10-01-2021, 02:06 PM
|
#221
|
Franchise Player
|
Quote:
Originally Posted by Electricprez
Not a security guy, but do business with a lot of cybersecurity firms, app developers, etc. in general -- so take this with a grain of salt.
Everything about this smacks of PORTPass being outsourced to an inept development team with zero oversight done by a completely negligent and incapable founder.
Even the way Zakir talks about this in the media is indicative (to me, anyways) that he doesn't have the slightest clue how cybersecurity works or what the requirements are.
But CSEC is absolutely to blame here as well. I don't know what their protocol is, but even a basic cybersecurity audit would've helped to illuminate the serious issues here.
For example, my small business needs to answer questions like these to do business with enterprise-level vendors, and this is a fraction of the BASIC audit we go through as a not-even-tech firm that deals with minimal sensitive information:
(Boring stuff ahead)
+ Do all systems with access to sensitive information have automatic locking features?
+ Do you maintain access records to all physical locations containing X information?
+ Do you log inventory, tracking, and accountability for X data (including backups) into or out of facilities, and make logs available to X upon request?
+ Do you have 24/7 physical monitoring of locations storing sensitive X information?
+ Will all X data be stored within the US, or are you able to agree to data locality terms that segments our data within the United States?
+ Is MFA required for employees/contractors to log in to production systems?
+ Do you have procedures for securely deleting X data after use?
+ Do you prevent X data from leaving production systems?
+ Do you limit access to X data to only personnel specifically requiring access?
+ Are access logs to X data personally identifiable?
+ Are you able to restrict access to X systems and data only via the interface X provides, if required?
Beyond this, vendors will ask for things like certifications, letters of attestation regarding penetration tests, and so on. If you're building an app, and that app's primary use is dealing with sensitive documentation, not performing even cursory due diligence like this is patently insane. If these types of things WERE asked, and were lied about, well... that's another story. But the evaluation process here ought to have been RIGOROUS given the nature of the application.
Everyone involved here royally screwed up.
|
For not being a security guy, you ask and know the important questions for businesses exploring their risk exposure.
|
|
|
10-01-2021, 02:34 PM
|
#222
|
Crash and Bang Winger
|
Quote:
Originally Posted by cam_wmh
For not being a security guy, you ask and know the important questions for businesses exploring their risk exposure.
|
Literally pulled from an assessment we had to complete to do business with a software company out of the U.S. that deals with HIPAA compliance, so it makes me look a little more knowledgeable than I am, ha.
But so much of this would be so easy to verify as CSEC, and they just... didn't?
Certifications especially, and the location of the data would've been incredibly easy to verify.
It's also why I don't buy anything Zakir is saying. Why has there not been a single other person from the company the media can talk to with regards to security precautions? It's terrifying to imagine that this could literally be a one-man-show from Alberta having an app built by some random offshore dev company and selling it as an innovative, well-networked, secure solution.
Like -- that I can go to LinkedIn, punch in Portpass' company name, and see that they have exactly one employee?
Not a good sign. That I can't find the name of their so-called cybersecurity 'partner' in any of the press leading up to this? Also not a good sign.
Last edited by Electricprez; 10-01-2021 at 02:53 PM.
|
|
|
10-01-2021, 03:25 PM
|
#223
|
#1 Goaltender
|
Alberta MyHealth is now spitting out QR codes in preparation for scanning capability. Not that PortPass was destined for a long lifespan, but it's officially deader than the Oilers cup contention window.
|
|
|
10-01-2021, 03:30 PM
|
#224
|
Lifetime Suspension
|
I'm really excited for the scannable QR codes.
No forging, everything legit.
|
|
|
10-01-2021, 03:32 PM
|
#225
|
First Line Centre
|
My Flames rep gave me a very generic response, pretty much exact same as the one earlier in this thread.
