So that’s why I don’t like the data caps, but how about the content filtering? Particularly filters that block of torrent downloads?

Part of the cost of your broadband connection includes the cost that the telcos pay to route your transaction to the US. That’s really where the internet is, and while Google has a couple servers here and a youtube presence–the vast majority of traffic still flows to the US. This means on top of the price of getting the Fibre to your home, the local telcos also have to pay for routing your data to the US (and back). If most Malaysians started viewing local sites rather than pornhub, our broadband cost ‘could’ become cheaper, because the telcos don’t have to invest in those expensive undersea cables to setup the connection to the states. Contrast this with the situation in the US where only 10% of traffic from the US flows outside it’s borders, it means that even if a US ISP lost its undersea cables, it could still serve up 90% of the content its users were requesting. It also explains why Singapore has cheaper broadband than Malaysia–Singapore is the data-hub for the Asia Pacific Region, so a lot of it’s traffic is also local.

So how do we resolve this issue? One approach would be to make Malaysia a hub, but most experts conclude that it’s probably not going to happen (including Afzal Abdul Rahim in his 2011 TedXKL talk). The other option would probably be to start hosting more content in Malaysia, and that’s why a Youtube server within our borders is a great start. What would probably help better is Netflix availability and Netflix servers in Malaysia–until you realize that Netflix host their servers on Amazon Web Services, and Amazon chose Singapore as their Asia-Pac location–probably because Singapore is a data hub, which sends us into a round-about circular argument.

We can’t get cheaper broadband because we don’t have the cables coming into Malaysia, and we don’t have the cables because we don’t have the content, we don’t have the content because we don’t have the cloud servers and we don’t have the cloud servers because we don’t have the cables. I explored this before how cloud computing ties in closely with your data connectivity as a nation–and there really is nothing much we can do to address the gap with Singapore except spend more on undersea cables. Most of which require significant monetary investment–and take a lot of time to deploy.

The average monthly traffic in Asia-Pacific has dropped.

I suspect the average monthly consumption has dropped because of the growth in Asia Pacific, it’s quite counter-intuitive, but as Asia Pacific adds more users to the internet, the newer users in the more rural parts of the region aren’t downloading as much as their urban cousins. Therefore, while the overall traffic flow has increased, the average monthly consumption per account has reduced. It’s all conjecture at this point–but that’s what I think based on just this one data point. It makes sense to me, as a lot of people aren’t torrent-crazy-downloaders, which just means that they aren’t consuming anywhere near the full amount.

The Median monthly consumption is just 8.8GB, while the Mean monthly consumption was 22.0GB, and that tells me that the data is skewed–highly skewed. The statistician inside me is just crying to get out and shout–SKEWED!!

Skewed is just another way of saying that the distribution of internet consumption is un-evenly distributed across–or in more laymens terms–a few internet users are using the vast majority of the bandwidth.

I’ve almost been fascinated by the fact, that our money in the bank these days are secured not by steel doors or armed guards, but rather by cryptography and the encryption keys that enable them. To put it in the simplest form  your money in the bank is protected by a number–that’s what an encryption key essentially is. A long binary number of 1’s and 0’s that protects your life savings…

Most (if not all) of your ‘secure’ internet communications is protected by something call SSL, or its successor, TLS. SSL is the stuff of legend, initially invented by Netscape to encrypt internet communications, SSL is now used by nearly everyone online. You see it when you login to your bank account on Maybank or CIMB, when you log into a online store like the ones run by Digi and Maxis even when you do your Tax filings on e-Filing LHDN website.

However, just like every standard in IT, SSL and TLS act as frameworks, and different websites could implement these frameworks slightly differently, usually based on the customer segmentation or the amount of security required. Each implementation could vary from one to another and yet still remain compliant to the ‘standard’, we wouldn’t need consultants if it were otherwise.

The problem is, that just because some website use TLS or SSL, doesn’t mean it’s secure–all it means is that the website is now using a standard, but could have implemented the standard poorly, making it vulnerable to attack, and possibly leaking out your data (some of which might be very very sensitive).

