Wednesday, 11 April 2018

Today is one-year since I decided to transition

Author: if you're sensitive to certain subjects including suicide, transphobia, and overall queerphobia, I'd suggest reading this with an abundance of caution. A lot of what is written here may also be paraphrased either due to the fact that time has passed and I wouldn't able to be entirely accurate or it's not necessary to write everything in whole.

A year ago today, I was on holiday from work. I was stressed-out, miserable, hating every single aspect of myself, and just outright feeling dead inside. There was effectively no fuel left in the tank and I was just running on whatever fumes I had remaining.

I took a walk one day in the hopes of having a "good day" and found myself staring at a bridge.

My brain gave me three options as I looked.
  1. Continue with this charade where I pop anti-depressants to calm myself down and find myself becoming increasingly angrier, resembling someone I didn't want to become
  2. Take a walk to the middle of this bridge and 'resolve' the matter, leaving everyone questioning everything about why
  3. Go further down the street, not knowing what will happen but make a radical change in my life
How I got to this point in my life was a culmination of two decades of wondering about my gender and sexuality and eight years of me knowing but trying to not make it a big deal. It wasn't the first time I found myself with my brain suggesting a variation of option two but I was unable to push myself not to like the last time.

Back in July 2009, there was a trans woman who transitioned in front of me and her actions were what started my dealing with being transgender. I knew her from years prior helping run a local convention and then after not seeing her for most of the year leading up to then, she came out. She was beautiful and I was jealous. "I want to be like her" was the theme in my mind as I kept looking in her direction. It was the first time it clicked in my head that maybe I was like her but there were so many questions.

Why her? I worked with transgender persons, made friends with them, and had so many interactions. Why?

It's because I saw her before. She was beautiful before and she was even more beautiful now. I was jealous and it stuck with me harsh. 

When I was 12-years old, I was stealing clothes from the laundry room and in some cases kept them in a drawer next to my bed; I only stopped because my mother caught me. I was ashamed of my body and always found changing before P.E. class aggravating. I felt inferior to the boys I was forced to interact with and compared to my more athletic younger brother I felt like a bit of a runt.

At 18, I was dating my first girlfriend and my sexual experience was awkward, finding myself feeling uncomfortable after. When we broke up a few months later, she asked me if I was gay and my only response was, "I... am not sure". Going forward, I tried to put on this machismo image of myself but truthfully I found it to be absolute garbage; the problem was I didn't understand why.

I was always in fear of being queer to be honest. I remember when I was 16, I admitted to someone that I thought that I was bisexual but I couldn't really say why and only said it to one person. I had to deal with my father making limp-wristed gestures in regards to my cousin being gay and my mother and grandfather referring to a trans woman computer technician he had hired as "he-she" or variations of that. Classmates constantly taunted me frequently, referring to me using queer-specific derogatory terms and using "queer" offensively, replacing my last name with that word due to it rhyming--I now own and use that word now in describing a part of who I am.

Being placed in a Catholic school didn't help me process my queerness in a productive manner. Any thoughts of me being anything close to "queer" was shameful and I lay the blame on the indoctrination I had underwent as a kid. I don't lament my parents placing me in a Catholic school, as they felt like it was the "right thing to do", but honestly there is nothing good to be said about my experience the more and more I revisit this time in my life. The constant bullying I faced during this time was outright awful and never dealt with appropriately by my parents or school officials (blame was virtually pinned on me most of the time), thus making me want to never express my true self. There was no emotional support for me and I was made to believe that I was wrong and I needed to "smarten up".

As an aside to all this, I am not the lone trans person in my rather small class (we had around a hundred students at graduation) as someone we all assumed as a lesbian came out as a trans man many years post-graduation. There were others who came out as queer with one coming out midway through our last year of school.

I digress, but regrettably, this shame I developed early on didn't help me behave outside of grade school any better: I used to use these aforementioned derogatory terms on message boards and in chat. It was only until the mid-noughties did I realise that this behaviour of mine was abhorrent. Cleaning my language of certain words was a long-process and I made an effort to listen to others when called out on it.

