The new Prevention of Terrorism Act (POTA) in Malaysia should not be considered in isolation but rather in the context of the 6 other anti-terrorism Bills that were concurrently proposed. All of these new laws, will almost certainly come into effect, thanks to the whip system employed by the ruling party. Yet the laws violate fundamental human rights, such as a right to fair trial and right to personal privacy.

I’m particularly worried about the amendments to the Security Offenses Special Measures Act (SOSMA), an amendment that has slipped under the radar simply because its been out-done by harsher changes to the sedition act, and the new POTA.

The original SOSMA had granted Law Enforcement powers to intercept and store any kind of communication, including digital communications, without any judicial oversight.  Police Officers ‘not below the rank of SuperIntendants’ could wiretap any communications if the ‘felt’ there was need to do so, without obtaining any warrant. Section 24 of the act further stipulated, that law enforcement did not have to reveal how they obtained such information and could not be compelled to do so under the law, which acts as blank cheque to the police and other investigative bodies to utilize any and all manner of surveillance and intelligence gathering, regardless of their legality of their methods, since no oversight can be carried out on their methods.

The amendment to SOSMA, further enhances existing powers to allow for any evidence “howsoever obtained, whether before of after a person has been charged” to be admissible in a court of law. Which isn’t a big jump from where we were, but making this statement explicit in the act, leads me to only one conclusion.

Our legislators have granted such a broad powers to the Police and the executive branch of government, that they now can intercept, and store communications of millions of Malaysians, hence the next logical step would be state-wide bulk surveillance. In light of what the NSA and GCHQ have already done, SOSMA would make it perfectly legal for Malaysian authorities to execute identical surveillance programs locally and have all the evidence generated under such program be admissible in a court of law without ever revealing how the evidence was obtained.

Think about it, on the one hand, the Government amends Sosma to allow it to collect just about anything as evidence without any Judicial oversight that might ‘slow down the process’, and on the other hand it needs POTA to detain ’terrorist’ without a trial because its hard to come by evidence. It doesn’t make any sense, what’s the point of creating POTA if you’ve already removed all the barriers to collecting evidence, and what’s the point of SOSMA if you already have the powers to detain someone without any evidence.

It would seem to me, that by allowing Government surveillance of any kind, and by allowing detention without trial, we’re creeping into a world where the Government can intercept all your communications to learn about what you’re thinking and doing–and then detain you without any justification. That’s a world even Stalin would envy.

I know I’m a tin-foil hat wearing conspiracy nut, and I know I’m on an extreme edge when it comes to political and social views—not many Malaysians agree with me on many things. Still…I think that if you look at the acts in totality, place it in context of the current trends of Government surveillance across the world, and consider that our government has a track record of deploying spyware in Malaysia, seems perfectly reasonably to me, to conclude that our government wants to run a state-sponsored bulk-surveillance operations in Malaysia.

The team over at the FireEye threat intelligence published a special report(pdf) detailing an long running (and still on-going) cyber-espionage operation that has targeted multiple entities in ASEAN countries, including Malaysia. The program was reported to be running for more than a decade, and the sustained period coupled with the list of targets the program had, led FireEye to believe it to be a state-sponsored activity, as no other other type of organization would be able to afford such a professionally run program, operated for such a long period of time with no discernible source of income.

The group were nicknamed APT30, an abbreviation for Advanced Persistent Threat number 30 (I'm guessing the 30 part, because FireEye have other APTs on their github page). APT is a cyber-security term coined to identify an attacker that has both the capability and persistence to target specific entities up until they eventually break, and then continue to suck information from their victims for a significant amount of time. Basically there are script kiddies, hackers and then the 'Advanced Persistent Threats', APTs are a class above the rest.

APT30 operated a suite of tools including back-doors, and command and control software that were given catchy names like Backspace, NetEagle, Flashflood and ShipShape. The tools demonstrated a fair amount of sophistication in the way the functioned, but what really impressed the FireEye team was the level of professionalism that the coders exhibited, the malware had a well defined version control system, automated tools to manage many of the operational task and even the functionality that allowed for the system to be operated 24/7 by a team working on shifts, with one window requesting the operator to enter their 'attendant code'. I wouldn't be surprised if the system even calculated yearly increments, and provided KPI reports in the background.

Last month, a company called MDSec released a video detailing how they manage to brute force hack an iPhone PIN lock. Pretty sweet piece of work, but I thought this would be a good example to understand how hacks work, and how hackers think.

What is a hacker

A hacker is someone who makes system work in an unintended way, because they know have a deep knowledge of the underlying mechanism of the system.

-Keith Rozario (wannabe tech blogger)

Fusion cooking is another example, Asian Sambal wasn’t meant to go with Chicken chops, but somehow chefs make it work (at least some of them do), but you can only do this if you understand things like flavor, taste, and texture work. Otherwise you end up with disgusting combinations like Nasi Jam Strawberry, or Black pepper goreng pisang.

Things in technology are designed to work in a specific way, like asking for username and passwords before granting access, but hackers get the technology to produce unintended results (like allowing access without the credentials)by passing certains steps and processes, because they know what those steps and processes are. For example the iPhone PIN hack I mentioned in the opening paragraph.

It’s now almost two years on, since that fateful day at the Mira Hotel in Hong Kong when Edward Snowden divulged secret NSA documents detailing unlawful and on-going spying programs carried out in the name of security.

