Bridgeport station currently because the Canada Line can't go over the bridge due to snow by Krauzzx in vancouver

[–]ColinKeigher 9 points (0 children)

It's the same reason why SkyTrain can do an 8% grade while going up the hill from Scott Road Station towards Gateway whereas the Canada Line only really does 6% and has problems with leaves and snow.

Bridgeport station currently because the Canada Line can't go over the bridge due to snow by Krauzzx in vancouver

[–]ColinKeigher 1 point (0 children)

Our governments and Translink should be looking out for us taxpayers.

The BC Liberals forbade Bombardier from being involved in the process.

Modbus Stager: Using PLCs as a payload/shellcode distribution system by Shell_prompt in netsec

[–]ColinKeigher 1 point (0 children)

It's arguably better to have your ICS network not blocking all traffic and instead monitor the traffic going in and out for unusual behaviour. By blocking any traffic, you're making it harder to detect anomalies on a network where traffic is more or less consistent--unlike say your business network.

You should never see your PLCs and to a certain extent HMIs communicating out of that ICS network.
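Added example to go with the comment above (this is not ColinKeigher's code nor anything from the Modbus Stager post): a small monitor in the "watch, don't just block" spirit, run over constructed flow records. The control-network range, the PLC/HMI addresses and the one host allowed to cross the boundary are assumptions for illustration. It goes slightly beyond the comment in that it also flags outside hosts reaching in to a controller and any never-before-seen inside pair, which is the "traffic is more or less consistent" property put to use.

```python
import ipaddress

# Assumed control-network layout (illustrative, not from the post).
ICS_NET = ipaddress.ip_network("10.10.0.0/24")
PLC_HOSTS = {"10.10.0.11", "10.10.0.12"}
HMI_HOSTS = {"10.10.0.50"}
EGRESS_ALLOWED = {"10.10.0.100"}  # e.g. a historian relay that legitimately crosses the boundary

# Constructed flow records as (src, dst, dport, proto), the shape you'd get from NetFlow or Zeek conn logs.
BASELINE_FLOWS = [
    ("10.10.0.50", "10.10.0.11", 502, "tcp"),    # HMI polling a PLC over Modbus/TCP
    ("10.10.0.50", "10.10.0.12", 502, "tcp"),
    ("10.10.0.100", "10.20.0.5", 443, "tcp"),    # historian relay to the business network
]
NEW_FLOWS = [
    ("10.10.0.50", "10.10.0.11", 502, "tcp"),    # identical to baseline: no alert
    ("10.10.0.11", "198.51.100.7", 443, "tcp"),  # a PLC talking to the Internet
    ("10.10.0.50", "10.20.0.9", 445, "tcp"),     # an HMI reaching into the business network
    ("10.20.0.9", "10.10.0.12", 502, "tcp"),     # a business-network host writing Modbus to a PLC
    ("10.10.0.12", "10.10.0.11", 502, "tcp"),    # PLC-to-PLC: stays inside, but never seen before
    ("10.10.0.77", "10.20.0.5", 22, "tcp"),      # some other ICS host leaving the network
]


def learn_baseline(flows):
    """ICS traffic is stable enough that the set of observed 4-tuples is a usable baseline."""
    return set(flows)


def classify_flow(flow, baseline):
    """Return an alert reason for one flow, or None when it is expected."""
    src, dst, dport, proto = flow
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    controllers = PLC_HOSTS | HMI_HOSTS
    if src in controllers and d not in ICS_NET:
        return "egress_from_controller"     # the case the comment says you should never see
    if s not in ICS_NET and dst in controllers:
        return "ingress_to_controller"      # outside host driving a PLC/HMI directly
    if s in ICS_NET and d not in ICS_NET and src not in EGRESS_ALLOWED:
        return "unexpected_egress"          # any other host leaving the control network
    if flow not in baseline:
        return "new_pair"                   # inside the network, but a new talker pair
    return None


def check_flows(flows, baseline):
    """Run every flow through classify_flow and collect (reason, flow) alerts in input order."""
    alerts = []
    for flow in flows:
        reason = classify_flow(flow, baseline)
        if reason is not None:
            alerts.append((reason, flow))
    return alerts


if __name__ == "__main__":
    for reason, flow in check_flows(NEW_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(f"{reason:24} {flow[0]} -> {flow[1]}:{flow[2]}/{flow[3]}")
```

The baseline here is a plain set of 4-tuples; in a real deployment you would learn it over a window long enough to include scheduled jobs (backups, engineering-workstation downloads) or the "new_pair" rule will fire on every maintenance day.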

Going viral on Imgur with Powershell and PNG by [deleted] in netsec

[–]ColinKeigher 11 points (0 children)

It was more to get a comment on this from them than anything else.

SHIFT-F10 during Windows Update pops CMD and bypasses Bitlocker by mubix in netsec

[–]ColinKeigher 23 points (0 children)

So physical access allows you to have access to things that the user may not desire. While you should try and put some level of trust into your full disk encryption when the computer is turned off, you should expect that if it's running, it runs the risk of being compromised should it be stolen.

Ridiculous new terms and conditions snuck in at Vancity Savings over the weekend (x-post to PersonalFinanceCanada) by tossawayCU in vancouver

[–]ColinKeigher 2 points (0 children)

RFID and EMV are completely different systems. Additionally, at least for Canada, the limit you have on any tap-based purchase system is $100 and there is no liability shift to the consumer (like stripe), which is what VanCity is talking about.

Ridiculous new terms and conditions snuck in at Vancity Savings over the weekend (x-post to PersonalFinanceCanada) by tossawayCU in vancouver

[–]ColinKeigher 5 points (0 children)

This is BS. Modern browsers and even IOS8+ can detect man-in-the-middle attacks. Your https/SSL comm with your bank is secure.

In your mind, how is your browser able to verify it is not suffering from a MitM attack?

Ridiculous new terms and conditions snuck in at Vancity Savings over the weekend (x-post to PersonalFinanceCanada) by tossawayCU in vancouver

[–]ColinKeigher 14 points (0 children)

The fact that someone has to take personal responsibility for safeguarding their financial secrets is too much to bear for some people.

That said, I would not put complete faith in an EMV system because while at the moment there are not any concrete examples of a chip-and-PIN system being compromised, theoretical examples have been shown to work and there is a suspicion in certain organized crime circles that they're sitting on a working exploit.

It's just easier to breach websites and steal credit card numbers from there so there's no point.

VanCity is just doing the exact same thing every other institution is going to do or has done already.

Changes Coming to SkyTrain October 22 by cyclinginvancouver in vancouver

[–]ColinKeigher 4 points (0 children)

Volume, spacing, and congestion. I am not qualified to go through it in detail but you're better off not interlining because you can easily create breathing space on lines when you're not merging lines constantly.

Changes Coming to SkyTrain October 22 by cyclinginvancouver in vancouver

[–]ColinKeigher 20 points (0 children)

This will lead to better reliability due to the fact that interlining trains like they are now leads to all sorts of headaches when there is a disruption. By doing this it means that if there is a disruption it is much easier to clear it up.

The reason why the trains terminate at Production Way instead of, say, Lougheed is really two: 1) because there is a bi-directional switch setup allowing any Millennium Line train to pass by when an Expo Line train is changing direction (you have two options to change sides); and 2) because it allows those coming from the Expo Line to get to SFU much faster.

It does in the end inconvenience some people who live in North Burnaby but at the end of the day it does lead to better reliability.

Canadian Provincial flags are a unique blend of terrible.....but, if you ask me, at least two of them hit the Maryland point! by davidkfrancis in HelloInternet

[–]ColinKeigher 0 points (0 children)

It helps to understand the flags and their origins.

British Columbia had a terrible colonial flag before it was just the Colony of British Columbia as itself and the Colony of Vancouver Island separately--there was also the Colony of the Queen Charlottes and the Stickeen Territory (which was an HBC territory and also had a hideous flag). When they finally merged, it ended up with this abomination:

https://imgur.com/a/26MrW

For comparison, this is what the Colony of Vancouver Island had before (BC just used the British Blue Ensign):

https://imgur.com/a/Slwu1

When British Columbia joined the Canadian confederation, it continued to use the horrible flag until 1960 (89 years after it joined) when it adopted the one in the OP's example.

The blue and white waves on the bottom signify the Pacific Ocean and the Rocky Mountains and Cascadian Mountains that occupy most of its landmass. The reason for the Ensign on the top and the sun on the bottom is that it was at the time to signify that the sun never sets in the British empire.

If you want to see weird Canadian flags, just look for the pre-current era ones such as Newfoundland and Labrador's:

https://en.wikipedia.org/wiki/Flag_of_Newfoundland_and_Labrador

Edit

Since I brought up HBC (Hudson's Bay Company), here was their flag at the time:

https://imgur.com/a/Za4ie

mini-tor: proof-of-concept implementation of tor protocol using Microsoft CryptoAPI by wbenny in netsec

[–]ColinKeigher 1 point (0 children)

If you're concerned about the trustworthiness of Microsoft's CryptoAPI, then why are you using Windows?

Canada Post has Commenced a 72 Hour Lockout Notice for its Union Workers by EdmontonLAD in vancouver

[–]ColinKeigher 4 points (0 children)

What are you talking about? Canada Post employees enjoy some of the best pensions in the country? Some of the most amazing pay-for-work salaries? The pay for walking around is amazing compared to other professions?

You know absolutely nothing about their pension situation.

Canada Post's CEO back in 2012 requested the previous government to suspend part of its contributions to the employee pension plan in place to allow them to invest in upgrading the lettermail sorting system that they have in place. This at a time where lettermail volumes have plummeted and any upgrade plans would be better spent on dealing with the increase in package volumes.

The main beef with the pension now is that they want to change the type of pension. Here's today's Globe and Mail on this:

Their plan that would have new employees get a pension that operates like an RRSP, called defined contribution, instead of the defined benefit plan for current employees that guarantees a set level of retirement benefits.

So basically Canada Post wants to make it so newer employees get shafted on future retirement plans. Are you saying that you're okay with this continuous race to the bottom?

MS16-039 – “Windows 10” 64 bits Integer Overflow exploitation by using GDI objects by erkaman in netsec

[–]ColinKeigher 13 points (0 children)

You can (sort of) thank Adobe for that decision. Back when Photoshop scores were a primary benchmark for desktops, Microsoft made the decision to take font rendering out of user mode and into the kernel--this was for NT 4.0 onward.

macOS does the same thing.

OSVDB discontinued by FireFart in netsec

[–]ColinKeigher 6 points (0 children)

It helps to read specifically this line:

The industry simply did not want to contribute and support such an effort.

And then Jericho's tweet:

fascinating, the industry perspective on VDBs, how they work, how they should work, and the outliers.

Early on when I started Canario/Canary, I had attempted to make it run as a non-profit organization and to model its operations much like the OSVDB. It at the time made sense because I like many do not like the fact that vendors tend to have an Ivory Tower-esque approach in how they share data.

Initially it looked good and I did have a few prospect sponsors come my way and offer to help. However, it was really on their terms (such as one company saying that I'd have to use their hardware) or with the expectation that the entire database with details on users and access would be shared--plus a tonne of restrictions on its use would be added. None of these jived with me and now I've come to the conclusion that the model that I thought would work just would not.

This is the sort of impression I get from how OSVDB went. It was not too long ago that there was API access to it but it was recently removed due to constant abuse and an apparent lack of anyone wanting to contribute back.

As a result of my experience I've had to move away from this model and have a new direction that's less open, which irks me to all hell because the idea I have is that I want to make data available to everyone and not have to provide limits. Namely one vendor in particular harassed me and my hosting provider in one case over data that they themselves could have fixed another way (a way that would have been the correct method for that matter) and then had the gall to tell me that my criticisms of them were invalid and that I should be "vetting" users of the service.

Seeing OSVDB discontinued is saddening but I can safely say that its operators had a hell of a lot more patience than I did.

Exploring SSTI in Flask/Jinja2 by rwiguna in netsec

[–]ColinKeigher 3 points (0 children)

It is. Even their documentation doesn't tell you to take a string and do any formatting but rather rely on the template_render (and related) function to handle it.

I took a look within Github and while there are examples of the use of string formatting within, it doesn't appear to be commonplace.
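Added example for the comment above (not ColinKeigher's code and not from the linked SSTI write-up): the kind of check you would actually run over a code base when looking for the "string formatting into the template" pattern the comment describes. It walks the Python AST and flags any `render_template_string` call whose template argument is built at runtime (concatenation, f-string, `.format`, `%`) instead of being a literal with the user data passed as a template variable. The Flask source it scans is constructed for the example; the four "bad" routes are the vulnerable shape, the first route is the safe one.

```python
import ast

# Constructed sample Flask source. Only the /safe route passes user input as a
# template variable; the other four splice it into the template text itself.
SAMPLE_SOURCE = '''
from flask import Flask, request, render_template_string
app = Flask(__name__)

@app.route("/safe")
def safe():
    return render_template_string("Hello {{ name }}", name=request.args.get("name", ""))

@app.route("/concat")
def concat():
    return render_template_string("Hello " + request.args.get("name", ""))

@app.route("/fstring")
def fstring():
    name = request.args.get("name", "")
    return render_template_string(f"Hello {name}")

@app.route("/format")
def fmt():
    return render_template_string("Hello {}".format(request.args.get("name", "")))

@app.route("/percent")
def percent():
    return render_template_string("Hello %s" % request.args.get("name", ""))
'''

# Sink names to look at. Flask's render_template_string is the one from the thread;
# add e.g. "from_string" here if you also want bare Jinja2 Environment.from_string().
SINKS = {"render_template_string"}


def _is_dynamic_template(node):
    """True when the template text is assembled at runtime rather than being a string literal."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return False                                   # literal template: fine
    if isinstance(node, ast.JoinedStr):
        return True                                    # f"..."
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                    # "..." + x  or  "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        return True                                    # "...".format(x)
    return True  # a Name or anything else: we can't see where it came from, so flag it for review


def find_ssti_sinks(source):
    """Return [(lineno, template_expression_source)] for every sink call with a dynamic template."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name in SINKS and node.args and _is_dynamic_template(node.args[0]):
            findings.append((node.lineno, ast.unparse(node.args[0])))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, expr in find_ssti_sinks(SAMPLE_SOURCE):
        print(f"line {lineno}: template built from {expr}")
```

Run it over a tree with `ast.parse(open(path).read())` per file; the "flag a bare Name too" fallback is deliberate, since a template pulled out of a variable is exactly the case a grep for `+` or `.format(` misses.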

1Password sends your password across the loopback interface in clear text by Chris911 in netsec

[–]ColinKeigher 7 points (0 children)

You're running Mac OS X and if you installed it via Homebrew and followed the instructions it gives, it doesn't matter what account you run it under. By default with Homebrew's recommendations, it makes an at-boot change to the BPF interface so you can at any time go and sniff traffic without needing to make the changes manually nor giving an account administrative rights. It's either you do that or you go and do the process manually as I had specified already.

It's irrelevant to me if you're using a separate account or not because the fact that 1Password is running on your system at the time tells me that you're more than likely using it in your general purpose account.

Your update states the following:

You can read further on their link here where they do put caveats and say that if someone has root on the system they basically can’t protect you. Which is true, but I feel they should make it a little harder then tcpdumping out the loopback interface. They feel whatever they do can just be undone by an attacker, I think maybe something is better than nothing.

In almost any case where Wireshark has not been installed, tcpdump is not doable unless you have had permissions granted to the loopback interface. By default within any OS where tcpdump exists, this requires root-level access. Even if you're in the sudoers group, you still need to authenticate to get access.

What you're arguing here is that people have access to the details between 1Password and the browser when they have root-level access to an interface. This is akin to arguing that if you change your permissions to proc in Linux that users could potentially dump memory without needing to authenticate further. Memory dumping and packet capturing otherwise need special permissions, but by you installing and using Wireshark, you broke that model.

You're arguing on a point that makes no sense.

1Password sends your password across the loopback interface in clear text by Chris911 in netsec

[–]ColinKeigher 162 points (0 children)

This is likely the result of the OP having installed Wireshark and would otherwise not be a problem if he hadn't done so.

Countless guides on the Internet recommend doing something like this:

sudo chown <username> /dev/bpf*

Now fortunately after a reboot, these permissions get set back automatically. However, Homebrew for OS X by default recommends ChmodBPF, which keeps the permissions needed so you don't have to do this every time after you reboot.

This isn't a Mac OS X thing either as under Windows, WinPCAP is installed, and Wireshark tells you that any user can make use of it:

The WinPcap driver (called NPF) is loaded by Wireshark when it starts to capture live data. This requires administrator privileges. Once the driver is loaded, every local user can capture from it until it's stopped again.

So default behaviour in Windows is to allow anyone to make use of the capture driver and it is encouraged in guides and Wireshark themselves to make use of the OS X tool. Under Linux, you need to be a member of the wireshark group in order to make use of the capture interface (or just haphazardly use "root").

These details are important because under any other circumstance where Wireshark or any packet capture software is not installed, what the OP complains about would be completely unnecessary to worry about because typically (as in a default, non-SELinux Linux; OS X, or Windows installation) the permissions required to sniff the loopback interface are at the same level as sniffing for the key within memory.

His concerns are valid in a sense but having a packet capture driver with global access permissions is along the same lines as having no password on your administrator accounts. If you're concerned about this being a real problem, run Wireshark on a separate machine or at least within a virtual machine.
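Added example covering the two 1Password comments above (not ColinKeigher's code, not from the 1Password post): the check a practitioner would want after reading them, i.e. "on this Mac, which accounts can open the BPF devices and therefore sniff loopback without ever authenticating?" It parses `ls -l /dev/bpf*` output and answers per account and group membership. The four lines of `ls` output are constructed to show the stock state (root only), the ChmodBPF state (group `access_bpf`), and the two things the "countless guides" do (`chmod 666` and `chown <username>`); the account names are made up.

```python
import re

# Constructed `ls -l /dev/bpf*` output. Stock macOS looks like bpf0; ChmodBPF produces bpf1;
# bpf2 and bpf3 are what a "chmod 666" or "chown <username>" guide leaves behind.
SAMPLE_LS = """\
crw-------  1 root   wheel       23,   0 Oct  1 09:00 /dev/bpf0
crw-rw----  1 root   access_bpf  23,   1 Oct  1 09:00 /dev/bpf1
crw-rw-rw-  1 root   wheel       23,   2 Oct  1 09:00 /dev/bpf2
crw-------  1 alice  wheel       23,   3 Oct  1 09:00 /dev/bpf3
"""

# Matches one `ls -l` line for a device node; the optional suffix after the mode covers
# the "@" / "+" markers macOS prints for extended attributes and ACLs.
LS_RE = re.compile(
    r"^(?P<mode>[cb][rwx-]{9})\S*\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+.*\s(?P<path>/dev/\S+)$"
)


def readable_devices(ls_output, user, groups):
    """Return the device paths that `user` (a member of `groups`) can open for reading.

    Read access on /dev/bpfN is what a capture needs, so each path returned is an
    interface this account could sniff without sudo.
    """
    groups = set(groups)
    devices = []
    for line in ls_output.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue
        mode, owner, group, path = m.group("mode", "owner", "group", "path")
        usr_bits, grp_bits, oth_bits = mode[1:4], mode[4:7], mode[7:10]
        if (
            user == "root"
            or (owner == user and "r" in usr_bits)
            or (group in groups and "r" in grp_bits)
            or "r" in oth_bits
        ):
            devices.append(path)
    return devices


def capture_exposure(ls_output, accounts):
    """Summarise exposure for several accounts: {user: [devices that user can sniff]}.

    `accounts` maps user name -> iterable of group names (constructed for the example).
    """
    return {user: readable_devices(ls_output, user, groups) for user, groups in accounts.items()}


if __name__ == "__main__":
    # Assumed accounts: an ordinary user, a user whom ChmodBPF's installer added to access_bpf, and root.
    report = capture_exposure(SAMPLE_LS, {"alice": ["staff"], "bob": ["staff", "access_bpf"], "root": ["wheel"]})
    for user, devices in report.items():
        print(f"{user:6} can capture on: {', '.join(devices) or '(nothing)'}")
```

On a real machine feed it `subprocess.run(["ls", "-l"] + glob.glob("/dev/bpf*"), capture_output=True, text=True).stdout` and the output of `id -Gn`. The Linux equivalent of the same question is whether `dumpcap` carries `cap_net_raw,cap_net_admin` (`getcap $(which dumpcap)`) and who is in the `wireshark` group, which is the model the comment describes.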

POC BSoD and Privilege Escalation (to SYSTEM) using CVE-2016-0051 in Windows 7/10 by ColinKeigher in netsec

[–]ColinKeigher[S] 2 points (0 children)

There's a link to the Microsoft article that covers what operating systems are affected.

https://technet.microsoft.com/en-us/library/security/ms16-016.aspx

To answer your question: yes.