Security theater on KTM trains

The last time I took a public train in Malaysia was 10 years ago.

That’s a long time to be spoilt by the luxury of having a car to drive around. So it was a pleasant surprise to see this viral story, about a man on a KTM Komuter train who saved a woman from a group of youths who “misbehaved and demanded cash and their valuables”.

But then I remembered that KTM had launched ‘women-only’ coaches on their trains, and this event had me pondering the security and social implications of such coaches, and I concluded that women-only coaches are a terrible idea!!

Women shouldn’t fear men

Firstly, women shouldn’t be afraid of men; they should be afraid of perverts, rapists and criminals. But not all men are perverts, rapists and criminals, and implementing women-only coaches discriminates against all men as though they’re criminals.

Of course the argument is that women feel ‘safer’ on these coaches, and indeed they do. But feeling safer is not the same as being safer, and it’s a fallacy to implement policy based on people’s feelings.

There may be a strong perception of an oncoming zombie apocalypse, but we shouldn’t be spending money trying to prevent that–policy decisions must be rooted in facts and effectiveness, not feelings.

The women-only coach conflates men with rapists, the same way Donald Trump conflates terrorism with Islam. We wouldn’t tolerate a white western tourist demanding to be on airplanes that didn’t have Arab Muslims in them, yet we somehow find women on trains that didn’t have men on them perfectly acceptable.

Obviously discriminating against men isn’t as bad as discriminating against women, as women have less power economically, politically, socially and, to an extent, physically as well. In much the same way as black comedians can make fun of white folks, but not the other way–it’s a phenomenon called punching-up, it’s not as bad if you’re discriminating against the more powerful.

But the social impact of such a move is way beyond my knowledge, so let’s focus on the security effectiveness of the women-only coach, and whether it’s worth the price.

First off, what is the price? Social implications aside, as an engineer it’s quite plain to see that having a public transport system that discriminates is pretty inefficient. If people were allowed to get on any coach at any time, they’d naturally filter in an efficient manner. Having specific coaches for specific genders will logically lead to a less efficient utilization of the trains–and in the realm of public transport, efficiency is of prime importance.

Are women in danger on public trains?

So if we’re losing efficiency, are we at least gaining some security for the women?

Here’s where things get a bit complicated….

Not many studies have been conducted on these women-only coaches, but I managed to snag this study from UUM:

In terms of the safety in Women-Only Coach in KTM Komuter, it was found that approximately (i) one in 30 respondents (3%) had experienced snatch theft, (ii) one in 30 respondents (3%) had experienced other incidents such as fighting, falling, (iii) one in 10 respondents (10%) had experienced sexual harassment, and (iv) almost the majority respondents (84%) from the total female passengers had no experience of encountering any of the mentioned incidents while travelling on KTM Komuter.

A study conducted in 2002 found that 35% of respondents in Malaysia had experienced one or more forms of sexual harassment, and honestly these numbers are ridiculously higher than what I anticipated.

I expected it wasn’t going to be 0%, but I figured that a well-mannered society like Malaysia would have a better record of somewhere between 0.2-0.5%, I was convinced we wouldn’t have broken the 1% barrier.

The fact that even the lowest estimate is 10% is mind-boggling to me, and frankly points to how far removed I really am from society at large.

So we know we have a problem of sexual harassment on trains–and we know that women suffer nearly all of that. What can we do?

Well the unimaginative would simply have women-only coaches, which may improve the feeling of safety, but not safety itself. Consider if the group of youths from the viral Facebook article decide to hop on the women-only coach at some dodgy station in Klang–why board a mixed coach, when you could hop onto the women-only coach and have a field day demanding money from women in a coach where no men could save them?

And it works the other way around as well–imagine a woman who can’t board the women’s coach because it’s full, and now she’s in a coach that’s predominantly male, and the perverts on the coach start thinking “why are they here if not to be felt up”, and now we’ve just doubled the discrimination impact on women who choose to use the normal coaches.

