CyberLaw on keithrozario.com

Preventing a DDOS is not going to be easy

Wed, 02 Nov 2016 20:56:42 +0000

As a follow-up to my previous post on DDOS attacks [1,2], I’ve seen a lot of so-called ‘solutions’ to the problem, which really aren’t solutions at all.

While it’s still not explicitly clear that the StarHub DDOS was executed by Mirai, a recently released malware built specifically for DDOS, the timing and similarity of it to other Mirai attacks leave little room for doubt–at least to me.

If indeed, StarHub was a victim of a Mirai based attack, it would seem extremely odd that their CTO would reference phishing emails as a vector for infection. So a few things don’t quite line up here, including the advice from the CTO to change the default username and password, when Brian Krebs already reported that doesn’t quite help:

Several readers have pointed out that while advising IoT users to change the password via the device’s Web interface is a nice security precaution, it may or may not address the fundamental threat. That’s because Mirai spreads via communications services called “telnet” and “SSH,” which are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type “cmd.exe” to launch a command prompt, and then type “telnet” <IP address> to reach a username and password prompt at the target host).

The trouble is, even if one changes the password on the device’s Web interface, the same default credentials may still allow remote users to log in to the device using telnet and/or SSH.

If you're more technically inclined, I strongly suggest listening the feature interview on last week's risky business podcast.

But the last piece of advice that the StarHub CTO gave, that didn't make sense to me at all was this:

"If you were to buy a webcam from Sim Lim Square, try to get a reputable one"

Again, this may seem like good advice, but it doesn't conform to the evidence. Brian Krebs has a list of devices that are hack-able, and they include the likes of Panasonic, RealTek, Samsung and Xerox. All of which regular consumers would consider 'reputable'.

So StarHub claimed that you should change your passwords--but doesn't protect you from Mirai.

StarHub claim that you should buy equipment from 'reputable' suppliers, but even reputable suppliers produce hackable IOT devices, that can't be secured.

Finally StarHub are going to be sending technicians out in the field to help subscribers, and while this is laudable, it's not a sustainable solution. It only fixes a short-term problem, because as long consumers continue to buy hack-able IOT devices, the threat isn't going to go away.

And how often can StarHub afford to send technicians to make home visits before the cost start becoming un-bearable?

The way to view this issue is from a legal, economical and technical perspective--and in that order.

Internet of shitty things!

Mon, 24 Oct 2016 23:05:27 +0000

Brian Krebs is the most reputable name in CyberSecurity reporting, his krebsonsecurity website is the best source of ‘real’ journalism on the subject.

But reputation works both ways, the same thing that makes him popular in some circles, makes him unpopular in other. He’s had criminal hackers send him heroin in the mail and even have SWAT teams descend on his home with guns all blazing (in a phenomenon called swatting!). Reporting and exposing underground cyber-criminals comes at a price, you don’t piss of darknet crime lords without taking a few hits along the way.

The problem though is when those ‘few’ hits, turn into a hurricane of web traffic aimed at your server, because that’s exactly what descended on Krebs’ server late last week, when krebsonsecurity was hit by an epic DDOS attack

DDOS is an acronym for Distributed-Denial-of-Service, which basically means forcing so much web traffic to a single website that it eventually collapses–making it unable to provide services to the ‘real’ visitors of the site. All websites run on servers with finite capacity, DDOS attacks are about sending enough traffic to those servers that they eventually exceed that capacity.

But this DDOS was different, and krebsonsecurity will go down in history as the Hiroshima of this type of DDOS. But nuclear weapons only had Hiroshima and Nagasaki, krebsonsecurity will be the first in a Looooong line of DDOS attacks of this scale.

So what makes this attack so different as to merit it’s own class? Well 3 things.

The safest place for your money is under the mattress

Mon, 12 Sep 2016 08:38:24 +0000

When I was in school, we joked about people who kept their money under the mattress, that somehow those who didn’t use banks were less intelligent than people who did.The general thinking was that smart people kept their money in the bank, where it was safe from theft, fire and flood, while still collecting interest.

In the 80’s this was a compelling argument, when interest rates were high and banks really did provide security,but is that thinking still applicable today?

In June of 2000, Maybank launched their ’new’ internet banking platform, Maybank2u, which allowed their customers to do their banking online, outside of traditional branches or even ATMs. Few years later, it begun offering online purchases and soon after the mobile app was launched.

But while online banking platforms brought convenience, they also introduced new security threats – and it wasn’t clear whose job it was to secure against those new threats, and who would be liable for inevitable financial losses.

Was it going to be bank who assumed liability, just like they did before, or would it be the account holder, or possibly a mixture of both?

The answer depends on who gets attacked, because not all attacks are equal.

Not all attacks are equal

There's two types of attack, one where the bank itself is attacked, and another where the account holder is targeted instead.

When someone walks into a bank with the threat of violence, and walks out with $30,000 of the banks cash, the bank absorbs all the loses. After all, that’s why your money is in their safe and not under the mattresses.

But there exist another class of attack–customer impersonation, where the attacker isn’t threatening violence or even ‘attacking’, but trying to fool the bank into believing they are the rightful account holders. In other words, the attacker is trying to impersonate you, to get to your money.

And in the digital world, customer impersonation is far more common. Consider the case of ATM fraud.

ATMs identify a user by verifying their ATM cards, and then prompting them for the PIN. More specifically, the ATM first authenticates the inserted ATM card (is this card real?) and then proceeds to ask the user for the PIN (is the person the accountholder?), once an ATM is satisfied, it then proceeds to grant the user access to the account.

Hence if an attacker managed to steal your card and knows your PIN, the ATM has no way to differentiate between you and the attacker. Anyone could take your money from your account, by just having your ATM card and PIN, in contrast robbers attacking a bank would simply be taking the bank’s cash…not yours.

Credit Card fraud is another prime example, but at least in Malaysia end customers have their liability capped at RM250 provided they report their lost cards in a ‘reasonable’ amount of time. For debit cards and ATM cards are not protected in the same way. Which is strange because the poorer sections of society who need more protection usually have debit instead of credit cards.

But even credit card users need to be wary, because changes in the liability model are bound to happen when we introduce Chip and Pin. (read more here)

To summarize, customer impersonation isn’t the same as a bank robbery, when the bank issues you credentials (like PINs, passwords or ATM cards), the responsibility to secure those credentials are yours–and if those credentials are compromised, then you’ll have to shoulder some of the financial losses as well.

Show notes for today

Thu, 23 Jun 2016 13:35:35 +0000

Your browser does not support native audio, but you can download this MP3 to listen on your device.

Some interesting links you might want to check out during my interview on BFM today, will tidy up this list later in the week.

Office of Personnel Management Data Breach (Chinese hackers breaking into US Federal Employee Databases)

China arrested the hackers responsible for OPM breach

Turkey losing Personal Information on 50 Million Citizens

This is how Pedophiles get caught

Sun, 12 Jun 2016 15:24:43 +0000

This will easily be the most controversial blog post I ever wrote, so consider yourself warned.

It’s controversial, because it touches on multiple taboos in our society, sex, child abuse and security theater. You see, there’s been a growing call for a national sex offender registry, especially in the wake of news that a British Pedophile had sexually abused up to 200 children in Malaysia.

The news is especially shocking for Malaysians, who are still coming to grips with the fact that a foreign ‘mat salleh’ abused our children, in our country, right under our fucking noses, and we’re only now learning about it….years after the abuse had taken place and even then, the details are sketchy.

As I said,many have renewed the call for a Sex Offender registry. The idea being, that if we start registering sex offenders, we could more easily monitor them, and be able cut-off their ability to further abuse children. It’s a great idea, but it wouldn’t have saved these 200 children, simply because Richard Huckle wasn’t convicted of any sexual abuse, he wouldn’t have been on the registry even if had one.

Then we have calls for better screening procedures of people who work with children. Another great idea, but again wouldn’t have stopped Richard Huckle. Maybe a extremely thorough and in-depth screening process that interviewed his parents, grandparents and fourth grade history teacher would have uncovered something about his psychology that may have triggered some alarms–but that level of screening is both unrealistic and a gross invasion of privacy.

Finally we have calls for better sex-education in schools, which I’m 100% in favor off. Proper sex education may have prompted one of Huckle’s victims to speak out and report the issue, which may prompted his arrest at a much earlier time–but ultimately these were impoverished children who were not given access to proper education anyway, so sex education in public schools probably wouldn’t have helped them.

But are we forgetting something obvious?

The law shouldn't rely on good behavior from Billionaires

Sun, 05 Jun 2016 11:22:37 +0000

Gawker is the internet’s most slimy news organization, a online website that has no qualms disclosing people’s sexual infidelities regardless of the cost such disclosures have on their personal lives.

So for most people, seeing WWF superstar Hulk Hogan win a lawsuit against Gawker to the tune of $140 Million dollars was a real sight for sore eyes. But when it was revealed that Hogan was funded by Billionaire Peter Thiel, the internet suddenly lost its damn mind.

Passcodes should be protected

Sat, 14 May 2016 11:28:20 +0000

Some people are fans of medieval torture, and who can blame them. There’s just something about the sadistic treatment of people that makes us both want to watch with a bowl of popcorn in our hands, yet at the same time turn away in disgust and discomfort.

How else do you explain the popularity of shows like Saw?

I personally am a fan of the Iron Maiden, which before it became a name of rock band, was a evil torture device designed to impale its victims with spikes, but meticilously avoid crucial organs thereby prolonging the agony, letting the victim slowly bleed to death rather than die from something boring like heart failure or liver damage.

There’s a list on Wikipedia, that has all the gory details of medieval torture techniques, including keel-hauling (which I always though was some pirate term) and Scaphism, which is a Persian specialty where the victims dies of Diarrhea.

It’s a whole new level when the victim dies of Diarrhea—Diarrhea!! (and the smart-ass know it all types probably are thinking that Persia wasn’t in the medieval period–yes, I know and I don’t care)

[*Steve in the comments points out that Scaphism didn’t really die from diarrhea but from insects feasting on them. Which doesn’t exactly make it sound any better ]

Fortunately, we live in a modern world, where such barbarism is consigned to history classes rather than current affair shows, and trust me while water boarding is torture, it’s probably a couple of rungs lower on the cruelty scale than an Iron Maiden or Scaphism.

It’s good to view out past just to figure our far along we’ve come along as a species, to take stock in the great progress we’ve made in civil liberties. Torture is a fine example of such progress, but take for example the what 16th century English had to deal with, when they were sent to the Star Chamber!

Hate Speech is defined by private companies

Sun, 13 Mar 2016 15:55:01 +0000

You don’t have a right to freedom of speech.

Obviously true if you’re Malaysian, but even Americans only enjoy a liberty in freedom of speech and not an absolute right.

The difference is clear, liberties are protections you have from the government, while rights are something you have from everyone.

So if someone threatened your right to live, the government is obligated to intervene and protect that right, because your right to live is a protection you have from everyone, whether it be a common criminal, abusive husband or Ayotollah Khomeini.

On the other hand you only have a liberty in freedom of speech (at least in an American context), which means that the government can’t prevent you from speaking, or penalize you for something you said.

However, the government is under no obligation to ensure your speech gets equal ‘air-time’, a newspaper may decline to publish your article, an auditorium may elect to deny you their roster, and online platforms like Facebook may choose to remove your post–all of which do not violate your freedom of speech, because freedom of speech is protection only from the government (state actors) and not from private entities.

And like all liberties and rights, freedom speech is not absolute. Under strict conditions even the US government can impose limits to what they’re citizens can say, or penalize them for things they have said.

In the case of freedom of speech, a liberty defined in their first amendment, those strict conditions are very strict indeed. In order for the government to infringe on the freedom of speech, it must demonstrate a imminent danger that will result in a serious effect.

In other words the government must be able to prove that if the speech were given freedom, there would be an imminent threat of something serious. Both the imminence and seriousness must be proven, failing which the government cannot infringe on that speech. This is indeed a very tall hurdle to climb, and based on my cursory research no case has ever reached this limit.

FBI vs. Apple : Everything you need to know part 2

Mon, 07 Mar 2016 00:00:04 +0000

The Apple vs. FBI story has evolved so much in the past weeks, I thought I needed to write a separate post just on the updates. Admittedly, the story is far more complex and nuanced that I initially presumed, and everyone wants to be part of the conversation.

On one side, we have the silicon valley tech geeks, who seem to be unanimously in the corner of Tim Cook and Apple, while on the other we have the Washington D.C policy makers, who are equally supportive of James Comey and the FBI whom he directs.

But to understand this issue from a fair and balanced perspective, we need to frame the correct question, not just what the issue about, but who is the issue really focused on.

This isn't just about the FBI or Apple

Framing this as the FBI vs. Apple or The Government vs. Apple is wrong. This is Law Enforcement vs. Tech Companies.

The FBI is just a part of the The Government, specifically the part tasked with investigating federal crimes.James Comey, FBI director, is genuinely trying to do his job when he uses the All Writs Act to compel Apple to create a version of iOS that would allow them to brute-force the PIN code.

But there are other parts of The Government, like the NSA, who have the wholly different task of national security. To them, if a smartphone, is genuinely secured from FBI, then it’s secured from Russian Cybercriminals and Chinese State Sponsored actors too (probably!).

And because so much data are on smartphones, including the smartphones of federal government employees, the national security interest of America is better protected by having phones that are completely unbreakable, rather than ones the provide exceptional access to law-enforcement. Exceptional being defined as, no one has access except for law enforcement, and perhaps TSA agents, maybe border patrol and coast guard–you can see how slippery a slope ’exceptional’ can be. Oh and by the way, exceptional doesn’t exist in end-to-end encryption.

Former NSA director, Michael Hayden, has openly said “I disagree with Jim Comey. I actually think end-to-end encryption is good for America”. So it appears the NSA has an interest of national security that competes with the FBIs interest of investigating crimes.

The Government isn’t a single entity with just one interest, rather it is a collection of agencies with sometimes competing objectives, even though they all ultimately serve their citizens. Experts believe the NSA has the capability to crack the iPhone encryption easily, but are refusing to indulge the FBI, because–well it’s hard to guess why the NSA don’t like the FBI.

testimony to House Judiciary Committee. Both methods involved complicated forensics tools, but would cost a few hundred thousand dollars (cheap!) , and wouldn’t require Apple to write a weakened version of iOS. If the goverment can get into the phone for $100,000 , that would mean it couldn’t compel Apple under the All Writs Act (AWA).

