digital knowledge. digital culture. digital memory.


From traditional hackers to PacCERT


I thought that I would post this piece that formed part of my half-day workshop on information security at PacINET 2008 in the Cook Islands. My slides were almost the same set that I used last year in Honiara.

Historically speaking, information security is not new. There is evidence of people protecting and of course attacking information in all cultures as far back as there is a historical record. If we take early missionary accounts in Fiji, for example, as containing at least a kernel of truth, we find that access to spiritual information was a closely protected monopoly of a priestly class. The confidentiality, integrity, and availability of information from the world beyond – which was extremely valuable information about the weather, the future, the correct course of action, and many other things – was strictly limited to established priests who seem to have been kept under close control by the chiefs.

However, even pre-European contact Fiji had its hackers. Living at the fringes of Vitian society were (and still are in remote areas) medicine men and witches who could also tap into spiritual information. Their status as relative social outsiders made them either an enemy or a counter-balance to the priestly information monopoly. Some witches and medicine men could even hack (I mean, influence) the spiritual world and alter the confidentiality, integrity, or availability of information to priests.

Even the technology-focused information security that jumps to mind when we hear terms like infosec has very old and mostly military roots going back in Europe to before the time of Christ. One perspective that is used in military, governmental, and business circles today is that information security forms the defensive aspect of information warfare – that is, the part of information warfare that is concerned with protecting information assets. For example, information security was something that the USA knew that Iraq was lacking in the first Gulf War in 1991 when they disabled Iraqi air defense computers with a virus smuggled in on dot matrix printers (see Dorothy Denning, Information Warfare and Security, 1991).

Of course, with the rise of the personal computer and the Internet in recent history, information security has become much more than a military concern. With the growth of the so-called information economy has come an equal and predictable growth of information crime, leading to some staggering statistics including a 2005 estimate that the cost of computer crime in the USA exceeded the size of the combined economies of all the nations in the South Pacific.

I have been quoted in the past as saying that despite all of the fascinating mathematics and technology that underlie modern infosec, information security is fundamentally a very human discipline. Certainly, no one likes to have money stolen from them, but increasingly information security is focusing on our privacy, our public personae, our collective identity, our fundamental rights, and even our legal identity.

Fiji's anti-government bloggers, who are only able to voice their (all too often slanderous) opinions due to technology which assures their anonymity, are playing a role in shaping the future of Fiji and the region. Only time will tell how significant that role is. However, anonymous political activists everywhere should be wary of the behavior of America's Internet giants in repressive regimes, as they are not always on your side. The most striking example is the case of the activist Shi Tao who was essentially handed over to Chinese authorities by US-based Yahoo. Yahoo, and other international firms, have agreed to work with Chinese authorities in order to gain access to the immense Chinese market.

Information security even has a role in protecting the function of entire nations. Take the case of Estonia, a small former Soviet republic on the coast of the Baltic Sea with a population of around 1.3 million people. In May this year, Estonia moved a certain Russian war memorial to a location more desirable to Estonians but less desirable to Russian nationals living both in and out of Estonia. Soon, various blogs were posting instructions on how to wage a denial of service attack against Estonian institutions, and a little while later, this attack was in full swing bringing down government and financial sector systems across the tiny maritime nation. Should this story concern other, perhaps more tropical, small maritime nations who are rushing to get their institutions online? The answer is a resounding, "Yes".

Still, one of the largest challenges facing information security today is the heady combination of social engineering and user ignorance. Many computer criminals have discovered that hacking just does not pay off as well as simply fooling people into giving up either their money (to help move funds out of Nigeria to help a poor widow, for example) or enough information to get to their money. To give a somewhat trivial example, I have never received so many chain emails from people I know since I came to Fiji – and I was part of the first wave of Internet users in Canada. It goes without saying that nations with large populations of new Internet users are more at risk.

Technology policy makers in the South Pacific should indeed be worried by all of this. By joining the global information economy, the region is embarking on an enterprise that is as fraught with danger and as ripe with rewards as the great Melanesian and Polynesian migrations of days past. Fortunately, it is not necessary to sail the seas blind – technology policy navigators need only to look across the ocean to the experiences of other nations to see what problems to expect and which solutions are effective.


