
Who are you trusting online?

Trusting in an online world

When you get behind the wheel of your car and hit the road–you’re implicitly trusting every other road user to play by the rules. You trust that no one will go out of their way to crash into you, or swerve into you for an insurance claim; you even trust that pedestrians won’t hijack your car as you stop at the red light.

Sometimes you mitigate these risks by locking your doors and keeping your distance, but fundamentally you’re placing a lot of trust in your fellow road users. You have no way of knowing for sure that they’ll be good boys and girls–but you go about your daily car ride trusting that they’ll do what is right. In cases where you don’t trust anyone, you don’t use the road. I know a lot of people who won’t drive in India because they don’t trust road users there–and some foreigners refuse to drive in Malaysia for the same reason.

Society works on trust, and without it–society just wouldn’t work.

Think about it–you might not trust the restaurant waiter with your credit card–but you just ate at the restaurant without viewing the kitchen. Dying from poisoned food is far more serious than credit card fraud, yet you’ve trusted the restaurant not to poison you, but not with 16 digits from your bank. Sometimes you’re trusting people without even knowing it.

And the same is true for the internet. The Internet Protocol (IP), which governs the whole internet to this day, is a highly ‘trusting’ protocol that prioritizes speed and simplicity over security and privacy. In much the same way that it’s faster and simpler just to trust the restaurant not to poison you than it is to inspect the kitchen and verify the ingredients–the Internet Protocol accepts everything as true and routes data accordingly. Other protocols like SMTP and POP3 that are used for email employ the same levels of trust, which is why you can never trust an email–it’s just too easy to spoof.

Essentially everyone on the internet trusts everyone else to play by the rules. For example, when Pakistan decided to block YouTube within its borders, a mistake made by its local telecoms managed to take YouTube down for several hours worldwide, simply because everyone trusted the information Pakistan was sending them. Nowhere else in the world does such a high level of trust exist as on the internet–and nowhere else is it more dangerous.

RHBNOW Email: Intricate details of a Phishing scam

Last month alone I received 6 phishing emails asking me to change my RHB banking password. I always wondered what would happen if I actually clicked on one of the links in the email–and today I did just that. Immediately I was transported to a dodgy world of sophisticated deception, and soon realized this was far more complicated than I initially expected.

Before I proceed, a friendly word of caution–Kids, don’t try this at home–the scam is an elaborate ploy geared towards robbing you of your cash, and if you’re not sure what you’re doing–chances are you’ll be a victim yourself. The simplest way to avoid a scam like this is to never click on an email from the bank–regardless of how genuine it looks. Banks never send you email–so don’t expect one from them. Not even a Christmas card.

But if you’d like to see what happens when you click on one–read on:

Step 1: The email from RHBGroup.com

Email from RHB Group

 

First there’s the email, it was (supposedly) from sshccserv356@rhbgroup.com. Quite deceptive, and if you visit rhbgroup.com you’ll find that it’s the legitimate RHB Bank website. So it appears this email from rhbgroup.com would be legitimate as well.

Except it’s not.

Email is a remnant of the internet’s past–it was created at a time when security wasn’t a priority, hence emails lack any form of authentication (validating whom the email is from), which allows them to be easily forged. This inherent insecurity is why emails should never be trusted, especially when those emails come from external sources like a bank.

That’s why your bank will NEVER send you an email. It’s too easy to forge. So rest assured that every email you receive from the bank is a fake (there are exceptions of course, like transfer notices etc., but those emails don’t require any action from your end).

Analysing the email further, I find the first victim of the scam: a website called pjpan.co.uk, a pajama store (of all things). The website URL was all over the email header, which just like every other aspect of the email could be spoofed. Why the scammers chose to use pjpan.co.uk was beyond me, but they did. In any case the email was sufficiently obfuscated that trying to determine its origin would be difficult and probably pointless as well.
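The header comparison described above can be automated. The following is an added example, not code from the original post: the sample message is constructed (only the two domains and the sender address come from the post; which headers carried pjpan.co.uk, the IP, hosts and date are assumptions), and alignment is approximated by a simple suffix match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header layout, hosts, IP and date are illustrative only.
RAW = """\
Return-Path: <bounce@pjpan.co.uk>
Received: from mail.pjpan.co.uk (mail.pjpan.co.uk [192.0.2.10])
\tby mx.example.net with ESMTP; Mon, 1 Jan 2001 00:00:00 +0000
Message-ID: <20010101000000.1234@pjpan.co.uk>
From: sshccserv356@rhbgroup.com
To: victim@example.net
Subject: Please update your password

body
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def aligned(domain, from_domain):
    """Assumption: same domain or a subdomain counts as aligned."""
    return domain == from_domain or domain.endswith("." + from_domain)

def header_mismatches(raw):
    """Return (From domain, {header: domain}) for headers that disagree with From."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    seen = {}
    for name in ("Return-Path", "Message-ID"):
        domain = domain_of(msg[name])
        if domain:
            seen[name] = domain
    for i, received in enumerate(msg.get_all("Received", [])):
        match = re.match(r"\s*from\s+([\w.-]+)", received)
        if match:
            seen[f"Received[{i}]"] = match.group(1).lower()
    return from_domain, {k: v for k, v in seen.items() if not aligned(v, from_domain)}

if __name__ == "__main__":
    print(header_mismatches(RAW))
```

A mismatch is a signal rather than proof: every header except the Received lines added by your own mail server is supplied by the sender and can be forged as easily as the From line.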

YouTube video flagged as inappropriate

Last week one of my most popular videos detailing how I hacked Unifi accounts was ‘flagged’ as inappropriate in YouTube–apparently it was in violation of their community guidelines.

As such my video was made unavailable and essentially deleted from YouTube.

I was upset.

The email I received from YouTube gave no indication as to what I did wrong, and even though it states that someone has viewed my video, the language used suggests this was just an automated message sent to my inbox. Nowhere does it suggest an actual human viewed my video and made a judgement, and even worse, no justification was given for the removal of the video other than it was ‘flagged’.

Regarding your account: Keith Rozario

The YouTube Community has flagged one or more of your videos as inappropriate. Once a video is flagged, it is reviewed by the YouTube Team against our Community Guidelines. Upon review, we have determined that the following video(s) contain content in violation of these guidelines, and have been disabled:

Everyone hates spam. Misleading descriptions, tags, titles or thumbnails designed to increase views are not allowed. It’s also not okay to post large amounts of untargeted, unwanted or repetitive content, including comments and private messages.

Your account has received one Community Guidelines warning strike, which will expire in six months. Additional violations may result in the temporary disabling of your ability to post content to YouTube and/or the permanent termination of your account.

For more information on YouTube’s Community Guidelines and how they are enforced, please visit the help center.

Please note that deleting this video will not resolve the strike on your account. For more information about how to appeal a strike, please visit this page in the help center.

Sincerely, 

The YouTube Team


3 Ways to watch Netflix from Malaysia

Netflix is awesome. I watch it everyday, and while the selection is dated–it’s still pretty good.

If you needed proof of just how good it is–32% of all internet traffic in the US belongs to Netflix. There are two problems though. First, it isn’t free, and costs about RM30 a month. Not really an issue, since RM30 on Netflix gets you a lot more content than the RM100+ you spend on Astro.

The second problem is that it’s not available in Malaysia. So even if you were willing to pay the cash, you couldn’t get Netflix streamed to your home–until now that is. So here are 3 ways to stream Netflix, BBC iPlayer and even DramaFever (for the k-drama fans out there) to your home in Malaysia.

Seatbelts and Anti-Virus software increase your risk

There’s evidence to suggest that mandating seat-belts actually increases the accident rate in a country. The hypothesis is that drivers are likely to take more risks in cars with visible safety features like seat-belts than in cars without them. Ironically, feeling safe is the most dangerous thing drivers are at risk from.

In addition, because car drivers felt safe and took more risks–cyclists and pedestrians were the worst to suffer. Somehow increasing the safety of one group of road users reduced the safety of another. The results aren’t conclusive, but I believe it, and there are other fields of study that support this hypothesis as well.

Consider this study, which asked people to install malware on their PCs–by offering them financial incentives that were as low as 1 cent! Of course it’s depressing that people were willing to install unknown applications on their machines just because someone offered them a pitiful amount of money–but there was another surprising element that the study uncovered:

Surprisingly, we noticed a significant positive trend between malware infections and security software usage ( = 0.066, p < 0.039). That is, participants with security software were more likely to also have malware infections (17.6% of 766), whereas those without security software were less likely to have malware infections (11.6% of 199). While counterintuitive, this may indicate that users tend to exhibit risky behavior when they have security software installed, because they blindly trust the software to fully protect them

So it seems that seat-belts and anti-virus software, which both operate in the foreground and provide visual confirmation that they’re protecting you–actually increase risky behavior among some of their users. The added protection that seat-belts and anti-virus software provide gave their users a heightened sense of security–which is justifiable. However, users then took that sense of security and used it to engage in more risky behavior, or at least some users did.

I’ll say it again. Feeling safe is ironically, not so safe!

Powerline adapter for better networking at home

AV500 Gigabit Powerline Adapter TL PA511

A popular question I get is how to boost a WiFi signal. Folks struggle to get good WiFi connections on the 2nd (or 3rd) floors of their homes because the routers they have don’t pump enough ‘juice’ to go around. This is particularly true for those that work from home; having poor WiFi while trying to have a teleconference just sucks. While other applications like YouTube and Facebook could use buffering or caching, a real-time conversation with someone over Skype relies on good connectivity all the way from one party to the other, and it doesn’t matter if you have Unifi 20Mbps if your WiFi is laggy.

I thought I could fix this by buying a more powerful router–but that didn’t work. The signal strength increased, but the quality was still below par.

The best solution is to skip WiFi and get a Powerline Adapter instead. A powerline adapter uses your home electricity wiring to transmit the data, and because it uses wires, it’ll beat any wireless connection you have. The adapters fit nicely into your 3-pin wall sockets, and all you need is Ethernet cables to plug into them to hook up your laptop or PC to your router located somewhere else in your home.

The premise is quite interesting and the results are even better.


Malaysia boleh: 3 countries, 3 card-skimmers, all Malaysian

On April 28th, 4 men were caught installing card-skimming devices on ATM cash machines in Bangkok, Thailand. They were all Malaysian.

On the 14th of May, 6 men were caught installing similar devices in ATM machines in Jakarta, Indonesia. They were all Malaysian.

On the 8th of June, 2 men were convicted in Singapore for installing card-skimming devices on ATMs in Singapore. They were both Malaysian. I wrote about this more than 2 years ago, when some DBS customers noticed withdrawals from their accounts occurring in Malaysia.

Why are Malaysians getting involved in these syndicated crimes? Are they a front, or are they the fall-guys, or are they the brains of the operations?

I guess another way to ask the question is also–why aren’t they committing their crimes in Malaysia? Why go to Thailand to commit a crime when you can do it here–surely the banks must be doing something right with our security. But don’t let your guard down, here’s the most important thing you have to do when you withdraw money from an ATM:

Cover the PIN-PAD with your hand when you’re entering the PIN

Without the PIN, even if the criminals manage to clone your card–it’ll be difficult to do anything damaging. So remember guys, always cover your PIN. It’s unfortunate that Credit Cards in Malaysia are signature only–if they were Chip and Pin we’d be in a much more secure environment. However, an initiative to implement Chip and Pin in Malaysia has been delayed, so we’re unsure when Malaysians will get PIN-enabled Credit Cards.

Here’s a video with more info:

*Now some may claim that in Malaysia we use EMV rather than the mag-stripe in the video and therefore we are more secure. Yes, we are more secure, but we’re not completely secure. EMV is a pretty old standard, and more and more exploits have been released for EMV. It’s only a matter of time before someone discovers a full-blown vulnerability in the EMV standard that would render EMV cards cloneable (or much more easily cloneable than they are today).

The Monty Hall Problem in Excel

Monty Hall Problem Excel

I remember this problem from watching an episode of Numb3rs. You’re a contestant on a game show–and you’re given 3 doors to choose from.

Behind one door is a shiny new sports car–behind the other 2 are goats. Your goal is to get the sports car by choosing a door. But after you choose a door, the host reveals one of the doors with the goats, leaving you with just two doors instead of your initial 3.

The choice is now yours again–do you switch doors, or do you keep your initial choice–or do you think it doesn’t matter?

Think about it.

The answer is that it’s always better to switch; in fact you’re two times more likely to win the car if you switch than if you don’t. There’s a quick video at the bottom of the post outlining the problem, but here’s an Excel spreadsheet simulation I coded with some macros to help you visualize the problem.

All you have to do is enter in how many games you want to play (the default is 1000), and what kind of switching you want:

  • YES – Switches the choice every time
  • NO – keeps the initial choice door every time
  • RANDOM – randomly selects a door from the remaining 2 doors

Then you can see how many games you would have lost or won based on your strategy, and it’s clear that switching is twice as successful as keeping. To download the spreadsheet click here.

One way to think of it is that your initial choice has a 1/3 chance of winning the car, meaning you had a 2/3 chance of losing. So your initial choice was most likely wrong, and switching after a goat is revealed flips your chances of winning from 1/3 to 2/3.
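The same experiment in Python, as an added example rather than the spreadsheet's own macro code. It keeps the three strategy names from the list above and goes one step further by also computing the exact win probability for each strategy by enumeration; the function names are assumptions made for this sketch.

```python
import random
from fractions import Fraction

DOORS = (0, 1, 2)

def host_options(car, pick):
    """Goat doors the host may open: never the car, never the contestant's pick."""
    return [d for d in DOORS if d != car and d != pick]

def final_choices(strategy, pick, opened):
    """Equally likely final doors for each strategy (YES / NO / RANDOM)."""
    remaining = [d for d in DOORS if d != opened]
    if strategy == "YES":        # always switch to the other closed door
        return [d for d in remaining if d != pick]
    if strategy == "NO":         # always keep the initial door
        return [pick]
    if strategy == "RANDOM":     # pick either of the two closed doors
        return remaining
    raise ValueError(f"unknown strategy: {strategy!r}")

def simulate(strategy, games=1000, seed=0):
    """Fraction of games won over `games` random rounds (seeded, so repeatable)."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(games):
        car, pick = rng.choice(DOORS), rng.choice(DOORS)
        opened = rng.choice(host_options(car, pick))
        wins += rng.choice(final_choices(strategy, pick, opened)) == car
    return wins / games

def exact(strategy):
    """Exact win probability, summing over every car/pick/host/final combination."""
    total = Fraction(0)
    for car in DOORS:
        for pick in DOORS:
            opts = host_options(car, pick)
            for opened in opts:
                finals = final_choices(strategy, pick, opened)
                weight = Fraction(1, 9) / len(opts) / len(finals)
                total += weight * sum(f == car for f in finals)
    return total

if __name__ == "__main__":
    for s in ("YES", "NO", "RANDOM"):
        print(s, simulate(s, games=1000), exact(s))
```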