Monday, 21 November 2016

Shutting down Canario

On December 16th, I intend to shut down Canario (formerly Canary)--and by “Canario”, I mean the service, not the company, of which I will explain later.

The reasons for this are simple: I am starting a new project in the new year and unfortunately cannot put effort into it without removing something else--and with that, Canario has to go.

The decision has been quite difficult because it has taught me a lot about what I can do as a single individual, but at the same time it also taught me of my limitations. I’ve had a few people work with me on Canario over the course of the past four years, but the vast majority of its heavy lifting, maintenance, development, and research has been me and me alone. Overall it has been a tiring experience, but far from anywhere near a regret and really rewarding.

The journey towards ending it started around the summertime when I was playing around with the idea of rebuilding it to be more like other services such as HaveIBeenPwned. I like how Troy Hunt has gone and made it very simple but one aspect I’ve always found lacking about it was that using it for research purposes was very limited. Having said that, his goal isn’t to provide those capabilities but rather to help inform those of when their information has been compromised and or exposed.

As I had gone about in developing this this new capability, I had been sitting on an idea completely different from Canario but kept thinking about it as just a novel idea with little additional thought. However, in September, I found myself looking into the idea a bit further, doing some research into other similar things (I am being vague here yes) that were otherwise lacking in features. I came to the conclusion that this idea would be something worth pursuing. I can make it fund itself with a lot less effort and be able to get people involved with again a lot less effort.

Circling back, Canario has four big problems for me:

  1. The type of data I am working with is never uniform and never will be. Someone posting a data dump on Pastebin or any other service is going to almost always have it in some unique format where there may be similarities to past dumps, but never enough for me to just automate to near perfection.
  2. Getting exposed data that isn’t publicly available has so many complications. I have become pretty adept at finding this data, but trying to get people to come to me with that data in the same way others have succeeded has proven to be unsuccessful on my part.
  3. Trying to get others on-board to work with me has been difficult at best. I’ve had cases where people wanted to get involved but wanted to have strings attached or where they wanted to contribute data but I wasn’t permitted to sell access to it.
  4. Other people and organisations are doing a better job than me and will continue to do so.

The latter part is really more of a sore point as I have tried to reach out to people but being that by the time I had started to do this, there were others in the space already and trying to improve what I had already done was going to be difficult.

To add to this, I was funding the project out of my own pocket and contributing my free time, so in some ways I wonder if I was being blinded by my egotism to go about it my own way and not let others interfere. One of the difficulties I had overall was trying to come up with a model that would allow it to be self-financed, but every time I’d come up with a model that could work I found it to be very onerous and likely to be of no benefit in the long term.

Having said all that, Canario taught me database design dos and don’ts (and also taught me to hate MySQL and embrace Postgres), allowed me to speak at conferences, has gotten me cited in the media, and it even gave me an opportunity to speak at Facebook to talk about threat intelligence, a topic that I have a lot of mixed opinions about.

So what next?

First of all, when I do close off the service, it’ll just be a hard shutdown. As it stands right now, I have not added any new data since November 15th and I will be leaving it all in place until sometime on December 16th. All user accounts and associated data will be permanently deleted as I do not wish to hold on to this data any further. I’ll do my best to clear up any backup data I have sitting around but for certain the live data will be gone.

All data that has been collected will no longer be available via the site--so search and data viewing will cease to function. If there are requests for copies of the database (again, without user data), I’ll consider them but likely it will not be free and will be as-is--if you plead your case on the “not free” part I’ll hear it.

Second of all, I am starting a new project and I am trying to get others involved. It’s not a pure information security project but at the same time it’s the core aspect of it. I want to make it easier for schools and small businesses to be able to do specific things. Additionally, Canario will continue as a legal entity, acting as a parent to the project.

Obviously right now I am being a bit hush-hush on this idea of mine, but if you’re interested in working with me on this and understand networking and cryptography, let me know--there’s your hint to what I am working on. Aspects of it are going to be open-source.

Monday, 14 November 2016

Why I left Vancouver Hack Space


I recently became aware a fellow former member of Vancouver Hack Space (VHS)'s blog post about alternatives to the hackerspace in light of it becoming a rather toxic environment. A few years ago, I had penned a draft piece about why I chose to leave but never bothered to publish it. After having seen someone else's disgust for what it has become, I have decided to speak up.

One way to start is to show what VHS looked like in 2009 when I had originally joined (my old iBook is visible in the shot too):


This was the first un-shared physical space that VHS occupied, a room that was barely larger than my living room being used by twenty or so people who all had the same goal in mind: do cool shit. On my first night there, I was enamoured and immediately signed myself as a member.

For me, it was the start of a lot of things: I met a lot of great people, made friends, furthered my own career, and learnt new things--it contributed to me being a better person overall. When I found myself working downtown after leaving my job in Surrey, I was able to put more time into the space and was able to leave work and go straight there to hangout.

VHS had spun up a lot of cool projects or was at least the catalyst for bigger things. The best one I can think of is Mini Maker Faire Vancouver, which otherwise may have never happened if it weren't for the space. Two startups come to mind that have changed the personal lives of members for the better and again it may have not been this way if it were not for VHS' existence.

I think that around the time that VHS started to need a new space and that there were new members coming in was the time I started to lose interest in being an active member. For a while, I would still go on a regular basis, but found myself as time went on that the space was changing and it was changing for the worst. When it left its location on Hastings Street for a larger one on East 1st Avenue, it was pretty much the end for me and the place because it had already become something that it shouldn't have been.

