Repurposing Apple Time Capsule as a Network Drive


For the past several years I’ve happily used an Apple Time Capsule as my router and one of many backup drives, but it’s been getting a bit long in the tooth as the number of items on my network has grown. I recently upgraded to a new router but wanted to continue using my Time Capsule, and its very large drive, for LAN backups.

A post in Apple’s discussion forums helpfully kicked off how to reset the wireless settings for the Time Capsule and prepare it to just live on the network as a drive. After following those instructions, all I needed to do was:

  1. Open Time Machine Preferences on my device;
  2. Select ‘Add or Remove Backup Disk…’;
  3. Select the freshly networked disk;
  4. Choose to use the pre-existing backup image, and input the encryption password for the backup.

Voila! And now my disk–with all its data–is available on the network and capable of continuing my Time Machine backups!

The Kaseya Ransomware Attack Is a Really Big Deal

(Managed Service Provider image by the Canadian Centre for Cybersecurity)

Matt Tait, as normal, has good insights into just why the Kaseya ransomware attack[1] was such a big deal:

In short, software supply chain security breaches don’t look like other categories of breaches. A lot of this comes down to the central conundrum of system security: it’s not possible to defend the edges of a system without centralization so that we can pool defensive resources. But this same centralization concentrates offensive action against a few single points of failure that, if breached, cause all of the edges to fall at once. And the more edges that central failure point controls, the more likely the collateral real-world consequences of any breach, but especially a ransomware breach will be catastrophic, and cause overwhelm the defensive cybersecurity industry’s ability to respond.

Managed Service Providers (MSPs) are becoming increasingly common targets. It’s worth noting that the Canadian Centre for Cybersecurity’s National Cyber Threat Assessment 2020 listed ransomware as well as the exploitation of MSPs as two of the seven key threats to Canadian financial and economic health. The Centre went so far as to state that it expected,

… that over the next two years ransomware campaigns will very likely increasingly target MSPs for the purpose of targeting their clients as a means of scaling targeted ransomware campaigns.

Sadly, if not surprisingly, this assessment has been entirely correct. It remains to be seen what impact the 2020 threats assessment has, or will have, on Canadian organizations and their security postures. Based on conversations I’ve had over the past few months the results are not inspiring and the threat assessment has generally been less effective than hoped in driving change in Canada.

As discussed by Steven Bellovin, part of the broader challenge for the security community in preparing for MSP operations has been that defenders are routinely behind the times; operators modify what and who their campaigns will target and defenders are forced to scramble to catch up. He specifically, and depressingly, recognizes that, “…when it comes to target selection, the attackers have outmaneuvered defenders for almost 30 years.”

These failures are that much more noteworthy given that the United States has trumpeted for years that the NSA will ‘defend forward’ to identify and hunt threats, and respond to them before they reach ‘American cybershores’.[2] The seemingly now routine targeting of both system update mechanisms as well as vendors which provide security or operational controls for wide swathes of organizations demonstrates that things are going to get a lot worse before they’re likely to improve.

A course correction could follow from Western nations developing effective and meaningful cyber-deterrence processes that encourage nations such as Russia, China, Iran, and North Korea to punish computer operators who are behind some of the worst kinds of operations that have emerged in public view. However, this would in part require the American government (and its allies) to actually figure out how they can deter adversaries. It’s been 12 years or so, and counting, and it’s not apparent that any American administration has figured out how to implement a deterrence regime that exceeds issuing toothless threats. The same goes for most of their allies.

Absent an actual deterrence response, such as one which takes action in sovereign states that host malicious operators, Western nations have slowly joined together to issue group attributions of foreign operations. They’ve also come together to recognize certain classes of cyber operations as particularly problematic, including ransomware. Must nations build this shared capacity, first, before they can actually undertake deterrence activities? Should that be the case then it would strongly underscore the need to develop shared norms in advance of sovereign states exercising their latent capacities in cyber and other domains and lend credence to the importance of the Tallinn manual process. If, however, this capacity is built and nothing is still undertaken to deter, then what will the capacity actually be worth? While this is a fascinating scholarly exercise–it’s basically an opportunity to test competing scholarly hypotheses–it’s one that has significant real-world consequences and the danger is that once we recognize which hypothesis is correct, years of time and effort could have been wasted for little apparent gain.

What’s worse is that this is even a scholarly exercise. Given that more than a decade has passed, and that ‘cyber’ is not truly new anymore, why must hypotheses be spun instead of states having developed sufficient capacity to deter? Where are Western states’ muscles after so much time working this problem?


  1. As a point of order, when is an act of ransomware an attack versus an operation?
  2. I just made that one up. No, I’m not proud of it.

Vaccination, Discrimination, and Canadian Civil Liberties


Civil liberties debates about whether individuals should have to get vaccinated against Covid-19 are on the rise. Civil liberties groups broadly worry that individuals will suffer intrusions into their privacy, or that rights of association or other rights will be unduly abridged, as businesses and employers require individuals to demonstrate proof of vaccination.

