T3H Blog

Here something very interesting – China decree that all foreign IT technology are security risks; and now, its inspectors are going around sitting Chinese companies using such technologies. Further, China recognizes that standards can do much to improve security – such as ISO/IEC 27001 – but it will only recognize Chinese qualified auditors to assess compliance. These auditors site the use of non-Chine products within an Information Security Management System as automatic non-compliances – faulting the risk assessment approach (4.2.1c) and the risk treatment process (4.2.2b).

In addition, China is about to demand that its version of the China Union Pay Data Security Standard (CUP DSS) be mandatory for the China-based electronic payment operator issued credit and debit cards, and yet it will not allow the internationally recognized Payment Card Industry DSS compliance assessments to be conducted in China by qualified security assessors (under the pretext that foreign QSAs would spy on state financial secrets).

China is pushing the envelop in all directions at all levels to protect fledgling industries – maybe it is time to say whoa, big fella, whoa!!!

The Canadian government is appealing to Canadians – and immigrants in particular – to monitor and report suspicious or extremist activity as Ottawa grapples with what it calls the rising threat of homegrown terrorism.“Part of the minister’s message is we can count on the Muslims to work with us,” according to Carleton University Prof. Martin Rudner.

Islam, or being a Muslim, has nothing to do with the evil that lies in the hearth of these men – remember the FLQ in Canada (the domestic terror group of the 60s) and the ETA and IRA in Europe, their members were likely all good Christians… yet no one holds Christendom to account!

Although, the IRA, or the UDA, were not considered terrorist organizations by Canada, regardless of the atrocities they committed.  However, almost all organizations with analogous aims in Asia and the Middle East are designated terrorist organizations… Granted that many of these organizations deserved to be listed; their members hunted down, prosecuted, duly and publicly punished, in a most extreme and cruel way – since rehabilitation does not work with psychopaths that are simply hiding being a religion (many murderous criminals turned this into a calling).

The Crusades in the 11th, 12th and 13th century in the Middle East were complete collective madness, and yet we persist in rehashing the same religious-based nonsense spouted out by the Crusaders, and especially their patrons, 10 centuries later. Let’ s not turn this into a crusade; view these individuals for what there are – psychopathic criminals – and treat them accordingly – an eye for an eye – after due and swift process; but leave religion out of it.

A friend of mine, Christopher Dillon, has published two books on the delights and tribulations of purchasing real estate in Hong Kong or Japan – Landed: Hong Kong and/or Landed: Japan. I highly recommend both, even if you are not contemplating purchasing real estate in either country; they will give you an different (additional) perspective (insight) on an aspect of life that can so shape a person.

I recently moved to Singapore, a nice little lush city-state, with too many unnecessary cars – given that it has a mass rapid transit (MRT) that could be world class if people knew how to board and alight from trains. This is not Japan when it comes to public transportation manners (discipline). Then again, this is probably why there are too many cars here.

Otherwise, Singapore is a very liveable place, on par with other major business centres around the world, but warmer than many; hence, the abundance of verdant parks; and unlike Japan a profusion of sidewalks and lengthy dedicated public cycling network, all very healthy, civilised, and relatively safe. (Relatively safe since there seems to be a lack of well-marked crosswalk and a nonchalant attitude by drivers regarding pedestrians.)

Aside the numerous parks, there are many worthwhile attractions such as the Singapore Zoo, the Jurong Bird Park, and beautiful Botanic Gardens (with an enviable Orchidarium). For a night out, Clarke Quay, the historical riverside quay located upstream from the mouth of the Singapore River and Boat Quay, has a wide range of restaurants and bars, some with light entertainment.

Further, being in proximity of Malaysia and Indonesia there are many places to escape and recharge over a weekend. There is Desaru a beach and resort area in Johor, Malaysia or Sibu Island (Pulau Sibu) a diving spot off the eastern coast of Johor. On the Indonesia side, there are the many resorts and getaways in Bintan Island, park of the Riau Archipelago; and many more places within short flights distance like the many tranquil reserves on Borneo shared by Brunei, Indonesia and Malaysia.

As for work, it is interesting and requires frequent short trips in neighbouring countries; where I get to meet, young professionals destine to be great people.

Apparently, I shall enjoy Singapore until R-Day.

