The Government doesn’t buy spyware–yea right!

The Government has denied buying spyware from Hacking Team; they really should have checked with me before issuing the statement.


On the 23rd of November 2015, Datuk Seri Azalina Othman Said denied that the Malaysian government had procured spyware from Hacking Team. In a formal response (in Parliament!!), the Minister simply stated “For your information, no such device was purchased by the Prime Minister’s Department”.

For YOUR information, dear Minister, I don’t like being lied to, and oh look, there’s a flying pig by the window. Next time ask your PR guys to call me before you go setting your pants on fire.

Ok folks, here’s a step-by-step on why we can trust the hacking team leak, why there’s conclusive proof Malaysia bought this spyware, and why we should be worried about the manner in which it is being used. So let’s go.

[Read more]

Anti-TPP Ideologies?

2 weeks ago, Wan Saiful Wan Jan, the chief executive of the Institute for Democracy and Economic Affairs (IDEAS), penned an opinion piece in The Star claiming that there was a prevalence of anti-TPP ideologies in Malaysia.

The gist of his piece centred on 4 key points:

  1. The Anti-TPP ideologues opposed the bill before knowing what it was, and therefore must be stupid (or bomohs)
  2. Opponents of the TPP oppose trade liberalisation
  3. TPP like any other free trade agreement was negotiated in secret and not exceptional
  4. That the government was doing a bad job communicating the TPP to the rakyat

Apart from point 4, all his other points are either red herrings or completely wrong.

Let’s go through them one by one:

[Read more]

The price of freedom

The price of freedom is the possibility of crime, and if you’re unwilling to pay that price, don’t be surprised when your freedom is taken away from you.

In a free country, it’s impossible to prevent a mad lunatic from getting a knife and stabbing people on a train, you might prevent some lunatics but you can’t prevent them all. The best you can hope for is that rescue comes fast enough before anything serious occurs.

[Read more]

So you think English is the lingua-franca of Science…


I get annoyed when parent associations insist that the Government needs to teach science and maths in English. They argue that because English is the lingua-franca of science, teaching science in English will help students learn more effectively without needing them to translate scientific terms from the vernacular. They add that teaching Science and Maths in English is a great way to improve the standard of English in schools.

It would be great if those points were true, but they’re not.

English as the Lingua franca of Science?

Firstly, English isn’t the lingua franca of science. True, scientific journals are mainly in English and citations in most scientific literature point to English journals only, but shockingly, primary and secondary school children don’t read the latest publications on the Higgs boson.

Instead, what children learn in school is so dated, that their initial publications were probably in Latin or Greek, with older text going back to Arabic, Chinese or even Indian origin. The most recent ‘findings’ your children learn in physics is Quantum Physics, which is roughly a hundred years old. Even then, they aren’t reading Einstein’s original paper on the Photoelectric effect, they’re reading a textbook that sufficiently distils and simplifies it for their consumption.

In fact, the vast majority of what children learn in Form 4 physics is derived from the Principia, a collection of 3 books by Sir Isaac Newton, who wrote them in Latin. The famous rhyme that “Every action has an equal and opposite reaction” may sound nice in English, but it doesn’t exist in the original text, simply because it wasn’t written in English. Going further back in history, the algebra you loved in high school derives its name from a notoriously hard to pronounce book titled “kitāb al-mukhtaṣar fī ḥisāb al-ğabr wa’l-muqābala”; the phrase al-ğabr means the reunion of broken parts, and is the origin of the word Algebra. The book itself was written by al-Khwarizmi (the most important mathematician you’ve never heard of), whose name is where we get the word Algorithm from. Obviously, he didn’t write his works in English either.

Of course, I use these ancient examples a bit unfairly, but the fact is that your children are learning ancient science in schools. It’s not that it’s irrelevant; it’s that you have to build the foundation of scientific literacy from these ancient roots before you can tackle the modern-day science of the Higgs boson. You can’t fly before you learn how to walk.

The point is that if these ancient texts were translated into English at some point, why can’t we do the same for Bahasa, or Mandarin, or Tamil, or whatever language you want? Isn’t it easier to translate and contextualise these centuries-old ideas into a language the next generation is comfortable with, rather than hope they suddenly develop a love and understanding of a foreign language like English?

When you say lingua franca of science, in the context of what children actually learn in primary and secondary school, it isn’t English.

[Read more]

The PM’s year end cyber-security message

From: jibby@Malaysia.gov
Sent: 23 Dec 2015
To: orangbawah@Malaysia.gov
Subject: Cybersecurity Year end message.

