Why I Won’t Be Voting for Lorrie Williams

Lorrie Williams is currently a councillor for the City of New Westminster. She is running for re-election in November 2014, and I won’t be voting for her.

There’s an intersection in New Westminster that is dangerous to pedestrians and cyclists. Since 2011 there have been various attempts to make the intersection more friendly to pedestrians and cyclists, and in 2014 the city’s Engineering Department provided a report describing all of the possibilities for doing so. It’s a long report, full of pictures and maps and all of the things that everybody could ever think of to change the intersection.

The report recommended cutting a three-metre section out of a wall, and re-routing pedestrian traffic through that. In conjunction with realigning the crosswalk, this would make pedestrians more visible to drivers turning right.

The recommendation was voted down by Council in May 2014.

Lorrie Williams had this to say:

I don’t want to see any of the wall taken down, thank you very much.

She also suggested agreed with Betty MacIntosh’s idea of putting up a blinking sign to warn drivers. (Edit: I originally stated that Councillor Williams suggested the blinking sign idea. I’ve been made aware that Councillor MacIntosh originally made this suggestion and that Councillor Williams agreed with it.)

Here are the two reasons why I’m not voting for Lorrie Williams:

  1. She put preservation of a heritage wall above pedestrian and cyclist safety.
  2. She rejected three years of hard work by experts in the field with an incredibly off-the-cuff and dismissive non-solution.

Patrick Johnstone (who is also running for City Council) summed up #2 the best:

With all due respect, does the Councilor seriously think that through three years of engineering staff time, committee meetings by at least three City committees (two who are dedicated to discussing accessible transportation issues), and the hours spent by the team of professional traffic consultants hired to develop and assess the best alternatives – IT NEVER OCCURRED TO THEM TO SEE IF ADDING A FREAKING FLASHING LIGHT WOULD WORK!?!

The arrogance expressed by Lorrie Williams in thinking she might know more about traffic safety than professionals and experts who live and breathe traffic safety, that’s why she lost my vote.

Introducing ‘Pwned’: An AngularJS Directive to Search Against the Have I Been Pwned Database

The Have I Been Pwned website lets you check your email address against a large number of data breaches. If it’s in there, then your email address and probably some form of your password are out there to the public, all ready for nefarious use.

And security researchers all say that you shouldn’t re-use passwords, because that’s unsafe precisely because of these data breaches. Wouldn’t it be nice to be warned that your email address or username has been compromised, and then you’d get some kind of warning to not re-use a password? The ideal time for this is when you’re picking a new password for your account, right?

If the site you’re logging in to is built with AngularJS then I have the thing for you! Well, for whoever built the website, at least:

It’s a simple AngularJS directive that checks against the HIBP database!

I’ve put up a very simple example of it here for you to try out as an end-user.

May the Force Be With Your Bad Baby Names

After a pretty long hiatus, Bad Baby Names are back! To be honest, I got a little bored of all of the bad baby names that the Hawaii Tribune Herald kept serving up. You can only make so many jokes about too many Y’s or girls named Madison before they start getting stale. But this week’s list had a name that I just couldn’t pass up.

See, normally I get a link to the list of births emailed to me every week (thank you If This Then That!), and it puts the first two names in the body of the email. The first name in the list spurred this post (don’t worry, we’ll get to it) but it turns out that there are a couple of non-standard Bad Baby Names that deserve mention.

First, Spartacus. That’s a hell of a name to live up to, and I only hope his classmates help him out when he throws spitballs in class.

Second, along the same lines as Spartacus, comes little Ronilla-Cleopatra. Watch out for asps, little one! It’s lucky you’ll be growing up in snake-free Hawaii.

And the reason behind the Bad Baby Name rejuvenation: Princessleia. The only way this little girl’s name could get any better is if her middle name were Organa. Then the force would truly be with this girl.

Translink vs. Translink

Translink, May 23 2012:

With fare gates coming into operation at SkyTrain and Canada Line stations next year, TransLink has yet to smooth out potential wrinkles in the new system.

One involves a particular benefit enjoyed by riders with prepaid passes. On Sundays and holidays, two adults and four children aged 13 and under can travel on a single TransLink adult monthly fare card or West Coast Express 28-day pass, or an annual employer transit pass.

“All we can tell you right now is that the offering will still be there,” spokesperson Ken Hardie told the Straight by phone. “How it will work—at this point, we don’t have that detail for you.”

Translink, July 30 2013:

After a review of discounts and programs in its tariff, TransLink will make changes that will affect customers. As part of the changes, several programs will be discontinued.

