There was a time when the internet was young, just a little fledgling network, an academic toy used only by computer scientist to try out theoretical concepts. Contrary to popular belief the internet wasn’t created to withstand a nuclear war(although it can), instead it was created to address a very serious engineering question–how to connect together different computers with different operating systems and different commands? The answer to that question stumped many brilliant people, in the late 60’s and early 70’s, computers were Gods of their domain, stand-alone machines with ‘slaves’ like disk-drives and monitors, if you hooked up a computer to another computer, they wouldn’t know what to do–there’s a chinese saying about one mountain can only have one dragon, computers in those days were exactly like that.

The new Prevention of Terrorism Act (POTA) in Malaysia should not be considered in isolation but rather in the context of the 6 other anti-terrorism Bills that were concurrently proposed. All of these new laws, will almost certainly come into effect, thanks to the whip system employed by the ruling party. Yet the laws violate fundamental human rights, such as a right to fair trial and right to personal privacy.

I’m particularly worried about the amendments to the Security Offenses Special Measures Act (SOSMA), an amendment that has slipped under the radar simply because its been out-done by harsher changes to the sedition act, and the new POTA.

The original SOSMA had granted Law Enforcement powers to intercept and store any kind of communication, including digital communications, without any judicial oversight.  Police Officers ‘not below the rank of SuperIntendants’ could wiretap any communications if the ‘felt’ there was need to do so, without obtaining any warrant. Section 24 of the act further stipulated, that law enforcement did not have to reveal how they obtained such information and could not be compelled to do so under the law, which acts as blank cheque to the police and other investigative bodies to utilize any and all manner of surveillance and intelligence gathering, regardless of their legality of their methods, since no oversight can be carried out on their methods.

The amendment to SOSMA, further enhances existing powers to allow for any evidence “howsoever obtained, whether before of after a person has been charged” to be admissible in a court of law. Which isn’t a big jump from where we were, but making this statement explicit in the act, leads me to only one conclusion.

Our legislators have granted such a broad powers to the Police and the executive branch of government, that they now can intercept, and store communications of millions of Malaysians, hence the next logical step would be state-wide bulk surveillance. In light of what the NSA and GCHQ have already done, SOSMA would make it perfectly legal for Malaysian authorities to execute identical surveillance programs locally and have all the evidence generated under such program be admissible in a court of law without ever revealing how the evidence was obtained.

Think about it, on the one hand, the Government amends Sosma to allow it to collect just about anything as evidence without any Judicial oversight that might ‘slow down the process’, and on the other hand it needs POTA to detain ’terrorist’ without a trial because its hard to come by evidence. It doesn’t make any sense, what’s the point of creating POTA if you’ve already removed all the barriers to collecting evidence, and what’s the point of SOSMA if you already have the powers to detain someone without any evidence.

It would seem to me, that by allowing Government surveillance of any kind, and by allowing detention without trial, we’re creeping into a world where the Government can intercept all your communications to learn about what you’re thinking and doing–and then detain you without any justification. That’s a world even Stalin would envy.

I know I’m a tin-foil hat wearing conspiracy nut, and I know I’m on an extreme edge when it comes to political and social views—not many Malaysians agree with me on many things. Still…I think that if you look at the acts in totality, place it in context of the current trends of Government surveillance across the world, and consider that our government has a track record of deploying spyware in Malaysia, seems perfectly reasonably to me, to conclude that our government wants to run a state-sponsored bulk-surveillance operations in Malaysia.

What’s the price of falling in love?

What are the consequences of being head over heels, mindless crazy in love with someone?

I would say the price of falling in love is the possibility of getting hurt. Sometimes the person you fall in love with doesn’t love you back–and that can cause significant emotional pain and grief. But that’s a price we’re more than willing to pay, because a world where no one is allowed to be hurt, is also a world where no one is allowed to fall in love, and who wants to live in that world?

Today I attended an Institute for Democracy and Economic Affairs (IDEAS) event about the TPP. Among the panel members, included Michael Froman, the US trade representative and chief advisor to President Obama on issues of International Trade and Investment. (big shot!!)

