Category: Writing

Categories
Links Writing

CMHC again moves to tighten mortgage insurance rules as housing market cools

The government continues to engage in (somewhat) quiet actions to reduce its exposure to a mortgage or more general financial crisis. At this point we’ve seen shifts in EI, routine concern about Canadian debt levels and risk of increased interest rates, and now tightening of the mortgage insurance rules. CMHC’s decision parallel’s former Minister Flaherty’s earlier comments, summarized as:

Former finance minister Jim Flaherty had also expressed concern that CMHC had become too large a player in the market, needlessly exposing Canadian taxpayers to risk should there be a housing crash. The agency currently has about $560 billion in outstanding mortgage insurance on its books.

When/if there is a mortgage crisis in Canada that leads to substantial job loss, I don’t think Canadians are going to be thrilled by how their social infrastructures have been quietly reshaped around them. Or the relative lack of monetary policies that are the result of long-term low interest rates. Let’s hope nothing happens to make Canadians practically realize the implications of the past 3-4 years EI, monetary, and now CMHC changes.

Categories
Links Writing

Testing for “reverse” Heartbleed

Testing for “reverse” Heartbleed:

The Heartbleed vulnerabilityin OpenSSL allows a malicious TLS implementation to extract random chunks of memory from an unpatched peer. If you’re not up to speed on Heartbleed, check out the excellent documentation on that site andcheck your servers ASAPto see if you might be vulnerable.

Most of the attention around the Heartbleed attack has focused on the simplest and most obvious scenario: a malicious client attacking an HTTPS server to steal cookies, private keys, and other secrets. But this isn’t the only attack possible: a malicious server can also send bad heartbeat packets to a client that uses OpenSSL and extract data from that client. The TLS heartbeats used in this attack aresymmetric: they can be initiated by either the “client” or the “server” in a TLS connection, and both endpoints use the same vulnerable parsing code.

Importantly, even if the server that you are querying (e.g. Tumblr.com) is patched against this OpenSSL vulnerability the servers behind the front-end of the server may not be. As a result, payment gateways, agents responsible for fetching URLs, some identity federation protocols, and so forth may also be vulnerable. In Meldium’s tests, who have they announced was vulnerable?

  • An unnamed top 5 social network (we’re waiting for confirmation of their fix) that fetched our URL to generate a preview. The memory we extracted from their agent included results from internal API calls and snippets of python source code.
  • Reddit, which can use a URL to suggest a name for a new post, used a vulnerable agent that they’ve now patched. The memory we were able to extract from this agent was less sensitive, but we didn’t get as many samples because they patched so quickly (nice work!).
  • We registered a webhook to our malicious URL at rubygems.org to notify us whenever a gem was published. Within a few minutes, we captured chunks of S3 API calls that the Rubygems servers were making. After the disclosure, they quickly updated OpenSSL and are now protected (really nice work, especially from an all-volunteer staff!).

This is just a very, very small snippet of vulnerable parties. And given how many backend systems will simply not be updated for fear of breaking compatibility (e.g. in the case of payment gateways) this will be a long-term vulnerability.

SSL: the solution to a problem that is persistently generating problems unsolvable by SSL itself.

Categories
Links Writing

Stubborn negatives undermine Tories’ shot at another majority

Den Tandt writes:

Third, and most important: The Conservative government, read the prime minister, has ignored this glaring strategic reality: To counter a Trudeau-led Liberal party and a Mulcair-led NDP, the Conservatives needed to curb their anti-democratic tendencies — epitomized by omnibus bills and constant, intransigent resistance to compromise, which looks like the arrogance of long-held power — and make themselves credible on the environment. Unfortunately for their more moderate supporters, they have done neither; if anything, they’ve doubled down.

Core Conservative support, just under 30 per cent of the voting population, has kept the party more than solvent; but it can’t win it a majority. That is a fundamental problem for the Harper team, and one it has precious little time to solve.

While I’d like to agree that the current governing party of Canada’s anti-democratic approaches should cost it seats, if not the election, I have strong doubts. I often speak with Canadians (of various political stripes)  and ask whether they want decisive action (demonstrated in the form of the current government’s omnibus legislation) or a more drawn out periods of action as parties communicate to develop some kind of quasi-consensus on issues (often as characterized in a minority government situation). Save for the extremely rare person, most state a preference for decisiveness and regard omnibus legislation as efficient. The rationale is almost always that ‘government should be doing things, not stuck just talking for a long time and wasting taxpayer monies’.

Personally, I find such responses extremely depressing. But if my anecdotal conversations have any resonance with the broader Canadian public then I’d be doubtful that ‘anti-democratic’ approaches to governance will be what relieves the current governing party from power. Scandal, perhaps, but I don’t even think the Duffy affair is sufficiently scandalous to cost the government too much.

Categories
Links Writing

Should childhood vaccines be mandatory?