Essentially, the logical conclusion of a women-only coach policy is that you will create a men-only coach as well–and that’s taking a couple hundred steps back as a society.

Hawks and Doves

Sometimes in security we use the analogy of Hawks and Doves.

Hawks are competitive assholes who fight for every inch of turf you give them. A couple hundred hawks on a sinking ship will all fight each other till the last hawk is left limping onto the lifeboat whilst bleeding to death.

Doves are co-operative nice guys, that are just plain good. A couple hundred doves on a sinking ship will line up 2-by-2 and calmly fill out the lifeboats till all of them are safely on board.

But put a hawk among the doves, and he’ll have an unfair advantage. Being the first on the lifeboat, and launching it away before the doves get on board.

Put a dove among the hawks, and they’ll be first to be killed.

If you have a Dove-only coach on a train–you can easily see how this becomes a juicy target for the hawks.

In IT, we operate on the same principle. It used to be, that the internal corporate network was considered ‘safe’, anything deployed inside the firewall was generally regarded as low-risk and didn’t need things like pen-testing and vulnerability assessments.

But with the old model, a hawk that has somehow got a foothold in your network will have a field day within it, because all your defenses are down. This is how Sony Pictures, Target, and hundreds of other companies failed to protect their prized IT assets.

If your internal data is not protected, all it takes is a single compromised machine or bribed employee to cause havoc within the network. Instead, most organizations now segment their networks, placing more critical infrastructure behind layers of protection (defense in depth), and taking long hard looks at the security of their internally deployed systems.

Believing that an internal network somehow magically protects the internal systems is like believing a women-only coach protects women.

Conclusion

In summary, a coach on a Komuter train made exclusively for women causes a huge inefficiency in the system.

In the end, there’s no evidence it makes women safer, or reduces crime–it merely serves to discriminate against men, and causes wide social implications.

Women’s safety isn’t about sequestering them in separate compartments, but the enforcement of laws already on the books, and the social changes necessary to ensure they are treated equally in society and not looked upon like sex-toys on trains.

 

The ugly truth about Uber

Two weeks ago, I took my first ever Uber ride, and here’s what I think is The Good, the bad and the ugly of Uber.

The Good

The app worked perfectly out of the box, it was intuitive, and the drivers that fetched me from (and to) the Toyota service center were courteous and friendly. What was even more shocking was the price–Uber is freaking cheap.

Bukit Jalil to Bukit Bintang for RM20.20. I remember a time when taxi drivers would charge me RM10 just to drive from Menara Citibank to KLCC, or RM20 to drive from the Kelana Jaya LRT station to Subang Parade–and that was after I haggled, begged and bargained the prices down.

Uber is so cheap, I felt compelled to tip the driver, but the app doesn’t let me do it.

And when a cheapskate Klang boy feels compelled to tip, that’s when you know things are cheap.

Some of you may scream that Uber isn’t legal and that it’s not regulated. Well, a Taxi Driver refusing to use the meter is also illegal, and if I’m going to choose an illegal Taxi vs. an illegal Uber–I’ll take the Uber, thank you very much.

And in terms of regulations–well Uber (the company) does regulate its drivers, probably as much as SPAD regulates taxi drivers. But the Uber system works perfectly in terms of self-regulation: Passengers rate drivers AND Drivers rate passengers too.

What that means is that you can’t be an asshole passenger, because drivers would give you a bad rating, and no one would want to take you anymore. And because rating drivers is so easy, drivers can rely on the hundreds of good reviews they’ve had to offset one nasty review.

Contrast this with how SPAD regulates its drivers–well actually it doesn’t!

I tried calling SPAD hotlines before for speeding express busses and lorries, those numbers just don’t work. In truth, I think Uber is far more regulated than taxis in KL.

And anecdotally, the Uber cars I got into were cleaner and better maintained than most taxis I’ve been in. So if SPAD is regulating them, I’m not sure how effective it is.