Microwave ray gun controls crowds with noise


A US company claims it is ready to build a microwave ray gun able to beam sounds directly into people's heads. The device – dubbed MEDUSA (Mob Excess Deterrent Using Silent Audio) – exploits the microwave audio effect, in which short microwave pulses rapidly heat tissue, causing a shockwave inside the skull that can be detected by the ears. A series of pulses can be transmitted to produce recognisable sounds. The device is aimed for military or crowd-control applications, but may have other uses.
[Microwave ray gun controls crowds with noise New Scientist Tech, July 3, 2008]

Two thoughts on this story: 1.) I'm no physicist, but I think my foil hat might actually protect against this one - seriously; and 2.) Could this be put to good use in Fiji? "Oi! Jone, Ise, Prakash! Put down the bilo and go home to your wives so that I can go to sleep!" "Did you hear that?" "Hear what?"

Photo by: nicmcphee



A consumer view of residential Internet service in Fiji


Let's be honest, Fiji's ISPs have room for improvement. The problem with residential broadband in Fiji is value for money. Value in this case means a combination of 1.) actual, as opposed to promised, speed, 2.) reliability of service, and 3.) monthly data volume. Why is this value lacking?

Last week there was a session on the Southern Cross Cables Network (SCCN) presented by George Samisoni of FINTEL (video of the session is available, thanks to Franck from PICISOC). The three most noteworthy points of the presentation for me were:

  1. FINTEL splits the revenue roughly 50/50 with local ISPs for data transferred. Some undisclosed portion of FINTEL's share then goes to SCCN.
  2. The SCCN is nowhere near its capacity - only money/pricing and the infrastructure between FINTEL and your door is preventing users in Fiji from having faster access to the Internet.
  3. In the new deregulated environment, FINTEL will remain the sole agent for access to the SCCN. This means that FINTEL maintains a practical monopoly on wholesale Internet access until a competitive sea-floor cable is run to Fiji or satellite connections become more reliable and affordable.
What does this mean for Fiji's residential Internet users? It means that competition will only benefit residential consumers through any economic efficiencies that can be made and reliability that can be gained through infrastructure between FINTEL and your doorstep. In other words, there will be no changes in the near future on the wholesale side.

The following table lays out the current options for residential Internet consumers.

Residential ISP pricing as of May 9, 2008
based on ISP websites supplemented by phone calls to sales reps.

| ISP | Advertised speed | Price (rounded off) | Usage cap | Setup costs (rounded off) |
|---|---|---|---|---|
| Connect | 256/128 down/up kbps | $40 | 3 Gb/mo. | $100; need a land line |
| Connect | 512/256 down/up kbps | $90 | 3 Gb/mo. | $100; need a land line |
| Kidanet | 128 kbps | $50 | 4 Gb/mo. | $300; install visit required |
| Kidanet | 256 kbps | $100 | 5 Gb/mo. | $400; install visit required |
| Unwired | 256/128 down/up kbps | $50 | none | $100 24 mo.; $200 no contract; burglar bars may cause interference |
| Unwired | 512/256 down/up kbps | $100 | none | $100 24 mo.; $200 no contract; burglar bars may cause interference |

There are a number of points of interest on this table:
  • Internet companies lacking commitment to their own website: Kidanet's website is woefully out of date. They are certainly turning potential customers away due to the high startup pricing quoted on their website ($599 for the modem and $99 installation). If you call or go in person, they will quote you the lower pricing that I have provided in the table above and tell you that there is now a data cap. Connect and Unwired both have some minor inconsistencies on their sites as well.

    Kidanet's broadband pricing on their website as of May 9, 2008 - no cap and a very expensive modem

  • All you can eat?: Kidanet's nationwide launch was based on no monthly download limits. Now, only a few months later, they have quietly clamped on limits starting at 4 Gb per month. In response to Kidanet's launch last year, Unwired dropped the monthly download cap that had been in place since at least mid 2006 (when I signed up). Now Unwired's website claims that they have always had no cap. Other than Connect's special After Dark plan, which allows access only on evenings and weekends, Unwired is the only ISP currently offering no download limits. Can they keep it up? The reluctance of ISPs to offer residential customers no limit Internet access is an indication of significant pricing pressure on data volume procured through FINTEL.