Wonder if they even speak of it again or hope it just goes away? I've asked when their security audit will be completed and no response.
|
|
|
10-01-2021, 03:56 PM
|
#226
|
Crash and Bang Winger
|
Quote:
Originally Posted by djsFlames
I'm really excited for the scannable QR codes.
No forging, everything legit.
|
What do you mean no forging? It's from the same numbnuts who sent editable PDFs. There's nothing magic about a QR code; it's just text encoded to QR... it's exactly like a bar code but 2D instead of 1D.
|
|
|
10-01-2021, 04:38 PM
|
#227
|
Scoring Winger
Join Date: Dec 2010
Location: Cowtown
|
This can't be allowed to die can it? 😡
They have majorly screwed up. They advocated/recommended/required that you sign up for Portpass as the preferred method of entering the stadium.
Now our data is compromised and there has been no further word? How long is long enough to at least give us another update on what the situation is, where the organization went wrong or if my info is in danger? I messaged the Flames again today with no response.
I'm not even that mad at Portpass because I would never have signed up without the explicit direction of the Calgary Flames. This reeks of incompetent management. They were in a rush to get as many people into the stadium as possible. We will see no on ice success until this org gets its house in order. Top to bottom.
Look, I accept full responsibility for not doing my own research and properly vetting the app myself, but when a professional NHL organization that is responsible for the safety of the people attending their events tells me this is the app they require, I just did it. You factor in that the name of the app is Portpass, and I was under the mistaken impression that it was tied to the Nexus border crossing program. My bad.
It would have been prudent of them to ensure that app is secure before telling all of us who planned to attend the games to fill it out. I don't think it is too much to ask. I also don't think it is too much to expect for the Flames Org to let its fans know what is up. They are currently in defensive mode about this and I personally believe they will comment no further due to the legal issues they are facing.
I wasn't going to put up in a privacy/foip complaint because the Flames hockey club has been part of my life since they announced they were moving here, and they have always strived to be first class, but now I think I have to in order to ensure I'm protected. Their handling of this situation has left us fans no choice but to complain as we are not receiving any info.
Thanks for letting me vent. Sorry if some of you feel it's an overreaction on my part but it's how I feel.
|
|
|
10-01-2021, 05:58 PM
|
#228
|
Franchise Player
Join Date: Dec 2011
Location: Calgary
|
I don’t think that’s an overreaction at all. In fact I think it’s a completely reasonable position to take. There was a level of trust put in the Flames that they would have done their due diligence before recommending a service to their customers and it was clearly broken.
|
|
|
10-01-2021, 08:59 PM
|
#229
|
Franchise Player
|
Quote:
Originally Posted by Passe La Puck
What do you mean no forging? It's from the same numbnuts who sent editable PDFs. There's nothing magic about a QR code; it's just text encoded to QR... it's exactly like a bar code but 2D instead of 1D.
|
If done correctly along with photo ID it's better than the trash we have now.
|
|
|
10-01-2021, 09:16 PM
|
#230
|
Franchise Player
|
Watching the game and can't help but notice that nobody, like nobody, is wearing a mask in the dome. Not sure I care but aren't fans supposed to unless eating/drinking?
|
|
|
10-01-2021, 10:18 PM
|
#232
|
Franchise Player
Join Date: Feb 2006
Location: Calgary, AB
|
Quote:
Originally Posted by Knut
I know of 3 people. Unvaccinated at the game. Obvious forgery. They posted all over social media too and are quite up front about not being vaccinated. Can’t wait for QR codes.
|
Call the cops and report them.
https://www.calgary.ca/csps/cema/cov...ine-bylaw.html
Quote:
Providing false vaccine records will be investigated by the Calgary Police Service as a Criminal Code offence. Complaints of fraudulent vaccine records can be reported to the Calgary Police Service non-emergency line at 403-266-1234.
|
__________________
Turn up the good, turn down the suck!
|
|
|
10-01-2021, 10:25 PM
|
#233
|
#1 Goaltender
Join Date: Feb 2012
Location: Calgary
|
I was at the game and people were extremely lax on wearing their mask while seated. I get it, drinking beer and eating popcorn and all, but most just didn’t bother even trying.