As approved by the TransLink Board, the changes to the tariff include the discontinuation of:

Free travel for family members of monthly pass holders on Sundays and holidays effective January 1, 2014.

Huh.

Mail and Smail

Of course, seven minutes before Chris tweeted this:

…but I didn’t see it until just now. Co-creators of ‘smail’?

Cycling on Sidewalks in New Westminster

Did you know that it’s perfectly legal to ride your bicycle on the sidewalk in New Westminster?

Well, strictly speaking that’s not true, but it’s perfectly legal to ride your bicycle on most of the sidewalks in New Westminster.

British Columbia’s Motor Vehicle Act Section 183(2)(a) states:

A person operating a cycle must not ride on a sidewalk unless authorized by a bylaw made under section 124 or unless otherwise directed by a sign.

Section 124(1)(v) states:

The council of a municipality may, by bylaw not inconsistent with or derogatory to this Part, provide for the following:

the use, in places, under conditions and in circumstances specified by the bylaw, of sidewalks and crosswalks by persons riding cycles.

That means that municipalities in British Columbia have the power to allow people to ride their bicycle on sidewalks. New Westminster exercises this power through the Street Traffic Bylaw No. 6027, 1991.pdf). Sections 501.2 and 501.3 state:

501.2 A person operating a cycle on any sidewalk, footpath, or walkway in the City shall operate the cycle only in such a way that it will not interfere with a pedestrian lawfully on or using said sidewalk, footpath or walkway.

501.3 No person on a cycle shall operate the sidewalk, footpath, or walkway set out in a Schedule attached to and forming part of this bylaw.

So there you have it. Section 501.2 states that you can operate a cycle (which in New Westminster is defined as “a device having any number of wheels that is propelled by human power and on which a person may ride”) on any sidewalk in New Westminster, as long as you don’t interfere with pedestrians.

But there’s also Section 501.3 which refers to a Schedule attached to the bylaw. That would be Schedule 7 – Sidewalks, Footpaths and Walkways Where Cycling, Roller Skating and Skateboarding is Prohibited. There are nine stretches of street listed in that Schedule. Instead of listing them, I made this handy Google Map showing the roads along which you are not allowed to cycle on the sidewalks.

The roads are mostly in commercial areas with high foot traffic. The only exceptions to this are the small stretch of Twentieth Street (there are some small strip malls here but hardly any foot traffic) and the Waterfront Esplanade, which strictly speaking isn’t a road or a sidewalk.

There you have it. You’re allowed to cycle on most of the sidewalks in New Westminster. Just remember that pedestrians have the right-of-way, so don’t go mowing people down. And pedestrians, remember that for most of the streets in New Westminster bicycles are allowed, so don’t get shirty when you see one coming towards you.

When Is an Array Not an Array?

Short answer: When it’s a JavaScript arguments object.

Long answer:

In a JavaScript package I’m writing, I have a function that returns an object. There’s a bug in it where in certain situations it returns the JavaScript value true.

I have a test framework set up with Mocha using the Chai assertion library. With it, I can do

1
expect(result).to.eql(expected);

This means that the result I get back from my function should deeply equal the expected value. “Deeply equal” means that the objects being compared are identical — they’re the same type of object and store the same information.

In JavaScript, one would not expect an Array to be deeply equal to an Object because they’re different types of objects.

But in the Chai assertion library, an empty Array is deeply equal to an empty Object. This assertion passes when it shouldn’t:

1
expect({}).to.eql([]);

Similarly, but even more confusingly, both an empty Array and an empty Object are considered to be deeply equal to the JavaScript true value:

1
2
expect(true).to.eql({});
expect(true).to.eql([]);

Both of these assertions pass.

When I was writing a test to ensure that my function wasn’t returning true, but instead should be returning {}, I was expecting the assertion to fail. It didn’t.

Since Chai is open source, I forked it, patched it, and submitted a pull request to get the fix into the main Chai repository. It makes sure that when deep equality is done, the types of both objects have to be the same.

This was over a month ago, and my pull request hasn’t been accepted.

Why? Because of arguments.

See, JavaScript has a builtin arguments object, which is “Array-like” in that it’s an ordered list of values. When you call a function, it’s the list of arguments that you passed to that function:

1
2
3
4
5
function dumpArgs() {
    for (var i = 0; i < arguments.length; i++) {
        console.log(i + " : " + arguments[i]);
    }
}

This object is kind of like an Array, but the only Array method you can call on it is length. It’s not an Array object, it’s an Arguments object.

I’m of the opinion that “deeply equals” means that if the objects are different, they’re not deeply equal. The string "4" might look like it contains the same value as the integer 4, but you wouldn’t expect them to be deeply equal, because they’re different types of objects.

