The one reason you should oppose the TPP


Today I attended an Institute for Democracy and Economic Affairs (IDEAS) event about the TPP. Among the panel members was Michael Froman, the US trade representative and chief advisor to President Obama on issues of International Trade and Investment. (big shot!!)

For those of you who don’t know, the Trans-Pacific Partnership (TPP) agreement is a trade deal between 12 countries including Malaysia and America whose main objective is to balance out the power and influence China has over the region. But the TPP has been opposed by many NGOs and special interest groups, for good reason: it’s secret. The TPP has garnered such a bad reputation, it’s sort of like the Justin Bieber of trade agreements, everyone knows about it, but nobody likes it.

The event went on for a good 40 minutes before your friendly neighbourhood tech blogger got a hold of the mic to ask about the secrecy of the trade agreement. Prior to that everyone was talking about Bumi Policies, Price of Medicine and impacts to SMEs. I really didn’t understand why no one spoke about the tremendous secrecy surrounding the talks and how the secrecy itself is fundamentally undemocratic and bad enough for Malaysians to reject the agreement.

This secrecy is the one reason every Malaysian should oppose the TPP. Everything else is moot, because we can’t confirm the documents we’ve seen until it’s made publicly available to the citizens of the countries negotiating the deal. Would you sign a housing loan agreement without the ability to first read the contract? Yet, here with the TPP we have a legally binding 29-chapter multi-lateral agreement that very few people have seen, but will impact all Malaysians once signed. How do we know the prices of medicines are going up? Oh that’s right, we read it from Wikileaks …. must definitely be true then. Sorry let’s move on.

[Read more]

Why you have to pay GST on your Prepaid Top-Ups


I strongly believe the Goods and Service Tax is a good idea.

Yes, it will impact the poor more than the rich. Yes, it will cause the cost of living to increase at a time when most Malaysians are struggling to pay the bills.

But the people who will suffer the most aren’t the poor, it’s the tax-evaders. Tax evasion and illicit flows are a big problem for Malaysia, and the Goods and Service Tax is a straightforward and effective solution to that problem. GST is a closed loop sort of tax, which makes tax evasion much harder.

So enough of the GST choir, I’m sure you don’t agree, but that’s fine. In this great country of ours there should be room for dissent, except with Maslan, cause he’s so smart he must be right.

Output - Input

Let's start with some basics on GST.

Imagine a top-up of RM10. Let’s assume that in a pre-GST Malaysia, the telco sold the top-up card to the retailer for RM9. The retailer sold it to the end customer for RM10, making a profit of RM1 per card.

In a post-GST world, the telco still sells the top-up card to the retailer for RM9, but now adds 6% GST, making the total sale price from Telco to Retailer RM9.54. This additional RM0.54 is called the input tax.

The retailer then sells the card to a customer at RM10 plus 6% GST, making the final price RM10.60. The additional RM0.60 is called the output tax.

His gross profit is RM10.60 - RM9.54 = RM1.06. (stay with me here folks)

Now here’s the bit many don’t understand: the retailer doesn’t pay RM0.60 to the government (even though that’s what he charges you), rather the retailer pays his output - input, or RM0.60 - RM0.54 = RM0.06. His gross profit of RM1.06 becomes a nett profit of RM1.00 after you deduct GST, which is exactly the same profit he had pre-GST.

Standard GST: post-GST implementation as it is today

The way this works is that the Telco pays RM0.54 to the government (from their sale to the retailer), and the retailer then pays RM0.06 to the government (from their sale to the customer). The end result is that the government still gets RM0.60 from the sale, but from two different entities at two different points of the supply chain.

This all lines up nicely; the problem is that customers are now paying RM10.60 instead of RM10. Let’s call this the RM10-Gross Model.

[Read more]

Should an IP address be used to Identify someone?


Recently a court in Malaysia ruled that the newly amended evidence act could presume an IP address would uniquely identify a user of a network, and in the case of an Internet IP address, enough to tie an IP to the individual subscriber. In other words, if the authorities ever found out that ‘your’ IP address was behind a post, then you’d have to prove it wasn’t you rather than them having to prove it was.

