2020-01-31_Jodi_Posavad_Privacy_and_Security_Review_RMC_IP_Shell_Companies.docx
2020-01-31_Jodi_Posavad_Privacy_and_Security_Review_RMC_IP_Shell_Companies.docx

Disclaimers and Statements!

  • ** Legal, Security, Government Please Review Immediately. **
  • In this email I will be proving IP address. I will separate them with extra spaces however if anything is hyperlinked, etc. – DO NOT CLICK unless you are confident that you know what is going on.
  • I have no affiliation with any sites or IP addresses listed in this document and do not affiliate with their content or creators. This is intended to be for educational and reference purposes.
  • So far I’ve written 46054 words to the Shipyard (Not including this letter, will be 52,000+ including this letter), if you do not feel you have read that much – then they have not provided you everything.
  • For Jim – I’m not claiming I’m an expert, I do have extensive computer knowledge and believe the opinions expressed convey the points well and provide solid foundations for the reader to educate and decide for themselves. That means – Google It, YouTube It, Ask an Expert. Seek independent verification.
  • To this point I have not refused any cooperation and continue to make myself available for meetings and to go on official record – Again.
  • Full Disclosure to the shipyard, I sent a message to blahblahblahh@irvingshipbuilding.com Jan 29, 2020, 12:44 PM AST from my personal email address (the one we are conversing on), from the standard Gmail Web console to see if anyone wanted to chat. I didn’t get anything back and do not plan on trying to converse again
  • Remember if anyone is uncomfortable with the use of any of this widely and publically available information, think about what is probably being justified against me and the capabilities and resources these others would have – its dominating
  • And please remember, I only have so much time to do this so I’m trying to be accurate and as organized as possible whilst conveying a lot of information. And you know, living. So if I’m wrong about something, please present information and I will promise you and objective review will occur. The same is true if you would just generally like clarification.
  1. Government General Statement -> Please review the SSL concerns and the Security Assessment. There are serious concerns
    1. I know you know this. You want to get a leg up if this goes public – someone might dump some info eh? If not then you seriously need to look into it!
      1. Please Review -> Hosting Service: VERY Serious (Legal / Government Review Immediately)
      2. What is she or others were targeted by a foreign agent? They could use this system to gain information!
      3. What are the privacy concerns with this being routable in plain text through the states?
      4. What is the impact to National Security if information is divulged over an insecure channel in these scenarios?
      5. I could have used this as a decoy to deceive you in the same way. Was this considered or was it desired? I’m not being deceitful, just asking logic questions.
      6. CSIS – Please don’t be idiots. Please.
  2. Jodi Security Assessment - Exploitation Level is Very High:
    1. Hosting Service: VERY Serious (Security, Legal, Government Review Immediately)
    2. SSL: VERY Serious
    3. Privacy Risk (Liability Concerns) : Serious
    4. Email / Password Concerns: Medium / Serious
    5. Social Equity (Exploitation Considerations): Informative / Suggestive
    6. POST / Contact Form: Informative / Suggestive
  3. Why someone Might choose Jodi from a technical / intelligence perspective - Substantial Security Risk Detected. Legal and Security please review!
    1. The Summary -> See Detailed Version and Rest of Letter to answer the questions
      1. Requesting clarification from the Shipyard on disclosing this Security Hole / Quantified Privacy Concerns to Jodi? I will Default to 2 Businesses Days if no response from Shipyard requesting more time. This is to protect everyone’s Privacy, The Shipyards, Canadas, Employees as well as Jodi’s. If the Shipyard will not respond then I will.
      2. What should be done for others whom may have submitted any details through this method already? What review will be done? What disclosure polices exist?
      3. By disclosing this can I be held liable? What is my responsibility?
      4. Is it the Shipyards responsibility to advise their contact / contractor of this, what is the legal time frame of that disclosure? Legal, Security Please Review.
  4. The Detailed Version -> Walkthrough and Technical Description:
    1. How Many IP addresses there are. Some basic Math.
    2. How your own Physical Address and Personal Identity Are Tracked and Confirmed by IP address (And wi-fi hotspots):
    3. How IP information and associated Physical Addresses can be easily anonymized. Process explained!
    4. Why this allows for easy justification for a Warrant! Because it all looks garbled, until it’s not!
      1. Ps – this whole tracking bit is actually terrifying from a bio terrorism perspective. If someone had this information and wanted to spread a disease… like say the corona virus? Or, as we more commonly experience it - as manipulation from foreign governments.
  5. How IP data, Names and Addresses can be encrypted generally for “bulk collection” / Monitoring Purposes – Easy Legal Justification.
  6. Evidence / Proof of Similar IP and Phishing Tactic:
    1. Guessing the chances of coincidence
      1. Do you know the odds of winning lotto max? Well you will!
      2. Who wants to come with me to buy a lottery ticket?!
  7. Personal Letter to Jodi (Legal Please Confirm Questions on Disclosure):
  8. Letter to everyone Security, Legal , Government, Jim ,Jordan, Jodi,
  9. I see all of you