Remember, the FBI buy their spyware from the lowlifes at hacking team, which means they’re about as competent as the MACC and Malaysian PMO, but if Comey and Co. can afford $775,000 on shit from Hacking Team, I’m guessing $100,000 for a proper computer forensics expert isn’t a problem.

But maybe there’s an ulterior motive here, at the very recently concluded Brooklyn iPhone case, Magistrate Judge Orenstein noted that necessity was a pre-requisite for any request made under AWA, and if the FBI have an alternative for a reasonable price, then Apple’s support was not necessary, and hence outside the ambit of the AWA. So maybe the NSA isn’t providing the support to necessitate the NSA.

An this isn’t singularly about the FBI either. The New York A-G is waiting for this case to set precedent before he makes request for the 175 iPhones he’s hoping to unlock for cases that aren’t related to terrorism or ISIS. You can bet he’s not the only A-G waiting for the outcome, and it’s highly unlikely for the Judge to make her ruling so specific that nobody except the FBI could use it as precedent.

But it’s also not just about Apple. The legal precedent set by this case would apply not just to every other iPhone, but possibly every other smartphone, laptop, car or anything else we could squeeze into the definition of a computer. This is about more than Apple, and that’s why the tech companies are lining up in support of Mr. Cook, 32 such companies the last I checked.

But now that we’ve framed the ‘who’ , let’s frame the ‘what’.

Apple vs. FBI: Everything you need to know

Sat, 20 Feb 2016 09:26:04 +0000

A judge in the US has ordered Apple to provide ’technical assistance’ to FBI, in creating what some (but not all) cybersecurity experts call a backdoor. In the few years I’ve written about these issues, I’ve never seen anything as hotly debated as this one, across the folks from digital security to foreign policy all coming down on both sides of the debate.

On one hand it seems a bit snarky of the FBI to use this one particular case, that looks to have the highest possible chance of success to set precedent, but on the other hand it seems mighty nasty of Apple to refuse to comply with a court order, to crack into a terrorist phone.

So here’s some facts of the case.

The phone in question belonged to Syed Rizwan Farook, a shooter in the San Bernadino shooting, which caused the deaths of 14 people. America has numerous mass shootings, but this one involved two Muslims aligned to ISIS–and hence more easily labeled terrorism, without the need for adjectives like ‘domestic’.

As I blogged about last week, self-radicalized terrorist don’t get funding from headquarters, and without that glorious ISIS-oil money, all these guys could afford for was an iPhone 5C, an entry-level phone with hardware identical to that of the iPhone 5, a phone launched waaaayy back in 2012 (you’ll remember that as the year Manchester United last won the Premier League). As an older phone, the security architecture of the 5C lagged behind the current generation iPhones, all of which have a secure enclave, but make no mistake, it’s still pretty secure.

By pretty secure, I mean that the phone has all of its contents encrypted, and un-readable to anyone without the encryption key. The key is derived from both the user passcode, and a randomly generated hardware key that is unique to the specific iPhone. It is generally understood that Apple doesn’t keep track of the hardware key, and therefore unable to provide it, as you might expect the hardware will also never give up it’s key under any circumstance. Without the hardware key, the encrypted data is unreadable, even with the passcode. Which explains why the FBI can’t suck the data out of the device for decryption on a more powerful computer, or load the data into 1000’s of iPhones for parallel cracking.

Court rules Hacking Team documents still confidential

Fri, 19 Feb 2016 08:00:51 +0000

Under the current hype of the FBI ordering Apple to ‘install backdoors’ on their iPhones, a bit of interesting news seems to have slid under the radar.

A court in Singapore ruled that e-mails from the Hacking Team breach, published by the hacker Phineas Fisher via a torrent download, and available freely on Wikileaks–were still confidential in nature.

The news hits close to home, after all, I’ve written a 2,000 word article on it back in July, and have been harping on the issue over the past weeks, even going on BFM radio for an interview.

So was I using confidential information in my tech evangelism?!

Well, probably not, but this does raise some interesting questions.

Here’s the facts of the case.

Forcing journalist to reveal sources will be bad--for the government!

Tue, 09 Feb 2016 19:21:19 +0000

Our spanking new, hand-picked Attorney-General is proposing life imprisonment for journalist who refuse to reveal their sources.

And surprisingly, my favorite Member of Parliament,Dato Azalina Othman, has supported the move, saying it was ‘high-time’ Malaysian did something. Fortunately, some calmer more rationale heads, like Dato Paul Low have criticized the A-G for his short-sighted stupidity.

Putting aside the fact that anonymity of sources is a core component of Press freedom, it’s easy to extrapolate how harsher punishment for journalists who keep their sources anonymous will back-fire spectacularly for the Government.

If sources know that Journalist will be pressured to reveal their identities, most sources will stop speaking journalist, thereby stemming the leakages from the government, and keeping the status quo.Or so the theory goes…

Being Terrified: The price of terrorism

Mon, 08 Feb 2016 18:58:35 +0000

Next week, I’ll be on BFM for an interview about spyware, which will be my last Hail Mary play to get a conversation started about the use of surveillance software by the Government. If a radio interview on a popular station won’t do it, nothing on my blog will possibly be able to anyway :)

In any case, this post is a pre-emptive response to a slightly controversial idea that I cover (very briefly) in the interview, and hopefully it can be articulated better here than in a radio segment. To be honest, I haven’t fully thought this through, but I believe it at least some some aspects of truth that deserve further attention.

The Idea comes in 3 parts:

Terrorism has changed dramatically with ISIS (or Daesh)
Our conventional approach to surveillance will be ineffective against this new threat
Our surveillance-based response to the new threat may end up hurting us more than ISIS ever could

Let's go through them one at a time

Medium blocked: Collateral Censorship vs. Collateral Freedom

Sun, 24 Jan 2016 16:53:23 +0000

So the buzz around twitter is that Medium.com has been blocked by the Malaysian Authorities, and guess what? It’s true.

It was expected, after all Medium is where the ‘infamous’ Clare Rewcastle Brown uploads her articles to circumvent censorship of her own site, the equally diabolical SarawakReport.org.

A lot of successful writers and bloggers have taken to Medium to host their content, including Stephen Levy, the author of In the Plex, one of my favorite books on Google. He's using it (and only it) to start a Tech Hub for his content, and placing it alongside millions of other articles contributed by both professional and amateur writers.

So it made sense for SarawakReport to take their content to Medium. After all, most of their readership is Malaysian, and since Malaysian ISPs ‘censored’ their content, using a neutral ‘un-censored’ platform like Medium was a perfect solution—well almost perfect!

It’s a phenomenon called ‘collateral freedom’, and for a while SarawakReport readers, and Malaysian internet users enjoyed that collateral freedom, Medium was free and un-censored, which made Sarawark also free and un-censored as long as it was on the platform.

The Government doesn't buy spyware--yea right!

Wed, 30 Dec 2015 00:28:44 +0000

The Government has denied buying spyware from hacking team, they really should have checked with me before issuing the statement.

On the 23rd of November 2015, Datuk Seri Azalina Othman Said denied that the Malaysian government had procured spyware from hacking team. In a formal response (in Parliament!!), the Minister simply stated “For your information, no such device was purchased by the Prime Minister’s Department”.

For YOUR information, dear Minister, I don’t like being lied to, and oh look there’s a flying pig by the window.Next time ask your PR guys to call me before you go setting your pants on fire.

Ok folks, here’s a step-by-step on why we can trust the hacking team leak, why there’s conclusive proof Malaysia bought this spyware, and why we should be worried about the manner in which it is being used. So let’s go.

The PM's year end cyber-security message

Fri, 04 Dec 2015 08:00:46 +0000

From: jibby@Malaysia.gov Sent: 23 Dec 2015 To: orangbawah@Malaysia.gov Subject: Cybersecurity Year end message.

This message is intended for all Malaysian Government servants only, do not forward without prior approval

Greetings and Salam 1Malaysia.

I want to use this year-end as an opportunity to discuss the important topic of Cybersecurity. This year was interesting for me personally, and for all Malaysians, and we need to be aware of cybersecurity issues in order to avoid situations where some people go bat crazy over a missing pendrive, or we’re struggling to interrogate a sysadmin in Thailand.

But let’s start with a Government Linked Company, Malaysian Airlines (MAS).

In February, MAS had their website hacked by a group calling themselves Lizard Squad, which appeared at the time to be affiliated with ISIS. However, I confirmed with my pal Badghdadi that Lizard squad are in no way related to our good friends at the Caliphate, and we should continue striving to be as brave as them.

Delving deeper into the hack, revealed it to be a domain registrar hijack, and was not a result of inadequate security from MAS. Essentially MAS registered their website with a registrar, and it was that registrar which was hacked, not MAS themselves. Let that be a lesson for us all, sometimes the responsibility of security rest not just with us, but with our IT vendors as well.

Another good example of IT vendors completely messing up is Miliserv.

Hackers and terrorist

Mon, 23 Nov 2015 20:29:09 +0000

[caption id=“attachment_5307” align=“aligncenter” width=“550”]

Pic from TheMalaysianInsider, Tip to newsmen: Next time blur out the photos and names on the ID tags as well.[/caption]

There is no greater danger of tech illiteracy, than the way we treat hackers. A society that doesn’t understand technology will view those who can manipulate it as wizards and sorcerers.

Technology sufficiently advanced is indistinguishable from magic, and to most people that bar of being ‘sufficiently advanced’ isn’t set very high.

The magic analogy is apt, even in fiction, wizards are treated either with awe, ala Harry Potter and the muggles, or disdain ala the Salem witch trials, where ignorance bred fear, which in turn led to persecution.

Regular readers of this blog will know Kevin Mitnick, the grand-daddy of hackers, who was once rumored to be able to launch a nuclear missile by whistling into a phone. Not only was the rumor patently false, it nudged Judges in American courts to deny him a bail hearing, something guaranteed to Mitnick by the countries Federal Constitution. Prosecutors quickly learnt that if you throw around words like Hacker and Nuclear, Judges will willingly jettison constitutional protections quicker than Han Solo can dump cargo to make the jump to light speed.

In the absence of a nuclear threat, law enforcement agencies have begun using terrorism, and found it equally effective in demonizing hackers and anyone else who could do seemingly magical things with bit and bytes on a computer screen.

The problem with bio-metrics

Sun, 18 Oct 2015 15:59:49 +0000

Passwords have always been a problem.

For a password to be adequately secure, you need a certain amount of randomness (or entropy in geek) associated with the password to ensure it can’t be easily guessed. The password monkey is less secure than the password k3ithI$one$3xydev1l, but the latter is inherently harder to remember (although still very true).

Remember you should use a different password for each online service you subscribe to, Your Jobstreet credentials should be different from your banking credentials. This way, if someone hacks into Jobstreet and compromises their passwords, your banking credentials remain secure.

What people often do is re-use one password across all their services, so that a compromise on one service is as good as a full-blown compromise across their entire online identity, a hack on that nutrition forum you visited two years could cause you to lose your life savings.

There in lies the trade-off, a easier to remember password is also easier to guess, and hence easier to hack (Google ’the fappening’ if you need more convincing), while a hard to guess password is harder to remember, and near impossible to execute if you need remember a different password for each your online services.

Which suggest that the problem isn’t passwords per se, but rather our human inability to remember long un-guessable passwords. Computers have long out-stripped us in this arena, and trying to overcome that is pretty much unthinkable at this point.

But what is the solution then? Well, in general we have 2 partial solutions.

Ransomware

Mon, 12 Oct 2015 11:44:34 +0000

By now, you either know someone that’s been a victim of nasty malware or have yourself been on the business end of nefarious software. The perpetual duel between security companies and malicious elements in cyberspace has changed dramatically over time, and no change has been so dramatic as the rise of a new type of threat, a threat we call…ransomware!!

...but what is Ransomware?

Ransomware is piece of nefarious code that infects your machine the same way any ordinary virus or spyware would. But what differentiates it from other threats is what it does after its infected a system.

Ransomware immediately seeks out specific file types like Microsoft Documents, Excel Spreadsheets, digital pictures, all for the purpose of encryption. Different Ransomwares target different file types, but the idea is behind it is to seek out these files that are considered particularly valuable to the user, and one that a user would pay lots of money to retrieve if ever lost. These files are then quickly encrypted using ‘bank-level’ encryption ciphers making them un-readable to the user.

Once the files are ‘safely’ encrypted, the user is usually prompted with the–Pay us money or never see your files again!!

The famous (or infamous) cryptolocker, would request payments only in bitcoin, before the decryption key would be released to the user, the malware has kidnapped your files and the only way to get them back is to pony up the cash.

In essence, cryptolocker held your files from ransom, in much the same way kidnappers hold kids for ransom in those hollywood movies, but unlike hollywood this is real, and the one and only way to get back the files is either pray for a miracle, or make the payment.

Hacking Government, Malaysian Style

Fri, 02 Oct 2015 10:39:38 +0000

The simplest definition of a hacker, is someone who breaks systems. We tend to equate systems to computers, but that’s a limited definition of the term. A system can also refer to a legal system or a set of processes that have nothing to do with technology.

For example, lawyers often hack around the law, looking for loopholes to exploit to give them an advantage in their case. A good lawyer is expected to work within the legal system of a country, but still try to bend it a wee bit for their clients. He’s not breaking the law, merely hacking it for his own good.

In the technology world, we sometimes define hackers as those to attempt to gain un-authorized access to computers, in other words an attacker that’s able to circumvent security measures of a server to gain access. This bypassing of security measures it what makes a hacker–but how does it reflect in a legal context?

How corporations lie to the technologically challenged

Mon, 28 Sep 2015 11:50:39 +0000

Two weeks ago, Lowyat.net published a ‘challenge’ to their readers, one that would supposedly pay a cool RM100,000 to the winner.All you had to do was decrypt an AES-256 encoded blob of code (more accurately referred to as ciphertext).

As expected, no one won.

Because breaking that ‘military-grade’ encryption is beyond the capability of most normal human beings, and certainly not worth a paltry RM100,000 that was being offered. It’s the equivalent of offering 50 cents for someone to build a rocket capable of going to the moon. In fact, Rm100,000 is exactly the cash prize celcom offered for it’s cupcake challenge, because baking cup-cakes and breaking ‘military-grade’ encryption are the same thing.

Once the challenge has expired, Celcom conveniently launched their new zipit chat application, which surprisingly used AES-256 encryption as well, and more importantly they released some statistics of a ‘hackerthon’ they conducted in which 18 Million people viewed the challenge, and 17,000 registered to participate but none succeeded.

OK, so while there was no official announcement from Celcom to tie the original lowyat challenge to their new zipit app, it was quite plain for all to see.

