From traditional hackers to PacCERT

I thought that I would post this piece that formed part of my half-day workshop on information security at PacINET 2008 in the Cook Islands. My slides were almost the same set that I used last year in Honiara.

Historically speaking, information security is not new. There is evidence of people protecting and of course attacking information in all cultures as far back as there is a historical record. If we take early missionary accounts in Fiji, for example, as containing at least a kernel of truth, we find that access to spiritual information was a closely protected monopoly of a priestly class. The confidentiality, integrity, and availability of information from the world beyond – which was extremely valuable information about the weather, the future, the correct course of action, and many other things – was strictly limited to established priests who seem to have been kept under close control by the chiefs.

However, even pre-European contact Fiji had its hackers. Living at the fringes of Vitian society were (and still are in remote areas) medicine men and witches who could also tap into spiritual information. Their status as relative social outsiders made them either an enemy or a counter-balance to the priestly information monopoly. Some witches and medicine men could even hack (I mean, influence) the spiritual world and alter the confidentiality, integrity, or availability of information to priests.

Even the technology focused information security that jumps to mind when we hear terms like infosec, has very old and mostly military roots going back in Europe to before the time of Christ. One perspective that is used in military, governmental, and business circles today is that information security forms the defensive aspect of information warfare – that is the part of information warfare that is concerned with protecting information assets. For example, information security was something that the USA knew that Iraq was lacking in the first Gulf War in 1991 when they disabled Iraqi air defense computers with a virus smuggled in on dot matrix printers (see Dorothy Denning, Information Warfare and Security, 1991).

Of course, with the rise of the personal computer and the Internet in recent history, information security has become much more than a military concern. With the growth of the so-called information economy has come an equal and predicable growth of information crime, leading to some staggering statistics including a 2005 estimate that the cost of computer crime in the USA exceeded the size of the combined economies of all the nations in the South Pacific.

I have been quoted in the past as saying that despite all of the fascinating mathematics and technology that underly modern infosec, information security is fundamentally a very human discipline. Certainly, no one likes to have money stolen from them, but increasingly information security is focusing on our privacy, our public personae, our collective identity, our fundamental rights, and even our legal identity.

Fiji's anti-government bloggers, who are only able to voice their (all too often slanderous) opinions due to technology which assures their anonymity, are playing a role in shaping the future of Fiji and the region. Only time will tell how significant that role is. However, anonymous political activists everywhere should be wary of the behavior of America's Internet giants in repressive regimes, as they are not always on your side. The most striking example is the case of the activist Shi Tao who was essentially handed over to Chinese authorities by US-based Yahoo. Yahoo, and other international firms, have agreed to work with Chinese authorities in order to gain access to the immense Chinese market.

Information security even has a role in protecting the function of entire nations. Take the case of Estonia, a small former Soviet republic on the coast of the Baltic Sea with a population of around 1.3 million people. In May this year, Estonia moved a certain Russian war memorial to a location more desirable to Estonians but less desirable to Russian nationals living both in and out of Estonia. Soon, various blogs were posting instructions on how to wage a denial of service attack against Estonian institutions, and a little while later, this attack was in full swing bringing down government and financial sector systems across the tiny maritime nation. Should this story concern other, perhaps more tropical, small maritime nations who are rushing to get their institutions online? The answer is a resounding, "Yes".

Still, one of the largest challenges facing information security today is the heady combination of social engineering and user ignorance. Many computer criminals have discovered that hacking just does not pay off as well as simply fooling people into giving up either their money (to help move funds out of Nigeria to help a poor window, for example) or enough information to get to their money. To give a somewhat trivial example, I have never received so many chain emails from people I know since I came to Fiji – and I was part of the first wave of Internet users in Canada. It goes without saying that nations with large populations of new Internet users are more at risk.

Technology policy makers in the South Pacific should indeed be worried by all of this. By joining the global information economy, the region is embarking on an enterprise that is as fraught with danger and as ripe with rewards as the great Melanesian and Polynesian migrations of days past. Fortunately, it is not necessary to sail the seas blind – technology policy navigators need only to look across the ocean to the experiences of other nations to see what problems to expect and which solutions are effective.