The best way to think about is to go back the number analogy, and assume that the amount of security you get from encryption is determined by the length of the number. So a 10 digit number is less secure than a 100 digit number–and a 1 digit number is less secure than both of them. In security jargon, we call this the key length, and it’s quite a common criteria used to determine the security of a given SSL/TLS implementation. This of course is just one of the criteria to determine how secure the the implementation is.

Basically it’s not enough to check if a website is using SSL or not, it’s more important to figure out how well the encryption is implemented by the website. Of course, this is beyond the scope of most people, no one has the time or inclination to perform a security audit on their banks website, although it is in their best interest to do so. Usually that green lock icon at the bottom of the screen helps me sleep well at night–but it shouldn’t, it’s a good start, but not a guarantee of security.

Fortunately, there’s a really quick and dirty way, to determine how secure the SSL/TLS implementation of a website is. Head on over to SSLLabs.com and enter the url of the website you want to evaluate and the perform a really good audit of the site in real-time, measuring things like key-length and SSL versions, up to the certificate authenticity.

So armed with SSLLabs.com, I decided to just quickly perform a quick check of the most popular secure websites in Malaysia to see if these websites were offering the security their users deserved. Checking out the most popular forum in Malaysia, two telco companies, two banks, one government agency and a news portal, the good news is that 3 out of 7 got straight A’s on their test–the bad news is that the other 4 got F’s–and it’s possible to get E by the way…so an ‘F’ is what most people call an epic failure.

This is what Article 12 of the Universal Declaration of Human Rights says:

• No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

This is what security offences bill in Malaysia says:

(1) Notwithstanding any other written law, the Public Prosecutor, if he considers that it is likely to contain any information relating to the commission of a security offence, may authorize any police officer— (a) to intercept, detain and open any postal article in the course of transmission by post; (b) to intercept any message transmitted or received by any communication; or (c) to intercept or listen to any conversation by any communication.

To me, the phrase ‘if he considers it is likely’ is another way of saying arbitary.

Over the past years we’ve seen a recurrent theme where Government agencies were attempting to curtail internet freedom in the name of ‘keeping the peace’. From Saudi telcos threatening security experts to help them hijack tweets to governments procuring tools like Finspy to spy on their citizens–usually without any warrant or legal oversight. We’ve seen US federal agencies try to legislate mandatory technical backdoors into software and how the Syrian government treats internet access for its Citizens like candy for their children–you only get it if you behave.

In Pakistan, a wholesale blockade of youtube means their citizens are missing not just Gangnam Style, but Gentlemen as well (although that may not necessarily be a bad thing)–and we all know how much censorship and surveillance is going on in China.

A French court is now asking twitter to hand over account details to identify individual users that tweeted anti-semitic messages, both the Dutch and German police are users of spyware from companies that the are deemed ‘corporate enemies of the internet’ by reporters without borders, and while you may agree that courts have a right to curtail hate speech, just ruminate for a moment how one-sided French law is when they aggressively pursue anti-Semitic messages  but forbid Muslims school girls from wearing a hijab to school because it is supposedly a symbol of oppression. These biases point to deep flaws in our belief that freedom of speech can somehow be regulated by governments–the term regulated freedom of speech is an oxymoron to begin with.

This of course doesn’t just affect the ‘bad’  countries, those with lifetime membership cards to the axis of evil, but countries we’d generally consider good guys as well, those we associate with a respect for personal privacy and citizen rights, so that we did end up like this? To truly appreciate where we are we need to go back to how it all starts.

A false sense of Insecurity

The track records of governments has never been good. September 11 was a colossal failure of government intelligence, and it’s usually used an example of why governments should do better. What most people don’t know is that a company called Acxiom had data for 11 hijackers, and provided that data to assist in investigations post 9/11, it turns out had the government agencies used Acxiom, they may have had additional security on the planes that crashed into the WTC. The breadth and depth of the information provided to law enforcement has been kept secret–and in the wake of such attacks nobody bothered to ask whether Acxiom was operating within legal limits of collecting and storing that data–worse still people forget that Acxiom itself was hacked leaking private information of millions of Americans. Yes it may have help thwart the attacks on 9/11, but the Acxiom itself became a target of attack shortly after details of its information bounty were published, there are a lot of people who would pay for that kind of information.