So let’s go into why this upsets me.

Why we fear 'hackers': Dangers of Technical Illiteracy

Sun, 23 Aug 2015 20:00:56 +0000

Are you afraid of Hackers? Do you lie restless at night thinking of what might happen if they got into your bank account, facebook profile, or e-mail. Perhaps you’re also worried about that they might hack into a forum you visit, or that they might get into your personal messages on whatsapp.

It’s true that hackers are able to do all of these things, but the public perception of hackers really isn’t quite justified, and this false perception can lead to terrible outcomes.

Take last weeks post about the hacktivist group Anonymous. In it I expanded on the public fear of anonymous and how that didn’t correspond to the actual damage that the group causes. Sometimes all Anonymous does is a DDOS on a public website, that still takes some skill, but far removed from actually infiltrating a server. Yet, most people wouldn’t be able to differentiate a DDOS attack of a website to a compromise of an actual server, and this inability leads then to disproportionately fear hackers, worse still it leads them to lump all security related incidences into a single bucket called “hacked by hackers”.

But Why?

Why are people so afraid of hackers? And why is there a huge discrepancy between what some of these hackers are actually doing and the fear that the average citizen has of them.

I have one theory–ignorance, or more specially tech-illiteracy.

Our Communication Minister must be mistaken

Tue, 18 Aug 2015 23:17:23 +0000

Our newly appointed Communication Minister has come out all guns blazing in directing the The Malaysian Communications and Multimedia Commission (MCMC) to ask social media giants such as Facebook, Google and Twitter soon to block “false information and rumours” on their platforms.

That in itself is quite frustrating, but what really got me scratching my head was his claim that “that social media providers acted on 78 per cent of MCMC’s request for removal of content last year, with Facebook taking action on around 81 per cent of its request.”

Should an IP address be used to Identify someone?

Wed, 29 Apr 2015 11:00:29 +0000

Recently a court in Malaysia ruled that the newly amended evidence act could presume an IP address would uniquely identify a user of a network, and in the case of an Internet IP address, enough to tie an IP to the individual subscriber. In other words if the authorities ever found out that ‘your’ IP address was behind a post, then you’d have to prove it wasn’t you rather than they having to prove it was.

In Tong Seak Kan & Anor v Loke Ah Kin & Anor [2014] 6 CLJ 904, the Plaintiffs initiated an action for cyberspace defamation against the 1st Defendant. In tracing the perpetrator, who had posted defamatory statements on two Google Blogspot websites, the Plaintiffs filed an action called a John Doe action in the Superior Court of California. In compliance with the court order, Google traced the blogs to two IP (Internet Protocol) addresses which were revealed by Telekom Malaysia Bhd to be IP addresses belonging to the 1st Defendant’s account.
Bread & Kaya: Malaysian cyberlaw cases in 2014

Upon further reading of the post on DigitalNewsAsia, my non-lawyer mind got the feeling it didn't end well for Loke Ah Kin & Anor as the court decided they were guily of defamation based on a flimsy piece of evidence like the IP address of the user who posted blogspot.

I’m uncomfortable that a court of law could find someone guilty based on something as trivial as an IP address, when other courts around the world have ruled that IP addresses are insufficient for this purpose.

Jho Low uses Gmail? Why emails can't be considered evidence

Sat, 07 Mar 2015 15:11:26 +0000

As the 1MDB fiasco begins to simmer over the political stove, I wanted to inject some technical information into this discussion, specifically around emails and how they’re almost useless pieces of evidence.

Just to make sure everyone’s on the same page, here’s some context.

In early March 2015, sarawakreport.org, a website run by investigative journalist Clare Rewcastle-Brown together with the London Sunday Times, published an article on controversial deal done by the 1MDB fund. At the centre of the deal was a man named Jho Low, who masterminded a sophisticated ‘wheeler-dealer’ that pocketed him $700 Million, all of which (at least according to sarawakreport.org) was siphoned from 1MDB, a Malaysian sovereign wealth fund.

Honestly, I don’t understand the financially complex deals that sarawakreport.org was trying to explain to lil ol’ me. So I’m just going to take her word here, that all the documentation that was produced leads to the conclusion that Jho Low masterminded the “Heist of the Century” by stealing $700 million through shady back door deals involving 1MDB and a company called PetroSaudi. But then of course, the question becomes, can you trust the documentation.

Reading the article you get the sense that the e-mail trail presented forms the backbone of the entire story, and if the emails themselves are not true then the entire story is untrue as well.

In either case though, let’s get straight to the point, and say that e-mails by themselves are quite useless.

MyProcurement: All government tenders in one Excel file

Tue, 16 Sep 2014 22:54:40 +0000

I've updated this post on 31-Mar-2015, to incorporate the latest changes, and to provide more up to data info on the procurement database. Left everything else in tact.

Happy birthday Malaysia!! Just how awesome is our country, that we celebrate an Independence Day AND a Malaysia Day, not to mention 2 New years day, (or 3 if you count Awal Muharram).

So on that note, I decided to use my IT skills for the good of the country.

To be honest, my IT skills have never been up to par, my day job is more managing/planning/documenting than actual execution of ‘real’ IT work. But it was good for me to dust of the ol’ programming fingers and learn Python to grab some publicly available information and make it more accessible to the less IT centric members of society.

Since I had limited time, and sub-par skills, I decided to set my sights low, and aim to extract all the data from the Malaysian MyProcurement portal, which houses all the results of government tenders (and even direct negotiations) in one single website for easy access. The issue I had with the portal though, was that it only displayed 10 records at a time–from it’s 10,000+ record archive, so there was no way to develop insights into the data from the portal directly, you had to extract it out, but the portal provider did not provide a raw data dump to do this.

So I wrote a simple Python script to extract all the data, and prettified the data in Excel offline. The result is a rather mixed one.

I was happy that I could at least see which Ministeries or Government departments gave out the most contracts, and what the values of those contracts were. All in all, the excel spreadsheet has more than 10,000 tenders with a cumulative value of RM35 billion worth of contracts going back to 2009. The data allowed me to figure out which Ministry gave out the most contracts, the contracts with the highest and lowest value (including one for Rm0.00, and one for just Rm96.00). All in all it was quite informative.

Is Malaysia's Broadband slow--no it isn't.

Sun, 14 Sep 2014 23:31:20 +0000

Recently KiniBiz did a piece on Malaysian broadband speeds, and once again the hoopla about how Malaysian broadband speeds are slow arose. Kinibiz quoted an article from Asean DNA which stated that the average broadband speed in Malaysia was just 5.5 Mbps, while Thailand, Vietnam and Singapore had speeds that were double that (or more!)

The report however was inaccurate, and I think there’s a need to address the hoopla, because this happens often. There was a report couple months back that said Cambodia had faster speeds than Malaysia, and I wrote a post addressing that. This time I think, we have to really go into the data and find out what exactly is going on.

So let’s start at the source of this data.

The data was built from billions of download test conducted by users throughout the world on speedtest.net (a website that allows users to test the speed of their internet connection). This dataset is HUGE!, one of the biggest I’ve seen and definitely the biggest I’ve had the pleasure to play around with. Just one file in the set had more than 33 Million rows and weighed in at more than 3.5GB.It took me some time and lots of googling just to figure out how to deal with a csv file this large. Fortunately, there’s LogParser, but we’ll skip that tutorial for now and focus on the juicy details of data.

The number reported by Asean DNA is wrong. The average internet speed in Malaysia isn’t 5.5Mbps, it’s more like 7.5Mbps.

5.5 Mbps was obtained by averaging the speed across the regions of Malaysia (Kl, Alor Setar, Klang..etc) rather than by averaging the speed across all the test conducted by Malaysian users. In short, Asean DNA placed equal emphasis on Kuala Terengganu and Kuala Lumpur, although Kuala Lumpur had 50 times more test conducted. It would be like calculating GDP per state, rather than GDP per capita. The real per capita download speed in Malaysia is 7.5Mbps, rather than 5.5Mbps (if you limit yourself to just data from 2014).

Here’s the breakdown. You can download the file from netindex.com or just use an extract I created with just the Malaysian data–it took some time to do this so leave a Thank you in the comments if you downloaded the data.

A Techie's view on the Law

Mon, 08 Sep 2014 22:30:09 +0000

Are some laws worth following–in other words, are some Laws so idiotic that they should be ignored completely?

That sounds anathema, because we have a romanticized definition of the law, we define the Law as a broad general agreement a society undertakes, and the law keeps society from tearing itself apart. In other words, the law is so sacred because without it–we descend into anarchy, so ignoring the law is akin to promoting anarchy.

But I’m not speaking of “The Law”, I’m speaking of “A law”, specifically an Act of Parliament. “The Law” refers to a vast conglomeration of many things, including constitutions (state and Federal), statutes, precedence of case law and Acts of Parliament. I’m not sure what a statute is–but I roughly know what an Act of Parliament is, and it surely isn’t a broad general agreement that society depends on to stave off Anarchy–rather an act of Parliament is a law brought into effect by Parliament–nothing more nothing less.

To my techie mind, that means that 222 Members of the Malaysian Parliament got together to enact a piece of legislation. Romantically we think this is the people’s will–the Rakyat voted these people into power and they now wield this power to enact laws that will protect the Rakyat. A glorious cycle of virtuosity that only democracy can deliver. That’s wishful thinking, realistically it’s a law brought into effect by 222 voting members of Parliament whose collective IQ would probably not exceed that of the Zoo.

So when these 222 MPs ge t together and enact legislation to regulate technology–I get a bit uncomfortable. Not only do most of them not have engineering qualifications, half of them don’t even have a website. Having these MPs enact legislation that will regulate a field they’re clueless about, is akin to getting open heart surgery from a car mechanic.

On a side note, a techie like me has a hard time understanding why we have 222 seats in Parliament. It would seem, that in a first past the poll system, you’d want to have ODD number of seats, to avoid the situation where 111 members belong to Barisan, and the other 111 belong to Pakatan (what happens then?). That’s just ONE of the many things an engineer would quickly realize is wrong with the entire system–and that’s why we only have 3 engineers in Parliament (at least according to the Sinar Project).

CheDet on Censorship

Mon, 04 Aug 2014 20:00:04 +0000

Tun Dr. Mahathir now says he’s change his mind about internet censorship. To quote him “Not knowing the power of the Internet, I promised that we (speaking as the Prime Minister of Malaysia) would not censor it. But today I have changed my mind."

Of course, everyone has a right to change their mind–but in this case Tun went from being absolutely spot-on (the internet doesn’t need censorship) to dead wrong.

Internet Censorship is an invasion of privacy

Sun, 06 Apr 2014 16:49:24 +0000

With the on-going debacle about the Kangkung saga dying down, I thought it would be a good opportunity to write specifically about internet censorship and its implications to ordinary Malaysian citizens. As you may well know, many Malaysia Netizens reported of difficulty accessing one particular post of the BBC website that dealt with the Kangkung issues, causing many to cite that Telekom Malaysia was actually censoring the internet--but what does internet censorship actually entail for Malaysia?

Let’s first take a step back, and understand how and Internet Service Provider (ISP) like Telekom Malaysia, Maxis or Digi operate.

Is it Root-er or Rao-ter : The age old question for the pronunciation of the word router

Mon, 03 Mar 2014 22:15:20 +0000

Here’s an age old question, is it pronounced router (as in rao-ter) or is it router (as in root-er).

A lot of people seem to think it depends where you are, if you’re in the US, it’s rao-ter, and if you’re in the UK it’s root-er. But the internet is global, it doesn’t care where you are, it doesn’t matter which culture you’re from, there can only be one answer to this question, and it must be location agnostic.

Why Dato' Sri Shabery Really wants to censor the internet

Tue, 30 Jul 2013 09:18:29 +0000

[box icont=“chat’]The social media in Malaysia is being monitored and existing laws are sufficient to weed out troublemakers trying to test the limits of free speech, Communications and Multimedia Minister Ahmad Shabery Cheek said today…

“The laws that we make are not to defend the party alone - that’s wrong,” Ahmad Shabery, who is also an Umno supreme council member, said.

In an attempt to curb internet freedom in Malaysia, the government is beginning a series of concerted statements to signal that internet censorship in Malaysia is merely a question of ‘when’ rather than ‘if’. Previously I’ve explored why internet censorship doesn’t alleviate or even mitigate the risk of communal violence, yet the government still presses on with trying to censor the internet, apparently jumping on the opportunity of Alvivi to make their case stronger.

So why is the government so enamoured by the thought of internet censorship, when clearly it doesn’t work?

The Security Offences Bill 2012 -Technology Perspective

Tue, 09 Jul 2013 08:00:17 +0000

The Security Offences (Special Measures) Act 2012 and it’s new amendment. that wonderful piece of legislation meant to repeal the archaic and ‘draconian’ ISA may turn out to be even more archaic and draconian than the ISA it was meant to replace.

While much of the legal fanfare has been focusing on the detention without trial sections of the bill, as a tech blogger, I wanted to focus on the technical aspects of it. Specifically let’s focus on how the new law would allow the government to eavesdrop onto your internet communication without the authorization of any Judge or Judicial oversight. Now while, the public prosecutor, or Attorney General in this country isn’t specifically part of the government–he (or she) is appointed by the Yang Di Pertuan Agong on the ‘advice’ of the Prime Minister.

The sections of the bill that focus on the interception of communication is both all-encompassing and far-reaching, giving far too much power to the Public Prosecutor to intercept your private conversations and web surfing habits, which is a gross invasion of privacy.

Power to intercept Communications

The act grants exceeding powers to the Public Prosecutor, including the ability to authorize any police officer to intercept your postal letters, your internet conversations, you email and even your web surfing habits. This includes a list of the website you visits, and which comments you're posting on Malaysiakini.

On top of this, the Public Prosecutor has the legal authority to compel an ISP to intercept and retain any communication you performed for an unspecified amount of time. Which could be forever.

Basically he can begin to ask Maxis or Unifi for the list of websites you visit, and your detailed online communications, access to your emails, your friend list on facebook, your tweets and even your online files. Not even your online porn stash will be free from the prying eyes of the Public Prosecutor (not that I have one though…just saying, I know a friend who does).

All this without ever having to go to a Judge for judicial oversight. More importantly, anything collected in this way is deemed admissible as evidence in court, and no one will have to explain how the evidence was obtained. For all you know they could have placed webcams in your home, but they would would never have to explain this in court.

What’s worse is that a Police Superintendent is granted similar powers when “immediate action is required leaving no moment of deliberation”.