A consumer view of residential Internet service in Fiji

Intro
Let's be honest, Fiji's ISPs have room for improvement. The problem with residential broadband in Fiji is value for money. Value in this case means a combination of 1.) actual, as opposed to promised, speed, 2.) reliability of service, and 3.) monthly data volume. Why is this value lacking?

Wholesale
Last week there was a session on the Southern Cross Cables Network (SCCN) presented by George Samisoni of FINTEL (video of the session is available, thanks to Franck from PICISOC). The three most noteworthy points of the presentation for me were:

1. FINTEL splits the revenue roughly 50/50 with local ISPs for data transfered. Some undisclosed portion of FINTEL's share then goes to SCCN.
   
2. The SCCN is nowhere near its capacity - only money/pricing and the infrastructure between FINTEL and your door is preventing users in Fiji from having faster access to the Internet.
   
3. In the new deregulated environment, FINTEL will remain the sole agent for access to the SCCN. This means that FINTEL maintains a practical monopoly on wholesale Internet access until a competitive sea-floor cable is run to Fiji or satellite connections become more reliable and affordable.

What does this mean for Fiji's residential Internet users? It means that competition will only benefit residential consumers through any economic efficiencies that can be made and reliability that can be gained through infrastructure between FINTEL and your doorstep. In other words, there will be no changes in the near future on the wholesale side.

Retail
The following table lays out the current options for residential Internet consumers.

Residential ISP pricing as of May 9, 2008
based on ISP websites supplemented by phone calls to sales reps.

ISP	Advertised speed	Price (rounded off)	Usage cap	Setup costs (rounded off)	Notes
Connect	256/128 down/up kbps	$40	3 Gb/mo.	$100	need a land line
	512/256 down/up kbps	$90	3 Gb/mo.	$100	need a land line
Kidanet	128 kbps	$50	4 Gb/mo.	$300	install visit required
	256 kbps	$100	5 Gb/mo.	$400	install visit required
Unwired	256/128 down/up kbps	$50	none	$100 24 mo. $200 no contract	burglar bars may cause interference
	512/256 down/up kbps	$100	none	$100 24 mo. $200 no contract	burglar bars may cause interference

There are a number of points of interest on this table:

• Internet companies lacking commitment to their own website: Kidanet's website is woefully out of date. They are certainly turning potential customers away due to the high startup pricing quoted on their website ($599 for the modem and $99 installation). If you call or go in person, they will quote you the lower pricing that I have provided in the table above and tell you that there is now a data cap. Connect and Unwired both have some minor inconsistencies on their sites as well.
  
  
  
  Kidanet's broadband pricing on their website as of May 9, 2008 - no cap and a very expensive modem
  
  
• All you can eat?: Kidanet's nationwide launch was based on no monthly download limits. Now, only a few months later, they have quietly clamped on limits starting at 4 Gb per month. In response to Kidanet's launch last year, Unwired dropped the monthly download cap that had been in place since at least mid 2006 (when I signed up). Now Unwired's website claims that they have always had no cap. Other than Connect's special After Dark plan, which allows access only on evenings and weekends, Unwired is the only ISP currently offering no download limits. Can they keep it up? The reluctance of ISPs to offer residential customers no limit Internet access is an indication of significant pricing pressure on data volume procured through FINTEL.
  
  
  Unwired's dubious claim of "always have been" from their website on May 9, 2008
  
  
  
• Student plans: All three ISPs offer reduced rates for student users. If you are a student, consider signing up for a rate reduction of up to 20%.
  
• Lock in: Both Connect and Unwired have service packages requiring no long term commitment other than the purchase of necessary hardware - although packages with special pricing do require contracts with a term of one year or longer. In contrast, Kidanet requires all users make a two year commitment (the website says three) and the penalty for early cancellation is a painful six months of fees. Increasing customers' switching costs is not an uncommon practice for many service vendors, but it is not a method for forging strong customer relationships.
  
• Misleading advertising: All three ISPs advertise attractive data communication speeds, but my informal survey of residential customers of all three vendors reveals that no one sees the advertised speeds for any significant period of time, and others claim that they do not see the advertised speeds at all. In fact all customers that I spoke to claim to have experienced significant episodes of down time. None of the ISPs offer a meaningful service level agreement to residential customers and terms of service small print always reveals that the advertised speeds are nothing more than maximums. It would be invaluable to have a third party carry out customer satisfaction and actual throughput surveys across all major vendors. Based on my informal research, I assume that Kidanet does not offer less for $50 per month as it might appear on paper; rather they are merely more honest than the competition in advertising their residential transfer rates.