As discussed in a recent article published by the CBC, some individuals are specifically unable to, or concerned about, receiving Covid-19 vaccines on the basis that, “they’re taking immunosuppressant drugs, for example, while others have legitimate concerns about the safety and efficacy of the COVID-19 vaccines or justifiable fears borne from previous negative interactions with the health-care system.” The same expert, Arthur Schafer of the Centre for Professional and Applied Ethics at the University of Manitoba, said, “[w]e should try to accommodate people who have objections, conscientious or scientific or even religious, where we can do so without compromising public safety and without incurring a disproportionate cost to society.”

Other experts, such as Ann Cavoukian, worry that being compelled to disclose vaccination status could jeopardize individuals’ medical information should it be shared with parties who are not equipped to protect it, or who may combine it with other information to discriminate against individuals. The Canadian Civil Liberties Association, for its part, has taken the stance that individuals should have the freedom to choose to be vaccinated or not, that no compulsions should be applied to encourage vaccination (e.g., requiring vaccination to attend events), and broadly that, “COVID is just another risk now that we have to incorporate into our daily lives.”

In situations where individuals are unable to be vaccinated, either due to potential allergic responses or lack of availability of vaccine (e.g., those under the age of 12), then it is imperative to ensure that individuals do not face discrimination. In these situations, those affected cannot receive a vaccine and it is important to not create castes of the vaccinated and unable-to-be-vaccinated. For individuals who are hesitant due to historical negative experiences with vaccination efforts, or medical experimentation, some accommodations may also be required.

However, in the cases where vaccines are available and there are opportunities to receive said vaccine, then not getting vaccinated does constitute a choice. As it stands, today, in many Canadian schools children are required to receive a set of vaccinations in order to attend school and if their parents refuse, then the children are required to use alternate educational systems (e.g., home schooling). When parents make a specific choice they are compelled to deal with the consequences of said decision. (Of course, there is not a vaccine for individuals under 12 years of age at the moment and so we shouldn’t be barring unvaccinated children from schools, but adopting such a requirement in the future might align with how schools regularly require proof of vaccination status to attend public schools.)

The ability to attend a concert, as an example, can and should be predicated on vaccination status where vaccination is an option for attendees. Similarly, if an individual refuses to be vaccinated their decision may have consequences in cases where they are required to be in-person in their workplace. There may be good reasons for why some workers decline to be vaccinated, such as a lack of paid days off and fear that losing a few days of work due to vaccination symptoms may prevent them from paying the rent or getting food; in such cases, accommodations to enable them to get vaccinated are needed. However, once such accommodations are made, decisions to continue to not get vaccinated may have consequences.

In assessing whether policies are discriminatory, individuals’ liberties as well as those of the broader population must be taken into account, with deliberate efforts made to ensure that group rights do not trample on the rights of minority or disenfranchised members of society. Accommodations must be made so that everyone can get vaccinated; rules cannot be established that apply equally but affect members of society in discriminatory ways. But, at the same time, the protection of rights is conditional and mitigating the spread of a particularly virulent disease that has serious health and economic effects is arguably one of those cases where protecting the community (and, by extension, those individuals who are unable to receive a vaccine for medical reasons) is of heightened importance.

Is this to say that there are no civil liberties concerns that might arise when vaccinating a population? No, obviously not.

In situations where individuals are unhoused or otherwise challenged in keeping or retaining a certification that they have been vaccinated, then it is important to build policies that do not discriminate against these classes of individuals. Similarly, if there is a concern that vaccination passes might present novel security risks that have correlate rights concerns (e.g., a digital system that links presentations of a vaccination credential with locational information) then it is important to carefully assess, critique, and re-develop systems so that they provide the minimum data required to reduce the risk of Covid-19’s spread. Also, as the population of vaccinated persons reaches certain percentages there may simply be less of a need to assess or check that someone is vaccinated. While this means that some ‘free riders’ will succeed, insofar as they will decline to be vaccinated and not suffer any direct consequences, the goal is not to punish people who refuse vaccination and instead to very strongly encourage enough people to get vaccinated so that the population as a whole is well-protected.

However, taking a position that Covid-19 is part of society and that society just has to get used to people refusing to be vaccinated while participating in ‘regular’ social life, and that this is just a cost of enjoying civil liberties, seems like a bad argument and a poor framing of the issue. Making this kind of broader argument risks pushing the majority of Canadians towards discounting all reasons that individuals may present to justify or explain not getting vaccinated, with the effect of inhibiting civil society from getting the public on board to protect the rights of those who would be harmfully affected by mandatory vaccination policies or demands that individuals always carry vaccine passport documents.

Those who have made a choice to opt-out of vaccination may experience resulting social costs, but those who cannot opt to get a vaccine in the first place or who have proven good reasons for avoiding vaccination shouldn’t be unduly disadvantaged. That’s the line in the sand to hold and defend, not that protecting civil liberties means that there should be no cost for voluntarily opting out of life saving vaccination programs.

Building a Strategic Vision to Combat Cybercrime

The Financial Times has a good piece examining how insurance companies are beginning to recalculate how they assess insurance premiums that are used to cover ransomware payments. In addition to raising fees (and, in some cases, deciding whether to drop insuring against ransomware) some insurers like AIG are adopting stronger underwriting, including:

… an additional 25 detailed questions on clients’ security measures. “If [clients] have very, very low controls, then we may not write coverage at all,” Tracie Grella, AIG’s global head of cyber insurance, told the Financial Times.