In Tong Seak Kan & Anor v Loke Ah Kin & Anor [2014] 6 CLJ 904, the Plaintiffs initiated an action for cyberspace defamation against the 1st Defendant. In tracing the perpetrator, who had posted defamatory statements on two Google Blogspot websites, the Plaintiffs filed an action called a John Doe action in the Superior Court of California. In compliance with the court order, Google traced the blogs to two IP (Internet Protocol) addresses which were revealed by Telekom Malaysia Bhd to be IP addresses belonging to the 1st Defendant’s account.

-Bread & Kaya: Malaysian cyberlaw cases in 2014

Upon further reading of the post on DigitalNewsAsia, my non-lawyer mind got the feeling it didn’t end well for Loke Ah Kin & Anor, as the court decided they were guilty of defamation based on a flimsy piece of evidence like the IP address of the user who posted on Blogspot.

I’m uncomfortable that a court of law could find someone guilty based on something as trivial as an IP address, when other courts around the world have ruled that IP addresses are insufficient for this purpose.

[Read more]

Tech Journalism in Malaysia is disappointing


Last week visitors browsing to Google’s Malaysia website were greeted with a big bold image stating the website was hacked. The media had a field day proudly proclaiming that Google’s website was hacked, because that was exactly what the page they visited said... Google Hacked!!

Only, Google wasn’t hacked.

MyNic was hacked.

They’re the agency in charge of managing all internet addresses ending with the .my suffix. Hackers had infiltrated MyNic and reconfigured the systems to point www.google.com.my to their own servers instead of Google’s. Then they simply pasted a silly looking screen that boldly proclaimed their ‘hack’ to the world, claiming to hack Google rather than MyNic, which is what you’d expect from hackers. But the media took that to mean Google was compromised, and boldly proclaimed that Google Malaysia was hacked, going so far as to ask if ‘user data was compromised’.

The analogy is that if someone hacked Waze, took all the unsuspecting tourists who were trying to get to KLCC, and re-directed their route to an abandoned warehouse in Klang, the headline for that story should read “Waze hacked” instead of “KLCC destroyed”. Everyone knows how absurd a headline like the latter would be, but very few people would think the same thing the moment ‘internet things’ get involved: if the website says Google hacked, surely it must be true, in the same way that if Waze says this dilapidated factory lot is KLCC, surely it is, because Waze is never wrong, right?!

[Read more]

Keith’s PGP Key

In case anyone needs my PGP key to send me encrypted e-mails. Here it is.

E-mails should be sent to keith@keithrozario.com, which is hosted on Gmail. If you’re uncomfortable with that, drop me an encrypted e-mail there, and I’ll respond with a privately hosted e-mail you can connect with me on.

Regards,

Keith

[Read more]

FireEye: Group spied on Malaysia for 10 years


The team over at FireEye threat intelligence published a special report (pdf) detailing a long-running (and still on-going) cyber-espionage operation that has targeted multiple entities in ASEAN countries, including Malaysia. The program was reported to be running for more than a decade, and the sustained period coupled with the list of targets the program had led FireEye to believe it to be a state-sponsored activity, as no other type of organization would be able to afford such a professionally run program, operated for such a long period of time with no discernible source of income.

The group was nicknamed APT30, an abbreviation for Advanced Persistent Threat number 30 (I’m guessing the 30 part, because FireEye have other APTs on their GitHub page). APT is a cyber-security term coined to identify an attacker that has both the capability and persistence to target specific entities up until they eventually break, and then continue to suck information from their victims for a significant amount of time. Basically there are script kiddies, hackers and then the ‘Advanced Persistent Threats’; APTs are a class above the rest.

APT30 operated a suite of tools including back-doors and command and control software that were given catchy names like Backspace, NetEagle, Flashflood and ShipShape. The tools demonstrated a fair amount of sophistication in the way they functioned, but what really impressed the FireEye team was the level of professionalism that the coders exhibited. The malware had a well defined version control system, automated tools to manage many of the operational tasks, and even functionality that allowed the system to be operated 24/7 by a team working on shifts, with one window requesting the operator to enter their ‘attendant code’. I wouldn’t be surprised if the system even calculated yearly increments, and provided KPI reports in the background.

