All posts filed under “Malaysia”

Malaysian Technology Issue from a Malaysian Tech Blog


Cyberwar assessment of Malaysia vs. DPRK

Would North Korea ever declare war on Malaysia?

Probably not.

But nothing is predictable when you’re dealing with an erratic despot who killed his own uncle with an anti-aircraft gun.

Realistically though, few nations have the resources and political will to launch a war half-way across the world, and neither Malaysia nor North Korea is one of those ‘few’ nations. But what if, instead of moving armies, we just moved malicious code? What if we fought a cyberwar with the North Koreans: what would it look like, and could we win? Let’s find out.

Cyber is a new domain of war

Cyber is a new domain of warfare, and this domain involves new ways of thinking and paradigm shifts. In the 18th and 19th centuries, the most powerful nation on earth, Great Britain, had the world’s greatest Navy, and that allowed the empire to control the trade that flowed through the seas and to protect the island nation. Strategically, Britain’s Navy was essential to the protection of Britain and the projection of its power around the world.

As we move from trading over the seas to trading over network cables, the parallels of having a Cyber-Navy become more apparent by the day. After all, the data that pass through our networks have an inherent value above and beyond the physical goods they may represent.

Let’s say you’re buying a new laptop online: you enter your password into the online shopping portal, and then inevitably your credit card details. Your password and card information have value, inherent to themselves, regardless of the laptop the transaction represents. We still ship physical goods via sea-lanes and air-freight, but the data traversing the internet has tradeable value.

This becomes more apparent when you consider that the vast majority of ‘money’ is traded in digital form, over the internet. Just ask the Bangladesh Central Bank, which lost millions of dollars (it could have been billions) to hackers who infiltrated its network and issued electronic instructions to wire money.

But there are things far more important than money.

In today’s world of ‘fake news’ and election tampering, it could be argued that having a Cyber Army is a necessity not just to protect trade and finance, but the very core of a country’s democracy.

And there we see the first issue with Cyber defense of critical infrastructure–is it a civil or military function?

Private companies in any country run their own security guards; banks hire private firms to protect the cash in the safe. If a bank gets robbed, the manager calls the police, and the entire apparatus is a civilian function. But a private company in Malaysia (or anywhere else) isn’t worried about military attack. After all, armies don’t attack banks or companies, do they?

On the internet, everyone is fair game.

Strong evidence suggests that state-sponsored actors have attacked banks, stolen secrets from chemical companies, and even attacked Facebook. In a non-cyber world, having an army attack civilian infrastructure in peace-time would be insane! But that is the norm on the internet.

So whose job is it to protect civilian infrastructure from military attack during peace time?

The Americans have drawn a clear delineation: the Department of Homeland Security (DHS) protects civilian government infrastructure (and helps private companies when called upon), while US Cyber Command protects the military infrastructure. Malaysia (and most other countries) have no such delineation–and the problem is that governments get hacked all the time, even ours, and it’s unclear to me which Malaysian government agency is actually responsible for the security of our infra.

But before we evaluate our defensive capabilities, let’s evaluate the North Korean defense.


Relax, dear citizen, your contactless card is relatively safe—ish

As Malaysia slowly (but surely) migrates to Chip and Pin, some banks have taken the opportunity to issue not just new Pin-enabled cards, but contactless-enabled ones as well.

To be clear, banks are only mandated to issue new Pin cards (replacing the signature cards you had before), but are taking the opportunity to embed contactless capabilities into them as well. After all, they’re already issuing new cards to every (single!) card holder, so they might as well get them on the contactless bandwagon while they’re at it.

The reason for being so gung-ho about contactless is purely economic. Research suggests that the easier payment methods become, the more money people are willing to spend. People with credit cards spend more than people with just cash, and 0% interest schemes have been a godsend to retailers. Contactless payments, which don’t involve cumbersome Pins or signatures, are clearly the next evolutionary step, with one research paper suggesting they increase customer spending by nearly 10%.

Banks make money from small percentages per transaction: the more transactions at higher amounts, the more money they stand to make. So if an extra dollar’s worth of electronics in a contactless card increases revenue by 10%–why not?!

Pins are for security, Contactless is for convenience

But while PINs are a security feature, contactless is all about convenience. And convenience trades off against security, so it stands to reason that contactless cards are less secure than regular ‘contact’ ones.

The question is whether that trade-off is worth the increase in convenience. After all, nothing is absolutely secure, and in today’s criminally infested internet, keeping your money under the mattress is safer than keeping it in a bank–but nobody does it because the mattress would be too inconvenient.