*This message is intended for all Malaysian Government servants only, do not forward without prior approval*

Greetings and Salam 1Malaysia.

I want to use this year-end as an opportunity to discuss the important topic of Cybersecurity. This year was interesting for me personally, and for all Malaysians, and we need to be aware of cybersecurity issues in order to avoid situations where some people go bat crazy over a missing pendrive, or we’re struggling to interrogate a sysadmin in Thailand.

But let’s start with a Government Linked Company, Malaysian Airlines (MAS).

In February, MAS had their website hacked by a group calling themselves Lizard Squad, which appeared at the time to be affiliated with ISIS. However, I confirmed with my pal Baghdadi that Lizard Squad are in no way related to our good friends at the Caliphate, and we should continue striving to be as brave as them.

Delving deeper into the hack revealed it to be a domain registrar hijack, not a result of inadequate security at MAS. Essentially, MAS registered their website with a registrar, and it was that registrar which was hacked, not MAS themselves. Let that be a lesson for us all: sometimes the responsibility for security rests not just with us, but with our IT vendors as well.

Another good example of IT vendors completely messing up is Miliserv.

[Read more]

Keith on BFM


3-4 weeks ago, I pimped myself an interview on BFM, and yesterday it finally aired. Woohoo!!

Here’s the audio, and below are some show notes you might be interested in if you want to learn more. I searched for these links AFTER the show, so they may not be 100% in step, but they’re a good place to start.

Show notes:

  1. My post on how to change Unifi WiFi password and a bonus note, here's how to hack them.
  2. Windows Tech Support Scam , here's another and here's how some pros respond
  3. Why Anti-Virus is dead from Brian Krebs
  4. Russian Business Network (I wrongly called them the Russian Business Alliance on the podcast): Wikipedia Link is here, but I suggest buying Spam Nation by Brian Krebs, easily the best book on the subject.
  5. Target hacked through their HVAC supplier, while their supplier was using anti-virus
  6. Kevin Mitnick on social engineering and corporate inoculation.
  7. Cybersecurity professional shortage...trust me, IT is the way to go.
  8. Security frameworks like PCI-DSS, I should have mentioned it.
  9. My favorite password manager: Lastpass
  10. The Fappening (if you don't know what it is, please click the link NOW)
  11. Ashley Madison password, rights and wrongs.
  12. Why I don't like bio-metrics
  13. OPM Hack : you need to know this
  14. TheStar reporting on teen winning award from Google (fake report)
  15. Google Malaysia was hacked--and my explanation on why it wasn't.
  16. My take on our view of hackers and specifically anonymous
  17. Tech Journalism in Malaysia
  18. Ahmed didn't build his clock and now he's suing for $15 Million--damn.
  19. Tony Stark asking to boost ISDN by 15%.
  20. Hacker who claimed he could hack a plane avionics from the seat.

I really enjoyed the interview, and felt it came out really well.

Shout out to Jeff Sandhu for the brilliant work, and let me know if you enjoyed the show.

[Read more]

Hackers and terrorist

Pic from TheMalaysianInsider. Tip to newsmen: Next time blur out the photos and names on the ID tags as well.

There is no greater danger from tech illiteracy than the way we treat hackers. A society that doesn’t understand technology will view those who can manipulate it as wizards and sorcerers.

Technology sufficiently advanced is indistinguishable from magic, and to most people that bar of being ‘sufficiently advanced’ isn’t set very high.

The magic analogy is apt. Even in fiction, wizards are treated either with awe, à la Harry Potter and the muggles, or with disdain, à la the Salem witch trials, where ignorance bred fear, which in turn led to persecution.

Regular readers of this blog will know Kevin Mitnick, the grand-daddy of hackers, who was once rumoured to be able to launch a nuclear missile by whistling into a phone. Not only was the rumour patently false, it nudged judges in American courts to deny him a bail hearing, something guaranteed to Mitnick by the country’s Federal Constitution. Prosecutors quickly learnt that if you throw around words like Hacker and Nuclear, judges will willingly jettison constitutional protections quicker than Han Solo can dump cargo to make the jump to light speed.

In the absence of a nuclear threat, law enforcement agencies have begun using terrorism, and have found it equally effective in demonising hackers and anyone else who can do seemingly magical things with bits and bytes on a computer screen.

