My Security Disclosure

This website is operated by Marc Moisan (me), and reports of any vulnerability in my website are most welcome.

Reports and Rewards

If you learn of a security breach, or a possible exploit that could affect my website, please contact me. I will investigate legitimate reports from security researchers and make every effort to quickly resolve any vulnerability. I would also appreciate any suggestions or recommendations on what I should do to correct the reported issues. While no monetary reward is promised, any report that ultimately results in the prevention of a breach or exploit against my website will be looked upon favorably for a reward.

Hacking

In Canada, fraudulently obtaining any computer service or intercepting any function of a computer system is a criminal offence. The use of a computer system with intent to commit such an offence and the use or possession of a computer password to enable such an offence also constitute a criminal offence.[1] I would personally consider accidental, good faith trespasses to be permissible as long as there are no privacy violations, destruction of data, or interruption or degradation of services. However, the server where my website resides is not owned by me; it is operated by 7081936 Canada Inc., which trades under the name Web Hosting Canada. As such, it isn't within my authority to permit access, and they may choose to initiate a complaint to law enforcement for any unauthorized access to their computer system.

Past Incident

A major incident occurred on the morning of 28 August 2021 at the Montreal data centre where the server hosting my website was located. It appears that an individual with a third-party service provider used their privileged account access to connect to one of the management portals and, without authorization, initiated server re-imaging on some of the backup servers, then on some of the production servers.[2] This resulted in the server having both its local storage and its external backup storage heavily damaged. My website was among the most affected accounts. The individual responsible was identified, and it was confirmed that the incident was not a ransomware attack and that there is no indication that data of any kind was ever downloaded, exported, shared, or exposed.[3]

Transport Layer Security

Because there has been evidence that the capabilities and activities of attackers are greater and more pervasive than previously known, the Internet Architecture Board now believes it is important to make encryption the norm for Internet traffic.[4] Consequently, my website has a certificate issued by ZeroSSL and is capable of establishing a TLSv1.3[5] connection to secure Hypertext Transfer Protocol communication. This should give visitors to my website the assurance of authentication (truly my website), confidentiality (no eavesdropping), and integrity (not tampered with).

References

  1. Criminal Code, R.S.C. 1985, c. C-46, s. 342.1, as amended by the Criminal Law Amendment Act, 1985, R.S.C. 1985, c. 27 (1st Supp.), s. 45; Criminal Law Improvement Act, 1996, S.C. 1997, c. 18, s. 18; and Protecting Canadians from Online Crime Act, S.C. 2014, c. 31, s. 16.
  2. Emil Falcon, Major Incident: What happened? (https://whc.ca/blog/major-incident-what-happened/ : 30 August 2021).
  3. Emil Falcon, Statement - Where are we now? (As of Sept 2) (https://whc.ca/blog/statement-where-are-we-now/ : 2 September 2021).
  4. Internet Architecture Board, Statement on Internet Confidentiality (https://datatracker.ietf.org/doc/statement-iab-statement-on-internet-confidentiality/ : 13 November 2014).
  5. Eric Rescorla, The Transport Layer Security (TLS) Protocol Version 1.3, RFC 8446 (August 2018).