The aforementioned blog piece I mentioned stemmed from a variety of abuses directed at someone who spoke out. This was posted to the members-only discussion forum back in May:
Someone cleaned out my locker and stole some of the items in the locker, others item ended up in the drop box. This happens between Thursday May 5th, and May 11th. My locker was not locked, but was labeled with my name and there was a note in the locker that said "[person's] locker, not free, not available"
You have a thief and an asshole at the space. More bad people.
I don't suggest leaving anything of value at the space any more.
Back when VHS was smaller, this behaviour where items were stolen was exceedingly rare to the point where it was more often things getting misplaced, borrowed, or general ignorance--and even then I am failing to remember if and when these circumstances. We were generally better at keeping assholes out of the space and I would argue that until the move away from Hastings Street that the unwritten policy for how it was done went fairly well.

An example of a toxic individual being removed successfully was one person who came to the space in 2012 for one of our Super Happy Hacker Houses (SHHH). This was a periodic event we'd host where we'd have a keg, some music, lots of people, and then the later part of the evening devoted to three minute lightning talks where one could talk about whatever cool topics we had in mind--I had previously given talks on generating tripcodes, lock-picking, and Python to name a few.

This individual that evening chose a rather thoughtless talk: stealing credit card numbers from the wireless network at the Vancouver Public Library. It didn't get too much attention as it was towards the tail end of the evening, but it continued on the IRC channel later on. I ended up calling this person out on this, citing that it was fairly idiotic from an operational security point of view to openly admit that you were looking to commit fraud. His response was to use some uncreative insults, resulting in his removal from the IRC channel and was then made aware that he was not welcomed at VHS.

I'd say that this person's story with me ended there but he would later attempt to include himself in VanCitySec a few years later, resulting in him being removed from the IRC channel as well. He was then removed from being able to attend BSides Vancouver and then finally removed from OWASP's Vancouver chapter after he went off on the organizers and the speaker after the event had concluded when someone had enough of him interrupting their conversations. At an extreme level, he even managed to get a visit by the local police after he had admitted to intrusion on the wireless networks of the local transit agency.

It didn't help that later on I found out that he was harassing a friend of mine at a local meetup.

To this day, I still get him periodically showing up in the various Freenode channels I am in, taunting me over some non-existent botnet that he suspects I run. In almost all cases he ends up getting himself removed from the channel after I realise who he is.

In fairness, I do believe that he has some rather difficult problems to overcome (I have had people show me some aspects of his personal history that were troubling), but one of the things that I have learnt is that even if you know a reason for why someone exhibits shitty behaviour towards you or someone else, it is not something you have to sign up for and you should be able to remove that person if you feel it is necessary.

The reason why I bring up this person in particular is because he was the final straw for me deciding to leave the space: he was making an appearance again and I was finding it problematic that nobody was enforcing the ban--this was before the remarks about OWASP and the local meetup I should add.

When I spoke up on the mailing list, the response I got from someone who later ended up having someone at the space call the police on them was that he had every right to be in there--funny how assholes defend other assholes. At a meeting, he was eventually formally banned but after a year the ban had apparently expired in space's own words "[person] has since expired and he is welcome back at VHS".

I recently learnt that he had joined the hackspace after another encounter with him on Freenode, citing that I was an impediment to his membership. Of course, when he was banned in the first place, I had three people contact me privately letting me know that whatever decision VHS made would influence whether or not they'd be members.

This is not the only story involving harassment that I could bring up but this one I have first-hand knowledge of. I'm also exempting his name from this entry because I do not wish to attract his attention.

One of the things I can point out is that the whole makeup of how VHS is run and operated has changed since its beginnings. I'll use this photo as an example from the 2014 AGM:

Photo: VHS AGM 2014 Group Photo

In this photo, there are twelve men. I don't take exception to seeing twelve men but I damn well know that in the past we had women as members, especially who served as board members--I'll clarify something about how this "board" works or rather used to in a bit. Hell, even the aforementioned Maker Faire event was put on for the first few years by someone who I cannot say enough good things about her in terms of creativity and organizational skills. The fact that in 2014, six years after VHS was founded that it would still show a mostly male face even though it is apparent there are female members and those from the LGBTQ community amongst the membership is downright distressing.

The board that VHS has was originally created to satisfy the requirements of the Societies Act, a law that governs non-profits and other like-minded organizations in British Columbia. I served two years on the board and we only officially met when it was time for our annual general meeting, which again was a requirement of the act. Its sole purpose was to satisfy those legal requirements and to make insurance easier for us to get, but since then the board has morphed into an overseeing eye, drafting policy and everything, which was beyond what VHS was meant to be.

All in all, by the time that the person was banned after discussion amongst members of the space, the board had become something that oversaw everything and VHS was something that it wasn't when I first joined five years earlier. The writing on the wall should have been apparent when walls were erected to keep the woodworking away from the rest of the space that things were going to change. When the ham operator group formed within VHS and wanted to form a society within the society for the purposes of getting government grants for themselves and themselves alone, I knew that my time was done.

Since then, I have visited the space once at its Cook Street location and while it definitely is still a hackerspace, the original vibe it had years prior is not there. It doesn't feel like it's doing anything challenging and while there members there I still respect and chat with periodically, I cannot say that I want anything to do with the organization.

Today, I find myself going to VanCitySec, other local security events, and am friends with people who share the same ethos that I do, but it is really saddening that a space like VHS in 2009 is no more and I believe that the only reason it died was because it wanted to be everything to everyone. The original space is something I truly miss.

Sometimes it's hard to notice that you're becoming a victim of your own success and eventually you miss the forest from the trees.