Conclusion
I am not confident that deregulation will substantially improve the lot of Internet consumers in Fiji in terms of data transfer rate or cost per packet. Without competition at the upstream or wholesale stage, the opportunity to drive consumer pricing down is severely limited. And, at least for the short term, competition in Fiji is a facade. The ATH Group owns controlling stakes - directly or indirectly - in all of FINTEL, Connect, Kidanet, and Vodafone Fiji. Unwired is the only meaningful competition to the ATH juggernaut. However, increased competitiveness in the future, should it come, is likely to drive an increase in quality of service to residential consumers as vendors will seek non-price related means of differentiation. I look forward to a day when Fijian ISPs' primary method of maintaining customers is through creating an outstanding customer experience rather than relying on switching costs.



Photo by: publicenergy
Diagram by: activeside

Human rights report critiques blog censorship

There has been much said this week about the recent American report on human rights in Fiji. From the perspective of a Fiji blogger, it is interesting to see that blogs are explicitly mentioned several times in the report. Here are the relevant sections:

Internet Freedom
There were no government restrictions on general public access to the Internet. However, the military attempted to censor or shut down a number of antigovernment blogs that appeared after the coup, and the Public Service Commission warned civil servants against accessing or taking part in antigovernment Web sites. The military extensively monitored Internet chat rooms on these Web sites. In May the RFMF announced that it was following three individuals alleged to be involved with antigovernment blogs. Also in May, a businessman accused by the military of involvement with such a blog was detained by RFMF personnel at an army camp, where he was verbally and physically abused. Several other individuals suspected of maintaining blogs or posting on blogs were threatened or intimidated. Two senior civil servants accused of contributing to a blog were suspended from duty and subjected to disciplinary action. At least two persons were arrested for allegedly authoring or forwarding e-mail messages critical of the interim government.The Internet was widely available and used in and around urban centers, and the majority of the population lived in areas with
Internet coverage. However, low-income persons generally could not afford individual service, and other public access was very limited. Access outside urban areas was minimal or nonexistent.

Academic Freedom and Cultural Events
Academic freedom was generally respected; however, government work‑permit stipulations prohibit foreigners from participating in domestic politics. University of the South Pacific contract regulations effectively restrict most university employees from running for or holding public office or holding an official position with any political party. RFMF agents reportedly infiltrated the university campus to monitor any political activity. The RFMF also threatened to terminate scholarships from the Fijian Affairs Board, a government-funded statutory body, for university students who contributed to antigovernment blogs.
[Fiji. Country reports on human rights practices. US Department of State. March 11, 2007]

Most of this seems to refer to well known events from the first half of 2007. Readers, what do you think?

• Is this report acurate?
• Is it still unsafe to blog in Fiji?
• Does the US really have the right to criticize the human rights practices of other countries?
• Would anyone from the interim government like to comment on this section of the report?
  

Photo by: riacale

Blogged with Flock

Franck Martin and myself interviewed on email security

Fijilive has run a story on email security based on interviews with Franck Martin of PICISOC and myself. Here is an excerpt.

While email is an extremely useful technology, it is not very secure, warns Chris Hammond-Thrasher, the author of the Digital Fiji Blog, dfiji.blogspot.com . And he suggested that the best advice to follow is "to always assume that all of your emails are being read by others".
[Emails are not so secure: experts, Fijilive, March 9, 2008]

That's right, email is not secure - it never has been. You do not need to dream up elaborate hacking plots to explain Hunter's emails getting out into the wild.

Why would they [hackers] take weeks to plan a sophisticated attack if they can just trick you into giving them your password or key, or if they can take advantage of a well known software flaw on a server that has not been updated for a couple of months? ... He cites the dangers of the common practice of "writing your password on a sticky note on your PC, leaving your PC unattended while you are logged into email and other services, and allowing others to watch over your shoulder while you type in your password".

The mystery of how Hunter's email was stolen is the biggest non-story in Fiji ICT news.

Photo by: juiceboxgasoline

Blogged with Flock

ICT, information warfare, and the RFMF

Note to RFMF readers: I would be very interested in hearing your comments on this post.

