Part 3: PRISM and Upstream

Initially I wrote about PRISM and how a lot of people felt it was a tool to intercept communication in flight to companies like Google and Facebook, however slightly more details have emerged to debunk that claim.

However, it’s of paramount importance that we understand what people are saying. No one is denying that communications aren’t being intercepted on their way to Google, Facebook or Apple, instead what they are denying is that the capability to perform that interception and storage is under purview of another program called Upstream, and that analyst like Edward Snowden at the NSA were encouraged to use both PRISM and UPSTREAM.

PRISM and Upstream What the crudely drawn powerpoint on the left is trying to describe is the distinct-ness of the programs and how each program would complement (rather than replace) the other.

The release of this particular slide was done shortly after the initial news broke to, in the interests of aiding the debate over how Prism works. 

The Guardian have intentionally redacted some of the program names from the slide, presumably in an effort to milk this story dry for all that it’s worth, but probably also to keep the momentum of the debate just in case people move on. However, in their own words the slide:

details different methods of data collection under the FISA Amendment Act of 2008 (which was renewed in December 2012). It clearly distinguishes Prism, which involves data collection from servers, as distinct from four different programs involving data collection from “fiber cables and infrastructure as data flows past”.

The of course points to separate approaches, one where information is accessed directly from the servers their stored in (data at rest), and one where information is collected while in transit (data in transit).

This distinction resonated with me, simply because I read about this a couple of months back when another wanted man name Kim Schmitz was making the news instead of one Edward Snowden. Continue reading

PRISM and Tempora

GCHQ Mastering the InternetAs Edward Snowden begins to look for more ‘accommodating’ countries who wouldn’t mind playing host to a man that currently is more wanted than Osama bin Laden, Saddam Hussein and Kim Kardashian combined, more details slowly begin to emerge about PRISM, painting an ever clearer picture of the extent of the program both Stateside and abroad. Each individual piece of information that filters continues to sharpen the image we have on just what the NSA has (and probably still IS) been surveilling.

However, we also need to acknowledge a separate project called Tempora, which is the British equivalent of PRISM–or since we don’t know the full details of PRISM–we can at least infer that both Tempora and PRISM share the same objectives, which was to spy on internet communications of netizens throughout the world. As of last year, the British had finished attaching probes to 200 fibre-optic cables each with a capacity of 10 gigabits per second. Which would have granted them access to 21.6 petabytes  of data on a daily basis. This we are told is just the half-way point!

Basically the British government through the Government Communications Headquarters (GCHQ) was accessing a vast majority of data flowing into and out of its borders, most of which probably didn’t originate in the UK and was merely transiting through it. The GCHQ is itself a pseudo-military agency which traces its roots back to World War 1, when communications jamming involved shooting carrier pigeons. Which means that a military organization is looking at private citizen data of not just UK citizens, but possibly Europeans, Japanese and even Malaysians, as the internet traffic we use on a daily basis route through Europe and UK before finally landing on the US East Coast.

The interesting though, is that Project Tempora is based in the UK, while PRISM is based in the US, and while local regulations prevent local agencies like GCHQ and the NSA to spy on their own citizens within their own borders, it is physically impossible for a person to be both in the UK and the US at the same time–damn laws of physics….. Which essentially means that between Tempora and PRISM, both the UK and US government can spy on the whole world, and that’s probably what they’re doing.

The UK is a favourite landing spot for all those undersea cables that transverse the atlantic, carrying internet traffic between Europe and the US, and if you’re wire-tapping the lines between the UK and the US, it’s almost a certainty that you’re tapping nearly all of Europe. Which would explain why the Germans aren’t too happy about the recent revelations of Project Tempora, and have sent a list of questions to the British Embassy in Berlin. If I were the German chancellor I’d be very interested in the details of the project, primarily around why it’s named after a Japanese delicacy–oh wait that’s Tem-PU-ra. Continue reading

Fair Usage Policy: Data caps and Torrent filters

Capping the Nations future

This article is really more a continuation from yesterdays piece about how unfair the Fair usage policies in Malaysia are. In my view telcos complaining about 15% of customers using 70% of their traffic is just ludicrous behaviour–it’s the cost of doing business. This is akin to a restaurant owner offering a buffet and then complaining that 15% of his customers are fat men who eat the expensive mutton curry. Really? Do you really think that if you offer a buffet all you’re going to get is skinny super models?
As ironic as it sounds, the more customers any telco has, the less the average consumption of data per user becomes. That’s because your grandmother down the road who uses Unifi for just Skype-ing with her grandchildren can essentially subsidize your torrent hungry consumption. At the end of the day, there are far more grandmothers in Malaysia than there are torrent hungry downloaders like yours truly.