B) Jodi – Security Assessment

Hosting Service:

Have you folks verified her password requirements for this free site? Do you know how the contact system works for this free service? Here is a quote:

https://www.weebly.com/ca/features/form-builder

Screenshot taken January 31st 2020. It is copy and paste, the image has not been edited.

“When a form entry is submitted by a visitor to your website, an email is sent to the address of your choice with the data. The Data is also stored on your site’s dashboard for easy review”

So, my understanding of this is - not only would a copy be routed through another country as plain text it would also be stored there. And what about backups?

Now, I watched a YouTube video to confirm, and it doesn’t let you specify SMTP settings which tells me, this data is getting routed through a 3rd Party mail server and a copy is Stored on their server!

This is a screenshot, copy and paste and unedited from when I did sample test (intentionally failed) on January 31st 2020

And then on top of this -> this data is routed Plain Text through 199.34.228.77 which returns San Francisco!

You are exposing and routing these details plain text through another country.

This is a Huge Privacy Oversight.

Not to mention if someone contacted this person with a lot of sensitive details, names (for phishing / engineered targeting), anything!

SSL:

This is a very serious concern and makes this person a prime target. It could also be used to trick someone into submitting something through that method intentionally, for purposes of gathering that information.

It creates a false sense of anonymity amongst non-technical people and can be used as a tool against them.

Exploitation Level is Very High: Bulk Data Gathering (technical, names, contact info – for phishing), False sense of anonymity, Social Engineering and Privacy Breach

Privacy Risk:

This should be a serious point of concern for you. This could get someone sued, legit. If not sued, it could degrade integrity of involved parties – especially knowing there is sensitive data, topics and confidential clients? You whole approach should be Privacy! You wouldn’t just let someone see someone’s HR record would you?

The contact form would expose them before anyone could even help in literally just milliseconds and can’t be taken back.

Seriously it’s my suggestion to contact nonaffiliated professional for verification.

Email / Password Concerns:

You should consider using a controlled special email account when dealing with these issues- not a publically listed email!

How do you control if something gets sent to this email address?

How are you verifying her email password integrity if you don’t have control over this environment?

Now – online as breaches are found people amalgamate the email addresses / names involved in known breaches as to help people search through *limitless number of entries – depending on context (That only gets larger as time goes on!) And the particular service I searched showed your public email address has been involved in 2 breaches.

Two entries for email address jodi@grassrootsHRconsulting.ca:

Data Enrichment Exposure from PDL (People Data Labs): seems they likely got your name and, employer data, geographic location, titles, phone numbers and social media handles.

Houzz – A housing design website and this one was pretty bad – it looks like they could have got passwords to your Social media. This was in 2018.

**Now, it is not my recommendation to change those passwords, it’s to point out what a public resource thinks about publicly known information associated with that publically listed email address! And to inform you that sometimes the associated passwords also get posted to the internet meaning if you were breached – you should automatically assume you can never use that password again anywhere safely!

** I have never searched for any passwords and would not do that. This is educational!

**Also, I did not figure there was an issue with doing this – the address is publically listed (Susceptible to MUCH worse) and there is no subscription with any type of service. And I would be fully allowed to google the email address as well as expected to.

Has anyone spoken to her about security / how her site could be compromised (And those form submissions) if her password does not meet certain standards? Was it changed since these breaches?

And to that, I believe you may have already taken steps? (Speculative but reasonable)

The Email does seem secure and it appears to be using very similar servers as the Shipyard. But that would be expected if using similar providers and as she is using a hosted domain, this can only be done through a paid service through a well-known provider.

For example: Here is a comparison of IPs from SMTP servers (the protocol and the computers that send and receive email)

So, here is the logic - SMTP is the protocol used to send email on the internet. As it’s a protocol, its run on a computer – this computer has a physical address so it can be uniquely referenced and used.

