
Can Malaysia be Land of the Free and Home of the Brave

As we come to terms with the terrible events that occurred at the offices of Charlie Hebdo, I think we need to be cognizant of what these attacks really mean, and how our response to these events (even in far away Malaysia) has severe repercussions on our future.

As a Blogger and Techie, I’m 100% for absolute ‘no holds-barred’ Freedom of expression. I’ve written so much on the subject it begins to bore people, but we have so little freedom of expression in this country, we must fight to preserve what we have, and rise up to pursue even more.

The pursuit of freedoms which we do not enjoy is necessary, thanks to laws like the Sedition Act of 1948. An act so grossly out-dated it’s embarrassing that we still have it on the books. People forget that Malaya was at war in 1948, and when the act came into effect, we had already begun one of the darkest periods of our history–the Malayan Emergency. This was a time when planes were dropping bombs in the jungles and rubber tappers had to be escorted with armed guards, the laws needed at a time like that aren’t the laws you need now.

Because unlike World War 2, the emergency was part of a larger ideological war–one where Ideas were dangerous. So we put laws that limited the dissemination of ideas which was wrong, but then we kept them even after the last elements of the communist insurgency had left–which was definitely wrong. Soon we used these laws to clamp down on everything from questioning Malay rights to criticizing education policies (education policies that were later reversed by the way!).

How can using a law, enacted during a dark period of war be considered relevant for peace time? These things really should come with expiry dates.

And lest you think this only impacts Malaysia–every country at War will go to extremes in the law. For example, the US enacted their own sedition act in 1918, just before they were setting off to take part in the ‘Great War’–only for the act to be repealed in 1920. This in a country where the first thing they amended in their constitution was to explicitly guarantee Freedom of Speech–the lesson to take away is that whenever people’s security is threatened, they’d give up their freedoms. The Patriot Act would never have seen the light of day were it not for September 11th.

But let us find solace in the last verse of the Star Spangled Banner which reads “Land of the Free and Home of the Brave”–and just like Roti Canai and Dhall, you can’t have one without the other. You can’t live in the Land of the Free, unless you are Home to the Brave, because cowards give up their freedoms at the first sight of danger. To keep your freedom you have to fight to protect them, and never give them up. Because if these laws are anything to go by, once we enact laws to curb freedoms, we seldom repeal them.

Which brings us to the point, protecting freedom requires courage. It requires us to say we don’t want to trade security for freedom, we’d rather live insecure than un-free. And that takes courage, but also common sense. Because if you don’t like that, there’s a place where you can get all the meals you want, a roof for the head and be totally secure…it’s called prison. To get total security, you need to give up ALL your freedom.

And that’s what the terrorists REALLY want you to do, because the real point of terrorism isn’t to kill people, it’s to terrorize them.

To get people to change their way of life, and force upon them a sense of fear so crippling that they will never live free again. If we are to defeat the terrorists, we must not just condemn these acts, but condemn the weak and cowardly among us who would give in to this terrorizing and suggest that we ‘beef up our laws’ and ‘grant more powers to the government’–these are not words of strength, these are code words for giving up freedom and they come only from the lips of the meek. These are the defeatists who would allow the terrorists to win.

We must protect freedoms wherever they exist–we already have so little. So when I see people being charged for selling IS merchandise, and politicians claiming we need laws to curb freedom of speech to avoid another Charlie Hebdo, I think to myself where are the brave in Malaysia? Why do the spine-less invertebrates get so much publicity, why isn’t anyone defending our right to freedom of speech (even if it offends, and especially if it offends), why isn’t anyone defending the rights of someone to sell merchandise of an organization? If you’re going to charge someone for selling merchandise of organizations that you don’t agree with–I suggest you start with those that sell swastikas and the book shop that sells Mein Kampf, better yet don’t charge them at all. Because who are you to make such assumptions of what is agreeable and what isn’t–what is dangerous and what isn’t?

Isn’t this still a free country? And selling a t-shirt is hardly a crime in a free country is it?

If we are really such cowards as to be afraid of t-shirts…I fear we can never be land of the free, but that’s completely our fault.

Maxis Forum needs an upgrade

Yesterday I Googled something about Maxis that took me to a forum.maxis.com.my link. Unfortunately, Firefox wasn’t happy with Maxis, because I got the following screen:

[Screenshot: SSL V3 on maxis forum]

Firefox is the first of the mainstream browsers to end support of SSLv3, ever since Poodle was published. For those of you who aren’t keeping tabs on security issues–Poodle was a big vulnerability discovered in the 2nd half of 2014, that affected the SSLv3 protocol.

The only fix for Poodle was to completely stop using SSLv3 altogether, not a bad idea, since the protocol itself is nearly 18 years old. In other words, the people born at the same time as the protocol are already driving cars by now–on the other hand people born at the same time as the very first iPhone have only just finished kindergarten, and Apple have long since stopped supporting version one of the iPhone. So would anyone support this grandfather protocol?

Just to drive home the point of how old SSLv3 is–the protocol is 3 years older than Maxis pre-paid offering, Hotlink–which was only launched in 1999.

Fortunately, most modern day browsers already support newer versions of SSL, namely TLS version 1.0, 1.1 and 1.2 (1.3 is still draft)–which means of course most people aren’t fully susceptible to the issue. Even then computer geeks were switching SSLv3 off on their servers just to be sure (there are downgrade attacks, which can force a connection to use SSLv3 even though both server and client can support TLS).

But here’s the kicker–some websites continue to support SSLv3, leaving people vulnerable as long as they’re using a SSLv3 capable browser–which is the main reason Firefox has disabled SSLv3 in its latest installment, and Google will follow very soon on Chrome. So regardless of whether the server supports SSLv3, clients using the latest version of Firefox will be secure (at least from Poodle).

Now with the Maxis forum though–things are far worse. Not only does forum.maxis.com.my continue to support SSLv3–it apparently is the ONLY version of https supported by the forum page. In other words, the only security the Maxis forum offers is based on an 18-year old protocol that’s already been owned. This from a company that apparently put their CTO’s life on the line to promise zero YouTube buffering.

I mean, it’s great that Maxis is promising zero YouTube buffering and all–but if you can’t even get the security basics on your forum page done right–then I question your ability to secure just about anything.

Fortunately, the Maxis login page to view account information isn’t susceptible to the attack (but most users would re-use their passwords for both the forum and login), so that’s not exactly great news.

Honestly Maxis, you have to do better.
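
The check behind "SSLv3 is the ONLY version supported" can be reproduced against a server you administer. The following is an added example, not code from this blog: it offers each protocol version in a bare ClientHello and counts a version as supported only when the server selects exactly that version. All function names are hypothetical, `fake_server` is a constructed stand-in so the block runs offline, and the hello carries no extensions (no SNI), so name-based virtual hosts may answer differently.

```python
import os
import socket
import struct

# Wire values for the protocol versions named in the post.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
SUITES = (0x002F, 0x0035, 0x000A, 0xC013, 0xC014, 0x009C)   # long-standing suites

def build_client_hello(max_version):
    """One record holding a ClientHello whose highest offered version is max_version."""
    suites = b"".join(struct.pack(">H", s) for s in SUITES)
    body = (struct.pack(">H", max_version) + os.urandom(32)   # client_version, random
            + b"\x00"                                          # empty session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                                     # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", min(max_version, 0x0301), len(handshake)) + handshake

def selected_version(reply):
    """Version in the ServerHello, or None for an alert, an empty or a short reply."""
    if len(reply) < 11 or reply[0] != 0x16 or reply[5] != 0x02:
        return None
    return struct.unpack(">H", reply[9:11])[0]

def supported_versions(exchange):
    """exchange(hello) -> reply bytes. A version counts only when the server selects
    exactly what was offered; a lower pick means it negotiated down instead."""
    return [VERSIONS[v] for v in sorted(VERSIONS)
            if selected_version(exchange(build_client_hello(v))) == v]

def verdict(supported):
    if supported == ["SSLv3"]:
        return "SSLv3 only"
    if "SSLv3" in supported:
        return "SSLv3 still enabled"
    return "SSLv3 disabled" if supported else "no handshake"

def tcp_exchange(host, port=443, timeout=5.0):
    """exchange() for a live server you administer: one hello per TCP connection."""
    def exchange(hello):
        try:
            with socket.create_connection((host, port), timeout=timeout) as conn:
                conn.sendall(hello)
                return conn.recv(4096)
        except OSError:
            return b""
    return exchange

def fake_server(enabled):
    """Constructed stand-in: picks the highest enabled version not above the offer
    and answers with a truncated ServerHello (headers, version, random)."""
    def exchange(hello):
        offered = struct.unpack(">H", hello[9:11])[0]
        usable = [v for v in enabled if v <= offered]
        if not usable:
            return b"\x15\x03\x00\x00\x02\x02\x28"             # fatal handshake_failure
        pick = struct.pack(">H", max(usable))
        return b"\x16" + pick + b"\x00\x26\x02\x00\x00\x22" + pick + bytes(32)
    return exchange

if __name__ == "__main__":
    for name, enabled in (("sslv3-only", [0x0300]), ("modern", [0x0301, 0x0302, 0x0303])):
        print(name, verdict(supported_versions(fake_server(enabled))))
```

Pass `tcp_exchange("your.host.example")` to `supported_versions` in place of `fake_server(...)` to run the same check over the network.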

Streamyx forced ads (202.71.99.194)


A couple of days back, I was at my in-laws doing some browsing on their PC. Now my in-laws have a Windows XP laptop, that isn’t secured, which is fine because as far as I can tell, I’m the only one that uses it. Most of them now go to their phones or tablets for internet access–nobody uses PCs anymore!!

But I noticed something strange. I wasn’t able to access Amazon, which was where I was browsing for some Christmas shopping (but not logging in of course). Somehow every time I typed www.amazon.com on the browser, it would re-direct me to a Lazada advert. Now this looks like a piece of malware—sounds like a piece of malware–but after some investigations, I discovered this WASN’T a piece of malware.

Instead I realized that this was a problem with the Streamyx DNS. For some reason all the traffic that should have been routed to Amazon, was being routed to a TM IP address at 202.71.99.194. A quick Google search led me to this lowyat post, and this one, a post from 2013–so this wasn’t new. TM was routing all unresolvable domain names to adverts that looked so much like malware, it’s indistinguishable from a malware infection.

TM was doing exactly what malware authors do!!

I would never have encountered this problem, because I use OpenDNS–but this is unacceptable from TM. To deploy something that behaves and acts like a piece of malware, just so they can force feed you some adverts isn’t just unethical and bad ISP practice–it’s terrible security.

Because when you deploy something that looks and acts like malware–but isn’t–then people get de-sensitized to malware infections and soon ignore malware infections, thinking it’s legitimate shit done by their ISP.

TM should fix this–and really should stop this nonsense.

It’s now as good a time as any to change your DNS settings so you’re not susceptible to this Malware look-alike.
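
To tell this resolver behaviour apart from an infection on the PC, ask the configured DNS for names that cannot exist and see whether an address comes back. This is an added example, not code from this blog: the function names are hypothetical, the two stand-in resolvers and the `KNOWN_HOSTS` table are constructed for an offline run, and the random 24-character names are assumed to be unregistered.

```python
import secrets
import socket

# Constructed data for the offline demonstration (192.0.2.10 is a documentation address).
KNOWN_HOSTS = {"www.example.com": {"192.0.2.10"}}


def system_resolver(name):
    """A records from the OS-configured resolver; an empty set means no answer."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def honest_resolver(name):
    """Constructed stand-in: unknown names get no answer (NXDOMAIN)."""
    return set(KNOWN_HOSTS.get(name, ()))


def rewriting_resolver(name):
    """Constructed stand-in: unknown names are pointed at the address from the post."""
    return set(KNOWN_HOSTS.get(name, {"202.71.99.194"}))


def random_probe_names(count=6, tlds=("com", "net", "org")):
    """Names assumed not to exist: 24 random hex characters under common TLDs."""
    return [f"{secrets.token_hex(12)}.{tlds[i % len(tlds)]}" for i in range(count)]


def check_nxdomain_rewriting(resolve=system_resolver, names=None):
    """Resolve names that should not exist and report what came back."""
    names = list(names) if names else random_probe_names()
    hits = {}                                   # address -> number of probes it answered
    answered = 0
    for name in names:
        addrs = resolve(name)
        answered += bool(addrs)
        for addr in addrs:
            hits[addr] = hits.get(addr, 0) + 1
    # One address answering several unrelated random names is the advert/landing server.
    landing = sorted(addr for addr, n in hits.items() if n >= 2)
    return {"probes": len(names), "answered": answered,
            "landing_addresses": landing, "rewriting": answered > 0}


if __name__ == "__main__":
    print("honest   :", check_nxdomain_rewriting(honest_resolver))
    print("rewriting:", check_nxdomain_rewriting(rewriting_resolver))
    print("this host:", check_nxdomain_rewriting())   # uses the live system resolver
```

If the live run reports the same landing address after switching browsers or machines on the same connection, the rewrite is happening at the resolver rather than on the PC.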

Malaysian Government Hacked Environmental website?


Environment News Service, an environmentally focused news website, this week accused Malaysian government hackers of attacking it after it ran a story implicating Sarawak governor Tun Abdul Taib Mahmud of corruption and graft. As a result, the site was down for 2 hours, before the site managed to regain control.

“The attack on our site came from a Malaysian government entity as identified by their IP address,” Sunny Lewis, editor-in-chief of Environment News Service (ENS)

But what exactly is an IP address, and how did ENS identify it?

Let me explain.

What is an IP address?

The internet runs on a protocol–a set of rules that determines how data gets routed from one corner to another. These rules allow for every computer connected to the internet to communicate with every other computer and the protocol itself is aptly named the Internet Protocol, or more commonly known as IP.

Part of the protocol stipulates that every computer connected to the internet must have a unique number that identifies itself to the network. Just like how telephones have unique phone numbers, devices connected to the internet have unique internet numbers–or more accurately called IP addresses.

You can easily determine your IP address by logging onto www.whatismyip.com, or even just typing “what’s my IP” into Google. But where does your IP address come from? Unlike phone numbers, IP addresses aren’t static, your IP address changes every time you reboot your router. Your IP address was ‘given’ to you by your Internet Service Provider (Unifi, Maxis, Digi, etc.) and once you log off or shut down your router, your ISP then takes that IP address and assigns it to someone else. IP addresses are like gold these days and ISPs need to dynamically allocate them to you, because their subscribers exceed the number of IP addresses they have.

So your IP addresses are given to you by your ISP. But who gave your ISP their IP addresses?

The answer is your local Network Information Center (commonly called a NIC).

In our part of the world it’s APNIC (or the Asia-Pacific NIC). You see, as de-centralized as we think the internet is–there is still some level of centralization that requires an authority to administer. This is especially true in the allocation of IP addresses to Internet Service Providers–every region of the world has a local NIC that manages the IP address allocations to the local Internet service providers, to prevent them from issuing identical IP addresses across two different networks. It also means that there is a central repository that can tie each IP address to who that IP address was allocated to.

So while your IP address changes with every logon, at the very least it will continue to be a Unifi IP address each time (or Maxis or Digi, etc.). Your ISP has a fixed pool of IP addresses that it then dynamically allocates to subscribers like you.

So how did Environment News Service know that Malaysian government hackers attacked them? They simply traced the IP address of the attacker (which they knew), and, my guess is, found it registered to the Malaysian government. I further speculate that the IP address would have belonged to GITN (the official network provider to the government)–which I wrote a couple of years back was used to download some porn on bit-torrent–so this wouldn’t be the first time some hanky-panky went on over at GITN.

Some unanswered questions

Now some questions.

If these hackers were smart enough to hack a website, how come they weren’t smart enough to hide their IPs? It’s quite trivial to hide an IP (just use TOR)…which makes me sceptical of this entire claim, but then again we’ll know more when Environment News Service publishes more information.

In any case, I highly doubt anyone in our government has the skills to do this–and someone as rich as Taib would have probably hired more competent professionals to execute the so-called ‘hack’. There are guys who openly advertise services to take down websites, and they start from as low as RM1 for every 10 minutes. Basically these hackers offer their ‘attacking’ services for a fixed price–and some of them even offer 24/7 helpdesk support, and I’m not joking. So why in the world would someone like Taib even bother going to the government for something as trivial as this–when competent professionals are easily available?

The Malaysian government has been accused of taking down Malaysiakini and other news portals in the past, and in those instances the attack didn’t come from the government. The very first attack in 2004 was reported to have originated from APIIT (yes the IT school), then Radio Free Sarawak was attacked prior to the 2013 General election, and that DDOS came from more than 36,000 IP addresses (yes, that’s 36 THOUSAND)–this new attack seems like a paltry downgrade when compared to those, and run by amateurs.

I can only speculate of course, the Government is known to be spying on citizens and censoring the internet–but sometimes the stories being thrown around make me question their authenticity.

Conclusion

Thanks for reading. If you want to learn more about IP addresses and what the hell IPV6 is, check out my two videos below:

Phishing by the Bank–Maybank that is

Recently I received a phishing email from konzie2@usm.edu telling me that Maybank had installed new security features and that I need to validate my details on the Maybank2u web portal. The email was marked as SPAM by Gmail, and trying to visit the site further sparked more warnings from Firefox AND my anti-virus.

But I was curious as to what the link would entail, in much the same way I was curious about the RHB phishing emails I received some months back.

Hopefully this post gives you an indication of just how sophisticated these attacks are, and manages to educate you on the one true way to establish if the site you’re visiting is genuine.

Fake Maybank2u login page

The fake login page for Maybank2u looks exactly like the REAL login page of Maybank2u, there really is no difference from the victim’s perspective. What’s more interesting is when you go deeper, by just entering ‘a’ username and a password you get to the following page (please don’t enter ‘your’ username and password, just ‘a’ username and password).

Censoring bomb making websites: NO

The Star reports that :

Malaysia Crime Prevention Foundation vice-chairman Tan Sri Lee Lam Thye called on the Malaysian Communication and Multimedia Commission (MCMC) to block bomb-making websites.

“We live in a troubled age. Previously, it was unimaginable, but now even from your home, you can make a bomb. The MCMC must do a comprehensive check to see how we can block sites that are harmful to the nation,” he said.

Now, apart from the fact that there aren’t any dangerous substances used for bomb-making today that weren’t around in the 1970’s, the entire statement is one made from ignorance.

The Anarchist Cookbook, one of the most famous manuals for making home-made bombs, was written in the 1970’s and improvised in the 1980’s–stuff that was flammable 20 years ago is still flammable today. It’s not as though the atmosphere has changed and petrol no longer burns.

But calling for the MCMC to ‘comprehensively’ block sites that are ‘harmful’ to the nation is something no one, especially a Vice-chairman of an NGO, should ever do. We can’t allow for the MCMC to be given a rein on the internet, even if the intentions are good–after all, we know what the road to hell is paved with–we can’t allow good intentions to create bad consequences such as internet censorship.

Anyone that calls for the blocking of websites needs to understand the reasons I don’t condone blocking of websites.

ATM Hacks are so bloody boring

Last week, while I was flying from KL to London, I noticed a strange anomaly on the screen of the boarding gate at KLIA. Closer inspection revealed that it was an anti-virus warning that signaled the computer had been infected by a Virus (almost 2 days ago!!). As a techie, I quickly deduced 3 things from the screen.

One, the computer was running Windows, and probably an outdated version of Windows.
Two, the computer had been infected with Conficker. Conficker was a pretty infamous threat, back in 2008!! And yet, here we are, at Malaysia’s most prestigious airport, and we have a computer infected by a virus that pre-dates the iPhone 3G.
Three, the computer is probably part of a larger network, and never gets patched or updated–probably. If it were patched, it wouldn’t be infected with an ol’ grandmother of a virus.

As an added bonus–I could easily see the user of the system. That’s a delicious bit of information for any hacker to have.

Heaven forbid the virus on the computer screen at KLIA spreads to something important–like the control tower or Sky Train controls.

These days, everything is a computer. Your phone is a computer, your watch will one day be a computer, so too is your car. But when was the last time you patched and updated these systems? When was the last time you updated the firmware on your router–or even when was the last time you updated the software on your laptop? Some of you probably haven’t done this before–I’m looking at you Android JellyBean and iOS5 users.

So the display screens at the airport are computers–but so are the Automated Teller Machines (ATMs), and trust me when I say this, some of them run on Windows…gasp!!

MyProcurement: All government tenders in one Excel file


Happy birthday Malaysia!! Just how awesome is our country, that we celebrate an Independence Day AND a Malaysia Day, not to mention 2 New years day, (or 3 if you count Awal Muharram).

So on that note, I decided to use my IT skills for the good of the country.

To be honest, my IT skills have never been up to par, my day job is more managing/planning/documenting than actual execution of ‘real’ IT work. But it was good for me to dust off the ol’ programming fingers and learn Python to grab some publicly available information and make it more accessible to the less IT centric members of society.

Since I had limited time, and sub-par skills, I decided to set my sights low, and aim to extract all the data from the Malaysian MyProcurement portal, which houses all the results of government tenders (and even direct negotiations) in one single website for easy access. The issue I had with the portal though, was that it only displayed 10 records at a time–from its 10,000+ record archive, so there was no way to develop insights into the data from the portal directly, you had to extract it out, but the portal provider did not provide a raw data dump to do this.

So I wrote a simple Python script to extract all the data, and prettified the data in Excel offline. The result is a rather mixed one.

I was happy that I could at least see which Ministries or Government departments gave out the most contracts, and what the values of those contracts were. All in all, the Excel spreadsheet has more than 10,000 tenders with a cumulative value of RM35 billion worth of contracts going back to 2009. The data allowed me to figure out which Ministry gave out the most contracts, the contracts with the highest and lowest value (including one for RM0.00, and one for just RM96.00). All in all it was quite informative.
