Monthly archives of “April 2015”


Should an IP address be used to Identify someone?

Recently a court in Malaysia ruled that the newly amended Evidence Act could presume that an IP address uniquely identifies a user of a network, and, in the case of an Internet IP address, that it is enough to tie the address to the individual subscriber. In other words, if the authorities ever found out that ‘your’ IP address was behind a post, you would have to prove it wasn’t you, rather than them having to prove it was.

In Tong Seak Kan & Anor v Loke Ah Kin & Anor [2014] 6 CLJ 904, the Plaintiffs initiated an action for cyberspace defamation against the 1st Defendant. In tracing the perpetrator, who had posted defamatory statements on two Google Blogspot websites, the Plaintiffs filed an action called a John Doe action in the Superior Court of California. In compliance with the court order, Google traced the blogs to two IP (Internet Protocol) addresses which were revealed by Telekom Malaysia Bhd to be IP addresses belonging to the 1st Defendant’s account.

Bread & Kaya: Malaysian cyberlaw cases in 2014

Upon further reading of the post on DigitalNewsAsia, my non-lawyer mind got the feeling it didn’t end well for Loke Ah Kin & Anor, as the court decided they were guilty of defamation based on a flimsy piece of evidence like the IP address of the user who posted on Blogspot.

I’m uncomfortable that a court of law could find someone guilty based on something as trivial as an IP address, when other courts around the world have ruled that IP addresses are insufficient for this purpose.


Tech Journalism in Malaysia is disappointing

Last week visitors browsing to Google’s Malaysia website were greeted with a big bold image stating the website was hacked. The media had a field day proudly proclaiming that Google’s website was hacked, because that was exactly what the page they visited said… Google Hacked!!

Only, Google wasn’t hacked.

MyNic was hacked.

They’re the agency in charge of managing all internet addresses ending with the .my suffix. Hackers had infiltrated MyNic and reconfigured its systems so that Google’s Malaysian address pointed to their own servers instead of Google’s. Then they simply pasted a silly-looking screen that boldly proclaimed their ‘hack’ to the world, claiming to have hacked Google rather than MyNic—which is what you’d expect from hackers. But the media took that to mean Google was compromised, and boldly proclaimed that Google Malaysia was hacked, going so far as to ask if ‘user data was compromised’.

The analogy is that if someone hacked Waze, took all the unsuspecting tourists who were trying to get to KLCC, and re-directed their route to an abandoned warehouse in Klang, the headline for that story should read “Waze hacked” instead of “KLCC destroyed”. Everyone knows how absurd a headline like the latter would be, but very few people would think the same thing the moment ‘internet things’ get involved: if the website says Google is hacked, surely it must be true, in the same way that if Waze says this dilapidated factory lot is KLCC, surely it is, because Waze is never wrong, right?!
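A defender-side check that makes the distinction this post draws (was the site compromised, or the DNS that points to it?), added here as an example and not taken from the original post: it pins the expected delegation and addresses for a domain and classifies an observed answer. The domain, name servers and addresses are constructed placeholders, and the function names are my own.

```python
"""DNS-hijack check for a .my domain (added example, not the post's code).

All names and addresses are constructed placeholders; real observations
would come from resolver queries (NS set at the TLD, A records a client gets).
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    name: str
    ns: frozenset  # name servers the TLD delegates the zone to
    a: frozenset   # addresses a client resolver returned for the name

# Pinned baseline the operator knows to be correct (constructed values).
BASELINE = {
    "example.com.my": Observation(
        "example.com.my",
        ns=frozenset({"ns1.example-dns.net", "ns2.example-dns.net"}),
        a=frozenset({"203.0.113.10", "203.0.113.11"}),
    ),
}

def classify(observed: Observation) -> str:
    """Verdict: ok, no-answer, delegation-hijack, resolution-hijack, unknown."""
    base = BASELINE.get(observed.name)
    if base is None:
        return "unknown"
    if observed.ns != base.ns:
        # Delegation differs from the pinned NS set: the registry/registrar
        # record was changed while the site's own servers were never touched,
        # which is the MyNic-style case described above.
        return "delegation-hijack"
    if not observed.a:
        return "no-answer"
    if not observed.a <= base.a:
        # Delegation intact but an unexpected address came back: rogue or
        # poisoned resolver, or zone data altered on the authoritative server.
        return "resolution-hijack"
    return "ok"

def check_all(observations) -> dict:
    """Map each observed name to its verdict, for use in a monitoring loop."""
    return {o.name: classify(o) for o in observations}

# Constructed sample: delegation swapped to an attacker-controlled server.
HIJACKED = Observation("example.com.my", frozenset({"ns1.attacker.example"}),
                       frozenset({"198.51.100.7"}))
```

A "delegation-hijack" verdict is the one that should make a newsroom write "MyNic hacked" rather than "Google hacked".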


FireEye: Group spied on Malaysia for 10 years

The team over at FireEye threat intelligence published a special report (PDF) detailing a long-running (and still ongoing) cyber-espionage operation that has targeted multiple entities in ASEAN countries, including Malaysia. The program was reported to have been running for more than a decade, and that sustained period, coupled with the list of targets the program had, led FireEye to believe it to be a state-sponsored activity, as no other type of organization would be able to afford such a professionally run program, operated for such a long period of time with no discernible source of income.

The group was nicknamed APT30, an abbreviation for Advanced Persistent Threat number 30 (I’m guessing the 30 part, because FireEye have other APTs on their github page). APT is a cyber-security term coined to identify an attacker that has both the capability and the persistence to target specific entities until they eventually break in, and then continue to suck information from their victims for a significant amount of time. Basically there are script kiddies, hackers and then the ‘Advanced Persistent Threats’; APTs are a class above the rest.

APT30 operated a suite of tools including back-doors and command and control software that were given catchy names like Backspace, NetEagle, Flashflood and ShipShape. The tools demonstrated a fair amount of sophistication in the way they functioned, but what really impressed the FireEye team was the level of professionalism the coders exhibited: the malware had a well-defined version control system, automated tools to manage many of the operational tasks, and even functionality that allowed the system to be operated 24/7 by a team working in shifts, with one window requesting the operator to enter their ‘attendant code’. I wouldn’t be surprised if the system even calculated yearly increments and provided KPI reports in the background.


Worked Example: iPhone PIN Hack

Last month, a company called MDSec released a video detailing how they managed to brute-force an iPhone PIN lock. Pretty sweet piece of work, but I thought it would be a good example for understanding how hacks work, and how hackers think.

What is a hacker?

First off, we need to define what a hacker is. It’s a convoluted term, but my favorite definition is:

A hacker is someone who makes a system work in an unintended way, because they have a deep knowledge of the underlying mechanism of the system.

-Keith Rozario (wannabe tech blogger)

I took great pains to avoid terms like technology and computers, because hacking isn’t purely confined to these areas (unlike what others think). For example, Jazz musicians are hackers: they make music work in unintended ways, because they know how music works. You can’t just string a couple of notes and melodies together hoping to get a Jazz piece; you need to have an understanding of music before you can ad-lib your way around notes and keys and produce something that is pleasing to the ears. In music it’s called improvisation; in tech we call it hacking.

Fusion cooking is another example. Asian Sambal wasn’t meant to go with Chicken chops, but somehow chefs make it work (at least some of them do), and you can only do this if you understand how things like flavor, taste and texture work. Otherwise you end up with disgusting combinations like Nasi Jam Strawberry, or Black pepper goreng pisang.

Things in technology are designed to work in a specific way, like asking for a username and password before granting access, but hackers get the technology to produce unintended results (like allowing access without the credentials) by bypassing certain steps and processes, because they know what those steps and processes are. The iPhone PIN hack I mentioned in the opening paragraph is one example.


MDeC Private Meeting with ODI

Earlier this week I attended an MDeC-organized private meeting with Richard Stirling from the Open Data Institute (ODI). The ODI is an institution that hopes to promote the ‘open data’ culture, founded by a giant of the tech world, Sir Tim Berners-Lee, whom you might remember for inventing a small little thing we call the world wide web.

The meeting was attended by just a handful of folks, some of whom I recognized from a previous Seatti conference I attended, with the audience and topic focused on Open Data (and Big Data) in Malaysia.

The conversation was really good, and broadly speaking touched on 3 key topics. Most of this post is a re-hash from my failing and aged memory, but there’s a clearer version of the minutes here from the amazing people of Sinar Malaysia if you’re interested in the specifics.


The Snowden Revelations

It’s now almost two years on since that fateful day at the Mira Hotel in Hong Kong when Edward Snowden divulged secret NSA documents detailing unlawful and ongoing spying programs carried out in the name of security.

Sure we knew the government had ‘a’ spying program, and we’ve all seen Hollywood movies with fictional technology that allowed governments to carry out unrestricted surveillance, but no one in their wildest dreams would have imagined a government having access to ALL phone calls, ALL e-mails, ALL text messages and ALL transactions… and then storing that information for ALL time.

What we’ve learnt so far is that the NSA had executed bulk surveillance on the American people (and us poor non-Americans as well) across all channels of communication, including phone calls, internet searches and e-mail, without a proper court warrant, congressional approval or oversight of any kind. Particularly strange for a country whose own constitution protects the rights of citizens against illegal searches and seizures. I’m no lawyer, but even to a layman like me, the Bill of Rights looks like a masterpiece, and the Fourth Amendment is a beautifully written piece of law:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

-4th Amendment to the Constitution of the United States of America

In other words, if you want to search smartphones, computers or e-mail accounts, you’ll need a warrant. And the law goes on to state that warrants can only be issued upon probable cause, which must be affirmed by a Judge providing the necessary oversight. Finally, even after a warrant is issued, it must state the place of the search and the things to be seized. A warrant shall not act as a blanket approval for law enforcement to look through all aspects of a citizen’s life, but only that which is explicitly stated in the warrant.