During my 20s, I waffled in and out of depression. I came out as depressed to some friends in 2004 and I was reluctant to do anything about it due to a friend's recent passing. I just didn't want to have any attention centred on me and I suffered in silence. Come 2006, I decided to move away from Vancouver thinking that it would fix me. As a consequence, I ended up really isolated, resulting in moving back less than a year later. Some time after my return, I sought out a psychiatrist and got myself on anti-depressants. It lead to this thought that I'd be on my path to finding inner-peace.

All during that time I couldn't figure out what my problem was with my gender and my sexuality. I knew somehow I was queer but just could never put my finger on it. 

I soon started to date my first long-term partner of whom I would later ask to marry me. During that time, I would meet this aforementioned trans woman and thus began my slow spiral; this was not her fault of course! It was a slow burn and even after that incident I gave it a thought but eventually after my car accident in 2010, I started to reevaluate everything.

I was off the anti-depressants and truthfully my time with the medical professional was absolutely useless, but I had convinced myself months before the car accident that I was fine. After the car accident, I found myself back at the same point I was in 2007 if not worse. When I remarked to my mother that I wanted go to back on the medication, she gave me a rather milquetoast response that very much discouraged me from trying again.

My partner and I broke up in mid-2011 and I felt like maybe this trans stuff in my head was in fact nonsense. I didn't find men attractive so why the heck would I be transgender? The trans women I had met before were all ambiguous about their sexuality and as such I left myself with the false impression that they were straight. I briefly flirted with the idea of transitioning around this point although it was the first time it was serious unlike before it was a "what if".

So instead of doing the right thing, I tried to reinvent myself. I had friends help me choose out new clothes and I started to toy with doing my hair differently. I bought a suit for a wedding and felt like I could own myself. I then met a woman at this wedding and we began a long-lasting relationship. We were engaged in 2015 and married a year later; all the while I kept going back to thoughts about why I was born a "man" and not a "woman". The idea of me being trans was still absurd until I was sick in the summer of 2016.

My wife was out of town and I came down with a nasty case of bronchitis. I couldn't work at all so I found myself reading all sorts of random things. An article I came across was by a trans woman about being closeted and how her life had improved once she came out. She described who I was to a T and it was outright unnerving; she had help me complete my knowledge in the separation between gender and sexuality. I didn't know what to do so for months I distracted myself with whatever I could and it shifted the spiral towards its steepest.

My sexuality was no longer the problem; my gender was however. Sex has always been broken for me in some capacity, but it had become hyperaware to me at this point. I couldn't face myself in a mirror anymore and the idea of me being any photos by myself bothered me immensely; this was a problem before but it really felt significantly amplified by this point. Everything was just outright broken in my head.

My self-image of myself had always been skewed. For example: I've always hated my facial hair.

I tried to grow it out while living in Edmonton, but after a week I found it absolutely awful and went back to shaving it regularly. I made many quips about wanting to wax my face to my partners, but they all said it was a horrible idea; I just never wanted to see stubble. The way I approached my genitals at the time was slightly different albeit the same, but I am not up for elaborating on this.

Side-tracking here a bit further: it's sort of funny how we assign gender roles right at birth based on what is between the legs, allowing for zero self-determination since at the start we're already telling the child what they're supposed to be. This scene (at 3:40) from Monty Python's Meaning of Life exemplifies the absurdity of it all.

I remember after the 2016 American election (or debacle), I went to sleep that night negotiating with myself that maybe I could transition but only in a decade or so; I don't know what initiated it all but I imagine the completion of a bottle of whiskey was at play.

Maybe things will be better, maybe I'll get over this, or maybe I'll "come to my senses" and figure out that this is just a really absurd fever dream and that I just need to "pull up my socks". I was really drunk and at the same time failing to fall asleep; it was probably the worst night's sleep of my life.

It was at this point the obvious anxiety attacks started; I would later realise that I have had anxiety attacks of this severity before but not at this frequency. I would spend Christmas and New Years just in a complete panic, doing my best to keep myself together at least on the surface.

Work was my only outlet really, finding myself just spending all day at my day job doing as much as I could tolerate. However, I was reaching close to burn-out and opted to shut down a service I was running in the hopes I could refocus. I tried to spin up new, smaller projects and had some decent success but couldn't keep the momentum going. I was burning the candle at both ends basically.