104.47.61.57 – Audra SMTP Address

104.47.60.36 – Jodi SMTP address

(Regardless if this is meaningful, this is a great example of IP leasing – Microsoft owns an IP block and gives a unique address to each of its servers)

But, also tells me the email is secure and quite similar to the Shipyards in fact…. And Changing DNS / MX records is simple and there is no common record kept so it could easily be that the MX records recently changed, pointing towards a new mailbox for the duration of the investigation.

Now, if someone was able to get into this hosting service because of nobody verifying the password. What could have happened?

They could point their official MX records – Mail Exchanger records to an IP of their choice (A server they control) that can copy the message and then forward it off without knowing anyone was in the middle and all they would need is your hosting website password. (Just like the ISP that acts as a proxy and Email that submits in the contact form!)

They could hijack the whole site really it would just be more obvious.

And if the Shipyard / Government was not watching this, it could happen seamlessly!

Regardless of my speculation - You need to verify password integrity!

Social Equity:

  • Directed at Jodi as a set of questions / statements / line of questioning (All Rhetorical, to express line of questioning about intent and personal gain)

“I see you have a good Social Standing- a google search will show that you have community integrity. Which is great! Thank you.

But you also have a history of corporate leadership and are now running your own business? What’s also interesting is the unemployment gap between 1994 and 2001… 7 years unaccounted for. I would think most HR Directors like to share their history as part of their pride especially on a Business platform like LinkedIn… the platform is there for advertising… and you aren’t fully advertising? I see you had your certification and were registered with the HRPA until 2015, were you not working in your field? You jumped right to Director of Red Cross?

I mean looking at all you publicly available social accounts – there is a specific gap! And even when you do show up there doesn’t seem to be a lot of details or activity, including changing your profile picture. Regardless, it seems your keeping certain portions of your life consistently contained…

And now looking at your website… I’m betting you are quite dependent on these comments? And the support from these businesses. What would someone think if someone in your position went against the Shipyard? Would you post that comment?

Do you think employers would hire you if you had a comment like:

“X is an absolute pleasure to work with, but did not work in our favor”

“I have sought X’s advice on a number of HR issues, it turns out it led to our person “right at the time” resigning – would recommend 5 stars!”

And how does any of this help your financial situation?

If you don’t favor them, you get paid once and denied later. If you side with them it’s paid now and paid later.

And it appears you are running your business out of your home and a house in that area is not very cheap to live in? 2020 Assessment $670,100… average sale price $711,817, the land taxes alone are like what $8000?

Publically available information from viewpoint.ca using publically available address information that’s associated with your publically listed business, from the business card you willingly gave me and is the first return in google!

And there is a lot of Social Equity to be had – As you said – you don’t know Jim, now you know a high ranking police officer with a lot of contacts. What are your feelings about Jim?

Jim is quite tall isn’t he, what at least 6’5? And a solid frame, he told me he works out… How much do you think he could lift?

Do you think you two could be friends?

What about other contacts the Shipyard could provide… Halifax is a small place to burn bridges? I bet you’ve had lots of meetings with new people who now all know your face and you personally – what will they all think?

Does all this create a disposition for your favor? It would be easy wouldn’t it? And everyone would probably believe you – who else ever gets to see the details? And you aren’t technical so who explains the issues to you…?

And then how do you know if they were right or not? You just have to “assume”… so how do you know if you properly evaluated a technical response? And memory only fades with time, it’s a tool of deceit on its own.

And What if someone offered you a lump sum of cash or money? What would you do, who would you speak to?

Who watches your bank account during all of this, have you thought about this?

You haven’t considered this?”

POST -> Contact Form:

The amount of data this accepts -> paired with no SLL is very misleading. Recommend changing method ASAP.

C) Why someone Might choose Jodi – Intelligence?

I’d like to start by stating, I understand the implication that this was intentional is speculative and it’s not an accusation. It’s in relation to CSIS Act-23 and Warranting justifications. How to reduce direct Canadian impact, while protecting Canada’s interests. Again it’s an attempt at a logical argument / discussion with facts.

There is no SSL certificate on her site.

http://www.grassrootshrconsulting.ca/clients.html

(This image is cut and pasted from a screenshot on January 31st 2020 12:32 AM, it has not been edited)

This means anyone connecting is exposed to the world, so if they send you something through the contact page - anyone clever can see it – it travels as plain text over the internet.

And all of it and it can be tracked with very Minimal intrusion.

See, the Contact page, doesn’t actually require any valid information!

I can put in anything in those fields as long as it looks valid.

