I guess this is a type of 2-factor authentication. Today I got a call from Canada Revenue Agency. No, not that call from some sweatshop scam operator. Before he could talk he needed to verify some info. So I asked how I could verify him. He suggested I go to the website, find the general business inquiries number, call that, and confirm that the person with his name/number was working my file.

So I did. PS, the CRA hold music is not that good. CRA general inquiries confirmed he was real and on my file, so I called him back, and gave the confirmation.

Now, this was a bit of a circuitous conversation flow. It's actually more or less identical to the steps you take for each https page load (you talk to the site, you talk to the cert authority, then back to the site). Now, the cert authority step we speed up with OCSP, stapling, a pre-cached trust chain, etc.

In hindsight I didn't need to do this (since the questions they needed to identify me were public information). But, it's nice to know the system works.

PS, they were verifying that the banking information for deposit had not been changed by some scammer. So double bonus.

Have you ever tried this dance? You get called, and you get them to confirm who they are first? Socially awkward.

Got an hour or so free on May 12, 2020? Want to hear yours truly tell you a story about Cloud Native along with Transit, Ecobee, BioBox? Of course you do.

You can click here to get the meetup invite.

CNCF Eastern Canada online meetup: Cloud Native Stories

Tuesday, May 12, 2020, 12:00 PM

Online event

Hello Eastern Canadian community! (français en dessous) We are thrilled to be hosting our first online meetup for all five cities of our community. The event is going to last an hour during the day, with some community stories on how folks have been using various CNCF projects in production. Speakers from Transit, Ecobee, Aglicus, and BioBox. We ar...


PS, last year this was in person, and I presented as below. For those who missed it, my bear joke makes a surprise entry.

So we have this tap, outside, you know, for a garden hose. Copper pipe, copper faucet. Exactly what you don't want exposed outdoors during the typical Ontario winter. Well, it's lasted for ~45 years so I guess it was made of hardy stuff. "Was" being the key word: it has developed some post-nasal drip. More like a stream.

Now normally this would not be trouble, you would have disabled it at the indoor shut-off. The one that is not present; it's embedded in brick and concrete, heading who knows where but not to an obvious spot in the basement. Hmm.

OK, no fear, I got this, get out the torch and solder and... no 5/8" end-caps. Oh, I forgot to mention that my house, for unknown reasons, uses 5/8" copper instead of 1/2" copper. Drat. So I will... oh wait, during pandemic season most of the stores are either closed or less convenient. And this includes all my favourite hardware stores. Hmmm.

Fortunately I had the foresight about 5 years ago to buy a 3D printer for this exact day, this exact purpose. Let's give it a go, what could go wrong? I mean, brittle old PLA sitting in my drawer and then extruded in layers, that is pressure-rated, right?

Many bots exist which scan your repos and send you automatic pull requests when some library you use has become vulnerable. It's a good service: it generates a lot of noise, but is better than the alternative of continuing with the vulnerable upstream.

Usually I just eyeball, click accept, and go. It's key to do that eyeball, who knows when someone will have a bot that tries to get you to accept bad software in a PR!

Today I was looking at a vulnerability in Bootstrap, an XSS attack. And, at the bottom, GitHub helpfully shows all the PRs that mention this issue. I.e., a dictionary of all the vulnerable software.

Let's say I'm a lazy attacker. I come into possession of a single exploit. I just watch the issue, and, whenever new software is appended, I attack it.

I'm not suggesting any change here. A less lazy attacker could scan GitHub themselves. The bots are better than the alternative of the bad software getting put in the package requirements and forgotten. Merely musing, it doesn't take much to find low-hanging vulnerabilities.

What's sadder, some folks are using decade-old vulnerabilities. Bootstrap 2.1.0 was released in 2012, and it's in the list here. Now, some of these might be dead forks (e.g. people fork something on GitHub and then let their fork die). This one for example. This is why it's important to only use open source from the source: curated, lively, active.

Why was I researching XSS in Bootstrap? It was for my new feature-length thriller movie, below. Side note: I might have to relocate the recording studio, my downstairs neighbour's AC runs through it, and, despite Audacity's noise reduction filter, comes through. Boo.

I talk a bit more about this on my corporate blog.

So there's a health and safety type course that is required in Canada called WHMIS (Workplace Hazardous Materials Information System). It's intended to help people understand what products in their workplace are hazardous in a uniform way through labelling and information sheets. It's a requirement to train your staff on it.

It strikes me that in 2020 many workers are more commonly using the Internet and IT Applications than they are using Solvents and Pesticides. And that there is no standardised requirement for training on the dangers of the World Wide Weirdos.

Perhaps it is time to standardise on training and labelling around risks and make that a national educational requirement for the workforce. How to recognise phishing, how to use 2-factor authentication, how to report a problem. How to avoid the temptation to insert that USB flash drive you found in the parking lot into the payroll server.

What do you think? We could probably come up with a 1/2 hour self-paced training course. A standard taxonomy using some of the great work that NIST has done (https://www.nist.gov/cyberframework). Make it mandatory to take it within 30 days of starting work, and annually, for any company with more than 20 team members. I'm not talking PhD multi-year SANS level material here, I'm talking Cyber Security best practices 101 for the front line.

I think the payback to the national economy would be large. It would reduce effort in policing (fewer incidents, more standardised reporting of the ones that occur). Cyber espionage would go down, productivity would go up.

Who's in? I'll help develop and deliver the material.