We all understand the need for the Police and Public Prosecutors to do their job well, and they require tools to catch the bad guys. However, this grants them way too much power with regards to their ability to invade the privacy of personal citizens. I don’t want the Public Prosecutor or a curious Police Superintendent snooping on my internet conversations, and yet the new Special offences act allows them to do that–legally!

Should the government use Microsoft products?

Tue, 02 Jul 2013 08:00:26 +0000

[box icon=“chat”] I don’t think the US government should use operating systems made in China for the same reason that most governments shouldn’t use operating systems made in the US and in fact we just got proof since Microsoft is now known to be telling the NSA about bugs in Windows before it fixes them.

-Richard Matthew Stallman founder of Free Software Foundation (Techbytes interview)

In what appears to be open-season on the NSA and Tech Companies, Bloomberg has joined in with a report of their own, implicating that Microsoft provides US intelligence agencies with information about bugs in its popular software before it publicly releases a fix. In other words, Microsoft grants special access to the likes of the NSA to poke around in the nearly 1 Billion users of Microsoft software via newly discovered bugs—long before Microsoft report it to the public and eventually patch the bug.

Part 3: PRISM and Upstream

Fri, 28 Jun 2013 08:00:11 +0000

Initially I wrote about PRISM and how a lot of people felt it was a tool to intercept communication in flight to companies like Google and Facebook, however slightly more details have emerged to debunk that claim.

However, it’s of paramount importance that we understand what people are saying. No one is denying that communications aren’t being intercepted on their way to Google, Facebook or Apple, instead what they are denying is that the capability to perform that interception and storage is under purview of another program called Upstream, and that analyst like Edward Snowden at the NSA were encouraged to use both PRISM and UPSTREAM.

What the crudely drawn powerpoint on the left is trying to describe is the distinct-ness of the programs and how each program would complement (rather than replace) the other.

The release of this particular slide was done shortly after the initial news broke to, in the interests of aiding the debate over how Prism works.

The Guardian have intentionally redacted some of the program names from the slide, presumably in an effort to milk this story dry for all that it’s worth, but probably also to keep the momentum of the debate just in case people move on. However, in their own words the slide:

details different methods of data collection under the FISA Amendment Act of 2008 (which was renewed in December 2012). It clearly distinguishes Prism, which involves data collection from servers, as distinct from four different programs involving data collection from “fiber cables and infrastructure as data flows past”.

The of course points to separate approaches, one where information is accessed directly from the servers their stored in (data at rest), and one where information is collected while in transit (data in transit).

This distinction resonated with me, simply because I read about this a couple of months back when another wanted man name Kim Schmitz was making the news instead of one Edward Snowden.

PRISM and Tempora

Wed, 26 Jun 2013 08:00:02 +0000

As Edward Snowden begins to look for more ‘accommodating’ countries who wouldn’t mind playing host to a man that currently is more wanted than Osama bin Laden, Saddam Hussein and Kim Kardashian combined, more details slowly begin to emerge about PRISM, painting an ever clearer picture of the extent of the program both Stateside and abroad. Each individual piece of information that filters continues to sharpen the image we have on just what the NSA has (and probably still IS) been surveilling.

However, we also need to acknowledge a separate project called Tempora, which is the British equivalent of PRISM–or since we don’t know the full details of PRISM–we can at least infer that both Tempora and PRISM share the same objectives, which was to spy on internet communications of netizens throughout the world. As of last year, the British had finished attaching probes to 200 fibre-optic cables each with a capacity of 10 gigabits per second. Which would have granted them access to 21.6 petabytes of data on a daily basis. This we are told is just the half-way point!

Basically the British government through the Government Communications Headquarters (GCHQ) was accessing a vast majority of data flowing into and out of its borders, most of which probably didn’t originate in the UK and was merely transiting through it. The GCHQ is itself a pseudo-military agency which traces its roots back to World War 1, when communications jamming involved shooting carrier pigeons. Which means that a military organization is looking at private citizen data of not just UK citizens, but possibly Europeans, Japanese and even Malaysians, as the internet traffic we use on a daily basis route through Europe and UK before finally landing on the US East Coast.

The interesting though, is that Project Tempora is based in the UK, while PRISM is based in the US, and while local regulations prevent local agencies like GCHQ and the NSA to spy on their own citizens within their own borders, it is physically impossible for a person to be both in the UK and the US at the same time–damn laws of physics….. Which essentially means that between Tempora and PRISM, both the UK and US government can spy on the whole world, and that’s probably what they’re doing.

The UK is a favourite landing spot for all those undersea cables that transverse the atlantic, carrying internet traffic between Europe and the US, and if you’re wire-tapping the lines between the UK and the US, it’s almost a certainty that you’re tapping nearly all of Europe. Which would explain why the Germans aren’t too happy about the recent revelations of Project Tempora, and have sent a list of questions to the British Embassy in Berlin. If I were the German chancellor I’d be very interested in the details of the project, primarily around why it’s named after a Japanese delicacy–oh wait that’s Tem-PU-ra.

What is PRISM?

Mon, 17 Jun 2013 08:00:08 +0000

There’s a controversy brewing in the land of the free, one that will have implications for Americans, but also Malaysians and nearly every citizen of the world. We may look back at the moment Mr. Snowden leaked controversial (and ugly) slides about a program called ‘PRISM’ as the start of a pivotal moment in internet history, a moment where we either begun a massive campaign to prevent illegal and unethical government wiretaps or a moment where we let governments turn the internet into a police state.

So let's recap what happened.

First, the Guardian newspaper broke a story on how the US Government had 'direct' access to the servers of the tech giants of the Silicon valley including Google, Youtube, Yahoo, Apple and Facebook. In short, the report claimed US Government had direct access to the emails, personal details and chat sessions of everything stored on in massive datacenters of the social networks that the tech giants ran.

There isn’t a person I know that doesn’t have either an iPad, Facebook account or Gmail address. Even my dad who vehemently refused to have a Facebook account, eventually succumbed to the social pressure but that was much after I setup his company email with Google Apps. So to say that the US Government had access to private details of nearly every single person in the world is not a stretch.

So what is PRISM really?

The theory is that US government officials, specifically from the National Security Agency(NSA) have direct access to the servers of 9 Tech giants. Details are scarce and denials abound....what isn't debated is that the NSA has some sort of access to the server, even though the likes of Google and Facebook have repeatedly denied that they have created a backdoor.

So is it possible that the NSA has a backdoor to Google without Google knowing about it? Turns out it’s not as far-fetched as it seems.

Steve Gibson, a security guru with his own show on TwitTv seems to think so. He’s put together some high level analysis of the story, taking into account other similar stories and suggest that the NSA has a wire-tap on the entire world. A communications intercept targeting the likes of Google and Facebook, but one that the tech companies could be blissfully ignorant of. A wiretap strategically placed at the front door of Google, Facebook, Microsoft and Apple–that collects and stores every data packet passing into and out of their servers.

But communications intercepts don’t work–because the data is usually encrypted…isn’t it?

In most parts the communications that people like you and me use to connect to Google is encrypted, and we’re secure in the knowledge that our data in transit is protected from prying eyes by a minimum 128-bit encryption–that’s encryption that probably won’t be broken for another 20 years.

But not all data flowing into and out of Google is encrypted, some of it flows in plaintext–ripe for any wiretap to pick up. Just like email.

Security Offences Bill vs. Universal declaration of Human Rights

Thu, 13 Jun 2013 08:34:25 +0000

This is what Article 12 of the Universal Declaration of Human Rights says:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

This is what security offences bill in Malaysia says:

(1) Notwithstanding any other written law, the Public Prosecutor, if he considers that it is likely to contain any information relating to the commission of a security offence, may authorize any police officer— (a) to intercept, detain and open any postal article in the course of transmission by post; (b) to intercept any message transmitted or received by any communication; or (c) to intercept or listen to any conversation by any communication.

To me, the phrase ‘if he considers it is likely’ is another way of saying arbitary.

Can you out-tech the government?

Mon, 10 Jun 2013 08:00:25 +0000

Over the past years we’ve seen a recurrent theme where Government agencies were attempting to curtail internet freedom in the name of ‘keeping the peace’. From Saudi telcos threatening security experts to help them hijack tweets to governments procuring tools like Finspy to spy on their citizens–usually without any warrant or legal oversight. We’ve seen US federal agencies try to legislate mandatory technical backdoors into software and how the Syrian government treats internet access for its Citizens like candy for their children–you only get it if you behave.

In Pakistan, a wholesale blockade of youtube means their citizens are missing not just Gangnam Style, but Gentlemen as well (although that may not necessarily be a bad thing)–and we all know how much censorship and surveillance is going on in China.

A French court is now asking twitter to hand over account details to identify individual users that tweeted anti-semitic messages, both the Dutch and German police are users of spyware from companies that the are deemed ‘corporate enemies of the internet’ by reporters without borders, and while you may agree that courts have a right to curtail hate speech, just ruminate for a moment how one-sided French law is when they aggressively pursue anti-Semitic messages but forbid Muslims school girls from wearing a hijab to school because it is supposedly a symbol of oppression. These biases point to deep flaws in our belief that freedom of speech can somehow be regulated by governments–the term regulated freedom of speech is an oxymoron to begin with.

This of course doesn’t just affect the ‘bad’ countries, those with lifetime membership cards to the axis of evil, but countries we’d generally consider good guys as well, those we associate with a respect for personal privacy and citizen rights, so that we did end up like this? To truly appreciate where we are we need to go back to how it all starts.

A false sense of Insecurity

Throughout history it all starts in the name of national security, or keeping the peace. Government agencies ramp up the security concerns and threat levels to grant a false sense of insecurity to its citizens--because it's only in this environment that citizens are willing to grant such unilateral powers to the government (and its agencies). People aren't too willing to allow for unilateral government interception of communications--unless of course they perceive that terrorist live among us, and the government requires these powers to protect the innocent.

The track records of governments has never been good. September 11 was a colossal failure of government intelligence, and it’s usually used an example of why governments should do better. What most people don’t know is that a company called Acxiom had data for 11 hijackers, and provided that data to assist in investigations post 9/11, it turns out had the government agencies used Acxiom, they may have had additional security on the planes that crashed into the WTC. The breadth and depth of the information provided to law enforcement has been kept secret–and in the wake of such attacks nobody bothered to ask whether Acxiom was operating within legal limits of collecting and storing that data–worse still people forget that Acxiom itself was hacked leaking private information of millions of Americans. Yes it may have help thwart the attacks on 9/11, but the Acxiom itself became a target of attack shortly after details of its information bounty were published, there are a lot of people who would pay for that kind of information.

Even with the fundamental problems of the government storing such private information–government agencies throughout the world continue to ramp up security concerns in the hope of scaring people into giving up their freedoms. Closer to home we continuously see the ’threat of sedition’ being used to deny individuals and private citizens their rights. The ‘possibility’ of a repeat of May 13th, is now accepted as a ‘high probability’ even though there is no data to suggest that a repeat is possible let alone probable. Just like courts in France we see a glaring bias in the execution of these sedition laws–and the targets are often pro-opposition rather than pro-government.

The Malaysian government is now being accused of running spyware suites like Finfisher, which incorporates a voyeuristic like ability on the malware owner to spy on the victims. The makers of Finfisher claim their software is only sold to governments–without realizing it’s the governments themselves that are illegally spying on its citizens.

Not since Tom Sawyer tricked his friends to paint his white fence has such levels of deception been seen.

However, the level of deception isn’t what is troubling, it’s the level of apathy among the mainstream society to these revelations that send shivers down my spine. No one from the general public seems perturbed that the very technology that was supposed to advance democracy and free speech in Malaysia is now being used to suppress it.

And we’re not the only ones spying on our citizens…

Maxis blocks Torrent traffic

Thu, 30 May 2013 07:00:47 +0000

There’s a really cool tool called glasnost, that can easily detect if your ISP is throttling certain traffic through its servers. It works amazingly well at detecting if your ISP is blocking that most sacred of all internet traffic–BitTorrent.

So running two test, one over my Unifi connection, and one more tethered over my Galaxy S3 on Maxis, and came to the conclusion that Maxis does indeed block torrents by default. However, just like how you have to call Maxis to enable VPN access via your phone, you have to call them to allow torrent traffic as well…supposedly.

The Malaysian cybertrooper phenomenon or is it Botnet?

Sat, 25 May 2013 07:00:17 +0000

The Edge recently held a political poll on whether Anwar Ibrahim should quit as the Opposition leader–But when the editor begun to see that the one-week survey attracted 12,736 responses and the responses were overwhelmingly one-sided, she smelt something fishy.

Upon further checking with the IT team, they found that 6,354 of the responses came from one IP address, and about 1,700 came from several IP addresses within the same building. Another 2,000 responses came from seven different IP addresses.

DAP lodges report with MCMC over blocked sites

Thu, 23 May 2013 07:00:31 +0000

Two days ago, the Democratic Action Party (DAP) lodge a report to the MCMC on an 'internet blockade' targeting DAP related political websites that was allegedly being carried out by Telekom Malaysia (TM). As you may know TM is the largest ISP in Malaysia, and if TM suddenly blocks a website--a large chunk of the Malaysian public are automatically denied access to it.

The DAP IT manager (didn’t know the DAP had an IT team now did ya?), in his press statement said that :

In investigating the DPI filtering equipment location, I have found 1032 suspicious network equipment using same IP address family as the the Arbor Network Peakflow SP with TM branding. Since the login page of this network equipment bears TM logo, undoubtedly MCMC should haul up TM and conduct IT forensic investigation on all 1032 equipments without delay. I am fully prepared to assist MCMC in its investigations.
In light of this new evidence, MCMC must re-examine its 2nd May statement. MCMC should be politically impartial and hold the standard of government regulatory body that it should be. It must put the interest of all Malaysians first.

Now this isn’t really news, to be fair the Arbor Network Peakflow SP solution is meant primarily as a DDoS protection security suite with a slight tinge of DPI functionality added on the side. TM in their defence haven’t really denied they own the Arbor Network solution–there’s even a joint press release from 2004 to announce their purchase of it.

Unless TM operates like the government, in which they announce the purchase of something in 2004, but only start to using it in 2013–I’m guessing they were using Arbor for other purposes before they decided to unleash its DPI functionality.

But there could be a twist.

Microsoft is eavesdropping on your skype conversations

Wed, 22 May 2013 07:00:59 +0000

The guys over at H-online reported recently that they have some pretty good evidence that good ol’ Microsoft is eavesdropping onto your Skype conversations, and the results are pretty damning.

