The Malaysian Government isn’t watching your porn habits

Recently, there was a poorly written article in The New Straits Times that suggested the Malaysian Police would know if you were watching porn online.

Let me cut to the chase: the article is shit.

The software in question, aptly named Internet Crime Against Children Child Online Protective Services (ICACCOPS), is used to detect Child Pornography, and Child Pornography only — as the name clearly implies. It is a collaborative effort by Law Enforcement agencies and is shared with PDRM, probably as a gesture of goodwill and collaboration.

Pornography is perfectly legal in the US, insofar as it’s consensual and does not include minors; there is no way US Law Enforcement agencies are investigating something that is legal in their jurisdiction — it is a waste of effort, and possibly illegal.

From what I pieced together, the system has a list of known Child Pornographic material and uses it to check against what is being shared across a limited number of Peer-2-Peer (P2P) networks. This might surprise you, but your sharing habits on BitTorrent, Ares, and Freenet are all ‘in the clear’; it’s very easy to find out which IP addresses are sharing what.

Hence, not only is the scope limited to Child Pornography (good!), it is also narrowly focused on P2P networks only. Your general internet surfing habits, even those on PornHub, are completely off-limits to this thing.

How the NST went from this to “the police will know if you watch Porn” is beyond me.

This was my email to The Malay Mail, who reported on this issue last week:

Hi Anith,

First off, the NST report was sensationalized. It omitted 2 key facts: one, that this was focused on child pornography, and two (more importantly), the monitoring was limited to a small set of p2p networks like BitTorrent, Ares and Freenet. ICACCOPS is a system put in place by various authorities to allow for the dissemination of data on p2p users who are sharing child pornography material on these networks.

Nothing in the report or video suggests that the Police are monitoring your regular Internet usage outside of these p2p networks. Your Facebook, Twitter, Google, YouTube and all other Internet traffic is still very much private.

P2P networks aren’t anonymous; the music and movie industry regularly threaten legal action against people who share copyrighted material on these networks. It’s easy to find which IP addresses are uploading the latest movies or sharing child pornography; it’s not easy trying to tie an IP address to an individual — it should not be automatically assumed that everything flowing from an IP address belongs to the individual subscriber who owns the account, as IP addresses are shared.

In my opinion, information sharing on ICACCOPS, between Law Enforcement Agencies, on the data of P2P networks, targeting the distribution of child pornography, is a very good thing. And if the Police are using it as a starting point for investigations (as the report suggests), that should also be applauded. That’s all I see in this report, and it all looks perfectly fine, nothing to be alarmed about. The NST should be more responsible.

However, as child pornography starts to move to the DarkWeb outside of these P2P networks, this piece of technology will lose its efficacy over time, but as the video shows, there’s still a lot of child pornography being shared on these networks and authorities should act.

I don’t want to answer your specific questions, because they assume the authorities are monitoring the network — that may be true, but it’s not in the context of this story. The story should be what is above, to reduce the sensationalism that’s floating around.

More context:
www.teorieib.cz/pbi/files/103-Erdely_ICAC%20Cops%20P2P.pptx
http://www.iacpcybercenter.org/training_conferences/bittorrent-investigations/
https://ec.europa.eu/home-affairs/sites/homeaffairs/files/what-we-do/policies/organized-crime-and-human-trafficking/global-alliance-against-child-abuse/docs/reports-2014/ga_report_2014_-_united_states_en.pdf
https://www.icaccops.com/users/login.aspx?ReturnUrl=%2fusers

Security Headers for Gov-TLS-Audit

Gov-TLS-Audit got a brand new domain today. No longer is it sharing a crummy domain with sayakenahack (which is still blocked in Malaysia!); it now has a place to call its own.

The domain cost me a whopping $18.00/yr on AWS, and involved a couple of hours of registration and migration.

So I felt that while migrating domains, I might as well implement proper security headers as well. Security headers are HTTP response headers that instruct the browser to allow or deny certain behaviours; the idea is that the more a site tells the browser about itself, the less susceptible it is to attack.

I was shocked to find out that Gov-TLS-Audit had no security headers at all! I assumed AWS (specifically CloudFront) would take care of ‘some’ HTTP headers for me — I was mistaken. CloudFront takes care of the TLS implementation, but does not set any security header for you, not even Strict-Transport-Security, which is TLS-related.

So, unsurprisingly, a newly created CloudFront distribution using the reference AWS implementation fails miserably when it comes to security headers.

I guess the reason is that HTTP headers are very site-dependent. Had CloudFront done it automatically, it might have broken a majority of sites. And implementing headers is one thing; fixing the underlying problem is another.

But what security headers to implement?
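As an added example (not Gov-TLS-Audit’s own code, and not from the post), here is one way to supply the headers CloudFront leaves out: a Lambda@Edge origin-response function that injects them, plus a helper that reports which ones a response still lacks. The Lambda@Edge event shape and the particular header values are assumptions; the post does not say how the headers were eventually added.

```javascript
'use strict';
// Added example, not Gov-TLS-Audit's own code: a Lambda@Edge "origin-response"
// handler that injects security headers into every CloudFront response, plus an
// audit helper that lists which of them a response still lacks.
// Assumed: the Lambda@Edge event shape (event.Records[0].cf.response, headers
// keyed by lowercase name mapping to [{key, value}]) and these header values,
// which suit a simple static site and would need tuning elsewhere.

const SECURITY_HEADERS = [
  // HSTS: CloudFront terminates TLS but does not send this for you.
  { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  // A restrictive CSP; loosen per site (this is the "site-dependent" part).
  { key: 'Content-Security-Policy', value: "default-src 'self'" },
];

// Returns the lowercase names of security headers absent from a CloudFront header map.
function missingSecurityHeaders(headers) {
  return SECURITY_HEADERS
    .map((h) => h.key.toLowerCase())
    .filter((name) => !(headers && headers[name]));
}

// Adds each missing header; a header already set by the origin is left untouched.
function addSecurityHeaders(response) {
  const headers = response.headers || (response.headers = {});
  for (const { key, value } of SECURITY_HEADERS) {
    const name = key.toLowerCase();
    if (!headers[name]) headers[name] = [{ key, value }];
  }
  return response;
}

// Lambda@Edge entry point for the origin-response trigger.
async function handler(event) {
  return addSecurityHeaders(event.Records[0].cf.response);
}

// Constructed sample: what a freshly created distribution hands back (no security headers at all).
const sampleResponse = {
  status: '200',
  statusDescription: 'OK',
  headers: { 'content-type': [{ key: 'Content-Type', value: 'text/html' }] },
};

if (typeof module !== 'undefined') module.exports = { handler, addSecurityHeaders, missingSecurityHeaders };
```

Running `missingSecurityHeaders(sampleResponse.headers)` reports all five as absent, which is the state the post describes; after `addSecurityHeaders` the list is empty and the origin’s own Content-Type is untouched.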

Why my people will never be Ministers

As Malaysians woke up today to a brand new cabinet of Ministers, many have already begun expressing their dissatisfaction with the lineup. I know better than to wade into these politically charged discussions — but I will point out that my people have long been overlooked for Ministerial positions.

Who are ‘my people’ you ask…

Hackers.

Or if you prefer a less negative word — Geeks. But for the rest of this post, I’ll use the more accurate term of hacker to refer to technically savvy folks who subscribe to the hacker ethic.

Yes, we in the hacker community have long been overlooked for ministerial positions, and I, for one, choose to speak out against this travesty. But before I delve into why I think we’ve not played a bigger part in politics, let me first make the case for why we need hackers in parliament.

Why we need hackers in parliament

As technology becomes more pervasive and ubiquitous in our lives, every policy decision becomes a technology decision, whether it’s in education, finance or defence. Hence it becomes pertinent to ensure that the people making these decisions have the capacity to understand the technology that drives the issues. This is not something you get from a 2-week bootcamp or a crash course in computers; it involves deep technical knowledge that can only be attained from years (even decades) of experience.

But it’s not enough that policy makers merely understand technology; they also need to subscribe to the hacker ethic, and bring that ethic into the decisions they make.

What is the hacker ethic? Well I’m glad you asked.

The ethic has no hard definition, but it incorporates things like Sharing, Openness, Decentralization and Free access to computers, etc. The ethic further includes attitudes, like pure meritocracy, the idea that hackers should be judged for their hacking (and nothing else), not age, gender, degrees or even position in a hierarchy. So anytime you see some poor sod who claims to be a hacker, but puts CISSP, PMP, CEH at the end of their LinkedIn profile — you know they’re not really hackers.

You can see the ethic played out at hacker conferences throughout the world: hackers are ever willing to share what they’ve built with anyone who’ll listen, and they’re accepting of anyone willing to learn, at any age bracket, without any education or formal training.

The hacker perspective is an interesting one, and like all perspectives, may not always be right or appropriate, but it’s important for it to be present in the decision-making process, if only to add to the diversity of thought.

So why aren’t there more hackers at decision-making levels? Well, let’s see what it takes to reach the decision-making level in the first place.