[Read more]

Chip And Pin : An intro for Malaysians

In 2016, Chip and PIN will gradually be introduced in Malaysia. That means your credit cards will now prompt you for a PIN instead of a signature during purchases. This will be a bit of a hassle, but it will be worth it. Here’s what you need to know about it and about credit card transactions in general.

The 5 people you meet in a card transaction


First off, a short primer on credit card transactions. In any business transaction, there are at least 2 actors involved, a buyer and a seller. In industry lingo we call them Merchants and Cardholders. These are important terms to remember, as we’ll use them extensively.

But a card transaction is far more complicated and involves at least 3 more actors, some of which you may not even be aware of. First, we have the party that issued the cardholder their card, the ‘Issuer’. If you have a credit card, chances are that credit card is tied to a line of credit issued by a bank, whether it’s HSBC or Maybank. These are issuers, and they have a relationship with the cardholder.

Then we have the ‘Acquirer’. This is the financial institution that provides the merchant with the ability to accept card transactions. Sometimes this is as simple as placing a card terminal on the merchant’s premises. The acquirer has a relationship with the merchant, and that’s why when you look at credit card receipts, they usually have a bank’s logo on them: that’s the acquirer’s logo.

Both the issuer and the acquirer are usually banks, because credit cards deal with debt, and only registered financial institutions are authorised by law to perform such transactions (think of interest rates, loan functions, etc.).

So far, we have the Issuer that issues the card to the cardholder, and the Acquirer that provides the infrastructure to the merchant, but how do we tie all of them together? Here the final actor provides a network that connects all acquirers to all issuers: the Card Schemes. You know them by their names: VISA, Mastercard, Diners, JCB, Discover, etc. The schemes provide the ability to connect acquirers and issuers, so when you go to a merchant, you only ask them if they accept Mastercard or Visa, and don’t worry about the specific acquiring bank. Similarly, the merchant places a “Mastercard accepted” logo on their premises, because if they can accept one Mastercard, they can accept them all.

These 5 actors, the Cardholder, the Merchant, the Acquirer, the Issuer and the Scheme work seamlessly together to allow you to purchase goods and services using only a single piece of plastic we call a card.

But what is a card?

[Read more]

PSI vs. API, Malaysia vs. Singapore air quality readings


There’s been some controversy recently regarding the Air Pollutant Index (API) readings in Malaysia, with some even accusing the government of intentionally downplaying the readings.

I intended to find out exactly how the readings were different, and as a glorified techie cum wannabe programmer, I decided to use a data approach to this as opposed to a theoretical one. In case you’re wondering what the theoretical differences are, check out this cool article from cilisos; otherwise keep on reading.

At the crux of this issue, we first have to appreciate how API or PSI readings are calculated. Both take measurements of several pollutants in the air, but only the pollutant with the highest concentration determines the reading value. It’s hard to consolidate something as complex as air quality into a single number, and as a result a certain amount of ‘simplification’ is required.

Theoretically, PM2.5 measures particulate matter up to 2.5 micrometres in diameter, while PM10 measures particulate matter up to 10 micrometres in diameter. The Singaporean Government claims that PM2.5 is the main pollutant of concern during periods of smoke haze, and hence you’d expect PM2.5 readings to be higher than PM10.

But that’s theoretically, what about empirically?

[Read more]

The problem with bio-metrics


Passwords have always been a problem.

For a password to be adequately secure, you need a certain amount of randomness (or entropy, in geek speak) associated with the password to ensure it can’t be easily guessed. The password monkey is less secure than the password k3ithI$one$3xydev1l, but the latter is inherently harder to remember (although still very true).

Remember, you should use a different password for each online service you subscribe to; your Jobstreet credentials should be different from your banking credentials. This way, if someone hacks into Jobstreet and compromises their passwords, your banking credentials remain secure.

What people often do is re-use one password across all their services, so that a compromise of one service is as good as a full-blown compromise of their entire online identity: a hack on that nutrition forum you visited two years ago could cause you to lose your life savings.

Therein lies the trade-off: an easier to remember password is also easier to guess, and hence easier to hack (Google ‘the fappening’ if you need more convincing), while a hard to guess password is harder to remember, and near impossible to manage if you need to remember a different password for each of your online services.

Which suggests that the problem isn’t passwords per se, but rather our human inability to remember long, un-guessable passwords. Computers have long outstripped us in this arena, and trying to overcome that is pretty much unthinkable at this point.

But what is the solution then? Well, in general we have 2 partial solutions.

[Read more]