So that’s why I don’t like the data caps, but how about the content filtering? Particularly filters that block of torrent downloads?

Part of the cost of your broadband connection includes the cost that the telcos pay to route your transaction to the US. That’s really where the internet is, and while Google has a couple servers here and a youtube presence–the vast majority of traffic still flows to the US. This means on top of the price of getting the Fibre to your home, the local telcos also have to pay for routing your data to the US (and back). If most Malaysians started viewing local sites rather than pornhub, our broadband cost ‘could’ become cheaper, because the telcos don’t have to invest in those expensive undersea cables to setup the connection to the states. Contrast this with the situation in the US where only 10% of traffic from the US flows outside it’s borders, it means that even if a US ISP lost its undersea cables, it could still serve up 90% of the content its users were requesting. It also explains why Singapore has cheaper broadband than Malaysia–Singapore is the data-hub for the Asia Pacific Region, so a lot of it’s traffic is also local.

So how do we resolve this issue? One approach would be to make Malaysia a hub, but most experts conclude that it’s probably not going to happen (including Afzal Abdul Rahim in his 2011 TedXKL talk). The other option would probably be to start hosting more content in Malaysia, and that’s why a Youtube server within our borders is a great start. What would probably help better is Netflix availability and Netflix servers in Malaysia–until you realize that Netflix host their servers on Amazon Web Services, and Amazon chose Singapore as their Asia-Pac location–probably because Singapore is a data hub, which sends us into a round-about circular argument.

We can’t get cheaper broadband because we don’t have the cables coming into Malaysia, and we don’t have the cables because we don’t have the content, we don’t have the content because we don’t have the cloud servers and we don’t have the cloud servers because we don’t have the cables. I explored this before how cloud computing ties in closely with your data connectivity as a nation–and there really is nothing much we can do to address the gap with Singapore except spend more on undersea cables. Most of which require significant monetary investment–and take a lot of time to deploy. Continue reading

Maxis and TM Fair Usage Policies : Are they fair?

Fixed Access in asia

Every six months, the great people over at Sandvine release their Global Internet Phenomenon report, which seeks to make sense of global internet traffic across the different regions of the world, and every six months I learn a lot from just gleaning through it. For instance most of the traffic in the US continues to point to just one website–Netflix, which also explains the drop in bitTorrent traffic in the US (why bother downloading anything when you can stream). However, in Malaysia, where it’s difficult (but not impossible) to get a Netflix account, most of the traffic for both upstream and downstream still uses the bitTorrent protocol–which mostly means there’s still a lot of illegal downloading going on in these here parts–but you can’t blame us, because the alternative isn’t legal downloading, it’s buying a DVD–if you can find the DVD you want in the first place.
You can view the report in it’s entirety here, but I just wanted to point out one cool fact.

The average monthly traffic in Asia-Pacific has dropped.

Just 12 months ago the average monthly consumption was 32.2GB, now it’s at 22.oGB. That’s a significant drop in traffic, that which really boggles the mind. This is the growth region of the world–why is our average monthly consumption of the ‘internet’ decreasing. Put another way, why are Asians using less internet?

I suspect the average monthly consumption has dropped because of the growth in Asia Pacific, it’s quite counter-intuitive, but as Asia Pacific adds more users to the internet, the newer users in the more rural parts of the region aren’t downloading as much as their urban cousins. Therefore, while the overall traffic flow has increased, the average monthly consumption per account has reduced. It’s all conjecture at this point–but that’s what I think based on just this one data point. It makes sense to me, as a lot of people aren’t torrent-crazy-downloaders, which just means that they aren’t consuming anywhere near the full amount.

The Median monthly consumption is just 8.8GB, while the Mean monthly consumption was 22.0GB, and that tells me that the data is skewed–highly skewed. The statistician inside me is just crying to get out and shout–SKEWED!!