So someone would think “oh I can use a pseudonym” and presume they are safe! Which is false and is not something most people would notice!

Regardless the other method is email which almost always leaves a trace (unless you take a lot of extra precautions, which the large majority of user would not)

Meaning it would give someone a false sense of security and it only takes a second to make that mistake!

I wonder what other employees Jodi might be representing here. Do you think Jodi or the employees would have reasoned this about SSL?

I’d wager quite confidently it’s a No!

But the Shipyard should have!

Now - I tested a submission to her contact form – it’s a lot of garbled text with 426 at the end, that the number of lines I sent testing – my intention was not to spam but to perform a non-intrusive test of capabilities – fully legal –I never hacked. Just watched a Simple POST not using any special tools.

I got confirmation that that whole blob went through, implying that if someone wanted to send you a large trove of data or a really long letter it would accept it!

So, if someone sent you a lot of information, confidential information, any details - anyone clever – anywhere in the world could see them! And most definitely your ISP would see it.

People literally build programs to find this very type of issue to exploit it (We could have a whole discussion on that).

On top of this, it appears it would all be routed plain text through San Francisco! So yeah, did anyone see that???

It’s that or they made yet again another big oversight that could directly hurt the Shipyard and expose our Data and Internal state to Non Canadians.

Think about this, When Irving makes a statement – are they going to mention Jodi’s name? How will it circulate?

A lot of people look at your social equity and think they can trust you. And in this, they will try to be anonymous.

And then all this traffic gets routed to another country as plain text…….

They should review this immediately as this could put the Shipyard at direct risk – it should not be up to employees to have to determine this.

This plays back into providing a safe resource! You can see how this issue tumbles if you don’t take precautions! From my previous letter:

“Security – how could the current state of the Shipyard be manipulated by individuals who don’t have representation? (And yes I know what that means about my situation – but we have to ask this – even of me!) Are you arguing there isn’t a considerable amount of pressure here – you are in charge of determining this!? If people can’t speak internally – they will probably speak externally – they deserve a resource – is that not an issue for the Shipyard? This helps you control the dissent in a legal, logical, respectful and protective way for everyone! “

The Detailed Version - How your Physical Address and Personal Identity Are Tracked and Confirmed by IP address

ISP - internet Service Provider – For example Bell

IP – Internet Protocol (Address)

SSL – Secure Socket Layer

Social Engineering – Process of using social factors to manipulate a source into providing you information typically unknowingly or until it’s too late.

API – Application Program Interface – In this context it’s basically a structured way of interacting with a data source / sending commands. Protocols are an example.

All computers accessible over the internet are given a unique* IP address – this is how information can pass all over the world and still find its way back to you and These IP addresses are taken from a global pool of addresses.

These IP addresses are divided out globally to Internet Service Providers and there is a finite amount*.

Now, as IPs are hard for people to remember, we came up with an automatic way of linking a domain name to an IP address, this way people don’t need to remember the unique numbers to every resource! For instance google.com is a lot easier to remember than 172.217.164.174,

However computers can still use just an IP address because it’s easier for them! The protocol for handling this translation of words to numbers is called DNS. The protocol for handing out IP addresses is called DHCP.

So in essence the addressing system is the same for both humans and computers. There is just a translation that happens in between!

Now, each part of an IP address contains information that can link back to a specific ISP, physical residential address, company, specific people and a specific piece of hardware.

Meaning by just having an IP address it can directly expose a person’s identity (Phishing / Social Engineering) but much worse it will publicly expose their physical system for exploits!

Now to take this further, any connection made between computers requires an IP exchange.

Meaning both systems require an IP address from this finite pool! (Your computer and the resource you want to access say a website)

This is true for even the most basic of tasks involving two computers which communicate over a network.

Where your ISP comes into play is that they act as a relay between your IP and the Resource IP (Server).

And By relaying this information, all traffic is relayed (proxied) through the ISP.

Example without SLL:

You send a request from Your IP –> ISP RELAY (Content Plain Text “hey how are you”) – Resource IP (Server).

Resource IP replies -> ISP RELAY (Content Plain Text “I am good”) -> Resource IP (Server).

Example with SSL:

You send a request from Your IP –> ISP RELAY (Encrypted BLOB) – Resource IP (Server).

Resource IP replies -> ISP RELAY (Encrypted BLOB) -> Resource IP (Server).