In desperation, I joined a gym to help destress from everything and while it did improve some things for me, overall it didn't really help; I lost 14 KG (30 lbs) between February and April. All during that time I was on anti-depressants again and I was visiting a psychologist.

There were two things happened in March that changed everything.

First, my psychologist said something profound: "all anxieties are rooted in something; we need to find what it is in your case". Second, my wife said, "we used to be on the same page, but now I feel like we're in different books". We had agreed to buy a home but a few nights before we had a fight over going ahead with buying one at the time and we spent the car ride home from where we ate in absolute silence. Everything was stressing me out and I was starting to break and break hard.

The week off was approaching and I felt like it was going to "reset" me. In fact, it was the end of this spiral and the start of something new. I managed to get through the first day off by doing things I wanted but the second day was a hard start. I decided to go for a long walk from my home to the city centre. I came to the Pattullo Bridge and began to walk up the path for no apparent reason, stopped, and then found myself presented with those options.

It would be the last time I would visit a pub and consume several pints in the middle of the day; but I did make a decision. I was about to mess things up, yet I didn't know what else to do other than tell the truth--or at least everything that I had thought about up until that point as I didn't have the luxury of retrospection like I do here right now.

I wanted to write about my coming out which was on April 13th, but I am still dealing with the aftermath of that ordeal. Most people in my life have been fairly chill about it and in some cases relationships significantly improved, but I have one aspect that is in complete tatters and I am still working on sorting out my thoughts on the whole matter. It has resulted in me seeking counselling and while it's making things better for me mentally, I still have a long ways to go. There are people I want to acknowledge that have done so much for me since but until I can make amends with others or at least myself, it'll need to rest.

These people do know who they are and I love you all and cannot express enough the gratitude I have for your patience and friendship. Some of you have done more than for me than I could ever expect especially considering how difficult our past relationships may have been. Seriously it means a lot to me.

Revisiting this spot for the two photos was really jarring. I didn't want to stay much longer than I needed to and I found myself crying in the car for a little bit after this experience. It hurt and even as I am writing this the pain is all too real. There was so much pain involved in my coming out but what I will say is that regardless of the hardships I still face, I don't regret it. Nothing is perfect now but things are better. My only regret is that I wish I did this sooner and perhaps I could have handled things better when I did come out in the first place; but it did happen and well there is no do-over now is there?

I've basically "unlearned" gender and it has been quite a trip to say the least.

I think that 2018 will continue to be a good year for me as a person and I hope that in 2019 I can talk about some presently unresolved issues in a positive light. My door is still open for most who are still "coming around", but I won't allow for myself to get hurt.

Tuesday, 20 March 2018

Performing Your Own Dentistry - Challenges, Unknowns, and What is Overlooked in Security Log Collection

This is essentially a blog post version of my BSides Vancouver 2018 presentation that I gave on Tuesday, March 13th. You can download a copy of my slides in PDF format and at the start of this YouTube stream is where I am speaking (albeit the first 5 minutes is cut off). I'll update this blog post with the actual video release which may be in a few months.

I've opted to write this entry in a condensed format so for further context I do suggest grabbing the slides and following along with my presentation. However, much of what I spoke about will be contained within. Some people remarked to me post-presentation that they wish they had seen my talk before they had embarked on their journey in collecting security logs.

One thing I'll warn you all on is that I may skip things since I spoke about them verbally in the talk. Additionally, the notes that form most of this entry were initially strictly for me so any odd typos or grammatical errors are to be expected.

A copy of the slides can be downloaded here.

Getting a running start...

To give you a backgrounder on who I am: I've been working in various information security roles for the past decade, but presently for the past 3.5 years as of this writing for a natural resources company as their senior analyst. The company I work for has about 10,000 employees scattered globally and has some interesting challenges; namely a need to defend both corporate and industrial control assets and geographical challenges that I never thought about until I came onboard. We process and store anywhere between 170 and 250 GB of data within our security log software daily with a year's retention.

You're done with using the command line tools like grep, awk, and cut and you're done with data going into the aether, so now you want to collect your logs and have them somewhere in a central repository. You have figured out that using the tools of old is not faster (they're not) and now you're embarking on looking for a software solution.