Finally, Uber seems to be helping Malaysians make ends meet. One of my drivers was a part-time property agent, who was driving Uber in his ‘off’ time to make some extra cash, and the other was a recently laid-off employee who resorted to Uber as his primary income. Both seemed pretty happy about the arrangement–so I guess I’m happy for them.

Uber is cheap, works perfectly (on all my trips at least) and has friendly and courteous drivers. What’s there not to like?

The Bad

The reason why I like Uber so much, is that Uber is like me.

An Uber driver is more likely to be tech-savvy, middle-income and my age. The same can’t be said of generic cab drivers in KL.

Driving an Uber Car requires you be the following:

  • 21 years old with a driving license
  • Own a car that is less than 8 years old
  • Car insurance policy under the same name as the applicant’s. If you are driving your family’s car do make sure that your name is also under the insurance policy

A poor man driving a 15-year old Proton Iswara is not going to have an Uber opportunity, and neither is a 50 year old uncle who doesn’t know how to use a smartphone.

In some ways, Uber is a sequestered community of tech-savvy 30-something urbanites, and that’s a bad thing. But wait till you see what comes next.

 

The Ugly

If you’re waiting for the part where I reprimand the Taxi drivers–that’s not the point of the post.

I want to focus on the nice Uber Drivers, because something not-so-nice is going to happen to them.

Uber drivers will be the front-lines of the job wars humans will have to fight with Artificial Intelligence. And most people on the front-lines don’t make it through the war.

The moment Google (or whoever else) releases an autonomous vehicle that local authorities will let on the road is the exact instant Uber drivers lose their source of income.

An Uber driver working 12 hours a day, 30 days a month, can expect an income of around RM8,000–a number Uber themselves guarantee. Some have this number at RM10,000 or even RM12,000, but those are not guaranteed numbers.

Even then, it’s revenue and not salary. The driver still needs to maintain their car, pay their fuel bill, and gets no EPF, medical benefits or annual leave while doing so.

Roughly, if you drove a more realistic 8 hours a day (from 6am to 3pm) and only for 22 days a week (leaving weekends for your family), you’ll earn just over RM4,000. Minus cost, and the loss of EPF and Medical Benefits, and you’re looking at an effective salary of about RM2,500.

An autonomous vehicle needs no rest, and therefore can drive 24/7. It requires no EPF or Medical Benefits either, and can be programmed to drive in a fashion that prolongs the life of the car, consumes less fuel, and charges more. Autonomous vehicles will over time incur less insurance premiums, cost less overall and replace ‘driverable cars’.

Think about it, horses are considered a luxury these days because of cars, and in the next 3-5 years, the manual gearboxes will cost more than automatic ones (in fact, most cars these days don’t come with a manual option anymore).

And if ladies feel safer in cars driven by ladies, they’re probably going to feel a whole lot safer in cars driven by AI. Pay no attention to Hollywood AI depictions, they’re wildly off the mark.

In the same way rich people buy houses to rent to poorer people, rich people will buy autonomous cars to Uber around. If Johnny Bill Gates can expect a return of RM4,000 for a full-time autonomous vehicle that’s Uber-ing around, he’d buy 1000 of them and put 1000 Uber drivers out of business.

We’ve got 10 years (at most) before the guys relying on Uber to supplement their income have to look elsewhere–and the saddest part is that they’re driving Uber in the meantime, which isn’t adding any hard-skills to their resume (aside from the ability to make casual conversation–a skill most people lack).

Uber is just delaying a huge problem that’s going to come over the horizon.

And sure, taxi drivers and lorry drivers are in the same bucket as well.

The problem with AI

The only real problem with AI in Malaysia would be that some genius would figure out how to call AI cars to some dodgy corner of KL, and start stealing car parts while the AI sat passively not harming humans!

So if autonomous vehicles ever landed in Malaysia, and you saw a couple of guys jacking up Uber cars to remove the rims–you know what’s happening.