To be sure, there is an ongoing, and chronic, challenge of getting companies to adopt baseline security postures, inclusive of running moderately up-to-date software, adopting multi-factor authentication, employing encryption at rest, and more. In the Canadian context this is made that much harder because the majority of Canadian businesses are small and mid-sized; they don’t have an IT team that can necessarily maintain or improve on their organization’s increasingly complicated security posture.

In the case of larger mid-sized, or just large, companies the activities of insurers like AIG could force them to modify their security practices for the better. Insurance is generally regarded as cheaper than security and so seeing the insurance companies demand better security to receive insurance is a way of incentivizing organizational change. Further change can be incentivized by government adopting policies such as requiring a particular security posture in order to bid on, or receive, government contracts. This governmental incentivization doesn’t necessarily encourage change for small organizations that already find it challenging to contract with government due to the level of bureaucracy involved. For other organizations, however, it will mean that to obtain/maintain government contracts they’ll need to focus on getting the basics right. Again, this is about aligning incentives such that organizations see value in changing their operational policies and postures to close off at least some security vulnerabilities. There may be trickle down effects to these measures, as well, insofar as even small-sized companies may adopt better security postures based on actionable guidance that is made available to the smaller companies responsible for supplying those middle and larger-sized organizations, which do have to abide by insurers’ or governments’ requirements.[1]

While the aforementioned incentives might improve the cybersecurity stance of some organizations the key driver of ransomware and other criminal activities online is its sheer profitability. The economics of cybercrime have been explored in some depth over the past 20 years or so, and there are a number of conclusions that have been reached that include focusing efforts on actually convicting cybercriminals (this is admittedly hard where countries like Russia and former-Soviet Republic states indemnify criminals that do not target CIS-region organizations or governments) to selectively targeting payment processors or other intermediaries that make it possible to derive revenues from the criminal activities.

Clearly it’s not possible to prevent all cybercrime, nor is it possible to do all things at once: we can’t simultaneously incentivize organizations to adopt better security practices, encourage changes to insurance schemas, and find and address weak links in cybercrime monetization systems with the snap of a finger. However, each of the aforementioned pieces can be done with a strategic vision of enhancing defenders’ postures while impeding the economic incentives that drive online criminal activities. Such a vision is ostensibly shared by a very large number of countries around the world. Consequently, in theory, this kind of strategic vision is one that states can cooperate on across borders and, in the process, build up or strengthen alliances focused on addressing challenging international issues pertaining to finance, crime, and cybersecurity. Surely that’s a vision worth supporting and actively working towards.


  1. To encourage small suppliers to adopt better security practices when they are working with larger organizations that have security requirements placed on them, governments might set aside funds to assist the mid-sized and large-sized vendors to secure down the supply chain and thus relieve small businesses of these costs.

Two Thoughts on China’s Draft Privacy Law

Alexa Lee, Samm Sacks, Rogier Creemers, Mingli Shi, and Graham Webster have collectively written a helpful summary of the new Chinese Data Privacy Law over at Stanford’s DigiChina.

There were a pair of features that most jump out to me.

First, that the proposed legislation will compel Chinese companies “to police the personal data practices across their platforms” as part of Article 57. As noted by the team at Stanford,

“the three responsibilities identified for big platform companies here resonate with the “gatekeeper” concept for online intermediaries in Europe, and a requirement for public social responsibility reports echoes the DMA/DSA mandate to provide access to platform data by academic researchers and others. The new groups could also be compared with Facebook’s nominally independent Oversight Board, which the company established to review content moderation decisions.”

I’ll be particularly curious to see the kinds of transparency reporting that emerges out of these companies. I doubt the reports will parallel those in the West, which tend to focus on the processes and number of disclosures from private companies to government and, instead, the Chinese companies’ reports will focus on how companies are being ‘socially responsible’ with how they collect, process, and disclose data to other Chinese businesses. Still, if we see this more consumer-focused approach it will demonstrate yet another transparency report tradition that will be useful to assess in academic and public policy writing.

Second, the Stanford team notes that,

“new drafts of both the PIPL and the DSL added language toughening requirements for Chinese government approval before data holders in China cooperate with foreign judicial or law enforcement requests for data, making failure to gain permission a clear violation punishable by financial penalties up to 1 million RMB.”

While not surprising, this kind of restriction will continue to raise data sovereignty borders around personal information held in China. The effect? Western states will still need to push for Mutual Legal Assistance Treaty (MLAT) reform to successfully extract information from Chinese companies (and, perhaps in all likelihood, fail to conclude these reforms).[1]

It’s perhaps noteworthy that while China is moving to build up walls there is a simultaneous attempt by the Council of Europe to address issues of law enforcement access to information held by cloud providers (amongst other things). The United States passed the CLOUD Act in 2018 to begin to try and alleviate the issue of states gaining access to information held by cloud providers operating in foreign jurisdictions (though did not address human rights concerns which were mitigated through traditional MLAT processes). Based on the proposed Chinese law, it’s unlikely that the CLOUD Act will gain substantial traction with the Chinese government, though admittedly this wasn’t the aim of the CLOUD Act or an expected outcome of its passage.

Nevertheless, as competing legal frameworks are established that place the West on one side, and China and Russia on the other, the effect will be further entrenching the legal cultures of the Internet between different economic and political (and security) regimes. At the same time, data will be easily stored anywhere in the world including out of reach of relevant law enforcement agencies by criminal actors that routinely behave with technical and legal savvy.