    Unwired's dubious claim of "always have been" from their website on May 9, 2008

  • Student plans: All three ISPs offer reduced rates for student users. If you are a student, consider signing up for a rate reduction of up to 20%.
  • Lock in: Both Connect and Unwired have service packages requiring no long term commitment other than the purchase of necessary hardware - although packages with special pricing do require contracts with a term of one year or longer. In contrast, Kidanet requires all users make a two year commitment (the website says three) and the penalty for early cancellation is a painful six months of fees. Increasing customers' switching costs is not an uncommon practice for many service vendors, but it is not a method for forging strong customer relationships.
  • Misleading advertising: All three ISPs advertise attractive data communication speeds, but my informal survey of residential customers of all three vendors reveals that no one sees the advertised speeds for any significant period of time, and others claim that they do not see the advertised speeds at all. In fact all customers that I spoke to claim to have experienced significant episodes of down time. None of the ISPs offer a meaningful service level agreement to residential customers and terms of service small print always reveals that the advertised speeds are nothing more than maximums. It would be invaluable to have a third party carry out customer satisfaction and actual throughput surveys across all major vendors. Based on my informal research, I assume that Kidanet does not offer less for $50 per month as it might appear on paper; rather they are merely more honest than the competition in advertising their residential transfer rates.
I am not confident that deregulation will substantially improve the lot of Internet consumers in Fiji in terms of data transfer rate or cost per packet. Without competition at the upstream or wholesale stage, the opportunity to drive consumer pricing down is severely limited. And, at least for the short term, competition in Fiji is a facade. The ATH Group owns controlling stakes - directly or indirectly - in all of FINTEL, Connect, Kidanet, and Vodafone Fiji. Unwired is the only meaningful competition to the ATH juggernaut. However, increased competitiveness in the future, should it come, is likely to drive an increase in quality of service to residential consumers as vendors will seek non-price related means of differentiation. I look forward to a day when Fijian ISPs' primary method of maintaining customers is through creating an outstanding customer experience rather than relying on switching costs.

Photo by: publicenergy
Diagram by: activeside


Human rights report critiques blog censorship


There has been much said this week about the recent American report on human rights in Fiji. From the perspective of a Fiji blogger, it is interesting to see that blogs are explicitly mentioned several times in the report. Here are the relevant sections:

Internet Freedom
There were no government restrictions on general public access to the Internet. However, the military attempted to censor or shut down a number of antigovernment blogs that appeared after the coup, and the Public Service Commission warned civil servants against accessing or taking part in antigovernment Web sites. The military extensively monitored Internet chat rooms on these Web sites. In May the RFMF announced that it was following three individuals alleged to be involved with antigovernment blogs. Also in May, a businessman accused by the military of involvement with such a blog was detained by RFMF personnel at an army camp, where he was verbally and physically abused. Several other individuals suspected of maintaining blogs or posting on blogs were threatened or intimidated. Two senior civil servants accused of contributing to a blog were suspended from duty and subjected to disciplinary action. At least two persons were arrested for allegedly authoring or forwarding e-mail messages critical of the interim government. The Internet was widely available and used in and around urban centers, and the majority of the population lived in areas with Internet coverage. However, low-income persons generally could not afford individual service, and other public access was very limited. Access outside urban areas was minimal or nonexistent.

Academic Freedom and Cultural Events
Academic freedom was generally respected; however, government work‑permit stipulations prohibit foreigners from participating in domestic politics. University of the South Pacific contract regulations effectively restrict most university employees from running for or holding public office or holding an official position with any political party. RFMF agents reportedly infiltrated the university campus to monitor any political activity. The RFMF also threatened to terminate scholarships from the Fijian Affairs Board, a government-funded statutory body, for university students who contributed to antigovernment blogs.
[Fiji. Country reports on human rights practices. US Department of State. March 11, 2007]

Most of this seems to refer to well known events from the first half of 2007. Readers, what do you think?
  • Is this report accurate?
  • Is it still unsafe to blog in Fiji?
  • Does the US really have the right to criticize the human rights practices of other countries?
  • Would anyone from the interim government like to comment on this section of the report?