Here's the mess you'll encounter:

This is a sampling of the smörgåsbord that is security log collection. All of these displayed above have different use cases, different feature sets, and you will be bombarded with buzz terms like "machine learning" and "threat intelligence". Vendors are going to be super eager when they get a whiff of you having a budget and will do anything to convince you that their solution is the best option. I'm not going to tell you what to choose but I will tell you what to consider.

Right off of the bat, you must try and keep this simple at least in the short term. The first six months of you using your new kit is going to be you implementing it, getting it configured right, and then pulling your hair out because you think you understand just a fraction of what it is doing. It is super tempting to aim to have these really neat features that on the surface appear to solve all of your woes, but realistically you need to set expectations and set them early so you don't get blind-sided when you discover that they're not living up to your expectations.

Knowing your network before you dive in is super important. Do you know everything that is on your network? When your network is small (say a 20 person company), there is probably not a lot of legacy things or at least if there are you know what they are. However, as time has gone on, your large organisation probably hasn’t been so lucky and you have oddball things scattered about and have become long-forgotten yet somehow important.

Annoyingly, not every device is going to have an effective method for log collection! Even security appliances can fall victim to this issue! In one case, I had a proxy server that had only one output for its logs and at the time we were sending them to an analytic software by the same vendor. We chose to ditch the software and have the proxy send its data directly namely because our log collection software could do a much better and faster job at answering questions and generating reports.

Not everything needs to be collected either. Your brain doesn't store all the information it is fed at all. All the while you're reading this, your eyes are capturing approximately 30 GB of data (let's just run with the idea of your brain storing bits here). It is assumed by neuroscientists that you could keep anything between 10 TB and 2.5 PB within, meaning that within a whole day you'd be full! Of course, your brain is very clever and discards so much of that information unless it is important. You need to know what you want to keep otherwise things will just become way too much to handle!

If your team is large enough maybe host your security logs yourself! It’s a lot of work but then you have full control over the log collection. However, you need to be prepared to have lots of storage capacity. How long do you want to keep it around?

My organisation collects 200 GB per day and we’re about to migrate to 72 TB of our data to our own infrastructure. Can you host 72 TB? Can you backup 72 TB? Do you need to collect a year’s worth of data?

However, on the flip side, the advantage of having someone else host your log collection is that it takes the infrastructure challenges off of your plate. Make sure your SLA includes backups and storage redundancy! And you should also keep in mind that you may want to seize the data should you decide to pull the data into your own environment.

You’re now freeing up time and energy to devote to responding to incidents or integrating the log collection into other systems. However, one challenge you may face is that you will lose a lot of flexibility in terms of configurations.

You’re going to find that since you chose your SaaS solution that certain configurations are not going to be supported or after badgering the vendor to do something to improve it they come up with a solution that their support team cannot make sense of so when it breaks you find yourself pulling hair because they won’t get the urgency of the situation.

Do you have change control? It is quite possible that a new device or a change to an existing device could lead to a problem with log collection. Will a change to an existing device cause the log output to change or stop all together? Will you be able to support the log collection?

Things are in place--now what?

Make sure that everyone is aware of what your intentions are for these logs. Knowing the difference between collecting, monitoring, hunting, and predicting when it comes to all this is super important in setting expectations.

Truthfully, never say more than collecting as if you’re using this in an incident response role, you want to set the expectations before something occurs in how you’ll deal with a situation. You may be creating alerts (monitor) based on existing indicators and you’re probably going to do the same for hunting.

Predicting is something I highly doubt you’re going to achieve. You can of course use the software to forecast, but it probably isn’t going to tell you when you’re about to get breached. If any product could do that, security would be “solved”.

You need to know what you’re going to do with this data. Is it for digital forensics? Incident response? Employee behaviour?

Can you measure the amount of data and events per second (EPS) you’re going to generate? I won’t get into how you’ll want to do this but there are many guides out there for doing this effectively. This is something you’ll want to consider before signing that licence agreement. At 200 GB per day, we’re eating up almost a quarter of our daily Internet traffic sending our data over to an AWS cluster.

It’s quite possible you’ll end up with duplicate data. Do you need to collect device from your router sitting in front of your firewall?