For those you don’t know, the Trans-Pacific Partnership(TPP) agreement is a trade deal between 12 countries including Malaysia and America whose main objective is to balance out the power and influence China has over the region. But the TPP has been opposed by many NGOs and special interest groups, for good reason–it’s secret. The TPP has garnered such a bad reputation, it’s sort of like the Justin Bieber of trade agreements, everyone knows about it, but nobody likes it.

The event went on for a good 40 minutes, before your friendly neighbourhood tech blogger got a hold of the mic to ask about the secrecy of the trade agreement.Prior to that everyone was talking about Bumi Policies,Price of Medicine and impacts to SMEs. I really didn’t understand why no one spoke about the tremendous secrecy surrounding the talks and how the secrecy itself is fundamentally undemocratic and bad enough for Malaysians to reject the agreement.

This secrecy is the one reason every Malaysian should oppose the TPP. Everything else is moot, because we can’t confirm the documents we’ve seen until it’s made publicly available to the citizens of the countries negotiating the deal. Would you sign a housing loan agreement without the ability to first read the contract? Yet, here with the TPP we have a legally binding 29-chapter multi-lateral agreement that very few people have seen, but will impact all Malaysians once signed. How do we know the prices of medicines are going up? Oh that’s right, we read it from Wikileaks …. must definitely be true then. Sorry let’s move on.

I strongly believe the Goods and Service Tax is a good idea.

Yes, it will impact the poor more than the rich. Yes, it will cause the cost of living to increase at a time when most Malaysians are struggling to pay the bills.

But the people who will suffer the most aren’t the poor, it’s the tax-evaders. Tax evasion and illicit flows are a big problem for Malaysia, and the Goods and Service Tax is a straightforward and effective solution to that problem. GST is a closed loop sort of tax, which makes tax evasion much harder.

So enough of the GST choir, I’m sure you don’t agree, but that’s fine. In this great country  of ours there should be room for dissent, except with Maslan, cause he’s so smart he must be right.

Output - Input

Imagine a top-up of RM10.Let’s assume that in a pre-GST Malaysia, the telco sold the top-up card to the retailer for RM9. The retailer sold it to the end customer for RM10, making a profit of RM1 per card.

In a post-GST world, the telco still sells the top-up card to the retailer for Rm9, but now adds 6% GST, making the total sale price from Telco to Retailer RM9.54. This additional Rm0.54 is called the input tax.

The retailer then sells the card to a customer at Rm10 plus 6% GST, making the final price Rm10.60. The additional Rm0.60 is called the output tax.

His Gross profit is Rm10.60 - Rm9.54 = Rm1.06. (stay with me here folks)

Now here’s the bit many don’t understand, the retailer doesn’t pay Rm0.60 to the government (even though that’s what he charges you), rather the retailer pays his output - input, or Rm0.60 - Rm0.54 = Rm0.06 . His gross profit of Rm1.06 becomes of nett profit of Rm1.00 after you deduct GST, which is exactly the same profit he had pre-GST.

[caption id=“attachment_5004” align=“aligncenter” width=“650”]

Post-GST implementation as it is today[/caption]

The way this works is that the Telco pays Rm0.54 to the government (from their sale to the retailer), and the retailer then pays Rm0.06 to the government (from their sale to the customer). The end result is that the governments still gets Rm0.60 from the sale, but from two different entities at two different points of the supply chain.

This all lines up nicely, the problem is that customers are now paying Rm10.60 instead of Rm10. Let’s call this the RM10-Gross Model.

Recently a court in Malaysia ruled that the newly amended evidence act could presume an IP address would uniquely identify a user of a network, and in the case of an Internet IP address, enough to tie an IP to the individual subscriber. In other words if the authorities ever found out that ‘your’ IP address was behind a post, then you’d have to prove it wasn’t you rather than they having to prove it was.

In Tong Seak Kan & Anor v Loke Ah Kin & Anor [2014] 6 CLJ 904, the Plaintiffs initiated an action for cyberspace defamation against the 1st Defendant.   In tracing the perpetrator, who had posted defamatory statements on two Google Blogspot websites, the Plaintiffs filed an action called a John Doe action in the Superior Court of California.   In compliance with the court order, Google traced the blogs to two IP (Internet Protocol) addresses which were revealed by Telekom Malaysia Bhd to be IP addresses belonging to the 1st Defendant’s account.