__________________
From HFBoard oiler fan, in analyzing MacT's management:
O.K. there has been a lot of talk on whether or not MacTavish has actually done a good job for us, most fans on this board are very basic in their analysis and I feel would change their opinion entirely if the team was successful.
|
|
|
10-01-2021, 10:47 PM
|
#234
|
Celebrated Square Root Day
|
Quote:
Originally Posted by ben voyonsdonc
I'm surprised that this isn't bigger news. CSEC should be asked very tough questions about how they could possibly require attendees to their events to upload crucial documents to a company without having done any due diligence to find out how this information would be protected. Heads should certainly roll at CSEC but also the media should be all over this. Thousands of people's personal information was given to a shady company who left it completely vulnerable and has seemingly disappeared. Instead of having an actual statement about the mess that they created and how people could be impacted by it, CSEC has just made a minor change to the website.
Of course, this situation all stems from the fact that we don't have a true vaccine passport program here...just a program that was slapped together in five minutes by drunk monkeys - namely the provincial government and Tyler Shandro.
|
Local media outlets are very tight with the Flames, always have been. It's absolutely bonkers that they would ease up on something as serious as this, though. But not unexpected, I guess.
|
|
|
10-01-2021, 10:50 PM
|
#235
|
Franchise Player
Join Date: Feb 2011
Location: Somewhere down the crazy river.
|
Quote:
Originally Posted by Knut
I know of 3 people. Unvaccinated at the game. Obvious forgery. They posted all over social media too and are quite up front about not being vaccinated. Can’t wait for QR codes.
|
And this is just going to lead to anti-vaxxers later proclaiming, “hey, see, the passports didn’t work!”
|
|
|
10-01-2021, 10:50 PM
|
#236
|
Celebrated Square Root Day
|
Quote:
Originally Posted by Philly06Cup
I remember when CSEC was pushing Bill Smith as mayor. Coincidentally, Calgary Herald and Calgary Sun were also pushing for Bill Smith. I'm guessing CSEC has close ties with Post Media -- explains the lack of news cycle and fair reporting on this PortPass debacle.
|
Yep.
|
|
|
10-01-2021, 10:55 PM
|
#237
|
#1 Goaltender
Join Date: Feb 2006
Location: Calgary
|
Quote:
Originally Posted by Wormius
And this is just going to lead to anti-vaxxers later proclaiming, “hey, see, the passports didn’t work!”
|
Unreal. Congrats, you fooled us?
|
|
|
10-01-2021, 10:56 PM
|
#238
|
Celebrated Square Root Day
|
Quote:
Originally Posted by rohara66
My Flames rep gave me a very generic response, pretty much exact same as the one earlier in this thread.
Wonder if they even speak of it again or hope it just goes away? I've asked when their security audit will be completed and no response.
|
They had one media source battling the severity of what happened here - the CBC, while local news sources left them alone. News moves fast, so with only one outlet going after this, they'll quietly drop PortPass and start accepting government QR codes and printed vaccine passports and life will go on for them.
|
|
|
10-01-2021, 10:58 PM
|
#239
|
Celebrated Square Root Day
|
Quote:
Originally Posted by Fighting Banana Slug
I was at the game and people were extremely lax on wearing their mask while seated. I get it, drinking beer and eating popcorn and all, but most just didn’t bother even trying.
|
On TV it looked like 30% masked at any given time. I literally didn't even know they had a mask mandate and would have guessed they didn't based on usage.
|
|
|
10-01-2021, 10:59 PM
|
#240
|
#1 Goaltender
Join Date: Feb 2012
Location: Calgary
|
Quote:
Originally Posted by jayswin
On TV it looked like 30% masked at any given time. I literally didn't even know they had a mask mandate and would have guessed they didn't based on usage.
|
That is how it felt inside the dome as well.
|
|
|