Ultimately, the raising of regional and national digital borders is a topic to watch, both to keep an eye on what the forthcoming legal regimes will look like and, also, to assess the extents to which we see languages of ‘strong sovereignty’ or nationalism creep functionally into legislation around the world.


  1. For more on MLAT reform, see these pieces from Lawfare

Overclassification and Its Impacts


Jason Healey and Robert Jervis have a thought provoking piece over at the Modern War Institute at West Point. The crux of the argument is that, as a result of overclassification, it’s challenging if not impossible for policymakers or members of the public (to say nothing of individual analysts in the intelligence community or legislators) to truly understand the nature of contemporary cyberconflict. While there’s a great deal written about how Western organizations have been targeted by foreign operators, and how Western governments have been detrimentally affected by foreign operations, there is considerably less written about the effects of Western governments’ own operations towards foreign states because those operations are classified.

To put it another way, there’s no real way of understanding the cause and effect of operations, insofar as it’s not apparent why foreign operators are behaving as they are in what may be reaction to Western cyber operations or perceptions of Western cyber operations. The kinds of communiques provided by American intelligence officials, while somewhat helpful, also tend to obscure as much as they reveal (on good days). Healey and Jervis write:

General Nakasone and others are on solid ground when highlighting the many activities the United States does not conduct, like “stealing intellectual property” for commercial profit or disrupting the Olympic opening ceremonies. There is no moral equivalent between the most aggressive US cyber operations like Stuxnet and shutting down civilian electrical power in wintertime Ukraine or hacking a French television station and trying to pin the blame on Islamic State terrorists. But it clouds any case that the United States is the victim here to include such valid complaints alongside actions the United States does engage in, like geopolitical espionage. The concern of course is a growing positive feedback loop, with each side pursuing a more aggressive posture to impose costs after each fresh new insult by others, a posture that tempts adversaries to respond with their own, even more aggressive posture.

Making things worse, the researchers and academics who are ostensibly charged with better understanding and unpacking what Western intelligence agencies are up to sometimes decline to fulfill their mandate. The reasons are not surprising: engaging in such revelations threatens possible career prospects, endangers the very publication of the research in question, or risks cutting off access to interview subjects in the future. Healey and Jervis focus on the bizarre logics of working and researching the intelligence community in the United States, saying (with emphasis added):

Think-tank staff and academic researchers in the United States often shy away from such material (with exceptions like Ben Buchanan) so as not to hamper their chances of a future security clearance. Even as senior researchers, we were careful not to directly quote NSA’s classified assessment of Iran, but rather paraphrased a derivative article.

A student, working in the Department of Defense, was not so lucky, telling us that to get through the department’s pre-publication review, their thesis would skip US offensive operations and instead focus on defense.

Such examples highlight the distorting effects of censorship or overclassification: authors are incentivized to avoid what patrons want ignored and emphasize what patrons want highlighted or what already exists in the public domain. In paper after paper over the decades, new historical truths are cumulatively established in line with patrons’ preferences because they control the flow and release of information.

What are the implications as written by Healey and Jervis? In intelligence communities the size of the United States’, information gets lost or not passed to whomever it ideally should be presented to. Overclassification also means that policy makers and legislators who aren’t deeply ‘in the know’ will likely engage in decisions based on half-founded facts, at best. In countries such as Canada, where parliamentary committees cannot access classified information, they will almost certainly be confined to working off of rumour, academic reports, government reports that are unclassified, media accounts that divulge secrets or gossip, and the words spoken by the heads of security and intelligence agencies. None of this is ideal for controlling these powerful organizations, and the selective presentation of what Western agencies are up to actually risks compounding broader social ills.

Legislative Ignorance and Law

One of the results of overclassification is that legislators, in particular, become ill-suited to actually understanding national security legislation that is presented before them. It means that members of the intelligence and national security communities can call for powers and members of parliament are largely prevented from asking particularly insightful questions, or truly appreciating the implications of the powers that are being asked for.

Indeed, in the Canadian context it’s not uncommon for parliamentarians to have debated a national security bill in committee for months and, when asked later about elements of the bill, they admit that they never really understood it in the first place. The same is true for Ministers who have, subsequently, signed off on broad classes of operations that have been authorized by said legislation.

Part of that lack of understanding is the absence of examples of how powers have been used in the past, and how they might be used in the future; when engaging with this material entirely in the abstract, it can be tough to grasp the likely or possible implications of any legislation or authorization that is at hand. This is doubly true in situations where new legislation or Ministerial authorization will permit secretive behaviour, often using secretive technologies, to accomplish equally secretive objectives.

Beyond potentially bad legislative debates leading to poorly understood legislation being passed into law and Ministers consenting to operations they don’t understand, what else may follow from overclassification?