Bread & Kaya: Malaysian cyberlaw cases in 2014

I’m uncomfortable that a court of law could find someone guilty based on something as trivial as an IP address, when other courts around the world have ruled that IP addresses are insufficient for this purpose.

Last week visitors browsing to Google’s Malaysia website were greeted with a big bold image stating the website was hacked. The media had a field day proudly proclaiming that Google’s website was hacked, because that was exactly what the page they visited said….Google Hacked!!

Only, Google wasn’t hacked.

MyNic was hacked.

They’re the agency in charge of managing all internet addresses ending with the .my suffix. Hackers had infiltrated MyNic, and reconfigured the systems to point www.google.com.my to their own servers instead of Google’s. Then they simply pasted a silly looking screen that boldly proclaimed their ‘hack’ to the world, claiming to hack Google rather than MyNic—which is what you’d expect from hackers. But the media, took that to mean Google was comprimised, and boldly proclaimed that Google Malaysia was hacked, going so far as to ask if ‘user data was compromised’.

The analogy is that if someone hacked Waze, and took all unsuspecting tourist who were trying to get to KLCC, and re-directed their route to an abandoned warehouse in Klang, the headline for that story should read “Waze hacked” instead of “KLCC destroyed”. Everyone knows how absurd a headline like the latter would be, but very few people would think the same thing the moment ‘internet things’ get involved–if the website says Google hacked, surely it must be true, in the same way that if Waze says this dilapidated factory lot is KLCC, surely it is, because Waze is never wrong right?!

In case anyone needs my PGP key to send me encrypted e-mails. Here it is.

e-mails should be sent to keith@keithrozario.com, which is hosted on Gmail, if you’re uncomfortable with that, drop me an encrypted e-mail there, and I’ll respond with a privately hosted e-mail you can connect with me on.

Regards,

Keith

The team over at the FireEye threat intelligence published a special report(pdf) detailing an long running (and still on-going) cyber-espionage operation that has targeted multiple entities in ASEAN countries, including Malaysia. The program was reported to be running for more than a decade, and the sustained period coupled with the list of targets the program had, led FireEye to believe it to be a state-sponsored activity, as no other other type of organization would be able to afford such a professionally run program, operated for such a long period of time with no discernible source of income.

The group were nicknamed APT30, an abbreviation for Advanced Persistent Threat number 30 (I'm guessing the 30 part, because FireEye have other APTs on their github page). APT is a cyber-security term coined to identify an attacker that has both the capability and persistence to target specific entities up until they eventually break, and then continue to suck information from their victims for a significant amount of time. Basically there are script kiddies, hackers and then the 'Advanced Persistent Threats', APTs are a class above the rest.

APT30 operated a suite of tools including back-doors, and command and control software that were given catchy names like Backspace, NetEagle, Flashflood and ShipShape. The tools demonstrated a fair amount of sophistication in the way the functioned, but what really impressed the FireEye team was the level of professionalism that the coders exhibited, the malware had a well defined version control system, automated tools to manage many of the operational task and even the functionality that allowed for the system to be operated 24/7 by a team working on shifts, with one window requesting the operator to enter their 'attendant code'. I wouldn't be surprised if the system even calculated yearly increments, and provided KPI reports in the background.

Last month, a company called MDSec released a video detailing how they manage to brute force hack an iPhone PIN lock. Pretty sweet piece of work, but I thought this would be a good example to understand how hacks work, and how hackers think.

What is a hacker

A hacker is someone who makes system work in an unintended way, because they know have a deep knowledge of the underlying mechanism of the system.

-Keith Rozario (wannabe tech blogger)

Fusion cooking is another example, Asian Sambal wasn’t meant to go with Chicken chops, but somehow chefs make it work (at least some of them do), but you can only do this if you understand things like flavor, taste, and texture work. Otherwise you end up with disgusting combinations like Nasi Jam Strawberry, or Black pepper goreng pisang.

Things in technology are designed to work in a specific way, like asking for username and passwords before granting access, but hackers get the technology to produce unintended results (like allowing access without the credentials)by passing certains steps and processes, because they know what those steps and processes are. For example the iPhone PIN hack I mentioned in the opening paragraph.