Sure we knew the government had 'a' spying program, and we've all seen Hollywood movies with fictional technology that allowed governments to carry out un-restricted surveillance,  but no one in their wildest dreams would have imagined a government having access to ALL phone calls, ALL e-mails, ALL text messages and ALL transactions...and then storing that information for ALL time.

What we've learnt so far is that the NSA had executed bulk surveillance on the American people (and us poor non-Americans as well) across all channels of communications including phone calls, internet searches and e-mail without a proper court warrant, congressional approval or oversight of any kind. Particularly strange for a country whose own constitution protects the rights of citizens against illegal searches and seizures. I'm no lawyer, but even to layman like me, the bill of rights looks like a masterpiece, and the fourth amendment is a beautifully written piece of law:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

-4th Amendment to the Constitution of the United States of America

In other words, if you want to search smartphones, computers or e-mail accounts, you'll need a warrant. And the law goes on to state, that warrants can only be issued, upon probable cause, that must be affirmed by a Judge providing the necessary oversight. Finally, even after a warrant is issued,it must state the place of the search and things to be seized. A warrant shall not act as a blanket approval for law enforcement to look through all aspects of the citizens life, but only that which is explicitly stated in the warrant.

[caption id=“attachment_4859” align=“alignleft” width=“256”]

Apache runs nearly 50% of all active websites[/caption]

Recently I moved the hosting for keithRozario.com from a regular hosted platform called WPWebhost to my own Virtual machine on digitalOcean. The results have been great, but the migration process was a bit tedious and took some effort.

I thought I’d share my Apache configurations, so that if you’re thinking of hosting your own WordPress site on an SSL server, you’ll at least have a solid base to start off from. I’m by no means an expert here, but this is what makes sense to me, and if you have any feedback please let me know in the comments.

So let’s start.

As the 1MDB fiasco begins to simmer over the political stove, I wanted to inject some technical information into this discussion, specifically around emails and how they’re almost useless pieces of evidence.

Just to make sure everyone’s on the same page, here’s some context.

In early March 2015, sarawakreport.org, a website run by investigative journalist Clare Rewcastle-Brown together with the London Sunday Times, published an article on controversial deal done by the 1MDB fund. At the centre of the deal was a man named Jho Low, who masterminded a sophisticated ‘wheeler-dealer’ that pocketed him $700 Million, all of which (at least according to sarawakreport.org) was siphoned from 1MDB, a Malaysian sovereign wealth fund.

Honestly, I don’t understand the financially complex deals that sarawakreport.org was trying to explain to lil ol’ me. So I’m just going to take her word here, that all the documentation that was produced leads to the conclusion that Jho Low masterminded the “Heist of the Century” by stealing $700 million through shady back door deals involving 1MDB and a company called PetroSaudi. But then of course, the question becomes, can you trust the documentation.

Reading the article you get the sense that the e-mail trail presented forms the backbone of the entire story, and if the emails themselves are not true then the entire story is untrue as well.

In either case though, let’s get straight to the point, and say that e-mails by themselves are quite useless.

Late in January the Malaysian Airlines website was ‘supposedly’ hacked by Lizard Squad. You  might remember Lizard Squad as the guys who ‘hacked’ the XBox and Play Station network over the Christmas holidays, and I’m using a lot of ‘quotes’ here because Lizard Squad didn’t really ‘hack’ XBox One or Playstation, they merely DDOS-ed the services.

What is DDOS-ed I hear you say?

Essentially you’ve denied McDonalds their chance to serve their customers–or you’ve just launched a Denial of Service (DOS) attack–the extra D in DDOS, just stands for distributed.

Real-Life DDOS happen all the time–what do you think the Thai Protestors were doing to Airports in 2008?

But why is this important?

The REAL motive of the Lizard Squad DOS attack became apparent some days later when they started to offer their DDOS attack as a service to paying customers. Essentially you could go online and buy their services to attack a target–maybe a competitor company, a personal blog of someone you don’t like, or just about anything. Lizard Squad were hawking their services to anyone with cash.

Some suspected that Lizard Squad were running this large DDOS attack using nothing more than home routers–similar to the ones that UniFi provides and that I demonstrated could be hacked trivially over an internet connection.

 Step 1: Logon to your router

To logon to your router, fire up your web-browser (Chrome, Firefox, Safari–even Internet Explorer will do).  In the address bar where you usually type www.google.com type http://192.168.0.1 (sometimes it’s http://192.168.1.1 ) or just click the link. Once there enter the username and password of the router. If you’re uncertain try any one of the following combinations:

As we come to terms with the terrible events that occurred at the offices of Charlie Hebdo, I think we need to be cognizant of  what these attacks really mean, and how our response to these events (even in far away Malaysia) has severe repercussions on our future.

As a Blogger and Techie, I’m 100% for absolute ’no holds-barred’ Freedom of expression.. I’ve written so much on the subject it begins to bore people, but we have so little freedom of expression in this country, we must fight to preserve what we have, and rise up to pursue even more.

Yesterday I Googled something about maxis that took me to a forum.maxis.com.my link. Unfortunately, Firefox wasn’t happy with Maxis, because I got the following screen:

Firefox is the first of the mainstream browsers to end support of SSLv3, ever since Poodle was published. For those of you who aren’t keeping tabs of security issues–Poodle was a big vulnerability discovered in the 2nd half of 2014, that affected the SSLv3 protocol.