Skewed is just another way of saying that the distribution of internet consumption is un-evenly distributed across–or in more laymens terms–a few internet users are using the vast majority of the bandwidth. Continue reading

How secure are the webpages of Malaysian Banks and Telco

SSLI’ve almost been fascinated by the fact, that our money in the bank these days are secured not by steel doors or armed guards, but rather by cryptography and the encryption keys that enable them. To put it in the simplest form  your money in the bank is protected by a number–that’s what an encryption key essentially is. A long binary number of 1’s and 0’s that protects your life savings…

Most (if not all) of your ‘secure’ internet communications is protected by something call SSL, or its successor, TLS. SSL is the stuff of legend, initially invented by Netscape to encrypt internet communications, SSL is now used by nearly everyone online. You see it when you login to your bank account on Maybank or CIMB, when you log into a online store like the ones run by Digi and Maxis even when you do your Tax filings on e-Filing LHDN website.

However, just like every standard in IT, SSL and TLS act as frameworks, and different websites could implement these frameworks slightly differently, usually based on the customer segmentation or the amount of security required. Each implementation could vary from one to another and yet still remain compliant to the ‘standard’, we wouldn’t need consultants if it were otherwise.

The problem is, that just because some website use TLS or SSL, doesn’t mean it’s secure–all it means is that the website is now using a standard, but could have implemented the standard poorly, making it vulnerable to attack, and possibly leaking out your data (some of which might be very very sensitive).

The best way to think about is to go back the number analogy, and assume that the amount of security you get from encryption is determined by the length of the number. So a 10 digit number is less secure than a 100 digit number–and a 1 digit number is less secure than both of them. In security jargon, we call this the key length, and it’s quite a common criteria used to determine the security of a given SSL/TLS implementation. This of course is just one of the criteria to determine how secure the the implementation is.

Basically it’s not enough to check if a website is using SSL or not, it’s more important to figure out how well the encryption is implemented by the website. Of course, this is beyond the scope of most people, no one has the time or inclination to perform a security audit on their banks website, although it is in their best interest to do so. Usually that green lock icon at the bottom of the screen helps me sleep well at night–but it shouldn’t, it’s a good start, but not a guarantee of security.

Fortunately, there’s a really quick and dirty way, to determine how secure the SSL/TLS implementation of a website is. Head on over to SSLLabs.com and enter the url of the website you want to evaluate and the perform a really good audit of the site in real-time, measuring things like key-length and SSL versions, up to the certificate authenticity.

So armed with SSLLabs.com, I decided to just quickly perform a quick check of the most popular secure websites in Malaysia to see if these websites were offering the security their users deserved. Checking out the most popular forum in Malaysia, two telco companies, two banks, one government agency and a news portal, the good news is that 3 out of 7 got straight A’s on their test–the bad news is that the other 4 got F’s–and it’s possible to get E by the way…so an ‘F’ is what most people call an epic failure. Continue reading

What is PRISM?

Prism controversyThere’s a controversy brewing in the land of the free, one that will have implications for Americans, but also Malaysians and nearly every citizen of the world. We may look back at the moment Mr. Snowden leaked controversial (and ugly) slides about a program called ‘PRISM’ as the start of a pivotal moment in internet history, a moment where we either begun a massive campaign to prevent illegal and unethical government wiretaps or a moment where we let governments turn the internet into a police state.

So let’s recap what happened.

First, the Guardian newspaper broke a story on how the US Government had ‘direct’ access to the servers of the tech giants of the Silicon valley including Google, Youtube, Yahoo, Apple and Facebook. In short, the report claimed US Government had direct access to the emails, personal details and chat sessions of everything stored on in massive datacenters of the social networks that the tech giants ran.

There isn’t a person I know that doesn’t have either an iPad, Facebook account or Gmail address. Even my dad who vehemently refused to have a Facebook account, eventually succumbed to the social pressure but that was much after I setup his company email with Google Apps. So to say that the US Government had access to private details of nearly every single person in the world is not a stretch.

So what is PRISM really?

The theory is that US government officials, specifically from the National Security Agency(NSA) have direct access to the servers of 9 Tech giants. Details are scarce and denials abound….what isn’t debated is that the NSA has some sort of access to the server, even though the likes of Google and Facebook have repeatedly denied that they have created a backdoor.

So is it possible that the NSA has a backdoor to Google without Google knowing about it? Turns out it’s not as far-fetched as it seems.