Nationalism, Miscalculated Responses, and Racism

To begin with, it creates a situation where ‘we’ in the West are being attacked by ‘them’ in Russia, Iran, China, North Korea, or other distant lands. I think this is problematic because it casts Western nations, and especially those in the Five Eyes, as innocent victims in the broader world of cyber conflict. Of course, individuals with expertise in this space will scoff at the idea–we all know that ‘our side’ is up to tricks and operations as well!–but for the general public or legislators, that doesn’t get communicated using similarly robust or illustrative examples. The result is that the operations of competitor nations can be cast as acts of ‘cyberwar’ without any appreciation that those actions may, in fact, be commensurate with the operations that Five Eyes nations have themselves launched. In creating an Us versus Them, and casting the Five Eyes and West more broadly as victims, a kind of nationalism can be incited where ‘They’ are threats whereas ‘We’ are innocents. In a highly complex and integrated world, these kinds of sharp and inaccurate concepts can fuel hate and socially divisive attitudes, activities, and policies.

At the same time, nations may perceive themselves to be targeted by Five Eyes nations, and attribute effects to Five Eyes operations even when that isn’t the case. When a set of perimeter logs show something strange, or when computers are affected by ransomware or wiperware, or another kind of security event takes place, these less resourced nations may simply assume that they’re being targeted by a Five Eyes operation. The result is that foreign governments may both drum up nationalist concerns about ‘the West’ or ‘the Five Eyes’ while simultaneously queuing up their own operations to respond to what may, in fact, have been an activity that was totally divorced from the Five Eyes.

I also worry that the overclassification problem can lead to statements in Western media that demonize broad swathes of the world as dangerous or bad, or threatening for reasons that are entirely unapparent because Western activities are suppressed from public commentary. Such statements arise with regular frequency, where China is attributed to this or to that, or when Russia or Middle Eastern countries are blamed for the most recent ill on the Internet.

The effect of such statements can be to incite differential degrees of racism. When mainstream newspapers, as an example, constantly beat the drum that the Chinese government (and, by extension, Chinese people) are threats to the stability and development of national economies or world stability, over time this has the effect of teaching people that China’s government and citizens alike are dangerous. Moreover, without information about Western activities, the operations conducted by foreign agencies can be read out of context with the effect that people of certain ethnicities are regarded as inherently suspicious or sneaky as compared to those (principally white) persons who occupy the West. While I would never claim that the overclassification of Western intelligence operations is the root cause of racism in societies, I do believe that overclassification can fuel misinformation about the scope of geopolitics and Western intelligence gathering operations, with the consequence of facilitating certain subsequent racist attitudes.

Solutions

A colleague of mine has, in the past, given presentations and taught small courses in some of Canada’s intelligence community. This colleague lacks any access to classified materials and his classes focus on how much high quality information is publicly available when you know how and where to look for it, and how to analyze it. Students are apparently regularly shocked: they have access to the classified materials, but their understandings of the given issues are routinely more myopic and less robust. However, because they have access to classified material they tend to focus as much, or more, on it because the secretive nature of the material makes it ‘special’.

This is not a unique issue and, in fact, has been raised in the academic literature. When someone has access to special or secret knowledge they are often inclined to focus in on that material, on the assumption that it will provide insights in excess of what are available in open source. Sometimes that’s true, but oftentimes less so. And this ‘less so’ becomes especially problematic when operating in an era where governments tend to classify a great deal of material simply because the default is to assume that anything could potentially be revelatory to an agency’s operations. In this kind of era, overvaluing classified materials can lead to less insightful understandings of the issues of the day while simultaneously not appreciating that much of what is classified, and thus cast as ‘special’, really doesn’t provide much of an edge when engaging in analysis.

The solution is not to declassify all materials but, instead, to adopt far more aggressive declassification processes. This could, as just an example, entail tying declassification in some way to organizations’ budgets, such that if they fail to declassify materials their budgets are forced to be realigned in subsequent quarters or years until they make up for the prior year(s)’ shortfalls. Extending the powers of Information Commissioners, who are tasked with forcing government institutions to publish documents when they are requested by members of the public or parliamentarians (preferably subject to a more limited set of exemptions than exist today) might help. And having review agencies which can unpack higher-level workings of intelligence community organizations can also help.

Ultimately, we need to appreciate that national security and intelligence organizations do not exist in a bubble, but that their mandates mean that the externalized problems linked with overclassification are typically not seen as issues that these organizations, themselves, need to solve. Nor, in many cases, will they want to solve them: it can be very handy to keep legislators in the dark and then ask for more powers, all while raising the spectre of the Other and concealing the organizations’ own activities.

We do need security and intelligence organizations, but as they stand today their tendency towards overclassification runs the risk of compounding a range of deleterious conditions. At least one way of ameliorating those conditions almost certainly includes reducing the amount of material that these agencies currently classify as secret and thus keep from the public eye. On this point, I firmly agree with Healey and Jervis.

Shifting from Mendeley to Zotero: A Real PITA

(Photo by Andre Hunter on Unsplash)

Over the course of the pandemic I’ve finally built up a good workflow for annotating papers and filing them in a reference manager. Unfortunately, the reference manager that I’ve been using announced this week that they were terminating all support for their mobile and desktop apps and pushing everything into the cloud, which entirely doesn’t work with my workflow.

This means that I’m giving Zotero another shot (I tried them back when I was doing my PhD and the service wasn’t exactly ready for popular use at the time). On the plus side, Zotero has a good set of instructions for how to import my references from Mendeley. On the negative side, Mendeley has made this about as painful as possible: they encrypt the local database so you need to move back to an older version of the application and they then force you to manually download all of the documents which are attached to entries before the full bibliographic entries can be exported to another reference manager like Zotero. They have also entirely falsely asserted that the local encryption is required to comply with the GDPR which is pretty frustrating.