Who is responsible for the data? Who is supposed to be involved in any changes? This is an opportunity to learn the RACI model.

Working with the data

Let's talk about what I am collecting.

The biggest set of logs you’ll probably collect will be your event logs. You have your typical Application, System, and Security logs, but Windows Event Log system is a lot more extensible than just that. Some security products create their own event logs (such as many endpoint solutions) and having that data collected can make a whole lot of difference in incident response.

On the subject of endpoint security, there are a lot of products out on the market that will keep a ledger of sorts to help in digital forensics. However, your organisation may be unable to afford such software. An alternative is to make use of Sysmon logging which is something native within Windows. Actions such as specific user behaviour and various other events not otherwise captured by event logs can be recorded. This has proven very, very useful in determining the spread of malware within my organisation.

However, bear in mind that event logs are probably going to be the bulk of your log collection so you should determine how much traffic you’re going to generate from those details alone.

One thing to take advantage of here is to forward your event logs to a central spot. This is a feature that exists within Windows and can be very useful in avoiding installing too many collector agents -- especially useful for workstations such as what I mentioned here with Sysmon. Bear in mind that you will need to do some rewrites on the log data to correct tag the log data itself as the source and host data may end up getting lost.

Proxy data is very useful as well but something to keep in mind is if your web filtering solution is doing HTTPS inspection, you may need to ensure that recording this activity is permissible. I am not your risk and legal here so I won’t bother to elaborate further on this point, but this may be very important to keep in mind.

When it comes to DNS, it’s surprisingly easy to capture and record this traffic. Assuming you have centralised your name servers, you don’t need to do much in the way of logging to disk to make this effective. There are ways to just outright capture the traffic by monitoring the network traffic itself. You can either just sniff traffic right on the DNS servers or mirror traffic going to them to a dedicated collector running the capture software.

DHCP is also useful (and can be captured the same way) for looking for rogue devices and for historical DNS lookups. If you don’t have any sort of network access control, this could be a way to supplement one.

Firewall data; not much to be said. If you’re lucky to have a firewall that does packet inspection and thus can tag the application data or are able to tag users and IP addresses, this can be extremely useful.

Be careful with Netflow! Holy heck have I ever seen this one go sideways if you have far too many devices capable of it. Netflow is super useful for determining lateral movement within the network but because of how noisy it is you may find it nigh-impossible to make use of it. In my situation, I am only using it for egress and ingress traffic at our sites where our main firewalls do not cover them and they’re set up in a split tunnel configuration, meaning that Internet traffic isn’t captured by our usual means. Netflow can easily surpass the amount of data that event logs generate.

Lastly, I have lots of other random logs I am collecting from mainframes, various database software, and from Internet-facing appliances.

What about your cloud data? You should own that data and if your vendor says you don’t then it’s time to consider going elsewhere.

Many SaaS solutions do offer log data either via an API or syslog (usually over TLS). However, it may not be documented all that well and there is a good chance that you’ll either have to write some of your own code or have something sitting within your DMZ to capture this traffic.

I’ve had situations where the vendor has provided the log data but it’s only what they deem as “important” and not the general activity. Be prepared for this to happen and do not hesitate to demand a feature request to change this.

A grotesque myriad of log formats

You’re going to find three popular HTTP daemon log formats: Apache, W3C (done by the standards committee for the world wide web), and Microsoft IIS. IIS is kind of ridiculous as they modeled their format off of W3C but like all things Microsoft from the late 90s and early noughties, they opted to go their own way sort of.

This is something you’re going to have to face and you have a few options for dealing with it. In a lot of cases, the software you use will do field extractions for you automatically if the product is mainstream. You may luck out and the vendor or a very nice person may have written a solution for you. However, even if a solution is provided, you have weird edge cases that arise.

It’s very tempting to log all traffic on your file server. If you’re small enough, it’s probably no big deal, but what happens as you scale? Just like I mentioned earlier with Netflow traffic, it can become far too difficult to sift out what is a real threat and what is normal activity. Consider evaluating the event IDs you absolutely want and filter out whatever you don’t. This can be useful in reducing the amount of traffic and storage required.