President Barack Obama met with Japanese Prime Minister Yukio Hatoyama for 10 minutes during the Nuclear Security Summit held in Washington (April 12, 2010). Originally PM Hatoyama had not be on the list of exalted leaders that were to meet with President Obama; however, through diplomatic wrangling PM Hatoyama managed to save face back home with the inconsequential 10 minutes meeting during dinner Monday night marking the opening the summit. Nevertheless, the meeting will likely do very little to improve on his credibility and popularity at home (or anywhere else).

It is nice to see that President Obama can be so magnanimous to a brother politician in desperate need… (I guess he had lots of practice with people like al-Maliki, Karzai, Zardari, and the likes)

PS. I wonder if President Obama quibbled “trust me” to PM Hatoyama to reassure him that thing would be OK?

Many tribes in Afghanistan are in existence since much before the development of a state and have largely remained outside of any nation building. Afghan borders with neighbouring countries, as those countries’ borders, are artificial delineation made by strangers to the region (mostly by from the British and Russian Empires), incapable to contain these tribes. These tribes have been conducting endemic warfare – living in a state of continual, low-threshold warfare, for nearly two millennia – starting with Alexander the Great in 330 BC.

From the Durrani Empire (1747-1826) on the “Afghanis” have known very little peace from war with the Sikhs (starting in 1760s), the Uzbeks (from 1770s), the British (1839~42, 1878~80, 1919), all the way to the Soviet (1979~88) and now the United States (2001~); and the period between these wars, pretty well for the entire Barakzai dynasty (1826-1973) a civil war or another punctuated Afghanistan’s history.

To add oil to the fire – many of the tribes are not only aligned along ethnicity – Pashtun, Tajik, Farsiwan, Qezelbash, Hazara, Uzbek, Aimaq, Turkmen, Baluch (just to name a few) – but kinship, with its endless clans like feuds. This make-up leads to segregation from valley to valley (regions) complicating ever arriving to a just and equitable peace any time soon within Afghanistan (as a nation). The shared Afghan heritage either based on putative common ancestry, history, kinship, religion, language, shared territory, nationality, physical appearance will continue to be corrupt, always dominated by the strongest man (based on guns or money, or both).

However the obvious seem to be lost on politicians that for the greater majority have never worn a pair of combat boots, had them covered in Afghan dust, had their hands and lips crack by the cold nights, the sweat from exertion make their clothes stick to their body, be perpetually thirsty, hungry, tired, and so on. Therefore, they keep sending cannon fodder to a land where the best resource is opium poppy.

Yes, the country has natural resources such as gold, silver, copper, zinc, and iron ore (Southeast); precious and semi-precious stones (Northeast); and significant petroleum and natural gas reserves (North), along with uranium, coal, chromites, talc, barites, sulphur, lead, and salt – but even these untapped resources are regionally distributed and amount to very little in the daily survival of most Afghanis.

Afghanistan cannot be fenced off and simply ignored or become the subject of endless rhetoric like in Palestine or meaningless resolution like Iraq – thus, it is too soon for any politicians to think that they will find a politically expedient solution to the region based on their schedule. This endeavour has to go all the way to the end. This festering wound has to be bandaged and nursed to health; in end that will take courage that few current politicians have – As Winston Churchill had pondered at the close of World War II, “America, it is a great and strong country, like a workhorse pulling the rest of the world out of despond and despair. But will it stay the course?” I like to add – or simply cut and run before the next election…

Maybe one true leader will have an epiphany and stay the course regardless of what America does – bring a different unifying perspective to this land and safeguard it no matter what – and more importantly give meaning to all the lives of yesterday, today, and tomorrow.

PS. Solutions to the Karzai brothers problem exist, such as accidents, many of them costing less than US$100 (price of 50 cal bullets from stray sniper shots)

Hey dreaming is free, and in colour!

References:

• Afghanistan: Why Karzai Is Pushing Back Against the U.S.
• Afghan woman seeks help when Karzai comes to town
• Editorial: Karzai’s outburst is indeed troubling

According to the new Fear, Uncertainty, and Doubt (FUD) mill, APT is apparently the work of skilled professional teams (often working in relays). As the name implies, it is a very skilled long-term siege of a network and computer systems. The attack is taken slowly and carefully; the stealth approach is so as not to trigger any IPS/IDS alerts or be detected during internal pen test, vulnerability scans, and logs reviews at the target.

Based on the scale and logistics of the detected (known) APT operations, these professionals are more likely state or terrorist organization sponsored. However, I would be surprise if they were not some operations backed by well-funded organized crime organizations. (For an organized crime organization, APT would be part of a long-term business plan with clear ROI.)