Photo by: riacale



Franck Martin and myself interviewed on email security


Fijilive has run a story on email security based on interviews with Franck Martin of PICISOC and myself. Here is an excerpt.

While email is an extremely useful technology, it is not very secure, warns Chris Hammond-Thrasher, the author of the Digital Fiji Blog. And he suggested that the best advice to follow is "to always assume that all of your emails are being read by others".
[Emails are not so secure: experts, Fijilive, March 9, 2008]
That's right, email is not secure - it never has been. You do not need to dream up elaborate hacking plots to explain Hunter's emails getting out into the wild.
Why would they [hackers] take weeks to plan a sophisticated attack if they can just trick you into giving them your password or key, or if they can take advantage of a well known software flaw on a server that has not been updated for a couple of months? ... He cites the dangers of the common practice of "writing your password on a sticky note on your PC, leaving your PC unattended while you are logged into email and other services, and allowing others to watch over your shoulder while you type in your password".
The mystery of how Hunter's email was stolen is the biggest non-story in Fiji ICT news.

Photo by: juiceboxgasoline



ICT, information warfare, and the RFMF


Note to RFMF readers: I would be very interested in hearing your comments on this post.

The Royal Fiji Military Force (RFMF) recently posted a document entitled Commander's Intent 2008 on their website. This statement of intent forms a sort of strategic plan for the RFMF for 2008 and beyond. It is broken up into three main sections:
  • One section dealing with "Good Governance in the RFMF", including issues such as policy and legal compliance, formal planning, and budgetary restraint;
  • One section that is a kind of environmental scan of the current internal and external situation in Fiji, including social and economic pressures, race relations, regional security, and a survey of the RFMF's "competition" within Fiji, "there had been a move to replace the RFMF with a reinvigorated and robust police force," and in the region including Commonwealth forces recruiting soldiers away from the RFMF; and
  • A large section outlining the Commander's strategic ideas for the coming year.
I was curious to see what this document would say, if anything, about ICT in general and information warfare in particular. In the environmental scan section the document makes the following optimistic statement about Fiji's ICT potential, "Technologically, Fiji can be the Singapore of the region." Only to burst that bubble in the very next sentence, "Unfortunately we continue to lag behind badly and this has affected our ability to grow like Singapore." No additional information is provided about who we are lagging behind, what is the cause of the lag, nor how said lag can be overcome.

ICT is referred to explicitly three additional times in the list of actions that the RFMF is considering in 2008.
  • "Improve logistic support system,"
  • "Develop a modern reliable and secure communications system," and
  • "Develop a computerization and IT system for the RFMF."
While these seem valuable strategic activities, it should be understood that these three are nearly lost in a lengthy list of 50 actions that are under consideration for the 2008 budget. Clearly, ICT is not high on the military priority list. Let's examine each of these in turn.

While I do know a thing or two about electronic procurement, I am the first to admit that I know nothing about logistics support systems (LSS); and I am not familiar with what the RFMF currently has deployed. Certainly they will need to equip their logistics personnel with computers, wireless equipment, and assorted electronic inventory management apparatus - not to mention training - in order to take full advantage of a modern LSS.

Secure Communications
My informal survey of civilians who have had email contact with RFMF officers revealed two facts. First, RFMF officers use free email accounts from US vendors (e.g. Hotmail, Yahoo, etc.), at least to communicate with civvies. Using these American services makes spying on RFMF communication quite simple for US intelligence services, not to mention the risk due to the notorious insecurity of these services. Still, these are not problems as long as these free accounts are limited to use for unclassified communications only. There is a mail exchanger (MX) registered for RFMF email addresses pointing to a server operated by Connect. Could this be the military's current/future secure mail server?