Steve Gibson, a security guru with his own show on TwitTv seems to think so. He’s put together some high level analysis of the story, taking into account other similar stories and suggest that the NSA has a wire-tap on the entire world. A communications intercept targeting the likes of Google and Facebook, but one that the tech companies could be blissfully ignorant of. A wiretap strategically placed at the front door of Google, Facebook, Microsoft and Apple–that collects and stores every data packet passing into and out of their servers.

But communications intercepts don’t work–because the data is usually encrypted…isn’t it?

In most parts the communications that people like you and me use to connect to Google is encrypted, and we’re secure in the knowledge that our data in transit is protected from prying eyes by a minimum 128-bit encryption–that’s encryption that probably won’t be broken for another 20 years.

But not all data flowing into and out of Google is encrypted, some of it flows in plaintext–ripe for any wiretap to pick up. Just like email. Continue reading

Security Offences Bill vs. Universal declaration of Human Rights

This is what Article 12 of the Universal Declaration of Human Rights says:

  • No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

This is what security offences bill in Malaysia says:

(1) Notwithstanding any other written law, the Public Prosecutor, if he considers that it is likely to contain any information relating to the commission of a security offence, may authorize any police officer
(a) to intercept, detain and open any postal article in the course of transmission by post;
(b) to intercept any message transmitted or received by any communication; or
(c) to intercept or listen to any conversation by any communication.

To me, the phrase ‘if he considers it is likely’ is another way of saying arbitary. Continue reading

Can you out-tech the government?

Over the past years we’ve seen a recurrent theme where Government agencies were attempting to curtail internet freedom in the name of ‘keeping the peace’. From Saudi telcos threatening security experts to help them hijack tweets to governments procuring tools like Finspy to spy on their citizens–usually without any warrant or legal oversight. We’ve seen US federal agencies try to legislate mandatory technical backdoors into software and how the Syrian government treats internet access for its Citizens like candy for their children–you only get it if you behave.

In Pakistan, a wholesale blockade of youtube means their citizens are missing not just Gangnam Style, but Gentlemen as well (although that may not necessarily be a bad thing)–and we all know how much censorship and surveillance is going on in China.

A French court is now asking twitter to hand over account details to identify individual users that tweeted anti-semitic messages, both the Dutch and German police are users of spyware from companies that the are deemed ‘corporate enemies of the internet’ by reporters without borders, and while you may agree that courts have a right to curtail hate speech, just ruminate for a moment how one-sided French law is when they aggressively pursue anti-Semitic messages  but forbid Muslims school girls from wearing a hijab to school because it is supposedly a symbol of oppression. These biases point to deep flaws in our belief that freedom of speech can somehow be regulated by governments–the term regulated freedom of speech is an oxymoron to begin with.

This of course doesn’t just affect the ‘bad’  countries, those with lifetime membership cards to the axis of evil, but countries we’d generally consider good guys as well, those we associate with a respect for personal privacy and citizen rights, so that we did end up like this? To truly appreciate where we are we need to go back to how it all starts.

A false sense of Insecurity

Throughout history it all starts in the name of national security, or keeping the peace. Government agencies ramp up the security concerns and threat levels to grant a false sense of insecurity to its citizens–because it’s only in this environment that citizens are willing to grant such unilateral powers to the government (and its agencies). People aren’t too willing to allow for unilateral government interception of communications–unless of course they perceive that terrorist live among us, and the government requires these powers to protect the innocent.

The track records of governments has never been good. September 11 was a colossal failure of government intelligence, and it’s usually used an example of why governments should do better. What most people don’t know is that a company called Acxiom had data for 11 hijackers, and provided that data to assist in investigations post 9/11, it turns out had the government agencies used Acxiom, they may have had additional security on the planes that crashed into the WTC. The breadth and depth of the information provided to law enforcement has been kept secret–and in the wake of such attacks nobody bothered to ask whether Acxiom was operating within legal limits of collecting and storing that data–worse still people forget that Acxiom itself was hacked leaking private information of millions of Americans. Yes it may have help thwart the attacks on 9/11, but the Acxiom itself became a target of attack shortly after details of its information bounty were published, there are a lot of people who would pay for that kind of information.

Even with the fundamental problems of the government storing such private information–government agencies throughout the world continue to ramp up security concerns in the hope of scaring people into giving up their freedoms. Closer to home we continuously see the ‘threat of sedition’ being used to deny individuals and private citizens their rights. The ‘possibility’ of a repeat of May 13th, is now accepted as a ‘high probability’ even though there is no data to suggest that a repeat is possible let alone probable. Just like courts in France we see a glaring bias in the execution of these sedition laws–and the targets are often pro-opposition rather than pro-government.

