Keith on BFM

3-4 weeks ago, I pimped myself an interview on BFM, and yesterday it finally aired. Woohoo!!

Here’s the audio, and below are some show notes you might be interested in if you want to learn more. I searched for these links AFTER the show, so they may not be 100% in step, but they’re a good place to start.

Show notes:

  1. My post on how to change your Unifi WiFi password, and a bonus note: here’s how to hack them.
  2. Windows Tech Support Scam, here’s another, and here’s how some pros respond.
  3. Why Anti-Virus is dead, from Brian Krebs.
  4. Russian Business Network (I wrongly called them the Russian Business Alliance on the podcast): the Wikipedia link is here, but I suggest buying Spam Nation by Brian Krebs, easily the best book on the subject.
  5. Target hacked through their HVAC supplier, while that supplier was using anti-virus.
  6. Kevin Mitnick on social engineering and corporate inoculation.
  7. Cybersecurity professional shortage… trust me, IT is the way to go.
  8. Security frameworks like PCI-DSS; I should have mentioned it.
  9. My favorite password manager: Lastpass.
  10. The Fappening (if you don’t know what it is, please click the link NOW).
  11. Ashley Madison passwords, rights and wrongs.
  12. Why I don’t like bio-metrics.
  13. OPM Hack: you need to know this.
  14. TheStar reporting on a teen winning an award from Google (fake report).
  15. Google Malaysia was hacked, and my explanation of why it wasn’t.
  16. My take on our view of hackers, and specifically Anonymous.
  17. Tech Journalism in Malaysia.
  18. Ahmed didn’t build his clock, and now he’s suing for $15 million. Damn.
  19. Tony Stark asking to boost ISDN by 15%.
  20. Hacker who claimed he could hack a plane’s avionics from his seat.

I really enjoyed the interview, and felt it came out really well.

Shout out to Jeff Sandhu for the brilliant work, and let me know if you enjoyed the show.

Keith Out!!

Hackers and terrorists


Pic from TheMalaysianInsider. Tip to newsmen: next time, blur out the photos and names on the ID tags as well.

There is no greater danger of tech illiteracy than the way we treat hackers. A society that doesn’t understand technology will view those who can manipulate it as wizards and sorcerers.

Technology that is sufficiently advanced is indistinguishable from magic, and for most people the bar for ‘sufficiently advanced’ isn’t set very high.

The magic analogy is apt. Even in fiction, wizards are treated either with awe, a la Harry Potter and the muggles, or with disdain, a la the Salem witch trials, where ignorance bred fear, which in turn led to persecution.

Regular readers of this blog will know Kevin Mitnick, the grand-daddy of hackers, who was once rumored to be able to launch a nuclear missile by whistling into a phone. Not only was the rumor patently false, it nudged judges in American courts to deny him a bail hearing, something guaranteed to Mitnick by the country’s Federal Constitution. Prosecutors quickly learnt that if you throw around words like Hacker and Nuclear, judges will willingly jettison constitutional protections quicker than Han Solo can dump cargo to make the jump to light speed.

In the absence of a nuclear threat, law enforcement agencies have begun using terrorism, and found it equally effective in demonizing hackers and anyone else who can do seemingly magical things with bits and bytes on a computer screen. Continue reading

Chip And Pin : An intro for Malaysians

In 2016, Chip and PIN will gradually be introduced in Malaysia, which means your credit card will now prompt you for a PIN instead of a signature during purchases. This will be a bit of a hassle, but it will be worth it. Here’s what you need to know about it, and about credit card transactions in general.

The 5 people you meet in a card transaction

First off, a short primer on credit card transactions. In any business transaction, there are at least 2 actors involved, a buyer and a seller. In industry lingo we call them Merchants and Cardholders. These are important terms to remember, as we’ll use them extensively.

But a card transaction is far more complicated and involves at least 3 more actors, some of which you may not even be aware of. First, we have the party that issued the cardholder their card, the ‘Issuer’. If you have a credit card, chances are that credit card is tied to a line of credit issued by a bank. Whether it’s HSBC or Maybank, these are issuers, who have a relationship with the cardholder.

Then we have the ‘Acquirer’. This is the financial institution that provides the merchant the ability to accept card transactions. Sometimes this is as simple as placing a card terminal on the merchant’s premises. The acquirer has a relationship with the merchant, and that’s why when you look at credit card receipts, they usually have a bank’s logo on them: that’s the acquirer’s logo.

Both the issuer and the acquirer are usually banks, because credit cards deal with debt, and only registered financial institutions are authorized by law to perform such transactions (think interest rates, loan functions, etc.).

So far, we have the Issuer that issues the card to the cardholder, and the Acquirer that provides the infrastructure to the merchant, but how do we tie all of them together? Here the final actor provides a network that connects all acquirers to all issuers; they’re called Card Schemes. You know them by their names: VISA, Mastercard, Diners, JCB, Discover, etc. The schemes provide the ability to connect acquirers and issuers, so when you go to a merchant, you only ask them if they accept Master or Visa, and don’t worry about the specific acquiring bank. Similarly, the merchant places a “Mastercard accepted” logo on their premises, because if they can accept one Mastercard, they can accept them all.

These 5 actors, the Cardholder, the Merchant, the Acquirer, the Issuer and the Scheme, work seamlessly together to allow you to purchase goods and services using only a single piece of plastic we call a card.

But what is a card? Continue reading

PSI vs. API, Malaysia vs. Singapore air quality readings

There’s been some controversy recently regarding the Air Pollutant Index (API) readings in Malaysia, with some even accusing the government of intentionally downplaying the readings.

I wanted to find out exactly how the readings differed, and as a glorified techie cum wannabe programmer I decided to use a data approach rather than a theoretical one. In case you’re wondering what the theoretical differences are, check out this cool article from cilisos; otherwise, keep on reading.

At the crux of this issue, we first have to appreciate how API or PSI readings are calculated. Both take measurements of pollutants in the air, but only the most concentrated pollutant determines the reading value you see. It’s hard to consolidate something as complex as air quality into a single number, and as a result a certain amount of ‘simplification’ is required.

Theoretically, PM2.5 measures particulate matter up to 2.5 micrometers in diameter, while PM10 measures particulate matter up to 10 micrometers in diameter. The Singaporean Government claims that PM2.5 is the main pollutant of concern during periods of smoke haze, and hence you’d expect PM2.5 readings to be higher than PM10.

But that’s the theory; what about empirically? Continue reading

The problem with bio-metrics

Passwords have always been a problem.

For a password to be adequately secure, you need a certain amount of randomness (or entropy, in geek-speak) associated with the password to ensure it can’t be easily guessed. The password monkey is less secure than the password k3ithI$one$3xydev1l, but the latter is inherently harder to remember (although still very true).

Remember, you should use a different password for each online service you subscribe to: your Jobstreet credentials should be different from your banking credentials. This way, if someone hacks into Jobstreet and compromises its passwords, your banking credentials remain secure.

What people often do is re-use one password across all their services, so that a compromise of one service is as good as a full-blown compromise of their entire online identity: a hack on that nutrition forum you visited two years ago could cause you to lose your life savings.

Therein lies the trade-off: an easier-to-remember password is also easier to guess, and hence easier to hack (Google ‘the fappening’ if you need more convincing), while a hard-to-guess password is harder to remember, and near impossible to manage if you need to remember a different password for each of your online services.

This suggests that the problem isn’t passwords per se, but rather our human inability to remember long, un-guessable passwords. Computers have long outstripped us in this arena, and trying to overcome that is pretty much unthinkable at this point.

But what is the solution then? Well, in general we have 2 partial solutions. Continue reading


By now, you either know someone who’s been a victim of nasty malware or have yourself been on the business end of nefarious software. The perpetual duel between security companies and malicious elements in cyberspace has changed dramatically over time, and no change has been so dramatic as the rise of a new type of threat, a threat we call… ransomware!!

…but what is Ransomware?

Ransomware is a piece of nefarious code that infects your machine the same way any ordinary virus or spyware would. But what differentiates it from other threats is what it does after it has infected a system.

Ransomware immediately seeks out specific file types, like Microsoft Word documents, Excel spreadsheets and digital pictures, all for the purpose of encryption. Different ransomware families target different file types, but the idea behind it is to seek out files that are considered particularly valuable to the user, ones that a user would pay lots of money to retrieve if they were ever lost. These files are then quickly encrypted using ‘bank-level’ encryption ciphers, making them unreadable to the user.

Once the files are ‘safely’ encrypted, the user is usually prompted with the message: pay us money or never see your files again!!

The famous (or infamous) CryptoLocker would request payment only in Bitcoin before the decryption key would be released to the user. The malware has kidnapped your files, and the only way to get them back is to pony up the cash.

In essence, CryptoLocker held your files for ransom, in much the same way kidnappers hold kids for ransom in those Hollywood movies. But unlike Hollywood, this is real, and the only way to get the files back is either to pray for a miracle or to make the payment. Continue reading
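An added example, not from the original post, of the kind of detection heuristic the behaviour described above invites: it runs over constructed file-write events and flags a process that writes high-entropy (ciphertext-like) content to several of the document and picture types ransomware seeks out. The event format, the thresholds and the extension list are assumptions chosen for illustration.

```python
import math
from collections import Counter
from dataclasses import dataclass

# Illustrative set of file types the post says ransomware goes after first (assumed list).
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


@dataclass
class WriteEvent:
    """One observed file write: the writing process, the path, and the bytes that landed on disk."""
    pid: int
    path: str
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Plain documents sit well below 7; ciphertext sits near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_pids(events, entropy_threshold=7.0, min_files=3):
    """Return pids that wrote ciphertext-like content to at least min_files distinct targeted files.
    A single high-entropy write is normal (a zip, a real photo); a burst across many documents is not."""
    hits = {}
    for ev in events:
        ext = ev.path[ev.path.rfind("."):].lower() if "." in ev.path else ""
        if ext in TARGET_EXTENSIONS and shannon_entropy(ev.data) >= entropy_threshold:
            hits.setdefault(ev.pid, set()).add(ev.path)
    return sorted(pid for pid, paths in hits.items() if len(paths) >= min_files)


# Constructed sample events. bytes(range(256)) * 4 is a deterministic stand-in for
# ciphertext (entropy exactly 8.0); the repeated sentence stands in for a real document.
CIPHERTEXT_LIKE = bytes(range(256)) * 4
PLAINTEXT_LIKE = b"Quarterly report: sales rose 10% on last year. " * 20
SAMPLE_EVENTS = [
    WriteEvent(1001, r"C:\Users\kc\Documents\report.docx", PLAINTEXT_LIKE),   # normal edit
    WriteEvent(4242, r"C:\Users\kc\Documents\report.docx", CIPHERTEXT_LIKE),  # overwritten
    WriteEvent(4242, r"C:\Users\kc\Documents\budget.xlsx", CIPHERTEXT_LIKE),
    WriteEvent(4242, r"C:\Users\kc\Pictures\holiday.jpg", CIPHERTEXT_LIKE),
    WriteEvent(4242, r"C:\Users\kc\Downloads\archive.zip", CIPHERTEXT_LIKE),  # not a target type
    WriteEvent(7, r"C:\Users\kc\Pictures\photo.jpg", CIPHERTEXT_LIKE),        # one file, no burst
]

if __name__ == "__main__":
    print("suspicious pids:", suspicious_pids(SAMPLE_EVENTS))  # [4242]
```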

Is Uni-tasking underrated?

Google reported that 91 per cent of its Malaysian respondents are “multi-screening” with their smartphones, meaning that while watching TV or working on a laptop, Malaysians were at the VERY SAME TIME using their phones.

The Malay Mail reported this as Malaysians being champion multi-taskers, but I look at it as a negative, and instead view it as an indication of just how easily distracted we are.

It used to be that multi-tasking was a prized asset in an employee, but as a regular cari-makan working adult, I have to say that trying NOT to multi-task is getting harder by the day. A brief boring moment in a call, an e-mail alert while you’re writing a document, a phone call in the middle of a presentation: trying to focus on ONE thing at ONE time is HARD.

And most of my best work comes from uni-tasking. In fact, all the science leads to the conclusion that focusing on a single task leads to better performance in a shorter amount of time. Multi-tasking is a myth that only about 2% of the population can pull off at any one time; the greatest among us are those who focus on a single core activity at once.

And uni-tasking isn’t just for better performance, it leads to better satisfaction.

The only real time I uni-task is when I’m gaming. When I’m playing DOTA I naturally turn off all distractions and focus purely on winning the game; every distraction I get while gaming is both irritating and quickly addressed. I don’t leave half-way through a game to view my Facebook feed or read e-mail; I’m 100% committed to killing the enemy.

And do I enjoy gaming–you bet.

Is that because of focus–yes!

Or so says Mihaly Csikszentmihalyi (pronounced cheeks-sent-me-high), who authored one of the most influential books on the subject: Flow.

Flow is that feeling you get when you’re deeply immersed in an activity. We all have at least one of them, or at the very least sex. That one thing you do when all other distractions are immediately switched off and you’re focused on it. In fact, you’re so focused on the matter that you lose your sense of time, and even your sense of being. It’s the feeling of flow.

Some get it from gaming, others from some other activity, but think of the last time you were so thoroughly engaged in something that you lost your sense of time. That’s the feeling of flow, and nobody is multi-tasking while they’re flowing.

In a sense, smartphones and all the technological gadgetry that surrounds us make it impossible for us to achieve flow, and that’s a negative.

Maybe it’s time we put down our smartphones, and start looking for employees who can uni-task, because let’s face it, life is better that way.

Internet connection speeds in Malaysia

Not to beat a dead horse now (you can read my previous articles here and here), but I’ll say it one last time: internet speeds aren’t exactly what we should be debating over these days. We should focus on internet penetration rates and broadband penetration, and define these correctly.

The MCMC defines broadband as anything over dial-up. Which is stupid, because a 128kbps ISDN line would be considered broadband, but it certainly wouldn’t feel like broadband to any user. It would crawl.

But at the same time, you can’t set the number too high, to something like 100Mbps, because what would you be able to consume at that speed that you couldn’t at 5Mbps? In other words, why would you need 100Mbps instead of 5Mbps, and what do you actually mean by the term broadband?

So the question becomes: how fast is fast enough? What bandwidth is sufficient for the average Malaysian to enjoy the internet at the same level as anybody else? A lot of people buy a car without caring about the car’s top speed, because very few people actually push the car to its top speed. Why isn’t it the same for internet bandwidth? Continue reading

Hacking Government, Malaysian Style

The simplest definition of a hacker is someone who breaks systems. We tend to equate systems with computers, but that’s a limited definition of the term. A system can also refer to a legal system, or a set of processes that have nothing to do with technology.

For example, lawyers often hack around the law, looking for loopholes to exploit that give them an advantage in their case. A good lawyer is expected to work within the legal system of a country, but still tries to bend it a wee bit for their clients. He’s not breaking the law, merely hacking it for his own good.

In the technology world, we sometimes define hackers as those who attempt to gain unauthorized access to computers; in other words, an attacker who is able to circumvent the security measures of a server to gain access. This bypassing of security measures is what makes a hacker. But how does it play out in a legal context? Continue reading

How corporations lie to the technologically challenged

Two weeks ago, a ‘challenge’ was published to readers, one that would supposedly pay a cool RM100,000 to the winner. All you had to do was decrypt an AES-256 encrypted blob (more accurately referred to as ciphertext).

As expected, no one won.

Because breaking that ‘military-grade’ encryption is beyond the capability of most normal human beings, and certainly not worth the paltry RM100,000 that was being offered. It’s the equivalent of offering 50 cents for someone to build a rocket capable of going to the moon. In fact, RM100,000 is exactly the cash prize Celcom offered for its cupcake challenge, because baking cupcakes and breaking ‘military-grade’ encryption are the same thing.

Once the challenge had expired, Celcom conveniently launched their new zipit chat application, which surprisingly used AES-256 encryption as well. More importantly, they released some statistics from a ‘hackerthon’ they conducted, in which 18 million people viewed the challenge and 17,000 registered to participate, but none succeeded.

OK, so while there was no official announcement from Celcom tying the original Lowyat challenge to their new zipit app, it was quite plain for all to see.

So let’s go into why this upsets me. Continue reading