According to people knowledgeable about this, APT teams aim is to compromise networks and systems for gaining access to information and set-up so that they can keep coming back. According to the media, what makes APT frightful is that regardless of the countermeasures put in place to thwart attacks; these people have the resources and knowledge to work around those countermeasures.

As I have been saying, systems infiltration has been, is, and will be around for a long time – granted that they many are routed in old programme like the AUSCANZUKUS signals intelligence (SIGINT) collection and analysis network Echelon and evolved (or is it intelligently designed) into “Dynamically Unique Metrics Based Analysis for Secure Systems” or DUMBASS programmes. It is not surprising that cold war era methodology to still state and defence secrets would find it was into the hands of those seeing financial gains from financial institutions, ecommerce retailers, or just about anyone with a cyberspace presence.

The uncomfortable inconvenient truth is that in most organization with a cyberspace presence top management is more concern with their take home package than the cyber security of their ICT infrastructure; the people in charge of the ICT infrastructure are busy make life easier for themselves; and, the general population (users) just could not be bothered with having to jump trough a few simple hoops to avoid oops. (Biometrics, encrypted data (like EFS), mandatory UTM, and opt-in intelligence agencies supported blacklist, etc.)

Security is always an afterthought, like condoms! Therefore, DUMASS programmes to redistribute wealth, knowledge, and anything else of value will flourish – my only astonishment is that we learn very little but new rhetoric and acronyms from our security laps…

References:

Wired: The Advanced Persistent Threat Attack

TMCNet: Espionage via APT or Advanced Persistent Threat Widespread

SCMA Magazine: State of the Hack – Addressing the Advanced Persistent Threat

ZDNet: Advanced Persistent Threats: Should your panties be in a bunch, and how do you un-bunch them?

(And lots more…)

DUMBASS reference from AEON Security Blog

With Google gone, Baidu rules China and with a little effort if can gain substantial market-shares around Asia, easily.

What can I say but thank you Google.

News media reports describing the praise coming from every possible opinionated spectrum about Google’s recent decision to end government-induced censorship over its search results and pullout of China,

Hey, wake-up! Google’s actions in China are purely self-serving – the pretentious Googlelites could not get things there way so they had a tantrum, took their toys, and went hope – boohoo!

Google commonly censors and/or alter search results to comply with many countries’ laws or government requests (i.e., Germany and France: Nazi memorabilia, anti-Semite statements, etc.) – yet, we do not ear Google breaking laws, threatening to pullout, and political dribble about Google’s “a remarkable, historic and welcomed action.”

Simply put Google found itself in a market it could not dominate, adequately compete in, and likely loose money – so it moved on.

I am not fan of censorship of any kind, but let us face it cyberspace is a wild frontier that chafe politicians and nationalists everywhere – people incapable to imagine a self-regulated space in no need of their controls. Their psychosis, which normally insure that their mouth gets in gear before their brain get anywhere near, their need to control leads to some form or another of suppression to satisfy their delusions of persecution.

(If you want to read more abut Internet Censoring Countries start here.)

As for the hacking (by governments) – well folks welcome to the ‘big brother’ factor, which goes tongue and groove with paranoia and small minded politicians and nationalists! (By criminals) Well the Internet is big business for many organizations and easy picking for criminals. The Internet will never be 100% safe, we just have to learn to protect ourselves better.

(One would not walk into a dark alley in a cede neighbourhood alone or step on a battlefield naked… commonsense is a key word here.)

In addition, there is no reason to condemn Microsoft and others for staying and abiding by Chinese laws, just as they do elsewhere.

Like the old Hebraic proverb says – ברומא התנהג כרומאי (In Rome act like a Roman)

What Google should have done is stay in China and used some of the googleions to support projects like to advance cyberspace freedom and choice:

The Information Warfare Monitor is a joint project of the Citizen Lab and the SecDev Group, (Ottawa Ontario). The aim of the Information Warfare Monitor is to monitor and analyze the exercise of power in cyberspace.

The OpenNet Initiative is a partnership with The Berkman Center for Internet & Society at Harvard Law School and The SecDev Group. The aim of the ONI is to document patterns of Internet censorship and surveillance worldwide.

The aim of Opennet.Asia is to engage academic, policy, and civil society stakeholders in each of the countries of the regions concerned by surveillance and censorship to build institutional capacity and networked resources to conduct research and public policy advocacy around those issues.