The method for detecting those sneaky little eavesdroppers was pretty ingenious though. The researchers sent two urls in their skype messages to each other. The urls pointed to servers that the researchers owned. For all practical reasons these urls were made specifically for the purpose of the test and should not be receiving any traffic from anywhere–unless of course Microsoft was listening.

Then they sat at wait at their servers to see if they received any traffic, and lo’ and behold barely a few hours later they received some rather funky traffic from an IP address registered to Microsoft in Redmond. busted!

The urls didn’t just end with the .com, but had sensitive material appended to it (or at least that’s what the researchers made it look like), and Microsoft used the url which meant they had to be eavesdropping on Skype messages and conversations. More importantly these urls were made to look like they held sensitive material, such as bank logins..etc etc, but Microsoft still used it, and worse even visited the sites to see what was on it.

Even more shocking is that Microsoft isn’t even denying the charge–yet, but they point out that they do scan urls once in a while to flag spam, but H-online isn’t buying it.

Censoring and spying--Malaysian Style

Sat, 04 May 2013 15:06:15 +0000

In 2 days time, the South-East Asian nation of Malaysia will go through its 13^th General Election since 1955. Some might look negatively on the number 13, but for the vast majority of Malaysians the coming few days will either raise our hopes or shatter them.

Malaysia has had only 1 party in power since it’s independence—that’s a long time to be in power, and for the first time since 1955 the ruling party in Malaysia is under threat, not just to lose it’s 2/3rd majority in Parliament, but the entire elections altogether, and with it control of the Federal Government.

What is Finfisher capable of

Fri, 03 May 2013 22:15:36 +0000

Heard about the latest allegation accusing the Malaysian BN government of using Finfisher on its own Citizens?

Well that allegation is true–to me at least, and here’s a taste of what Finfisher can do in the hands of the government.

Kerajaan Malaysian Mengintip Rakyat Malaysia sendiri

Fri, 03 May 2013 09:30:40 +0000

Beberapa minggu lalu, saya telah menulis tentang sekeping artikel yang ’tidak bertanggungjawab’ oleh Malaysian Insider apabila ‘mendakwa’ kerajaan Malaysia mengintip rakyat Malaysia - tanpa sebarang bukti. Saya amat kecewa bahawa wartawan tersebut membuat kenyataan tersebut tanpa apa-apa bukti–apabila menulis blog tersebut saya kecewa dan saya marah!

Tetapi yang lebih penting–saya silap!

Mengikut laporan dari Citizenlab semalam–sekarang timbulnya bukti bahawa kerajaan Malaysia MEMANG mengitip rakyat–terutama sekali Rakyat Malaysia yang mengunakan Bahasa Melayu.

I'm Sorry, the Malaysian Government IS spying on you

Fri, 03 May 2013 09:06:52 +0000

A couple of weeks ago, I wrote about an ‘irresponsible’ piece of journalism by the Malaysian Insider when the ‘claimed’ the Malaysian government was spying on Malaysian citizens–but they didn’t have any proof. I was very upset that a reporter would make such a bold statement and not back it up with any proof –so obviously the post was written in a caustic and emotionally charged way–I was upset, annoyed, angry even!

More importantly though–I was wrong!

On Labour day, Citizenlab released a second report detailing out more info from they’re Finspy research.

I’ll let speak for themselves in an excerpt they prepared specifically addressing MALAYSIA:

Telekom Malaysia is censoring the internet prior to GE13

Thu, 02 May 2013 10:17:35 +0000

I'm not a usual fearmonger, or a person who panics easily--yet you friendly local tech evangelist has a warning for Malaysian users out there. Unifi is censoring the internet in the run up to the hotly contested GE1--and that's what the data suggest. You heard that right folks, some of you suspected all along, and I apologize for not believing you earlier. I was initially skeptical that Unifi and Telekom Malaysia would go to such extents to censor our right to information, and I'm deeply upset that this is happening in my own country.

Usually most Internet Service Providers (ISP) don’t censor the internet, not because they don’t want to–it’s simply because censoring the vast amount of online traffic is a monumental technical challenge. In the past we’ve seen Malaysia ISPs do this, for instance when they blocked Malaysia-Today in the run-up to the 2008 General elections, but censoring one entire website is a fairly straightforward thing to do–an bypassing that censorship is equally straightforward.

Malaysiakini twitter account hacked

Sun, 28 Apr 2013 15:17:32 +0000

Sorry for inconvenience! let us manage your twitter account from now on,Untuk semua , For All, Wei Ren Ren, Ellowrukkum - SarkasSiber
— malaysiakini.com (@malaysiakini) April 27, 2013

In what appears to be an escalating amount of cyber-attacks on the online web portal, Malaysiakini reported that they're twitter account has been hacked by a group calling itself Sarkas-Siber.

Malaysiakini now follows in the footsteps of other notable newspapers who’ve had they’re twitter account hacked, hopefully twitters recent announcement for two-factor authentication may help reduce the high number of hacks the social network faces on a regular basis.

Government Network used to download porn : Privacy is dead

Wed, 24 Apr 2013 07:00:15 +0000

Just how private are your searches…turns out they aren’t private at all.

The wonderful people at Torrentfreak did an amazing piece of investigative journalism today. Upset over the passing of CISPA, they decided to do an internet check on how active the House of Representatives were–on bit torrent. It turns out with a couple of IP addresses, and some elbow grease you can pretty much find out how active a certain IP range is on bit-torrent or even on searching porn!!

So using the same techniques that Torrentfreak used, and applying them to the Malaysian e-Government official service provider “Government Integrated Telecommunication Network (GITN)”, your friendly neighbourhood Tech Evangelist manage to find some pretty interesting results!

The GITN is owned by Telekom Malaysia and is dubbed the “official network provider for the e-Government” in Malaysia–so let’s see what the official network for the e-government was being used for?

First off, someone was using the GITN network to download torrents–not exactly surprising, but judging by the variety of torrents (everything from Dark Skies to Naruto to Discovery Channel documentaries) it looks like more than one person was doing the downloading.

Also equally interesting was that someone used the GITN network to download porn. I'm no expert, but I'm thinking Gangbanged.XXX isn't really a discovery channel documentary.

Datuk Maglin Dennis D'cruz in Klang : The non-updating Minister

Sat, 20 Apr 2013 20:22:13 +0000

So it’s official. Datuk Maglin D’Cruz will compete in N.48 Kota Alam Shah in Klang. Sadly this is true.

I never liked Datuk Maglin, he’s the Deputy Information Communications and Culture Minister that was looking at ways to ‘control’ social media. I won’t go much further as to why this is a bad idea–but it just goes to show how in touch Datuk Maglin is on the social media.

Malaysiakini goes free from 17th April for GE13

Wed, 17 Apr 2013 12:26:00 +0000

Got a note from Malaysiakini today, for all you stingy-porkers out there who read all the malaysiakini news reposted by various parties, but never really paid for the subscription–here’s some good news.

Malaysiakini will go free from 17th April onwards, to pave the way for MORE adverts (like we didn’t have enough) but also to allow Malaysiakini to respond to attacks more effectively. Having to cater to two customer models makes responding to DDOS attacks a bit harder–though I can’t imagine why.

It’s however good news all-around. Malaysiakini will extend the subscription if you were already paying, and if you never were a customer, you now have access to all the news from Malaysia no.1 Online News Portal.

My BN Spam SMS collection

Sun, 14 Apr 2013 23:44:29 +0000

In the past 6 months, I've received more than 20 political SPAM sms' from the Barisan Nasional Yakini BN campaign, various political surveys and two from my local MP from PAS (Dr. Siti Mariah Mahmud).

Now obviously, I’m expecting the spam rate to increase exponentially as we approach GE13, and to me that’s really bad news. In fact over the last month alone, I’ve received 5 text messages from the Barisan Nasional Yakini BN campaign–they know my FULL name, my contact number and even my place to vote. They know more about me than I’ve ever given out to ANYONE from any survey, and I consider this an invasion of my privacy.

MCMC screw up press release

Wed, 20 Mar 2013 06:00:25 +0000

So after the furore over the Malaysian Insider article that wrongly accused the Government of using spyware on its citizens, the MCMC rightly issued a press statement denouncing the article.

Unfortunately, even the MCMC has to do some reading up a bit before it post up press releases. According to the MCMC press release which you can read in it’s entirety here:

Malaysian Cyberwar: Is it an external war or is it civil

Mon, 18 Mar 2013 00:00:41 +0000

A really piece written by Asohan Aryaduray on DigitalNewsAsia some time back talked about how the CyberWar between Malaysia and the Philippines was going on, and how he wanted government agencies to step up the security of our digital assets (or at least start the discussion). Asohan claims that Malaysia perhaps has “the most number of government and quasi-government agencies looking into cyber-security for a country this size; it is time for them to put their heads together and harden the nation’s cyber-defenses.”

He ends with a rather poignant phrase: It’s war, gentlemen, and it’s time our agencies got cracking.

I’m not so sure it’s war–even less sure we should get the government involved.

If he calls the attacks by Malaysians on Pinoy websites (and vice-versa) a war, then what’s currently going on with the DAP website is a sign of not just war–but a digital civil war, with internal actors, attacking local sites.

TheStar last week reported that the:

DAP has claimed that its websites have been attacked and forced to shut down since last Friday.

National publicity secretary Tony Pua (pix)said the party’s official website, dapmalaysia.org, and its Malay portal, roketkini.com, were incapacitated by denial of service attacks (DDOS) on March 8, 10 and 13.

While TheStar doesn’t report it, but other newsportals claim Pua was blaming political foes for the attack. For the most part this is quite common, we’ve seen Malaysiakini go down a few times, and various other pro-opposition blogs have taken some hits. This of course is even more interesting because Krebsonsecurity.com blogged that he was a victim of not just a DDOS attack but Swatting as well.

Malaysian government using spyware against citizens? No, not really.

Fri, 15 Mar 2013 01:01:00 +0000

I’ve been pretty busy the past few months, and my post count has been pretty low, and although I just returned from a 2 week trip abroad and am now flushed full of work, I decided to burn a bit of the midnight oil today because the Malaysian Insider completely pissed me off.

It all started with an article from Lim Kit Siangs blog, which read “Malaysia uses spyware against citizens, NYT reports”. The post was merely a cut-and-copy reproduction of a Malaysian Insider article that had the same headline. The headline really got my blood churning and it was followed up with an even more mouth watering opening paragraph:

Is the MCMC going to 'monitor and control' or is it going to 'censor'

Tue, 12 Mar 2013 07:00:33 +0000

A week ago, I wrote about the MCMC was planning to ‘monitor and control’ the internet, but just today I looked at my RSS subscription and notice that the Malay version of the press release used completely different words.

While the English version of the Press release used words like ‘monitor and control’, the Bahasa version used the term ‘memantau dan menyekat’. The term ‘memantau dan menyekat’ more appropriately translates to ‘Monitor and Block’ or ‘Monitor and Censor’ rather than ‘Monitor and Control’.

MCMC looking to 'control' social media at GE13: A worrying trend

Sun, 03 Mar 2013 15:19:37 +0000

Bernama (an official government news channel) yesterday reported that the MCMC is “looking at suitable methods to monitor and control the use of social media in the 13th General Election (GE13)". Deputy Information Communications and Culture Minister Datuk Maglin Dennis D’Cruz said this was “to ensure that the social media would not be abused by irresponsible quarters to achieve their own political agenda”. Datuk Maglin then quickly goes on to shameless promote the BN by saying that “Therefore, the public, especially the young voters should be wise enough to do their parts in selecting the right government with vast experience in managing the country, so that their future will be secured.”

Are your broadband meters accurate?

Mon, 18 Feb 2013 07:00:38 +0000

When Maxis, or Telekom or Digi claim that you’ve used all your bandwidth quota–can you really trust them? A good article from consumerist reported that even American telcos are facing difficulty counting the bytes their users use.

For the most part this is OK if your ISP provides you unlimited quota, in which case it doesn’t matter how much you use. However, if your ISP is either charging you per byte (like Yes 4G prepaid) or capping your speeds once you exceed a certain threshold, then they’d better be sure that they’re accurately counting the number of bytes you’re using before they starting capping speeds. So if you’ve got a bandwidth quota or a data cap, it’s in your interest to ensure your ISP is measuring your usage accurately, otherwise you could potentially be billed for data you never used.

It’s also interesting to note, that in some cases what the ISP measures as your data usage, is not what you will measure at home. A GigaOm article detailed out Chicago Area Resident, Ken Stox tried to simulate his ISPs metering his own meter at home. Stox installed a Linux application called Tomato, which basically is a Linux program installed on his router that allowed him to write programs to track his usage.

Knox reported on Slashdot that:

Are Free Public WiFi initiatives safe? Or do they pose a Health Risk?

Fri, 15 Feb 2013 07:00:51 +0000

Techdirt recently reported on how Canadian Schools are Banning WiFi based on bad science, and I was appalled by the complete lack of science we have operating in the minds of these clueless parents. No doubt they’re well-intentioned but their complete and utter disregard of the scientific evidence in favour of fearful knee-jerk reactions are actually causing more harm than good for the very children they intend to protect.

Of course it doesn’t take much research to find out that WiFi isn’t dangerous, and there’s no evidence to show that it is dangerous. In fact, most studies suggest WiFi radiation is so weak, that a year of WiFi radiation equals to 20 minutes on a cell phone. The most important thing of course is not to fall into the trap of thinking we’re ‘better safe than sorry’ because we already are safe with WiFi and we have enough evidence to suggest what WiFi poses to health risk.

Wireless@PENANG : The Health risk of Public WiFi

I'm also reminded of Wireless@PENANG project, that took so long to launch due to pressures from public groups and NGOs similar to the Canadians parents. This includes flak from Anil Netto (a journalist I respect) , who wrote a couple of post about how the public were not consulted about the Wireless@PENANG and how the European Parliament has begun to be wary of Wifi. All of this of course didn't bode well for the Penang Government, because they had to organize a town hall on the matter, fortunately the science prevailed and Jeff Ooi (whom Lim Guan Eng branded as 'tech-savvy') announced that the project was back on track shortly after the town hall.

Unfortunately, the consumer association of Penang wrote a long open-letter to Lim Guan Eng, chastising him for not engaging them enough. It was clear from the letter than the Consumer Association, while having the right intentions in mind–were clearly misled in terms of the science. It was even clearer that all they wanted was for them to be engaged, but from my end I can’t see how a consumer association who has looked at the scientific data (and lack thereof) not conclude that the benefits of WiFi almost astronomically dwarf the ‘perceived’ health risk– quite frankly there are no health risk. More to the point, I would not even begin a conversation with them, till they point to some scientific proof of how WiFi is a health risk. At present there is no such data.