My patch hasn’t been pulled because the guy doing the pulling disagrees, which you can see at the pull request comments. But only for non-primitive types. “4” is still not deeply equal to 4, but if arguments is [1,2,3] then that’s equal to the Array [1,2,3].

The Mozilla Developer Network docs say

The arguments object is not an Array. It is similar to an Array, but does not have any Array properties except length. For example, it does not have the pop method. However it can be converted to a real Array.

I could change my patch so that if the arguments object is one of the values being tested, it could be converted to a real Array before doing the check, but that goes against the concept of deep equality. Two objects of different types shouldn’t be deeply equal.

So if you’re using the Chai assertion library, and you discover that an empty Array is equal to true, you’re getting that result because one of the Chai developers thinks that deeply equals is only applicable some of the time, because it’s “subtle”.

CIBC Credit Card Fraud Department: You’re Still Doing It Wrong

In part one of this saga I described how CIBC had sent me a text with a phone number to get them to call them, and how this is wrong.

I just went through my spam folder and found this gem:

Dear BradCavanagh,

Please contact us as soon as possible at 1-866-454-4339 (in Canada & U.S.) or 416-785-1331 (from elsewhere) to verify recent transactions on your CIBC Credit Card Account ending in XXXX.

We will also be phoning you at the primary number that we have on file for you with this message.

We are available by phone 24 hours a day, 7 days a week.

Please do not reply to this e-mail.

If you received this message in error, please send an e-mail to feedback@cibc.com.

Sincerely, CIBC

I’d like to quote from CIBC’s email and text message fraud page:

Phishing emails and text messages are often sent out as spam to numerous recipients and appear to come from legitimate businesses, sometimes even duplicating legitimate logos and text. Within a phishing email, you may be requested to click on a link that takes you to a fraudulent site or pop-up window where you are asked to submit personal and financial information. A phishing text message may request that you send personal information back to the sender through text message or call a phone number.

In order to increase the chances of a response, messages may imply a sense of urgency or an immediate risk to bank accounts or credit cards if you fail to answer. Special offers and prizes may also be promoted as incentives.

I’ve bolded all of the ways that CIBC’s email falls under CIBC’s own definition of phishing.

CIBC, you’re still doing it wrong.

CIBC Credit Card Fraud Department: You’re Doing It Wrong

This morning I received a text message purporting to be from CIBC:

BRAD,¡ Please call CIBC at 1-866-454-4339 to verify recent transactions on your credit card ending in¡XXXX.

Yes, the ¡s were part of the text message, and I’ve X’ed out the last four digits in my credit card.

This text came from the number “242-222”. I signed up for CIBC alerts via text message, and they’ve all come from this number, but there’s nothing guaranteeing that CIBC did in fact text me to get me to call them. In fact, if you search for 1-866-454-4339, you don’t get any CIBC webpages in your results.

It’s very nice that CIBC has this service. It was actually a legitimate request, as someone ordered over $1000 worth of stuff from walmart.com using my credit card.

But CIBC is doing it wrong. There is nothing on this text message verifying that this is actually CIBC. Sure, they get the last four digits of my credit card right, but those are all over the place, and they’re not considered to be sensitive data, which means that vendors do not need to do anything special to store them. It would be rather trivial to get the last four digits of my credit card number, my name, and my phone number, and then send a spoofed SMS. If I were naive, I’d call the number listed in the text message, tell them my full credit card number, and they’d be off to the races.

Never trust a text message, voicemail, or email that asks you to call a random phone number to verify any sort of personal information. Never. Always call a number that you know for a fact is linked with the company in question. For CIBC, you can either look at the back of your credit card or look up customer contact numbers on their website.

What CIBC should do is change their text message to read:

BRAD, please call CIBC Credit Card Services at the number listed on the back of your Visa card to verify recent transactions on your card ending in XXXX.

It’s a simple change but one that would help make people less likely to fall for phishing attacks.

CIBC should also list the 1-866-454-4339 number on their website, proving that it is actually a CIBC number. I didn’t call that number because there’s no way of verifying that it’s actually CIBC.

In fact, this text message raises all kinds of red flags that CIBC themselves ask you to watch out for:

A phishing text message may request that you send personal information back to the sender through text message or call a phone number.

In order to increase the chances of a response, messages may imply a sense of urgency or an immediate risk to bank accounts or credit cards if you fail to answer.

CIBC Credit Card Fraud Department, you’re doing it wrong. Even according to your own website.

Update: But wait, there’s more!