Second, my survey revealed that RFMF officers do not have Internet access in RFMF facilities and that officers must leave their bases in order to access the net. However, this cannot be entirely true. For one thing, there is a webmaster's Unwired email address posted at the bottom of the RFMF home page. This indicates that there is at least one wireless modem in RFMF facilities around the country. For another, according to an issue of the RFMF newsletter, there is an Internet Cafe located at QEB.
"Our soldiers are so fortunate to be given this opportunity especially the Other Ranks and they will no longer go to town because we now have our own, and I would urge them to make good use of it," said the Commander Land Forces.
[Internet cafe to boost troops' interoperability, Mataivalu News, Feb. 2007, p13]
The newsletter states that soldiers can purchase Internet access cards in $5, $10, and $15 denominations.

Of course, there is a lot more to digital military communications than email, but one must walk before one can run.

In terms of establishing a state of the art military ICT infrastructure, the RFMF clearly has some challenges to overcome and room to grow. It will be difficult to establish such an infrastructure when the organization seems much more focused on the purely physical side of soldiering. While the Commander's intent does mention the "changing nature of warfare", a phrase that evokes the increasing importance of information warfare and asymmetric conflict, the bulk of the 50 potential action items listed in this document involve enhancing the RFMF's physical operational capabilities. Of course, military forces often conceal their information warfare capabilities in terms of signals intelligence, cryptology, and system and network attack and defense - could there be more beneath the surface?

In terms of ICT, what is missing from the Commander's statement of intent? There is no mention of plans to develop the RFMF's capacity to wage offensive or defensive information warfare. There is no mention of how the RFMF plans to compensate for the high-tech support and training that they used to receive from the Australian and New Zealand forces. There is no mention of plans to use private contractors to shore up RFMF's high-tech expertise, such as the Indian hackers rumored to have been employed last year or the consultations with FINTEL experts over anti-government bloggers. There is no mention of investing in media and public affairs training for officers.

As I have written about before, Fiji's current crisis is not a traditional military conflict, but rather a battle for the supremacy of ideas - the new ideas of the interim regime vs. the old ideas of the Qarase government. Fiji's current crisis is a 4th generation warfare (4GWF) conflict, where the focus is not on physically outmaneuvering one's opponent, but rather on winning the battle for public opinion. To quote Kim Taipale,
4GWF is political war -- superior political will, when properly employed, can defeat greater economic and military power... In 4GWF conflicts, nonmilitary instruments of power (information) trump military solutions (warfare, technology, and firepower). Information constrains the exercise of kinetic power but kinetic power cannot constrain information power.
[Seeking Symmetry in Fourth Generation Warfare: Information Operations in the War of Ideas. March 2006]
The possibility that political will could overcome the RFMF's monopoly on military power in Fiji should be a concern. Yet most of the activities under consideration, other than winning "the hearts and minds of the local population through professionalism," are purely 3GWF considerations - that is focused on informed, flexible, and rapid physical deployment of military force.

To be successful with its cleanup campaign, the RFMF needs to win a conflict where the battlespace is bounded by communications technologies (including Fiji's ineffable but very effective coconut wireless) and the content of the stories that these technologies communicate. To be successful, it is in this battlespace, the informationspace, that the RFMF needs to increase its operational capacity. [Note: This morning's Fiji Times reports that the interim government is reviving the National Security Council and the Fiji Intelligence Services. Does this signal a change in focus or are these purely civilian initiatives?]

By way of conclusion I offer two quotations - one from a Russian Major-General and one from the most wanted man in the world - both of whom understand 4GWF better than anyone in the Pacific.
"We are approaching a stage of development when no one is a soldier anymore but everyone is a participant in combat action. The task now is not to inflict losses in men and material but to thwart an enemy's plans, demoralize it, undermine its worldview, and destroy its intrinsic values."
[Maj. Gen. G.A. Berezkin, Deputy Head of the Russian Federation Defense Ministry Center of Military-Technical Information Studies, in Lessons from the war in Iraq, Military Thought (May 1, 2003). Quoted in Taipale.]

It is obvious that the media war in this century is one of the strongest methods; in fact, its ratio may reach 90% of the total preparation for the battles.
[Osama bin Laden, 2002. Quoted in Taipale.]

Photos by: soldiersmediacenter


On top of everything else, lan problems!