So what convenience are you getting with a contactless card?

For one thing, no more waiting for a receipt printout to sign, or bending down to an inconveniently placed pinpad to type in your PIN. Plus, for someone with gigantic fingers like me, I jump on the opportunity to avoid having to fidget with pinpads that must have been designed for dwarf children after they’ve been struck by the ray gun from Honey, I Shrunk the Kids.

But that’s about it–the only convenience contactless cards provide is that you can do contactless payments–up to a specified amount.

The question now is what security trade-offs you are making for this remarkable feature.


Two years on, teaching coding in schools declared a success

KLANG: Two years on, the pilot initiative to teach coding and digital security as an SPM subject has been touted as a resounding success, and the government is mulling a move to make it compulsory by 2020.

The announcement shocked parents, as out of 10,000 students who took part in the pilot program, only 10 had scored an A while the rest had failed with a grade of F.

Education Minister, Dato’ Seri Java, said that this reflects the current IT market, where out of 10,000 security consultants, only 10 will ever give you good advice.

“We benchmarked against the industry, and set the grading curve accordingly, so only 10 students getting an A was the intention!! We can’t have cases where students just memorize a textbook and then score an A, this is not History or Geography, this is an important subject,” he said, while further mocking drama and English literature under his breath.

Deputy Director of Education, Perl Ramachandran, further added that instead of focusing on the 9,990 students who failed, the public should instead focus on the ‘A’ students who showed exemplary work and were ‘bright spots’ in the dark abyss which is the Malaysian education system.

One such exemplary student was 17-year-old lass Siti Pintu bt. Belakang, who had managed to install a backdoor into the MOE exam system and download the question paper days before the exam. A backdoor is an application that allows an attacker unfettered access to the compromised system, and Siti managed to code one from scratch specifically for this purpose.

Already Russian cyber-criminal organizations are offering her scholarships to prestigious universities, Perl further added.

Then there is Godam a/l Rajakumar, who instead of stealing exam papers, simply hacked into the MOE grading system and gave himself an ‘A’.


The Internet is slow because of illegal downloads

Let’s start with the quote that set off the rage in my heart—

“You can see today that our Internet is slow. Not because it itself is slow but because a lot of people are using it,” he said

The government agency chief blamed this on illegal downloads hogging Internet bandwidth here, adding that this does not happen in countries like Germany due to stricter enforcement.

“In Germany, the Internet is fast because if you download illegally, you will be charged by the authorities.

“You can’t download illegal movies, songs and pictures there, you need to pay but we here, anything also we download illegally right up to the pictures of our grandfathers.

“That is why the Internet highway is slow but we blame the government. The government has created proper Internet highways but we don’t know how to use it. Millions have been spent on this by the government,” he explained.

So apparently, Datuk Ibrahim Saad, the National Civics Bureau (BTN) chief, thinks that the internet is slow in Malaysia (it’s not that slow) because illegal downloads are hogging the pipelines.

Let’s start with his first sentence, and substitute the word ‘internet’ with the name of any Malaysian highway you choose; personally I like to use the LDP:

You can see today that our LDP is slow. Not because it itself is slow but because a lot of people are using it

Hmmm, I guess in his infinite wisdom that makes sense to the BTN chief, but to me that just sounds like the highway wasn’t built properly.

Let’s go to the 2nd statement:

In Germany, the Internet is fast because if you download illegally, you will be charged by the authorities.

“You can’t download illegal movies, songs and pictures there, you need to pay but we here, anything also we download illegally right up to the pictures of our grandfathers.

“That is why the Internet highway is slow but we blame the government

Now we come to the crux of the issue. If Malaysians weren’t illegally downloading, they’d have faster internet.

Here are 4 reasons why he’s wrong.


This is how Pedophiles get caught

This will easily be the most controversial blog post I have ever written, so consider yourself warned.

It’s controversial because it touches on multiple taboos in our society: sex, child abuse and security theater. You see, there’s been a growing call for a national sex offender registry, especially in the wake of news that a British pedophile had sexually abused up to 200 children in Malaysia.

The news is especially shocking for Malaysians, who are still coming to grips with the fact that a foreign ‘mat salleh’ abused our children, in our country, right under our fucking noses, and we’re only now learning about it… years after the abuse had taken place, and even then the details are sketchy.

As I said, many have renewed the call for a sex offender registry. The idea being that if we start registering sex offenders, we could more easily monitor them and be able to cut off their ability to further abuse children. It’s a great idea, but it wouldn’t have saved these 200 children, simply because Richard Huckle wasn’t convicted of any sexual abuse; he wouldn’t have been on the registry even if we had one.