The Current ran an excellent piece yesterday on the importance of child vaccinations. Guests included Margaret Somerville (founding director of the McGill Centre for Medicine, Ethics and Law) and Paul Offit (head of Infectious Diseases and Director of the Vaccination Center at the Children’s Hospital of Philadelphia). One of his more memorable statements was:

Is it your inalienable right to catch and transmit a potentially fatal infection? I think the answer is no.

Towards the end of the interview the panelists were asked whether a distrust in authority promotes anti-vaccine attitudes. Both said yes. I tend to agree, but think that this response has to be put in a broader context: distrust in authority must be combined with a devastatingly poor science literacy amongst Americans and Canadians alike to appreciate the pushback against vaccination. In the US in particular there is rampant skepticism about basic truths about the development of the planet, of core scientific theories concerning biology, and a valourization of those who deliberately remain ignorant of these core scientific facts and theories. While the situation isn’t quite bad in Canada there remains pervasive failures in scientific education and distrust in medical doctors.

From a regulatory and public health standpoint the response to the ‘vaccine problem’ might be a more coercive public health agenda that actively works to improve ‘herd immunity’. But that would be correcting a symptom of a much broader problem: trust in authority and understanding of science. And there isn’t a clear political approach that’s likely to address this broader problem absent radical depolarization of the North American political climate and attempts to increase scientific literacy amongst children and their parents.

Categories
Links Writing

Canada’s spy agency helped prepare all-of-government approach in case Idle No More protests ‘escalated’: secret files

The report repeatedly emphasizes that the protests had been peaceful, but considers possible triggers for escalation. The sections of the documents that actually deal with what evidence the government had that the protests might have taken a violent turn, and what it would have done if that had happened, were not disclosed.

The report repeatedly emphasizes that the protests had been peaceful, but considers possible triggers for escalation. The sections of the documents that actually deal with what evidence the government had that the protests might have taken a violent turn, and what it would have done if that had happened, were not disclosed.

Given CSIS’s ongoing efforts to monitor for threats against national oil interests and other resource extraction companies and associated policies, it’s not necessarily a surprise that the security agency was focusing in on Idle No More. Native land is, after all, required to effectively mobilize resources across Canada.

This said, Canadians generally should be mindful that our security agency was “planning for every eventuality, concerned by the decentralized, leaderless nature of the protests and the multiple motivations and influences that drove them.“ Mindfulness is needed for two reasons: first, because CSIS’s concerns will likely lead to enhanced attempts to map communications patterns to divine ‘leaders’ and ‘centralization’ within activist groupings. Second, because CSIS’s activities are known to include stretching or breaking the law by lying to federal justices. CSIS’s targeting of Aboriginal groups shouldn’t be ignored by other Canadian citizens as not ultimately affecting them as well.

What might be most damaging about CSIS’s actions is how they will (continue to) damage relations between Canada and the Aboriginal people’s. Rather than trying to find a way of working with Canada’s native peoples the Canadian government has again classified them as prospective threats: that’s not how you develop a trusted negotiating relationship, let alone try to heal age-old wounds. And no matter how much surveillance CSIS engages in they can’t guard every mile of roads or pipelines that are used in extracting and transporting Canada’s natural resources.

Source: Canada’s spy agency helped prepare all-of-government approach in case Idle No More protests ‘escalated’: secret files

Categories
Writing

Theme Update/Simplified

So, ever since I did my last theme refresh here at Quirks in Tech I’ve actually been disappointed. I mean, the last refresh was better than what it replaced but still had a litany of issues around responsive formatting, header issues, and a lot of ugly cruft that I had to do (the theme that served as its base was…problematic).

The single most infuriating aspect of the previous theme, however, was its inability to properly format quotations. It made me angry each time I saw one at the site (as opposed to on the Tumblr dashboard).

A few days ago I massively revamped how the site looks. There are a few little niggles here and there that i need to tease out (and wow, is Tumblr ever weird to work in as someone more accustomed to dealing with WordPress) but on the whole stuff’s sorted out. It’s much, much more visually minimalistic while simultaneously being functional. And because it’s nice to look at, I’m here a lot more!

Categories
Links Quotations Writing

2014.4.18

In that “Binders Full of Women” program we did, we learned some of the reasons why it’s so hard to find female guests. For example, if we’re doing a debate on economics, 90% of economists are men. So already you’re fishing in a lake where the odds are stacked against you. And unfortunately, it’s the same for foreign affairs, politicians, the sciences, labour issues, and the list goes on. The vast majority of “experts” in the subjects we cover are men.

But we’ve also discovered there also seems to be something in women’s DNA that makes them harder to book. No man will ever say, “Sorry, can’t do your show tonight, I’m taking care of my kids.” The man will find someone to take care of his kids so he can appear on a TV show. Women use that excuse on us all the time.

