Why Dato’ Sri Shabery Really wants to censor the internet

The social media in Malaysia is being monitored and existing laws are sufficient to weed out troublemakers trying to test the limits of free speech, Communications and Multimedia Minister Ahmad Shabery Cheek said today…

“The laws that we make are not to defend the party alone – that’s wrong,” Ahmad Shabery, who is also an Umno supreme council member, said.

In an attempt to curb internet freedom in Malaysia, the government is beginning a series of concerted statements to signal that internet censorship in Malaysia is merely a question of ‘when’ rather than ‘if’. Previously I’ve explored why internet censorship doesn’t alleviate or even mitigate the risk of communal violence, yet the government still presses on with trying to censor the internet, apparently jumping on the opportunity of Alvivi to make their case stronger.

So why is the government so enamoured by the thought of internet censorship, when clearly it doesn’t work?

Guest Post: Keyboards on Smartphones and the Future of Buttons

When a new phone hits the market, we tend to get terribly excited about its new features. And rightly so: what are boundaries for, if not to push frantically? But with the release of the latest BlackBerry 10 handsets, perhaps the most important contribution to the future of the smartphone might come in the form of the continuing inclusion of an actual QWERTY keyboard.

While the iPhone has been holding steady at four buttons, and Android handsets are caught in a strange limbo between buttons and always-on touch-screen style soft keys, BlackBerry has held fast with its products’ trademark keyboards while also offering touchscreen options.

In the early days of the touchscreen boom, this might have been viewed as simply behind the times. But now, this decision is looking much more like a distinct vision. Sure, virtualizing your keyboard has its advantages – the potential for mechanical failure is minimised, while Android’s wide variety of third-party keyboard layouts pays testament to the touchscreen’s infinite adaptability. But the lack of discrete keys renders accurate touch-typing almost impossible – there is nothing to which one’s muscle memory can orient itself.

Ultimately, the ingenious lengths to which the developers of virtual keyboards go all seem to be an attempt to compensate for the fact that full touch-screen interfaces are simply missing something. BlackBerry has simply chosen not to give their customers unnecessary obstacles in the path towards efficient and intuitive usage.

But what about the flexibility offered by that extra screen space that can be repurposed and customized, I hear you cry? Granted, this protean capability is a major draw for touch-screen phones and a cornerstone of their app design. But while these types of phones have gained real estate, they’ve also lost the potential for simple, immediate control through keyboard shortcuts.

On BlackBerry handsets, the R key can act as a reply button when you’re scrolling through your emails. No big deal, right? Well, when you’ve got 30-odd individual keys, that equates to an awful lot of extra functionality at your fingertips. On a touchscreen-only interface, these same functions would almost certainly require you to tap and scroll through menus, make ambiguous and unreliable swipe gestures, or – worst of all – fiddle around with tiny on-screen boxes that require laser-guided finger accuracy on an unhelpfully uniform glass surface.

While the market continues to be fixated mainly on touchscreen interfaces, perhaps it’s not too much of a stretch to speculate that there might still be a bright new future around the corner for keyboard phones. Could these two families even come together to create a new hybrid interface with all the flexibility of a touchscreen and the ease-of-use of a hardware keyboard? Only time will tell. Our busy thumbs await an exciting new future.


This post is part of a series of guest posts written by guest bloggers on keithrozario.com. The opinions of the author are his own and not mine 🙂

Internet Censorship won’t work in Malaysia

Why shouldn’t Malaysia censor the internet?

Of late, the recent cases involving a certain pair of ‘sex’ bloggers and their ilk have prompted certain parties to call for more stringent regulation of the internet, but I for one think that we need to ensure that the internet remains free and un-censored–now more than ever. So why shouldn’t we censor the internet?

Rephrasing the question

The question itself deserves some discussion: it should rather be posed as “Why SHOULD we censor the internet?” The onus should be on those hoping to censor the internet to make their case before any defence needs to be made. Implicit in the question of why we shouldn’t censor the internet is the assumption that someone has already made a strong case for censorship–that isn’t the case. In fact, what we have is merely anecdote and conjecture rather than an argument backed up by facts and evidence.

A lot of people have made up their minds about it, mostly based on a series of assumptions–assumptions that are usually false, and I hope to address the core assumption in this post.

Why censor at all?

The initial question we need to ask ourselves is why we are censoring at all. Intuitively people know this, but most struggle to articulate the actual rationale for WHY they would like to turn over control of the world’s most powerful information repository to politicians.

Allow me to help. Some call for the censorship of the internet to prevent hate speech and the publishing of articles that are ‘seditious’ in nature. The core of the argument is that internet censorship would allow us to avert (or at least mitigate) racial, communal or religious violence a la May 13th. That seems to be the call of the day, when politicians threaten the general population with sedition charges for questioning Facebook posts, the use of changing rooms or even beauty pageant participation, as the very act of questioning certain decisions can be construed as instigating hatred.

…But censorship doesn’t work

However, internet censorship doesn’t help avert or even mitigate this risk; in fact, it may even make the threat of violence more likely. Internet censorship, or censorship in general, does not help create a united, loving community. Think of the countries that have had communal violence in the last 2 decades, countries like Rwanda and Bosnia. Not only have these countries experienced genocide at a time when the world thought it an impossibility–they did so in an environment where the media was tightly controlled by the governments in power.

In Rwanda, the RTLM played a crucial role in inciting violence. Prior to the killings, the radio station began a series of broadcasts aimed intentionally at de-humanizing the Tutsi, and shortly after a private plane carrying President Habyarimana was shot down, RTLM was more than willing to utilize its airwaves to further fuel the flames of hate. All of this occurred in a country where the government had committed to a ban on “harmful radio propaganda” in a UN joint communiqué in Dar es Salaam.

In Bosnia, Milosevic had such a tight stranglehold on the media outlets of Serbia, he might as well have written all the newspapers himself.

These two examples tell a sad story of human hatred and viciousness, but also serve as a lesson for us–a lesson Malaysians haven’t yet appreciated. Giving the government control of the media is by no means a guarantee against racial violence; in fact, in both these examples the world stood witness to governments abusing their control of the media to further incite hatred rather than quell it.

These aren’t outliers either. Closer to home, we see Myanmar, a country with one of the most abysmal internet censorship records–and they’re experiencing their own brand of communal violence against the Rohingya, all under the watchful eye of the government-controlled internet, print and broadcast media.

We don’t want another Arab spring

Finally, we also have to address the countries taking part in the Arab Spring–all of them, whether it was Tunisia, Syria, Egypt or Bahrain, make up the bottom part of the Press Freedom Index. In fact, if the Press Freedom Index were the Premier League, they’d all be relegated next year. Sadly, both Malaysia and Singapore also occupy the same positions on the index–Malaysia Boleh indeed!

In conclusion though, it’s quite clear that internet censorship won’t avert or even mitigate the risk of violence or street protest. Delving deeper, we may come to the conclusion that providing a free media, one that is free from government-imposed restrictions, allows the population to voice their dissatisfaction with government policies that they view as unfair. A sort of safety valve that releases tension so people don’t have to resort to violence out of sheer desperation but can instead turn to rational discourse and debate over the most sensitive topics–because let’s face it–they’re sensitive for a reason.

The bottom line though, is that if you wanted to make a case to censor the internet, you would first have to address whether it would work in achieving your end goal, failing which your entire case would be moot. I believe that if your end game was to avert violence–internet censorship would quite frankly do Jack Shit! And unless you can come up with a compelling explanation as to why censorship didn’t work in Rwanda, Serbia, Syria, Tunisia, Egypt, Bahrain and Myanmar, yet think it could work in Malaysia–then there really is no case for censorship.

So the reality is that internet censorship doesn’t help avert or mitigate violence; rather, the evidence suggests it actually promotes and allows it. How ironic indeed!

Using Captchas on cybertroopers and botnets

Last week I wrote about the ‘rigged’ EDGE poll, which the EDGE eventually had to take down because they suspected someone was trying to bias the results. It was later revealed that a handful of IP addresses were responsible for the bulk of the votes–presumably the fake ones. An IP address identifies a unique internet connection, but not necessarily a unique device. You can try this yourself at home: connect your PC, laptop, tablet and phone to your Wi-Fi router and then go online to check your IP from each–all of your devices will have the same ‘external’ IP address.

So in theory, the IP address could have belonged to a shared cybercafe where everyone was logging in and voting on this obscure poll–but that’s unlikely. What’s more likely is that a single PC loaded with a simple script was logging in to the EDGE multiple times and continuously voting. There’s no other way to get 6,000+ votes in a short space of time from a regular human being.

That, of course, begs the question–how can you fix this? Well, the answer to these automated scripts has been around for quite some time now; it’s called a CAPTCHA and it looks like this:

What is CAPTCHA

You’ve seen this before: a Captcha is a simple test of human-ness.

A Captcha is a little bit of checking most websites do to make sure you’re a human. Now, the reason they’re all jumbled up and ‘squiggly’ is simply because the squiggliness makes it impossible for a computer program to read. In fact no one has yet come up with a program that can read a Captcha, yet even my 6-year-old niece can identify most Captchas on the first try, which tells us a lot about the difference between man and machine.

As far as vote rigging prevention methods go, a Captcha is more like a long line at the polling center, rather than indelible ink. A Captcha doesn’t prevent anyone from double-voting but it does raise the effort required to place a vote to the point where one person submitting 6,000 votes would be practically impossible. It’s a ‘proof-of-work’ that basically charges the user for whatever transaction was being performed, in this case the user is charged the time and effort it would take to solve the Captcha before placing their vote. The fact that the transactions cost something, means that at some point it becomes economically infeasible to repeat the transaction over and over again–whether that transaction was a vote for an online poll, or a comment on a blog or even sending out an email. 

So proof-of-work actually helps address botnets or even cybertroopers; I wonder why the EDGE didn’t implement it.
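To make the two ideas above concrete, here is an added example (my own code, not from the original post or from the EDGE): first, the detection step, finding the handful of addresses behind the bulk of the votes in a vote log; second, a hashcash-style proof-of-work, which is the same ‘charge the voter something per transaction’ idea as a Captcha, except that it charges CPU time instead of human time. The vote log, the IP addresses and the poll itself are constructed for the example.

```python
"""Added example (not from the original post): two defences against
automated poll-stuffing.

1. detect_vote_stuffing(): find the 'handful of IP addresses responsible
   for the bulk of the votes' in a constructed vote log.
2. A hashcash-style proof-of-work: the server hands out a random challenge
   and accepts the vote only once the client presents a nonce such that
   SHA-256(challenge:nonce) starts with `difficulty` zero bits. Like a
   Captcha it does not forbid a second vote; it makes 6,000 votes from one
   machine cost 6,000 times the work.
"""
import hashlib
import secrets
from collections import Counter

# Constructed sample log: (ip, unix_timestamp, choice). Three ordinary
# voters plus one address submitting far more than a human plausibly could.
# Addresses are RFC 5737 documentation ranges.
SAMPLE_VOTES = (
    [("203.0.113.7", 1_000_000 + i * 2, "A") for i in range(40)]  # 40 votes, 2 s apart
    + [("198.51.100.4", 1_000_000 + 30, "B"),
       ("198.51.100.9", 1_000_000 + 45, "A"),
       ("192.0.2.18", 1_000_000 + 61, "B")]
)


def detect_vote_stuffing(votes, max_votes_per_ip=5, share_threshold=0.5):
    """Return {ip: {"votes": n, "share": fraction}} for every address that
    cast more than max_votes_per_ip votes or at least share_threshold of
    all votes. The thresholds are arbitrary constants for the example."""
    counts = Counter(ip for ip, _, _ in votes)
    total = sum(counts.values())
    flagged = {}
    for ip, n in counts.items():
        share = n / total
        if n > max_votes_per_ip or share >= share_threshold:
            flagged[ip] = {"votes": n, "share": round(share, 3)}
    return flagged


# --- proof-of-work ---------------------------------------------------
def new_challenge():
    """Server side: a fresh random challenge, one per vote attempt, so a
    solved nonce cannot be replayed for a second vote."""
    return secrets.token_hex(16)


def _leading_zero_bits(digest):
    """Count leading zero bits of a byte string."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def verify_pow(challenge, nonce, difficulty):
    """Server side: one hash to check that the client did the work."""
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return _leading_zero_bits(digest) >= difficulty


def solve_pow(challenge, difficulty):
    """Client side: brute-force a nonce; expected cost is 2**difficulty hashes."""
    nonce = 0
    while not verify_pow(challenge, nonce, difficulty):
        nonce += 1
    return nonce


def cost_of_votes(n_votes, difficulty):
    """Expected number of hash evaluations to cast n_votes at this difficulty."""
    return n_votes * (2 ** difficulty)


if __name__ == "__main__":
    print(detect_vote_stuffing(SAMPLE_VOTES))
    challenge = new_challenge()
    nonce = solve_pow(challenge, 12)
    print(verify_pow(challenge, nonce, 12), cost_of_votes(6000, 12))
```

The verification side costs the server a single hash per vote, while the voter pays roughly 2^difficulty hashes; the difficulty can be raised per address once `detect_vote_stuffing` starts flagging it, which is the cheap way to make the 6,000-vote script uneconomic without inconveniencing the single-vote majority.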

The root cause of crime

Crime has become a hot-button topic these days, and while a lot of finger-pointing and blame-shifting has been going on in political circles, I think it’s wise to take a step back and try to address the root problem rather than its symptoms.

A brilliant piece by Evgeny Morozov in Slate points out the following:


Forget terrorism for a moment. Take more mundane crime. Why does crime happen? Well, you might say that it’s because youths don’t have jobs. Or you might say that’s because the doors of our buildings are not fortified enough. Given some limited funds to spend, you can either create yet another national employment program or you can equip houses with even better cameras, sensors, and locks. What should you do?

If you’re a technocratic manager, the answer is easy: Embrace the cheapest option. But what if you are that rare breed, a responsible politician? Just because some crimes have now become harder doesn’t mean that the previously unemployed youths have finally found employment. Surveillance cameras might reduce crime — even though the evidence here is mixed — but no studies show that they result in greater happiness of everyone involved. The unemployed youths are still as stuck as they were before — only that now, perhaps, they displace anger onto one another. On this reading, fortifying our streets without inquiring into the root causes of crime is a self-defeating strategy, at least in the long run.

While the article itself is directed at the folly of big data, the over-arching theme points to a fundamental shift in policy making that is now solely focused on short-term fixes rather than addressing the root cause of problems. In short, big data sometimes seems to miss the big picture.

Read the entire article here.

The Security Offences Bill 2012 – Technology Perspective

Government Eavesdropping on your conversations

The Security Offences (Special Measures) Act 2012 and its new amendment, that wonderful piece of legislation meant to repeal the archaic and ‘draconian’ ISA, may turn out to be even more archaic and draconian than the ISA it was meant to replace.

While much of the legal fanfare has been focused on the detention-without-trial sections of the bill, as a tech blogger I wanted to focus on its technical aspects. Specifically, let’s focus on how the new law would allow the government to eavesdrop on your internet communication without the authorization of any judge or judicial oversight. Now, while the Public Prosecutor, or Attorney General, in this country isn’t specifically part of the government, he (or she) is appointed by the Yang Di Pertuan Agong on the ‘advice’ of the Prime Minister.

The sections of the bill that focus on the interception of communication are both all-encompassing and far-reaching, giving far too much power to the Public Prosecutor to intercept your private conversations and web surfing habits, which is a gross invasion of privacy.

Power to intercept Communications

The act grants exceedingly broad powers to the Public Prosecutor, including the ability to authorize any police officer to intercept your postal letters, your internet conversations, your email and even your web surfing habits. This includes a list of the websites you visit, and which comments you’re posting on Malaysiakini.

On top of this, the Public Prosecutor has the legal authority to compel an ISP to intercept and retain any communication you performed for an unspecified amount of time–which could be forever.

Basically he can begin to ask Maxis or Unifi for the list of websites you visit and your detailed online communications: access to your emails, your friend list on Facebook, your tweets and even your online files. Not even your online porn stash will be free from the prying eyes of the Public Prosecutor (not that I have one though…just saying, I know a friend who does).

All this without ever having to go to a judge for judicial oversight. More importantly, anything collected in this way is deemed admissible as evidence in court, and no one will have to explain how the evidence was obtained. For all you know they could have placed webcams in your home, but they would never have to explain this in court.

What’s worse is that a Police Superintendent is granted similar powers when “immediate action is required leaving no moment of deliberation”.

We all understand the need for the Police and Public Prosecutors to do their job well, and they require tools to catch the bad guys. However, this grants them way too much power with regard to their ability to invade the privacy of private citizens. I don’t want the Public Prosecutor or a curious Police Superintendent snooping on my internet conversations, and yet the new Security Offences Act allows them to do that–legally!

How Computer Security Research works: Facebook’s $20,000 prize

In the early days of public computing, researchers who discovered vulnerabilities would quietly tell the product vendors so as to not also alert hackers. But all too often, the vendors would ignore the researchers. Because the vulnerability was not public, there was no urgency to fix it. Fixes might go into the next product release. Researchers, tired of this, started publishing the existence of vulnerabilities but not the details. Vendors, in response, tried to muzzle the researchers. They threatened them with lawsuits and belittled them in the press, calling the vulnerabilities only theoretical and not practical. The response from the researchers was predictable: They started publishing full details, and sometimes even code, demonstrating the vulnerabilities they found. This was called “full disclosure” and is the primary reason vendors now patch vulnerabilities quickly (9). Faced with published vulnerabilities that they could not pretend did not exist and that the hackers could use, they started building internal procedures to quickly issue patches. If you use Microsoft Windows, you know about “patch Tuesday,” the once-a-month automatic download and installation of security patches.

Bruce Schneier (Securing Medical Research: A Cybersecurity Point of View)

For the most part computer security is about full disclosure–well, almost. The basic stable state these days is that security researchers contact the product vendor directly and alert them to the vulnerabilities they’ve found. This includes a full disclosure of what was found and how to exploit it. The product vendor is then given some lead time to issue a patch; once the patch is released, the full details of the vulnerability are published by the researcher and everyone remains happy.

This way, the security researchers have an incentive to keep finding vulnerabilities, because each published vulnerability helps them score some publicity–publicity that is vital for them to secure more research funding. Not disclosing the full vulnerability before the software is patched helps protect the customers of the product vendor, thereby creating a win-win for both sides. As each vulnerability is discovered and patched, the software gets more and more secure, which is good for the researchers, the vendor and the general public. It’s a wonder that it took so long to come to this conclusion–that for the most part product vendors would muzzle security researchers, and upon successfully muzzling them would then neglect to patch the same vulnerability they tried so hard to keep secret.

Following in the footsteps of this great tradition, Facebook has elected to take the same route, but has added cash incentives to the mix as well. They’ve given $20,000 to a Brit who discovered a potentially embarrassing flaw in the way Facebook links accounts to mobile numbers. That same exploit given to a hacker or criminal organization a la Nigerian Prince scams could easily have cost Facebook and its users millions (if not more). Now Facebook is safer, not just because it continuously looks for cracks in its system, but because it encourages others to look for them as well.

It also explains how Microsoft gets all those bug reports–which it then shares with US government agencies, before patching them for the rest of the world.

For more insight on how full disclosure of bugs actually keeps software safe, check out a brilliant post by Bruce Schneier (whom I secretly worship) here.

.my domains hacked: Why SSL is more important than ever

MyNic is the organization responsible for managing the .my Top Level Domain, which means every website address that ends with .my is under their administration. These centralized control centers act as giant targets for hackers, but for the most part they’re protected better than Fort Knox–or they should be.

Yesterday, a hacker going by the name [email protected] successfully managed to hijack the .my addresses of popular websites belonging to Google, Microsoft, Dell and even Kaspersky (an anti-virus company). Instead of being presented with the usual webpage, visitors who entered URLs like www.google.my or www.skype.my were redirected to a static page with the word HACKED emblazoned in big red letters.

Initially, word around the tech community was that this was DNS poisoning, but later on evozi.com reported that this was a DNS hijack. The difference is that with DNS poisoning just one DNS resolver is ‘poisoned’, and a user could easily circumvent the issue by choosing a separate resolver like one provided by Google or OpenDNS. A DNS hijack, on the other hand, is where the actual Top Level Domain (TLD) administrator has been compromised, resulting in every DNS resolver replicating the wrong IP address.

DNS poisoning is a localized issue affecting just a portion of the servers that make up the DNS ecosystem; a DNS hijack is a global issue affecting everyone.

Put another way–MYNIC screwed up, big time! The vulnerability in this case had nothing to do with Google, Dell, Microsoft or Kaspersky, it was all MyNic.
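The distinction above (poisoning affects a portion of resolvers, a hijack affects every one of them) can be turned into a simple triage check. The following is an added example written for this page, not code from the original post or from MyNic or evozi.com: the resolver answers, the domain name and the addresses are all constructed (RFC 5737 documentation ranges), and a real check would collect each resolver’s answer with something like `dig @resolver name A` before feeding it in.

```python
"""Added example (not from the original post): classify a suspicious DNS
answer as localized (cache poisoning at one or a few resolvers) or global
(a change upstream of every resolver, i.e. at the authoritative zone or
the registry, which is what the .my hijack looked like).

Everything here is constructed for the example: the name, the baseline
address, the resolver labels and their answers.
"""
from collections import Counter

# Known-good address for the name, e.g. recorded on an earlier day or taken
# from the site owner's own announcement (constructed placeholder here).
EXPECTED = {"www.example.my": {"198.51.100.10"}}

# Constructed answers: resolver label -> set of A records it returned.
POISONED_SCENARIO = {
    "isp-resolver-1": {"203.0.113.66"},   # one resolver hands out a bad address
    "isp-resolver-2": {"198.51.100.10"},
    "google-8.8.8.8": {"198.51.100.10"},
    "opendns":        {"198.51.100.10"},
}
HIJACKED_SCENARIO = {
    "isp-resolver-1": {"203.0.113.66"},   # every resolver agrees on the bad address
    "isp-resolver-2": {"203.0.113.66"},
    "google-8.8.8.8": {"203.0.113.66"},
    "opendns":        {"203.0.113.66"},
}


def classify(name, answers, expected=EXPECTED):
    """Return (verdict, detail) for the answers collected for `name`.

    verdict is one of 'unknown', 'consistent', 'localized', 'global'."""
    good = expected.get(name)
    if good is None:
        return "unknown", "no baseline address recorded for this name"
    agreeing = sorted(r for r, a in answers.items() if a == good)
    disagreeing = sorted(r for r, a in answers.items() if a != good)
    if not disagreeing:
        return "consistent", "every resolver returned the baseline address"
    if agreeing:
        # Only some resolvers deviate: the problem lives in those resolvers'
        # caches, and a user can work around it by switching resolver.
        return "localized", (
            f"only {disagreeing} deviate from the baseline; {agreeing} still "
            "return it, so switching resolver works around the problem "
            "(cache poisoning at the deviating resolvers)")
    # Every resolver agrees on a non-baseline answer: the change is upstream
    # of all of them, so changing resolver does not help. A legitimate
    # renumbering looks identical, so confirm with the site owner before
    # calling it a hijack.
    consensus = Counter(frozenset(a) for a in answers.values()).most_common(1)[0][0]
    return "global", (
        f"all resolvers return {sorted(consensus)} instead of {sorted(good)}; "
        "consistent with a registry/authoritative-level hijack or a real IP change")


if __name__ == "__main__":
    for label, scenario in (("poisoned", POISONED_SCENARIO),
                            ("hijacked", HIJACKED_SCENARIO)):
        print(label, classify("www.example.my", scenario))
```

The `global` verdict is deliberately not called ‘hijack’ outright: from the resolvers’ point of view a registry compromise and an ordinary change of hosting look the same, which is why a baseline you trust (or the certificate check described further down) is needed to tell them apart.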

I’m not sure whether DNSSEC would have solved this issue. DNSSEC implicitly relies on the trustworthiness of the TLD domain name server, and if that server is compromised DNSSEC wouldn’t help. However, DNSSEC does require the signing of these domains by a key, and if that key were protected, the hijack wouldn’t have worked. At worst, users wouldn’t have been able to access the webpages; they wouldn’t have been redirected.

Most websites, including Lowyat.net, had advised users to be cautious about using services like online banking at this time. However, a straightforward and secure way around the issue is just to ensure your browser is operating in SSL mode (that’s the https vs. http question), and check the certificate to ensure you’re on the right page. In fact SSL was built for this sort of thing, as it provides both authentication and encryption–this is a case where the former would help but not the latter.

If anything this is a stark reminder of why it’s important to constantly check the SSL certificates of websites you’re visiting, and not rely on Google Chrome to do it for you. It’s also a wake-up call to any entity dealing with private and personal data to implement SSL and implement it well.

I was absolutely SHOCKED to find out that bloody MYEG doesn’t have SSL enabled on their website. In fact the login form for MyEG resides on a non-encrypted and non-authenticated page; it’s only the form that is finally posted to an https page. Not good at all, as there ‘may’ be encryption, but there is definitely no authentication for the main page, and MYEG would be ripe and ready for this sort of attack. It’s a wonder [email protected] didn’t choose it.

Finally, the conspiracy theorists have looked at the source code of the hacked page, and noticed that some of the script used on the page was written in Bahasa…strangerer and strangerer.


Should the government use Microsoft products?

I don’t think the US government should use operating systems made in China for the same reason that most governments shouldn’t use operating systems made in the US and in fact we just got proof since Microsoft is now known to be telling the NSA about bugs in Windows before it fixes them.

– Richard Matthew Stallman, founder of the Free Software Foundation
(Techbytes interview)

In what appears to be open season on the NSA and tech companies, Bloomberg has joined in with a report of its own, alleging that Microsoft provides US intelligence agencies with information about bugs in its popular software before it publicly releases a fix. In other words, Microsoft grants special access to the likes of the NSA to poke around the machines of nearly 1 billion users of Microsoft software via newly discovered bugs–long before Microsoft reports them to the public and eventually patches them.

What this means in practice is that intelligence agencies like the NSA and CIA could potentially be granted near complete access to and control of every single machine running Microsoft Windows, including your PC and mine, but also the PCs of nearly every government agency in Malaysia. Potentially, every now and then, the NSA and CIA could be snooping around the data of our local government officials thanks to good ol’ Microsoft, and no one would be any the wiser.

This may also explain how Stuxnet could have been coded with 4 Microsoft zero-day exploits–that’s 4 with a capital F.

I’m not saying that these agencies ARE spying, I’m just pointing out that they COULD be spying–with relative ease. They’ve already demonstrated their willingness to infiltrate the telephone and email networks of the building that houses the European Council. If they’re willing to do it to the Europeans, what more us Malaysians?

All of this is in addition to the PRISM revelations, which implicate Microsoft in providing back doors into its cloud offerings to US intelligence agencies. I personally don’t believe such a backdoor exists, but if it did, you’d better be careful about how you store your Microsoft Office 2013 documents–because its seamless integration with SkyDrive makes it very tempting to store your precious data in the cloud–where those backdoors exist, rather than on your local machine–where the unreported bugs exist.

Of course this begs the question: with these new revelations, should the Malaysian Government or any other non-US government look for alternative operating systems for their staff to use? Open source Linux distributions like Ubuntu are community driven and publish their full source code online–minimizing the risk that certain governments have the upper hand when it comes to bugs and exploits. A similar situation exists for Microsoft Office alternatives in the form of OpenOffice and LibreOffice, and nearly every closed software suite has an open source alternative which is as good as, if not better than, its commercial sold-for-profit cousin. Apache springs to mind.

This isn’t as paranoid as it sounds. A US congressional Intelligence Committee report released late last year accused Huawei and ZTE of providing opportunities for Chinese intelligence services to tamper with U.S. telecommunications networks for spying. Huawei and ZTE are among the largest telecommunications equipment manufacturers in the world, the Chinese equivalent of Microsoft in this case. Mike Rogers, the Chairman of the Committee that produced the report, told US companies to “find another vendor if you care about your intellectual property; if you care about your consumers’ privacy, and you care about the national security of the United States of America.”

Of course this was prior to the PRISM revelations, so his words didn’t sound as hypocritical and hollow as they do today.

Basically, the world’s most powerful nation is itself afraid of foreign technology supplied to it from China; why shouldn’t we be afraid of tech from the world’s most powerful nation?

To be fair, the tech giants, including the Business Software Alliance, wrote a letter in response to the report stating that “Fundamentally, product security is a function of how a product is made, used, and maintained, not by whom or where it is made… At a time when greater global cooperation and collaboration is essential to improve cybersecurity, geographic-based restrictions in any form risk undermining the advancement of global best practices and standards on cybersecurity.”