The Royal Fiji Military Force (RFMF) recently posted a document entitled Commander's Intent 2008 on the their website. This statement of intent forms sort of a strategic plan for the RFMF for 2008 and beyond. It is broken up into three main sections:

• One section dealing with "Good Governance in the RFMF", including issues such as policy and legal compliance, formal planning, and budgetary restraint;
  
• One section that is a kind of environmental scan of the current internal and external situation in Fiji, including social and economic pressures, race relations, regional security, and a survey of the RFMF's "competition" within Fiji, "there had been a move to replace the RFMF with a reinvigorated and robust police force," and in the region including Commonwealth forces recruiting soldiers away from the RFMF; and
• A large section outlining the Commander's strategic ideas for the coming year.

I was curious to see what this document would say, if anything, about ICT in general and information warfare in particular. In the environmental scan section the document makes the following optimistic statement about Fiji's ICT potential, "Technologically, Fiji can be the Singapore of the region." Only to burst that bubble in the very next sentence, "Unfortunately we continue to lag behind badly and this has affected our ability to grow like Singapore." No additional information is provided about who we are lagging behind, what is the cause of the lag, nor how said lag can be overcome.

ICT is referred to explicitly three additional times in the list of actions that the RFMF is considering in 2008.

• "Improve logistic support system,"
• "Develop a modern reliable and secure communications system," and
• "Develop a computerization and IT system for the RFMF."

While these seem valuable strategic activities, it should be understood that these three are nearly lost in a lengthy list of 50 actions that are under consideration for the 2008 budget. Clearly, ICT is not high on the military priority list. Let's examine each of these in turn.

LSS
While I do know a thing or two about electronic procurement, I am the first to admit that I know nothing about logistics support systems (LSS); and I am not familiar with what the RFMF currently has deployed. Certainly they will need to equip their logistics personnel with computers, wireless equipment, and assorted electronic inventory management apparatus - not to mention training - in order to take full advantage of a modern LSS.

Secure Communications
My informal survey of civilians who have had email contact with RFMF officers revealed two facts. First, RFMF officers use free email accounts from US vendors (i.e. Hotmail, Yahoo, etc.), at least to communicate with civvies. Using these American services makes spying on RFMF communication quite simple for US intelligence services, not to mention the risk due to the notorious insecurity of these services. Still, these are not a problems as long as these free accounts are limited to use for unclassified communications only. There is a mail exchanger (MX) registered for RFMF email addresses pointing to a server operated by Connect. Could this be the military's current/future secure mail server?

Second, my survey revealed that RFMF officers do not have Internet access in RFMF facilities and that officers must leave their bases in order to access the net. However, this cannot be entirely true. For one thing, there is a webmaster's Unwired email address posted at the bottom of the RFMF home page. This indicates that there is at least one wireless modem in RFMF facilities around the country. For another, according to an issue of the RFMF newsletter, there is an Internet Cafe located at QEB.

Our soldiers are so fortunate to be given this opportunity especially the Other Ranks and they will no longer go to town because we now have our own, and I would urge them to make good use of it," said the Commander Land Forces.
[Internet cafe to boost troops' interoperability, Mataivalu News, Feb. 2007, p13]

The newsletter states that soldiers can purchase Internet access cards in $5, $10, and $15 denominations.

Of course, there is a lot more to digital military communications than email, but one must walk before one can run.

IT
In terms of establishing a state of the art military ICT infrastructure, the RFMF clearly has some challenges to overcome and room to grow. It will be difficult to establish such an infrastructure when the organization seems much more focused on the purely physical side of soldering. While the Commander's intent does mention the "changing nature of warfare", a phrase that evokes the increasing importance of information warfare and asymmetric conflict, the bulk of the 50 potential action items listed in this document involve enhancing the RFMF's physical operational capabilities. Of course, military forces often conceal their information warfare capabilities in terms of signals intelligence, cryptology, and system and network attack and defense - could there be more beneath the surface?

Absent?
In terms of ICT, what is missing from the Commanders statement of intent? There is no mention of plans to develop the RFMF's capacity to wage offensive or defensive information warfare. There is no mention of how the RFMF plans to compensate for the high-tech support and training that they used to receive from the Australian and New Zealand forces. There is no mention of plans to use private contractors to shore up RFMF's high-tech expertise, such as the Indian hackers rumored to have been employed last year or the consultations with FINTEL experts over anti-government bloggers. There is no mention of investing in media and public affairs training for officers.