Side Note:

This is also the reason why you want to be sure of any WI FI hotspot you are connecting to! All your data could be logged and be seen by anyone on that network at the router acts as a relay! So, say if you walked into WalMart – that local WiFi may be compromised. This is especially troublesome on Open Networks!

In fact, I’d wager that on average a WiFi Connection it’s much more likely to be seriously compromised than your ISP / Wireless Carriers network!

What SLL does in this process is use a certificate to encrypt data (See Certificate Authority), so your ISP will only be able to see the IP routing information but all the content is encrypted and will look like non coherent data to any human. You can see an example of this in another section E this document!

Meaning even with SSL the best case scenario is, a list of connecting IP addresses, Total Traffic and Date Information is retained by the ISP! At best the data text can be captured, but can’t be decrypted unless someone can get their hands on the keys – And that’s a whole other fun discussion.

Now, this will also protect your computer/phone/device as it encrypts traffic even over these WiFi Networks (That you have no control over). Meaning, that even if the WIFI isn’t safe, at least it’s likely a lot of the data being sent has some integrity to it!

Regardless the resource (server) will also log detailed transaction information between Your IP and its self so if someone had access to the hosting account / Web Server / Router they could easily get this information.

So, I think it’s clear here why not having SSL is a HUGE problem, data is being passed as plain text all over the world and over every connection! All while its being logged and can be logged!

Now even with SSL this isn’t perfect and it has been exploited! And exploits have existed for long periods of time without being reported.

So to take this all further, in its most basic form, your Home Router has an IP address (Your front door to EVERYONE on the internet) and your domain has an IP address grassrootsconsulting.ca * - that’s how people get to that resource but is also the address to the front door to each!

Now given an IP address – you can go on the web and search “whats my ip address” and usually you can find it and it will show specific information about who it’s leased to.

Mine shows it’s owned By Bell, And in Dartmouth Nova Scotia Canada. So just by an IP address you would be quite close to my physical address and identity and from anywhere in the world would be able to knock right on my routers door, or any computer for that matter!

Now – VPN clients, take your encrypt your connection between you and them so your ISP can only see that you connected to say VPN PROVIDER. The VPN Provider then bounces your IP around internally and anonymizes its path. It then gives you an IP address that it owns in whatever country you would like! They then wipe any traces of your IP within their network – This makes it EXTREAMLY difficult to determine what you were doing or looking at however there are ways of figuring this out even then

Now a little math to think about for later - IP ranges or singles (Statics) are subdivided from a total of 2 5 5 . 2 5 5 . 2 5 5 . 2 5 5, each (number reducing to 0, it’s almost like replacing the. with X for multiply – it’s about 4.2 billion useable addresses within IPV4, obviously we need / will need more hence the implementation of a newer protocol, IPV6 which actually supports 340 undecillion addresses or 2128).

There are ways of getting around this external limit as your home router works the same way, it can act as a relay (A single IP address) to its own defined subset of internal IP’s So it gets one IP to the WORLD but creates its own internally.

So, you’ve probably all seen 1 9 2. 1 6 8 . 0 . 1 -> that’s a typical home routers / Access Points IP address / range.

Now - Knowing even the basic geographic information from a simple search - reduces the potential 4.2 Billion IP pool to a substantially smaller pool with simple logical steps! But can also quite easily reduce the uncertainty from 7.8 billion people (World population) to 971,395 possible people (Number of people in Nova Scotia). And, Bell only has so many consumers?

So we can reduce a huge dataset using a few logical steps that a computer could do easily, automatically and immediately in response to a new IP showing up! And all anonymously!

Add a few more steps like knowing the age range of your target demographic as you add public factors - you can get eerily close.

And if you are the Government / Foreign Body / Hacker Group / The Police! They will have enough data to be right on your door step.

Folks - You can build a program to literally crawl the internet and just do that, just so you have that information to compromise someone later on. Or, set a minimum value for which constitutes sufficient data on a person or asset and then move into human assistance.

Remember, computers are quick, even if you delete something a minuet after its posted – it could have been copied already, or still be cached somewhere. Take a look in your internet cache sometime.

Consider – how quickly can a computer react to it receiving a notification of a post on Facebook? It can react in milliseconds, before your eyes could even process the notification.

To that - it’s absolutely a tactic used by foreign bodies – take a Public LinkedIn list, and Crawl the internet gathering details – phone numbers, email addresses, even known city / town names, “social preferences”, and social handles.

Considering all the open API’s, the Posts people forgot about. The unintended consequences of access – seriously.