I guess I am harping on event logs here still but by default it does include helper details that to you and I is super useful. However, when you have millions of events per day, those details add up and are not useful to keep around. Consider filtering that stuff out too and you may find that you save at least a third of your storage requirements!

This is your typical contents of a Windows Event log. Out of your box your software solution should support the format and if not then I have no idea what you’re using and you’re probably going to want to reconsider everything you’re doing. However, it will by default only deal with your typical System, Application, and Security event logs.

In this case, we have an output from Sysmon, allowing my organisation to see what is happening on a machine--if you have the ability to set this up, sysmon data is an absolute goldmine for information. However, if you look at the message field, you’ll notice that it starts to differ.

Okay. You’ve fixed the Sysmon issue, but now you’re like me and you’re collecting AV logs. In this case, SCCM manages our built-in Windows AV solution but in order to get the data out, we had to create a trigger within MSSQL to dump the event into an event log. It works great but take a look at the Path and DN fields. This would not be extracted properly with the same solution as Sysmon.

There are times however where everything just sucks. The above is an output that couldn't be extracted properly. It was awful. None of the data was consistent and the log software would just do everything improperly. I hated it so much but I fortunately had a solution after much complaining to the vendor (I'll elaborate a bit later).

To fix most of these, you’ll want to learn regular expressions. They’re absolutely useful to learn but do require a lot and I mean a lot of time to learn effectively. I am very rusty with them these days but there are solutions for writing them without having to spend too much time getting beyond the basics. I recommend working with RegEx101 if you want to get a start on things.

However, don't get too creative as it doesn't fix everything.

Shout out to Ex-Parrot for this disastrous regular expression.

This was not written by hand. If your regular expressions are getting to this point, you’re going to hate life. Regex is NOT a solution to all of your woes and does not mean 100% perfection. You will NOT achieve perfection in your extractions--but you will get something functional with enough work.

Do not use regular expressions to parse XML either. Your software should be able to work with it natively (as well as JSON, which can be regex'd but shouldn't need to).

If your syslog output has CEF (Common Event Format) as an option: use it. There are variations of it per vendor, but it's night and day in contrast to other log formats.

In the case of the vendor with the terrible output, after much complaining and pointing out their other products can do better, they provided us with a JSON output that pushed over HTTP. It has been the most workable data I have received yet so far so sometimes vendors can improve and improve real well in this space if you ask them to!

Things will break I promise you

Prepare for things to break and prepare to not panic. You must accept that somehow everything will break. Have everything documented and understand the impact of missing or delayed data.

If any amount of downtime or interruption causes a compliance issue, you must prepare for it either through redundancy or risk acceptance. These are things I cannot walk you through but know who to consult as it is important!

Regardless of whether or not you’re dealing with one, two, or fifteen time zones, you should always set everything to UTC. This will make it easier for you to build timelines. Having accurate time also means you can correlate with other sources effectively.

Have a central NTP source too. Time can be a few seconds off but any more than that and it makes correlation very difficult!

Time will break without you trying to. One of the times here is correct and one of them is not. This will become a headache.

As I mentioned earlier, one of the things I deal with in my organisation is industrial control--you may have heard it referred to as “real-time systems”, “process control”, or “SCADA” but they’re all one in the same. There’s a huge concern for safety and as a result we do monitor some aspects of our IC environments.

Be very, very careful when it comes to monitoring these spaces as even though you’re listening, you’re not necessarily passive about it. I highly recommend skipping to the part of the video where I use the above image as I go into detail about how using TCP instead of UDP can lead to trouble.

If you’re a team of one, then you’re responsible for everything that breaks!

If not, then you need to be able to identify the problems and then determine where the fault lies. Have your partners within your department involved in these situations and make sure that they’re aware of what their involvement needs to be. You may not have access to that firewall that is no longer sending syslog but they do. These teams may want to identify your log collection software as at fault so ensure that you have checked everything on your end and done the appropriate tests. Don’t be afraid to use netcat for example!

Closing Remarks

Be prepared for things to break and have a plan to deal with it. This also includes identifying the risks involved.

Don’t hesitate to hire a consultant and make use of them. They’re assets and can make your life easier. You're burning money if they're doing nothing.

This is probably the most effective security software you’ll use, but it’s not a holy grail so don’t treat it as such.