LGBT Movies Ban in Malaysia

Mon, 11 Feb 2013 07:00:22 +0000

This is a bit of old and stale news, but in April of 2012, the Information Ministry released a 'directive' to ban all movies or films that featured gay characters. In their defence, the Ministry did later clarify that their facebook post wasn't a directive, but a topic for debate. Of course, there can't be much defending when the post itself starts with "Berkuatkuasa serta merta, stesen radio dan televisyen diminta menghentikan.." which effectively translates to "With immediate effect, all radio and television stations are requested to stop..".

However, this little directive provoked my thoughts, because I’ve always been intrigued by the ‘weeding’ effect of censorship. The ‘weeding’ effect is a simple analogy I came up with while I was –you guessed it– weeding my garden. You see I’ve got a small garden in my home, and every now and then I put a pair of pink rubber gloves and go weeding around by hand, it’s a tough job, but someone has to do it. Now for those of you who’ve weeded anything before you know those nasty little weeds tend to grow in between the grass, and it’s really difficult to pick them up without plucking a fair bit of non-weeds with them. In fact, if you’ve got a lawn like mine–it’s almost impossible to get rid of the weeds without getting rid of the lawn grass as well. You most definitely want to avoid plucking out that expensive lawn grass you laid down.

The same goes with censorship, every time you try to censor something like the word ‘Breast’, you may inadvertently censor out something entirely innocent and useful–like Breast Milk, or Breast cancer, or Breast feeding. So while I really doubt the keyword Breast would lead to anything other than porn for the first 10,000 entries on Google, censoring the word Breast is really an ineffective solution because it could censor out a lot of really useful and relevant information.

Selangor Cyber Cafes made to retrieve personal data

Tue, 01 Jan 2013 18:15:09 +0000

Goldfries today reports that Selangor Cyber Cafes were given new regulations to make them 'healthier'. Among the new regulations put in place were:

>register their patrons’ personal details based on their MyKad or MyKid identification cards. >use transparent and untinted glass so that what happens inside can be monitored; >have an open layout with no “blind spots” so that illegal activities like cyber gambling cannot be carried out without being easily noticed; >have brighter lighting to give the perception of a “Healthy Cyber Cafe” instead of being dark and dingy; >operate a minimum of 40 computers in urban areas, and 20 computers in rural areas.

Why the SKMM Rm200 smartphone rebate is a bad idea

Sun, 30 Dec 2012 07:00:47 +0000

The Malaysian Communications And Multimedia Commission (MCMC) or better known by its bahasa acronym SKMM, has recently announced that the government will be offering a 'rebate' of RM200 of a list of 'selected' smartphones for youthsaged 21 to 30 years old. The program called the 'Youth Communication Package' or Pakej Kommunikasi Belia (PKB) has come under tremendous scrutiny from both the general public, and even members of the ruling government as well.

A press release from the SKMM further elaborates:

Youths who qualify for the RM200 rebate will be able to purchase 'selected' 3G smartphones costing up to RM500 from selected dealers and agents appointed by service providers. With the rebate, they are expected to pay no more than RM300 to own a new 3G smartphone. “The idea is to spread the incentive across to those who do not yet use smartphones. We really want to help those who cannot afford to change phones to upgrade from their old 2G phones to a basic 3G smartphone.

The Malaysian cyberspace was immediately set abuzz when the announcement was made. The twitter outburst over the scheme is primarily on the price cap of Rm500 because when the Prime Minister announced this back when the budget was tabled, there was no mention about the RM500 price cap on the phone. Even UMNO youth chief Khairy got in on the action--requesting the government not limit the price of the phones, even after the SKMM 'clarified' why it was offering the rebate to only those purchasing phones under Rm500. (apparently we don't offer rebates to the rich)

Malaysia signs ITU

Sun, 16 Dec 2012 19:18:46 +0000

About 2,000 delegates representing major telecommunication industry players, experts and representatives from nearly 200 member countries of the International Telecommunication Union (ITU) assemble here to discuss the International Telecommunication Regulations (ITR) at theWorld Conference of International Telecommunications 2012 (WCIT).

Shouldering the responsibility as a member of the ITU Council for Asia- Pacific, Malaysia is expected to highlight the important issue of telecommunication network security and the right to protect the sovereignty of a country.

Does the government have a right to shut down telecommunications services?

Fri, 30 Nov 2012 13:58:29 +0000

Press.Tv reports that Pakistan has suspended mobile phone services in several major cities to prevent terror attacks on minority Shia groups as they celebrate the holy month of Muharram. The rationale behind the suspension is that the terrorist use mobile phone services to detonate bombs and as a result the suspension of mobile phone services would help prevent such attacks. Meanwhile, Ihsanullah Ihsan, a spokesman for the militants’ umbrella group, the Tehrik-e Taliban Pakistan (TTP), has claimed that suspending mobile phone services will not hold them back from carrying out their deadly attacks against the Shia Muslims.

This is ultimately a case of the government having too much power, the real threat of terrorist using bombs somehow resulted in a government issued communications blackout throughout the country–which does little to prevent the terrorist who are hell bent on killing.

I’m guessing that cellphones are picked as detonators for their ubiquity and range, however if you remove the cellphone from the equation you still have hundreds of possible detonation mechanisms, including timers (like the ones from early Mission Impossible shows), walkie talkies and even just a person standing by the bomb and detonating himself with it.

While many of us are of the opinion that a government should do everything to protect it’s citizens, we often fail to to realize that the mechanisms the governments utilize to protect us has a cost–a cost usually paid for by the very people they are supposed to protect.

A full blown mobile service block, doesn’t just block the terrorist–they block everyone. From a father frantically trying to locate his daughter, a hospital trying to locate next of kin in an emergency, or even a blood bank trying to contact its donors. This sort of carpet block is not an effective solution and the cost of it usually far outweigh the benefit, with the benefit being ZERO if the terrorist find some other way to detonate the bomb in spite of the block.

Anonymous downs Israeli web sites to protest web embargo

Sun, 18 Nov 2012 23:12:32 +0000

[blackbirdpie url=“https://twitter.com/YourAnonNews/status/269572459651555328”]

In what can be described as a great battle for the freedom of the internet, Anonymous – those self-proclaimed hacktivist – have launched a series of attacks on Israeli websites owned by the Israeli Military or Government. The attacks come in the midst of a huge Israeli offensive on Gaza, but contrary to what CNet would have you believe, the attack themselves were not in retaliation to the Gaza offensive, but rather a retaliation to the Israeli ‘threat’ of severing all internet communications in and out of Gaza.

Evidence Act: Anonymity before the internet

Tue, 06 Nov 2012 08:00:35 +0000

I read a brilliant article on the Evidence act by Zul Rafique and Partners that I think everyone should read. In it, the author compares the newly amended Evidence Act (supposedly amended to combat the evils of the internet) to a sub-section of the original act meant to look into telegraphs. Now I must admit, that as an internet kid, I don’t quite understand the concept of a telegraph, but the point is that even before the internet Anonymity was possible.

The public perception that is reinforced by ignorant government statements, is that with the internet has enabled anonymity which in turn has enabled crime.

According to Datuk Seri Mohamed Nazri Aziz, Minister in the Prime Minister Department, the amendments were tabled to address the issue of Internet anonymity since this very fact makes it extremely difficult, if not impossible, to trace the alleged offender.

That is a false statement.

Let me introduce you to snail-mail.

In the past, long before the internet was around, people use to communicate via letters and postcards that were hand-delivered by postmen to your doorstep. This is a foreign concept to most children but it’s good to let them know just how hyper-connected they are in relation to their parents or grandparents.

When you send a letter, you write a note on a piece of paper, sign it at the bottom (presumably with your name) and then place it into an envelope. You then write the name and address of the recipient on the envelope, afix a stamp (that acts as a proof of purchase)–and then drop it off at any post office you see fit. The Post Office then somehow routes that letter to the recipient on the envelope–physically hand delivered.

Notice–you never have to prove your identity when you send a letter or postcard. No where in the chain of events are you ever asked for your IC or phone number, in fact I could just as easily write a malicious letter, post it to the Prime Minister and sign it as Datuk Seri Mohamed Nazri Aziz. Would the Prime Minister then automatically assume his cousin sent him the letter just because it was signed in his name?

I guarantee you it’ll be harder for the authorities to trace that physical letter as opposed to a similar digital email. Too many people watch CSI these days to believe that statement, but there’s a reason why kidnappers still use physical constructs–because in the digital world you always leave a trace.

If we apply the amended Evidence Act to the letter analogy, Datuk Seri Mohamed Nazri would be charge for sending that malicious letter to the Prime Minister–even though he never wrote it. All of us understand the stupidity of assuming someone sent you a letter just because the letter was signed by that person, yet we seem to think nothing of it in terms of emails. In fact, if I wanted to get Nazri into a whole heap of trouble, all I’d have to do is send 1000 similar letters to 1000 different people, and sign it with his name–in that way, he’d be charged 1000 different times in a 1000 different court proceedings and even though he might be deemed innocent on each count, it’s still a whole load of trouble I can cause for him for the price of 1000 stamps (roughly Rm500 which wouldn’t pay for even one hour of a lawyers time).

Auditor-General report 2011 : When can Malaysians expect Transparency in IT spend

Mon, 29 Oct 2012 08:00:49 +0000

As a tech blog in Malaysia, I thought it’d be interesting to see the latest Auditor-General’s report faired in terms of IT spend from the government. IT spend is a tricky thing, and most don’t understand just how tricky it is, particularly around big IT spend by governments–they often fail. In fact, one of my favorite blogs is dedicated solely to IT failures, aptly titled–IT Project failures.

However, even the Synopsis report of the AG report is a harrowing 87 pages long. It’s not just the length that puts of me off, but rather the sheer dry-ness of the language that is used. Interestingly, not a single diagram exist in the documentation filled with enough monotone text to put even the most ardent auditor to sleep, and I’m no auditor so I nearly dozed off after the 2nd page. I had to take a different approach if I was to get a synopsis of the synopsis, fortunately I work in IT (not auditing or law), and I know of function in Adobe Acrobat that let’s you quickly search a document–it’s called the FIND function, and I was a deadly ninja in the art of the FIND.

So, armed with the FIND function on Adobe Reader, I combed through the document looking for the word ‘system’ and where it tied with an actual IT system too see just how well our government was in delivering IT systems in 2011. Below are just a few paragraphs pertaining to the AG’s report and below are 2 prime examples of the the magnitude of IT failures from Putrajaya.

Sumptuous Erotica and Barisan Nasional

Tue, 23 Oct 2012 08:00:19 +0000

In case you've been under a rock for the past week let me fill you on some details:
Alvin Tan and Vivian Lee–both Malaysians started a little porn blog called Sumptuous Erotica attracted headlines both in Malaysia and across the causeway. However, unlike other couples who’ve been caught with their pants down before, both Alvin and Vivian seem indifferent to the controversy surrounding them, more importantly they seem quite confident that they’ve done nothing wrong and have nothing to apologize for to anyone.

On the face of it–they’re right. Whatever you think Alvin or Vivians parents have against their children posting pictures of themselves naked online…that’s a matter for them to settle, not for you to be a busy body about.

Software piracy in China : Can the Yankees really complain?

Sun, 21 Oct 2012 09:00:40 +0000

Did you know the term ‘Yankee’ is thought to be derived from the Dutch name Janke, which means “little Jan” or “little John,” a nickname that can be traced back to the 1680s, when it was used as a slang term for pirates. Yes, you heard that right, the Americans were regarded by the Europeans as Pirates. At least that’s what Matt Mason, author of The Pirates Dilemma suggest.

Matt isn’t just an author of a book, but also the Executive Marketing Director of BitTorrent, so when he says something–I listen. Things like: [box icon=“chat”]

But the term really gained steam during the Industrial Revolution. Europeans began using the term to refer to all North Americans as a result of America’s national policies towards European intellectual property. America only industrialized as rapidly as it did by counterfeiting European inventions, ignoring global patents and stealing intellectual property wholesale. Lax enforcement of the intellectual property laws was the primary engine of the American economic miracle writes Doron S. Ben-Atar in Trade Secrets. The United States employed pirated know-how to industrialize. Europeans saw America as a nation of bootleggers, which was a little unfair, as every major European country was also heavily engaged in piracy and industrial espionage at some point in the 18th century. Piracy was, in fairness, the only way the U.S. could keep up.
Of course, fast forward a couple hundred years, and now you see US companies accusing other countries, particularly China and other Asian nations of doing the exact same thing the US did to try to bridge the economical and technological gap it had with Europe. One would argue that part of the China miracle, is their lax enforcement and ignorance (or arrogance) of patent laws, but in all fairness within this space of of gross patent apathy, there exist large pockets of innovation that would otherwise be impossible if intellectual property laws were strictly enforced and followed.
Consider a very specific example of the ‘drop down’ menu in the iOS. When I bought the iPhone4 for my wife 2 years ago, the only way you could get the ‘fancy’ drop down menu that enable/disabled 3G and Wi-Fi was by jail-breaking your iPhone. Now it comes standard with iOS from Apple, so you could in theory argue that the worlds best design company got their que from the pirate market–but you never hear apple admitting to this.

Cyberbullying in Malaysia

Tue, 16 Oct 2012 07:00:11 +0000
Tributes are pouring in for Amanda Todd, a teenager who committed suicide after posting the video above describing how she was tormented by bullies and struggling with depression. Amanda's story was told little by little via post-it notes and it full detail about the extent of the bullying and torment and just how this poor 15-year old girl had experienced her version of hell on earth.
The story isn’t a typical one, but one that exist in a nuance variety even in Malaysia. Amanda was tricked into exposing herself in front of a webcam by an unknown person. Soon she was blackmailed and finally, photos or her were circulated to her entire school. What followed next was every bit as predictable as it is sad, she was ostracized by her friends and tormented by bullies, she even tells of how she switch schools–multiple times–even moving to a school in a different city!!

Yet, the bullies and torments followed here (aided and enabled by social networks), and Amanda must have reached her limit and at some point she eventually chose to take her own life.

Youtube has taken down the videos, but I felt Amanda’s story should be left for the world to see, as a stark reminder to all of us to look after our children, and I just hope you get to watch the embedded video before even this gets removed. I believe out of respect for Amanda–we should listen to the story she so desperately wanted to tell.

Let's put the evidence act into action

Fri, 28 Sep 2012 22:30:44 +0000

So let’s say someone in Malaysia actually was stupid enough to post something insulting Islam and it’s Prophet on his Facebook page as a status message. Then let’s say that same person claimed that his Facebook page was hacked.