On the plus side, the manual labour involved in importing the references is done, though it cost me around two hours of time that could have been used for something that was actually productive. And Zotero has an app for iOS coming, and there is another app called PaperShip which interoperates with Zotero, which should cut down on the hopefully-pretty-temporary pain of adopting a new workflow. However, I’m going to need to do a lot of corrections in the database (just to clean up references) and most likely have to start paying for another yearly subscription service given that the free tier for Zotero doesn’t clearly meet my needs. Two steps backwards, one step forwards, I guess.

Developing a Remote Work System

I have the privilege of working at a place where remote work has been a fact of life for some of our employees and fellows, whereas the bulk of us have worked out of a beautiful workspace. Obviously, the pandemic has forced everyone out of the office and into their homes and, with that, has come a forced realization that it’s important to get a lot better at handling remote work situations.

For the past few months I’ve been trying to collect and read resources to ensure that remote-based work, works. To date the most helpful resources have definitely been the huge set of resources that Doist has published, and their ‘book’ on leading distributed work forces in particular, as well as some of the publications by Steph Yiu based on her own remote work experiences at Automattic. I’m also slowly working through some of the work that’s come out of Basecamp, and I’m keen to dig into Remote: Office Not Required over the fall.

Some of the most valuable stuff I’ve picked up has been around re-thinking which communications systems make sense, and which don’t, and how to develop or maintain a team culture with new and old colleagues. And some of these things are really basic: when someone joins an organization, as an example, rather than just saying ‘hi’ or ‘welcome!’ over chat, all members of a team can instead state who they are, their position, some of their areas of responsibility, and one or two personal things. By providing more information the new team members start to get a feeling for what the rest of their team does and, through the personal attributes, a sense of who they are working with.

Given that many of us are likely to be working from our homes for the foreseeable future—and some of us permanently, even after the pandemic—it seems important for employers, managers, and employees alike to think through what they want to change, and how, so that we can not just enjoy the fact that we’re still employed but, also, that we’re working in ways that provide dignity and respect, and which are designed to best help us succeed in our jobs. We’re all 5-6+ months into the pandemic and we should be very seriously asking what kind of world we want to inhabit both throughout the rest of the pandemic, as well as afterwards, and we can’t keep saying that things are ‘unprecedented’ to excuse not trying to make our work environments better suited to the current and future realities we’re within.

Review of Happy City: Transforming Our Lives Through Urban Design

Rating: ⭐️⭐️⭐️⭐️⭐️

Montgomery’s book, Happy City: Transforming Our Lives Through Urban Design, explores how decades of urban design are destructive to human happiness, human life, and the life of the planet itself. He tours the world — focused mostly on Vancouver, Portland, Bogotá, Atlanta, and Hong Kong — to understand the different choices that urban designers historically adopted and why communities are railing against those decisions, now.

The book represents a tour de force, insofar as it carefully and clearly explains that urban sprawl — which presumed that we would all have cars and that we all wanted or needed isolated homes — is incredibly harmful. The focus of the book is, really, on how designing for cars leads to designing for things instead of people, and how efforts to facilitate car traffic have been antithetical to human life and flourishing. His call for happy cities really constitutes calls to, first and foremost, invest in urbanization and densification. Common social utilities, like transit and parks and community spaces, are essential for cities to become happy because these utilities both reduce commutes and increase socialization, and the presence of nature relieves the human mind of urban stresses.

While the book is rife with proposals for how to make things better, Montgomery doesn’t go so far as to argue that such changes are easy or that they can be universally applied everywhere. The infrastructure that exists, now, cannot simply be torn up and replaced. As a result he identifies practical ways that even suburban areas can reinvigorate their community spaces: key, in almost all cases, is finding ways to facilitate human contact by way of re-thinking the structures of urban design itself. These changes depend not only on — indeed, they may barely depend at all upon! — city planners and, instead, demand that citizens advocate for their own interests. Such advocacy needn’t entail using the language of architects and urban designers and can, instead, focus on words or themes such as ‘community’ or ‘safe for children to bike’ or ‘closer to community resources’ or ‘slower streets’ or ‘more green space’. After robustly, and regularly, issuing such calls then the landscape may begin to change to facilitate both human happiness and smaller environmental footprints.

If there is a flaw to this book, it is that many of the examples presume that small scale experiments necessarily are scalable to broad communities. I don’t know that these examples do not scale but, because of the relatively small sample-set and regularity at which Montgomery leverages them, it’s not clear how common or effective the interventions he proposes genuinely are. Nevertheless, this is a thought-provoking book that challenges the reader to reflect on how cities are, and should be, built to facilitate and enable the citizens who reside within and beyond their boundaries.

The Roundup for September 3-9, 2018 Edition

(Respects by Christopher Parsons)

Over the years that I’ve been engaging in photography, it’s largely been either a solo activity or undertaken with one or two close friends. I think it’s probably fair to say that, in the time I’ve been shooting, I’ve typically been the most enthusiastic photographer when I’ve been out. Most of my learning has been on my own, whether through watching YouTube videos, reading books, being inspired on Instagram, or visiting museums and art galleries.