PsiLab is a joint activity of the Citizen Lab and Psiphon, oriented around advanced research of circumvention technologies, threat analysis, and the consideration of political and legal issues surrounding their use in denied environments.

NATO will have to look the other way if they want local support as someone at Strategic Advisory Group quipped “we don’t trample the livelihood of those we’re trying to win over” – thus postponing eradication. That will not sit well with many drug enforcement agencies around the globe, especially in the EU, UK, and the US (the byproducts marketplaces).

So to ease the dilemma that the poppy fields will likely generate much needed revenues for the Taliban SAG should be planning realistic replacement crops and/or industries instead to just ignoring this conundrum until it is OK to start eradication again (after they unlikely win the hearth and minds of the offending farmers) – kind of disinfecting a wound after you stitched it. It may be simpler to connect the Afghans with an extended NAOMI study (North American Opiate Medication Initiative) where heroin-assisted therapy benefits people suffering from chronic disease.

Another option would be for governments to purchase the harvest outright from Afghan opium poppy farmers – the price at the end of the supply chain is certainly affordable when compare to the cost of suppression at the street end (opium and heroin); thus keeping all things in balance in Afghanistan.

Personally, I always though of poppies as commemorating the sacrifices of members of the armed forces and of civilians in times of war – at the end of the day it is better to turn a blind eye so that Afghanistan’s poppy fields do not give rise to another poem like Lieutenant Colonel John McCrae’s In Flanders Fields…

Reference:

http://www.nytimes.com/2010/03/21/world/asia/21marja.html?scp=1&sq=poppy%20field&st=cse

The UK Centre for the Protection of National Infrastructure (MI5) prepared a short ‘restricted’ report back in 2007~08 entitled “The Threat from Chinese Espionage” – that was widely distributed to UK business organizations worldwide – to little effect.

The report of bugging and burgling by agents from the People’s Liberation Army and the Ministry of Public Security. It warns also of electronic gifts given at exhibitions and seminars riddled with Trojans capable of creating a backdoor, ferreting and transmitting specific data, and remotely triggered malware.

According to CPNI “The Chinese government represents one of the most significant espionage threats to the UK because of its use of widespread electronic hacking.” UK cybersecurity experts suspect that Chinese cyberwarfare units have directed concerted hacking exercises against UK’s defence, energy, communications, and manufacturing entities.

In their great wisdom MI5 and CPNI believe that “any UK company might be at risk if it holds information which would benefit the Chinese.”

At the time of the ‘restricted’ letter released by MI5′s DG it was observed in Schneier on Security (4 December 2007) that sending a confidential letter to 300 businesses and expecting it to be kept so was not such a good idea – publicity, and lots of it, should have been the order of the day. The Chinese Ministry of Public Security must have had a good laugh at the time (from reading their own copy); it sure did not slow them down any…

References:

MI5 alert on China’s cyberspace spy threat, Exclusive: director-general of MI5 sends letter to British companies warning systems are under attack from China, From The Times, published: 1 December 2007

Britain Warned Businesses of Threat of Chinese Spying, By Jonh F. Burns, published: 31 January 2010

The Internet has opened global markets and revolutionized modern business practices. Yet, while providing new opportunities, reliance on the Web has also exposed new vulnerabilities. McAfee estimates that in 2008, “companies worldwide lost more than $1 trillion” from IP and data theft. A recently released PwC report on the rising threat of e-espionage asks: “Are companies aware and ready to respond?” In general, the resounding answer is, “No.”

Surveys after reports after commissions unanimously demonstrate that the Internet (Web, cyberspace) is unsecured. Threats are multiplying and growing evermore successful in gaining access to desired data or results. Nevertheless, no one in is right mind stays away – yet, most do very little to protect their property, even themselves – Why?

One answer is ease of use – the Internet is too simple to use and yields too much benefits at a click – how can something this beneficial be this nefarious!

