Under the current hype of the FBI ordering Apple to ‘install backdoors’ on their iPhones, a bit of interesting news seems to have slid under the radar.

A court in Singapore ruled that e-mails from the Hacking Team breach, published by the hacker Phineas Fisher via a torrent download, and available freely on Wikileaks–were still confidential in nature.

The news hits close to home, after all, I’ve written a 2,000 word article on it back in July, and have been harping on the issue over the past weeks, even going on BFM radio for an interview.

So was I using confidential information in my tech evangelism?!

Well, probably not, but this does raise some interesting questions.

Here’s the facts of the case.

Our spanking new, hand-picked Attorney-General is proposing life imprisonment for journalist who refuse to reveal their sources.

And surprisingly, my favorite Member of Parliament,Dato Azalina Othman, has supported the move, saying it was ‘high-time’ Malaysian did something. Fortunately, some calmer more rationale heads, like Dato Paul Low have criticized the A-G for his short-sighted stupidity.

Putting aside the fact that anonymity of sources is a core component of Press freedom, it’s easy to extrapolate how harsher punishment for journalists who keep their sources anonymous will back-fire spectacularly for the Government.

If sources know that Journalist will be pressured to reveal their identities, most sources will stop speaking journalist, thereby stemming the leakages from the government, and keeping the status quo.Or so the theory goes…

Next week, I’ll be on BFM for an interview about spyware, which will be my last Hail Mary play to get a conversation started about the use of surveillance software by the Government. If a radio interview on a popular station won’t do it, nothing on my blog will possibly be able to anyway :)

In any case, this post is a pre-emptive response to a slightly controversial idea that I cover (very briefly) in the interview, and hopefully it can be articulated better here than in a radio segment. To be honest, I haven’t fully thought this through, but I believe it at least some some aspects of truth that deserve further attention.

The Idea comes in 3 parts:

1. Terrorism has changed dramatically with ISIS (or Daesh)
2. Our conventional approach to surveillance will be ineffective against this new threat
3. Our surveillance-based response to the new threat may end up hurting us more than ISIS ever could

So the buzz around twitter is that Medium.com has been blocked by the Malaysian Authorities, and guess what? It’s true.

It was expected, after all Medium is where the ‘infamous’ Clare Rewcastle Brown uploads her articles to circumvent censorship of her own site, the equally diabolical SarawakReport.org.

Medium is like twitter without the character limits, and it's quite a cool site to just browse around and look for interesting articles to read, The platform claims to be "community of readers and writers offering unique perspectives on ideas large and small".

So it made sense for SarawakReport to take their content to Medium. After all, most of their readership is Malaysian, and since Malaysian ISPs ‘censored’ their content, using a neutral ‘un-censored’ platform like Medium was a perfect solution—well almost perfect!

It’s a phenomenon called ‘collateral freedom’, and for a while SarawakReport readers, and Malaysian internet users enjoyed that collateral freedom, Medium was free and un-censored, which made Sarawark also free and un-censored as long as it was on the platform.

The Government has denied buying spyware from hacking team, they really should have checked with me before issuing the statement.

On the 23rd of November 2015, Datuk Seri Azalina Othman Said denied that the Malaysian government had procured spyware from hacking team. In a formal response (in Parliament!!), the Minister simply stated “For your information, no such device was purchased by the Prime Minister’s Department”.

For YOUR information, dear Minister, I don’t like being lied to, and oh look there’s a flying pig by the window.Next time ask your PR guys to call me before you go setting your pants on fire.

Ok folks, here’s a step-by-step on why we can trust the hacking team leak, why there’s conclusive proof Malaysia bought this spyware, and why we should be worried about the manner in which it is being used. So let’s go.

From: jibby@Malaysia.gov Sent: 23 Dec 2015 To: orangbawah@Malaysia.gov Subject: Cybersecurity Year end message.

*This message is intended for all Malaysian Government servants only, do not forward without prior approval*

I want to use this year-end as an opportunity to discuss the important topic of Cybersecurity. This year was interesting for me personally, and for all Malaysians, and we need to be aware of cybersecurity issues in order to avoid situations where some people go bat crazy over a missing pendrive, or we’re struggling to interrogate a sysadmin in Thailand.

But let’s start with a Government Linked Company, Malaysian Airlines (MAS).

In February, MAS had their website hacked by a group calling themselves Lizard Squad, which appeared at the time to be affiliated with ISIS. However, I confirmed with my pal Badghdadi that Lizard squad are in no way related to our good friends at the Caliphate, and we should continue striving to be as brave as them.

