The guys over at H-online reported recently that they have some pretty good evidence that good ol’ Microsoft is eavesdropping onto your Skype conversations, and the results are pretty damning.

The method for detecting those sneaky little eavesdroppers was pretty ingenious though. The researchers sent two urls in their skype messages to each other. The urls pointed to servers that the researchers owned. For all practical reasons these urls were made specifically for the purpose of the test and should not be receiving any traffic from anywhere–unless of course Microsoft was listening.

Then they sat at wait at their servers to see if they received any traffic, and lo’ and behold barely a few hours later they received some rather funky traffic from an IP address registered to Microsoft in Redmond. busted!

The urls didn’t just end with the .com, but had sensitive material appended to it (or at least that’s what the researchers made it look like), and Microsoft used the url which meant they had to be eavesdropping on Skype messages and conversations. More importantly these urls were made to look like they held sensitive material, such as bank logins..etc etc, but Microsoft still used it, and worse even visited the sites to see what was on it.

Even more shocking is that Microsoft isn’t even denying the charge–yet, but they point out that they do scan urls once in a while to flag spam, but H-online isn’t buying it.

Heard about the latest allegation accusing the Malaysian BN government of using Finfisher on its own Citizens?

Well that allegation is true–to me at least, and here’s a taste of what Finfisher can do in the hands of the government.

Usually most Internet Service Providers (ISP) don’t censor the internet, not because they don’t want to–it’s simply because censoring the vast amount of online traffic is a monumental technical challenge. In the past we’ve seen Malaysia ISPs do this, for instance when they blocked Malaysia-Today in the run-up to the 2008 General elections, but censoring one entire website is a fairly straightforward thing to do–an bypassing that censorship is equally straightforward.

A really piece written by Asohan Aryaduray on DigitalNewsAsia some time back talked about how the CyberWar between Malaysia and the Philippines was going on, and how he wanted government agencies to step up the security of our digital assets (or at least start the discussion). Asohan claims that Malaysia perhaps has “the most number of government and quasi-government agencies looking into cyber-security for a country this size; it is time for them to put their heads together and harden the nation’s cyber-defenses.” 

He ends with a rather poignant phrase: It’s war, gentlemen, and it’s time our agencies got cracking.

I’m not so sure it’s war–even less sure we should get the government involved.

If he calls the attacks by Malaysians on Pinoy websites (and vice-versa) a war, then what’s currently going on with the DAP website is a sign of not just war–but a digital civil war, with internal actors, attacking local sites.

TheStar last week reported that the:

DAP has claimed that its websites have been attacked and forced to shut down since last Friday.

National publicity secretary Tony Pua (pix)said the party’s official website, dapmalaysia.org, and its Malay portal, roketkini.com, were incapacitated by denial of service attacks (DDOS) on March 8, 10 and 13.

While TheStar doesn’t report it, but other newsportals claim Pua was blaming political foes for the attack. For the most part this is quite common, we’ve seen Malaysiakini go down a few times, and various other pro-opposition blogs have taken some hits. This of course is even more interesting because Krebsonsecurity.com blogged that he was a victim of not just a DDOS attack but Swatting as well.

I’ve been pretty busy the past few months, and my post count has been pretty low, and although I just returned from a 2 week trip abroad and am now flushed full of work, I decided to burn a bit of the midnight oil today because the Malaysian Insider completely pissed me off.

It all started with an article from Lim Kit Siangs blog, which read “Malaysia uses spyware against citizens, NYT reports”. The post was merely a cut-and-copy reproduction of a Malaysian Insider article that had the same headline. The headline really got my blood churning and it was followed up with an even more mouth watering opening paragraph:

I read a brilliant article on the Evidence act by Zul Rafique and Partners that I think everyone should read. In it, the author compares the newly amended Evidence Act (supposedly amended to combat the evils of the internet) to a sub-section of the original act meant to look into telegraphs. Now I must admit, that as an internet kid, I don’t quite understand the concept of a telegraph, but the point is that even before the internet Anonymity was possible.

The public perception that is reinforced by ignorant government statements, is that with the internet has enabled anonymity which in turn has enabled crime.

According to Datuk Seri Mohamed Nazri Aziz, Minister in the Prime Minister Department, the amendments were tabled to address the issue of Internet anonymity since this very fact makes it extremely difficult, if not impossible, to trace the alleged offender.

That is a false statement.

Let me introduce you to snail-mail.

In the past, long before the internet was around, people use to communicate via letters and postcards that were hand-delivered by postmen to your doorstep. This is a foreign concept to most children but it’s good to let them know just how hyper-connected they are in relation to their parents or grandparents.

When you send a letter, you write a note on a piece of paper, sign it at the bottom (presumably with your name) and then place it into an envelope. You then write the name and address of the recipient on the envelope, afix a stamp (that acts as a proof of purchase)–and then drop it off at any post office you see fit. The Post Office then somehow routes that letter to the recipient on the envelope–physically hand delivered.