No man will say, “Sorry, can’t do your show tonight, my roots are showing.” I’m serious. We get that as an excuse for not coming on. But only from women.

No man will say, “Sorry can’t do your show tonight, I’m not an expert in that particular aspect of the story.” They’ll get up to speed on the issue and come on. Women beg off. And worse, they often recommend a male colleague in their place.

Steve Paikin, “Where, Oh Where, Are All the Female Guests?

People are (fairly) critiquing Paikin’s language in his blog post. In particular, his comment that “we’ve also discovered there also seems to be something in women’s DNA that makes them harder to book” is drawing significant ire.

At this point I’ve given hundreds of interviews to journalists from all mediums, and from all over the world. What I’ve learned is that it is critical to simply be direct with a producer (who is often who you’ll be initially speaking with) to suggest how you could contribute to a given piece. A significant element of the interview process is the producer ascertaining if you’re a good ‘fit’ for the medium, if you have something interesting to contribute, and how to shape the story in question. Sometimes you’ll run into a producer who is very explicit about what they want: the narrative has been arranged before to speaking with you and you’re unlikely to change what’s in place very much. Other times you can shape the story as an expert.

I don’t know precisely how TVO tends to generally develop their stories, but in my very anecdotal experiences producers have tended to come with pretty specific stories or narratives in mind and are unable to significantly re-structure the discussion based on my input. The result has been that despite my willingness to do what Paikin suggests – do some side research to get caught up on the specifics of a topic that’s in my field of study – it’s often the case that I cannot ‘fit’. It may just be that I’ve always been a tertiary possible guest (as opposed to the headliner person(s) who might be more successful in shaping the story), or something common with how TVO conducts their operations. I don’t know.

In general, people are sometimes reluctant to deal with the media because the production timelines tend to be compact (e.g. get called in the morning, to appear on live television a few hours later and often with the guest incurring travel or child-care expenses) and people who aren’t used to – or don’t want to accommodate – this kind of chaos and expense might justifiably refuse to participate. Given that women in the workforce are routinely underpaid and expected to engage in equivalent or greater degrees of ‘productive’ work than their male counterparts, there is very practical workplace (to say nothing of home care duty) rationales for waiving off media interviews that have little to no clear benefit, and piles of possible downsides.

If TVO really wants to improve their female guest selection they should simply refuse to run shows where they cannot book at least X% female guests. And then do aggressive outreach with the employers of the women whom they want to have on the show: prove to employers that being on the show matters so that employers free up their female employees to speak on a given topic. It’s not enough to just target high-qualified women, you also have to ensure that the structures limiting their participation are also actively engaged and alleviated. Expecting women to just behave like men both ignores the contributions women can provide (i.e. they’re not men!) and the challenges that women have to overcome on a daily basis as compared to their male counterparts. Paikin should know that, and I suspect he does, but the tone of the post almost entirely devoid of such sensitivities.

In the interests of disclosure: I’ve been interviewed as a possible person to appear on The Agenda a few times, though never ultimately been selected to appear. The Agenda is one of the very few show’s I’ve actively watched for years, and I really really like it and generally respect Paikin and the entire crew. And I routinely suggest female colleagues that TVO (and other journalistic mediums) should speak with. I don’t know the ‘success’ rate of booking those colleagues.

Categories
Links Quotations Writing

2014.3.17

We agree that Cloud Computing, the Internet of Things, and Big Data analytics are all trends that may yield remarkable new correlations, insights, and benefits for society at large. While we have no intention of standing in the way of progress, it is essential that privacy practitioners participate in these efforts to shape trends in a way that is truly constructive, enabling both privacy and Big Data analytics to develop, in tandem.

There is a growing understanding that innovation and competitiveness must be approached from a “design-thinking” perspective — namely, viewing the world to overcome constraints in a way that is holistic, interdisciplinary, integrative, creative and innovative. Privacy must also be approached from the same design-thinking perspective. Privacy and data protection should be incorporated into networked data systems and technologies by default, and become integral to organizational priorities, project objectives, design processes, and planning operations. Ideally, privacy and data protection should be embedded into every standard, protocol, and data practice that touches our lives. This will require skilled privacy engineers, computer scientists, software designers and common methodologies that are now being developed, hopefully to usher in an era of Big Privacy.

We must be careful not to naively trust data users, or unnecessarily expose individuals to new harms, unintended consequences, power imbalances and data paternalism. A “trust me” model will simply not suffice. Trust but verify — embed privacy as the default, thereby growing trust and enabling confirmation of trusted practices.

Ann Cavoukian, Alexander Dix, and Khaled El Emam, “The Unintended Consequences of Privacy Paternalism

I’m generally sympathetic to the arguments made in this article, though there are a series of concerns I have that are (I hope) largely the result of the authors trying to write an inoffensive article that could be acted on by large organizations. To begin, while I understand that Commissioner Cavoukian has developed her reputation on working with partners as opposed to tending to radically oppose corporations’ behaviours I’m left asking: what constitutes ‘progress’ for herself and her German counterpart, Dr. Dix?

