can create niche stations and so in places like Toronto, where I now live, you can't listen to what you want and still have the weather every 10 minutes - instead you have to tune to a specific type of "talk radio" station where you get the weather every 10 minutes, along with forced traffic (that's a different option in RDS EON) and adverts.  Put another way, whereas European usage of radio gives you a buffet of radio to pick and choose from, the North American model gives you 100 stations and you can only listen to one at a time - and the media companies just looove a captive audience.

This illusion of choice is much like the mechanism you see in Canadian burger restaurants;  Whilst the adverts with their condescending American narratives saying "Have it your way, Canada" are telling you that you have a choice to make things exactly how you want, what they're actually selling you is either a) you can pay X dollars for a fully loaded burger, or b) you can still pay X and skip some toppings.  Obviously, this works in the burger chain's favour as everyone still pays a premium price even if you decide not to have all the toppings you just paid for.

What this broadly translates into is radio turns into these little "islands" of listeners who are being kept away from other stations - and because the audience are not exposed to other stations, no stations have to try to win over new listeners.  Radio in Toronto is crap, and radio across most of North America is bad.  Ask anyone in North America to name a famous radio station where the DJ actually "DJ's" (i.e. spins a 30 minute session of proper mixes, or introduces you to something new) and nobody can name one.  In the UK, people would say "Pete Tong", "John Peel", "Danny Rampling", "Nicky Holloway".... In Canada and the USA, this really just doesn't exist, which is strange when you consider how much music and culture is born here.  

Again, it all comes down to these "silos" or "islands"...  To really ram this point home, let's say you're a Canadian and you're sitting at your computer and you want to listen to CBC Radio 1.... you have to go to cbc.ca to listen to that.  Then you want to listen to Q107, so you go to their website.  If you want to listen to something new, you have to find a new website.  Nothing is tied together even though they're all supposed to answer to the CRTC.  

By contrast, in the UK you just fire up www.radioplayer.co.uk and every station that has a broadcasting license is available there.  Now, there's over 400 radio stations on that site, and this brings us back to the digital radio issue.  In Ontario, there's just over 500 FM stations.  In the UK, there's over 400.  So, imagine cramming 80% of Ontario's radio into 1/6th of the province and you'll have some idea of what the airwaves look like. The radio spectrum is pretty crowded!

Digital Audio Broadcasting (DAB) solves two goals:
  • Free up radio broadcasting spectrum in dense areas.
  • Allow the addition of more features to the radio that RDS EON cannot handle.
When the bulk of people move over to this type of radio, the entire old FM spectrum can be freed up for better uses.

Now, this isn't a one-sided rant, because in North America we're seeing technologies like RDS being used in equally innovative ways that Europe doesn't.  The biggest one that comes to mind in Ontario is electricity grid management.  When your Air Conditioner is being commanded remotely to shed about 10% load in a heatwave because we're running out of electricity, it's RDS radio technology.  

This is really a culture thing; Norway switching off its FM radios will be shocking to many people, especially to those who didn't know that many European countries have already done the same with TV.  For instance, the UK switched over three years ago.  In Europe it's normally referred to as DVB (Digital Video Broadcasting), and a quick look down this list will likely shock the average Canadian or American into realising how far behind things are here.  I have always found this interesting.  I know what's going on as well, especially in Canada where two companies run most of the media and also happen to own the cable and broadcasting networks.

It's a money thing.  Why give the people choice when you can keep them ignorant and gouge them for money?



Thursday, April 9, 2015

Cyber Crime & Fraud In Canada

In this post, I'm going to get something off my chest that has been a long time brewing... in fact, it's been brewing for years.  The subject is about Canada and cyber-crime and fraud prevention where computers and law-enforcement collide.

If you don't know already, I work in IT.  I'm a programmer by trade (for the past 7 years I've concentrated on iOS, but there's 20+ years of Windows developer mileage under this bridge before that).  My code runs in everything from ship inspection systems to SuperMax prisons to the Special Organised Crime Agency (now the NCA) and national banks.  I am JCP certified and I'm found in NATO handbooks H4 & H8.  In short, I'm a registered "good guy" with a vested interest in doing the right thing and maintaining my reputation as trustworthy.

So, onto the story....

In Canada, just as anywhere else, there are two sides to cyber-crime and fraud; there are those with the intent to prevent it and those with the intent to commit it.  Just like in most other civilised places, the legal system tries to protect people from computer related crime - in Canada we have the "Criminal Code Section 342.1" which tries to draw a box around what you're allowed to do and not allowed to do.  So far, everything seems cut and dried and nobody should be surprised by what I've said.

When it comes to fraud prevention, various layers of government and law enforcement inform the public that they are here to help, and the legal framework/laws and public education programs would lead you to believe that you are very well protected in Canada.  The reality is this apparent protection is a double-edged sword that is often as likely to prolong your exposure to fraud as it is to protect you from it.

I'm no expert in the world of cyber-crime/fraud, but I understand way more than the average person - and in the UK and the USA, experience has shown that when I try to help an organisation with a problem, people listen to me... except in Canada.  I've had conversations with Andrews Air Force base about the finer technical points of Air Force One, discussed iPhone-based Missile Impact mapping technologies with Fort Bliss by the White Sands Missile Range and everyone knows I'm a good guy who is on the same side as them.... then I get on the phone to Bell Canada one day to report to Sheilagh Malloy (their privacy bod) that one of Bell Canada's customers has been breached and needs rescuing from a very real chance of identity theft, and demonstrating this to Ms Malloy resulted in the aforementioned section 342.1 rules being read back to me and my being told never to go into Bell's systems again.

That experience was several years ago.  Amongst the many things I learned in that conversation, I saw what I thought was a blind spot for customer safety and data.  I followed that hunch and a year later, I started a disagreement with Bell Canada about runaway customer data involving my own records that I was now looking into.  

Structuring my argument according to what I'd thought I'd learned in the previous conversation, the disagreement was "resolved" in a stale-mate with Ms Malloy so she'd think that she won her side of the argument about Bell's privacy policy because she didn't have to back down.  Because I'd pushed her into a stalemate position where I remained "dissatisfied" she had no choice but to give me the escalation path necessary to go to the Privacy Commission of Canada, and this gave me the "green light" to go after Bell Canada's third party link with Yellow Pages Group because it involved them too.  Of course, when I asked YPG if they were willing to stand shoulder-to-shoulder with Ms Malloy at Bell Canada and her position on my data, they collapsed faster than a wet noodle and undermined what Bell Canada had argued.

Thus, I had successfully secured my own data, and confirmed what I suspected the first time round was a blind spot with Bell Canada.  Of course, once you know there is a problem, it's not hard to go looking for signs of it.

Watching Bell Canada customers get compromised is fairly trivial.  In the same way you can watch looters steal televisions from a shop across the street, you just watch the information appear outside of Bell - you don't need to go into Bell Canada's systems, in the same way you don't need to go into a leaky pipe to see that it's leaking.  

You can set up Google to notify you when a breach occurs, which means you're no longer violating Canada's Criminal Code section 342.1 because you're not accessing that data - instead someone else is telling you that data is now available - and if you're not accessing/viewing/transmitting/storing it, then you're not breaking the law.  A bonus to this is that we've gotten ourselves an accidental security canary because we can infer what Bell Canada failed at, and as long as the signals keep appearing that there's a failure, you know Bell Canada hasn't got its act together.

What I'd like to do is help the people who are almost guaranteed to become victims of identity theft, fraud, etc.  Of course, this means reporting it and when you report it, you need to provide evidence, and under the rules of section 342.1, I can't handle that data or show that it compromises a customer by accessing their details.

As you can guess, this is very frustrating.

So, what are my options?

  • I could talk to Bell, CRTC, etc, but Bell Canada would launch a law-suit against me if I then went on to prove the problem exists because it means proving you can access compromised customers in their system.
  • Let's imagine I want to talk to the Canadian Anti-Fraud Centre:
    • You go to login here (Link) on a Mac and the RCMP securekey login fails...
    • You downgrade to Windows and login, only to find the CAFC requires specific information that you can't provide.  They have no "Contact us for something else" option.
  • I can't deal with the police, as no proof of a crime has happened yet, and again showing that the crime is likely to happen would require me to step over the law and put myself in danger when showing how and where.  

What we need:
Canada needs a program where trusted individuals can demonstrate to law enforcement that there is a cyber-fraud problem and help members of the public to be alerted when it can be proven that they are at risk from fraud/identity theft/etc.  The program should span customers of banks, too, as this is another problem area.  Finally, these whistle-blowers should have immunity from section 342.1 and have no further legal ramifications for cooperating with law enforcement to help the general public become safer by the people who dropped the ball in the first place.

In short, it's my belief that we need a mechanism whereby people can be protected from criminal activity, without those trying to help law enforcement identify the problem being penalized.  Where we stand currently is that the very same mechanism meant to stop cyber-fraud now stops anyone from proving when you are at risk of cyber-fraud.  Of course, those who disregard the law are free to do so because they're now effectively protected by this catch-22 situation.

Tuesday, March 3, 2015

Extreme Hardcore Music

I like music as much as the next person.  I also happen to like music that goes to extremes where other people might not even admit it's musical...

This clip is the perfect example of what I am talking about.  I love it.
https://soundcloud.com/squnto/squnto-x-code-pandorum-wall-of-death-clip



Monday, March 2, 2015

Another security worry at CIBC...

Today I was a confused CIBC customer because I have a letter telling me I "still have time" to activate my Visa credit card.  What do you mean "still"?  The slightly more paranoid side of my brain tells me that the bank is implying that they have previously asked me to activate a new card.

Just to royally mess with my head, there's a new card sitting in front of me with the word "Visa" on it...  Naturally, that one is not a credit card because now CIBC debit cards have "Visa" on them too... You know, just to make things perfectly clear and obvious and distinct from your credit cards.

It was with a heavy heart that I picked up the phone and I dialled CIBC's customer service number.  Naturally, the first person I spoke to tried to upsell me (he wanted to convert my credit card balance to a personal loan - I can only imagine this is so they can get their name back on my personal property deeds since I moved the mortgage away to Scotiabank), but after I told him twice that nothing was going to change, I got passed over to a different desk to deal with the credit card matter.

What transpired was this:
  • CIBC claimed they mailed out a credit card in July 2014.
  • It was never received or activated by me during the next 8 months.
  • 8 months later, I receive a letter telling me I "still have time" to activate the card.
Needless to say, I'm left wondering as to why CIBC's alarm bells failed to go off in the intervening 8 months.  That's a very long time to have customers in the dark and unaware that there is even a problem.
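The alarm the post is asking about is a simple detection rule: a card that was mailed but is still unactivated after some window is an anomaly worth a phone call, whether it was lost in the post, intercepted, or sent to a stale address.  The following is an added example of that rule, not CIBC's system; the 30-day window, the record layout and the sample issuances are constructed (the July 2014 card from the post is mirrored as CARD-A with a made-up mailing day).

```python
"""Detection rule for mailed-but-never-activated cards.  Added example, not
CIBC's system; the threshold and the issuance records are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy: a card still unactivated this long after mailing is an anomaly
# (lost in the post, intercepted, or mailed to a stale address).
ACTIVATION_WINDOW = timedelta(days=30)


@dataclass
class CardIssuance:
    card_id: str
    customer: str
    mailed: date
    activated: Optional[date] = None   # None until the customer activates


def stale_cards(issuances, as_of, window=ACTIVATION_WINDOW):
    """Cards that, as of `as_of`, have been outstanding longer than `window`
    without activation.  Returns (card_id, days_outstanding) pairs."""
    flagged = []
    for card in issuances:
        activated_by_then = card.activated is not None and card.activated <= as_of
        if activated_by_then:
            continue
        age = as_of - card.mailed
        if age > window:
            flagged.append((card.card_id, age.days))
    return flagged


def first_alert_date(card, window=ACTIVATION_WINDOW):
    """The first day on which a nightly run of stale_cards would flag this card."""
    return card.mailed + window + timedelta(days=1)


def alerts_on(iso_day: str):
    """Convenience wrapper: run the rule over SAMPLE as of an ISO date string."""
    return stale_cards(SAMPLE, date.fromisoformat(iso_day))


# Constructed records.  CARD-A mirrors the scenario in the post: mailed in
# July 2014 (day chosen here), still unactivated in March 2015.
SAMPLE = [
    CardIssuance("CARD-A", "customer-1", date(2014, 7, 15)),
    CardIssuance("CARD-B", "customer-2", date(2015, 2, 10), activated=date(2015, 2, 14)),
    CardIssuance("CARD-C", "customer-3", date(2015, 2, 20)),   # recent, inside the window
]

if __name__ == "__main__":
    print(alerts_on("2015-03-02"))        # CARD-A, 230 days outstanding
    print(first_alert_date(SAMPLE[0]))    # 2014-08-15: the day the alarm should have rung
```

Run nightly over the issuance table, the rule would have raised CARD-A in mid-August 2014 rather than leaving it silent for eight months; the window is the only tunable, and it should be short enough that a replacement can be issued before the original is likely to be misused.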

CIBC's safety net continues to suffer some very big holes.

Wednesday, February 25, 2015

The CIBC Canary

Following on from my post last month where CIBC finally opened up a dialog, it's time to post a quick update on the results.

In short, the first item that I had raised (See here for backstory) has been addressed in that sort of way only a bank could deal with it:  Having raised a number of scenarios where it can be shown they've no idea who's on the phone system talking to their credit card system, they agreed to remove me from that system and put me back to paper.  Whilst that solves my problem, in my opinion it does nothing to address the problem for millions of other people.

The other issues I raised in my 7 page report to them (about runaway data, policy failures, etc) were "conveniently" ignored in the letter they sent me in response.  However, I did note today that some of the issues are being addressed in the form of a cleanup operation.  

Of particular note was an example of runaway data when accounts are compromised.  Because compromised accounts don't appear on CIBC's radar, they don't get cleared up.  One example I sent them was this (I've blocked out the cc number as I've no idea if CIBC replaced the card yet):

  
As you can see from the transit code, this is a Commerce Court based account that was compromised.    I've known for a long time it was compromised and used it as an example to CIBC in my report.

Today, that same information is removed.


This is superficially good news - at least Mr Donald J Steadman is now "safer" than he was.  

I say superficially, as some instances have not been cleaned up.  By not explicitly telling CIBC where all the accounts are, the public has a digital "canary".  When the other compromised accounts "die" and disappear from the Internet, we know CIBC has caught up on security and policy enough that they're actually scanning for this type of leak.  If they remain visible, we know that CIBC is still wrestling with the concept of runaway data.

For those with no idea about canaries, an excellent example was Apple's "Warrant Canary". Apple was forbidden from telling the public that it had been subpoenaed for information by the US Gov. So, what it did was put in its transparency report that it had not been subpoenaed.  When that statement disappeared, it meant that they had been subpoenaed, without them actually saying it.

The same principle applies to CIBC in this instance.  When the cleanup is truly visible, you can infer that CIBC has a grasp on the data issue - but all the time the canary is visible, you know it's still a problem.
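Both canaries on this page (the warrant canary just described, and the "leak canary" of compromised records from the Bell Canada post, where a signal that keeps appearing means the leak has not been fixed) rest on the same inference: a change you cannot observe directly is read off something you can.  The following is an added example of both monitors, not the author's tooling and not anything Apple or CIBC run; the report wording, the record strings and the snapshots are constructed placeholders.  The leak monitor deliberately stores only SHA-256 digests of records already known to be exposed, so the monitor itself never holds the data.

```python
"""Two canary monitors, written as an added example (not the author's tooling).

A canary lets you infer a change you cannot observe directly from something
you can: a statement that stops appearing, or a leaked record that stops being
findable.  All report text and records below are constructed placeholders."""
import hashlib
from dataclasses import dataclass, field

# Constructed wording standing in for a transparency-report canary statement.
CANARY_STATEMENT = "We have received no secret orders for user data."

REPORT_YEAR_1 = "Transparency report.\n" + CANARY_STATEMENT + "\nRequests handled: 42."
REPORT_YEAR_2 = "Transparency report.\nRequests handled: 57."   # statement gone


@dataclass
class WarrantCanary:
    """Track a canary statement across successive report snapshots.

    Rules: once the statement disappears the canary is 'tripped' and stays
    tripped; if it later reappears the canary is marked 'suspicious', because
    a canary that can be resurrected no longer proves anything."""
    statement: str
    tripped: bool = False
    suspicious: bool = False
    history: list = field(default_factory=list)

    def observe(self, snapshot: str) -> str:
        present = self.statement in snapshot
        if self.tripped and present:
            self.suspicious = True
        elif not present:
            self.tripped = True
        state = ("suspicious" if self.suspicious
                 else "tripped" if self.tripped else "alive")
        self.history.append(state)
        return state


def fingerprint(record: str) -> str:
    """SHA-256 of a whitespace-normalised, lower-cased record: the monitor
    keeps digests, never the records themselves."""
    return hashlib.sha256(" ".join(record.split()).lower().encode()).hexdigest()


class LeakCanary:
    """Given records already known to be exposed, report how many are still
    visible in a fresh public snapshot.  While any remain, the owner's clean-up
    has not caught up; zero means it has."""

    def __init__(self, known_exposed):
        self.known = {fingerprint(r) for r in known_exposed}

    def still_visible(self, snapshot_lines):
        return self.known & {fingerprint(line) for line in snapshot_lines}

    def assess(self, snapshot_lines) -> str:
        remaining = len(self.still_visible(snapshot_lines))
        if remaining == 0:
            return "cleaned up"
        if remaining < len(self.known):
            return f"partial: {remaining} of {len(self.known)} still visible"
        return "unchanged"


# Constructed placeholder records; nothing here is real account data.
KNOWN_EXPOSED = ["EXAMPLE-RECORD-A transit 00010", "EXAMPLE-RECORD-B transit 00010"]
SNAPSHOT_DAY_0 = ["unrelated page text", "EXAMPLE-RECORD-A   transit 00010",
                  "EXAMPLE-RECORD-B transit 00010"]
SNAPSHOT_DAY_1 = ["unrelated page text", "EXAMPLE-RECORD-B transit 00010"]
SNAPSHOT_DAY_2 = ["unrelated page text"]


def run_demo():
    """Return the state sequence of both canaries over the constructed snapshots."""
    warrant = WarrantCanary(CANARY_STATEMENT)
    warrant_states = [warrant.observe(REPORT_YEAR_1), warrant.observe(REPORT_YEAR_2),
                      warrant.observe(REPORT_YEAR_1)]   # statement reappears on the third read
    leak = LeakCanary(KNOWN_EXPOSED)
    leak_states = [leak.assess(s) for s in (SNAPSHOT_DAY_0, SNAPSHOT_DAY_1, SNAPSHOT_DAY_2)]
    return warrant_states, leak_states


if __name__ == "__main__":
    print(run_demo())
```

The one-way rule in `WarrantCanary` is the part people get wrong: a canary only carries information if it can be silenced but not revived, so a statement that vanishes and then comes back should be treated as a broken canary rather than good news.  The `LeakCanary` side reports counts, never the records, which is exactly the position the Bell Canada post describes: you can say "the leak is still there" without ever handling what leaked.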




Monday, January 26, 2015

Visa Credit Card Security

It's becoming increasingly common that when you ask people about the security policies and what they think is secure or not, everything security related becomes someone else's problem.  Last week, I posed a loaded security question to Visa Canada where I asked whether something was considered secure given a scenario where something clearly goes wrong in the hypothetical situation.

Given what I was asking, I had an expectation that someone would either a) think that maybe it was worth looking into the problem further to see if the hypothetical situation could be plugged, or b) go into a state of denial.  What actually happened was neither - instead, Visa tried to distance itself and put the onus on its card issuers.

After a little back and forth (them pushing for info and myself resisting), they issued a statement that said "Our Client financial institutions (the banks) issue cards and are responsible for all billing and account management issues. Visa has no access to or jurisdiction over accounts. Accounts are confidential and proprietary information between the issuing financial institution (the bank) and the cardholder."

This is interesting because it suggests the credit card company is not watching the card issuers (the banks), and at the same time the customer is invisible to the credit card company.  

Put another way, there's no safety net when the bank messes up as Visa puts all the onus on the banks, further there's a blind spot as Visa can't see you either. 

Wednesday, January 21, 2015

Thoughts On Canada Interest Rates at 0.75%

Today, the Bank of Canada dropped its official rate from 1% to 0.75%.  This is just the day after Obama stepped up to the plate and announced "Tonight, we turn the page," and following on with "The shadow of crisis has passed, and the State of the Union is strong."

If the shadow of crisis has passed and the Bank is dropping its rates, what's going on?  Quite simply, it's all a game of media posturing; there's an old Indian phrase that runs along the lines of "If everyone tells you that you're sick, go and lay down", and this same psychology can be used to rally people into believing that "The economy is not sick, so get up and spend!".

So why is it Obama is saying everything is fine, yet the Bank of Canada is reducing rates, Europe is getting ready to inject more printed money, all the shops have been in permanent "Sale" mode for over six years and many North American car manufacturers are still pushing "employee pricing" to normal consumers?

To understand what's actually going on, we need to take a step back and look at the bigger picture by getting above the viewpoints of Canada and the USA, and looking at it through neutral eyes of someone like the BIS.

If you've no idea who the BIS is, a quick history recap follows:

In layman's terms (not 100% accurate, but good enough for the purposes of this article), the BIS was a bank that was set up to deal with Germany's reparation debts after WWI.  It was a central bank to a number of nations that made sure payments went where they needed to go, and because of Switzerland's neutrality in most international affairs, it was located there in a place called Basel.

As time went by, the BIS superseded that initial role and now it has more member countries and it still tries to keep everyone's money in check between nations - not just the original members' money.  This group largely keeps quiet, but on occasion it will notice that the banking systems in the world are getting a bit screwy, and it makes a recommendation.  These recommendations are not law - they're just impartial advice to banks on how to avoid trouble that doesn't take into account politics.  It's pure economics.

The first recommendation was after the 1974 liquidation of the Herstatt Bank in Cologne, and it was known as the "Basel Accord".  It basically stipulated that in the same way you need to keep money in your account to cover your mortgage whilst your latest pay check clears, banks need to keep a certain amount to cover time differences like when dealing with New York as the counterparty banks still need to be paid on time during the settlement processes if the money hasn't arrived at its destination yet.  As you can guess, this was before the Internet and we still had to stuff big bags of money on planes and trains, hence the delays.

Then the BIS went quiet again.

The second recommendation was in 2004.  The BIS knew what was coming with the reckless lending that was happening, and basically told banks to shore up reserves to make sure they didn't go under.  This was known as "Basel II" - a term I'm sure you've seen mentioned in the news.  Many banks had trouble meeting this goal, and then the crash of 2008 put the wind up these banks so fast that they quickly locked down all lending and magically "found" the money needed to not go under.  The money was so locked up in this fear, that governments had to print new money to get liquidity going again.

The third recommendation was in 2010-11 as a response to what had happened with the deficiencies found in the financial crisis.  Known as "Basel III", the timeline to implement this started in January 2013.  Its purpose was to increase how much the banks need to hold onto, and to make sure they stand up to a stress-test.

So, now you've got a bit of history explaining how we got to where we are, let's go back to the Bank of Canada.

If we have a low interest rate, this should spur people into borrowing more money.  If people borrow money, they spend it on goods and services, generating income for people, and they owe it back to the lender with interest, generating income there too. This much is common sense.  However, we've had several years of cheaper cars (remember the additional gov rebate to get you to ditch your old cars and get a new one to stop the auto industry collapsing?), and several years of cheaper electronics, and several years of perpetual retail sales.  And many people have moved and got new mortgages using these lower rates. 

In other words - people have bought pretty much everything they want - this leaves very few items (food being a major one) whose prices have not come down as demand has not gone away.

There's one thing missing from the picture so far:  Oil.  

Whilst Alberta makes money from Oil, everyone else buys it.  However, they buy it well in advance of when they need it by locking in a price that they think will reflect the market when it comes time to deliver the oil - this is known as a "futures contract".  So, now everyone in places like Ontario is manufacturing with Oil bought a year ago or 6 months ago at higher prices, and is making things that are coming down in price to try and get demand going again.

And that strategy is just not working - and it hasn't worked for the past 7 years.

So, given that the economy isn't generating the revenue it needs, someone has to do something.  Unfortunately, the only two things they can do are:
1) Print money to devalue the dollar, in the hope that we can export more stuff to other countries because it looks cheaper....
2) Lower interest rates to spur people into borrowing money to cover this slump.

Out of those two options, #1 is not really an option as the dollar is already quite low compared to the US Dollar which international trade is most often done in.  This leaves option #2.

This can go two ways:  It works, which is highly unlikely in my mind because the demand slump problem doesn't go away.  Or, it fails.  This failure is what I think will happen.  We'll see some investment in new facilities, new economic action plan items, etc, but all this does is create more debt that has to be paid back - stretching what little money is available to start with.  

It's basically adding to the problem and then kicking that problem down the road a little bit.  That is dangerous.  There's a pretty good explanation as to why.

The one thing that we don't hear about these days that used to be common sense is the idea of the business cycle.  About every 7 to 8 years we see a slump in the economy, then it rebounds.  We crashed in 2008 - we should have recovered by now but haven't.  

2015 is the next dip in the cycle.  What is the worst that could happen?  Well, here it is in a nutshell.  With the oil so cheap, many nations don't generate income, which means they can't repay their debts - which means other nations go without too.  If everyone tightens their belts, the USA is the biggest victim in a downturn of global spending.  

In Canada, we're highly influenced by what goes on next door (As the joke goes, "the USA sneezes and Canada catches a cold"), but this time around it's quite a lot worse - like orders of magnitude worse.

I'm not going to be surprised if we see a zero interest rate in Canada, and possibly a negative one before this is over.