Then we have calls for better screening procedures for people who work with children. Another great idea, but again it wouldn’t have stopped Richard Huckle. Maybe an extremely thorough and in-depth screening process that interviewed his parents, grandparents and fourth grade history teacher would have uncovered something about his psychology that may have triggered some alarms–but that level of screening is both unrealistic and a gross invasion of privacy.

Finally we have calls for better sex education in schools, which I’m 100% in favor of. Proper sex education may have prompted one of Huckle’s victims to speak out and report the issue, which might have prompted his arrest at a much earlier time–but ultimately these were impoverished children who were not given access to proper education anyway, so sex education in public schools probably wouldn’t have helped them.

But are we forgetting something obvious?


When bad advice comes from good people

What happens when a government agency tasked with providing cybersecurity “guidance” and “expertise” gives you advice like “avoid uploading pictures of yourself to avoid the threat of black magic”?

And then goes into damage-control claiming that it “was just a casual remark and did not represent the federal agency’s official position on the matter”, only to follow up with more ridiculous advice like “passwords should be changed constantly to prevent identity theft and hacking”.

Sometimes I sigh so often my wife gets worried—or annoyed, maybe both 🙂

First off, you know my view on black magic, and for an agency under MOSTI to make such an anti-science remark is just appalling. Secondly, from a security point of view, changing passwords regularly doesn’t help, and it causes more harm than good by encouraging users to pick easy-to-remember passwords that they transform after every iteration. Think superman123, then superman456…etc.

In fact, research from Microsoft suggests changing your passwords regularly isn’t worth the effort, and the best one can do is use a password manager that allows you to have passwords that are both unique and hard to guess across all the online services you use.

The fact that the head of CyberSecurity Malaysia is giving advice that most people in the security community consider obsolete doesn’t exactly calm your nerves.


Forcing journalists to reveal sources will be bad–for the government!

Our spanking new, hand-picked Attorney-General is proposing life imprisonment for journalists who refuse to reveal their sources.

And surprisingly, my favorite Member of Parliament, Dato Azalina Othman, has supported the move, saying it was ‘high-time’ Malaysia did something. Fortunately, some calmer, more rational heads, like Dato Paul Low, have criticized the A-G for his short-sighted stupidity.

Putting aside the fact that anonymity of sources is a core component of Press freedom, it’s easy to extrapolate how harsher punishment for journalists who keep their sources anonymous will back-fire spectacularly for the Government.

If sources know that journalists will be pressured to reveal their identities, most sources will stop speaking to journalists, thereby stemming the leakages from the government and keeping the status quo. Or so the theory goes…


Being Terrified: The price of terrorism

Next week, I’ll be on BFM for an interview about spyware, which will be my last Hail Mary play to get a conversation started about the use of surveillance software by the Government. If a radio interview on a popular station won’t do it, nothing on my blog will possibly be able to anyway 🙂

In any case, this post is a pre-emptive response to a slightly controversial idea that I cover (very briefly) in the interview, and hopefully it can be articulated better here than in a radio segment. To be honest, I haven’t fully thought this through, but I believe it has at least some aspects of truth that deserve further attention.

The Idea comes in 3 parts:

  1. Terrorism has changed dramatically with ISIS (or Daesh)
  2. Our conventional approach to surveillance will be ineffective against this new threat
  3. Our surveillance-based response to the new threat may end up hurting us more than ISIS ever could

Let’s go through them one at a time.


Netflix is setting back Piracy and Security


Malaysians rejoiced last month when Netflix announced that they would be coming to our shores. We were all salivating over the massive amount of content we would finally have access to…except that it wasn’t so massive.

Malaysia would enjoy less than 20% of what was available to Netflix users in the US or even in the UK, and that looked like an especially lousy deal since we were paying the same amount for our subscriptions.

I wasn’t that interested in the news; after all, I had already subscribed to Netflix for more than 2 years, and used a VPN to enjoy US and even UK content. I loved Netflix because it had a lot of interesting content, but what really sealed the deal for me was Pocoyo and Dora the Explorer…I’m a father of a 2-year-old, and having a video-on-demand service that lets me address my toddler’s demands was a life-saver.

Netflix was far more effective than YouTube for videos for my kid. First of all, the content was pure, and I could be sure that nobody was messing with it or adding commentary; but more importantly, it had no adverts, and when you have a 2-year-old the last thing you want them to watch is adverts.