Until we find the right answer, we will continue to barrel down towards an unparalleled cataclysmic  catastrophe where not only IP or data will be lost, but lives…

References:

Study Finds Growing Fear of Cyberattacks, by John Markoff, Published: 28 January 2010

Unsecured Economies: Protecting Vital Information, The first global study highlighting the vulnerability of the world’s intellectual property and sensitive information, December 2009

Securing Cyberspace for the 44th Presidency, A Report of the CSIS Commission on Cybersecurity for the 44th Presidency, December 2008

Kei Eide, the UN special representative in Afghanistan, suggests that ISAF and the UN give into grievances expressed by Taliban leaders regarding the incontinence of being listed on the UN list of terrorists. Apparently, he does not believe that persuading rank-and-files Taliban fighters to leave terrorist organizations in exchange for schooling and employment, or simply payment to stay idly home, is a sustainable course of action. (I agree turncoats in that region are just that – turncoats that can never be trusted.)

Ostensibly, the reason to delist Taliban leaders is to enable reconciliation talks with people of authority instead of supporting uneducated bottom of the barrel individuals that may or may not be worth trust.

As it ever occurred to anyone at the UN that this approach has not, does not, will not work – there are plenty of examples since 1947 where attempts to mediate with criminals and terrorists have solve or change nothing (i.e., Palestine, Congo, Yugoslavia – Bosnia, Croatia, Kosovo).

Is it that easy for the UN to forget that those listed are responsible for the mass murders, rapes, destruction of homes, near ethnic (tribe) cleansing, and unbelievable discrimination against women – all reasons for the last eight years of war (security assistance).

There is no political solution to Afghanistan, especially if presided over by politicians of any ilk. The solution is hard work towards relative prosperity for all through sustained relevant education and honest labour – rendering Taliban rhetoric meaningless. First near self-sufficiency sustained with the manufacture of tradable products onto the world markets.

A house is build from the bottom up, the same applies to a country… very hard work for all concerned, something real versus likely meaningless talks from UN bureaucrats and politicians. Case in point (and that is only the now list):

War in Somalia

Insurgency in the North Caucasus

Sudanese nomadic conflicts

Cambodian-Thai standoff

Civil war in Ingushetia

Civil war in Chad

South Thailand insurgency

Conflict in the Niger Delta

Sa’dah insurgency

War in North-West Pakistan

Baluchistan conflict

Iraq War

Reference:

U.N. Seeks to Drop Some Taliban From Terror List, by Dexter Filkins, published:  24 January 2010

In a recent NY Times article Amichai Shulman, the chief technology officer at Imperva examined a list of 32 million accounts that an unknown hacker stole last month from RockYou – they found that the 32 million accounts shared about 5000 passwords.

I have been maintaining for almost 20 years that the safest user/password access combo, and now the easiest now, is the ten passwords at your fingertips and the one user ID in your face – a simple choice now that almost all laptops have built-in fingerprint reader and camera, or can be added via the USB port.

If the sign-in provider is too lazy to add the few lines of code needed to take advantage of biometrics, let someone come up with a elegant face recognition to user ID and fingerprint to password conversion application that generates unique user ID and password based on an individual’s biometrics (contact me if you want to know how it works).

We have the technology people, let’s get with the program…

References:

If Your Password Is 123456, Just Make It HackMe by Ashlee Vance, Published: January 20, 2010

Facial Recognition Door Lock and Time Clock for Less than $500 by Aaron Saenz, Published: December 29, 2009

RockYou Hack: From Bad To Worse by Nik Cubrilovic Published: December 14, 2009

Biometrics Turns Your Ear Into Your Password by Drew Halley, Published: May 6, 2009

Like warring on each other for no other apparent reason than political gain was not bad enough, slavery goes on without abating. According to Time Magazine’s article “South Africa’s New Slave Trade and the Campaign to Stop It” by By E. Benjamin Skinner (Monday, Jan. 18, 2010) there are more slaves today worldwide than at any point in human history despite dozen international conventions banning slavery.

In addition, please purchase and read “A Crime So Monstrous: Face-to-Face with Modern-Day Slavery” by E. Benjamin Skinner – a shockingly revealing and powerful book that goes far to point out our governments ineffectual rhetorics and the UNHCR impotence.

It is available in bookstore, as well as:

• Amazon
• Barnes & Noble
• Books-A-Million
• Borders
• Overstock
• Powell’s
• Waldenbooks

Note: 25% of U.S. royalties go to Free The Slaves, a group that uses holistic, locally-based strategies through global partners to fight slavery, rehabilitate slaves and eradicate bondage. 25% of U.K. royalties go to the group’s British sister, Anti-Slavery International, the world’s oldest human rights organization.

Benjamin Skinner discusses the challenges of writing about the slave trade on NPR’s Day to Day – http://j.mp/2Uis0 – unbelievable, and yet not surprising.