See Facebook / Cambridge Analytica Scandal. Russian Interference.

Groups, Political Parties, Individuals, or Countries can and are doing this very thing themselves, using public information and open API’s and it’s extremely concerning!

This itself is a tumbling mess and is something that is not going away and it will have to be managed responsibly. And with the rapidly impeding Machine Learning revolution and Massive Increase to processing power being made available to search for patterns / exploits in this data…

The ways individuals, groups and companies can become targeted and manipulated become uncountable. Let alone political discourse and misinformation?

Remember - The internet doesn’t forget (At least not yet)… What a state backed system could do with millions of dollars and talent? It’s spooky!

(I am not a hacker, not a threat – illustration purposes only)

E) How IP data, Names and Addresses can be encrypted generally for “bulk collection” / Monitoring Purposes – Legal Justification and Quantification

Encryption in a Basic Sense -> A method that reduces the human readability of information. This means it inherently implies a range, involving less complex methods and much more complex methods.

For basic Purposes, Reversing the Letters Could Be Encryption as long as the Human / Machine does have the rules to understand it.

So, when I say encrypting in this next piece, think just that, reversing the letters and well assume that’s an acceptable non-human readable state.

Example:


Not-Encrypted “Hawke”

Encrypted “ekwaH”

You then repeat this same Encryption method to an IP address, Physical Address, or any other Meta Data About a user and you will soon have an encrypted, “anonymous” data set! And to identify them you put a unique ID beside each entry. Just a simple number works! Starting at 1 and incrementing with each entry.

This is a simple set of rules for a human and a computer to implement!

No human ever had to look at it so nobody is exposed!*

And now, if you have a reduced list of suspected data, you can Encrypt it (reverse it) and search your anonymous encrypted data set, if you get a match then only a specific entry you want is decrypted and made human readable!

So let’s run through a scenario:

All you would need is a list of Employees. And you don’t even need direct access to the company to get a list.

Just from taking a public list of names -> say from LinkdIn “See all 757 Employees on LinkedIn”.

You could get quite a few! Perhaps a few decoys as well

In fact, there are a lot of considerations about what could you do with this public information? – That’s a really interesting and long discussion for another time!

Now, given any type of cooperation from an ISP, they could take this encrypted list or build an encrypted list (And never violate anyone’s privacy!), run the same encryption method against their IP listings, Names, Addresses, And Content. Upon matching, they can return this data – encrypted with a unique reference ID.

Indicating matches between encrypted data while not exposing personal details unless absolutely required. This makes this approach highly attractive when requesting a warrant, especially on Canadian citizens!

It’s highly rational if done properly.

F) Evidence / Proof of Similar Tactic:

I know this is speculative.

So, is anyone thinking this guy is paranoid? – This is overkill – he’s overthinking it?

Well I actually have quite strong evidence of these activities / similar activities. So I present:

On December 5th 2018 was my final interview with XXXXXX and <MANAGER>, please see the Record.

On December 4th 2018 I received an email from “Marrie Sommer”… I remember clicking on the link and going to their site (Remember this – it’s the same as this situation).

This is a Snip from the Mail Header logs from the email from Marrie Sommer:

Altered with spaces to remove auto linking. Do not access this IP, unverified

Received: from USER-W7 (unknown [216. 208 . 235 . 222])

The email contained information about a job that seemed awfully close to the pay scale of what we had discussed at the Shipyard and the timing seemed weird and it stuck in my head … but I didn’t think anything of it for months (I’m kicking myself for this, but perhaps its better I didn’t know)

So I start this process… and I go back to that email and I go through its headers (Information about how it travelled through the internet) and I found an IP address, the site no longer worked and no matter what I couldn’t find “Marie Sommer”… so I thought oh…maybe this is spam… So I tried finding the company… and nothing… but some strange registration information…so I went to lookup the IP history and I see the IP had bounced a few times (changing its physical location as it gets passed around) and then I found it…

In this history it showed the IP as being owned by The Royal Military College Of Canada:

And the possibility exists that perhaps a spammer would know this and buy up certain ranges to help boost confidence… but the timing?

Remember how those blocks get handed out and how you can see who owns them…

Honestly I don’t know if it was a test to see id figure it out or something? Honestly I felt weird about it for so long…

Do you folks know what they do there? Take a look at what they actually list.

Go google it so it’s not just me selling some narrative.

So – given the billions of addresses and the timing…. What do you folks think the chances of this are?

PAUSE AND GUESS – just try to guess the random chance, without factoring in the timing!