2007 and now 2008 have not been easy years for the small Pacific nation of Fiji. Between a coup and ensuing political turmoil, an economic downturn driven by a drop in tourism visits, a couple of cyclones, occasional flooding, corrupt officials, home invasions, drownings, road deaths, typhoid, and water and power cuts, things have been challenging. And now, I sit down in front of my computer, open up the Fiji Times web site to read that, on top of everything else, we now have "lan problems"!

[Fiji Times, February 25, 2008]

One can only hope that the "meaningful dialogue" succeeds so that we can all get back to WoW and SL in order to escape reality.



Fiji political blogs: truth or slander?


Since the 2006 coup, I have tried to chronicle the rapidly changing world of blogs in Fiji as they start up, shut down, climb to great heights, and then fall out of the spotlight. My comments even garnered some unwanted attention from the Human Rights Commission Director who, paradoxically for a human rights officer, seemed to be arguing against freedom of speech. While the interim government ended its public affairs assault on blogs some months ago, there are still intrigues to explore in Fiji's blogosphere.

In recent weeks, one of the top news stories in the Fiji press has been the mystery of the interim government minister who has been accused of tax evasion. The interim government and the police claim that this individual has been cleared of all wrong-doing and refuses to reveal his or her identity. At least one of Fiji's political blogs, however, has openly published the identity of the accused minister. Of course there is no proof. If there was concrete proof, the international press would certainly be publishing this name, even if the Fijian press practices self-censorship.

As I wrote over nine months ago,

Clearly, some of the remarks in Fiji's anonymous political blogs regarding members of the interim government are libelous. Fiji's Defamation Act and supporting Common Law allows for an injured party to ask the court to instruct an Internet Service Provider to turn over records relating to a customer who has published defamatory remarks.
[Blocking anti-military blogs may harm military, Digital Fiji, May 14, 2007]
We will have to wait and see if anyone is willing to put their name and some evidence behind this accusation, otherwise it remains simply the unfounded finger-pointing of anonymous individuals with a clear anti-government political agenda.

Photo by: TW Collins



Koha hits Apia, Samoa


UNESCO has formally announced the installation of the Koha open source library management system in the Nelson Memorial Library in Apia, Samoa. I was honoured to be involved in this project.

Dear Pacific Library colleagues,

The Communication & Information (CI) Sector of UNESCO, the University of the South Pacific (USP) Library, and the Samoa Nelson Memorial Library are very proud to announce the launch of the online Koha Library Management System (LMS) for the Samoa Nelson Memorial Library.

The Samoa Nelson Memorial Library is the first Pacific National Library to launch an online Library Management System allowing members and visitors to view their entire catalogue including their extensive Samoa and Pacific collection.

UNESCO is committed to developing dynamic, viable websites for Pacific National Libraries and National Archives to increase access to information. By publishing their catalogue, the Samoa Nelson Memorial Library promotes Samoa and Pacific literature and knowledge. It protects Samoa’s literary and intellectual heritage.

The Library now also provides a 24/7 service to Samoan members and visitors worldwide.

UNESCO promotes the use of open-source software and supports the Koha LMS. The Samoa project follows on from a successful 2006 deployment for the Cook Islands National Library. UNESCO fully funded the project including the supply of server hardware, bar-code readers, extensive training and documentation, internet connectivity, and linking Nelson staff to Koha technical support groups.

USP Library is the only recognised Koha implementation partner in the Pacific. We received excellent ICT support from CSL Ltd.

Please visit the Nelson site at:

We look forward to comments on the Nelson site especially improvements. We would like to hear from Pacific National Libraries expressing interest in developing websites of their collections.


Abel Caine

Adviser for Communication & Information

UNESCO Office for the Pacific States


Photo by: The Depratment



Are Fiji's ISPs delivering what they promise?


Complaining about your ISP is one of the most popular topics in ICT circles in Fiji. So I wanted to put the question publicly, does your ISP deliver what they promise?

  • How often do you achieve the maximum throughput that you pay for?
  • How often are one or more of your ISP's services offline?
  • What is your experience calling customer support?
  • Have you used more than one ISP? If so, was one better than the other and how?
  • If you work for one of the ISPs, would you like to address your customers? I will publish your statement.
Leave a comment --> here <-- and let your voice be heard!

Note: Digital Fiji is not responsible for the opinions of its readers.

Photo by: Matt Watts