Passcodes should be protected

Some people are fans of medieval torture, and who can blame them. There’s just something about the sadistic treatment of people that makes us both want to watch with a bowl of popcorn in our hands, yet at the same time turn away in disgust and discomfort.

How else do you explain the popularity of shows like Saw?

I personally am a fan of the Iron Maiden, which before it became the name of a rock band, was an evil torture device designed to impale its victims with spikes, but meticulously avoid crucial organs thereby prolonging the agony, letting the victim slowly bleed to death rather than die from something boring like heart failure or liver damage.

There’s a list on Wikipedia that has all the gory details of medieval torture techniques, including keel-hauling (which I always thought was some pirate term) and Scaphism, which is a Persian specialty where the victim dies of Diarrhea.

It’s a whole new level when the victim dies of Diarrhea—Diarrhea!! (and the smart-ass know it all types probably are thinking that Persia wasn’t in the medieval period–yes, I know and I don’t care)

[*Steve in the comments points out that Scaphism didn’t really die from diarrhea but from insects feasting on them. Which doesn’t exactly make it sound any better ]

Fortunately, we live in a modern world, where such barbarism is consigned to history classes rather than current affair shows, and trust me while water boarding is torture, it’s probably a couple of rungs lower on the cruelty scale than an Iron Maiden or Scaphism.

It’s good to view our past just to figure out how far we’ve come along as a species, to take stock in the great progress we’ve made in civil liberties. Torture is a fine example of such progress, but take for example what the 16th century English had to deal with, when they were sent to the Star Chamber!

The new media is powerless

People think of the media as the powerful behemoth that’s capable of swaying public perception.

On the contrary, I think public perception sways the media.

Companies like Facebook, Google and even Amazon, have gone all-in on the confirmation bias, the idea that people like and prefer information that confirms their existing ideas and biases. No one likes being told they’re wrong about religion, climate change or even smoking; you can watch a great TED Talk by Eli Pariser here.

Google knows that the best search engine is the one that provides you the most ‘relevant’ results–but relevance is a subjective term that depends more on the user than it does the search term.

A PKR member searching for Anwar Ibrahim may not like to see an anti-Anwar blog exposing his homosexual behavior; to them this result is irrelevant, even inaccurate. But to a rabid UMNO supporter this post is the complete opposite, both relevant and accurate.

Two different users, one single search, two different outcomes.

Google isn’t interested in providing you the ‘correct’ answer, it’s interested in providing you the answer you’re looking for–two completely different things. To do this, Google evaluates 200 different signals or ‘clues’ that leak out of your browser onto Google to differentiate the search results it presents to you; they try to figure out who you are before providing you an answer.

Think of it as a funnel, that sieves through all relevant search results, and presents to you what they think is the answer you’re looking for. Obviously, not everyone typing in Anwar Ibrahim into the search bar is looking for the same content, and Google expends equal effort to guess your intent as it does to search for relevant answers.

Google knows that when you do a search, click the first link and never return, that they’ve done their job well, that you’ve found what you were looking for. But do a search and come back a minute later, and that suggests the result wasn’t relevant, and you’ve returned to get a better hit.

With funky algorithms and a whole bunch of computing power, it then takes this feedback and tailors future search results specifically for you–your own Google, one made especially for your biases, beliefs, and misconceptions.

The driver for all of this is of course money!

The more relevant searches presented, the more you’ll use Google–and more searches means more money for Google.

The downside is that you’re unlikely to bump into content you disagree with, content that doesn’t confirm your bias, and you’re now living in an echo chamber where the Google results, Youtube videos, Twitter tweets and Facebook posts reflect your inner opinions and biases. Hopefully you’re never going to see something offensive or disagreeable to you ever again–at least not by accident.