Specifically, Commissioners Cavoukian and Dix assert that they have no intention to stand in the way of progress and (generally) that a more privacy-protective approach means we can enjoy progress and privacy at the same time. But how do the Commissioners ‘spot’ progress? How do they know what to oppose and not oppose? When must, and mustn’t, they stand in the way of a corporation’s practices?

The question of defining progress is tightly linked with my other concern from this quoted part of their article. Specifically, the Commissioners acknowledge that a ‘positive-sum’ approach to privacy and progress requires “skilled privacy engineers, computer scientists, software designers and common methodologies that are now being developed, hopefully to usher in an era of Big Privacy.” That these groups are important is true. But where are the non-engineers, non-software designers, and (presumably) non-lawyers? Social scientists and arts and humanities scholars and graduates can also contribute to sensitizing organizations’ understandings of privacy, of user interests, and the history of certain decisions.

Privacy isn’t something that is only understandable by lawyers or engineers. And, really, it would be better understood and protected if there were more people involved in the discussion. Potential contributors to the debates shouldn’t be excluded simply because they contest or demand definitions of ‘progress’ or come from a non-lawyerly or computer-development background. Rather, they should be welcomed as expanding the debate outside of the contemporary echo chamber of the usually-counted disciplinary actors.

Categories
Links Quotations Writing

2014.3.14

At its core, respecting the user means that, when designing or deploying an information system, the individual’s privacy rights and interests are accommodated right from the outset. User-centricity means putting the interests, needs, and expectations of people first, not those of the organization or its staff. This is key to delivering the next generation of retail experience because empowering people to play active roles in the management of their personal data helps to mitigate abuses and misuses. To this end, Aislelabs provides an opt out site that allows individuals to choose not to have their retail traffic data included in any anonymous analytics.

Quotation from “Building Privacy into Mobile Location Analytics (MLS) Through Privacy by Design” (.pdf)

It’s incredible that any company – let alone a Canadian Privacy Commissioner – would claim that an opt-out mechanism for hidden and secretive tracking technologies (i.e. monitoring your mobile devices as you walk through the world so retailers can better sell you things) constitutes “putting the interests, needs, and expectations of people first, not those of the organization or its staff.” For such an assertion to be valid the ‘people’ should be given the opportunity to opt-in, not out, of a surveillance system that few will know about and fewer will understand. There are vast bodies of academic and industry literatures which show opt-out mechanisms generally do not work; they’re not effectively centralized and they add considerable levels of friction that hinder consumers’ abilities to express their actual interests. And that’s just fine for many retailers and analytics companies because they’re concerned with turning people into walking piggy banks, not with thinking of individuals as deserving any semblance of a reasonable expectation of privacy.

Categories
Links Writing

Provincial Liberals Policy Launder for Federal Conservatives?

David Eby, formerly with the British Columbia Civil Liberties Association and now a MLA with the NDP, has written a brief piece about forthcoming BC provincial legislation. The Missing Persons Act would let provincial authorities:

issue emergency orders to telephone companies and internet service providers to get access to your browsing history, text messages, e-mail, voice mail, banking records, you name it. If the companies or individuals don’t consent to the access, police can go to court without notice to you to get your records ordered to be handed over. Any record you can think of is covered by the new law.

However, there would be no notice to the individual(s) affected that such a request had been made, regardless of whether it was appropriate.

This kind of concern over finding missing people before they’re formally missing is something that the federal government of Canada has previously used to justify its lawful access legislation. Access to subscriber data (though less expansively than envisioned under the BC legislation) was presented as useful in missing persons’ cases, to return stolen property, and more. To date, the federal government has failed to push through its lawful access legislation, though the recent version (C-13) is scheduled for second reading in the coming weeks.

Of note, the BC Liberal party has a substantial number of past-lieutenants from the Prime Minister’s Office that have passed through. Also, the Chief Constable of Vancouver has been amongst the most fervent advocates for the federal lawful access legislation. As such, I have to wonder how much the proposed BC Act is an attempt to address genuine provincial issues and how much it is meant to quietly start introducing or laundering a flavour of the federal lawful access legislation. I also have to wonder if, after this legislation is passed, the Chief Constable of Vancouver will back off of his federal advocacy: was he trying to solve a particular provincial issue by way of lobbying for changes to federal laws?

It’s quite sad, though, that the meagre consensus that was achieved in the federal lawful access fights – that there would be some reporting system, however sad – was excised by the BC Liberals. It’s hard to claim transparency as a political party when you actively undermine attempts to inject it into new (to say nothing of previously past) legislation.