As I have written about before, Fiji's current crisis is not a traditional military conflict, but rather a battle for the supremacy of ideas - the new ideas of the interim regime vs. the old ideas of the Qarase government. Fiji's current crisis is a 4th generation warfare (4GWF) conflict, where the focus is not on physically outmaneuvering one's opponent, but rather on winning the battle for public opinion. To quote Kim Taipale,

4GWF is political war -- superior political will, when properly employed, can defeat greater economic and military power... In 4GWF conflicts, nonmilitary instruments of power (information) trump military solutions (warfare, technology, and firepower). Information constrains the exercise of kinetic power but kinetic power cannot constrain information power.
[Seeking Symmetry in Fourth Generation Warfare: Information Operations in the War of Ideas. March 2006]

The possibility that political will could overcome the RFMF's monopoly on military power in Fiji should be a concern. Yet most of the activities under consideration, other than winning "the hearts and minds of the local population through professionalism," are purely 3GWF considerations - that is focused on informed, flexible, and rapid physical deployment of military force.

To be successful with its cleanup campaign, the RFMF needs to win a conflict where the battlespace is bounded by communications technologies (including Fiji's ineffable but very effective coconut wireless) and the content of the stories that these technologies communicate. To be successful, it is in this battlespace, the informationspace, that the RFMF needs to increase its operational capacity. [Note: This morning's Fiji Times reports that the interim government is reviving the National Security Council and the Fiji Intelligence Services. Does this signal a change in focus or are these purely civilian initiatives?]

By way of conclusion I offer two quotations - one from a Russian Major-General and one from the most wanted man in the world - both of whom understand 4GWF better than anyone in the Pacific.

We are approaching a stage of development when no one is a soldier anymore but everyone is a participant in combat action. The task now is not to inflict losses in men and material but to thwart an enemy's plans, demoralize it, undermine its worldview, and destroy its intrinsic values."
[Maj. Gen. G.A. Berezkin, Deputy Head of the Russian Federation Defense Ministry Center of Military-Technical Information Studies, in Lessons from the war in Iraq, Military Thought (May 1, 2003). Quoted in Taipale.]

It is obvious that the media war in this century is one of the strongest methods; in fact, its ratio may reach 90% of the total preparation for the battles.
[Osama bin Laden, 2002. Quoted in Taipale.

Photos by: soldiersmediacenter

On top of everything else, lan problems!

2007 and now 2008 have not been easy years for the small Pacific nation of Fiji. Between a coup and ensuing political turmoil, an economic down turn driven by a drop in tourism visits, a couple of cyclones, occasional flooding, corrupt officials, home invasions, drownings, road deaths, typhoid, and water and power cuts; things have been challenging. And now, I sit down in front of my computer, open up the Fiji Times web site to read that, on top of everything else, we now have "lan problems"!

[Fiji Times, February 25, 2008]

One can only hope that the "meaningful dialogue" succeeds so that we can all get back to WoW and SL in order to escape reality.

Blogged with Flock

Are Fiji's ISPs delivering what they promise?

Complaining about your ISP is one of the most popular topics in ICT circles in Fiji. So I wanted to put the question publicly, does your ISP deliver what they promise?

• How often do you achieve the maximum throughput that you pay for?
• How often are one or more of your ISP's services offline?
• What is your experience calling customer support?
  
• Have you used more than one ISP? If so, was one better than the other and how?
• If you work for one of the ISPs, would you like to address you customers? I will publish your statement.

Leave a comment --> here <-- and let your voice be heard!

Note: Digital Fiji is not responsible for the opinions of its readers.

Photo by: Matt Watts

USA and Fiji are "nations of lawbreakers"

Let's be honest, it is difficult to spend $5 to rent a DVD for a day when you can own it for $1. Every year, hundreds of thousands of Fijians chose the $1 option. A FAVIA press release (with no supporting evidence whatsoever) claims that, "Fiji's piracy rate is about 98%." These numbers were rolling around in my head as I read a recent article by Nate Anderson on ars technica about a country that has chosen a very different path from Fiji when it comes to copyright.

