Tuesday, 20 March 2018

Performing Your Own Dentistry - Challenges, Unknowns, and What is Overlooked in Security Log Collection

This is essentially a blog post version of my BSides Vancouver 2018 presentation, which I gave on Tuesday, March 13th. You can download a copy of my slides in PDF format, and my talk is at the start of this YouTube stream (albeit the first 5 minutes are cut off). I'll update this blog post with the actual video release, which may be a few months away.

I've opted to write this entry in a condensed format so for further context I do suggest grabbing the slides and following along with my presentation. However, much of what I spoke about will be contained within. Some people remarked to me post-presentation that they wish they had seen my talk before they had embarked on their journey in collecting security logs.

One thing I'll warn you all about is that I may skip things since I spoke about them verbally in the talk. Additionally, the notes that form most of this entry were initially strictly for me, so any odd typos or grammatical errors are to be expected.

A copy of the slides can be downloaded here.

Getting a running start...

To give you a backgrounder on who I am: I've been working in various information security roles for the past decade, and for the past 3.5 years as of this writing I have been the senior analyst at a natural resources company. The company I work for has about 10,000 employees scattered globally and has some interesting challenges, namely a need to defend both corporate and industrial control assets, plus geographical challenges that I never thought about until I came onboard. We process and store anywhere between 170 and 250 GB of data within our security log software daily, with a year's retention.

You're done with using command line tools like grep, awk, and cut, and you're done with data going into the aether, so now you want to collect your logs and have them somewhere in a central repository. You have figured out that using the tools of old is not faster (they're not) and now you're embarking on looking for a software solution.

Here's the mess you'll encounter:

This is a sampling of the smörgåsbord that is security log collection. All of these displayed above have different use cases, different feature sets, and you will be bombarded with buzz terms like "machine learning" and "threat intelligence". Vendors are going to be super eager when they get a whiff of you having a budget and will do anything to convince you that their solution is the best option. I'm not going to tell you what to choose but I will tell you what to consider.

Right off the bat, you must try to keep this simple, at least in the short term. The first six months of using your new kit are going to be you implementing it, getting it configured right, and then pulling your hair out because you think you understand just a fraction of what it is doing. It is super tempting to aim for these really neat features that on the surface appear to solve all of your woes, but realistically you need to set expectations, and set them early, so you don't get blind-sided when you discover that they're not living up to your expectations.

Knowing your network before you dive in is super important. Do you know everything that is on your network? When your network is small (say a 20 person company), there are probably not a lot of legacy things, or at least if there are, you know what they are. However, as time has gone on, your large organisation probably hasn't been so lucky, and you have oddball things scattered about that have become long-forgotten yet somehow important.

Annoyingly, not every device is going to have an effective method for log collection! Even security appliances can fall victim to this issue! In one case, I had a proxy server that had only one output for its logs, and at the time we were sending them to analytics software by the same vendor. We chose to ditch the software and have the proxy send its data directly to our log collection software, namely because it could do a much better and faster job at answering questions and generating reports.

Not everything needs to be collected either. Your brain doesn't store all the information it is fed. All the while you're reading this, your eyes are capturing approximately 30 GB of data (let's just run with the idea of your brain storing bits here). Neuroscientists assume that you could keep anything between 10 TB and 2.5 PB within, meaning that within a whole day you'd be full! Of course, your brain is very clever and discards so much of that information unless it is important. You need to know what you want to keep, otherwise things will just become way too much to handle!

If your team is large enough maybe host your security logs yourself! It’s a lot of work but then you have full control over the log collection. However, you need to be prepared to have lots of storage capacity. How long do you want to keep it around?

My organisation collects 200 GB per day and we’re about to migrate 72 TB of our data to our own infrastructure. Can you host 72 TB? Can you back up 72 TB? Do you need to collect a year’s worth of data?

However, on the flip side, the advantage of having someone else host your log collection is that it takes the infrastructure challenges off of your plate. Make sure your SLA includes backups and storage redundancy! You should also keep in mind that you may want to take the data back should you decide to pull it into your own environment.

You’re now freeing up time and energy to devote to responding to incidents or integrating the log collection into other systems. However, one challenge you may face is that you will lose a lot of flexibility in terms of configurations.

You’re going to find that, since you chose a SaaS solution, certain configurations are not going to be supported. Or, after badgering the vendor to do something to improve it, they come up with a solution that their own support team cannot make sense of, so when it breaks you find yourself pulling your hair out because they won’t get the urgency of the situation.

Do you have change control? It is quite possible that a new device or a change to an existing device could lead to a problem with log collection. Will a change to an existing device cause the log output to change or stop altogether? Will you be able to support the log collection?

Things are in place--now what?

Make sure that everyone is aware of what your intentions are for these logs. Knowing the difference between collecting, monitoring, hunting, and predicting when it comes to all this is super important in setting expectations.

Truthfully, never promise more than collecting. If you’re using this in an incident response role, you want to set the expectations before something occurs for how you’ll deal with a situation. You may be creating alerts (monitoring) based on existing indicators, and you’re probably going to do the same for hunting.

Predicting is something I highly doubt you’re going to achieve. You can of course use the software to forecast, but it probably isn’t going to tell you when you’re about to get breached. If any product could do that, security would be “solved”.

You need to know what you’re going to do with this data. Is it for digital forensics? Incident response? Employee behaviour?

Can you measure the amount of data and events per second (EPS) you’re going to generate? I won’t get into how you’ll want to do this but there are many guides out there for doing this effectively. This is something you’ll want to consider before signing that licence agreement. At 200 GB per day, we’re eating up almost a quarter of our daily Internet traffic sending our data over to an AWS cluster.

It’s quite possible you’ll end up with duplicate data. Do you need to collect data from the router sitting in front of your firewall?

Who is responsible for the data? Who is supposed to be involved in any changes? This is an opportunity to learn the RACI model.

Working with the data

Let's talk about what I am collecting.

The biggest set of logs you’ll probably collect will be your event logs. You have your typical Application, System, and Security logs, but the Windows Event Log system is a lot more extensible than just that. Some security products create their own event logs (such as many endpoint solutions), and having that data collected can make a whole lot of difference in incident response.

On the subject of endpoint security, there are a lot of products out on the market that will keep a ledger of sorts to help in digital forensics. However, your organisation may be unable to afford such software. An alternative is to make use of Sysmon logging which is something native within Windows. Actions such as specific user behaviour and various other events not otherwise captured by event logs can be recorded. This has proven very, very useful in determining the spread of malware within my organisation.

However, bear in mind that event logs are probably going to be the bulk of your log collection so you should determine how much traffic you’re going to generate from those details alone.

One thing to take advantage of here is forwarding your event logs to a central spot. This is a feature that exists within Windows and can be very useful in avoiding installing too many collector agents -- especially useful for workstations, such as what I mentioned here with Sysmon. Bear in mind that you will need to do some rewrites on the log data to correctly tag it, as the source and host data may end up getting lost.

Proxy data is very useful as well, but something to keep in mind is that if your web filtering solution is doing HTTPS inspection, you may need to ensure that recording this activity is permissible. I am not your risk and legal team here so I won’t bother to elaborate further on this point, but this may be very important to keep in mind.

When it comes to DNS, it’s surprisingly easy to capture and record this traffic. Assuming you have centralised your name servers, you don’t need to do much in the way of logging to disk to make this effective. There are ways to just outright capture the traffic by monitoring the network traffic itself. You can either just sniff traffic right on the DNS servers or mirror traffic going to them to a dedicated collector running the capture software.

DHCP is also useful (and can be captured the same way) for looking for rogue devices and for historical DNS lookups. If you don’t have any sort of network access control, this could be a way to supplement one.

Firewall data: not much to be said. If you’re lucky enough to have a firewall that does packet inspection and thus can tag the application data, or is able to tag users and IP addresses, this can be extremely useful.

Be careful with Netflow! Holy heck have I ever seen this one go sideways if you have far too many devices capable of it. Netflow is super useful for determining lateral movement within the network but because of how noisy it is you may find it nigh-impossible to make use of it. In my situation, I am only using it for egress and ingress traffic at our sites where our main firewalls do not cover them and they’re set up in a split tunnel configuration, meaning that Internet traffic isn’t captured by our usual means. Netflow can easily surpass the amount of data that event logs generate.

Lastly, I have lots of other random logs I am collecting from mainframes, various database software, and from Internet-facing appliances.

What about your cloud data? You should own that data and if your vendor says you don’t then it’s time to consider going elsewhere.

Many SaaS solutions do offer log data either via an API or syslog (usually over TLS). However, it may not be documented all that well and there is a good chance that you’ll either have to write some of your own code or have something sitting within your DMZ to capture this traffic.

I’ve had situations where the vendor has provided the log data but it’s only what they deem as “important” and not the general activity. Be prepared for this to happen and do not hesitate to demand a feature request to change this.

A grotesque myriad of log formats

You’re going to find three popular HTTP daemon log formats: Apache, W3C (from the World Wide Web Consortium, the standards body for the web), and Microsoft IIS. IIS is kind of ridiculous as they modelled their format off of W3C but, like all things Microsoft from the late 90s and early noughties, they opted to sort of go their own way.

This is something you’re going to have to face and you have a few options for dealing with it. In a lot of cases, the software you use will do field extractions for you automatically if the product is mainstream. You may luck out and the vendor or a very nice person may have written a solution for you. However, even if a solution is provided, you have weird edge cases that arise.
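As an added example (not code from the original post), here is what "dealing with it" looks like for two of those formats: Apache combined has a fixed column order and yields to one regex, while W3C extended as IIS writes it declares its columns in a "#Fields:" directive and needs a stateful parser. Both sample logs are constructed; the Apache line stamps local time with an offset and the IIS rows are in UTC, so the parsers normalise to one UTC field.

```python
"""Parse the Apache "combined" format and the W3C extended format (as
IIS writes it) into one common record shape.  Added example, not code
from the original post; the two sample logs below are constructed."""
import re
from datetime import datetime, timezone

# Apache combined: fixed column order, so one anchored regex will do.
APACHE_COMBINED = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

APACHE_SAMPLE = ('203.0.113.7 - - [20/Mar/2018:14:05:09 -0700] '
                 '"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"')

def parse_apache(line):
    m = APACHE_COMBINED.match(line)
    if not m:
        return None            # not combined format: let the caller count the miss
    d = m.groupdict()
    # Apache stamps local time with an offset; normalise to UTC here so it
    # lines up with sources that already log in UTC.
    ts = datetime.strptime(d.pop("time"), "%d/%b/%Y:%H:%M:%S %z")
    d["time"] = ts.astimezone(timezone.utc).isoformat()
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    for k in ("user", "referer"):
        if d[k] == "-":
            d[k] = ""
    return d

IIS_SAMPLE = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2018-03-20 21:05:09 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 5120 321 15"""

class W3CParser:
    """W3C extended: the column order is declared by a "#Fields:" directive
    (and IIS lets admins change it), so the parser has to be stateful and
    must never assume positions.  IIS logs UTC by default, split into
    separate date and time columns, and writes spaces in the user agent
    as "+"."""
    RENAME = {"c-ip": "client", "cs-username": "user", "cs-method": "method",
              "cs-uri-stem": "uri", "sc-status": "status", "sc-bytes": "bytes",
              "cs(Referer)": "referer", "cs(User-Agent)": "agent"}

    def __init__(self):
        self.fields = None

    def parse(self, line):
        if line.startswith("#Fields:"):
            self.fields = line.split()[1:]
            return None
        if line.startswith("#") or not line.strip():
            return None        # other directives (#Software, #Date) or blank line
        if self.fields is None:
            raise ValueError("data row before any #Fields: directive")
        cols = line.split(" ")
        if len(cols) != len(self.fields):
            return None        # truncated or garbled row: drop it rather than mis-map
        d = {self.RENAME.get(k, k): ("" if v == "-" else v)
             for k, v in zip(self.fields, cols)}
        if "date" in d and "time" in d:
            ts = datetime.strptime(d.pop("date") + " " + d.pop("time"), "%Y-%m-%d %H:%M:%S")
            d["time"] = ts.replace(tzinfo=timezone.utc).isoformat()
        if "agent" in d:
            d["agent"] = d["agent"].replace("+", " ")
        for k in ("status", "bytes"):
            if k in d:
                d[k] = int(d[k]) if d[k] else 0
        return d

def parse_w3c(text):
    """Run a whole W3C/IIS log through one parser instance, dropping directives."""
    p = W3CParser()
    return [r for r in (p.parse(line) for line in text.splitlines()) if r is not None]

if __name__ == "__main__":
    print(parse_apache(APACHE_SAMPLE))
    print(parse_w3c(IIS_SAMPLE))
```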

It’s very tempting to log all traffic on your file server. If you’re small enough, it’s probably no big deal, but what happens as you scale? Just like I mentioned earlier with Netflow traffic, it can become far too difficult to sift out what is a real threat and what is normal activity. Consider evaluating the event IDs you absolutely want and filter out whatever you don’t. This can be useful in reducing the amount of traffic and storage required.

I guess I am still harping on event logs here, but by default they include helper details that to you and me are super useful. However, when you have millions of events per day, those details add up and are not useful to keep around. Consider filtering that stuff out too and you may find that you save at least a third of your storage requirements!

This is the typical contents of a Windows Event log. Out of the box your software solution should support the format, and if not then I have no idea what you’re using and you’re probably going to want to reconsider everything you’re doing. However, it will by default only deal with your typical System, Application, and Security event logs.

In this case, we have an output from Sysmon, allowing my organisation to see what is happening on a machine--if you have the ability to set this up, sysmon data is an absolute goldmine for information. However, if you look at the message field, you’ll notice that it starts to differ.

Okay. You’ve fixed the Sysmon issue, but now you’re like me and you’re collecting AV logs. In this case, SCCM manages our built-in Windows AV solution but in order to get the data out, we had to create a trigger within MSSQL to dump the event into an event log. It works great but take a look at the Path and DN fields. This would not be extracted properly with the same solution as Sysmon.

There are times however where everything just sucks. The above is an output that couldn't be extracted properly. It was awful. None of the data was consistent and the log software would just do everything improperly. I hated it so much but I fortunately had a solution after much complaining to the vendor (I'll elaborate a bit later).

To fix most of these, you’ll want to learn regular expressions. They’re absolutely useful to learn but do require a lot and I mean a lot of time to learn effectively. I am very rusty with them these days but there are solutions for writing them without having to spend too much time getting beyond the basics. I recommend working with RegEx101 if you want to get a start on things.

However, don't get too creative as it doesn't fix everything.

Shout out to Ex-Parrot for this disastrous regular expression.

This was not written by hand. If your regular expressions are getting to this point, you’re going to hate life. Regex is NOT a solution to all of your woes and does not mean 100% perfection. You will NOT achieve perfection in your extractions--but you will get something functional with enough work.

Do not use regular expressions to parse XML either. Your software should be able to work with it natively (as well as JSON, which can be regex'd but shouldn't need to).
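An added example (not code from the original post) of the Sysmon case above and of the "don't regex XML" advice: the event's own XML is read with an XML parser, with the host taken from the event's Computer element rather than from whichever forwarder delivered it, and a second parser handles the rendered "Key: Value" message text for collectors that only ship that. The event, hostname, user and paths are constructed.

```python
"""Extract fields from a Windows event (here a Sysmon process-creation
event) with an XML parser rather than regex, and fall back to parsing the
rendered message text when that is all the collector hands over.  Added
example, not code from the original post; the event below is constructed
(hostname, user and paths are made up)."""
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

SYSMON_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WKS-0042.example.internal</Computer>
    <TimeCreated SystemTime="2018-03-20T21:05:09.123456Z"/>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2018-03-20 21:05:09.120</Data>
    <Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name="CommandLine">"cmd.exe" /c whoami</Data>
    <Data Name="User">EXAMPLE\\alice</Data>
    <Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
  </EventData>
</Event>"""

# The same event as the rendered message a forwarder might ship instead:
# a title line, then "Key: Value" lines.
SYSMON_MESSAGE = ("Process Create:\r\nRuleName: -\r\nUtcTime: 2018-03-20 21:05:09.120\r\n"
                  "Image: C:\\Windows\\System32\\cmd.exe\r\nCommandLine: \"cmd.exe\" /c whoami\r\n"
                  "User: EXAMPLE\\alice\r\nParentImage: C:\\Windows\\explorer.exe")

def parse_event_xml(xml_text):
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    rec = {
        "provider": system.find("e:Provider", EVT_NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=EVT_NS)),
        "channel": system.findtext("e:Channel", namespaces=EVT_NS),
        # Take the host from the event itself: after Windows Event Forwarding
        # the transport-level source is the forwarder, not the workstation.
        "host": system.findtext("e:Computer", namespaces=EVT_NS),
        "time": system.find("e:TimeCreated", EVT_NS).get("SystemTime"),
    }
    # Sysmon (and any manifest-based provider) writes EventData as a flat list
    # of <Data Name="..."> elements; the Name attribute is the field key.
    for data in root.iterfind("e:EventData/e:Data", EVT_NS):
        rec[data.get("Name")] = data.text or ""
    return rec

def parse_sysmon_message(message):
    lines = message.replace("\r\n", "\n").split("\n")
    rec = {"title": lines[0].rstrip(":")}
    for line in lines[1:]:
        # Split on the first ": " only: paths and command lines contain colons.
        key, sep, value = line.partition(": ")
        if sep:
            rec[key] = value
        elif line.endswith(":"):
            rec[line[:-1]] = ""          # key with an empty value
    return rec

if __name__ == "__main__":
    print(parse_event_xml(SYSMON_EVENT_XML))
    print(parse_sysmon_message(SYSMON_MESSAGE))
```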

If your syslog output has CEF (Common Event Format) as an option: use it. There are variations of it per vendor, but it's night and day in contrast to other log formats.
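To show what makes CEF workable, here is a parser for it, added here and not code from the original post: the seven pipe-delimited header fields are split while honouring backslash escapes, the key=value extension is walked by locating keys rather than splitting on spaces (values contain spaces), and vendor-specific cs1/cs1Label pairs are resolved to readable names. The sample line, including its syslog prefix, is constructed.

```python
"""Parse a CEF (Common Event Format) syslog line into a dict, handling the
escaping rules that trip up naive split-on-pipe parsers.  Added example,
not code from the original post; the sample line is constructed."""
import re

# A syslog-style prefix followed by the CEF header and extension.  The
# product name carries an escaped pipe and the msg an escaped "=".
CEF_SAMPLE = (
    "<134>Mar 20 21:05:09 fw01 CEF:0|Example Corp|Example\\|FW|2.1|100|Connection blocked|5|"
    "src=10.1.2.3 dst=203.0.113.9 spt=51522 dpt=443 proto=TCP act=deny "
    "msg=Policy hit\\= outbound deny rt=Mar 20 2018 21:05:09 cs1Label=Rule cs1=Block all"
)

HEADER_KEYS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")

def _split_header(text, count=len(HEADER_KEYS)):
    """Split the first `count` pipe-delimited header fields, honouring
    backslash escapes (an escaped pipe or backslash); return them plus
    the remaining text, which is the extension."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < count:
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    return fields, text[i:]

def _unescape(value):
    """Undo extension escapes: \\= \\\\ and the \\n / \\r newline markers."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

# An extension key is a run of key characters, preceded by start-of-text or
# whitespace, immediately followed by "=".  An escaped "\=" never matches
# because the backslash is not a key character.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")

def _parse_extension(ext):
    rec, hits = {}, list(KEY_RE.finditer(ext))
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        rec[m.group(1)] = _unescape(ext[m.end():end].strip())
    return rec

def parse_cef(line):
    start = line.find("CEF:")
    if start < 0:
        return None                      # not CEF; hand it to another parser
    header, ext = _split_header(line[start:])
    if len(header) != len(HEADER_KEYS):
        return None                      # truncated header
    rec = dict(zip(HEADER_KEYS, header))
    rec["cef_version"] = rec["cef_version"][len("CEF:"):]
    if rec["severity"].isdigit():
        rec["severity"] = int(rec["severity"])
    rec.update(_parse_extension(ext))
    # Vendors put their own fields in cs1..cs6 and name them via cs1Label etc.;
    # expose those under the readable name as well.
    for label_key in [k for k in rec if k.endswith("Label")]:
        base = label_key[:-len("Label")]
        if base in rec:
            rec[rec[label_key]] = rec[base]
    return rec

if __name__ == "__main__":
    print(parse_cef(CEF_SAMPLE))
```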

In the case of the vendor with the terrible output, after much complaining and pointing out that their other products can do better, they provided us with a JSON output pushed over HTTP. It has been the most workable data I have received yet, so sometimes vendors can improve, and improve really well, in this space if you ask them to!

Things will break, I promise you

Prepare for things to break and prepare to not panic. You must accept that somehow everything will break. Have everything documented and understand the impact of missing or delayed data.

If any amount of downtime or interruption causes a compliance issue, you must prepare for it either through redundancy or risk acceptance. These are things I cannot walk you through but know who to consult as it is important!

Regardless of whether or not you’re dealing with one, two, or fifteen time zones, you should always set everything to UTC. This will make it easier for you to build timelines. Having accurate time also means you can correlate with other sources effectively.

Have a central NTP source too. Time can be a few seconds off but any more than that and it makes correlation very difficult!

Time will break without you even trying. One of the times here is correct and one of them is not. This will become a headache.
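An added example (not code from the original post) of the UTC and NTP points above: each source's stamp is normalised to UTC using the offset it is known to be configured with, and compared against the collector's own receive time so that a device whose clock has drifted beyond a few seconds is flagged before it corrupts a timeline. The records, device names and offsets are constructed; fixed offsets stand in for the IANA zone names you would keep per source in practice.

```python
"""Normalise device timestamps to UTC and flag clocks that are out of
step with the collector.  Added example, not code from the original post;
the records below are constructed."""
from datetime import datetime, timedelta, timezone

MAX_SKEW_SECONDS = 5   # "a few seconds off" is tolerable; beyond that correlation suffers

# What a collector typically sees: some sources stamp local time with no
# offset (you have to know how each device is configured), some include
# the offset, and the collector notes its own UTC receive time for each.
# Fixed offsets are used here for brevity; in practice keep IANA zone
# names per source so daylight-saving changes are handled for you.
SAMPLE = [
    {"source": "fw-vancouver", "offset": "-07:00",
     "stamp": "2018-03-20 14:05:09", "received": "2018-03-20T21:05:10+00:00"},
    {"source": "proxy-london", "offset": None,
     "stamp": "2018-03-20T21:05:11+00:00", "received": "2018-03-20T21:05:11+00:00"},
    {"source": "plc-gateway-01", "offset": "-07:00",      # never NTP-synced
     "stamp": "2018-03-20 13:47:30", "received": "2018-03-20T21:05:12+00:00"},
]

def parse_offset(text):
    """Turn '+HH:MM' / '-HH:MM' into a fixed-offset tzinfo."""
    sign = -1 if text.startswith("-") else 1
    hours, minutes = text[1:].split(":")
    return timezone(sign * timedelta(hours=int(hours), minutes=int(minutes)))

def to_utc(stamp, offset):
    """Interpret a stamp in its source's offset (if it carries none) and return UTC."""
    ts = datetime.fromisoformat(stamp)
    if ts.tzinfo is None:
        if offset is None:
            raise ValueError("naive timestamp %r and no configured offset" % stamp)
        ts = ts.replace(tzinfo=parse_offset(offset))
    return ts.astimezone(timezone.utc)

def normalise(records, max_skew=MAX_SKEW_SECONDS):
    """Attach a UTC time and a skew-vs-collector measurement to each record."""
    out = []
    for r in records:
        event = to_utc(r["stamp"], r["offset"])
        received = datetime.fromisoformat(r["received"])
        skew = (received - event).total_seconds()
        out.append({"source": r["source"], "time": event.isoformat(),
                    "skew_seconds": skew, "clock_suspect": abs(skew) > max_skew})
    return out

def timeline(records):
    """Order by normalised UTC time; suspect clocks are kept but marked so a
    reader knows which ordering not to trust."""
    return sorted(normalise(records), key=lambda r: r["time"])

if __name__ == "__main__":
    for row in timeline(SAMPLE):
        print(row)
```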

As I mentioned earlier, one of the things I deal with in my organisation is industrial control--you may have heard it referred to as “real-time systems”, “process control”, or “SCADA” but they’re all one and the same. There’s a huge concern for safety and as a result we do monitor some aspects of our IC environments.

Be very, very careful when it comes to monitoring these spaces as even though you’re listening, you’re not necessarily passive about it. I highly recommend skipping to the part of the video where I use the above image as I go into detail about how using TCP instead of UDP can lead to trouble.

If you’re a team of one, then you’re responsible for everything that breaks!

If not, then you need to be able to identify the problems and then determine where the fault lies. Have your partners within your department involved in these situations and make sure that they’re aware of what their involvement needs to be. You may not have access to that firewall that is no longer sending syslog but they do. These teams may want to identify your log collection software as at fault so ensure that you have checked everything on your end and done the appropriate tests. Don’t be afraid to use netcat for example!

Closing Remarks

Be prepared for things to break and have a plan to deal with it. This also includes identifying the risks involved.

Don’t hesitate to hire a consultant and make use of them. They’re assets and can make your life easier. You're burning money if they're doing nothing.

This is probably the most effective security software you’ll use, but it’s not a holy grail so don’t treat it as such.

Lastly, this was the first talk I've given since coming out as queer. I really appreciate those who were in attendance and appreciated the questions and feedback.

Tuesday, 27 February 2018

Finding the best London Fog in Vancouver

The above beverage is a London Fog, which is a tea-based latte. The basic ingredients of what is my favourite drink are typically as follows:

  • Earl Grey tea (1 bag)
  • 100 mL boiling water
  • 10-30 mL vanilla syrup (to taste)
  • Steamed milk (to taste)
There are all sorts of variations on the above, but that is more or less what I expect. In some cases, you can work with simple syrup and then add real vanilla into it, or you can also just use vanilla extract, but the above is what I would consider the absolute basics of what you'd need to make it at home.

I've been drinking this beverage as a default in most Metro Vancouver cafes for a good decade and a bit; I first came across it in my university's coffee shop and was immediately hooked. Its origins are disputed, but it has been suggested it originated from a now-defunct place on West 4th Avenue called the Buckwheat Cafe. I've tried to find more details on the place but information is scarce as it existed before the Internet was commonplace (the claim is that it was invented in late 1996) and the digital records on the City of Vancouver Archives website do not make mention of the place anywhere.

At some point I'll have to do more digging and maybe check with the Vancouver Library. I want to know why it was called a London Fog (presumably due to its use of Earl Grey tea), if the stories about its origins written on the Internet are true, and maybe a bit more about the shop itself. If you know anything, do drop me a line!

I've been hitting up random cafes I tend to frequent and have compiled a list of what I think about their version of a London Fog. Because some places will do theirs slightly differently than the above recipe, I've opted to skip on mentioning them.

Name, location, and thoughts:

  • Kafka (2525 Main Street, near Broadway): I am going to say that this is probably one of my favourites. The cafe is near two friends of mine so I have only hit it up when I am with them, but each time I've had the drink there it has been absolutely fantastic. It's not too sweet, it appears to use real vanilla, and it has the right balance of ingredients.
  • Cafe Deux Soleils (2096 Commercial Dr.): To be honest, I really come here for the vegetarian food but they do serve a fairly okay London Fog. There isn't anything to write home about but I will remark that it's good and I don't find myself offended by it.
  • Starbucks (Earth): Like most things in Starbucks, it's not all that great. Like if I need a cup of tea or anything, it's fine, but I find that their version is just far too sweet. That said, it does exist outside of their Vancouver locations as someone in Dallas confirmed that they can make it. In a pinch, I'll settle with them but maybe ask them to not pump in so much syrup.
  • Blenz (Metro Vancouver): Theirs is mediocre. Being that there are three locations near me, sometimes I do settle for going with them, but there are far better options, just none nearby that are convenient. Better than Starbucks but that is not an achievement.
  • JJ Bean (Vancouver & Toronto): It's good. I've had it at two of their locations (Marine Building and Commercial Drive) and it's fine and really I have no complaints. Definitely better than Blenz and if I feel like walking further away from work I'll go to them.
  • Prado Cafe (1938 Commercial Drive): Prado has a few locations but I generally go to this one due to its accessibility--if I ask to take you there, I probably like you. Theirs is really good and is probably as good or close to as good as Kafka's. The above photo is in fact one I had just earlier this week.

So these are my really ridiculous tasting notes for my favourite beverage. I hope to find out more information about the origins of the London Fog. Once I have dealt with some personal matters in the coming few months, I am going to start digging more into it. I also am going to start making my own at home!

Monday, 1 January 2018

How I made my custom-coloured keyboards

For some time, I've seen many people have these really wicked pastel-coloured keyboards usually representing the colours on the transgender tri-colour. I decided that after fully coming-out that I'd change my keyboard at home and at work to reflect that--other people have these fancy LED Cherry MX-type keyboards so I figured why not.

Here's the end result of what I ended up building:

The top keyboard I bought brand new from Amazon for $77 CAD and the bottom one is a Coolermaster CM Storm which I have had for a few years for use at home. Both make use of Cherry MX switches meaning that swapping the keycaps was really straightforward!

These two links can be used to get the correct colour keycaps if you happen to like pink and blue in pastel tones:

I got the keyboard and the keycaps within a few weeks (keyboard came the next day) but any Cherry MX keyboard of your liking will suffice.

Friday, 29 December 2017

Things I liked, did, or have remarks about in 2017

Oh boy. If 2016 was a wild ride for the world then 2017 was me trying to play catch up. I came out earlier this year and have had a lot of my life unraveled and am now in the midst of ironing things out once again. With that said, I have been inspired by Natalie's "Nattos" awards albeit I will be writing about things that I did or consumed in the year as opposed to what is necessarily new.

I'll try and do this once a year going forward. Items that I'll cover may include purchases, things I've read or watched, food, places I've visited, and so forth. Let's get started!

I've broken this apart into a list here in case you're only interested in certain subjects since this is rather long.

My new car

Of course I am going to start off with the biggest purchase I've made in a decade: I bought a brand new 2017 Hyundai Ioniq Hybrid! I test-drove several cars including a Kia Niro, Kia Optima, and a Ford Explorer--the first two were hybrids and the last one was a rental so I'll count it. I had a few requirements but one in particular was that it had to be a hybrid. After some humming and hawing, I settled on the Ioniq and I cannot say anything seriously bad about this thing!

There are of course little quirks and annoyances with the car, but they're really so minor that I am not bothering to write about them.

It looks really nice too!

Two of the reasons why I love my car are the incredible fuel economy I get out of it and Android Auto. During the summer, I was averaging between 4.0 and 4.8 L/100 km (49-58 MPG) but during the winter it's somewhere around 5.5 and 5.8 (40-42 MPG) due to my desire to have the heat on. This is overall fuel economy and there have been times where I've encouraged it to run at 1.9 L/100 km (123 MPG) when I've driven it gingerly from the gas station to my home a few blocks away.

This was shortly after I had filled the car I think.

Android Auto is by far the best feature of the car's interior. Having Google Maps, Spotify, and other services readily available with either my voice or via touch screen is just perfect. Also, the basic self-driving feature in the car via the adaptive cruise control has made the odd morning commute I would do a lot more tolerable.

Previous cars I've owned included a mid-90s Plymouth Voyager mini-van, a 2009 Hyundai Accent, and then before the Ioniq I was driving a 2013 Hyundai Elantra--I guess I can say that I like Hyundais.

Concerts and music

Can we say here that Cari is stereotypically queer? I guess it is no surprise that after years of not listening to Laura's music, I'd find myself listening to Against Me! once again. Most of it resonated with me harsh and when I found out she was making a tour stop in Vancouver at The Vogue, I decided to buy tickets and go with two other queer friends.

The show was absolutely fantastic.

It was a really great show and I will say that if I find myself in the same city as her once again, I'll definitely come out to a show.

I did also attend some other concerts including Coldplay when they also stopped in Vancouver the same month. It was held at BC Place and the show was really good except for one thing: that stadium is just so huge and it felt more like it was at an outdoor venue (technically it is) than anything else.

This is the second time I've had a colourful LED wrist band whilst Coldplay performed.

I had seen Coldplay play twice before but at Rogers Arena, where it's not intended for playing soccer or football but instead ice hockey and basketball. I'd totally go see a concert at BC Place again, but it's still a weird experience that takes some getting used to.

I also picked up a record player this past summer and am slowly building up my vinyl collection. I may write about this in a later blog entry once I have curated enough things.

A smaller amount of travel this year?

For some of you who know me well, I have really picked up a habit of travelling the past number of years. I've been to over a dozen countries and I have plans for visits to other places as well. However, being that this year was a bit tumultuous, I cancelled a trip to Japan that I would have taken in September. However, this didn't mean I didn't travel (just not outside of North America for once) and one place I did go to was Montreal.

Not a terrible view from my hotel room!

I've actually been to Montreal several times before but this was the first time I was able to go there for the purposes of relaxing and seeing friends. In a previous job, I would travel to Montreal periodically to perform some work as a consultant and I'd find myself basically having enough time to fly in, do the work required, stay for the night, and then fly off. Being that I do have a trip to the city in the next few years that won't be for work nor necessarily for pleasure (those who know me personally know what I am talking about), I wanted at least one trip there that would be fun!

Notre Dame in Montreal very much reminds me of its namesake in Paris.

Lots of Montreal reminds me of Europe--in particular Paris and parts of Brussels. It definitely was easier for me to speak French here than it was in Paris--in Paris, I'd have merchants and various other people responding to me in English after hearing my Anglophone-esque Quebecois. Everything was familiar and yet at the same time was different. Basically, Montreal is a really rad city and I can see myself going back for the heck of it again for sure.

Got to meet Zandra after all these years!

Highlights of the trip include going indoor rock climbing with some friends who came out from Kingston, Ontario and another person that was local, a birthday dinner of sorts at a sushi restaurant with said friends and another friend who I was doing a Christmas gift exchange with the year prior, and meeting an old friend from IRC back in the early 2000s that I reconnected with via Twitter (see above). The trip was really fantastic and I feel like it was very much deserved!

Next year I plan a trip to Ireland to deal with some legal matters in Dublin and to make one last visit to Belfast before Brexit screws it all up. Additionally, I'll make a hop over to the UK to visit some friends and make a trip to Bletchley Park, and then finally I'll visit New York City for the first time in six years on the way back to pay respects to someone who passed away this year and meet friends and family. Other trips are planned but this is probably the most notable one so far.

Destroying my body further by playing roller derby

You know, right now I see myself as very much femme and a song that played often this past year according to Spotify was Against Me's Delicate, Petite, & Other Things I'll Never Be. So why the heck am I playing a contact sport? Roller derby definitely fits into that definition.

Preparing my skates for outdoor use. I've learnt a lot about wheels in the past few months!

I joined the Terminal City Roller Girls (TCRG) Mix-Tapes team, which is meant for people like me who are interested in playing but need to build up the skills. Ultimately I'd like to be drafted on to a league team and play in bouts so I am trying to get into even better shape than I started out with--I lost about 15 kg (~33 lbs) this past year and am now trying to work up some core strength and stamina.

I'm the one with the green helmet on the left as we're attempting to do T-stops.

Skating on quads has proven to be something I am sort of competent at being that I've previously ice skated and own a pair of inlines. I'm able to keep myself mostly stable when skating at speed and there are things that I am slowly getting better at achieving.

Stamina has proven to be my second biggest problem as while I am faster than most beginners, I'm finding that a combination of back pain due to a lack of core strength, a breathing problem that I am currently being diagnosed for, and a change in hormones is really making me hit a wall really quickly.

Where this is exemplified is during a 27/5 trial, where you must achieve 27 laps in under 5 minutes. When I first did the trial, I did 18 laps in that period, but got myself up to 22 in three months. However, I've since dropped back down to 19 and I think the ailment and the hormones have caught up with me. To put this into context, if you take the most optimum line possible, you should be covering at least 1,560 metres in that period of time.

I think that with more advancements in skills (I need to get better at doing my transitions from forward to backward skating as well as getting my stops in better order) a more efficient skate will be achieved and I will hit that 27th lap. I'm also starting my gym regimen once again and am working on adjusting my diet to make it easier for me to power through these things.

Front page of the WFTDA

One thing that attracted me to the sport besides the fact that it is really fun to play is the fact that the world governing body, the Women's Flat Track Derby Association (WFTDA), has been front and centre about its support for gender-diverse persons within its member leagues. Having met a few other transgender persons within the TCRG by now has really affirmed my decision to join as it's full of cis women, enbies, trans women, and everyone in-between. I was nervous at first but once we did our introductions and explained who we are, my fears went out the window.

Watching the WFTDA finals with others in TCRG. Rose City versus Victoria was intense by the way!

Basically the community is great and the sport is absolutely fun. I've sprained my wrists a few times, seen someone get a concussion, and a few weeks prior to my showing up, someone broke their arm. I think that the fact that I have such a bad relationship with my body makes me not worry about injuries and should I find myself hurt, I'll just mend myself and get back to playing. This is not an attitude that I had before and I am sure as heck going to ride this one.

Games that everyone can play!

This is a really, really new game I was introduced to: Machi Koro is a city building game that is all card-based! Being that I really like Cities Skylines a lot, it's natural that this game became extremely attractive to me.

Come over and play this game with me!

I made some new friends this past month and one of the questions they asked is if I like card and board games: I answered yes and they brought this out. When I walked into a game store during Boxing Day, they had it available for 20% off and I couldn't resist buying it!

I'll write a proper review for this game once I've sat down and played it once more.

Finding unicorns in gaming both real and not

This year not only did I get one current-generation console, I got two! I ended up getting both a Nintendo Switch and a PlayStation 4. However, the one game that I have sunk a lot of time into (almost 100 hours as of this writing) is The Legend of Zelda: Breath of the Wild.

I had a copy of Zelda before I had a Switch.

It's possibly the most beautiful game I've ever played but I really need to just finish it seeing that I've been grinding for the past few months. Some new DLC has been issued for it but I am putting it off until I finish it and a few other games.

Seriously. This is a bloody unicorn.

Other gaming highlights this year include attending the local retro video game show and seeing the literal unicorn that is the Nintendo Playstation. I was lucky to have a photo of me holding it but unfortunately I am not super eager to share some photos of me from the past year--the one earlier with Zandra is the first one I was super comfortable with someone else posting on Twitter since I actually look nice.

This game was totally worth the $26 CAD.

Other highlights include Sonic Mania and the SNES Classic Edition. I'd like to remark more on it but gaming is something I've become a little bit bothered writing about for obvious reasons.

Rethinking my diet and the lifestyle that goes with it

Back in 2011, I started an experiment to see if not eating meat was possible for me and whether or not it would improve my digestive system; I ceased this experiment early on but wanted to return to it eventually. Having mentioned earlier in my derby remarks that my relationship with my body is pretty terrible, my digestive system definitely reflected that. I can safely say that cutting meat, except for fish, out of my diet has proven to be a better state; I refer to myself as vegetarian but pescatarian is the best definition here.

I cannot remember what this dish was but it did taste good.

I've gotten better at cooking since I started and am now really getting used to just doing everything with spices and whatever proteins I can. And proteins are key: for me to get better and stronger at derby, I really need to give my body some building blocks to build on.

Fish has become something I am consuming less at home and more often when out. This is okay as one of the complaints I've heard from others is that my consumption of vegetables was really poor. I'm trying to make a change for the better here!

Irish Soda Bread!

Baking is another hobby I've really liked once again and it's not unusual for me once a week to make a loaf of bread, some sweet treats to bring to work, or just something I'll throw in the freezer for consumption later.

I ate half a dozen of these in five days.

This is a Monster Bar, and it's possibly the best dessert I've had in a while. I discovered them while in Montreal and at some point I need to make them here at home because they're just incredibly good and impossible to find here. They're almost everywhere in coffee shops there and yet they're obscure or unknown over here on the West Coast.

One other thing: I sort of gave up drinking? I think that for now I'll continue my sobriety. I am cool with being around others who are drinking and have bought wine and other things for friends as gifts, but I am not sure about what my relationship with alcohol is going forward. I gave my beer making equipment away over the summer and the last time I had any alcohol was when a few friends were over and I wanted to check that the drink I made actually tasted like I expected.

If you're at my home I'll still make sure that there is some booze to consume!

Making an attempt to read things that are way less technical but still for me

I don't think that it is a surprise that this particular book has been picked as my favourite this year being that the first time I've written a review for something in forever was for it.

I love the cover art.

I've read a few other notable books this past year including Girl Sex 101, Queer Privacy, Queer: A Graphic History, and Nevada--holy heck this is really queer.

Sarah is an incredibly wonderful person in real life too.

If you're looking for a copy of Queer Privacy, in the aforementioned blog post at the opening of this piece, there is a link to my coming out post and it may be possible that some of the referral links for free copies may still work.

Improving my career by taking a small step back

I really burnt myself out earlier this year and it's no surprise. To combat my anxiety, I was working aggressively at targets at the end of last year and going into this year, I buried myself in things both at work and at home trying to spin up projects that really went nowhere fast.

Basically I killed my drive and I killed it hard.

RIP 2013 - 2017

One of the things I did early on was shut down Canario. It was a hard decision as it did give me some credibility within the information security echo chamber that resides on Twitter, but there were so many legal and technical challenges that I myself could not continue to bear. I got a lot of experience out of the project but ultimately I had to bail and it marginally improved my mental health at the start of the year.

There was a VPN project I started to work on and bought equipment for that I also scrapped in the new year. I figured that by not having Canario on my plate any longer I'd be able to move forward with other things, but ultimately that too just fizzled out. My mental health was a complete dumpster fire this past year until I finally admitted that I was struggling with being transgender.

As a way to recover, I focused more on what I am doing at work and what I am doing well. I took on some large projects this past year and while they were hard they were most definitely worth it. I can look back at my past year at work with a bit of pride and next year I am going to be able to focus on things far better than I have in the past.

I also pulled away from stuff outside of work and made a point to let my brain relax and sort itself out. I stopped attending the local information security meetups and now the nights I'd find myself there are occupied by going to derby practice. I'm going to show my face at the local VanCitySec meet for the first time in eight months since we're not playing again until February.

I'm also going to start attending conferences once again. I'll be at the Women in Tech Regatta here in Vancouver next month, submitted a talk to BSides Vancouver, and hopefully will be at Hackers on Planet Earth (HOPE) in July.

A lot of personal projects have sprung up but I am taking them very slowly. I am still playing with A/UX and have some odd plans for that project, a few things I am rebuilding are on the road to completion, and I have some data I am sitting on that I plan to share for a good laugh. I have a plan to do more analysis on 3DO games since I keep putting that on the back-burner, but I won't stress out too much here.

British Columbia's wildfires

Let me tell you, this year was the worst year on record for wildfires in British Columbia.

It's annoying but it is also just smoke. I could be losing my home instead.

Pretty much half of July, half of August, and a chunk of September brought smoke from the intense fires in the interior down to the coast.

I'm privileged to have this view every day at work.

When it cleared up it was a huge blessing but still. The lingering effects on people's lives and health definitely cannot be ignored. In my case, it intensified my breathing problems and I fear that next year won't be any better with the effects of climate change still continuing to intensify.

Transitioning and finally being open with myself and others

I'll open this part up by saying this: on April 11th, I didn't think I'd be able to see myself writing this blog piece, let alone seeing the sun go down that day. It was that realisation that led me to start to transition.

I have about four more appointments before I'm going to switch to electrolysis.

Once I came out, I started with laser hair removal on my face, something I wanted to do for years but without transition. It has been the best decision I've made pre-hormones as it made the hair removal far, far easier. I am currently at 95% of my hair gone overall.

It was fun to watch the parade but I think I can do without sitting on concrete for four hours.

I attended my first pride parades and marches. I did the transgender march, went to a festival for lesbians, and joined some friends at the pride parade. There were points where I wanted to cry and I just felt almost whole.

A good skin regime has been the bestest friend ever for my face.

I absolutely care about how I look now and don't rush things most days. Skin care has been my biggest challenge as I do suffer from dry skin on my face. I'm spending time each morning taking care of my face and doing the same before I go to bed. 

Taking care of myself is something I want to do. Before I came out, I was effectively letting myself go albeit slowly. Now I am exercising, being social, and just trying to be responsible with my life. 

Went to a masquerade ball with friends and felt incredibly happy.

And that being social has been super important to me. Almost everyone I came out to in my circle of friends has been extremely accepting of me and has been very eager to keep me on their minds and involved in things. Old, new, and rekindled friendships have been extremely valuable to me and there is no way I am able to repay this other than being as much if not more of a friend in return. Everyone who has included me in their life has made a significant impact on me.

It hasn't been entirely easy that said. My relationship with my family is rocky (some extended have been very supportive) and definitely will need to be repaired. I am hoping that this will happen sooner than later but I am always going to be waiting and I hope that they're working towards that; I'm patient.

In addition, I did end up losing a spouse over this. She and I had been together for six years, married for one, and sadly we opted to end our relationship. It's really awkward between us right now and I am hoping that we can remain friends; we did recently have lunch and I felt like we had a good time. This new relationship is not going to be easy but I believe that it is possible for it to work out. I care about her deeply and always will consider her family.

I just felt like I nailed it in this photo.

I take so many photos of myself now and am able to express myself in ways I never did before. I coloured my hair starting in September and decided to give my hair a pink streak the last time around. I think that this may become a trend since it seems to be going over well with everyone and is not tactless or anything.

I just bought this sweater and I think it looks alright on me.

It's not always a happy day for me. The above photo makes me look nice but I feel like I can look so much better. Every day is a mixed challenge but I know I am going to get better and every day is a step forward, not one backward.

This dress is so incredibly comfortable and fits me well. I have a red belt that goes with it.

But here I am feeling confident. Some days I take a photo and I just go "wow" and the whole issue with dysphoria vanishes. I've been told that as months and years go by, it gets much easier and I am starting to believe that. Dysphoria is an awful experience and there are days where I cannot face myself due to it.

I look forward to only taking the tiny blue pills for the rest of my life.

The best story I have about transitioning is this: I took a week off before I transitioned to being me everywhere and I was into my second week of being on hormones. Some things have kicked in quickly such as lowered libido (sorely desired and happily working), but one big thing came along that seems to happen with trans women at this point: I felt good. I was just sitting on the couch watching something on Netflix and it just registered in my mind.

It was a new feeling and the way I can describe it was that it felt like my brain and my senses were talking in a language that, while new, was remarkably familiar. I felt happy over this and even though I had a dumpster fire going off left, right, and centre, somehow I knew at that very moment I was more than capable of living and doing what I need to do.

I'm privileged though in my transition. I've been able to afford laser hair removal without thinking about how much it will impact my ability to eat. My physician was referred to me by the provincial health authority that handles transgender persons and she has been absolutely affirming and helpful to the point where we ended up getting me into the system for a procedure all the while us forgetting to talk about my general health issues (we booked a follow up appointment for a few days after). My company has been very good towards me in accommodating my many appointments and letting me know about my options for when eventually I get this procedure done. Effectively, as it stands right now, I am in an enviable position and I won't ever overlook this.

In June, when I saw a psychologist for an assessment, she remarked that she figured I'd be fine and that the panic I had at the time was normal. I thought that her statement was asinine at the time but I realised later on that she was right and when I saw her once again last month, I told her that. I am not panicking about transitioning; I am actually getting through this just fine as she said I would.

As of this writing, I am 136 days into hormone replacement therapy (HRT). I don't want off of these at all; one of the pills I take daily is only needed until I get a procedure performed of which I have already spoken to my physician about. When I was taking anti-depressants, I hated how it ruined my brain and made me feel like a complete alien. With HRT, I feel like a human being again and that human being is a woman.

I'm still exploring my queerness but I am not reluctant about any of it, unlike I was for such a long time before. Some other gender diverse people have reached out to me since coming out and have remarked that I am an inspiration for them. I have to say that they're an inspiration to me because it's not easy to do this, and I, like many other transgender persons before me, am following in the footsteps of others.

Friends have remarked that I am much more forward with being social and show myself as being happier; I believe them.

Let's end this entry on my favourite event and talk about what's in store for 2018!

Okay. I am going to say this: the solar eclipse was probably the coolest experience of my whole life.

A view from my apartment's patio at peak

Now, granted, it was only something like 88% coverage for those of us in Metro Vancouver, but come on, the way that the light dimmed and how shadows appeared was just truly surreal. I've seen so many lunar eclipses and they are just boring compared to the weirdness that a solar eclipse creates. It also impresses me how even with 12% of the sun's light making it back to us is still as intense as the photo I am sharing here.

In 2018, I plan to continue progressing. I will be more social, I will do my best to mend what is broken, and I will make improvements to my life wherever.