Notice–you never have to prove your identity when you send a letter or postcard. No where in the chain of events are you ever asked for your IC or phone number, in fact I could just as easily write a malicious letter, post it to the Prime Minister and sign it as Datuk Seri Mohamed Nazri Aziz. Would the Prime Minister then automatically assume his cousin sent him the letter just because it was signed in his name?

I guarantee you it’ll be harder for the authorities to trace that physical letter as opposed to a similar digital email. Too many people watch CSI these days to believe that statement, but there’s a reason why kidnappers still use physical constructs–because in the digital world you always leave a trace.

If we apply the amended Evidence Act to the letter analogy, Datuk Seri Mohamed Nazri would be charge for sending that malicious letter to the Prime Minister–even though he never wrote it. All of us understand the stupidity of assuming someone sent you a letter just because the letter was signed by that person, yet we seem to think nothing of it in terms of emails. In fact, if I wanted to get Nazri into a whole heap of trouble, all I’d have to do is send 1000 similar letters to 1000 different people, and sign it with his name–in that way, he’d be charged 1000 different times in a 1000 different court proceedings and even though he might be deemed innocent on each count, it’s still a whole load of trouble I can cause for him for the price of 1000 stamps (roughly Rm500 which wouldn’t pay for even one hour of a lawyers time).

1. The internet can be used for fantastic good.

2. The general Malaysian public can make a difference in the governance of the country.

My website also had the pop-up banner, and according to Google Analytics, all 300+ people who visited yesterday were at least enlightened by it.

However, there are some misconceptions about the act, or more specifically misconceptions about the technology behind the internet. The only reason, I’m writing this post is because yesterday morning RockyBru posted up content by a blogger named Fatimah Zuhri, defending the act. Why on earth would a blogger defend the act is beyond me, but it became clear that her understanding of key internet concepts were way off the mark.

From a technological perspective, she was advocating from a point of ignorance, and Rocky whose a popular (or unpopular) blogger/journo only served to spread these misconceptions. I hope to point out how it is very difficult to pinpoint the origin of an anonymous or malicious post, and how shifting that burden to the ordinary citizen is unjustified.

So let’s start with the Post which you can read here, although for your sake I wouldn’t suggest it. Partial contents of the post is quoted in here as well.

It’s an irony that while the internet was the first place you could create avatars and split personalities to impersonate others, it has now turned into a free for all buffet for private data. I previously shared on how the ads you see on facebook were inherently tied to the Google searches you perform, and how ad companies have probably gathered so much data on you that they can find out if you’re pregnant before even you do.

With that in mind, many people still have an antiquated concept of a fully private and anonymous internet, in fact in most cases its easier to track an internet connection than an actual physical person, and its actually quite possible that a confiscated computer from your home could prove your whereabouts for the last 2 years. Earlier this year, a 19 year old girl was strangled to death while she was asleep, her alleged killers were actual stupid enough to perform an internet search on “chemicals to passout a person,” “making people faint,” “ways to kill people in their sleep,” “how to suffocate someone” and “how to poison someone”. Needless to say, the evidence seems rock solid, and these dumb criminals would go behind bars.

On the other hand, some criminals aren’t so stupid. In fact, the FBI, Interpol and various other law enforcement agencies have entire departments looking and searching for online criminals who do everything from fake money Nigerian scams to trafficking child pornography on the internet. These guys have proven quite difficult to track because of something called TOR.

Would you get freaked out if I told that from just 1 hour of internet browsing, your information could be shared with nearly 70 organizations, including advertisers who use it to target ads to you. Would you be angered if this information were sold to other 3rd parties including insurance providers and even governments to build profiles of you on their systems. Would you be annoyed that the internet which promised to be a bastion of democracy and anonymity, isn’t all it was cracked up to be? Well read on…

Recently I posted something about how Advertisers track your data via the pages you visited, and how the advertisers successfully build profiles of you based on information readily available online in addition to your browsing habits. What they then have is a treasure trove of information many of us consider private, these include your birthdate (and by extension your age)   your preferences, your affliations (both religious and professional) your likes and dislikes, your family members…etc etc. If you’re a person who likes privacy, you might want to unplug your laptop–right now!

Remember the story of the supermarket who knew a teenage girl was pregnant before her dad did, that’s nothing compared to the amount of data these networks have on your own children. If your children go online regularly, somebody has a pretty good profile on them. And if you would get freaked out if somebody followed your child everyday with a camera and notebook , you should worry about the amount of personal (and very private) information some companies are keeping on you – and your loved ones.

Ever wonder how come the ads you see on Facebook or Malaysiakini reflect the searches you just recently made. Ever felt freaked out about it, there really is nothing to freak out about, unless of course you’re worried that a Multi-Billion dollar company may be keeping information about your searches and sharing them with ad sites that build profiles to uniquely identify you. Or that your personal search isn’t really private data, yet it can reveal very private details about yourself including your religious beliefs, sexual inclinations, medical conditions and even credit rating.

This is a blog about technology, but as of late it’s becoming increasingly difficult to focus only on technology without looking into copyright, censorship and privacy. I can’t blog about technology while ignoring these aspects, anymore than financial analyst you look at Apple ignore the technology around their products.