You really have to go out of your way to look for disagreeable content online, which is why I subscribe to Helen Ang, Parpukari, Rocky Bru, even Lim Sian See, just so I see content that would churn my stomach–the filter bubble is real and dangerous, and unless you’re acutely aware of it, the consequences can be devastating.

Prior to the 2013 general elections, I was 100% certain the opposition would win–by a freaking landslide!! All but a handful of my friends were going to vote for Pakatan, and all the Facebook posts and Malaysiakini reports suggested this was going to be the first time Barisan would lose.

But they didn’t. Barisan won comfortably, how could I have been so wrong?

And then I realized that my Facebook timeline and Twitter feed weren’t an accurate reflection of Malaysian society, and the filter bubble made the effect even more pronounced, and being unaware of such things, I wrongly assumed certain outcomes.

Facebook wants you to stay on Facebook, and thus provides you more content you like–which is content like you (bundled with all your biases and conceptions with it). You don’t see a different point of view unless you actively seek it, and most people don’t bother, so that friend who likes to post pro-government posts may already be hidden from your timeline even though you’re close friends.

This is also why a terrorist attack in France gets more media attention than a terrorist attack in Pakistan–because let’s face it, the former is going to get more shares and likes, and media companies (that we so often blame for lack of coverage) are simply responding to this explicit signal and creating more content for the stories people read.

The Malay Mail report 6 months ago, that quoted yours truly exposing the government’s purchase of surveillance software, got 1,500 likes on Facebook. A report about ISMA denouncing feminism as the cause for “women forgetting their place in society” got 400% more engagement in just 2 days.

If you were a purely rational news editor of a media outlet, where would you spend your journalistic resources? On covering a multi-million dollar mega-shrimp project that would affect thousands of poverty stricken farmers, or on a goat that looks like a human if viewed from a certain angle? It’s an easy decision if the latter gets 1,900 Facebook likes, and the former gets 1 (yes, just one).

In many ways, the media gives you what you want–and what you want is less Pakistani terrorism and more Kim Kardashian.

The media isn’t to blame–you are!

With modern analytic software and social media integration, determining which stories are read and which aren’t is now an exact science, and the vicious cycle continues to weed out content you’re less likely to enjoy, stripping down all alternative view-points till you end up with a single customized utopian feed that gives you (and only you) content you like.

We might be consuming a lot more media than we were 10 years ago, doing it from more diverse sources, but ironically the content is more homogeneous, less diverse, and dangerous!

‘The Media’ is still powerful, but the power has been diluted across hundreds of sources, so that each individual media company (whether it’s newspapers, digital or radio) has no power over its readership’s views, partly because it is already preaching to the choir and partly because viewers who don’t like the op-ed can click somewhere else instantly.

But in order to keep readership numbers up, media outlets churn out content that their already biased readership agrees with, just to keep ad revenue numbers stable–but this confines us to a filter bubble and echo chamber of opinions.

A newspaper editor for a Malay Daily in Malaysia is not going to allow a pro-Israel op-ed not just because they’ll most likely get in trouble legally, they’re likely to get in trouble financially as well–but if an entire section of Malaysian society has never heard of an alternative viewpoint of Israel how can they ever gain insight into the matter?

And while some people think the filter bubble is OK, to me it’s like feeding an entire population with Big Macs and Chicken Nuggets. Sure we all know the thin bastard next door that gobbles fast food everyday and lives healthy and happy, but for most people that diet is going to have severe and irreversible consequences in the long run.

I fear we may end up a society that can’t handle disagreement and lose our ability to rationalize and debate ideas, simply because we only consume content we agree with–and what’s worse is that we blame the media for what is essentially our fault.

The internet was meant to be democratic, a marketplace of ideas. Apparently in a perfect marketplace, people only shop for what they want.

Isn’t that sad?

Making the world safe for Technology

On April 2nd, 1917, the President of the United States of America addressed an extraordinary session in Congress, asking them to authorize America to declare war against the central powers in World War 1.