Here is an easily digestible comparison …the chance of winning lotto max is about 1 in 33.2 million:

https://lottery.olg.ca/en-ca/lotto-games/lotto-max/odds-and-payouts

So 4.2 billion total available IP address divided by 33.2 million means I would have won the top prize in lotto max about 127 times. Factor in the timing... (Roughly, it’s not to be exact it’s to illustrate)

So the moral of this story is…

Does anyone want to come with me to buy some lottery tickets??? This whole conversation could be the very least of our problems!

Now - At first I thought they just wanted to see if I was flakey but then reality sank in…

I was already being probed in a general way for security review... I get it... I just don’t know how deep that went. Did they come right inside without saying hi…?

Regardless they were definitely Phishing for something!

G) Personal Statement to Jodi

Please take a look at SSL – there are many resources with scaling complexity that can verify this independently.

If you are not using Outlook.com as a provider and if that doesn’t sound familiar to you, then you should be quite concerned.

So far I’ve written 46054 words to the Shipyard (Not including this letter), if you do not feel you have read that much – then they have not provided you everything.

This is a lot and I’m sorry you got dragged into this, I really am. I’m honestly doing what I feel is best.

And please know I’m not trying to redirect or cause conflict.

And upon verification of an independent source, I think you’ll find the discussion is absolutely related and the Shipyard will definitely be reviewing what I’ve written about here as they absolutely have to factor this in if they didn’t account for this.

It could have easily been a serious oversight – speak to an expert to verify.

Regardless – please consider there is a solid history of direct and indirect ways of getting compromising information from your very type of exposure, even if you aren’t the government and it’s pretty much a guarantee if you are the government. And we could have a whole discussion about it… as I’m sure you’d expect from me by now. Lol.

I would suggest seeking out an expert for more details, this may also help ensure that complexity does not become a major barrier in understanding my perspective and justifications.

This should also help evaluate my technical competencies from an unbiased source.

And please really consider this - These guys are security guys right? If they didn’t recognize that, wouldn’t that be weird?

If someone sent you confidential information - wouldn’t that be a serious breach? Couldn’t someone (outside of this whole issue, independent of us) use and exploit that information? They absolutely could!

So if security didn’t recognize that, that would be concern enough? The Shipyard should have recognized this!

If not it’s a serious oversight - and at this level of involvement - do you think it was an oversight? We can only speculate using some evidence / technical facts.

Do you think it’s unreasonable or a far leap for a clever person to reason that someone may reach out to you, or have others? And that Perhaps someone wants to provide a lot of data?

And that they might also be able to reason that some of those people might want to be anonymous?

And do you think you or other employees would have noticed this? Not the vast majority! Nope.

And what does it mean if that data was sent Plain text through another country?

And please consider this is by no means a regular situation.

It’s an interesting “What If” with a lot of facts to pivot on.

Now full disclosure: I drove by the address listed for your company on google maps the day after our meeting - Tuesday January 28th 3:30PM (approx. can get a more exact time) (my GPS was enabled and can confirm).

I didn’t see a company sign at the address or around.

And I Confirmed this on google maps (it shows the house), there is a missing storm door since the map pic was taken implying this for at least a few months? A victim of Dorian perhaps? I like the red – its striking!

Anyways - I made two passes, I looked around to be sure I didn’t see any signs. But in the time I drove back around, a SUV was then in the driveway, the passes happened within 10 - 15 minutes, I got turned around on the streets and wanted to see from a second angle.

I never got out of my vehicle, nothing like surveillance, and I do not plan to drive by anymore and do not have any plans on approaching you in any type of physical capacity, or digital for that matter.

I just wanted to see the place for myself and it’s publicly listed on google so I figured it would be alright.

And I sincerely apologize if that’s concerning to you in anyway and I would suggest removing this information or privatizing it.

But based on what I can tell this all tells me you are likely doing this solo, or contract “down” or out of your location - this means that they can control the contact points much easier.

They know you aren’t talking in an office, chances are if you discuss this it would be through some form of electronic communication, Phone, email communicator, messaging apps etc.

It’s a good tactic.

Consider… If this was a large company and an HR person, they would have to be much more intrusive and broad with data collection! They would have to surveil a Canadian Business and all of its Employees.

This is a much simpler approach to solving a lot of these “technicalities” involved in gathering information and justifying a warrant.

Regardless - you need to get an SSL certificate - if someone contacts you - their details should not be exposed to the world - That’s a Privacy Breach!