Lastly, this was the first talk I've given since coming out as queer. I really appreciate those who were attendance and appreciated the questions and feedback.

Tuesday, 27 February 2018

Finding the best London Fog in Vancouver

The above beverage is a London Fog, which is a tea-based latte. The basic ingredients of what is my favourite drink are typically as follows:

  • Earl Grey tea (1 bag)
  • 100 mL boiling water
  • 10-30 mL vanilla syrup (to taste)
  • Steamed milk (to taste)
There are all sorts of variations on the above but that is more or less what I expect. In some cases, you can work with simple syrup and then add real vanilla into it or you can also just use vanilla extract, but the above is what I would be the absolute basics of what you'd need to make it at home.

I've been drinking this beverage as a default in most Metro Vancouver cafes for a good decade and a bit; I first came across it in my university's coffee shop and was immediately hooked. Its origins are disputed, but it has been suggested it originated from a now-defunct place on West 4th Avenue called the Buckwheat Cafe. I've tried to find more details on the place but information is scarce as it existed before the Internet was commonplace (the claim is that it was invented in late 1996) and the digital records on the City of Vancouver Archives website do not make mention of the place anywhere.

At some point I'll have to do more digging and maybe check with the Vancouver Library. I want to know why it was called a London Fog (presumably due to its use of Earl Grey tea), if the stories about its origins written the Internet are true, and maybe a bit more about the shop itself. If you know anything, do drop me a line!

I've been hitting up random cafes I tend to frequent and have compiled a list of what I think about their version of a London Fog. Because some places will do theirs slightly differently than the above recipe, I've opted to skip on mentioning them.

Name Location Thoughts
Kafka 2525 Main Street
(Near Broadway)
I am going to say that this is probably one of my favourites. The cafe is near two friends of mine so I have only hit it up when I am with them but each time I've had the drink there it has been absolutely fantastic. It's not too sweet, it appears to use real vanilla, and it has the right balance of ingredients.
Cafe Deux Soleils 2096 Commercial Dr. To be honest, I really come here for the vegetarian food but they do serve a fairly okay London Fog. There isn't anything to write home about but I will remark that it's good and I don't find myself offended by it.
Starbucks Earth Like most things in Starbucks, it's not all that great. Like if I need a cup of tea or anything, it's fine, but I find that their version is just far too sweet. That said, it does exist outside of their Vancouver locations as someone in Dallas confirmed that they can make it. In a pinch, I'll settle with them but maybe ask them to not pump in so much syrup.
Blenz Metro Vancouver Theirs is mediocre. Being that there are three locations near me sometimes I do settle for going with them, but there are far better options but nowhere near that is convenient. Better than Starbucks but that is not an achievement.
JJ Bean Vancouver & Toronto It's good. I've had it at two of their locations (Marine Building and Commercial Drive) and it's fine and really I have no complaints. Definitely better than Blenz and if I feel like walking further away from work I'll go to them.
Prado Cafe 1938 Commercial Drive Prado has a few locations but I generally go to this one due to its accessibility--if I ask to take you there, I probably like you. Theirs is really good and is probably as good or close to as good as Kafka's. The above photo is in fact one I had just earlier this week.

So these are my really ridiculous tasting notes for my favourite beverage. I hope to find out more information about the origins of the London Fog. Once I have dealt with some personal matters in the coming few months, I am going to start digging more into it. I also am going to start making my own at home!

Monday, 1 January 2018

How I made my custom-coloured keyboards

For some time, I've seen many people have these really wicked pastel-coloured keyboards usually representing the colours on the transgender tri-colour. I decided that after fully coming-out that I'd change my keyboard at home and at work to reflect that--other people have these fancy LED Cherry MX-type keyboards so I figured why not.

Here's the end result of what I ended up building:

The top keyboard I bought brand new from Amazon for $77 CAD and the bottom one is a Coolermaster CM Storm which I have had for a few years for use at home. Both make use of Cherry MX switches meaning that swapping the keycaps was really straightforward!

These two links can be used to get the correct colour keycaps if you happen to like pink and blue in pastel tones:

I got the keyboard and the keycaps within a few weeks (keyboard came the next day) but any Cherry MX keyboard of your liking will suffice.