The Malaysian government is now being accused of running spyware suites like Finfisher, which incorporates a voyeuristic like ability on the malware owner to spy on the victims. The makers of Finfisher claim their software is only sold to governments–without realizing it’s the governments themselves that are illegally spying on its citizens.

Not since Tom Sawyer tricked his friends to paint his white fence has such levels of deception been seen.

However, the level of deception isn’t what is troubling, it’s the level of apathy among the mainstream society to these revelations that send shivers down my spine. No one from the general public seems perturbed that the very technology that was supposed to advance democracy and free speech in Malaysia is now being used to suppress it.

And we’re not the only ones spying on our citizens… Continue reading

Should we learn from China?

TianasquareI’m truly anxious at the recent rhetoric about ‘regulating’ of the internet, and fear the worst. I grew up with the internet and like to think we made a journey together, from my high school days where dial-up internet was the norm, to the blazing fast broadband I have now–things have change a lot for the both of us. I am a digital native, I know no other land other than a digitally infused one we live in today. Couple that with my unique libertarian views and my savvy for all things tech, and you can quickly see why I strongly oppose internet censorship of any kind….and I really mean any kind.

So when certain groups like GAPS call on the government to ban Facebook completely, I get a fairly annoyed. This follows just days after similar groups called for Malaysia to follow in footsteps of our neighbours down south and place a price on blogging–to the tune of SGD50,000, and who can forget the day when a respected journalist in Malaysia called for the ban of Youtube.

Any little bit of internet censorship puts Malaysia on a very slippery slope–and I believe we have to look to countries like China to see just how steep the slope really it, and follow it to its logical conclusion.

So what’s it like in China?

The Chinese government get a tad-bit sensitive when it comes to the Tianamen Square Protest–so they decided to censor the internet for any mention of it. However, they really took things to the next level when it comes to keyword censoring, including censoring the word ‘today’ on the anniversary of the protest. The guardian reports:

“today” is part of a long list of search terms that have been censored on Sina Weibo, the country’s most popular microblog.

Other banned words include “tomorrow,” “that year,” “special day,” and many number combinations that could refer to 4 June 1989, such as 6-4, 64, 63+1, 65-1, and 35 (shorthand for May 35th).

Took me a while to figure out May35th, but I eventually got it. (did you?)

If the government thinks it can begin censoring the word ‘today’ from social network sites–do you really think they won’t censor anything else.

However, they didn’t stop there, what followed was a wholesale block of Wikipedia’s HTTPS website, leaving only the HTTP version of wikipedia accessible from within the great firewall. As we’ve seen with similar censorship initiatives in Malaysia, HTTP is unencrypted and allows of filtering of seditious words like ‘today’ and ‘DAP’ because any intermediary network can determine your target URL and censor it. HTTPS on the other hand is encrypted, which means that the intermediary network will only know the target website (in this case Wikipedia), but can’t figure out which page on Wikipedia you’re visiting. This essentially reduces the censoring capability to an all or nothing censorship–the Chinese chose to censor it ALL.

This of course pales in comparison to the blocks on Google and Facebook, but really is this the country we hope to emulate? The path that people like GAPS and rockybru are recommending sends us on a trajectory of full government control of the internet, and treats law-abiding Malaysians like children who need regulated by a higher authority.

Conclusion

I wouldn’t be so worried if the Government would just make a statement dismissing this–it hasn’t. In fact, the new Ministers are now suggesting that they’re ‘looking into it’. That’s scary! Do you think the government wouldn’t block youtube or Wikipedia? I beg to differ. At think that once we allow the government to censor certain sites, we enter a dangerous realm where we grant control of our information to a select few individuals–who really have no business regulating and censoring in the first place. What’s more important is that from past experience we’ve seen that the government won’t hesitate to use these powers to censor political discourse and criticism.

I hate to see us start a complete block of Wikipedia, particularly when so many Malaysians have contributed to Wikipedia. If you still think I’m paranoid, the very same arguments used by Rocky to block youtube, or by GAPS to block Facebook, can easily be used on wikipedia pages like those of the Jyllands-Posten cartoon controversy, in my mind it’s not a far stretch.