Even with the fundamental problems of the government storing such private information–government agencies throughout the world continue to ramp up security concerns in the hope of scaring people into giving up their freedoms. Closer to home we continuously see the ’threat of sedition’ being used to deny individuals and private citizens their rights. The ‘possibility’ of a repeat of May 13th, is now accepted as a ‘high probability’ even though there is no data to suggest that a repeat is possible let alone probable. Just like courts in France we see a glaring bias in the execution of these sedition laws–and the targets are often pro-opposition rather than pro-government.

The Malaysian government is now being accused of running spyware suites like Finfisher, which incorporates a voyeuristic like ability on the malware owner to spy on the victims. The makers of Finfisher claim their software is only sold to governments–without realizing it’s the governments themselves that are illegally spying on its citizens.

Not since Tom Sawyer tricked his friends to paint his white fence has such levels of deception been seen.

However, the level of deception isn’t what is troubling, it’s the level of apathy among the mainstream society to these revelations that send shivers down my spine. No one from the general public seems perturbed that the very technology that was supposed to advance democracy and free speech in Malaysia is now being used to suppress it.

And we’re not the only ones spying on our citizens…

I’m truly anxious at the recent rhetoric about ‘regulating’ of the internet, and fear the worst. I grew up with the internet and like to think we made a journey together, from my high school days where dial-up internet was the norm, to the blazing fast broadband I have now–things have change a lot for the both of us. I am a digital native, I know no other land other than a digitally infused one we live in today. Couple that with my unique libertarian views and my savvy for all things tech, and you can quickly see why I strongly oppose internet censorship of any kind….and I really mean any kind.

There’s a really cool tool called glasnost, that can easily detect if your ISP is throttling certain traffic through its servers. It works amazingly well at detecting if your ISP is blocking that most sacred of all internet traffic–BitTorrent.

So running two test, one over my Unifi connection, and one more tethered over my Galaxy S3 on Maxis, and came to the conclusion that Maxis does indeed block torrents by default. However, just like how you have to call Maxis to enable VPN access via your phone, you have to call them to allow torrent traffic as well…supposedly.

The Edge recently held a political poll on whether Anwar Ibrahim should quit as the Opposition leader–But when the editor begun to see that the one-week survey attracted 12,736 responses and the responses were overwhelmingly one-sided, she smelt something fishy.

Upon further checking with the IT team, they found that 6,354 of the responses came from one IP address, and about 1,700 came from several IP addresses within the same building. Another 2,000 responses came from seven different IP addresses.

The DAP IT manager (didn’t know the DAP had an IT team now did ya?), in his press statement said that :

In investigating the DPI filtering equipment location, I have found 1032 suspicious network equipment using same IP address family as the the Arbor Network Peakflow SP with TM branding. Since the login page of this network equipment bears TM logo, undoubtedly MCMC should haul up TM and conduct IT forensic investigation on all 1032 equipments without delay. I am fully prepared to assist MCMC in its investigations.

In light of this new evidence, MCMC must re-examine its 2nd May statement. MCMC should be politically impartial and hold the standard of government regulatory body that it should be. It must put the interest of all Malaysians first.

Unless TM operates like the government, in which they announce the purchase of something in 2004, but only start to using it in 2013–I’m guessing they were using Arbor for other purposes before they decided to unleash its DPI functionality.

But there could be a twist.

Couple of weeks before the election, we saw how the Deputy Minister of Information Communications and Culture was so into Information communications. Now, with the new cabinet being sworn in, I’m sad to say we’ll probably see more of the same ol’ same ol'.

Meet your new Deputy Minister of the Communication and Multimedia ministry–Dato’ Jailani Johari!!!

Apart from having a whooping 71 followers on twitter, and a mind-blowing 5 (yes that’s a single digit) connections on LinkedIn. Although,  he does have more than 2,000 likes on his Facebook page–which he started on April 15th 2013. Coming back to twitter though, did you know he follows a spine-chilling 12 accounts–must be some pretty heavy Communicating going on in the Ministry eh!