Across the Atlantic, the European continent had been devastated by nearly 3 years of bloody conflict. Regardless of who started the war, President Wilson was sure the war was at its tail end and he knew that if America stayed a neutral observer any longer, it might not get a seat at the table to discuss peace terms.

President Wilson had an agenda to set up the League of Nations, to ensure that such wars would never be waged again, and this would truly be the war to end all wars.

Sadly, with hindsight we know the truth, that America would reject the League of Nations, and the peace treaty at Versailles would act more as a 20 year armistice than an indication of true lasting peace.

America was a pale shadow of what it is today. Britain was the richest country on earth and had the biggest Navy while Germany had the best industry and the biggest army. America was a sleeping giant, but one awoken by WW1 and one that has never slumbered since.

But what made her go to war?

What compelled this great nation, whose own founding fathers warned would never go abroad in search of monsters to destroy, to take up arms and cross an ocean to wage war?

Many think it was Lusitania, some suggest the Zimmermann telegrams, but those were merely side distractions to the true cause of America’s involvement. The true reason for her involvement and ultimate victory is found in one sentence from the speech of President Wilson on that fateful day–The world must be made safe for democracy.

It wasn’t that America was trying to impose democracy on Europe or Asia, rather it was merely making it safe for democratic principles to thrive in the face of despotic monarchs and militaristic dictators. Contemporary American foreign policy fails to distinguish between making the world safe for democracy and imposing democracy.

America can never please her critics: get too involved and she’s accused of meddling in affairs, while staying neutral and distant invites the criticism of indifference to human suffering.

But not all dangers to democracy come in the form of dictators with armies at their disposal, and in one sense America continues to make the world safe–while the rest of us remain blissfully unaware of her efforts.

Full Disk Encryption with the keys inside

Nobody really knows how the FBI is hacking into iPhones.

Well nobody, except Cellebrite and the FBI themselves.

We can safely assume that the underlying crypto wasn’t hacked–that would be truly catastrophic for everyone’s security, and way above the pay grade of a company like Cellebrite.

So we have to conclude that somehow the FBI has managed to trick the iPhone into giving up its encryption keys, or bypassed the Passcode protections on the phone. Apparently the hack doesn’t work on iPhone 5S and higher devices, and obviously this can’t be a software bypass (because all iOS devices literally run the same software), so it has to be a hardware limitation, one that probably affects the key storage.

When bad advice comes from good people

What happens when a government agency tasked with providing cybersecurity “guidance” and “expertise” gives you advice like “avoid uploading pictures of yourself to avoid the threat of black magic”?

And then goes into damage-control claiming that it “was just a casual remark and did not represent the federal agency’s official position on the matter”, only to follow-up with more ridiculous advice like “passwords should be changed constantly to prevent identity theft and hacking”.

Sometimes I sigh so often my wife gets worried—or annoyed, maybe both 🙂

First-off you know my view on black magic, and for an agency under MOSTI to make such an anti-science remark is just appalling. Secondly, from a security point of view, changing passwords regularly doesn’t help, and it causes more harm than good by encouraging users to use easy to remember passwords that they transform after every iteration. Think superman123, then superman456…etc.

In fact, research from Microsoft suggests changing your passwords regularly isn’t worth the effort, and the best one can do is use a password manager that would allow you to have passwords that are both unique and hard to remember across all online services you use.

The fact that the head of CyberSecurity Malaysia is giving advice that most people in the security community consider obsolete doesn’t exactly calm your nerves.

The relationship between surveillance and censorship

In the online world, surveillance and censorship are two sides of the same coin, you can’t have one without the other.

When the government moots a ‘blogger registration’ act, we automatically infer it to be part of a wider censorship initiative, an attempt to control the narrative by subtly telling bloggers “we know who you are, so watch what you say”.

We intuitively get that putting a whole community under surveillance is a bid to control expression within that community, and if someone was even ‘potentially’ watching you–your behavior would change.