To this I have another suggestion – I put in 462 lines into your comment box – that’s a large amount of information to accept through an unsecure connection. Or in general. You could be spammed.

I would absolutely suggest placing a hard cap on this value / provide another more secure avenue – especially if you will be working with any level of security clearance in the future. Taking this opportunity to ensure this with the Shipyard could be something you market!

Also, switch to a Canadian Hosting company if you can! The privacy laws in the States do not Favor Canadians and their Data – its fair game to them!

Now I see your hosting service is Weebly- at very least for now they have SSL as an option?

https://www.weebly.com/ca/features/ssl-and-more

On top of this, I would suggest - if you have the resources - is to have a security person review your site and email setup. I’d be concerned that if you were compromised, it could be considered a Privacy Breach and generally may not look well for you –in fact companies have got sued because of this! And you are absolutely dealing with sensitive private information…and perhaps use someone with a good name so if it does happen, some of the heat will be on them!

And that’s not a threat, it’s an assessment and friendly perspective

Anyways from my perspective there seem to be very specific reasons for why they chose you, very specifically from a security perspective and social equity standpoint. But unfortunately there are some serious security concerns you need to address, and to that SSL is not really that expensive - especially compared to you getting sued or the drag of a bad reputation!

And then what if the Shipyard or anyone turned around and blamed you? (I wouldn’t and won’t)

And to this same discussion Id wonder what their security policy is about your email account? How can they know if someone sent you confidential information? How could they contain that?

Now, the reverse could also be true - if could be socially engineered as a way of me / others avoiding contacting you with details etc. (Low percentage, but a considerable option)

And look at your record with the community, this might not be apparent at first but someone clever would know people will likely trust you and be more willing to engage with you - as you to them! And you are probably not very well versed in web security or general security?

This Social equity can be leveraged without your control / consent by social engineering!

Someone could exploit your built up community trust and use your contact system against them / you. That’s a technical fact.

Think about this, When Irving makes a statement – are they going to mention your name? A lot of people might look at your social equity and think they can trust you. And in this, they will try to be anonymous.

And in this expose a lot of details about who contacted you?

That’s not unreasonable. So - Is this planned? Decide for yourself

And… remember…. who watches your bank account if this goes a funny way? (I’m implying the Government to be clear)

Please seek independent verification.

"

H) Letter to Everyone:

I strongly suggest Irving Shipyard seek independent verification of the information provided.

This is of genuine concern – How long has Jodi Been on this investigation?

Security - please confirm the details internally - if you state this is not an issue - you need to contact a third party security investigator - you cannot be using compromised sources like this in investigations – who is liable! Did you enforce proper polices when dealing with this 3rd parties. Please review the technical details and seek independent review for clarification.

If you do not agree that the Outlined Security Risk is an issue I would fully expect nothing less of you to write and submit a report detailing your technical reasoning.

Legal - You need to look into this - who should have verified this? If confidential information was delivered through this contact - who would have been responsible? In terms of disclosing security holes / privacy breach concerns what is your Policy? What are my obligations? How much of this should have been outlined in the resources you folks should have provided?

If you do not agree that the Outlined Security Risk is an issue I would fully expect nothing less of you to write and submit a report detailing your reasoning.

Jim – I promise you I’ve done nothing and if there was a security hole – I would absolutely inform you immediately if I even thought something could be one and without hesitation, I’d never try to exploit anything and id assist with detailing it (As I am – quite detailed as well) and I’ve never done anything but send that email.

So please don’t raid me! (That’s an old police joke) And if you do, can we have a calm discussion about technology and maybe you could teach me some interrogation / investigation tactics?

But please, if you do insist on raiding me - please have someone to help my mother she doesn’t move well – she’s not a risk and will need help and also my dogs name is Hawke, he is a lover – he wouldn’t hurt anyone and doesn’t have the body weight to do anything really so… be kind.

Jordan – “I hope your investigation is going well, are you following this?”

Jodi – “I’m very sorry you had to be dragged into this…and I hope they are paying you well LOL. But please know, I cannot let my defense down. So if that comes with just a hint of overly cautious during this investigation – then please know I’m aware of what that may convey”

Government - ??? I am confused.

It’s time we had a proper meeting folks. I would really like to redirect this effort into something else… like you know a life.

Or into helping Canada more directly?

So please everyone, you need to be straight with me about all of this.

My defenses are up and I am in protection mode so I will state plainly – be direct with me.

Can we get a proper meeting going?