Finally, we say there’s a huge backlash against this person on the internet, so even though the comment was deleted from Facebook, it has been screenshot-ed so many times, it’s now permanently etched online.

This is exactly the sort of hypothetical situation the newly amended Evidence act is supposed to address, yet for the most part it doesn’t. In fact, the case really isn’t hypothetical, it’s actually something going on right now, and it’s a great test-bed to see if indeed the evidence act would help us address these issues.

Gopinanth Jayaratnam from Klang, posted up a rather insulting statement online about Islam. Of course, a couple of people picked it up and soon it went viral on Facebook. What followed was every bit as predictable as a bad hollywood movie, Police reports were lodged, the ‘suspects’ personal details were published online and soon a group calling itself the Jemaah Fisabilillah Klang, launched an actual attack on his house. The gate of his house was rammed into and the car parked in the compound was damaged. Fortunately, there was no report of bodily harm, but one can imagine that’s probably not too far away.

One Visa files suit against TM : Is it a Human Rights abuse?

Wed, 26 Sep 2012 22:00:16 +0000

The Star today reported that a company called One Visa is suing Telekom Malaysia (TM) for providing telecom services and infrastructure to squatters on it’s land in Negeri Sembilan.

TM was alleged to have trespassed five pieces of One Visa's land by supplying the telco services to the illegal occupiers of its land.
One Visa had sought RM23.07mil as special damages being the total rental value of the land based on current market value rates calculated from March 22, 2011 and continuing until cessation of the telco services and the date of removal of TM’s infrastructure from the land.

That’s right 23.07mil in ‘special’ damages for the TOTAL rental value of the land, because TM had supplied telco services to the illegal occupiers.
Now, I’m no lawyer and I’m not familiar with the case, So I cannot comment on the legality (or illegality) of the squatters staying on the land. What I can comment on though is the utter ridiculousness of the suit to sue TM for the full rental of the land just because TM had supplied telco services. That’s like charging your neighbour rental for your entire house value, just because his mango tree has over-grown into your garden.

Ban Youtube in Malaysia?

Tue, 18 Sep 2012 09:23:13 +0000

Rais Yatim a Member of Malaysian Parliament and a Minister in Government, has threatened Youtube with legal action over their refusal to remove the video of Innocence of Muslims. Nevermind the fact that Youtube have tried their level best to restrict access to the video from Malaysian users, and also failing to recognize the fact that Youtube is merely a video sharing site.

You have to sympathize with Google, they’ve drawn the line the sand and they’re getting the most flak of anyone in this debacle. Most people seem to forget that it was a Youtube user (not Youtube itself) that created and uploaded the film. It also may have slipped your mind, that the video clip is available on other less prominent video sharing sites like Vimeo. Yet Google is sticking to it’s guns under enormous pressure not just from Muslim Governments but from it’s own Government to take down the offensive video. At the very least they deserve commendation for their courage in the face of adversity.

Censoring Innocence of Muslims in Malaysia

Mon, 17 Sep 2012 15:21:38 +0000

The Malaysian government has requested that Google take down the video Innocence of Muslims, and Google has since complied. As of today, anyone trying to access the clip from a Malaysian IP address would see a screen that reads “This content is not available in your country due to a legal complaint. Sorry about that.”

The clip is most definitely offensive, and demeaning but what is quite obviously isn’t is–serious. The first thing anyone notices from the clip is that it’s of low quality, there are multiple versions of Malaysian Gangnam style that are made with far higher quality than the clip, yet this one particular clip has managed to create such an uproar that people have killed for it. I’m not defending the clip, or opposing it.

What I am against is Governments and Corporations coming together to censor something ‘on behalf’ of the people. What I am against is a ineffectual censorship, which instead of preventing people from viewing the clip, actually nudge them towards actively searching for it online.

In the end, we have to say that video clips don’t kill people–people kill people and in my view the censoring of the clip is both ridiculously short-sighted and terribly ineffective.

Evidence Act Technological Misconceptions: A response to Rocky and Fatimah

Wed, 15 Aug 2012 12:56:16 +0000
The government has finally 'relented' and now wants to 'discuss' section 114A of the Evidence act 1950. Now it's great because it proves beyond a shadow of a doubt that:

The internet can be used for fantastic good.

The general Malaysian public can make a difference in the governance of the country.

My website also had the pop-up banner, and according to Google Analytics, all 300+ people who visited yesterday were at least enlightened by it.

However, there are some misconceptions about the act, or more specifically misconceptions about the technology behind the internet. The only reason, I’m writing this post is because yesterday morning RockyBru posted up content by a blogger named Fatimah Zuhri, defending the act. Why on earth would a blogger defend the act is beyond me, but it became clear that her understanding of key internet concepts were way off the mark.

From a technological perspective, she was advocating from a point of ignorance, and Rocky whose a popular (or unpopular) blogger/journo only served to spread these misconceptions. I hope to point out how it is very difficult to pinpoint the origin of an anonymous or malicious post, and how shifting that burden to the ordinary citizen is unjustified.

So let’s start with the Post which you can read here, although for your sake I wouldn’t suggest it. Partial contents of the post is quoted in here as well.

Personal Data Protection Act 2010 Malaysia

Mon, 30 Jul 2012 06:00:19 +0000

[box icon=“chat”]

Data is the natural by-product of every computer mediated interaction. It stays around forever, unless it’s disposed of. It is valuable when reused, but it must be done carefully. Otherwise, its after-effects are toxic. - Bruce Scheneier

As society moves towards a ‘knowledge’ based society, data naturally becomes a by product. Every action you perform leaves a tiny digital trail like breadcrumbs in the forest, and just like though breadcrumbs each individual data point is insignificant, but piece them together–and you’ve found you way home.

What we use to buy we cash, we now buy with credit cards – with every swipe, digital data is created and stored, it records the amount of the transaction, where the transaction took place, and the banks bill the customer, which means it can tie it to an address a person, their age, their income and even their preferences.

Photos were physical things we could only share in person,but now we share them digitally on social networks–all those photos are stored–permanently, and they’re tagged with meta data regarding the photos location and the names of people in the photo. A lot more data, and a lot more public. Even if you randomly stumbled across a photo on Facebook, chances are you could easily find out who the people in the photos were, and where the photo was taken–that wasn’t the case before digital photography.

When we use to pay toll booths in cash, we now use touch N’ Go, so there is a full blown record of where we travelled and at what time. Coupled with the CCTV footage they can even identify which vehicle you used. Tie that with your credit card and we can determine where you fueled before you got on the highway, coupled with CCTV footage from the Fuel station we know how many people were in the vehicle. Look at the JPN records and we’ve got the car owners name, and contact information, a quick search on Google reveals his profession on LinkedIn, his favorite places from tripadvisor, his friends on facebook, and if we pay close enough attention to his tweets chances are we can find out which football team he supports or which political party he’s aligned to.

What used to be something you’d only reserve for your close friends at the kopitiam now is public knowledge, provided some one takes the trouble to Google your name.

And the list literally goes on and on, and all these add the amount of our personal data stored digitally online–data that can be used to determine who you are, where you are, what you like, what your political beliefs and religious inclinations–even your medical history and sexual orientation. I’m not kidding, there’s a story I love to link to which tells of a supermarket who knew a teenager was pregnant before her father did.

One of the biggest abusers of personal data has been advertising companies and mail-order folks, the people that spam you day in and day out with emails about viagra and cheap housing loans, however as time goes on a lot of other people are getting on board, like insurance companies who want to know more about your medical history or driving records, banks who wish to determine if you’re really eligible for a loan–even a supermarkets may have a direct interest in your personal data.

It has become imperative that we as users look towards protecting our data online, but there also is an imperative for governments to regulate the way our data can be used–even by governments themselves (or ESPECIALLY by the government).

Is your Wi-Fi safe?

Sun, 01 Jul 2012 08:00:28 +0000

With the newly enacted Evidence Bill Amendment, you would have been deemed to have published everything that originates from your IP address. What that means is that if someone hacks your Wi-Fi and then uses it to publish malicious or seditious statements online, you will be deemed to have published it, and the onus is on YOU to prove you’re innocence rather than for the prosecution to prove your guilt.

So obviously with the new law floating around, Wi-Fi security should be at the top of every Unifi Subscribers agenda–if it isn’t already.

However, how secure is your Unifi Wi-Fi connection?
The short answer is not so secure.
The brilliant blog Lifehacker recently posted an article on how you can hack Wi-Fi connections secured by a WPA or WPA2 password. The post is quite detailed but even I have to admit the technical skills neccessary to pull this off is somewhere between intermediate and expert. At the end of the post is a link to a spreadsheet detailing all the devices that are susceptible to this hack, and one of those devices is the DLink Dir-615 Wi-Fi router, if it doesn’t sound familiar let me refresh your memory–it’s the router that Unifi gives out to all Unifi customers!!! (que bone-chilling Alfred Hitchcock Movie sound)

Now taking aside the fact, that I could probably call all Unifi customers to request the Wi-Fi password printed at the bottom of their router, and 50% would probably provide that to me with no issue, this also means that for those people smart enough to hide their passwords – I can still hack your Unifi Wi-Fi connection no matter what you do on your router. There’s literally nothing you can do, hiding SSIDs don’t work and neither will MAC address filtering. Of course this is all theory, and testing this theory took a lot more time than I had, so I’m not sure.

What I am sure is that Unifi have their own firmware for the DIR-615 router, and that’s a partially susceptible router, meaning some firmwares are susceptible some firmwares aren’t, and it’s a coin toss and whether your router at home is susceptible.

Now, while I know of a few people who hack Wi-Fi passwords just for the fun of it,and there’s a lot of references and material online detailing the steps required–so we all know this works. In fact you can buy packages online that allow you crack the routers easily :). This blog written in Malay claims that they’ve successfully hacked a DLink Dir-615 router, I’ve no doubt it’s possible, but it’s not easy and it takes time.

Either way though, it’s always good to remember this. There is no such thing as impossible to crack, merely inconvenient and infeasible. Don’t believe me? Check out this story of how a group of University Students manage to hack a US Military Drone in mid-flight using nothing more than $1000 worth of equipment, do you really think your Wi-Fi at home is more secure a ‘death from above’ US Predator Drone? Every Wi-Fi access point hackable, it’s only a matter of how much time, effort and money is required.

Is Dowloading a banned ebook illegal?

Fri, 22 Jun 2012 10:00:02 +0000

Let’s get straight to the point, the latest case where the Federal Territory Islamic Affairs Department (Jawi) is prosecuting a store manager is both disgusting and without merit. Not only is she just a Manager carrying out here duties–thereby making the bookstore liable instead of her, but the raid on the bookstore was carried out BEFORE the book was banned by the Home Ministry. So here in Malaysia, not only will the Government be able to persecute you in a guilty until proven innocent manner, but apparently government agencies can persecute for possession of a book before it is banned.

However, politics aside, let’s talk technology!!

What if I used Technology to bypass all government censorship. So instead of buying the book from Borders (or MPH, Popular or Kinokuniya for that matter), I simply download the Kindle version of the book online?

I did an online search, and indeed found that Amazon has a Kindle version of the book retailing for $11.99, if you already own a Kindle in Malaysia, then you can bypass all this drama and simply download the book to your Kindle. Of course, there are legal concerns with just downloading regular books from Amazon, much less banned books–so be warned!!

Now I wouldn’t recommend it and there are huge legal questions, but technically–it can done, and it can done easily. I’m start to finish in 5 minutes–it really is that easy.

My point isn’t that the book should or should not be banned, my point is that the ban can be circumvented with ease using technology. So how effective can any ban be, when most Malaysians have access to the internet?

On top of this is a very interesting question, Does a banning a physical book constitute internet censorship–probably not. However, does banning an electronic book constitute internet censorship? Of course you may say the law makes no distinction between and e-book and an actual physical book, but the law makes no distinction between and ebook and webpage either (they’re all considered publications), and if banning a webpage is obviously internet censorship, isn’t banning an ebook internet censorship as well?

The question I believe can be synthesized into Does Banning and ebook constitute censoring the internet? I don’t have the answer, but I believe there are 2 aspects:

The Traditional legal aspect as covered by the Printing and Publications act 1984.

The goverment promise as outline in the MSC Bill of Guarantees to not censor the internet.

If you’re a lawyer, I would love to hear your comments.

Internet Privacy with TOR: Should the internet be anonymous

Thu, 21 Jun 2012 07:42:54 +0000

It’s an irony that while the internet was the first place you could create avatars and split personalities to impersonate others, it has now turned into a free for all buffet for private data. I previously shared on how the ads you see on facebook were inherently tied to the Google searches you perform, and how ad companies have probably gathered so much data on you that they can find out if you’re pregnant before even you do.

With that in mind, many people still have an antiquated concept of a fully private and anonymous internet, in fact in most cases its easier to track an internet connection than an actual physical person, and its actually quite possible that a confiscated computer from your home could prove your whereabouts for the last 2 years. Earlier this year, a 19 year old girl was strangled to death while she was asleep, her alleged killers were actual stupid enough to perform an internet search on “chemicals to passout a person,” “making people faint,” “ways to kill people in their sleep,” “how to suffocate someone” and “how to poison someone”. Needless to say, the evidence seems rock solid, and these dumb criminals would go behind bars.

On the other hand, some criminals aren’t so stupid. In fact, the FBI, Interpol and various other law enforcement agencies have entire departments looking and searching for online criminals who do everything from fake money Nigerian scams to trafficking child pornography on the internet. These guys have proven quite difficult to track because of something called TOR.

Black Day for Malaysians : New Evidence Bill Takes effect today

Fri, 01 Jun 2012 05:00:38 +0000

Today marks a crucial point in the crusade against freedom on the internet in Malaysia. We’ve had SOPA in the US, ACTA in Europe and the TPP has brought the fight closer to our borders. Today in a brilliant tactical move by the enemy of Freedom, Malaysians will be subjected to an amended evidence act that would shift the burden of proof from the accuser to the accused. It is a black day indeed, and the words John Fogerty ring in my ears–I see a bad moon rising.

