Watch this episode on YouTube.
Reasonably Accurate 馃馃 Transcript
Morning everybody. How are you doing today? Crazy, crazy episode today. I want to talk to you about cannabis, large scale security systems and unintended consequences. If you've been listening to me for more than 30 seconds over the last few months on mornings with Mark, you have obviously figured out that I am Canadian, whether I have apologized profusely for something or said a boot or roof a room or made some mention to the Great White North.
You know that I'm Canadian and as of today in Canada, cannabis is federally legal. A couple quick things about that. I don't want to dive into the politics of it, whatever your opinion on it. This is now a legal substance within the country of Canada.
What I want to talk about is the complexity of large scale security systems and how one decision has trickled down effects. So now that it's legal federally, the provinces all have different provinces and territories, all have different rules on how you can buy it.
But the vast majority of them allow online purchasing and the online purchasing is delivered through our post office through Canada Post. It turns out we've been able to buy booze through Canada Post for quite a while, but nobody really does it because it's easier just to walk to the store.
So this is really the first time at scale Canada Post will be handling a restriction substance, right? Totally legal, but it's not like anybody can just walk up. You need to be of age. The age is vast majority of the time across provinces, the age is 19 and there are limits on how much you can buy.
So there's still some controls around the substance. That's in stark contrast to the rest of the planet. For the vast majority of the rest of the planet is a flat out illegal substance, especially for our neighbors to the south where it's a controlled schedule, one substance just like MDMA or heroin.
So obviously, there's some significant international issues and we're going to tackle that in a second. So what I wanted to do and what kind of got my wheels, you know, turning as a security professional as I was looking at this issue overall was that now you have, so you need to be of age and they need to verify that they do that online.
The online sales are all based at least in Ontario through Shopify, which is a homegrown Canadian technology start up success and they're used to e commerce at scale. So there's no real issues around that. You attest that you are 19 years of age and that it's for your use.
You're not going to give it to kids, blah, blah, blah, and then you pay and they ship it to you Canada post handles that shipment and they're going to be I ding at the door. So that's the first thing that puts out of the normal what a system was designed for.
Um, the last mile delivery was never designed to verify age for a legal purchase. They were verifying like, ok, Mark, you live at this address, you can have this package or your partner lives at this address and they could have this package.
So there's a difference there. Right? So now you're asking one little thing and that doesn't really stress the system too much. But what if you miss that delivery? Now, those packages, like any package that you miss is going to the local post office depot and they're going to verify your ID when you get there.
Ok. Not, not really a problem except for the fact that you think that a lot of these post office depots are in drugstores in rural areas there in like the general store. So now you've got a location that has the potential to be having a lot of packages of a substance that, of quite a lot of interest to criminal elements, especially internationally because while it's legal here, it's not to the south, right?
Or, and it has good value on the underground markets. So there's a risk there, there's a physical security risk in that you're piling up, potentially piling up packages that contain this substance that's highly attractive. Right? You would have a similar issue if you had a depot that, you know, stocked ipads and iphones.
So we see that at the Apple stores, even though they keep their stock levels low to avoid. Exactly that. So that's the first thing. But then it started to bubble, you know, this one decision of legalizing federally starts to bubble up to a lot of other security questions, not problems necessarily, but questions.
So, can I check it into my bag if I'm flying? Well, if I'm flying within Canada, that should be legal just like booze. But if I'm flying internationally as soon as I cross the border, now I'm an international drug smuggler and that's illegal, highly illegal and carries significant serious penalties.
Same with crossing the border. And they're going to be asking questions about previous convictions. They're going to be asking questions about consumption and about investment in the industry and the industry that's entirely legal in your home country. But again, remember when you come to a border, you're actually asking permission to enter a country.
There's no requirement that they let you in. So they could say no based on your activities because it doesn't line up with laws in their country. So it's interesting that this one decision, regardless of what you think of it has had these snowball effects.
And we see this all the time. And the reason why I want to talk about on this show was that not just for the privacy aspect, which has been handled really, really well online, there's a lot of great warnings, um or not warnings but um, information.
Um as you're purchasing about what is happening with your personal information is kept for the minimal amount of time just to complete the transaction, that kind of thing to alleviate any concerns. Um But what's interesting is we see this all the time in it where somebody a decision that has these trickle down effects that starts to stress additional security controls that you never thought of.
So, you know, I deal with this one all the time when people go, ok, we're going to start rolling this out into the cloud. We're going to deploy a system into the cloud. Great, fantastic. That's really where everybody should be going.
But then the challenge is they go well, you know, Mark and Fred have the keys to the cloud account. What happens with their laptop? Now they're walking around with a laptop that potentially has access to all of this back end information into the production information that was only ever previously stored on site.
Is it bad? What are the consequences? How do we handle that and then further that and go well, wait a minute. What about if they're accessing that back end from their phone? How do we lock that down? And it's sort of this ripple down effect and it highlights, you know, a it's a very timely example, obviously with the legalization, but it's a very timely example of major challenge and security that we don't really do well at which is analyzing sort of this graph of risk.
So you have all these nodes on the points that we're pretty good about looking at the security, but then you have edges between these nodes trying to figure out that. OK. If I make a decision here, what's the impact downstream over here?
Bing bing bing bing bing, what is that cumulative? What is that overall comprehensive risk? How does that one decision trickle down? How does that one decision impact and adjust? And the real world impact of that is that we've seen this year especially, we saw it with Facebook most recently, with the 30 million users who had their tokens breached was that people are using multiple small vulnerabilities in different systems to escalate.
We saw that at several competitions over the last couple of years for researchers that are, they're chaining small bugs that you wouldn't necessarily treat as important to create a larger vulnerability. And again, it's this node and edge issue. So what I wanted to do today was really just highlight that as a security challenge.
Obviously, it's very timely because there's tons of questions and that's what's really, really interesting is that I would love to see the risk calculations behind the scenes at a federal level, at a law enforcement level within Canada based on this massive massive experiment and saying we're going to legalize this substance.
What was the risk factors? What was the risk calculus that said? OK, based on the fact that you're now legally allowed to have this and consume this. What about everything else that's been set up previously to stop that exact action? How does that impact?
Because it wasn't like you implemented a rule just to prevent people from consuming this one substance. It was a class of substances or a group of substances. So there's going to be a ton of trickle down effects a ton of edge cases, a ton of stuff litigated, a ton of stuff that's going to be have to dealt with by case by case basis until this clarifies.
That's you actively want to avoid in your it deployments because you don't want to make one decision of saying, hey, we're going to allow people to log in and that login stays active for 90 days. They don't have to re log in.
You don't want that decision to trickle down to create a vulnerability that is unacceptable to the business. So no, no edge, very much graph risk mechanics is an area that we're really weak on. I think, you know, today's announcement in Canada is something that's going to show you at a national scale, the consequences of that for better or for worse.
Um make sure that you're making smart and at least reasonably mapped out risk decisions in your it deployment in your organization. Because the last thing you want to do is make one decision that you think is for the best and have it have tragic consequences in the background.
Anyway, what do you know? What do you think? Let me know online at Mark NC A for those of you in the vlog in the comments down below. And as always by email me at Mark N dot C A again, we're not looking for a political discussion around this, the legalization of the substance.
We're not looking for your opinion on whether it was the right or wrong. What we're interested in is that, that how do you handle that graph of risk within your organization? We just use that the legalization as a, as a really pointed and um pa tangible example.
Um So let me know uh happy to have this discussion. I think it's really gonna be interesting. It's gonna be fascinating to see it play out. Um Have a great day and I will see you on the show tomorrow.