[Read more]

Worked Example: iPhone PIN Hack

Last month, a company called MDSec released a video detailing how they managed to brute-force an iPhone PIN lock. Pretty sweet piece of work, but I thought this would be a good example to understand how hacks work, and how hackers think.

What is a hacker

First off, we need to define what a hacker is. It’s a convoluted term, but my favorite definition is:

A hacker is someone who makes a system work in an unintended way, because they have a deep knowledge of the underlying mechanism of the system.

-Keith Rozario (wannabe tech blogger)

I took great pains to avoid terms like technology and computers, because hacking isn’t purely confined to these areas (unlike what others think). For example, Jazz musicians are hackers: they make music work in unintended ways, because they know how music works. You can’t just string a couple of notes and melodies together hoping to get a Jazz piece; you need to have an understanding of music before you can ad-lib your way around notes and keys, and produce something that is pleasing to the ears. In music it’s called improvisation, in tech we call it hacking.

Fusion cooking is another example. Asian Sambal wasn’t meant to go with Chicken chops, but somehow chefs make it work (at least some of them do), and you can only do this if you understand how things like flavor, taste, and texture work. Otherwise you end up with disgusting combinations like Nasi Jam Strawberry, or Black pepper goreng pisang.

Things in technology are designed to work in a specific way, like asking for a username and password before granting access, but hackers get the technology to produce unintended results (like allowing access without the credentials) by bypassing certain steps and processes, because they know what those steps and processes are. For example, the iPhone PIN hack I mentioned in the opening paragraph.

[Read more]

MDeC Private Meeting with ODI


Earlier this week I attended an MDeC-organized private meeting with Richard Stirling from the Open Data Institute (ODI). The ODI is an institution that hopes to promote the ‘open data’ culture, and was founded by a giant of the Tech world, Sir Tim Berners-Lee, whom you might remember for inventing a small little thing we call the world wide web.

The meeting was attended by just a handful of folks, some of whom I recognized from a previous Seatti conference I attended, with the audience and topic focused on Open Data (and Big Data) in Malaysia.

The conversation was really good, and broadly speaking touched on 3 key topics. Most of this post is a re-hash from my failing and aged memory, but there’s a clearer version of the minutes here from the amazing people of Sinar Malaysia if you’re interested in the specifics.

[Read more]

The Snowden Revelations


It’s now almost two years on, since that fateful day at the Mira Hotel in Hong Kong when Edward Snowden divulged secret NSA documents detailing unlawful and on-going spying programs carried out in the name of security.

Sure we knew the government had ‘a’ spying program, and we’ve all seen Hollywood movies with fictional technology that allowed governments to carry out unrestricted surveillance, but no one in their wildest dreams would have imagined a government having access to ALL phone calls, ALL e-mails, ALL text messages and ALL transactions... and then storing that information for ALL time.

What we've learnt so far is that the NSA had executed bulk surveillance on the American people (and us poor non-Americans as well) across all channels of communications including phone calls, internet searches and e-mail without a proper court warrant, congressional approval or oversight of any kind. Particularly strange for a country whose own constitution protects the rights of citizens against illegal searches and seizures. I'm no lawyer, but even to layman like me, the bill of rights looks like a masterpiece, and the fourth amendment is a beautifully written piece of law:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

-4th Amendment to the Constitution of the United States of America

In other words, if you want to search smartphones, computers or e-mail accounts, you’ll need a warrant. And the law goes on to state that warrants can only be issued upon probable cause, which must be affirmed by a Judge providing the necessary oversight. Finally, even after a warrant is issued, it must state the place of the search and the things to be seized. A warrant shall not act as a blanket approval for law enforcement to look through all aspects of a citizen’s life, but only that which is explicitly stated in the warrant.

[Read more]

Secure Apache configuration for Wordpress & SSL

Apache runs nearly 50% of all active websites

Recently I moved the hosting for keithRozario.com from a regular hosted platform called WPWebhost to my own virtual machine on DigitalOcean. The results have been great, but the migration process was a bit tedious and took some effort.

I thought I’d share my Apache configurations, so that if you’re thinking of hosting your own WordPress site on an SSL server, you’ll at least have a solid base to start off from. I’m by no means an expert here, but this is what makes sense to me, and if you have any feedback please let me know in the comments.

So let’s start.

[Read more]