I recognize just how amateur my shots are and, also, that I’ve barely scratched the surface of what I even can, let alone should or need to, learn, if I’m to improve the quality, kinds, and nature of my images. The past few years have been as much about learning basic camera functionalities, a set of tricks that I find enjoyable, some styling, basic editing methods, and muddling through composition. I have a lot of bad images but, increasingly, more and more that I’m satisfied with (and some I’m even happy with!). I can also see progress in what I’m shooting, year over year, so I’m confident that the images I’m producing are at least becoming more pleasurable for me to look at and enjoy, and that’s great given that I shoot for myself first and foremost.

However, this weekend I did something that was a bit scary for me: I joined a Toronto photography group and wandered around part of Toronto with them. There were a total of five of us, and I was by far the youngest and most amateur person there; some had been shooting for thirteen years longer than I’d been alive! But it was a really positive experience, insofar as I could see how people engaged with the environment according to what they found interesting. It was also an opportunity to see how people go about getting consent to take other persons’ photos: the thing that’s always kind of scared me about street photography is taking other people’s images, but how it’s (responsibly) done is a little bit clearer after the walk. The other reason the walk was great? All of the people who I was on the walk with were super nice and friendly and inviting to me, the newcomer.

I also appreciated the opportunity to wander with good company and for the express purpose of taking photos: there was a nice sense of camaraderie that I hadn’t experienced in this way before. That other people planned their recreation around photography — going to different locales, near and far, for the purpose of photographing the world while also enjoying where they were visiting — was inspiring because while I’ve read about, and listened to, people who are so committed to photography I’d never actually met such people in the flesh. In some respects it almost feels like I’ve found my ‘tribe’ of folks, and I’m looking forward to the next walk I’ll have with them to explore my photography (and city!) with the group.


Example of Journalling Style

I’ve been trying another journaling technique over the past week that’s inspired by an application I was referred to. Rather than producing elongated entries (the kind I’ve pretty well always written) I have the date along the left hand side of the paper, and then sentences with a major thing or thought that I had in the day beside it, with each sentence separated by a slash symbol (i.e. ‘/’). I’ve been finding it pretty useful for speeding up reflections, to the point that it takes about 3-5 minutes, whereas a longer entry has historically taken me 20+ minutes. These shorter journals won’t replace the more occasional longer journals — which tend to be more focused and in-depth on a given subject or issue — but I could see them as becoming a very regular part of my routine.


Inspiring Quotation of the Week

“How well you take criticism depends less on the message and more on your relationship with the messenger. It’s surprisingly easy to hear a hard truth when it comes from someone who believes in your potential and cares about your success.”

  • Adam Grant

Great Photography Shots

On the one hand, I think that Wire Hon’s shots with superheroes in everyday situations are just funny. But from a technical level I find what he’s doing pretty amazing: using forced perspective, he makes the toys appear as life-sized and involved with him, his family, and each other. Hon’s work is a reminder that you can do a lot of impressive work without photoshop if you just prep your scene effectively.

Music I’m Digging

  • ZHU – Ringos Desert // I’m really enjoying this for generally walking about but, in particular, when I’m heading to the gym.
  • Tash Sultana – Flow State // I really can’t get over how amazing the vocals and instrumentals are throughout this record. While I enjoyed Sultana’s earlier EP, Notion, this record is far more sophisticated.

Neat Podcast Episodes

  • Dissect (Season One) // I’m only partway through the first season of Dissect but I’m already blown away. The thesis of the show is that it will spend one season doing a deep dive analysis on a particular album. The first season kicks things off with a focus on Kendrick Lamar’s ‘To Pimp a Butterfly’. The depth of analysis that takes place on this show is exceptional: it shows how Kendrick’s lyrics build between albums and the relationships between tracks’ lyrics and his life growing up, as well as the playful multiple interpretations that come up routinely across the album. If you like Song Exploder then you’re probably going to love this show.
  • Clear and Vivid – Cheryl Strayed Shares Her Advice on How to Give Advice // I’m continuously impressed with Alan Alda’s work on developing better communication. His episode with Strayed, of Modern Love fame, emphasizes how having compassion and wanting the best for the person whom you’re giving advice to helps to develop empathetic bonds that facilitate communication. She also notes that in presenting oneself as vulnerable, advice that is provided tends to resonate more with the recipient because both parties are reducing the barriers between themselves.
  • CBC’s Ideas – It’s Alive (Frankenstein at 200) // Like most people, I was first exposed to Frankenstein through visual mediums and it was only much later in life that I read (and…forgot…) the actual novel. In this long-form piece, Ideas unpacks the significance and meanings within Shelley’s masterpiece. I came away from the episode with a deeper appreciation for the work and recognition of just how critical the book was of the scientific activities being undertaken at the time and, arguably, today as well.
  • CBC’s Ideas – The 2017 CBC Massey Lectures: In Search of a Better World, Lecture 5 // This was a beautiful, if hard, episode to listen to. The lecture is given by Payman Akhavan and explores the state of basic human dignity, the challenges faced by persons living in our time, the importance and value of human rights, and the hopefulness that humanity can strive to overcome its darkest impulses.
  • CBC Ideas – The Politics of the Professoriat: Political diversity on campuses // This was a maddening episode, where Ideas largely interviewed conservatives who assert that campuses are overly politically biased, and that there are things that students have identified as threats and harms that conservatives themselves scoff at. I include it because it’s important to listen to — and disambiguate — the kinds of issues that some conservatives raise about the problems of campuses; specifically, that social progress, integration, advancement of basic rights, and support for more multicultural and integrated systems are somehow problematic, as opposed to emphasizing the need for social order predicated on police forces and so forth. It was deeply disappointing that instead of opening some of the conservative thinkers’ positions to debate they were, instead, left to make assertions about the state of the academy without challenge.