Scary Scary Privacy Concerns Online

Sun, 20 May 2012 15:40:39 +0000

Would you get freaked out if I told that from just 1 hour of internet browsing, your information could be shared with nearly 70 organizations, including advertisers who use it to target ads to you. Would you be angered if this information were sold to other 3rd parties including insurance providers and even governments to build profiles of you on their systems. Would you be annoyed that the internet which promised to be a bastion of democracy and anonymity, isn’t all it was cracked up to be? Well read on…

Recently I posted something about how Advertisers track your data via the pages you visited, and how the advertisers successfully build profiles of you based on information readily available online in addition to your browsing habits. What they then have is a treasure trove of information many of us consider private, these include your birthdate (and by extension your age) your preferences, your affliations (both religious and professional) your likes and dislikes, your family members…etc etc. If you’re a person who likes privacy, you might want to unplug your laptop–right now!

Remember the story of the supermarket who knew a teenage girl was pregnant before her dad did, that’s nothing compared to the amount of data these networks have on your own children. If your children go online regularly, somebody has a pretty good profile on them. And if you would get freaked out if somebody followed your child everyday with a camera and notebook , you should worry about the amount of personal (and very private) information some companies are keeping on you – and your loved ones.

Trans-Pacific Partnership Agreement : What is it?

Tue, 15 May 2012 17:50:35 +0000

You may remember a previous post about the Trans-Pacific Partnership (TPP) Agreement that the Malaysian Government (our Government) is looking to sign under the pretense of protecting intellectual property to “encourage investments, innovation, research and development.” Read up this article from the star to learn more.

Like any other law regarding copyright, this one is complicated and hard to understand (at least for me). However, Techdirt recently had two brilliant articles regarding the TPP with regards to Chile. The first article outlines the fact that Chile (another tentative partner in the agreement) was questioning the benefits of joining the TPP, citing the high cost of complying to Intellectual Property obligations:

Is it legal to buy ebooks from Amazon?

Mon, 14 May 2012 11:46:41 +0000

In my previous post, I wrote about how I bought and Amazon Kindle, and how I can use gift cards to purchase ebooks from the Kindle store. So far the Kindle has been an amazing experience and I personally recommend you get yourself one. However, there is a downside, since there is ’technically’ no legal way to obtain ebooks for your Kindle device.

Today I hope to explore the legality of downloading ebooks from Amazon, and how stupid copyright laws, badly behaving book publishers and a Malaysian Sales Tax all contribute to making it impossible for you to purchase ebooks for your Kindle while still complying with any and all laws pertaining to them.

Malaysiakini down!

Fri, 27 Apr 2012 18:36:29 +0000

*Update: Malaysiakini have confirmed the update on their facebook page, looks like you need to look for other sources of Bersih 3.0 news, this could take a while. It’s also note-worthy that 10 people ’like’ this on facebook, obviously over-looking the fact that nobody should ’like’ this.

With barely 12 hours to go before Bersih 3.0 starts to swing into action, Malaysiakini servers appear to be down. I was trying to logon online to check the news only to notice that I couldn’t access the site, PINGs to the site seem to time out as well. Could this be a repeat of when Malaysiakini went offline in the run up to the Sarawak elections? Plus, I know this doesn’t affect me, because as a Google Chrome user I know when other users are also experiencing problems accessing a site.

MCMC can't solve your Unifi downtime but they're looking for Gays online

Mon, 12 Mar 2012 23:09:43 +0000

Bernama reported today that The Malaysian Communications and Multimedia Commission (MCMC or the SKMM) together The Malaysian Islamic Development Department (Jakim) would begin “collaborating to monitor lesbian, gay, bisexual and transsexual (LGBT) activities in the country, particularly on the websites.”

Apart from the usual gung-ho activity of from Jakim, its Director General Othman Mustapha said “If we find that there are things that are unsuitable on the websites, information would be channeled to the committee for action to be taken,”

Now some of you may know that I contacted the Multimedia Commission some time ago about my Unifi Downtime and to investigate what compensation I could get from a 9 day down time above and beyond the pro-rated cost. In a nutshell their reply was “sorry can’t help you”. It’s quite apparent why they couldn’t help me, they’re busy looking for Gays online.

SKMM on my Unifi Downtime

Sat, 25 Feb 2012 10:43:28 +0000

Did you know Malaysia has a Multimedia and Communication Commission that oversees the quality of service for telecommunications companies including the broadband services they provide. I also understand that they are the enforcers of the Communications and Multimedia Act 1998, with a determination on the mandatory standards for the Quality of Service (Broadband Access Service) .

In not so many words, there are actually laws in place to ensure that your broadband provider meets a minimum standard in terms of uptime and service availability.

However, after reading the a short snippet of the Act from the SKMM website here, I was surprised to find that while it did have a specific outline for the quality of service, it did not have an outline for the penalty imposed if the quality of service was not met.

Pinterest + Martin Luther King =

Thu, 23 Feb 2012 13:51:27 +0000

A couple of days back, I wrote about how copyright law was preventing a lot of us from listening the entire Martin Luther King “I have a dream” speech because it was protected by copyright, and in order to listen to it you had to pay Martin Luther Kings family royalty. Today I did some searching on pinterest, and found some rather remarkable works of art around Martin Luther King that were pinned in pinterest, these works of art would not be possible if the family had further copyrighted other aspects of MLKs life, and with newer stricter copyright laws that could very well be the case.

Remember for a pinterest invite, just leave a comment on the post and I’ll send one to you as soon as I have the time. For now, enjoy!

Source: google.it via Francesca Rufina on Pinterest

From pinterest User Effeluna

More reasons Copyright sucks

Wed, 22 Feb 2012 09:07:13 +0000

Now for an artist to copyright a song or a piece of work, for that artist to then legally make a living of is fine.

It’s not fine if you need to pay royalties to use Martin Luther King Jr’s “I have a dream speech”, because his family own the copyright to a speech that is a part of US history. They later sold those rights to EMI, and now a recording company owns the rights to the speech that encapsulates the civil rights movement, and that same recording company is patrolling the online alleys to catch the copyright infringers.

Copyright laws get dumber: Trans-Pacific Partnership (TPP) agreement

Sat, 18 Feb 2012 21:22:28 +0000

A recent article from the Star noted that Malaysia was about to sign a new Trans-Pacific Partnership agreement that would make subject local copyright laws to those imposed by the US. Now according to the article from the star the purpose of us looking into a stricter Intellectual property law was to “encourage investments, innovation, research and development”. That is a false premise.

The laws by themselves are useless if enforcement isn’t there, and if you can’t even enforce the current IP law, then why bother changing the laws if there is no plan to up the enforcement? Also this premise that we will encourage research and development with a strict law is both flawed and without basis. There is no empirical evidence to suggest that innovation thrives when Intellectual property is strictly enforced, in fact innovation is effectively crippled when you’re afraid that anything you produce might infringe on someone else’s copyright. It would lead to a point where corporations would spend more checking on copyright infringement then they would actually innovating and producing.

Unauthorized withdrawals hit DBS and POSB customers, withdrawals done in Malaysia

Fri, 27 Jan 2012 18:47:12 +0000

According to a report from Channel News Asia, a total of nearly 200 DBS and POSB customers in Singapore have been hit by unauthorized withdrawals averaging S$1000 each. The withdrawals were done in Malaysia “while the ATM cards were with them safely in Singapore”. Which begs the question what does ‘safely in Singapore’ mean?

Channel News Asia goes on to report that withdrawals were made in Kuala Lumpur (not neighboring Johor Bahru) and done approximately the same time as ‘valid’ withdrawals. ZDNet has reported DBS is working together with its IT vendor, NCR to understand the issue and investigate further. It’s also suspended all suspected cards and are contacting customers to give them what it says would be a full refund. NCR also happen to make almost 90% of all ATMs in Malaysia, and according to Yahoo! news, this was “a security breach to its anti-skimming devices installed on ATM machines”, so I’m just wondering why this wasn’t done to Malaysian accounts of local banks?

Censorship in Malaysia: SOPA told through Malaysian Eyes

Tue, 24 Jan 2012 10:15:53 +0000

There’s been a recent surge of Anti-SOPA and Anti-PIPA sentiment over in the Unites States, Wikipedia blacked out it’s entire webpage and Google, Twitter and Facebook all joined in the fray. I’ve even received multiple emails from the Mozilla foundation on how to combat SOPA and recent a congratulatory cum Thank you note from Mozilla for joining the fight. Make no mistake, SOPA isn’t dead, it’s just been shelved for the time being, get ready people round2 starts soon.

In Malaysia though there has been little reporting on the issue, while some local blogs did mention SOPA, and a few newspapers briefly covered it, not much has been discussed on either of the laws. It’s typical of the Malaysian media to report less on matters that actually matter, and more on frivolous material like this article from the New Straits Times that read “Unity is Priceless: PM”. Really? Cause the rest of us thought Unity was worth around about Rm2.75 . I mean apart from pointing out the obvious, the article has absolutely no content, apart from the big picture with the “We Love the PM” nonsense.

That being said, there were a few articles on SOPA and PIPA, however those articles for censored to a certain degree, and here’s how.

SOPA: What Trey Ratcliff and Uri Geller have to say

Wed, 28 Dec 2011 10:24:45 +0000

Trey Ratcliff is a professional photographer who photographs ooze with talent, he also blogs at stuckincustoms.com. It’s an amazing blog, but what’s even more amazing is that Trey chooses to release his works of art under the creative commons non-commercial license, which has it’s restrictions but allows free usage of the photos as long as its used for non-commercial purposes. Now that’s like a programmer offering free programs, or a writer offering free-content. It’s not unheard off, but it’s rare. However, in todays economy more and more professionals are taking this step towards similar licensing of their works.

Treys photos aren’t customized for a specific purpose, he post them on his blog and if you like them you can use them. It’s not customized in the sense that he didn’t take the photograph of you or for you. Similarly a lot of programmers are offering free programs they wrote as a challenge or a dare and shared not just the program, but the source code that any other programmer can build further upon. They didn’t build it for a specific purpose, just something general that they thought would be best shared rather than sold. So in that sense, Trey can use photos of a holiday or a scenery and offer that for free.

I mention Trey not because I love his work (although it IS amazing), and not because Trey is a top level photographer that he shares his work online. I mention Trey because he has synthesized in short post on Google+ what he thinks of Online Piracy, and it really has struck a chord with people, especially since Trey is on a different end of the piracy war and he’s saying that pirates aren’t bad people. WHAT?

Computing Professionals Bill: Final Verdict

Wed, 21 Dec 2011 22:46:02 +0000

In what I hope is my last post about this ridiculous bill, I hope to ask and answer an important question I’m surprised no one has asked yet…

Why do we need such a bill?
In essence do we need to raise standards, or provide assurance to employers regarding hired professionals. I believe the answer is NO. It all stems from a brilliant book I read "start with Why" by Simon Sinek, and you catch his amazing TedTalk here. He goes on to say, that if you mess up the WHY of any action, no one will follow you, because "People don't buy what you do, they buy Why you do it"
Now I understand that we’d always need to raise standards, and provide assurances, but in the greater scheme of things is it really that necessary to do it now, or can we expend our energies and effort elsewhere for the IT community to get the value from our actions. This should be at the core of the discussions, this is the WHY of the bill, if I don’t believe in the WHY of the bill, then there’s no need talk about the who, what,where and how.

If the objective of the bill isn’t agreed upon, then it doesn’t matter how we achieve the objective. I feel a lot of IT professionals have bypassed this and zoomed down immediately to the details, pointing out flaws in the bill and a lack of clarity and specifics, however I’m not even sold at the high level of the bill let alone the specifics, and I struggle to understand why the bill is around in the first place, let alone how it will achieve it’s WHY.

Computing Professionals Bill: 10 reasons to kill the bill

Thu, 15 Dec 2011 11:53:39 +0000

So there’s a lot being said about the new Computing professional bill, even on this blog. For now though, if you’re really interested in finding out about the legal implications of the law, check out this amazing article here from the Bar Council Website written by ‘The Awesome’ LoyarBurok. Or if you’re in the mood for some petition, try signing this petition here, they’re aiming for 2000 signatures, so far they’re about half way through.

You might also want to digest a point by Tony Pua (opposition MP from PJ Utara):

Computing Professionals Bill: This is IT

Tue, 13 Dec 2011 23:22:39 +0000

Some laws you have to fight wars to keep….others you have to fight wars to be repealed. This is one of those laws you have to fight to prevent from ever being made a law…

On April 12th , 1861 Confederate forces attacked Union Military installation named Fort Sumter in South Carolina. The attacked marked the beginning of the American Civil War, and the United States of America would never be the same. The war was about more than just a secession from a Union, it was about preserving the right that every man was created equal and that no man or woman would ever be ‘owned’ again. In just over 140 years later, the United States of America elected their first Black president.If ever there was a war worth fighting for, it was the American Civil War. The Abolition of slavery was a law worth fighting for, it was worth preserving, even till death.

Computing Professionals Bill 2011: Not again!!

Sat, 10 Dec 2011 01:13:55 +0000

The Malaysian government is a crazy bunch, just today I saw two bits of news that left me squirming with disgust. First a short piece on Christmas Carollers requiring Police Permits to go Carolling (not just permits but full details of every activitiy) and then later today there is a new Computing Professionals Bill 2011.

Why would a government want to regulate the computing Industry? It’s not like we’re bankers or something? Why is there a need to regulate an industry that first off is too broad to define under an umbrella called computing, and secondly isn’t exactly a threat to national security.

Lowyat has done a great deal to summarize the bill and post it up for reading here..

But where we should be really intrigued is a part of the bill (according to Lowyat) that says:

What is SOPA?

Sun, 04 Dec 2011 22:14:54 +0000

A couple of days ago, I stumbled onto a website by mozilla claiming “The internet we know and love is at risk”. Now I’m not one to panic but this was some serious stuff here, Mozilla is a company I admire and respect, so if it tells me something serious is going down, I stand up and pay attention.

Further reading brought on a couple of key points, namely that Mozilla was talking about the new Stop Online Piracy Act (SOPA) that was designed to stop online piracy, but what it would effectively do was make give copyright holders essentially too much control over their copyrighted material. Now copyright holders undoubtedly have legal rights to their work, but giving them the right to shut down YouTube because someone sang their song and posted a video takes that a bit too far.

Mozilla also claim:

The fact is that this legislation as written won't stop piracy. But it would pose a serious threat to social media and user generated content sites (like YouTube) across the internet. It could also undermine some of the core technical systems underlying the internet, creating new cybersecurity risks.
As a non-profit committed to keeping the web open and accessible to all, Mozilla wants to ensure that this legislation does not jeopardize the foundational structure of the Internet.
Unfortunately, I’m not a US-Citizen so I can’t join in the calling to US members of Congress, but you probably can. Over here in Malaysia we’ve got our own laws we need fighting. Visit here if you wish to join Mozilla and their cause against SOPA.