Tuesday, August 27, 2013

Dinner speech for the International Conference on Cyber Crime and Computer Forensic 2013 – Hong Kong (August 27, 2013)

Ray, Oliver, KP, Laurie, Albert, Michael, it is my honor to be invited to give these remarks at the International Conference on Cybercrime and Computer Forensic 2013 in Hong Kong.  It is especially an honor and very special for me to do so, I think, because I am an expert in neither cybercrime nor forensics.

As I was introduced, I am currently serving as the Legislative Councillor representing the information technology sector here in Hong Kong.  Our Legislative Council is our law-making body, and for better or for worse, we do have representatives for a number of professional sectors.  I felt I had better explain this a little for the benefit of our overseas delegates.

But my background has been in IT, and for the last almost twenty years in particular I have focused on the Internet.  I actually first used the Internet in 1982, more than thirty years ago.  This is something I used to brag about to other audiences, but tonight, I am afraid, there must be others here who have been on the Internet longer than I have.

Things have certainly changed a lot in the last thirty years, and one thing must be true: the Internet has changed the world, and that includes the very themes and subjects we are talking about over these three days.  Crime has become cybercrime, or at least a bigger and bigger part of what we consider crime today consists of so-called cybercrime.  And forensics has become computer forensics.

To be sure, much of the hype created in the media around all these new cybercrime phenomena has given the Internet a bad name, I am afraid.  But the Internet is just a medium, and as a medium it carries both good and bad information, and people do both good and bad things there.  And I hold to a very basic principle: we should not shoot the messenger.

I always like to remind people and friends that the Internet was, unfortunately, not designed for this sort of thing: the sort of things we do, or let people do, on the Internet today, buying and selling things, making friends, sharing photos and liking things, all these activities done by people of all countries and all ages.

Really, the Internet was first designed and built on a lot of assumptions that no longer hold true today, such as that the people using the Internet were well, well-educated people from universities and research companies who were generally “doing their jobs” with the Internet, be it technical research or related communications, with only occasional chit-chatting.  The Internet was indeed built with a high level of trust because its founding fathers did not think their teenage sons and daughters would be using it.  How wrong they were.

And to revamp the whole Internet with the right technologies to ensure trust is certainly technically feasible, but it would be a commercial disaster, and with all the vested interests of companies and countries around the world, it has simply become impossible to do.  It is somewhat like wanting to redistribute wealth and redraw country borders in order to root out poverty.  So we can only tinker with the problems we face rather than, in most cases, make large-scale, wholesale changes.

So, in the last twenty years since the World Wide Web era began, we have moved rapidly from email and the web to social media, mobile phones and tablets, and the cloud.  Think about it: the first iPhone appeared only in 2007, and the first iPad in 2010.  Think about how many iPhones and iPads, or their Android and other variants of smartphones and tablets, you have thrown away.  Think about that: not how many you have used, but how many you have thrown away.

With the hardware and the tools, including all these apps, changing so rapidly, it gives new meaning to what we have talked about for a long time: that technology moves and changes faster than the law.  Certainly in making laws we talk about due process and consultations, and we make decisions at lawyers' speed.  But technologists and engineers don't wait for the next court session or legislative session to reconvene in several months' time.

If laws are behind technology, then what is law enforcement going to do?  That's why I always believe that laws and regulations must be as technology-neutral as possible, and only when we are very sure, or we see a proven need or advantage, should we implement laws that are technology-specific.

Having said that, things are surely not getting any easier for law enforcement in today's cyberworld, combating cybercrime and cybercriminals.  Expectations from citizens have grown, incidents in the cyberworld tend to be more widely publicized, and cyber-citizens often expect a much higher degree of transparency.

These emerging conflicting priorities and expectations have certainly risen to the surface of public attention.  The Edward Snowden and NSA incident revealed that the NSA, and indeed, as we later found out, many other governments of the world, are literally spying on us, and people are beginning to ask all kinds of questions: Can they do this and that?  Are they really doing this and that?

People are no longer just happy to be able to use these tools to enhance their own utility.  People now want to know whether they can be spied upon, and how.  In a sense, this may be the beginning of a basic awareness and understanding of computer and information forensics.  So all these developments have indeed made this conference and the sharing you are having more timely and important than ever before.

So, once again, welcome to Hong Kong, the city that Edward Snowden once wanted to call home.  Too bad he couldn’t, or else I am sure Ray and Oliver and KP would have invited him to give the speech to you here tonight.  I wish you bon appétit, and more great sharing in this conference.  Thank you.

Monday, August 05, 2013

NFC: Past, present, and future

Near field communications (NFC) applications are finally appearing in Hong Kong. Why the delay, given that Hong Kong has an advanced financial services industry and a high mobile penetration rate?

Because of the Octopus card. For over 15 years, Octopus stored-value cards have been used for quick cashless payments throughout the HKSAR. Transportation, supermarkets, frappuccinos...the Octopus (which uses NFC technology based on Sony's FeliCa reader) handles everything from school attendance records to making donations.

The huge success of Octopus has crowded out other quick-pay methods. Remember Mondex? Visa Cash?

New terminals signal change

But NFC-based credit cards have been making gradual inroads in the local market recently, with more terminals such as Visa payWave readers appearing on counters, next to Octopus touch-processors. And Hong Kong banks are beginning to issue smartphone-based NFC mobile service apps.

This is a potentially lucrative market: larger amounts available on a single "tap-and-go" payment may convince customers to forgo the familiar sound of the Octopus "dood" for NFC.

Security, standards, regulations

But obstacles remain. Octopus is a debit card capped at HK$500 even with automatic add-value. Mobile payment on a credit card is another matter—potential losses due to abuse are harder to cap. As always, there's a convenience/security tradeoff.

Banks and other institutions offering NFC payment services must sweeten the deal with incentives like customer loyalty programs and other marketing gimmicks. But they must instill confidence in their customers that data will not be misused—a lesson that Octopus learned years ago, when it was revealed that the company sold customer data to outside insurance companies.

So, while developers may receive better NFC support from the newest smartphones, successful mass adoption of NFC mobile payment services won't be about technology. Justifying the value proposition for customers to choose this option means lowering transaction costs for mobile service platform operators and merchants alike, as well as building user confidence in NFC's security and reliability.

But then two other issues remain: industry standards, and regulations.

The issues around industry standards may be difficult, because the entrenched incumbents in today's mobile payment market mean that large business volumes are at stake. Without standards and proper portability, customers will be permanently confused by competing services and platforms. Merchants will also find it hard to support an excess of mobile payment options, as more terminals mean more capital investment and more counter space.

On regulatory matters, the HKMA completed a study on NFC payments in early 2013. Some of the questions: How to handle more than one NFC payment service on a single NFC-enabled phone? How to ensure service continuity as a user switches from one phone to another, or from one phone company to another?

Last month, the HKMA launched another public consultation on stored-value facilities and retail payment systems. While this consultation and the suggested regulatory regime is not technology-specific, it does cover NFC-based mobile payment services, including the Octopus card—which despite its incumbent status will be required to take out a new license and comply with other conditions in order to continue properly regulated operation.

It comes down to the apps

I don't believe that regulations alone will ultimately drive adoption and market success. Innovation delivered via apps that attract users and give them incentives to use these apps with their NFC phones is key. The infrastructure is more or less built—with more innovative apps, users will drive the business. After all, apps are one thing you can't have on your Octopus, right?

If card-based services are NFC's past, banks and mobile service companies are building the platforms for NFC's present, then which apps (and other bottom-up innovative ideas) will determine our NFC future?

#

Charles Mok is a member of the Legislative Council representing the IT
Functional Constituency. He is also founding chairman of Internet Society
Hong Kong. Contact him at: charlespmok@gmail.com

Ignorance is the biggest hidden danger in information security

Computing has come a long way: the volume of data flowing across networks has exploded, and data and records of every kind are being created, intentionally or not. Besides the convenience in daily life and the unlimited business opportunities that computer networks bring us, this change brings an equal measure of challenges to information security and network security.

Although we frequently stress the importance of information security, the public, lacking the relevant knowledge, has little awareness of information security risks, or only a half-understanding, and takes an indifferent, dismissive attitude toward information security threats. That is the real biggest hidden danger in information security.

There are many excuses for neglecting information security, but the responsibility cannot be shirked; individuals and enterprises alike should start with the most basic habits to raise overall information security. Starting with the individual: BYOD is now common practice, and as an employee you will inevitably use your own phone or computer for work. Once that device is lost or compromised, the resulting loss is no longer the employee's personal matter. So personal mobile devices should have anti-virus software and encryption installed just in case, and of course a passcode lock, the first line of defence, is indispensable.

Because information security threats emerge endlessly and many are hard to predict, in recent years many large enterprises have put emphasis on their network information security strategy, shifting from relying solely on defensive measures to an approach led by system and data analytics: for example, conducting regular risk assessments and audits, monitoring data security, consolidating the feedback from internal information security tools and analysing it with big data, and drawing on external intelligence to assess high-risk vulnerabilities and threats, so as to predict and formulate immediate response plans.

Of course, SMEs may not have the resources to carry out the assessments above, but in recent years breaches that leak private data from enterprises have become frequent; network attacks from business rivals or hackers, intrusions to steal data, internal negligence and other factors are already enough to cause a company losses on every front. SMEs should formulate a company information security policy and strengthen staff training, for instance by requiring multi-factor authentication for account logins, requiring encryption of storage devices holding important data, and prohibiting important data from being taken out of the company or copied.

In addition, malicious spam, whether "phishing" or "spear-phishing", is a common threat faced by SMEs. Here are a few tips to remind staff how to distinguish suspicious emails:

(1)  Where possible, open attachments using an online preview first; a problematic attachment may fail to preview. Also be careful with URL links in the email, which may lead to malicious websites.

(2)  Look carefully at whether the sender's email address looks odd, such as digits replacing letters or an underscore inserted in the middle; hackers may impersonate your friends as senders.

(3)  If you doubt whether an email is genuine, contact the sender by a means other than replying to that email to confirm.
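Tip (2) above can be partly automated: a mail filter can compare each sender address against the company's address book after undoing the tricks the tip describes (digits standing in for letters, underscores or other separators inserted into a familiar name). The following is an added example written for this page, not code from the original article or from any product; the digit-to-letter table and the address book are constructed for illustration, and a "lookalike" verdict is meant to trigger the out-of-band confirmation in tip (3), not to block mail on its own.

```python
from __future__ import annotations

import re

# Digits that are commonly used in place of the letters they resemble.
# This table is an assumption for the example, not a list from the article.
_DIGIT_FOR_LETTER = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalise(address: str) -> str:
    """Canonical form of an address for lookalike comparison.

    Lower-cases the address, maps imitation digits back to letters, and strips
    separator characters (underscore, hyphen, dot) from both the local part and
    the domain, so "a1_ice@examp1e.com" and "alice@example.com" collapse to the
    same string.
    """
    addr = address.strip().lower().translate(_DIGIT_FOR_LETTER)
    return re.sub(r"[._-]", "", addr)


def check_sender(address: str, known_contacts: list[str]) -> dict:
    """Classify a sender address against an address book.

    Returns {"verdict": ..., "matched": ...} where verdict is:
      "known"     - exact (case-insensitive) match with a known contact
      "lookalike" - no exact match, but identical to a contact after
                    normalisation, i.e. the pattern described in tip (2)
      "unknown"   - resembles no known contact at all
    and matched is the known contact involved, or None.
    """
    lowered = address.strip().lower()
    if lowered in (c.lower() for c in known_contacts):
        return {"verdict": "known", "matched": lowered}
    norm = normalise(address)
    for contact in known_contacts:
        if normalise(contact) == norm:
            return {"verdict": "lookalike", "matched": contact.lower()}
    return {"verdict": "unknown", "matched": None}


if __name__ == "__main__":
    # Constructed address book and constructed sample senders for demonstration.
    address_book = ["alice@example.com", "bob.chan@example.org"]
    samples = [
        "alice@example.com",      # genuine contact
        "a1ice@example.com",      # digit '1' in place of 'l'
        "al_ice@examp1e.com",     # underscore inserted plus digit in the domain
        "bobchan@example.org",    # separator dropped from a known name
        "carol@example.net",      # not in the address book at all
    ]
    for sender in samples:
        result = check_sender(sender, address_book)
        print(f"{sender:24} -> {result['verdict']:9} (matched: {result['matched']})")
```

Because normalisation deliberately collapses distinct-but-legitimate addresses (a colleague's "bob.chan" and "bobchan" aliases would also register as lookalikes), the right action on a "lookalike" verdict is to warn the recipient and have them confirm through another channel, exactly as tip (3) advises.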

Incidentally, information security is absolutely a business cost worth investing in: even the most ordinary malicious email is enough to infect a company's computer systems, with data stolen or the computers even used to build a botnet that goes on to spread viruses to other computers. One-stop information security service packages are available on the market at varying price levels; before buying a service or product, enterprises are advised to take the time to compare each product's anti-virus, spam quarantine, firewall, and anti-malware and anti-spyware capabilities.

Published in IT Pro Magazine, issue 76, August 2013