Good Reads for the Week

  • Lonely City // Xu’s photoessay of longing and loneliness in Taipei felt like it hit all the right notes: the text was minimal and interspersed through a series of photos that were well-curated for the mood he was seeking to convey.
  • How the Dutch Do Sex Ed // In a comparison of Dutch and American policies towards sexual education, Rough finds that effective and comprehensive sexual education both reduces unwanted pregnancies (and decreases abortion rates), the spread of sexually transmitted diseases, and the rates of sexual violence. Given these benefits, it’s particularly heartbreaking that the current government in Ontario is adopting a regressive policy concerning sexual education in public classrooms, largely in a mirror of American politics linked to sex ed.
  • All of Toronto is getting older, but it’s tougher to age in the suburbs // May Warren’s opinion column focuses on the challenges of the elderly living in the suburbs, with a core problem being that those parts of the city were designed in the ’50s, ’60s, and ’70s with the assumption that residents will have cars. In effect, urban planning errors — which include not only not building sidewalks, but also failures to invest in transit and separation of living space from social and commercial space — continue to have serious impacts on the persons who try to live in the city. Despite the awareness of the problems in planning, however, Toronto as a city continues to prioritize cars by investing in road systems at the expense of improved cycling and walking spaces: lessons, seemingly, have yet to be learned about what is needed to keep the city itself safe and functional for all users, not just those who ride around in automobiles.
  • Teaching in the Age of School Shootings // Throughout this piece I felt like I was on the verge of tears, as teachers explained what they had done in the immediate aftermath of school shootings and the trauma that they tried to cope with following the event. It never ceases to amaze me that, despite the relative regularity of school shootings in the United States of America as compared to other countries, authors still are obligated to include language such as “[l]ess than 1 percent of all fatal shootings that involve children age 5 to 18 occur in school, and a significant majority of those do not involve indiscriminate rampages or mass casualties.” Despite the empathy of the piece, that the author had to include this language speaks to the fundamental bizarreness of American gun culture as juxtaposed with gun cultures elsewhere in the Westernized world.
  • Do You See Camera As A Photographer’s Tool Or A Gadget? // Robin Wong’s assessment of talking about photography equipment isn’t novel, per se, insofar as the idea that photos are more important than the gear used in making the photos. But he makes this argument with an honesty and enthusiasm that’s infectious and delightful.
  • Ming Thein’s Artist’s Statement, 2018 edition // While I can’t really imagine myself ever engaging in photography at the level that MT does, I find myself routinely inspired by his images and the thoughtfulness that permeates his work.
  • He Asked Permission to Touch, but Not to Ghost // In this Modern Love essay, Sanders recognizes that how ‘consent culture’ in the #metoo era has entered the bedroom can be stiff and challenging: the regular verbal requests for affirmation seem legalistic, as opposed to trying to read the situation and move ahead. And, more broadly, that the consent culture doesn’t extend to caring culture: it’s a caring of not violating physical boundaries, but doesn’t carry with it a caring of another’s emotional wellbeing when someone ghosts following a romantic encounter. With regards to the regular questions concerning consent, I think that some of that is linked with men just starting to figure out/learn what is or isn’t required or appropriate; it’s a social norm and set of behaviours that will evolve as men, who may not have previously sought clear consent, integrate consent into the ways in which they interact with their romantic partners. But the author’s broader issue — that consent culture isn’t caring culture — is an excellent point…depending on what the relationship is intended for; if it’s designated as a particular kind of physical relationship, expecting it to extend to something else is perhaps unfair for the other party involved. But where the relationship is predicated, first and foremost, on the potential or expectation of mutual care then the failure to act in a caring way is a violation of social norms…though not necessarily one that is, or should be, satisfied by consent culture.

Cool Things

  • Gluten Free Restaurant Cards: Eat Safely As a Celiac, Anywhere in the World // I know a bunch of people who have severe gluten sensitivities; these cards would be awesome for when they’re travelling the world.
  • Conserve The Sound // As our old technologies fade to the mists of time, this German website is collecting the sounds of classic electronics (mostly from the analogue and early-digital ages) so that we don’t forget their auditory characteristics.
  • Shed of the year 2018 finalists // Some of these sheds are absolutely amazing. But what’s more amazing is that there even is an 11th annual best sheds competition; stumbling across this kind of randomness reminds me of how the Web was once packed full of wackiness.
  • Warren Buffett’s 5/25 Rule Will Help You Focus On The Things That Matter // I appreciate how quickly this video outlines a method of setting goals (make 25, prioritize 5, exclusively work on those top 5 and only add another goal when one of the five is completed) but was left wondering about what constitutes a goal that can be ‘completed’: for open ended projects, aspirations, or goals, do they just get closed at some point? Or is it, instead, key that all goals have definable conclusions/points of ultimate success?