Archive for Canada

Canada’s Plan To Phase Out Gas Powered Cars By 2035 Is Unworkable… Here’s Why

Posted in Commentary on March 27, 2024 by itnerd

Last December, the Canadian Government announced a plan to phase out gas powered cars by 2035. In short, what the Canadian Government wants is to have all of us driving zero emission vehicles (which is another way of saying electric vehicles) by that point or shortly after that point. This is an attempt to reduce emissions and allow Canada to hit their climate change goals. Now to be clear, I am all for making the environment better and reducing the effects of climate change. But this plan to shift drivers to electric vehicles is not workable for a number of reasons.

Let’s start with the fact that a robust and easily accessible charging infrastructure doesn’t exist. While some homeowners who own electric vehicles have level 2 chargers at home, there are a lot who don’t or can’t do so. Yours truly for example lives in a condo that doesn’t have any charging infrastructure whatsoever. And that’s the same for those in apartments as well. And many building management companies aren’t willing to budge on that. So what that means is if I want to charge an electric vehicle, it may be a challenge as illustrated by this search that I did on Apple Maps:

You’ll see a lot of big green dots and smaller green dots indicating where an EV charger is located. Compare that to simply searching for gas stations:

There are a lot more blue dots (gas stations), big and small, than green dots (EV chargers), big and small. That means many people will find it a challenge at best to charge an electric vehicle. And that will hamper the sales of electric vehicles because humans will only adopt something if it is as easy or easier than whatever it is replacing. And right now, if someone can’t just pop out to a charger that’s a five minute drive down the road and get a charge that gets their car to at least 80% in well under an hour, they’re not going to get an electric vehicle.

That brings me to my next point: electric vehicles are too expensive. Anyone that I know who has an electric vehicle is also someone who is willing and able to spend luxury car money on a gas vehicle. Even the cheapest electric vehicles out there are out of the price range of the average consumer who typically buys a Honda Civic or something in that price range. And that factors in government rebates for buying or leasing an electric vehicle. Now I get why this is the case. Car companies aren’t selling them in high enough volume to enable them to bring the price of these vehicles down to affordable levels. In fact, some companies have shifted away from producing more electric vehicles to producing more hybrids, as those are actually selling. Until that changes, the needle on electric vehicle sales is going to move very slowly.

Sidebar: You should take Tesla out of the mix when it comes to companies who are shifting to making more hybrids as all Tesla makes are electric vehicles. Thus they have economies of scale working for them. Unlike every other car company that makes electric vehicles.

The next point that I’d like to bring up is the range of these vehicles. My 2016 Hyundai Tucson gets about 600 km on a single tank of gas. Sometimes more if I drive in a more “subdued” manner. That’s important, as buyers like me who want to drive electric vehicles want to get a similar range relative to what we get now with a gas powered vehicle. In fact, a KPMG study revealed that 80 per cent of Canadians wouldn’t “consider buying an EV unless it has a minimum 400 km range fully charged.” The problem is that many electric vehicles don’t get that range. Part of that is due to the fact that Canada is very cold for six months of the year. And cold weather has a negative effect on electric vehicles. Part of that is that you get reduced range in cold weather. Some people say about 30% less range. But there’s also the fact that the car might not work at all if it is too cold. I cite this example where many Tesla cars in Chicago wouldn’t work because it was too cold. Another somewhat related factor is that the range that an auto maker gives is often in “ideal” conditions. And none of us drive in “ideal” conditions because those “ideal” conditions are in a lab or on a test track. Which is another way of saying that you’re unlikely to see the range that the auto maker says you should get. Thus this is something that needs to be sorted before electric vehicles get adopted broadly.

Finally, there’s reliability. Electric vehicles generally are less reliable than gas powered cars, and this Consumer Reports article goes into the weeds on that. But let me cut to the chase here. Nobody is going to move to technology that is less reliable than what they have now. And that lack of reliability will slow electric vehicle adoption.

All of this makes Canada’s plan to move to zero emission vehicles by 2035 a non-starter in my mind. I honestly would love to be proven wrong on this. But as things stand right now, I don’t think so. The only way I might be proven wrong on this is if there’s a major course correction to make electric vehicles more affordable and more reliable, improve the charging infrastructure, and make the range more in line with gas powered cars. This is something that all parties in this space, meaning government and the car industry, need to tackle. And they need to start doing that today if that 2035 deadline is to be met.

Do you agree with me? Do you disagree with me? Leave a comment below and share your thoughts.

Canadian Government Wants To Ban The Flipper Zero To Stop Car Thefts… This Isn’t The Solution To This Problem

Posted in Commentary on February 11, 2024 by itnerd

Car theft in many parts of Canada is completely out of control. And to combat this, the Canadian Government has come out with the bright idea of banning the tools that thieves use to steal cars. That includes the Flipper Zero, which is a penetration testing tool that has been around for years. It uses multiple protocols, including RFID, radio, NFC, infrared, and Bluetooth, to allow someone to debug hardware or do penetration testing. According to the Canadian Government, this tool is the cause of the surge in car thefts.

You can see here that Flipper Zero isn’t happy with this decision. But the thing is that from my research, I can find lots of ways that a Flipper Zero can be used to steal cars. And I think tools like this are a problem and need some degree of regulation. But there are other ways of stealing cars. Carjackings have become commonplace here in Toronto. Take this example, or this example. Both in the last week. Then there’s the trend of home invasions where criminals break into homes and terrorize residents to steal cars. Such as this recent example. I suspect that carjackings and home invasions have become more prevalent because the preferred method of stealing cars, which is a relay attack, is becoming less and less effective because car owners are putting their car key fobs in Faraday cages and keeping them in areas of their homes that make relay attacks harder. Plus there’s the fact that car companies who are aware of this trend are trying to make their cars harder to steal. Because being known as a car brand that has a theft problem is bad for business. Just ask Hyundai and Kia, who have a huge problem with thefts related to “The Kia Boyz” TikTok trend.

Any solution for car theft in Canada needs to be more than just banning stuff. Sure, regulate the tech that is behind these thefts. But carjackings and home invasions are issues that are solved by other means. Like longer jail sentences for example. And there’s the fact that it is disgustingly easy for car thieves to export cars from Canada via Canada’s ports. Something that the Canadian Government kind of admitted and has finally decided to do something about. Fact is that there’s no one solution to this problem, and those in charge here in Canada need to figure that out and take action that means something rather than just picking on tech and calling it a day.

The Hack Of Global Affairs Canada Is Actually Pretty Bad

Posted in Commentary on January 31, 2024 by itnerd

After I posted this story earlier today, I started looking to see if I could find additional details on the pwnage of Global Affairs. And what I did find blew my mind. The National Post has a story that I’ll give you the TL;DR on, because you should really go read it for yourself to see how mind blowing this is.

This hack started on December 20th of last year when Global Affairs’ VPN was pwned by threat actors. But it wasn’t discovered until January 24th. That’s just over a month. And while that’s nowhere near as bad as 23andMe, who were pwned for months before they found out, it’s still bad because who knows exactly what these threat actors did in that time. But it is known that the threat actors accessed an unknown number of employees’ emails and data stored on personal and shared servers connected to the VPN.

Now while the Privacy Commissioner has been notified, there needs to be an investigation as to what in the blue blazes is going on at Global Affairs. I say that because the National Post points out that this is the second time that they’ve been pwned in the last two years. Which of course is bad, and indicates that they perhaps aren’t doing everything possible to keep the bad guys out.

Canada’s Global Affairs Department Gets Pwned

Posted in Commentary on January 31, 2024 by itnerd

This morning, the pwnage hits close to home. Canada’s Global Affairs department, which according to its website does the following:

We manage diplomatic relations, promote international trade and provide consular assistance. We lead international development, humanitarian, and peace and security assistance efforts. We also contribute to national security and the development of international law.

has been pwned in a cyberattack. Here are the details from CTV News:

There has been a data breach at Global Affairs Canada involving the personal information of some users, including employees, and affecting remote access to the department’s network, according to the department.

The government has confirmed the breach, amid media reports of an extensive cyber incident involving internal systems, citing unnamed sources within the department.

“The Government of Canada deals with ongoing and persistent cyber risks and threats every day,” reads the statement from GAC spokesperson Marilyne Guèvremont on Tuesday.

“Given its profile, Global Affairs Canada takes a proactive approach and employs a variety of security monitoring measures to detect and address potential risks.”

“The Department is closely monitoring the situation and is conducting an investigation into the matter,” Guèvremont added.

There’s really not a whole lot of detail here. Thus we can only guess how they got pwned, or how long it will take to restore their systems. And we can only guess how this will affect Canadians. Hopefully in the days ahead there will be more details released by the Canadian government that gives Canadians an idea of how bad this is, and what they will do to not get pwned again.

Canada’s Cyber Centre Contracts Grading Platform For Critical Infrastructure

Posted in Commentary on January 13, 2024 by itnerd

Yesterday, The Canadian Centre for Cyber Security said it contracted SecurityScorecard and intends to use its rating platform to rank cyber threats for the country’s critical infrastructure.
 
Instantly, any critical infrastructure entity can be graded with a rating from “A” through “F” using continuously monitored threat intelligence data. The scoring platform’s intention is to help the Cyber Centre educate critical infrastructure organization operators on the risks they face and assist them in remediating and measuring cybersecurity risks.

“According to the World Economic Forum, critical infrastructure remains the prime target for threat actors. Our partnership with SecurityScorecard provides us with authoritative and trusted data on critical infrastructure and insight to manage such risks at scale. […] This will help the Cyber Centre ensure we can provide tailored support to critical infrastructure owner-operators vital to the security of Canada,” Cyber Centre head Sami Khoury said in a statement.

The partnership “serves as a model for other governments to collaborate with the private sector to achieve real-time visibility into the cyber threats facing critical infrastructure,” said Sachin Bansal, SecurityScorecard’s chief business officer.
 
The scoring platform is only for critical infrastructure operators and won’t be made public.

Troy Batterberry, CEO and Founder, EchoMark:

   “Cyber threats in today’s digital landscape are becoming increasingly sophisticated and pervasive. The importance of implementing cybersecurity measures cannot be overstated. The Canadian Cyber Centre’s decision to leverage SecurityScorecard’s tools is a testament to the growing need for dynamic and data-driven approaches in protecting critical national infrastructure.

   “This partnership between the Canadian Cyber Centre and SecurityScorecard exemplifies the type of collaboration and commitment to cybersecurity excellence that we strive for in our own operations. By prioritizing the identification and mitigation of cyber risks, we not only protect our own assets but also contribute to the broader security and resilience of the industries and communities we serve.”

David Ratner, CEO, HYAS Infosec:

   “The protection of critical infrastructure is, not ironically, increasingly critical as we see cyber intrusions cross the chasm from simple financial damage and harm to significant impact on human life. Having the ability to grade critical infrastructure is a great start and paves the way for programs that standardize not just cyber protection but real operational resiliency.  Only by shifting the conversation from one around pure prevention to one focused on resiliency and continuity of service will we be able to truly protect critical infrastructure and, in doing so, reduce the potential for impact on human life.”

While the Canadian citizen in me wishes that a Canadian company could have been found for this, I do applaud this move. One of the best ways we make ourselves safer is to work together to secure as much as possible. So if this move helps to achieve a positive outcome, I am all for this.

Canadian Government Warns Of Data Breach Impacting 25 Years Of Public Service Employee Data

Posted in Commentary on November 20, 2023 by itnerd

In a press release on Friday, the Canadian government warned current and former public service employees and members of the Royal Canadian Mounted Police and Canadian Armed Forces that their personal and financial information may have been accessed in a data breach involving two relocation support companies.

The breach occurred on October 19th and affects federal government data that was held by Brookfield Global Relocation Services and SIRVA Worldwide Relocation & Moving Services. Data may include any personal and financial information provided to the companies from as early as 1999.

“Given the significant volume of data being assessed, we cannot yet identify specific individuals impacted,” said the release.

“The Government of Canada is not waiting for the outcomes of this analysis and is taking a proactive, precautionary approach to support those potentially affected.”

Jason Keirstead, VP Collective Threat Defense, Cyware had this comment:

   “Breaches that involve third-party subcontractors are increasingly one of the most challenging issues to manage on an organization’s risk register. One way an organization can reduce their own risk is by leveraging their capabilities to help protect their suppliers – for example by sharing both threat intelligence and defense information downstream with their supply chain.”

Given that Canada has very robust laws when it comes to this sort of thing, I fully expect that a robust investigation will take place. And I will be looking to see what the Canadian Government does to stop this sort of thing from happening in the future based on said investigation.

WeChat & Kaspersky Have Been Banned On Canadian Government Devices

Posted in Commentary on October 31, 2023 by itnerd

Citing security concerns, the Canadian Government has announced that WeChat and Kaspersky have both been banned on Canadian Government devices:

Effective October 30, 2023, the WeChat and Kaspersky suite of applications will be removed from government-issued mobile devices. Users of these devices will also be blocked from downloading the applications in the future.

The Chief Information Officer of Canada determined that WeChat and Kaspersky suite of applications present an unacceptable level of risk to privacy and security. On a mobile device, the WeChat and Kaspersky applications data collection methods provide considerable access to the device’s contents.

The decision to remove and block the WeChat and the Kaspersky applications was made to ensure that Government of Canada networks and data remain secure and protected and are in line with the approach of our international partners.

While the risks of using these applications are clear, we have no evidence that government information has been compromised.

Kaspersky didn’t waste any time in responding to this:

Kaspersky is disappointed with the decision by the Treasury Board of Canada Secretariat to prohibit the use of Kaspersky applications on government-issued mobile devices. This decision comes as a surprise, was made without any warning or opportunity for engagement by Kaspersky on the Canadian government’s underlying concerns, and is not based on any technical assessment of Kaspersky products – which the company continuously advocates for – but instead seems to be made on political grounds. 

I have not seen any reaction from WeChat. But I would imagine that they aren’t happy either. And I expect that there will be additional reaction coming from Russia as Kaspersky is a Russian company, and from China as WeChat is Chinese.

LockBit Pwns Commission des services electriques de Montréal… But The Victim Isn’t Paying Up

Posted in Commentary on September 1, 2023 by itnerd

On Wednesday, the LockBit ransomware gang took credit for an attack on the Commission des services electriques de Montréal (CSEM) — a 100-year-old municipal organization that manages electrical infrastructure in the city of Montreal.

The LockBit ransomware group has claimed credit (@FalconFeedsio) for an attack on the Montreal electricity supplier Commission des services electriques de Montréal (CSEM).

The company has confirmed the incident, saying it was hit with ransomware on August 3rd but refused to pay the ransom. It contacted authorities and law enforcement in Quebec, began efforts to restore its systems, and claims that its IT infrastructure has been rebuilt.

“The criminal group at work in this case has made public today some of the stolen data. The CSEM denounces this illegal gesture, while specifying that the data disclosed represents a low risk for both the security of the public and for the operations carried out by the CSEM,” they said.

While public utility companies offer ransomware groups a broad target, it does seem that the attackers have not been doing their homework. The company pointed out: “It should be noted that all CSEM projects are the subject of public documents. Therefore, all these plans – engineering, construction and management – are already publicly available through the official process offices in Quebec.”

Emily Phelps, Director, Cyware had this comment:

   “Public utilities are critical to our day-to-day life, and while this attack acted as more of a warning shot, it reinforces the importance of cyber resilience for business continuity. Ransomware groups leverage their reputations to intimidate targets, and they adapt as security controls mature. Expediting threat intelligence and knowledge sharing can help mitigate the risks for enterprises. The sooner the right people get the right information about a known threat, the sooner they can adapt their defenses accordingly.”

Dave Ratner, CEO, HYAS follows with this:

   “While the risk of data disclosure from this particular attack is low, as the company has pointed out, the attack nevertheless reinforces the need for all critical infrastructure providers to protect themselves.

   “Attackers will continue to develop new ways to infiltrate and evade security systems; the deployment of business and operational resiliency systems, such as Protective DNS and others, is the best way to proactively ensure business continuity.”

I am happy that Commission des services electriques de Montréal didn’t pay the ransom as that only encourages these threat actors. Hopefully they take the money that they saved themselves and invest in better defensive measures so there isn’t a repeat of this.

Teamsters Accuse CN Rail Of Secretly Tracking Their Employees’ Movements Via Company Issued Tablets

Posted in Commentary on August 24, 2023 by itnerd

This is one of those topics that I always thought would come up more often. CTV News is reporting that the Teamsters union is accusing CN Rail of tracking employees’ movements, even after hours, via the tablets that CN Rail issues to its employees, and of not disclosing that it was doing so:

The Teamsters Canada Rail Conference, which is the union that represents 5,500 Canadian National railway employees, alleges CN has been monitoring the whereabouts of a train operator outside of work hours through a company-issued tablet.

“It’s spying, it’s wrong and it’s illegal in our view” according to Teamsters Canada’s director of public affairs Christopher Monette, who adds “on top of it being creepy, it’s downright dystopian. It’s something that shouldn’t be happening.” 

The union says they have reason to be concerned that a large number of CN Rail employees may have also had their location tracked by the company during their own personal time after work. Speaking to CTV National News, Monette says that CN “didn’t tell us this was going on and they didn’t seek consent from workers to use geolocation data” from their company issued devices and believes CN was trying to keep their tracking methods secret.

“We only found out about this by accident, through a disclosure process where the company was forced to disclose why they were disciplining a worker,” according to Monette.

Now CN Rail doesn’t want to comment on this. But frankly I am not surprised. Tablets and phones issued by companies are often what are called “managed” devices. Meaning that the devices are enrolled in a type of software called Mobile Device Management software, or MDM for short. This software allows a company to do a number of things: get the status of the device, push out software updates, remote control the device for troubleshooting purposes, and, most relevant to this story, track the device’s location. Now a company may decide to use this software to track a device only if it is stolen. But I can see a scenario where a company may use this software to track a device at all times. If they disclose that up front, I guess that’s fine. But if they didn’t, you get this situation.

Now if you have a company issued device and are afraid of being tracked, there are very low-tech solutions to this:

Cyber security analyst and lawyer Ritesh Kotak believes employees who have a work phone, tablet or laptop should try and purchase their own personal devices to use off work hours.

“These high-tech problems have really low-tech solutions,” Kotak says.

He also says that he uses a tab to cover the camera on his work computer when he’s not on a video call. Kotak adds that, if possible, employees should turn their work devices onto airplane mode off work hours.

“It’s important to understand that information (from your devices) is being collected on a continuous basis by the employer, it’s probably being stored and there maybe third parties who have access to it.”

One thing to consider is that if you go this route, your company may complain at some point because the device isn’t on all the time. Another thing to consider is if you “BYOD” or bring your own device, and the company puts their MDM software on it, you could be in the same situation. So you may want to keep that in mind as well.

The bottom line is that if you use company property, or simply have their software installed on your own smartphone or computer, you should have no expectation of privacy. Ever. Unfortunate, but true.

Home Depot Gave Customer Data To Meta Without Customer Consent, Says Canadian Privacy Commissioner

Posted in Commentary on January 26, 2023 by itnerd

Home Depot is my go-to for anything I need to fix stuff around my condo. But perhaps I should rethink that, as the Canadian Privacy Commissioner has determined that Home Depot handed over customer data to Meta (aka Facebook) without consent from customers:

It is an issue highlighted in a recent investigation by the Office of the Privacy Commissioner of Canada (OPC) into Home Depot of Canada Inc. (Home Depot). By participating in Meta Platforms Inc.’s Offline Conversions program, Home Depot was found to be sharing details from e-receipts – including encoded email addresses and in-store purchase information – with Meta, which operates the Facebook social media platform, without the knowledge or consent of customers.

And:

The investigation found that Home Depot had been collecting customer email addresses at store checkouts for the stated purpose of providing customers with an electronic copy of their receipt since at least 2018. However, the investigation revealed that during this period, the encoded email addresses, along with high-level details about each customer’s in-store purchases, were also sent to Meta.

Information sent to Meta was used to verify if a customer had a Facebook account. If they did, Meta compared the person’s in-store purchases to Home Depot’s advertisements sent over the platform to measure and report on the effectiveness of those ads. Meta’s Offline Conversions contractual terms also allowed it to use the customer information for its own business purposes, including user profiling and targeted advertising, unrelated to Home Depot.

Each email address Home Depot shared with Meta was encoded so that it could not be read by individuals at Facebook. Meta employed an automated process that allowed it to match email addresses attached to Facebook accounts. Email addresses not already associated with a Facebook account could not be linked to individuals.

While the details of a person’s in-store purchases may not have been sensitive in the context of Home Depot, they could be highly sensitive in other retail contexts, where they reveal, for example, information about an individual’s health or sexuality.

During the investigation, Home Depot said that it relied on implied consent and that its privacy statement, accessible through its website and in print upon request at retail locations, adequately explained that the company uses “de-identified information for internal business purposes, such as marketing, customer service, and business analytics” and that it “may share information for business purposes,” including “with third parties.” Home Depot also relied on Facebook’s privacy statement, which explained the Offline Conversions program.

The OPC, however, rejected Home Depot’s argument as the privacy statements Home Depot relied on for consent were not readily available to customers at the check-out counter, and consumers would have no reason to seek them out. Moreover, the OPC found that Home Depot’s privacy statement did not clearly explain the practice in question.
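As an added illustration of the matching step the OPC excerpt above describes (this is not code from the post, from Home Depot or from Meta), the script below hashes normalised e-mail addresses and matches them against a partner’s account index, and then shows why an “encoded” address is still linkable by anyone who already holds the plaintext. The use of SHA-256, the normalisation rule, and every address, account id and purchase basket are assumptions and constructed sample data.

```python
"""Deterministic-hash e-mail matching of the kind the OPC describes.

Assumptions (not stated on the page): the "encoded" e-mail is a SHA-256
digest of the trimmed, lowercased address, and the receiving platform keeps
an index of the same digests for its own accounts. All data is constructed.
"""
import hashlib
from typing import Dict, List, Tuple


def normalize_email(addr: str) -> str:
    # Trim and lowercase so one person always produces one digest; without
    # this, "Alice@Example.com" and "alice@example.com" would never match.
    return addr.strip().lower()


def encode_email(addr: str) -> str:
    # The "encoding": a one-way digest. Nobody at the platform can read the
    # address back, but equal inputs always give equal outputs.
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


# Constructed sample: accounts the platform holds in plaintext.
PLATFORM_ACCOUNTS: Dict[str, str] = {
    "user-1001": "alice@example.com",
    "user-1002": "Bob.Smith@example.org",
}

# Constructed sample: e-receipts collected at the checkout.
RETAILER_RECEIPTS: List[dict] = [
    {"email": "Alice@Example.com", "basket": "lumber, paint", "total": 84.10},
    {"email": "bob.smith@example.org", "basket": "drill", "total": 129.99},
    {"email": "carol@example.net", "basket": "lightbulbs", "total": 12.50},
]


def build_match_index(accounts: Dict[str, str]) -> Dict[str, str]:
    # digest -> account id; built once on the platform side.
    return {encode_email(addr): uid for uid, addr in accounts.items()}


def export_for_partner(receipts: List[dict]) -> List[dict]:
    # What leaves the retailer: no plaintext address, but the purchase
    # details ride along with the digest.
    return [
        {"encoded_email": encode_email(r["email"]),
         "basket": r["basket"], "total": r["total"]}
        for r in receipts
    ]


def match_receipts(exported: List[dict],
                   index: Dict[str, str]) -> Tuple[List[dict], List[dict]]:
    """Split exported receipts into (matched to an account, unmatched)."""
    matched, unmatched = [], []
    for rec in exported:
        uid = index.get(rec["encoded_email"])
        if uid is None:
            unmatched.append(rec)          # no account: cannot be linked here
        else:
            matched.append({"user_id": uid, **rec})
    return matched, unmatched


def can_relink(encoded: str, candidate_plaintext: str) -> bool:
    # Anyone holding a candidate address can test it against the digest, so
    # this is pseudonymisation, not anonymisation.
    return encode_email(candidate_plaintext) == encoded


if __name__ == "__main__":
    idx = build_match_index(PLATFORM_ACCOUNTS)
    hit, miss = match_receipts(export_for_partner(RETAILER_RECEIPTS), idx)
    print(f"matched={len(hit)} unmatched={len(miss)}")
    for m in hit:
        print(f"  {m['user_id']} bought {m['basket']} for {m['total']}")
    print("carol relinkable by someone who knows her address:",
          can_relink(miss[0]["encoded_email"], "carol@example.net"))
```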

Now I have always been suspicious of getting e-receipts from companies, which is why I always prefer printed copies. This revelation makes me want to double down on never getting an e-receipt. Now I tried to find a comment from Home Depot or Meta but I couldn’t find one. Which in itself says something. But in the meantime, here’s what the Privacy Commissioner says that Home Depot has to do:

As a result of the investigation, the OPC recommended that Home Depot:

  • cease disclosing the personal information of customers requesting an e-receipt to Meta until it is able to implement measures to ensure valid consent;
  • implement measures to obtain express, opt-in consent from customers prior to sharing the information with Meta, should it resume the practice; and
  • ensure meaningful consent by providing customers requesting an e-receipt with key information regarding its sharing of information with Meta at the point of sale, and by strengthening its privacy statement to include a detailed explanation of its practices and how customers can withdraw consent.

It will be interesting to see if Home Depot complies with this. Because now that this is out there, Home Depot is going to have to deal with customers who do not trust them. And that’s not a good place to be in.