Posted on Jan 16, 2012

Why YOU should care about SOPA?

The Stop Online Piracy Act (SOPA), also known as H.R. 3261, is a bill that was introduced in the United States House of Representatives on October 26, 2011, by House Judiciary Committee Chair Representative Lamar Smith (R-TX) and a bipartisan group of 12 initial co-sponsors. The bill expands the ability of U.S. law enforcement and copyright holders to fight online trafficking in copyrighted intellectual property and counterfeit goods.[2] Now before the House Judiciary Committee, it builds on the similar PRO-IP Act of 2008 and the corresponding Senate bill, the PROTECT IP Act.[3]

-Source Wikipedia

While I was following the fellow journalists and podcasters in the US talking about SOPA/PIPA, I kept thinking: why should I bother with SOPA/PIPA? It’s an act which is being passed in the US, and if enforced, it will allow the government (with/without due process) to kick websites off the internet. But the effect of this is restricted to the US, and such a banned website should still be accessible for us in Singapore. So what’s the big deal for us? I bet many of you have had a similar thought.

Thanks to Justin Lee, I realized my lack of foresight. Let’s start with history…

Over the last few years many governments around the world have been discussing a really unusual trade agreement. Of course the intent of this agreement is honest and fair. The ACTA (Anti-Counterfeiting Trade Agreement) had the aim of “establishing international standards on intellectual property rights enforcement”. While the agreement was on a voluntary basis, there were murmurs around the internet that the US government, lobbied by the MPAA/RIAA, was putting its weight on countries to sign the pact. And one of the clauses of this agreement was the famous “3-strikes rule”, which basically forced governments to force the local ISPs to give users 3 chances of “suspected copyright infringement” before cutting off their access to the internet.

And among the list of countries who have signed ACTA is our dear Singapore. Singapore has always tried to stay in the good books of the US, especially with respect to copyright issues. The current emphasis on media has heightened that significantly, as a strong copyright law makes media companies more willing to set up operations in Singapore.

Thus, there is a significant possibility that Singapore might import SOPA and make it a law here. In fact there are indications of that already. It may not seem that serious for Singapore, where there is already significant censorship of the internet based on what’s considered acceptable by the MDA. But allowing random 3rd parties (copyright holders) to pull the trigger on censorship is stretching it.

Don’t get me wrong, I am not in support of piracy. Being a part of Tech65, we take our IP rights seriously. We’d hate to see our content being stolen/pirated/abused as much as any movie producer. And I totally agree that copyright of content should be protected with government mandate. But HOW that is done is the question to be asked. Allowing copyright holders who have a definite commercial interest to practically ban any website they suspect of infringing their copyright is definitely not the way.

Here’s a simple example of why such a law can be abused. Revision3 was DDOSed and “crippled” for a suspected copyright infringement in 2008 (just because they served THEIR OWN content on BitTorrent). Rev3 suspects that the DDOS was done by a company acting on behalf of the MPAA. While DDOSing is currently not legal, you can imagine that with SOPA such things could be done simply and legally by banning the site at the DNS level. Too much power in the hands of people with obvious commercial interests against many smaller players on the internet. Talk about being unfair..

So here’s what you can do..

1. Stop Pirating!

2. Read up and understand what SOPA/PIPA is and what the US Congress is debating. Try to understand what banning a website at the DNS level can mean to ANY website that YOU own.

3. Know and understand ACTA and see what the Singapore government has agreed to do.

4. Spread the word. Take part in the anti-SOPA blackout. Or tell your friends why SOPA is a bad way to implement copyright regulations.

5. Keep your eyes and ears open to how the Singapore government reacts to SOPA. If need be, we will have to contact our representatives and tell them our view on copyright issues to be raised to the appropriate level.

6. Think about alternative ways copyright can be preserved and protected, other than straight up banning suspected copyright infringers from the internet.


If you have some ideas, do comment below. I would love a discussion.


Posted on Jan 9, 2012

Creative Commons (Singapore) Day 2011

So I’m back in Singapore. And when I found out that there was a Creative Commons Day in Singapore, I was stoked. I have always believed in Open Source / Creative Commons and other forms of community-based IP licensing concepts. While I believe private licensing still has some use in this world, and innovative business models around both shared and private licensing schemes are the way forward, I am pretty sure that there’s tonnes of content in the world which can easily be given a shared license without ANY loss of value to the original owner.

Take for example all the private concerts that Indian Classical Musicians do. Their compositions are original (mostly improvised on the spot) and hence attract Copyright. If such content is recorded and shared under Creative Commons, the community around this music would benefit so much from it. But I digress..

Creative Commons Singapore

Creative Commons (CC) Singapore is an informal, 100% volunteer-driven, community effort. We hope to increase the awareness of Creative Commons in Singapore, so that people can make their informed choices for their creative pursuits.

Ivan Chew, a friend from the Singapore Garageband Meetup (and other places), is helping out with the community aspect of CC Singapore. He was responsible for organizing the really great CC Singapore Day on 11th Nov 2011 (yes, I am slow posting this..). I was excited to meet other creatives in Singapore who also believed in Sharing.. Also thanks to Ivan, I got to record some of the sessions and some interviews with the attendees at CC Singapore Day.

Presentations

Here is a list of those who presented..

  • DJ Reiki will share some of her CC-licensed works. (only got the last bit of her presentation)
  • Justin Koh (got arm-twisted) to share about his CC musical endeavors on SoundCloud. Justin contributed audio and video for CC SG Fest.
  • A screening of a made-in-SG CC-licensed film. If you grew up in 80s Singapore and have an inkling of the music scene, I think you’ll like this one. This 20min documentary brought a tear to my eye at the end.
  • Tech65.org, Chinmay Pendharkar, will share about their CC podcasts.

Interviews

Enjoy listening to these recordings and let me know what you think [except that I need a better microphone, which I do.. :( ].


Posted on Jul 7, 2011

Passwords..

With the recent spate of attacks by LulzSec and Anonymous and the subsequent password leaks, keeping your passwords safe and secure has become an extremely important part of doing anything online. Passwords protect any and all information you put online, and hence are extremely important to ensure that only you are allowed to access and change that information. Of course we know this! And now we also know that we can’t trust big players like Sony and even some national agencies to do just that. Whatever the reasons might be, it seems mighty easy to allow access to your password database (and sometimes even to store plain-text passwords there). So, finally, the responsibility of keeping our passwords safe lies on us. But sadly, the lazy bums that we are, almost everyone I know has at least one vulnerability in their password generation and management schemes.. Luckily for us (and thanks to the geeks) there are many simple ideas and tricks one can use to make your passwords much safer and more secure. Here are a few…

Secure Passwords?

1.  Stop reusing the same password on multiple websites.

This is the cardinal sin. Doing this ensures that if your password gets leaked by one website/service (like Sony for example), then whoever gets your password can log into ALL your other accounts!!

So what can you do? Simple! Use a different password for each website. “Does that mean I have to remember as many passwords as I have Gmail accounts?” Yes!! So stop registering more Gmail accounts or start using a password manager. A simple and awesome way to do this is using SuperGenPass. This allows you to have just 1 (master) password but hashes it with the domain name to give you a different password for each website (that does mean it’s not useful if you want to have 10 Gmail accounts either).
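The per-site derivation idea above, as an added example that is not SuperGenPass's own algorithm: one master password is stretched with PBKDF2 and salted with the site's domain, so every site gets an unrelated password. The iteration count, the output length and the two-label domain normalisation are assumptions for this demo.

```python
import base64
import hashlib

# Added example (not SuperGenPass's code): derive one password per site from a
# single master password, so no two sites ever share a password.
ITERATIONS = 200_000   # assumed work factor; slows offline guessing of the master


def registrable_domain(host: str) -> str:
    """Normalise a hostname so 'www.Gmail.com' and 'gmail.com' derive the same
    password. Assumption: the last two labels identify the site (fine for a demo,
    wrong for co.uk-style suffixes)."""
    labels = host.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def site_password(master: str, host: str, length: int = 16) -> str:
    """Stretch the master with PBKDF2-HMAC-SHA256, salted by the domain, and
    encode the key as printable characters. Different domain -> different salt
    -> an unrelated site password, yet fully reproducible from the master."""
    domain = registrable_domain(host)
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              domain.encode("utf-8"), ITERATIONS)
    return base64.b64encode(key).decode("ascii")[:length]


if __name__ == "__main__":
    # Constructed master password; the sites are just examples.
    master = "correct horse battery staple"
    for site in ("www.gmail.com", "example.com"):
        print(site, site_password(master, site))
```

Because the site password depends only on the master and the domain, one leaked site password lets an attacker test master-password guesses offline; the iteration count slows that down, but the master itself must still follow point 2.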

2. Use a strong password.

This is very critical. In the cases where your password is hashed when stored on the server (as it should be), the only way for an attacker to retrieve it is to do an ‘offline’ attack. There are two general ways of doing this. Dictionary and Bruteforce.

In a Dictionary attack, a ‘dictionary’ of common passwords based on commonly used words and some modifications (using 1337 symbols, etc) is used to generate the hashes. The hashes are then compared with your password hash. Hence if you had been using one of the words in the ‘dictionary’, your password can be guessed this way. So it’s extremely important that you ensure that you don’t use a dictionary word as your password (‘password’ is a great example of that). But don’t be fooled into thinking that ONLY words in an actual dictionary are used. There are many ways of generating lists of commonly (or not so commonly) used words. For example, crawling the internet, and doing all sorts of simple and complex modifications (like concatenation, substitution, reversing, capitalization, etc). The weakness of this attack is that it only works when the password is based on some known word.

Strong Password?

The other type of attack is Bruteforce. This technique just tries out all combinations. It works best when you have loads of time (hence only an offline attack), and tonnes of computational power to do thousands/millions of hashes and comparisons every second to try out ALL combinations. So for a simple example, they can start trying out with a,b,c,d,…, A,B,C,D,…1,2,3,4….aa,ab,ac,ad.. and so on and so forth. The exhaustiveness of this method means that ANY password can theoretically be guessed if given enough time. Now how much is enough? Steve Gibson of GRC fame made a great website about how long it will take to theoretically break a password. Play around with the tool and see how strong your password is. The more types of characters (lower case, UPPER CASE, numbers and symbols) you use, the stronger your password becomes. This is a result of needing to try out a lot more combinations for EVERY character.

The other way to strengthen your password is to increase the length. The longer the password, the more time (even trillions of years) it will take to crack it, even with technology which is 100x faster than what we have today. The GRC password haystacks site shows this quite well.

So knowing the workings of these two common attacks, a good password should not be a commonly used word and should be long. There have been many ideas about this. But finally it boils down to this. Your passwords need to be a combination of ALL the 4 main types of characters (lower case, UPPER CASE, numbers and symbols), something not based on a commonly used word, and really long (16-20 characters to say the least). A good way to have a password which is not based on any words is using some kind of random word generation to generate a password with the 4 main types of characters in it.

But it’s hard to remember a 20 character password which is a random sequence of characters. So, there is another trick that Steve Gibson just came up with. While it’s important to have all 4 types of characters in the password, just one instance of each of the 4 types is enough to add all the strength you can get from the character types. Hence, having one of each of the 4 types and then the other 16 characters of a single type is good enough. This allows you to combine the complexity of the 4 types with the length to give you a strong password. Steve’s idea is to have a random 4-character sequence (one of each type) and then add 16 letters around it. For example ‘aaaaaaaaaaaa4B(kaaaaaaaaaaaaaaaa’. This makes it long and complex but much simpler to remember.
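As an added example (not from the original post or from GRC's tool), here is the search-space arithmetic the haystack idea rests on, applied to the post's two passwords; the 33-symbol class size and the 10^11 guesses-per-second rate are assumptions.

```python
# Added example: the brute-force search-space arithmetic behind the "password
# haystacks" idea. Character-class sizes follow the usual US keyboard counts
# (33 printable symbols is an assumption, as is the guess rate used in main).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover: the sum of the sizes
    of every character class that appears at least once in the password. This is
    why a single digit/upper/symbol is enough to widen the alphabet."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def search_space(password: str) -> int:
    """Worst-case number of candidates a brute-force attack must try: every
    string of length 1 up to len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole space at a given guess rate."""
    return search_space(password) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e11  # assumed: a large offline cracking rig, guesses per second
    for pw in ("password", "aaaaaaaaaaaa4B(kaaaaaaaaaaaaaaaa"):
        print(f"{pw}: alphabet {alphabet_size(pw)}, space {search_space(pw):.3e}, "
              f"{years_to_exhaust(pw, rate):.3g} years")
```

These figures are a pure brute-force upper bound: a dictionary or pattern-based guesser that tries ‘password’ directly, or that models runs of repeated padding, succeeds far sooner, which is why the “not based on a known word” condition in point 2 still matters.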

3. Manage your passwords properly.

If you’re one of those with an awesome memory and can remember each of your 20 character passwords (maybe you use Steve’s trick) then good for you. For the rest of us, we need something to remember our passwords. There are many tools (including some built into most browsers) to help us remember our passwords. Most rely on one single password (master password) which you have to memorize and which in turn allows you to access a bank of the rest of your passwords. But don’t be fooled into thinking that just because you’re using a password bank, all your passwords are safe all the time. Points #1 and #2 above still apply here for ALL your passwords.

The important thing to consider when using such a tool is whether the tool itself saves only the hash of your password and not the plain text. Getting such a password bank hacked into is 100x worse than just having a Google account hacked, as most of the time the bank also stores which websites the passwords are for. So it’s a sitting duck for the hackers. I personally love LastPass, and the beauty of this tool is that all the hashing and unhashing is done on the client side using the password as a key, hence even if LastPass gets hacked, you will only stand to lose the hashes of your passwords. And assuming you have followed point #2 you’ll be safe.

The other great thing about these tools is that most provide a way to generate good random passwords, and many plug into your browser so you don’t have to do much copy-pasting.

4. Change your passwords often.

This is also important. Many services force you to change your passwords every few months. That’s great. It blunts many types of offline attacks: even if an attacker eventually finds your password, it might have been changed by that time, as it can take loads of time to run dictionary attacks (as we have seen).

Some password management tools also have reminders to tell you to change your passwords regularly, which is really useful.

5. Use Multifactor Authentication (if possible).

Multifactor Authentication uses an ‘Out of Channel’ message to verify the authenticity of the entity trying to log in. This has been done using small tokens which generate random numbers (with limited time validity) and are synced with the server. These numbers allow the ‘Out of Channel’ verification of the authenticity. This has been common in the world of Internet Banking, but recently other services have been using it as well. Most notably Google has started using 2 Factor Authentication using apps on your smartphone or SMS.

This system ensures that you are in possession of both the password and the device (token or smartphone) at that given moment to authenticate you. This adds another layer, and thus can’t be broken by any of the types of attacks discussed previously. But one has to be careful to carry his/her device with him/her all the time and not to lose it. But 2 factors are always better than 1..

So there you go, 5 tips and tricks to ensure your data is safe and secure on the Internet using passwords. Be sure to use them all and stay safe.