But the internet has made the connection between surveillance and censorship work in reverse, not only does surveillance lead to censorship, but censorship leads to surveillance as well.

Singapore Historical PSI Readings in Excel

Every now and again, I brush off the dust from an old laptop I have in the corner, and boot-up a couple of forgotten Python scripts.

One of those scripts would scrape the DOE Malaysia website for API readings in Malaysia; unfortunately, those damn fools at the DOE now only publish 7-day data, and completely wipe off anything older–for some unknown reason.

I even contacted my ‘insider’ over at MDEC to help out, since she’s leading the open data initiative, but I’ve not had any response. So I’ve stopped work on collating Malaysian API readings–for now. I suppose I could create a scheduled job to scrape the website on a frequent basis, but that’s not something I’m interested in at the moment.

But on a lighter note, I did modify the script to scrape data from the Singapore National Environmental Agency–and here’s the latest PSI readings that go all the way back to April 2014, right up to yesterday (23-Mar-2016). This modification was part of my work last year to compare the PSI values that Singapore was reporting against the API values in Malaysia (there was a wide discrepancy, check out my report here).

As usual they come in lovely csv files (separated by colons instead of commas, use the text to columns function in Excel to break them apart), and the full Python script is fully available on my GitHub page here.

All stuff produced on keithRozario.com is released under creative commons 4.0 (Attribution), which basically means you can use it for whatever you like–feel free, and don’t worry about the government either, nobody holds ‘copyright’ to facts like PSI readings (I don’t know why people often ask me this), and the Singapore government does make this freely available, but not in an easy to crunch csv file.

So without further delay, here are the CSV files:

Singapore-PSI-Readings (click to download)

Enjoy.

P.S. If this work has helped you in any way, would you mind leaving a comment below? It helps me keep track of which of my crazy projects actually bring value to the wider community. Check out some climate change findings, based on my previous API reading work here.

TL;DR

For the truly un-initiated, here’s the Google Sheets version of the Singapore readings. They had to be in individual sheets, because together they exceeded the cell-limit in Google Sheets. All in all, it’s 17,000+ data points per region, so enjoy at your own risk 🙂

Central, West, East, South, North

Security vs. Liberty: Sometimes it’s security and liberty

A public service announcement from our good friends at the FBI warns that motor vehicles are increasingly vulnerable to remote exploits, which in the wake of the bad-ass research from Chris Valasek and Charlie Miller shouldn’t be shocking.

What struck me is that the security advice the FBI is offering drivers is identical to the advice cybersecurity experts have been giving to–well, just about everyone. The more your car intertwines with software to provide things like automatic wipers, ABS and even Bluetooth audio, the more it becomes susceptible to the cyber attacks we traditionally associated with software on servers rather than four-wheeled automobiles.

So it would seem obvious that a car with more software bells and whistles would be less secure than a simple ‘hardware only’ car, and from one point of view that’s true.

But should you rush out to buy a 10 year old Honda Civic with no connectivity to the outside world?

It depends.

If you’re buying the car for your family and you’re more likely to be in a road accident than you are to be hacked by guys like Charlie Miller–you’re better off buying a newer car with modern safety features even if it makes you susceptible to certain attacks. You certainly wouldn’t want to be in an accident in a car without airbags, or crumple zones built to protect passengers.

Compromising security in the name of safety isn’t something people are comfortable doing, but you never deal with absolutes here.

Security is always a compromise: sometimes you give up convenience, sometimes you give up money, in some cases you even give up safety. Buying a newer car presents a bigger attack surface for ‘hackers’ to target you, but buying an older car presents a bigger risk for when you get into an accident, and because accidents are more likely than hacks, the choice seems straightforward.

However, before we begin to balance security vs. something else, we need to define the term security–and that’s not a straightforward process.

