Monday, December 18, 2017
Digital Commerce by Diplo Foundation
Sunday, December 17, 2017
Startups in Pakistan May Not Reach Customers in U.S without Net Neutrality
Thursday, November 9, 2017
Saipov, ISIS and Growing Violent Online Extremism in Pakistan
Wednesday, November 1, 2017
Tips for Protecting Critical Infrastructure
Friday, October 27, 2017
Contribution to the IGF Best Practice Forum on Cyber Security
On 15 August 2017, the BPF on Cybersecurity issued a public call for inputs through the IGF’s mailing lists and through invitations to organizations and individuals with cybersecurity expertise.
Below is my Contribution to the IGF Best Practice Forum on Cyber Security.
How does good cybersecurity contribute to the growth of and trust in ICTs and Internet Technologies, and their ability to support the Sustainable Development Goals (SDGs)?
Cybersecurity is one of the cornerstones of modern information and communication technologies, and their ability to contribute to economic and social development is unmatched. A culture of good cybersecurity helps to build trust in the digital environment, enabling economic growth, social inclusion, and innovation. As ICTs and internet technologies increasingly become essential to everyday life in developing countries, their security is becoming more of an international development issue. Effective use of technology is critical to the realization of many of the Sustainable Development Goals. Recent research at the observatory has shown that lack of trust in internet technologies has resulted in reduced adoption of ICTs. Following are some examples where good cybersecurity can help build trust and further the SDGs.
Develop industry, innovation, and infrastructure (SDG 9): Good cybersecurity can increase the availability and management of internet infrastructure, leading to the increase in agricultural and business productivity, innovation and development.
Achieve gender equality and empower all women and girls (SDG 5): Cybersecurity capacity building on staying safe online for women and girls can boost technology adoption and empower women to achieve SDGs.
How does poor cybersecurity hinder the growth of and trust in ICTs and Internet Technologies, and their ability to support the Sustainable Development Goals (SDGs)?
The role of Information and Communication Technologies as a key driver of sustainable development is evident from the fact that 95 per cent of the global population is now covered by a mobile cellular signal. However, poor cybersecurity and vulnerable infrastructure can thwart the growth of and trust in ICTs and internet technologies for Sustainable Development. The recent breaches and hacks at the global level have again highlighted the critical importance of the issue and the role the global community needs to play in ensuring that trust in this wonderful technology is reinforced by adopting mutual frameworks and agreements that can curb poor cybersecurity. Cyber hacks and breaches break the trust of businesses online, which has a direct impact on productivity and economic growth in developing countries, where more and more enterprises are adopting this technology for delivery of goods and services.
Assessment of the CENB Phase II policy recommendations identified a few clear threats. Do you see particular policy options to help address, with particular attention to the multistakeholder environment, the following cybersecurity challenges:
Denial of Service attacks and other cybersecurity issues that impact the reliability and access to Internet services
The arrival of new-age IoT devices with internet access, massive adoption of pirated/cracked software, and underestimation of the importance of anti-malware protection are contributing to the spread of bots and increasing the risk of DDoS attacks. The cyber gangs involved in developing DDoS botnets are investing heavily in creating botnets of network devices such as routers and DSL modems in developing countries. These botnets affect the reliability of and access to internet services in developing communities, which directly affects the achievement of the Sustainable Development Goals. Developing countries need to play their role, ensure that networks are monitored for such attacks on critical national infrastructure, and set up a global rapid response team to mitigate such attacks.
Security of mobile devices, which are the vehicle of Internet growth in many countries, and fulfill critical goals such as payments.
Mobile devices have seen an explosive proliferation in the last decade and are always connected, even when roaming in our pockets, making them susceptible to growing security problems. Mobile devices are a high-value target because they are always online, store massive amounts of personal data, and are equipped with small cameras, microphones, and positioning devices. The mobile device security model is very simple, which leaves it vulnerable to security threats unless the weaknesses in the model are removed using a multistakeholder strategy that involves all stakeholders.
Potential abuse by authorities, including surveillance of Internet usage, or the use of user-provided data for different purposes than intended
The main challenge for developing countries is the transition of all human rights to the digital sphere. Many governments have upgraded their capacity to use more advanced digital tools for censorship and surveillance. Highly intrusive biometric identity systems, supported by international development organizations like the World Bank and United Nations for achieving the Sustainable Development Goals (SDGs), have sprung up for profiling every citizen in the country, with the potential to interfere with the individual’s right to privacy. Surveillance on the internet is rising at an alarming rate, and many countries are looking up to the efforts of the CIA and its counterparts in the West on internet surveillance. Unless the globalized world is able to address the issue of mass surveillance by the Five Eyes countries and openly debate cyber weapons, surveillance and abuse on the internet will remain part of the cyber strategy being adopted by most countries.
Confidentiality and availability of sensitive information, in particular in medical and health services
Most modern health systems use digital technology to store very private and sensitive information. These systems are further connected to the internet, which makes them very susceptible to cyber threats and sophisticated cyber weapons. The international community needs to work on a legally binding framework that provides amnesty to such systems from cyber threats to ensure their data remains confidential and available. Furthermore, developing countries should be supported in designing and implementing cyber security frameworks and standards by the development organizations that are pushing the rollout of these systems.
Online abuse and gender-based violence
Women and children are most affected by online abuse in developing countries. Governments need to take the lead in tackling the issue and join hands with all stakeholders to mitigate and educate about online abuse and gender-based violence if they seriously want to address the issue. Further, international rapid response units need to be set up to provide immediate support and relief to the victims of such abuse at a global level.
Security risks of shared critical services that support Internet access, such as the Domain Name System (DNS), and Internet Exchange Point (IXP) communities
The internet is a shared resource that has become an engine of economic growth for all countries. Any security threat or risk to services that support internet access can directly impact the whole fabric of modern society. As more and more countries connect businesses, industries and governments with critical infrastructure to the internet, protecting these shared resources has become vitally important. A multistakeholder approach also needs to be adopted in managing these resources, with equal representation of all stakeholders. This will ensure that critical resources are protected in the global interest.
Vulnerabilities in the technologies supporting industrial control systems
Industrial control systems (ICS) are used across a wide range of critical infrastructure sectors, including energy, manufacturing, transport, water, waste and healthcare. Traditionally these systems were isolated and operated independently of the internet. However, due to the revolution in the industrial sector, many of these systems have converged, making them vulnerable to cyber threats. The state of cyber security of such systems in developing countries is extremely poor, making them more vulnerable in case of a cyber-attack. It is recommended to enable a common security language across all industry sectors and support industry associations in implementing sound security practices in current standards.
The lack of Secure Development Processes combined with an immense growth in the technologies being created and used on a daily basis
Secure development processes need to be embedded in development platforms, and all stakeholders, including governments, academia, civil society and, most importantly, key industry players, need to raise awareness of secure coding best practices and available security frameworks. Industry giants along with governments can sponsor national initiatives that create national standards for secure development processes embedded in the digitalization process.
Unauthorized access to devices that take an increasing role in people’s daily lives
Most countries have drafted laws and implemented legislation to criminalize “unauthorized access”. Unauthorized access to devices can result in disclosure of confidential, sensitive or embarrassing information, which can lead to loss of credibility, reputation, market share, and competitive edge, impacting Sustainable Development Goal 8 (decent work and economic growth), Goal 1 (no poverty) and Goal 5 (gender equality).
Many Internet developments do not happen in a highly coordinated way – a technology may be developed in the technical community or private sector, and used by other communities and interact in unexpected ways. Stakeholders are managing complexity. This both shows the strength and opportunities of ICTs and Internet Technologies, but also the potential risks. New technologies may be insufficiently secure, resulting in harms when they are deployed: conversely we may adopt security requirements or measures that prevent the development, deployment, or widespread use of technologies that would generate unforeseen benefits. Where do you think lies the responsibility of each stakeholder community in helping ensure cybersecurity does not hinder future Internet development?
The strength and weakness of internet technology is that it is autonomous and highly uncoordinated, with the interplay between the benefits and risks of newly deployed technologies unseen. This makes the responsibility of each stakeholder in the community critical for the continuous growth and development of this powerful technological revolution. Governments and international development organizations have a very influential role to play in the progress and growth of this technology, ensuring that shared resources are secured, criminal states are sanctioned, and cyber criminals living in safe havens are prosecuted and brought to justice. Civil society, industry and academia need to play a greater role in increasing awareness about cybersecurity. Global civil society organizations involved in protecting digital rights and freedom on the internet need to assist and mentor local civil society organizations/advocacy groups to ensure that a balance between privacy and security is achieved.
What is for you the most critical cybersecurity issue that needs solving and would benefit most from a multi-stakeholder approach within this BPF? Should any stakeholders be specifically invited in order for this issue to be addressed?
The future of cyber security looks more complex and challenging as organizations develop and adopt technologies such as big data, cognitive computing and AI-supported analytical/automated systems. Failure of an AI system has the potential to damage human society on a global scale; some of the world’s greatest minds, including Stephen Hawking, Bill Gates, and Musk, have already expressed concerns that super-automated AI systems could evolve to a point where humans could no longer keep control of them.
The United Nations, as a globally accepted forum, needs to provide leadership and define a framework for the behaviors and norms acceptable in the virtually connected world, especially when countries with greater cyber capabilities can use them to damage the critical infrastructure of least-friendly nations.
Thursday, October 26, 2017
Reading for Autumn
If you are looking to pick a book for reading, I would recommend the following:
'The Paranoid Style in American Politics,' by Richard Hofstadter
The book is everything you need to know about the root of Donald Trump's rhetoric and "fake news."
'Orfeo,' by Richard Powers
It is a story of music and genetics in our contemporary age of terror and surveillance. Amazing book and you'll learn a hell of a lot about music, science, politics and even about life.
'The Strategy of Conflict,' by Thomas Schelling
'The Strategy of Conflict' is probably the best book ever written about conflict and still very useful and important for understanding strategic interaction among states (and individuals).
'A Theory of the Drone,' by Gregoire Chamayou
A must read to understand how drones have revolutionized warfare and its implication for just war theory and notions of military valor.
'The Soul of Inequality in American Life,' by Karen E. Fields and Barbara J. Fields
Given the resurgence of questions around race in American society I think everyone should take a look at this book.
Saturday, September 30, 2017
Identification for Development (ID4D)
Sunday, July 30, 2017
The Fourth Industrial Revolution
I just went to the Singularity University summit and here are the key learnings.
In 1998, Kodak had 170,000 employees and sold 85% of all photo paper worldwide.
Within just a few years, their business model disappeared and they went bankrupt.
What happened to Kodak will happen in a lot of industries in the next 10 years - and most people don't see it coming. Did you think in 1998 that 3 years later you would never take pictures on paper film again?
Yet digital cameras were invented in 1975. The first ones only had 10,000 pixels, but followed Moore's law. So as with all exponential technologies, it was a disappointment for a long time, before it became way superior and got mainstream in only a few short years. It will now happen with Artificial Intelligence, health, autonomous and electric cars, education, 3D printing, agriculture and jobs. Welcome to the 4th Industrial Revolution.
Welcome to the Exponential Age.
Software will disrupt most traditional industries in the next 5-10 years.
Uber is just a software tool, they don't own any cars, and are now the biggest taxi company in the world. Airbnb is now the biggest hotel company in the world, although they don't own any properties.
Artificial Intelligence: Computers become exponentially better in understanding the world. This year, a computer beat the best Go player in the world, 10 years earlier than expected. In the US, young lawyers already don't get jobs. Because of IBM Watson, you can get legal advice (so far for more or less basic stuff) within seconds, with 90% accuracy compared with 70% accuracy when done by humans. So if you study law, stop immediately. There will be 90% fewer lawyers in the future, only specialists will remain.
Watson already helps nurses diagnosing cancer, 4 times more accurate than human nurses. Facebook now has a pattern recognition software that can recognize faces better than humans. In 2030, computers will become more intelligent than humans.
Autonomous cars: In 2018 the first self driving cars will appear for the public. Around 2020, the complete industry will start to be disrupted. You don't want to own a car anymore. You will call a car with your phone, it will show up at your location and drive you to your destination. You will not need to park it, you only pay for the driven distance and can be productive while driving. Our kids will never get a driver's licence and will never own a car. It will change the cities, because we will need 90-95% fewer cars for that. We can transform former parking space into parks. 1.2 million people die each year in car accidents worldwide. We now have one accident every 100,000km, with autonomous driving that will drop to one accident in 10 million km. That will save a million lives each year.
Most car companies might become bankrupt. Traditional car companies try the evolutionary approach and just build a better car, while tech companies (Tesla, Apple, Google) will do the revolutionary approach and build a computer on wheels. I spoke to a lot of engineers from Volkswagen and Audi; they are completely terrified of Tesla.
Insurance companies will have massive trouble because without accidents, the insurance will become 100x cheaper. Their car insurance business model will disappear.
Real estate will change. Because if you can work while you commute, people will move further away to live in a more beautiful neighborhood.
Electric cars will become mainstream by 2020. Cities will be less noisy because all cars will run on electric. Electricity will become incredibly cheap and clean: Solar production has been on an exponential curve for 30 years, but you can only now see the impact. Last year, more solar energy was installed worldwide than fossil. The price for solar will drop so much that all coal companies will be out of business by 2025.
With cheap electricity comes cheap and abundant water. Desalination now only needs 2kWh per cubic meter. We don't have scarce water in most places, we only have scarce drinking water. Imagine what will be possible if anyone can have as much clean water as he wants, for nearly no cost.
Health: The Tricorder X price will be announced this year. There will be companies who will build a medical device (called the "Tricorder" from Star Trek) that works with your phone, which takes your retina scan and your blood sample, and you breathe into it. It then analyses 54 biomarkers that will identify nearly any disease. It will be cheap, so in a few years everyone on this planet will have access to world class medicine, nearly for free.
3D printing: The price of the cheapest 3D printer came down from 18,000$ to 400$ within 10 years. In the same time, it became 100 times faster. All major shoe companies started 3D printing shoes. Spare airplane parts are already 3D printed in remote airports. The space station now has a printer that eliminates the need for the large amount of spare parts they used to have in the past.
At the end of this year, new smartphones will have 3D scanning possibilities. You can then 3D scan your feet and print your perfect shoe at home. In China, they already 3D printed a complete 6-storey office building. By 2027, 10% of everything that's being produced will be 3D printed.
Business opportunities: If you think of a niche you want to go in, ask yourself: "in the future, do you think we will have that?" and if the answer is yes, how can you make that happen sooner? If it doesn't work with your phone, forget the idea. And any idea designed for success in the 20th century is doomed to failure in the 21st century.
Work: 70-80% of jobs will disappear in the next 20 years. There will be a lot of new jobs, but it is not clear if there will be enough new jobs in such a small time.
Agriculture: There will be a 100$ agricultural robot in the future. Farmers in 3rd world countries can then become managers of their field instead of working all day on their fields. Aeroponics will need much less water. The first petri dish produced veal is now available and will be cheaper than cow produced veal in 2018. Right now, 30% of all agricultural surfaces is used for cows. Imagine if we don't need that space anymore. There are several startups who will bring insect protein to the market shortly. It contains more protein than meat. It will be labeled as "alternative protein source" (because most people still reject the idea of eating insects).
There is an app called "moodies" which can already tell in which mood you are. By 2020 there will be apps that can tell by your facial expressions if you are lying. Imagine a political debate where it's being displayed when they are telling the truth and when not.
Bitcoin will become mainstream this year and might even become the default reserve currency.
Longevity: Right now, the average life span increases by 3 months per year. Four years ago, the life span used to be 79 years, now it's 80 years. The increase itself is increasing and by 2036, there will be more than one year increase per year. So we all might live for a long long time, probably way more than 100.
Education: The cheapest smartphones are already at 10$ in Africa and Asia. By 2020, 70% of all humans will own a smartphone. That means, everyone has the same access to world class education. Every child can use Khan academy for everything a child learns at school in First World countries. We have already released our software in Indonesia and will release it in Arabic, Swahili and Chinese this Summer, because I see an enormous potential. We will give the English app for free, so that children in Africa can become fluent in English within half a year.
Udo Gollub
Tuesday, July 4, 2017
Signs of Digital Apocalypse
Sunday, April 30, 2017
What killing Net Neutrality means for Internet in Pakistan
His proposal would let internet service providers voluntarily promise to uphold net neutrality principles by including them in their terms of service with customers. The FCC would also hand oversight of those companies to another agency: the Federal Trade Commission (FTC).
Undoing net neutrality would mean big changes for how customers access the internet, not only in the US but globally as well. The undoing of net neutrality rules in the US is set to restart the debate over global Internet regulations as some major world powers near fork-in-the-road decisions about how they'll govern their own stretch of cyberspace.
The undoing of net neutrality rules in the US will have serious repercussions for internet development globally and in Pakistan as well, said the Founder of Internet Policy Observatory Pakistan. Local startups in Pakistan that have the potential to become the next Facebook or Google may not be able to reach customers in the US if an ISP decides to block them or charge them extra.
One of the more worrying scenarios in the post net neutrality arena is the desire for paid prioritization by broadband service providers. Broadband companies will have the legalized advantage of asking IoT service providers to pay big bucks to ensure that their content reaches customers without any interference.
Life will become tougher for smaller internet service providers and internet startups as the FCC plans to roll back net neutrality rules in the US.
Experts believe the lack of net neutrality in the U.S. will set an example for other countries that have primarily looked to the US for internet regulation and digital freedoms. This will decrease internet freedoms and promote censorship of the internet. The US has been a role model for internet policy, and it should try to remain one and impede the models proposed by Russia and China to the developing world.
Saturday, March 18, 2017
The Modern Copier
A modern photocopier is basically a computer with a scanner and printer attached. This computer has a hard drive, and scans of images are regularly stored on that drive. This means that when a photocopier is thrown away, that hard drive is filled with pages that the machine copied over its lifetime. As you might expect, some of those pages will contain sensitive information. Always make sure that you physically destroy the storage device to ensure it does not end up in the wrong hands.
Wednesday, March 15, 2017
FBI Fusion of Law and Hacking
Now let's see how the NIT worked and gathered the information on the Tor network.
The website suspected of hosting contraband child porn was known as Playpen, and operated as a darknet website only reachable through Tor. Hidden services on the darknet, by default, attempt to hide the locations of both the servers and the computers being used to visit the site by using a series of intermediary nodes, so that a visitor's location cannot be determined at the website. In an ongoing investigation, the FBI learned through one of its foreign partners that a website dedicated to the distribution of child sexual abuse materials was located within United States jurisdiction. While the FBI was able to locate the server and bring the site under its control, it was still unable to determine the physical location of individuals who were accessing and posting child pornography on the site.
Using a court authorization to hack the circumvention method, the FBI was successful in determining the IP addresses of the website's users. It operated the website for 13 days under its control and managed to obtain valuable information about its users using the NIT. As Susan Hennessey and Nicholas Weaver have discussed in detail how the NIT was operated by the FBI, it is worth sharing a brief description of the exploit and its basic components.
The Network Investigative Technique (NIT) consists of a number of components typical of malware.
2. An “exploit” which, when transmitted from the hidden service to the visitor’s computer, enables running the FBI’s code on the visitor’s system.
3. The “payload” which the exploit fetches, runs on the visitor’s system, and conducts the actual search, transmitting the information discovered to an FBI server.
4. A “logging server”, a system run by the FBI that records the information transmitted by the payload.
The primary role of the generator is to generate a unique and random ID number, associate the ID with a logged-in user of the site, and then transmit the exploit, the ID, and the payload to the user’s computer.
The exploit takes control over the Tor browser used by the visitor, control it then uses to load and execute the payload. Knowledge of how the exploit works is the most sensitive part of an NIT: public disclosure not only risks losing the opportunity to use the technique against other offenders but would also permit criminals or authoritarian governments to use it for illicit purposes until a patch is developed and deployed. This is the component the government refuses to disclose in the instant cases.
The payload is the program which searches for and gathers information such as the computer name, user name and MAC address, and then transmits it along with the unique ID over an unencrypted channel on the internet, exposing the public IP address of the victim's computer, from which he can be traced back.
The logging service, running on a separate computer, receives the NIT response. The important component in this activity is packet capture: all network traffic transmitted over the unencrypted channel is recorded and stored in a pcap file.
In the current case, 137 defendants are facing serious charges over data obtained primarily from the NIT and the seizure of computers. Interestingly, from a defense point of view, defendants are asserting that the code involved in the NIT is material to their defense and needs to be shared with them for a fair trial. This raises the following important questions, which are relevant for cyber crime trials in Pakistan as well.
1. Defendants should be given an opportunity to perform a detailed evaluation of the functionality of the exploit, in this case the NIT, to determine what it searched for on the victim's computer, how the search was conducted, what data was seized, and the chain of custody.
2. A critical question is how the key ID was generated and whether every computer was given a unique ID. To analyze this, a defendant would need the source code to ascertain that process and cross-match it with the logging activity.
3. Whether the pcap file of traffic transmitted over an unencrypted channel was manipulated by any third party.
4. Allowing the defense to examine the complete source code, including the exploit, may result in exposing sensitive classified information to a vast array of actors, which can be detrimental to national security operations.
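The cross-matching raised in questions 2 and 3, as an added Python example that is not the FBI's code or anything from the case record: it audits generator records against logging-server records for ID problems and checks a capture file against a digest recorded for chain of custody. The record layouts, field names and every value below are assumptions constructed for illustration.

```python
"""Forensic cross-check of generator records against logging-server records.

Added illustration only: all records, field names and values are constructed.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed generator records: (ID handed out, site account it was tied to).
ISSUED = [
    ("a3f1c09e", "account_alpha"),
    ("7b22d4e1", "account_bravo"),
    ("7b22d4e1", "account_charlie"),  # same ID tied to a second account
    ("c9910aa2", "account_delta"),    # issued, but no response was logged
]

# Constructed logging-server records, one per response received.
LOGGED = [
    {"id": "a3f1c09e", "ip": "198.51.100.7", "mac": "02:00:00:aa:bb:01", "host": "PC-ONE"},
    {"id": "7b22d4e1", "ip": "203.0.113.20", "mac": "02:00:00:aa:bb:02", "host": "PC-TWO"},
    {"id": "a3f1c09e", "ip": "192.0.2.55", "mac": "02:00:00:aa:bb:03", "host": "PC-SIX"},
    {"id": "ffff0000", "ip": "192.0.2.99", "mac": "02:00:00:aa:bb:04", "host": "PC-NINE"},
]


def audit_ids(issued, logged):
    """Return the IDs that break the 'one ID, one account, one machine' claim."""
    accounts = defaultdict(set)
    for nit_id, account in issued:
        accounts[nit_id].add(account)

    machines = defaultdict(set)
    for rec in logged:
        machines[rec["id"]].add((rec["ip"], rec["mac"], rec["host"]))

    return {
        # An ID given to more than one account cannot attribute a response.
        "id_tied_to_several_accounts": sorted(
            i for i, accts in accounts.items() if len(accts) > 1),
        # One ID reported by different machines needs an explanation.
        "id_seen_from_several_machines": sorted(
            i for i, seen in machines.items() if len(seen) > 1),
        # A logged ID the generator never issued points to a logging or
        # transmission problem (the channel was unencrypted).
        "logged_but_never_issued": sorted(set(machines) - set(accounts)),
        # Issued IDs with no response; not an anomaly, but worth counting.
        "issued_without_response": sorted(set(accounts) - set(machines)),
    }


def capture_matches_custody(capture_bytes, recorded_sha256):
    """Compare a capture file's SHA-256 with the digest in the custody record."""
    actual = hashlib.sha256(capture_bytes).hexdigest()
    return hmac.compare_digest(actual, recorded_sha256.strip().lower())


# Constructed stand-ins for a pcap file's bytes and the digest noted at seizure.
SAMPLE_CAPTURE = b"constructed stand-in for the bytes of a pcap file"
CUSTODY_SHA256 = hashlib.sha256(SAMPLE_CAPTURE).hexdigest()

if __name__ == "__main__":
    for finding, ids in audit_ids(ISSUED, LOGGED).items():
        print(f"{finding}: {ids or 'none'}")
    print("capture intact:", capture_matches_custody(SAMPLE_CAPTURE, CUSTODY_SHA256))
```

A matching digest only shows the file is unchanged since the digest was recorded; it says nothing about whether traffic was altered on the unencrypted channel before it was captured.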
Sunday, February 12, 2017
Privacy is Dead
When I started working in internet development I saw it as a great tool of liberation for the global South. 18 years down the road I see it as a great facilitator of absolute control. It is not now but may become a threat to human civilization in coming years.
We live in an age of corporate surveillance architectured by neoliberal global capitalists where Governments and corporate interests have united under the umbrella of metadata surveillance. Given the developments in the surveillance industry in recent years I have taken a different stance on the issue of privacy perhaps, from what most of you would expect me to have taken. I for some time now have been very vocal about the National Security Agency and massive mass surveillance programs and I think that we should understand that the game for privacy is gone. The mass surveillance is here to stay.
Mass surveillance has had a trickle-down effect, whereby not only large and mid-sized states are engaging in this unethical act of spying on the innocent, but even small countries like ours are now spying on their own citizens after the de facto approval by the world’s most powerful.
We can talk about all the laws that we want, and what policies should be and how society should behave and how it should work, but we should realize the fact that privacy is gone and it will not come back short of a very regressive economic collapse which reduces the technological capacity of civilization.
As the price of cutting edge technology continues to decline, states will employ more surveillance technologies at an increasing rate.
The reason it will not come back is that the cost of engaging in mass surveillance is decreasing by about 50 per cent every 12 months, the underlying cost of telecommunications, moving surveillance intercepts, computerization and storage – all those costs are decreasing much faster at a geometric rate than the human population is increasing.
If you look at societal behavior with reduced social spaces like Sweden, South Korea, Okinawa in Japan and North Korea then you’ll see that society adapts. Everyone becomes incredibly timid, they start to use code words; use a lot of subtext to try and sneak out their controversial views. Like "baat tu ap samaj gaye hon gay" ("you must have understood the point") and so on.
Privacy is one of many values “that simply are unsustainable in the face of the reality of technological change; the reality of the deep state with a military-industrial complex and the reality of Islamic terrorism, and national security is legitimizing that sector in a way that it’s behaving.”
It's time to innovate and strategize and come up with tools like bitcoin, Tor and a few others in a growing list as a societal reaction to growing state control. Telcos need to become more transparent.
Transcript of a talk on Privacy
Friday, February 10, 2017
Looking for Leadership
2. Lack of communication within departments.
3. Poor moral forcing to accept culture of mediocrity.
4. Declining business performances and unhappy customers.
5. Thrusting own agendas on the employees.
6. Growing culture of negativity and biased decision making.