[caption id=“attachment_5307” align=“aligncenter” width=“550”]

Pic from TheMalaysianInsider, Tip to newsmen: Next time blur out the photos and names on the ID tags as well.[/caption]

There is no greater danger of tech illiteracy, than the way we treat hackers. A society that doesn’t understand technology will view those who can manipulate it as wizards and sorcerers.

Technology sufficiently advanced is indistinguishable from magic, and to most people that bar of being ‘sufficiently advanced’ isn’t set very high.

The magic analogy is apt, even in fiction, wizards are treated either with  awe, ala Harry Potter and the muggles, or disdain ala the Salem witch trials, where ignorance bred fear, which in turn led to persecution.

Regular readers of this blog will know Kevin Mitnick, the grand-daddy of hackers, who was once rumored to be able to launch a nuclear missile by whistling into a phone. Not only was the rumor patently false, it nudged Judges in American courts to deny him a bail hearing, something guaranteed to Mitnick by the countries Federal Constitution. Prosecutors quickly learnt that if you throw around words like Hacker and Nuclear, Judges will willingly jettison constitutional protections quicker than Han Solo can dump cargo to make the jump to light speed.

In the absence of a nuclear threat, law enforcement agencies have begun using terrorism, and found it equally effective in demonizing hackers and anyone else who could do seemingly magical things with bit and bytes on a computer screen.

In 2016, Chip and Pin will gradually be introduced in Malaysia, that means your Credit Cards now will prompt you for a PIN instead of signature during purchases. This will be a bit of a hassle, but it will be worth it,  here’s what you need to know about it and credit card transactions in general.

The 5 people you meet in card transaction

First off, a short primer on credit card transactions. In any business transaction, there are at least 2 actors involved, a buyer and a seller. In industry lingo we call them Merchants and Cardholders. These are important terms to remember, as we’ll use them extensively .

But a card transaction is far more complicated and involves at least 3 more actors, some of which you may not even be aware off. First, we have the party that issued the cardholder their card, the ‘Issuer’. If you have a credit card, chances are that credit card is tied to an line of credit issued by a bank, whether it’s HSBC, or Maybank, these are issuers, who have a relationship with the card holder.

Then we have the ‘Acquirer’. This is the financial institution that provides the merchant the ability to accept card transactions. Sometime this is as simple as just placing a card terminal on the merchant premise. The acquirer has a relationship with the merchant, and that’s why when you look at credit card receipts, they usually have a banks logo on them–that’s the acquirers logo.

Both the issuer and acquirer are usually banks, because credit cards deal with debt, and only registered financial institutions are authorized by law to perform such transactions (think of interest rates, and loan functions..etc)

So far, we have the Issuer that issues the card to the cardholder, and the Acquirer that provided the infrastructure to the merchant, but how do we tie all of them together. Here the final actor provides a network that connects all acquirers to all issuers, they’re called Card Schemes. You know them by their names, VISA, Mastercard, Diners, JCB, Discover..etc. The schemes provide the ability to connect acquirers and issuers, so when you go a merchant, you only ask them if they accept Master or Visa, and not worry about the specific acquiring bank. Similarly the merchant places a “Mastercard accepted” logo on their premise, because if they can accept one Mastercard, they can accept them all.

These 5 actors, the Cardholder, the Merchant, the Acquirer, the Issuer and the Scheme work seamlessly together to allow you to purchase goods and services using only a single piece of plastic we call a card.

But what is a card?

Not to beat a dead horse now, (you can read my previous articles here and here)but I’ll say it one last time, internet speeds aren’t exactly what we should be debating over these days. We should focus on internet penetration rates, and broadband penetration, and define these correctly.

The MCMC defines broadband as anything over dial-up. Which is stupid, because a 128kbps ISDN would be considered broadband, but certainly it wouldn’t feel like broadband to any user. It would crawl.

But at the same time, you can’t set the number too high to something like 100Mbps because what would you be able to consume at that speed which you wouldn’t at 5Mbps, in other words why would you need 100Mbps instead of 5Mbps, and what you actually mean by the term broadband?

So the question becomes, how fast is fast enough? What bandwidth is sufficient for the average Malaysian to enjoy the internet at the same level as anybody else. A lot of people buy a car without caring about the cars top speed, because very few people actually push the car to it’s top speed. Why isn’t it the same for internet bandwidth?

Two weeks ago, Lowyat.net published a ‘challenge’ to their readers, one that would supposedly pay a cool RM100,000 to the winner.All you had to do was decrypt an AES-256 encoded blob of code (more accurately referred to as ciphertext).

As expected, no one won.

Because breaking that ‘military-grade’ encryption is beyond the capability of most normal human beings, and certainly not worth a paltry RM100,000 that was being offered. It’s the equivalent of offering 50 cents for someone to build a rocket capable of going to the moon. In fact, Rm100,000 is exactly the cash prize celcom offered for it’s cupcake challenge, because baking cup-cakes and breaking ‘military-grade’ encryption are the same thing.

Once the challenge has expired, Celcom conveniently launched their new zipit chat application, which surprisingly used AES-256 encryption as well, and more importantly they released some statistics of a ‘hackerthon’ they conducted in which 18 Million people viewed the challenge, and 17,000 registered to participate but none succeeded.