The definition of what is secure begs the question–secure from what? You need to identify your attacker and their methods before you can secure your defences. Going back to the car example, a newer car with more connectivity to the internet might be susceptible to hackers like Charlie Miller, but could also have shatter-proof windows which may offer better protection from parang-wielding carjackers. Which of those two attackers are you more likely to encounter?

Think about the gated-guarded communities that have popped up all over Malaysia. Sure, these neighbourhoods provide security from opportunistic criminals, like the wandering thief on his motorbike looking for expensive shoes you left outside your home. But they provide almost no extra security from a skilled attacker who employs patience, knowledge and occasional violence to get the job done. For them, Nepalese guards who wave in everyone at the entrance present little deterrence.

So when we talk about FBI vs. Apple, people tend to frame it as a case of security vs. privacy, or even more broadly as security vs. liberty. But before we frame the question so broadly, we need to define which liberty we are affecting, and what security we are augmenting.

The FBI is an investigative body, charged with investigating federal crimes. If their powers and capabilities are restricted by either technology or law, they presumably would be less effective in catching criminals. Hence, if Apple designs smartphones that nobody (not even the FBI) can access, criminals will remain free and our collective security suffers as a result. In other words, unless we give up some personal privacy, we cannot get the security of knowing criminals are behind bars.

But what about other attackers, like cyber-criminals and state-sponsored attackers?

The NSA, who have the wholly different task of national security, feel that if Apple designs smartphones that even the FBI can’t access, it means Russian cyber-criminals and Chinese state-sponsored attackers won’t have access either (or at least will have a much harder time gaining access). And since nearly every federal employee carries a smartphone, the collective national security of the country is better protected by protecting the privacy of individual citizens.

Two different attackers result in two different definitions of security.

The latter example actually posits a scenario where liberty and security go hand in hand, where we get more of both simultaneously, win-win.

We also haven’t ventured into the territory where the government is the attacker. For many citizens living in despotic regimes that is a real and present evil. If Apple builds phones that ‘protect’ criminals from the likes of the FBI, those same phones protect journalists and human rights activists from their repressive governments.

It’s another version of collateral freedom: we all use the same internet, and the protections we grant ordinary law-abiding citizens are the same protections we grant criminals. But since there are far more good people than evil bad guys, that’s an effective compromise–it isn’t perfect, but it is a rational decision to take.

The alternative is to remove the protections from criminals, but at the same time deny them to ordinary citizens as well. That’s just not rational.

I would be disingenuous if I didn’t point out that in some cases we do need to give up liberty for safety. We have to allow police officers to carry out their duties, we grant the government powers to imprison the criminals among us, and we remove the ‘liberty’ parents have when it comes to vaccinating their children–all in the name of security.

The point of this post is to stimulate you to think more deeply about the liberties we sometimes sacrifice in the name of security. For example, we offer ourselves for groping at airport security for the ‘comfort’ of others; there’s only a tiny, minuscule chance that our particular flight was chosen for a terrorist attack, but we think of this as security. Security expert Bruce Schneier puts it wonderfully:

Security and privacy are not opposite ends of a seesaw; you don’t have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it’s based on identity, and there are limitations to that sort of approach. Since 9/11, two—or maybe three—things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and—possibly—sky marshals. Everything else—all the security measures that affect privacy—is just security theater and a waste of effort.

-Bruce Schneier

That reinforced cockpit door that protects pilots from terrorists also protected Andreas Lubitz when he took the helm of Germanwings Flight 9525 and crashed it into the French countryside, killing himself and all 150 souls on board.

Security entirely depends on who your adversary is and how they will carry out their attacks.

TL;DR

I drive a 3rd generation Prius, which has Bluetooth audio, so that I can play my podcasts from my phone through my car audio. That same audio headset can display the ‘state’ of the hybrid drive train–whether it’s driven by battery or the engine, so that would mean the CAN bus on my car is exposed to the outside world via a Bluetooth connection. I accept this risk because I enjoy podcasts too much, and because the Prius was the cheapest NCAP 5-star car I could buy. I compromised security over safety.