Delving deeper into the hack, revealed it to be a domain registrar hijack, and was not a result of inadequate security from MAS. Essentially MAS registered their website with a registrar, and it was that registrar which was hacked, not MAS themselves. Let that be a lesson for us all, sometimes the responsibility of security rest not just with us, but with our IT vendors as well.

Another good example of IT vendors completely messing up is Miliserv.

[caption id=“attachment_5307” align=“aligncenter” width=“550”]

Pic from TheMalaysianInsider, Tip to newsmen: Next time blur out the photos and names on the ID tags as well.[/caption]

There is no greater danger of tech illiteracy, than the way we treat hackers. A society that doesn’t understand technology will view those who can manipulate it as wizards and sorcerers.

Technology sufficiently advanced is indistinguishable from magic, and to most people that bar of being ‘sufficiently advanced’ isn’t set very high.

The magic analogy is apt, even in fiction, wizards are treated either with  awe, ala Harry Potter and the muggles, or disdain ala the Salem witch trials, where ignorance bred fear, which in turn led to persecution.

Regular readers of this blog will know Kevin Mitnick, the grand-daddy of hackers, who was once rumored to be able to launch a nuclear missile by whistling into a phone. Not only was the rumor patently false, it nudged Judges in American courts to deny him a bail hearing, something guaranteed to Mitnick by the countries Federal Constitution. Prosecutors quickly learnt that if you throw around words like Hacker and Nuclear, Judges will willingly jettison constitutional protections quicker than Han Solo can dump cargo to make the jump to light speed.

In the absence of a nuclear threat, law enforcement agencies have begun using terrorism, and found it equally effective in demonizing hackers and anyone else who could do seemingly magical things with bit and bytes on a computer screen.

Passwords have always been a problem.

For a password to be adequately secure, you need a certain amount of randomness (or entropy in geek) associated with the password to ensure it can’t be easily guessed. The password monkey is less secure than the password k3ithI$one$3xydev1l, but the latter is inherently harder to remember (although still very true).

Remember you should use a different password for each online service you subscribe to, Your Jobstreet credentials should be different from your banking credentials. This way, if someone hacks into Jobstreet and compromises their passwords, your banking credentials remain secure.

What people often do is re-use one password across all their services, so that a compromise on one service is as good as a full-blown compromise across their entire online identity, a hack on that nutrition forum you visited two years could cause you to lose your life savings.

There in lies the trade-off, a easier to remember password is also easier to guess, and hence easier to hack (Google ’the fappening’ if you need more convincing), while a hard to guess password is harder to remember, and near impossible to execute if you need remember a different password for each your online services.

Which suggest that the problem isn’t passwords per se, but rather our human inability to remember long un-guessable passwords. Computers have long out-stripped us in this arena, and trying to overcome that is pretty much unthinkable at this point.

But what is the solution then? Well, in general we have 2 partial solutions.

By now, you either know someone that’s been a victim of nasty malware or have yourself been on the business end of nefarious software. The perpetual duel between security companies and malicious elements in cyberspace has changed dramatically over time, and no change has been so dramatic as the rise of a new type of threat, a threat we call…ransomware!!

...but what is Ransomware?

Ransomware immediately seeks out specific file types like Microsoft Documents, Excel Spreadsheets, digital pictures, all for the purpose of encryption. Different Ransomwares target different file types, but the idea is behind it is to seek out these files that are considered particularly valuable to the user, and one that a user would pay lots of money to retrieve if ever lost. These files are then quickly encrypted using ‘bank-level’ encryption ciphers making them un-readable to the user.

Once the files are ‘safely’ encrypted, the user is usually prompted with the–Pay us money or never see your files again!!

The famous (or infamous) cryptolocker, would request payments only in bitcoin, before the decryption key would be released to the user, the malware has kidnapped your files and the only way to get them back is to pony up the cash.

In essence, cryptolocker held your files from ransom, in much the same way kidnappers hold kids for ransom in those hollywood movies, but unlike hollywood this is real, and the one and only way to get back the files is either pray for a miracle, or make the payment.

The simplest definition of a hacker, is someone who breaks systems. We tend to equate systems to computers, but that’s a limited definition of the term. A system can also refer to a legal system or a set of processes that have nothing to do with technology.

For example, lawyers often hack around the law, looking for loopholes to exploit to give them an advantage in their case. A good lawyer is expected to work within the legal system of a country, but still try to bend it a wee bit for their clients. He’s not breaking the law, merely hacking it for his own good.

In the technology world, we sometimes define hackers as those to attempt to gain un-authorized access to computers, in other words an attacker that’s able to circumvent security measures of a server to gain access. This bypassing of security measures it what makes a hacker–but how does it reflect in a legal context?