OK, so while there was no official announcement from Celcom to tie the original lowyat challenge to their new zipit app, it was quite plain for all to see.

So let’s go into why this upsets me.

Got Maxis Fiber to your home, but want to change your WiFi passwords, then here’s how you do it.

First you need to logon to your router. You can do so by opening your Web-Browser and type http://192.168.1.254 (where you’d normally type google.com), or just click here.

You should either see a picture like the above, then you’d need to enter the username and password, or if you haven’t setup a router password, then you’d see this:

Are you afraid of Hackers? Do you lie restless at night thinking of what might happen if they got into your bank account, facebook profile, or e-mail. Perhaps you’re also worried about that they might hack into a forum you visit, or that they might get into your personal messages on whatsapp.

It’s true that hackers are able to do all of these things, but the public perception of hackers really isn’t quite justified, and this false perception can lead to terrible outcomes.

Take last weeks post about the hacktivist group Anonymous. In it I expanded on the public fear of anonymous and how that didn’t correspond to the actual damage that the group causes. Sometimes all Anonymous does is a DDOS on a public website, that still takes some skill, but far removed from actually infiltrating a server. Yet, most people wouldn’t be able to differentiate a DDOS attack of a website to a compromise of an actual server, and this inability leads then to disproportionately fear hackers, worse still it leads them to lump all security related incidences into a single bucket called “hacked by hackers”.

But Why?

Why are people so afraid of hackers? And why is there a huge discrepancy between what some of these hackers are actually doing and the fear that the average citizen has of them.

I have one theory–ignorance, or more specially tech-illiteracy.

Our newly appointed Communication Minister has come out all guns blazing in directing the The Malaysian Communications and Multimedia Commission (MCMC) to ask social media giants such as Facebook, Google and Twitter soon to block “false information and rumours” on their platforms.

That in itself is quite frustrating, but what really got me scratching my head was his claim that “that social media providers acted on 78 per cent of MCMC’s request for removal of content last year, with Facebook taking action on around 81 per cent of its request.”

The latest buzz in Malaysian cyberspace is the ’threat’ from Anonymous Malaysia to launch ‘internet warfare’ on the Malaysian government, singling out our poor ol’ Prime Minister, demanding that he step down or face the consequences of Anonymous actions.

The threat of internet warfare even came with a date, 29th to 30th August at 2.30pm, coinciding with Bersih 4.0. You know you’re dealing with a bad-ass when they tell you when the attack is coming, sort of like Muhammad Ali telling his opponents which round he would knock them out in. (down in the 5th)

Sarawakreport, a website covering sensitive political topics in Malaysia was blocked today by the countries most prominent ISP, Telekom Malaysia (TM).

Internet users using TM’s Domain Name Server (DNS) reported that the website was inaccessible, and I’ve confirmed that is an intentional block by TM.

Here’s a quick primer on DNS. The internet works on this marvelous set a rules we’ve come to call the Internet Protocol. Part of this protocol requires that every server or machine on a network be assigned a unique number to identify itself, this number is called an IP address. An IP address is sort of the phone number of a server, and if you want to communicate with a server you’d need to know that servers phone number.

[caption id=“attachment_5085” align=“aligncenter” width=“550”]

A screenshot of the RCS Software from Hacking Team[/caption]

There are two types of governments in the world, Those that build complex surveillance software to spy on their citizens, and those that buy them–and our government is more the buying type.

Few nation-states have the budgets to build out complex surveillance software, but some are finding that ‘off the shelf’ software sold by dodgy companies are just as effective at a fraction of the price. The problem with buying of course, is that sometimes those dodgy companies that are manufacturing these spying software also sell their wares to repressive regimes like Sudan, and being on the same customer list with Sudan doesn’t quite bode well for any ‘moderate’ government.

Take Gamma Corp for example, the organization responsible for the FinSpy and Finfisher suite used by the Malaysian government in the run-up to the 2013 General elections. Another is Hacking team, an Italian based company that produces similar remote control software (RCS).

And in a bit of internet karma–both of these companies were hacked themselves…possibly by the same person.

In August 2014, Gamma was hacked and had 40GB of data forcefully exfiltrated from their servers. My analysis of that leak, revealed no information about Malaysian purchases of their FinSpy software simply because a large chunk of that data was encrypted.

Recently however, Hacking Team had a much more severe attack, one that managed to extract 10 times more data, and here I found ample evidence of Malaysian government agencies procuring spyware from Hacking Team presumably to be used against Malaysians.

The question of course is should you be worried, the answer is Yes, and not just for the obvious reasons. After combing though a trove of documents, I found that 3 government agencies procured the ‘flagship’ RCS software from Hacking team, and from my layman’s understanding of the law, none of them have authority to actually use it.

Worst still, some e-mails point to incompetent IT skills as well as bad Procurement practices, that actually annoyed hacking team’s salesforce. I will conclude this post with why this attack on Hacking Team has a positive outlook for regular internet users, and why our government agencies procuring this stuff isn’t exactly ALL THAT BAD.