Why we fear ‘hackers’: Dangers of Technical Illiteracy

Are you afraid of hackers? Do you lie restless at night thinking of what might happen if they got into your bank account, Facebook profile, or e-mail? Perhaps you’re also worried that they might hack into a forum you visit, or that they might get into your personal messages on WhatsApp.

It’s true that hackers are able to do all of these things, but the public perception of hackers really isn’t quite justified, and this false perception can lead to terrible outcomes.

Take last week’s post about the hacktivist group Anonymous. In it I expanded on the public fear of Anonymous and how that didn’t correspond to the actual damage that the group causes. Sometimes all Anonymous does is a DDOS on a public website; that still takes some skill, but is far removed from actually infiltrating a server. Yet most people wouldn’t be able to differentiate a DDOS attack on a website from a compromise of an actual server, and this inability leads them to disproportionately fear hackers. Worse still, it leads them to lump all security-related incidents into a single bucket called “hacked by hackers”.

But Why?

Why are people so afraid of hackers? And why is there a huge discrepancy between what some of these hackers are actually doing and the fear that the average citizen has of them?

I have one theory–ignorance, or more specifically tech-illiteracy.

Our Communication Minister must be mistaken

Our newly appointed Communication Minister has come out all guns blazing in directing the Malaysian Communications and Multimedia Commission (MCMC) to ask social media giants such as Facebook, Google and Twitter to soon block “false information and rumours” on their platforms.

That in itself is quite frustrating, but what really got me scratching my head was his claim that “social media providers acted on 78 per cent of MCMC’s request for removal of content last year, with Facebook taking action on around 81 per cent of its request.”

Reuters reported that:

A Google spokesman in Kuala Lumpur said the Internet giant was “always in conversation with” the Malaysian Communications and Multimedia Commission but he declined to comment on the request from the government on curbing content.

Facebook and Twitter were not immediately available for comment.

Fortunately, we don’t need to ask Google, Facebook or Twitter about these specific requests, because this information is already publicly available. All 3 social media platforms publish transparency reports that detail any and all government requests made to them, and whether or not those government requests were acted upon.

And as it turns out, the data that our Minister has doesn’t quite tally with the information published by the platforms. According to the Facebook transparency reports (found here and here), the Government of Malaysia made 36 content removal requests and 46 user account requests. Of these, less than a quarter were acted on by Facebook. Unfortunately, Facebook doesn’t provide details about the specific Government agency making the requests or which specific requests were acted upon. But, as you can see, the numbers are fairly small (a mere 36 content removal requests over an entire year), and the success rate of those requests is quite slim as well (less than 25%).

With Twitter things get even more interesting.

In 2014, the government made 3 user account requests to Twitter, of which all 3 were rejected; that’s a resounding success rate of 0%. And in the first half of this year, it had made 1 removal request, which was also rejected. Twitter doesn’t quite like the requests from our government, and the government doesn’t make that many either.

I could go on with Google, but you get the picture.

The government is not having ANY success with the removal requests, so why bother trying?

A more pertinent question is why is the Minister making these numbers up? Either he’s been given false information, or he’s just making shit up at this point. There is a possibility that maybe he’s telling the truth, through some math-magic; maybe the MCMC makes a smaller fraction of the requests to Facebook, and maybe those have a success rate of 80%, but that’s unlikely, and it would be an insignificant number anyway.

My theory is that when you have Ministers who are appointed based on their loyalty to a certain someone, as opposed to technical knowledge of the area they’re supposed to be administering, you will continue to get this sort of bullshit.

When technical merit takes a backseat to political connections and allegiances–you’re bound to end up with people who don’t know anything. Something we all should be very, very worried about.

Full disclosure: Google actually had one request for the 2nd half of last year, and complied with that request, resulting in 100% compliance. However, over the entire reporting history, Google complied with 17 out of 31 requests, nowhere near the numbers the good Minister has.

Understanding Anonymous from a Malaysian context

The latest buzz in Malaysian cyberspace is the ‘threat’ from Anonymous Malaysia to launch ‘internet warfare’ on the Malaysian government, singling out our poor ol’ Prime Minister, demanding that he step down or face the consequences of Anonymous’ actions.

The threat of internet warfare even came with a date, 29th to 30th August at 2.30pm, coinciding with Bersih 4.0. You know you’re dealing with a bad-ass when they tell you when the attack is coming, sort of like Muhammad Ali telling his opponents which round he would knock them out in. (down in the 5th)

Of course, this was followed swiftly by condemnation from Bersih, which sought to distance itself from an unknown entity like Anonymous, and even from the Police, who quickly determined that the video published wasn’t shot in Malaysia. Some have claimed that the hackers are only interested in fame, which seems odd, seeing as how they’re …..Anonymous.

Various agencies have also claimed to ‘tighten up’ their security following the threat, which meant that security probably wasn’t very tight prior to a threat from a person wearing a Guy Fawkes mask.

But here’s the thing. Anonymous isn’t like any other organization you know of; it doesn’t have a leader, or a CEO, or someone that’s in command. Anonymous is a hacker ‘collective’ and its governance structure isn’t something you’d find in the real world.

The best explanation I can give you of Anonymous is this: it’s a group of hackers that come together to utilize their skills for a common goal, and the grouping disintegrates once the common goal is achieved. Meaning that the anons who attacked the Church of Scientology back in the early days are probably not around any more. They most likely have been replaced by a new bunch of anons (that’s what we call members of Anonymous). In short, anyone can be Anonymous, and no one has copyright over the term. So having one branch of Anonymous cite another for ‘using our name’ seems anathema to the principles of the collective. Also, Anonymous does get involved in politics, and it does so all the time; whether it’s attacks on US Government websites, attacks on regimes like Tunisia, or helping out Occupy Wall Street or Julian Assange, Anonymous is very political in nature.

Most of the time though, Anonymous is responsible for things that border between attack and prank. Its attacks on the Church of Scientology (code named project Chanology) involved sending black faxes (designed to waste ink), and a Denial of Service attack on the church’s website. A few years down the road, Anonymous took out PayPal’s, Visa’s and Mastercard’s websites through a similar DDOS attack that, while damaging to the companies’ websites, did not impact the financial processing capability of the victims. These things obviously have some impact on the corporations being attacked, but the degree of that attack doesn’t seem to correspond to the amount of fear people have of the collective.

It’s like if someone were found guilty of chaining the doors at your local McDonalds, but you penalize them as though they detonated an explosive inside. To be honest, even if Anonymous took out the 150 Malaysian websites, how many of us actually visit the MACC website–do you even know the URL for it?

Of course, that doesn’t mean Anonymous is a lame-duck threat; there are times when Anonymous steps up their game. Part of the beauty of being a collective is that sometimes you do get genuine bad-ass hackers that can wreak some havoc. One such case was #OpCartel, where members of Anonymous claimed to have hacked the databases of the Zeta Drug Cartel in Mexico, and threatened to expose the names of the members unless a kidnapped Anon was released. Not ones to back down from fights, the Zetas issued a simple but scary as hell response, “for every name released by Anonymous, the Zetas would kill 10 innocent people”. Anonymous understandably backed down, but what eventually unfolded is unknown, and the facts surrounding the entire story are blurry to say the least.

What’s interesting about the confrontation between Anonymous and Zetas is that it gives us a glimpse as to what happens when two non-state actors go at it with each other. What’s even more interesting is that Anonymous backed down, they themselves were not in any harm, and seemingly ceased operations of #OpCartel presumably because they didn’t want innocent people to die for their actions. If the American Government had such information, would it have done the same thing? If the NSA had a list of ISIS operatives in London, and ISIS threatened to kill 10 innocent people for every one ISIS operative caught–do you think the situation would play out with the NSA backing down?

The collective nature of Anonymous makes them unpredictable, and that itself can be threatening. If you’re responsible for the security of the websites of certain agencies, what could you make of it? Nothing much, because you should be as secure as you can be, every single time. You shouldn’t be waiting for a guy in a video to threaten you before you take action; your websites should be secured to your best possible effort every day of the week. The fact that the government is ‘taking this seriously’ is cause for concern for me.

So what should we as Malaysians do?

We have a Government who has censored the internet, bought surveillance software to spy on citizens (twice!), threatened to force news portals to register online, has overseen a significant drop in the quality of our science and maths education, and is fully fine with accepting foreign donations of RM2.6 billion. What you should do as a Malaysian is get off your arse and join Bersih 4.0, and let Anonymous do what they want.

TM blocking SarawakReport

SarawakReport, a website covering sensitive political topics in Malaysia, was blocked today by the country’s most prominent ISP, Telekom Malaysia (TM).

Internet users using TM’s Domain Name Server (DNS) reported that the website was inaccessible, and I’ve confirmed that it is an intentional block by TM.

Here’s a quick primer on DNS. The internet works on this marvelous set of rules we’ve come to call the Internet Protocol. Part of this protocol requires that every server or machine on a network be assigned a unique number to identify itself; this number is called an IP address. An IP address is sort of the phone number of a server, and if you want to communicate with a server you’d need to know that server’s phone number.

Now of course the internet is made of billions of websites, and so it comes with its own directory service. Older readers will remember dialing 103 on our local phone lines to talk to an operator to look up someone’s phone number; this is exactly the same concept. On the internet, this directory service is automatic, and comes with a cool name–Domain Name Server (DNS).

When you type google.com or keithRozario.com in your web browser, the browser automatically looks up the IP address of the website you requested via a DNS server. And just like how you’d have to memorize 103 in order to call it, your computer is set to request DNS resolutions from a specific DNS server.

For most TM users, this is set to a DNS server with an IP address of 1.9.1.9. You can change this of course, but if you never knew what a DNS was, chances are you’re using TM’s server to convert web addresses to IP addresses.

Now you can see the issue, if TM is the sole service that you use to convert website addresses to IP addresses, it has a lot of control. For instance it could block you from accessing porn sites (which it does), and of course it can block you from accessing ‘controversial’ political blogs like SarawakReport.

How do I know this? You can change the settings on your computer to use alternative DNS servers (Google and OpenDNS run great free services), and these DNS servers convert SarawakReport.org to IP addresses like 104.20.27.161 (note that most of the time popular websites have multiple IP addresses, but that’s not important for now). However, if you use TM’s DNS server, SarawakReport.org converts to 175.139.142.25, which is an IP address owned by TM. This also explains why users who use Proxy servers or different DNS settings will not experience any issues.

TM’s DNS server resolving SarawakReport.org to 175.139.142.25

Tsk, tsk, tsk.

If you do a reverse DNS lookup, essentially reversing the process of looking up IP addresses corresponding to web URLs, and instead looking up web URLs corresponding to IP addresses, you find that the same IP address is currently being used by Senyum.my–and that website has a glaring notice on the front page, signalling that the site is blocked for violating Malaysian law; that’s the screenshot you see above.

Essentially TM routed all traffic destined for SarawakReport.org to a server they keep up for hosting a ‘blocked’ notice.
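The comparison described above can be automated. The following is an added example, not code from the original post: it parses DNS replies and flags a resolver whose answers share no address with resolvers that agree with each other. The resolver labels, the second address in the "google" reply and the reply bytes themselves are constructed sample data; `query()` is the live-network path and is not exercised by the sample.

```python
import socket
import struct
from ipaddress import IPv4Address

A, IN = 1, 1  # record type A, class IN

def encode_name(name):
    """Encode a hostname as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid=0x1234):
    """Standard recursive query for the A records of `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", A, IN)

def build_response(name, addrs, qid=0x1234):
    """Constructed sample reply, so the example runs without a network."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)
    body = encode_name(name) + struct.pack("!HH", A, IN)
    for addr in addrs:
        # 0xC00C is a compression pointer back to the name at offset 12.
        body += b"\xc0\x0c" + struct.pack("!HHIH", A, IN, 300, 4)
        body += IPv4Address(addr).packed
    return header + body

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a pointer always ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg):
    """Extract the IPv4 addresses from the answer section of a reply."""
    _qid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A and rclass == IN and rdlen == 4:
            addrs.append(str(IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs

def query(resolver_ip, name, timeout=3.0):
    """Ask one resolver over UDP (live use; not called by the sample below)."""
    request = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (resolver_ip, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != request[:2]:
        raise ValueError("transaction ID mismatch")
    return parse_a_records(reply)

def find_divergent(answers):
    """Flag resolvers sharing no address with any other resolver, provided
    the remaining resolvers (at least two) overlap with each other."""
    flagged = []
    for name, ips in answers.items():
        others = [v for k, v in answers.items() if k != name]
        overlaps = any(ips & o for o in others)
        others_agree = len(others) >= 2 and all(others[0] & o for o in others[1:])
        if not overlaps and others_agree:
            flagged.append(name)
    return flagged

NAME = "sarawakreport.org"
# Constructed replies using the addresses quoted in the post;
# 104.20.26.161 is a made-up second address to show multi-record answers.
SAMPLE_REPLIES = {
    "google": build_response(NAME, ["104.20.27.161", "104.20.26.161"]),
    "opendns": build_response(NAME, ["104.20.27.161"]),
    "tm-1.9.1.9": build_response(NAME, ["175.139.142.25"]),
}

def analyse(replies):
    """Parse every reply and return (answers per resolver, flagged resolvers)."""
    answers = {r: set(parse_a_records(m)) for r, m in replies.items()}
    return answers, find_divergent(answers)

if __name__ == "__main__":
    answers, flagged = analyse(SAMPLE_REPLIES)
    for resolver, ips in answers.items():
        mark = "DIVERGENT" if resolver in flagged else "ok"
        print(f"{resolver:12} {sorted(ips)} {mark}")
```

Sites served from several networks can legitimately return different addresses to different resolvers, so a flagged resolver is a reason to check who owns the returned address, as the post does, rather than proof of a block.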

This is just so sad, I really don’t know if I should laugh or cry. This method of blocking is so ineffective even a child would be able to bypass it.

For those wishing to access SarawakReport.org, please change your DNS server settings in Windows–a more effective way around the issue is to use a VPN, like the one I recommend here. A VPN provides a sure-fire way to bypass all the censorship that local ISPs can put in place.

Here’s my review of a VPN service you can use, and hopefully you use my promo code to send some cash my way :). Even if you don’t, it’s OK though, I’m still cool.

*Update*

TheStar have confirmed that the MCMC has issued the directive to block the website, something quite sad, seeing as how you already know how to circumvent the ‘block’.

Hacking Team got Hacked, and here’s what Malaysia Bought

A screenshot of the RCS Software from Hacking Team

There are two types of governments in the world: those that build complex surveillance software to spy on their citizens, and those that buy them. Our government is more the buying type.

Few nation-states have the budgets to build out complex surveillance software, but many governments are finding that ‘off the shelf’ software sold by dodgy companies is just as effective at a fraction of the price of developing that capability. The problem with buying, of course, is that sometimes those dodgy companies sell their wares to repressive regimes like Sudan, and being on the same customer list as Sudan doesn’t reflect well on you.

One such dodgy company is Gamma Corp, the organization responsible for the FinSpy and FinFisher suite used by the Malaysian government in the run-up to the 2013 General elections. Another is Hacking Team, an Italian-based company that produces similar remote control software (RCS).

And in a bit of internet karma–both of these companies were hacked themselves…possibly by the same person.

In August 2014, Gamma was hacked and had 40GB of data forcefully exfiltrated from their servers. My analysis of that leak revealed no information about Malaysian purchases of their FinSpy software, but that was a puny 40GB of data, or roughly 3 times more data than an iPhone.

Recently however, Hacking Team had a much more severe attack, one that managed to extract 10 times more data, and here I found ample evidence of Malaysian government agencies procuring spyware from Hacking Team presumably to be used against Malaysians.

The question of course is should you be worried? The answer is yes, and not just for the obvious reasons you might think. After combing through a trove of documents I found that 3 government agencies procured the ‘flagship’ RCS software from Hacking Team, and from my layman’s understanding of the law, none of them have authority to actually use it. Worse still, some e-mails point to incompetent IT skills as well as bad procurement practices that actually annoyed the supplier. I will conclude this post with why this attack on Hacking Team has a positive outlook for regular internet users, and why our government agencies procuring this stuff isn’t exactly ALL THAT BAD.

For the FINAL time, Malaysian internet speeds are NOT slow.

First off, apologies for the lack of content on the blog. I’ve been really busy at work these past few months, and content is slow moving. For instance, the previous post was a review of a router that I tested for 4 weeks and returned to the supplier more than a week ago–and the post only went up yesterday. To that end, my decision is to churn out my thoughts just ‘straight from the gut’ and not give these posts the usual research I typically do. Hope my regular readers will forgive the tardiness.

OK, let’s go.

Every year we get a renewed riff-raff over the internet speeds in Malaysia. Some Malaysians feel that internet speeds in Malaysia are slow, and maybe they’re right. But some Malaysians–including some reporters who should know better–quote sources like Ookla and claim that Malaysian internet speeds are slower than those of Cambodia or Vietnam.

Here’s the problem: the Ookla report only churns out data based on user-executed tests on the popular speedtest.net website, where every test on the website is counted against the country. This makes Ookla a pretty decent place to get info, but if you confine yourself to merely the Ookla data, you can easily see how it can mislead your conclusions. Firstly, it assumes users with different internet speeds are testing at the same rate; secondly, it is the collective average of all internet connectivity (fixed and mobile); and thirdly, it doesn’t really give a good indication for a country the size of Malaysia.

More problems crop up when you actually dive into the data (something I hope the reporters did) and you realize the way Ookla was averaging the speeds wasn’t accurate. The most important issue of all is that most tests conducted are usually between the user and the closest node–meaning if you’re in KL it would try to test against a node in KL, rather than in the US. Unfortunately, the internet is geographically very distributed, and these tests don’t provide us a good indication of the overall speed of connections–and more importantly how those connection speeds are distributed among the citizens in the country.

A more comprehensive way to gauge how good Malaysian internet connectivity is, is to take a couple of other data points besides Ookla to draw a more complete picture of the true state of Malaysian internet.

For instance, you might look at the Akamai State of the Internet report. Unlike Ookla, which bases its data on user-executed tests, Akamai bases its data on actual internet traffic, and they should know because by some accounts they deliver 15-30% of global internet traffic. What does Akamai say? Well, Malaysia has an average speed of 4.3Mbps, while Cambodia averages just 3.3Mbps and Vietnam 3.2Mbps. We’re still trailing Singapore and Thailand, but we’re not as bad as the Ookla data suggests. Also, Akamai reports that more than 43.2% of users have an internet connection above 4Mbps (quite surprising if the average is 4.3–suggesting our median internet connection speed is also 4Mbps), while in Vietnam and Cambodia those numbers are 25% and 17% respectively.

Now of course we can’t compare to Cambodia and Thailand if we want to grow as a ‘knowledge-based’ economy, but in reality we can’t compare to Singapore either–we are a very geographically diverse country. A lot of Malaysians draw a Malaysian map that only includes Peninsular Malaysia–forgetting we have another part of Malaysia across the sea whose internet connectivity is nowhere near what we have in KL. So….you can’t really compare averages here, it would be completely unproductive.

Finally we have the Sandvine report, which you can download from the Sandvine site after you’ve registered. Sandvine provides services to various ISPs and telcos and uses that data to detail trends–they don’t provide connection speeds as part of the report, but they do break traffic down into fixed vs. mobile, and the amount of data consumed (and type of data consumed) across the different channels.

For example, in the Asia-Pacific region, the average consumption of data across a fixed connection is between 17-30GB of data. That’s less than half the fair usage amount advertised by TM, and a good reason to believe that TM will probably never implement such a policy. Sandvine also breaks down the traffic type, indicating that in our region the biggest data usage is on BitTorrent, followed by YouTube. Partially expected, but think about what that means for connection speeds–if we have local YouTube servers in Malaysia, wouldn’t that result in a better overall internet experience for Malaysian users? Better than, say, someone in Thailand with a faster internet connection, but having to route that to an outside country? Also BitTorrent is interesting, because your connection speed on BitTorrent is just part of the equation; you also have to rely on the BitTorrent swarm to have enough bandwidth and seeds to experience quick downloads on the protocol.

All in all, I just want to say, Malaysia is far from perfect, and I’ve got no problems bringing the government down a peg or two, maybe even three. But sometimes we just have to be honest and focus on the real issue.

The real issue in Malaysia is internet penetration, and specifically broadband penetration. Unlike you old folks (including myself these days), the younger generation of this country are using fewer fixed devices like PCs and laptops, and more smartphones and tablets, and the way we use the internet is fundamentally changing. We need to up the penetration to the kampungs and rumah panjangs, and not fret too much about speeds. We also need to get cost down, which is a fundamentally different problem than getting speeds up.

I blame the media for this bullshit. The reporters of most of these news outlets have so badly researched their stuff that geeks like me just get angry when we read them, and I know the vast majority of Malaysians have no idea of the nuances of these reports, and are just taking them at face value–the media have a fundamental responsibility to help people make sense of the data, and they have failed miserably–I’m looking at you, Malaysiakini.

That’s it folks, I’m sure there are some typos and errors in the post, but any post is better than no post. Hope you enjoyed it.

Keith signing off!!

EnGenius Wireless Router ESR600 Review

A couple of weeks back, the guys over at infoversal loaned me an Engenius ESR600 router for a review. At first I was a bit hesitant, but my overall unhappiness with my TP-Link router made me think twice. So I gave it a shot, and boy was it worth it.

The router looks pretty normal, nothing to shout about here. While its competitors like Asus and TP-Link opted to go for black exteriors, Engenius chose to stick to a white-ish color. This thing doesn’t look good near modern TV sets or home theatre systems (which is where my router is), but the fact that it doesn’t have antennas seems to be a saving grace.

That being said, the Engenius is a pretty slick device. I’m not sure how it does it, but the antenna-less Engenius design has more signal strength than my TP-Link router over both the 2.4GHz and 5GHz range. Yes, the router is dual-band and one that actually works well over both bands. So great points for Engenius in that category.

The day the internet stood still–AGAIN!

There was a time when the internet was young, just a little fledgling network, an academic toy used only by computer scientists to try out theoretical concepts. Contrary to popular belief the internet wasn’t created to withstand a nuclear war (although it can); instead it was created to address a very serious engineering question–how to connect together different computers with different operating systems and different commands? The answer to that question stumped many brilliant people. In the late 60’s and early 70’s, computers were Gods of their domain, stand-alone machines with ‘slaves’ like disk-drives and monitors; if you hooked up a computer to another computer, they wouldn’t know what to do–there’s a Chinese saying about how one mountain can only have one dragon, and computers in those days were exactly like that.

Solving that issue of having computers connect to each other was no trivial task; it took a US Department of Defence project to resolve the issue, culminating in ARPANET. For geeks like me, ARPANET is like the garden of Eden, where it all began, where God said let there be downloads and uploads. But ARPANET was a military funded network, and soon other networks began to connect into it, and slowly but surely ARPANET faded into oblivion, leaving a civilian run Internet behind. The engineering challenges of the day were daunting enough that no one stopped to think about the possible security challenges; after all, the word cyber-crime didn’t exist yet, and there wasn’t an internet to do bad things on. So a lot of the protocols that were designed by the engineers of the day assumed that everyone on the network was playing fair and nice, and that it was a co-operative network of peers. Today, IT architects like myself view the internet as an untrusted but reliable network, where all sensitive data traversing it should be encrypted. It’s like a super highway full of bandits, and the only way we’d use it is if we drove tanks.

E-mail, the killer-app

Take for instance the very first ‘killer-app’ for the internet, e-mail. The first iteration of e-mail was built on a protocol meant for transferring files rather than messages, a kind of protocol hack. This was a time when the number of users on the network could be listed by hand on a piece of paper–and everyone trusted each other, hence the protocol never incorporated any form of authentication simply because it wasn’t required. The early internet was like the sitcom Cheers: everybody really did know your name. Even when e-mail got its own protocol, authentication was never considered an important feature.

Authentication is the act of verifying the identity of a person or machine performing a request. When you call certain call centers, they may authenticate you by asking a series of questions like “what’s your mother’s maiden name”, or “what’s your favorite pet”. Un-authenticated protocols allow anyone to either impersonate someone, or just execute any command, and unfortunately are the default for many of the older protocols online.

The e-mail we use today is built on these ancient un-authenticated protocols, with a couple of tweaks here and there, but fundamentally it remains every bit as insecure today as it was back then. The only difference is that there are a lot more internet users today than in the 70’s, and some of those users are criminals, so when you have a widely used insecure protocol, and a criminal element looking to exploit it….you have problems.

Everything is insecure, now what?

And that brings us nicely into what happened last week. I must admit I didn’t experience the issue as I was at work, but apparently Telekom Malaysia not only experienced a catastrophic internet melt-down in Malaysia, it was also causing network issues on the internet globally.

The internet is (as the name suggests) an interconnection of different networks. You can think of each Internet Service Provider (ISP) as a node on that network that communicates with other ISPs. All these nodes communicate with each other using the Internet Protocol (IP), and IP works fairly similarly to the way the postal system works, with routing occurring at post-offices throughout the country, and between countries. (hopefully my previous post will help you understand)

But IP isn’t the complete picture, while IP defines how messages get routed from one node to another, it doesn’t define how those routing decisions are made. In other words, how does the Post-Office know that letters addressed to the US should be sent to Hong Kong first, before being shipped to the US?

The answer is a totally separate protocol called BGP, which was invented in the 80’s, slightly younger than IP or e-mail, but still old enough to be born in a time before security was a major concern on the internet. BGP allows for nodes in the network to communicate with each other, ‘advertising’ the other nodes they connect to.

IP is a protocol based on routing by tables, and BGP is the protocol that defines how those routing tables get populated.

How does it work?

So for example, imagine if Klang were a country unto itself (some say it already is), and had its own ISP, Klang Telecommunications (KT). KT is a pretty decent ISP, and has about 2,000 IP addresses assigned to it by IANA, the body in charge of IP addresses.

Unfortunately, KT is a small local ISP and can’t build expensive under-sea cables to the internet. Instead it connects to Telekom Malaysia and Maxis for all its internet traffic. In this case, Telekom Malaysia and Maxis would advertise the KT IP addresses as ones that they connect to directly, and anyone wanting to communicate with KT would route all their traffic to either of them first.

Now imagine an IP packet on the AT&T network in the US destined for a server hosted on the KT network. AT&T would look at its BGP tables and see that in order to send the data to KT, it would have to route the packet to either Maxis or TM. Then it looks internally and discovers that it has a direct connection to TM (single-hop), but needs to go through a Singaporean ISP to connect to Maxis (double-hop). The fastest way to get to KT is through TM, and hence all the routing is from AT&T to TM and finally to Klang.

You can probably see the issue already, if the ‘advertising’ function of the BGP isn’t authenticated, anyone can control network routing, by just claiming to be the nearest node to Facebook, or Youtube, which is exactly what Pakistan did back in 2007. Since all nodes accept the information from all other nodes without question and authentication–a rogue ISP, or even a careless mistake can wreak havoc.
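To make the trust problem concrete, here is a toy model of the route selection described above, written as an added example and not taken from the original post or from any router's code. It uses the post's KT, TM, Maxis and AT&T names; the prefixes, the "SG-ISP", "VideoSite" and "RogueISP" names and the origin allowlist are all hypothetical, and real BGP best-path selection has many more steps than prefix length and path length.

```python
from ipaddress import ip_address, ip_network

KT_PREFIX = "10.20.0.0/21"     # constructed: 2,048 addresses for Klang Telecommunications
VIDEO_PREFIX = "10.99.0.0/22"  # constructed: a popular site reached via the Singaporean ISP

# Hypothetical record of which network is allowed to originate which prefix.
AUTHORIZED_ORIGINS = [
    (ip_network(KT_PREFIX), "KT"),
    (ip_network(VIDEO_PREFIX), "VideoSite"),
]

class Router:
    """A node that builds its routing table from neighbours' advertisements."""

    def __init__(self, name, authorized_origins=None):
        self.name = name
        self.authorized = authorized_origins  # None: believe everything
        self.routes = []     # (network, neighbour, path)
        self.rejected = []   # (neighbour, prefix, claimed origin)

    def _origin_ok(self, net, origin):
        # Origins allowed for any registered block that covers this prefix.
        covering = [o for n, o in self.authorized if net.subnet_of(n)]
        # Prefixes nobody registered are accepted, as they would be unknown.
        return not covering or origin in covering

    def receive(self, neighbour, prefix, path):
        """Process one advertisement; the last hop in `path` is the origin."""
        net, origin = ip_network(prefix), path[-1]
        if self.authorized is not None and not self._origin_ok(net, origin):
            self.rejected.append((neighbour, prefix, origin))
            return False
        self.routes.append((net, neighbour, list(path)))
        return True

    def best_route(self, dest):
        """Most specific prefix wins; ties go to the shortest path."""
        addr = ip_address(dest)
        candidates = [r for r in self.routes if addr in r[0]]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r[0].prefixlen, len(r[2])))

def build_router(check_origins):
    """AT&T's view after hearing from its neighbours, with or without the check."""
    router = Router("AT&T", AUTHORIZED_ORIGINS if check_origins else None)
    router.receive("TM", KT_PREFIX, ["TM", "KT"])                   # single hop to TM
    router.receive("SG-ISP", KT_PREFIX, ["SG-ISP", "Maxis", "KT"])  # double hop via Maxis
    router.receive("SG-ISP", VIDEO_PREFIX, ["SG-ISP", "VideoSite"])
    # A neighbour claims to *be* the destination, so its path is shortest.
    router.receive("RogueISP", VIDEO_PREFIX, ["RogueISP"])
    return router

if __name__ == "__main__":
    for check in (False, True):
        r = build_router(check)
        print("origin check:", check)
        print("  to KT        via", r.best_route("10.20.1.5")[1])
        print("  to VideoSite via", r.best_route("10.99.0.10")[1])
        print("  rejected:", r.rejected)
```

An origin check of this kind only catches announcements that claim the wrong origin; it does not catch a neighbour re-advertising a genuine route it should not be passing on.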

And now we see the problem

That’s what happened last week: TM advertised that they were the shortest path to a motherlode of IP addresses, and a giant node in the US noticed and began routing nearly all its traffic to TM. Predictably, TM just got crushed under the load, ending all traffic not just to TM subscribers, but also for the Americans using that giant node as well. Sort of like a small phone shop advertising that they’re selling iPhones for one dollar, and then getting crushed by the sheer number of people cramming into the shop to buy them.

Of course, you may rightfully ask why don’t the geeks fix the problem. We have pretty easy solutions for this; unfortunately the pervasiveness of the internet makes it very hard to implement any new change. The internet in many cases is a victim of its own success. No one imagined the internet would be this great when it first started, and we’re now reaching the edges of some of the engineering we did in the 60’s and 70’s. It’s a testament to the engineers that we’re only now reaching those limits, but the problem is ever present.

Because so many people use the internet, and because so many ISPs are on board, any change has to be implemented world-wide. That’s the challenge: we can’t just switch off the internet for 2 days while the engineers make the change. That’s not acceptable.

Links:

http://www.lowyat.net/2015/06/tmunifistreamyx-services-facing-severe-slowdown-across-the-country/

https://news.ycombinator.com/item?id=9704952

http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/

http://www.bgpmon.net/massive-route-leak-cause-internet-slowdown/

The technological effects of SOSMA and POTA

The new Prevention of Terrorism Act (POTA) in Malaysia should not be considered in isolation but rather in the context of the 6 other anti-terrorism Bills that were concurrently proposed. All of these new laws will almost certainly come into effect, thanks to the whip system employed by the ruling party. Yet the laws violate fundamental human rights, such as the right to a fair trial and the right to personal privacy.

I’m particularly worried about the amendments to the Security Offenses Special Measures Act (SOSMA), an amendment that has slipped under the radar simply because it’s been outdone by harsher changes to the Sedition Act, and the new POTA.

The original SOSMA had granted law enforcement powers to intercept and store any kind of communication, including digital communications, without any judicial oversight. Police officers ‘not below the rank of Superintendent’ could wiretap any communications if they ‘felt’ there was a need to do so, without obtaining any warrant. Section 24 of the act further stipulated that law enforcement did not have to reveal how they obtained such information and could not be compelled to do so under the law. This acts as a blank cheque to the police and other investigative bodies to utilize any and all manner of surveillance and intelligence gathering, regardless of the legality of their methods, since no oversight can be carried out on those methods.

The amendment to SOSMA further enhances existing powers to allow for any evidence “howsoever obtained, whether before or after a person has been charged” to be admissible in a court of law. That isn’t a big jump from where we were, but making this statement explicit in the act leads me to only one conclusion.

Our legislators have granted such broad powers to the police and the executive branch of government that they can now intercept and store the communications of millions of Malaysians, hence the next logical step would be state-wide bulk surveillance. In light of what the NSA and GCHQ have already done, SOSMA would make it perfectly legal for Malaysian authorities to execute identical surveillance programs locally and have all the evidence generated under such programs be admissible in a court of law without ever revealing how the evidence was obtained.

Think about it: on the one hand, the Government amends SOSMA to allow it to collect just about anything as evidence without any judicial oversight that might ‘slow down the process’, and on the other hand it needs POTA to detain ‘terrorists’ without a trial because it’s hard to come by evidence. It doesn’t make any sense. What’s the point of creating POTA if you’ve already removed all the barriers to collecting evidence, and what’s the point of SOSMA if you already have the powers to detain someone without any evidence?

It would seem to me, that by allowing Government surveillance of any kind, and by allowing detention without trial, we’re creeping into a world where the Government can intercept all your communications to learn about what you’re thinking and doing–and then detain you without any justification. That’s a world even Stalin would envy.

I know I’m a tin-foil hat wearing conspiracy nut, and I know I’m on an extreme edge when it comes to political and social views; not many Malaysians agree with me on many things. Still…I think that if you look at the acts in totality, place them in the context of the current trends of Government surveillance across the world, and consider that our government has a track record of deploying spyware in Malaysia, it seems perfectly reasonable to me to conclude that our government wants to run state-sponsored bulk-surveillance operations in Malaysia.

Censorship and Freedom

What’s the price of falling in love?

What are the consequences of being head over heels, mindless crazy in love with someone?

I would say the price of falling in love is the possibility of getting hurt. Sometimes the person you fall in love with doesn’t love you back–and that can cause significant emotional pain and grief. But that’s a price we’re more than willing to pay, because a world where no one is allowed to be hurt, is also a world where no one is allowed to fall in love, and who wants to live in that world?

Everything has a price, even something as pure as love or as sacred as freedom.

Freedom isn’t free, it comes with a price.

The price of freedom is the possibility of crime–when we give people the freedom to go out at night, and walk on the streets or to speak their mind, these freedoms can be abused. Some take that freedom to become thieves, robbers, and bad men, but that’s a price we’re willing to pay, because freedom is good. In other words, freedom is worth the price we pay for it.

Some today have asked for the internet to be censored, citing the recent Malaysia Pedophile case in the UK as a glaring example of why we need to censor the internet. First of all, I’m not sure how child-pornography in the UK is used to justify censorship in Malaysia, and secondly, such calls are ignorant, both of freedom and technology. I’m astounded as to how easily these people can sacrifice their freedom to information online, all in the name of protecting children–a common excuse given by those who have nothing more concrete to say.

The price of a free internet, is the possibility that it will be abused. But the price of censorship is a far higher one.

Let’s take a look at the technology.

The internet was built to be a decentralized network. It’s not a single network, but a collection of many networks that all operate on a set of rules, rules which are affectionately known in engineering circles as protocols. As long as your network follows these protocols, you can connect to the internet and be connected to everyone else on the information super highway. And these protocols, due to legacy reasons, lack any real form of authentication and security, which has allowed for much misuse, including that one time Pakistan managed to take down YouTube across all of Asia.

This open nature also extends to the ‘authorities’ on the internet, who don’t have any real authoritative power, and act more like mediators rather than strong-armed leaders. Politicians, especially in our country, use the rule of law, the power of the police, and the threat of sedition to exert their authority. On the internet we have something akin to a council of elders who lend advice and suggestions, without any clear consequences if those suggestions are ignored.

Censorship just doesn’t fit into this model. Censorship requires a central authority that can control what is being broadcast. If the government wished to censor BFM or TheStar today, all they’d have to do is make a phone call. If the media were reluctant to take on the ‘advice’ of the government, a second phone call to the police would be sufficient. The police can drive up to the doors of the offices in Malaysia and start pulling out wires or smashing computers, and sooner or later the broadcast would stop.

But the internet isn’t broadcast. It’s a personal connection for each and every user on it, and the government doesn’t have the same sway with Google, Facebook or Twitter as it does with BFM, TheStar or Utusan. It can’t command Facebook to take down a page, or instruct Twitter to delete a tweet, and so the model of censorship on the internet has to move from the point of broadcast to the point of consumption.

Because the government can’t stop the tweet, video or blogpost from being broadcast, it has to do the next best thing: prevent the information from being consumed by little ol’ Malaysians. Technologically this works through a ‘filter’, where all the information flowing into Malaysia from these foreign servers is analyzed and inspected for the ‘censored’ content, and the moment something unsavoury is found it is either discarded or flagged for further analysis.

In other words, in order for the government to censor the internet, it must first surveil your connection to the internet. It is no different from opening every letter destined for your home. Internet censorship and Internet surveillance are two sides of the same coin, and to call for one is to call for the other.

But what’s the cost?

Technologically, this is VERY expensive, and VERY ineffective. Loads of technologies today, like encrypted VPN tunnels, and proxy servers, and TOR, work specifically to avoid these sorts of filters. And the technology only works, if it is backed up by a vast little army of minions to do the necessary manual checks–just ask China.

I estimate this to cost in the Billions. Sifting through every bit of internet traffic coming into Malaysia in real-time requires massive infrastructure, and since Malaysians consume more internet year-on-year, the operational costs are going to be equally expensive as well, and ever increasing.

But the financial cost is but a pitiful fraction of the true cost we pay when we allow governments to censor the internet. The real cost comes in the form of limited social progress.

Freedom and Social Progress

The price of Freedom is the possibility of Crime, and sometimes the possibility of Crime is a good thing.

In the not so distant past, it was criminal to smuggle slaves from the deep south of the United States to the North where they would be free men and women. Today we admire and acknowledge these smugglers as heroes, but in their day they were common criminals committing theft. There’s a progression of things when they go from being illegal, to illegal but tolerated, to completely legal.

Today, women can’t drive in Saudi Arabia, but I have no doubt someday they will. There are already those who defy the law and drive anyway, regardless of how many X chromosomes they have, and the country is slowly but surely making progress. Unfortunately, in a country like Saudi Arabia, where freedom is so curtailed, progress is hard. The more control the government has over its people, the harder it is for social progress to be made, and granting the government the power to censor the internet only serves to inhibit this natural social progression.

If the Government knew who was Gay or Lesbian 10-20 years ago, there would be little in the way of LGBT rights today, simply because all the Gays and Lesbians would be ‘dealt’ with. Before you get all righteous, just look back at history, and imagine if the Roman empire had a similar surveillance apparatus and was able to identify who was Christian. The point isn’t whether you agree with these shifts in social trends, but that granting the government powers to censor the internet inhibits these movements, which leads to a stagnating society, which everyone can agree isn’t a good thing.

Limiting everyone’s freedom

You do not limit freedom on everyone just because some have abused it. Instead you focus your efforts on the offenders, and remove only their freedoms, while keeping everyone else free. This is basically the concept of jail, you remove freedom from those that have abused the system, while keeping the freedom of those that have played by the rules.

Internet censorship is such a broad-based thing that there is no way it can be focused to such an effect. If you knew the government was censoring the internet, and you knew they were carrying out mass surveillance, would you dare search online for keywords like Altantuya, Shia, Innocence of Muslims, etc? Some might argue that it is a good thing that Government surveillance would scare people from searching for these things, but I argue a country that hopes to keep its citizens in ignorance is not a country worth living in.

Government surveillance of the internet affects the way we use it. The moment you realize that the government ‘might’ be watching, is the moment you change your online habits, a sort of reverse of the old analogy of “if you’ve got nothing to hide, you’ve got nothing to worry about”–the truth is that if you know the government is watching you’ll make sure everything is hidden.

Government doesn’t have a good Track record

Plus our government hasn’t really had a good track record on internet censorship. The first time we officially censored the internet was during Pak Lah’s time, when all ISPs in Malaysia were ordered to block access to Malaysia Today, a website that was run by Raja Petra Kamaruddin. It’s ironic that the very same questions raised by RPK way back then are almost identical to the questions raised by Tun Mahathir today, specifically around issues like Altantuya.

You see, we can’t just grant one government the ability to censor the internet, we have to grant all of them. Maybe you’re OK with Najib Tun Razak leading a government with the ability to curtail information on the internet, but maybe you’re not OK with giving that same power to Anwar, or Wan Azizah, or Lim Kit Siang. I would have huge issues granting that power to the late Nik Aziz, as I’m quite sure there would be very little internet left if he got his fingers on the filters–the point is, even the most hard-core BN supporters must be open to the possibility that they may not be in power come 2018, and if you grant the government censorship rights, you just might be handing over that power to Pakatan–think about that for a minute.

Finally, child pornography doesn’t exist on the ‘regular’ internet. It’s not as though a Google Search is going to turn up some disturbing image of children. These things exist in the dark-web, the un-searchable, un-Google-able part of the internet that is obfuscated by a technology called TOR. Internet censorship isn’t going to stop child pornography, just like closing down all highways isn’t going to end all car accidents. To use that as an excuse to call for internet censorship is political convenience rather than an argument formed by facts.

Conclusion

But Keith—if it only saves one child, we must do it…I hear you say.

If it were my child, I’ll let you go all Nazi on Malaysia, I’ll spend the entire Malaysian Gold Reserve, pawn all the oil in the ground, and lock up half of the country in Kamunting to save my child–but is that really the way we want to discuss Government policy in this country, as though every decision has to be made from the basis of an irrational tiger mommy parent? Spare me the theatrics. A policy decision of this magnitude must be made rationally with a sound mind, and don’t drag the children in to bolster your ill-conceived arguments.

Post-Script

One of the central authorities of the internet is the Internet Engineering Task Force (IETF), who govern the protocols we discussed earlier. They are nothing more than a bunch of engineers who get together once in a while and discuss engineering specifications. They release documents that are mere suggestions on how the protocols should be executed, and they do so by consensus–no veto power leader, no mandate, no instructions. They vote on these changes by ‘humming’, because humming is anonymous (hard to tell who’s humming in a room), and it’s quite difficult to hum twice as loud as someone else, a solution only engineers could come up with. This is a world governed through consensus, with no central authority wielding veto power.