Tehranian's paper points out just how pervasive copyright has become in our lives. Simply checking one's e-mail and including the full text in response could be a violation of copyright. So could a tattoo on Tehranian's shoulder of Captain Caveman—and potential damages escalate when Tehranian takes off his shirt at the university pool and engages in public performance of an unauthorized copyrighted work.

Singing "Happy Birthday" [and Happy Long-Life -cht] at a restaurant (unauthorized public performance) and capturing the event on a video camera (unauthorized reproduction) could increase his liability, and that's to say nothing of the copyrighted artwork hanging on the wall behind the dinner table (also captured without authorization by the camera). Tehranian calculates his yearly liability at $4.5 billion...

What better way could there be to create a nation of constant lawbreakers than to instill in that nation a contempt for its own laws? And what better way to instill contempt than to hand out rights so broad that most Americans simply find them absurd?
[Overly-broad copyright law has made USA a "nation of infringers", ars technica, Novemebr 19, 2007]

The USA has created a nation of constant lawbreakers by handing out absurd rights to copyright holders combined with millions of dollars of public money spent on enforcement. Fiji has created a nation of lawbreakers through a complete failure to enforce almost any rights of copyright holders.

Having unenforced laws in place for the sake of meeting Fiji's WIPO commitments (is there another reason?) may be doing more harm than good. In a nation who's elite has consistently had difficulty with the rule of law for the past twenty years, breach of copyright has become every man and woman's opportunity to join in the tradition of trampling on one of the nation's fundamental institutions. Is this really what we want for our beloved Fiji? Is this really what we want to teach our children?

My advice to the country: Either repeal the 1999 Copyright Act or figure out a way to enforce it.

Photo by: Dr John2005

Blogged with Flock

Wow! The Quick Links are great!

While I have not had time to write a great deal in recent weeks, I have tried to keep you on top of interesting ICT stories from Fiji and around the world with the dfiji Quick Links which you can see on the right hand side of this blog or via the RSS feed.

A few interesting recent Quick Links include:

• The Oceanic blog comments on gross financial mismanagement at USP in response to a lengthy article in Islands Business magazine. It is unfortunate that the hard working students and staff at USP are already experiencing the aftermath of recent disastrous financial decisions.
• The O'Reilly Radar blog draws a comparison between libraries and the Oink music site that was recently taken offline by law enforcement.
• The Fiji Times reports that new telecom licenses will be granted in Fiji some time on November. Creating genuine competition - not just competition between companies in the ATH family - would be a real boon for Fijian consumers.

How do I manage these great Quick Links? I use the free del.icio.us bookmark management and sharing site.

Photo by: splorp

Security and Pacific technology policy

The following is derived from my workshop on Information Security at PacINET 2007. My slides are available on SlideShare.

Historically speaking, information security is not new. There is evidence of people protecting and, of course, attacking information, information systems, and the flow of information in all cultures as far back as there is a written record. If we take early missionary accounts in Fiji, for example, we find that access to spiritual information was a closely protected monopoly of a priestly class. The confidentiality, integrity, and availability of information from the world beyond – which included extremely valuable information about the weather, the future, the correct course of action, the afterlife, and many other things – was strictly limited to established priests who held a close relationship with the local chief.

However, even pre-European-contact Fiji had its hackers. Living at the fringes of Vitian society were (and still are in remote areas) medicine men and witches who could also tap into spiritual information. Their status as relative social outsiders made them either an enemy or a counter-balance to the priestly information monopoly. Some witches and medicine men could even hack (I mean, influence) the spiritual world and alter the confidentiality, integrity, or availability of information available to priests by counteracting the priestly influence on the divine or by uttering counter-prophecies.

In European culture, information security has a solidly military origin dating back, at least, to Julius Caesar's encrypted military communications. What is commonly termed information security today is really the defensive aspect of information warfare – that is, the part of information warfare that is concerned with protecting information assets.

Of course, with the rise of the personal computer and the Internet in more recent history, information security has become much more than a military concern. With the growth of the so-called information economy has come an equal and predicable growth of information crime, leading to some staggering statistics including a 2005 estimate that the cost of computer crime in the USA exceeded the size of the combined economies of all the nations in the South Pacific.

I have been quoted in the past as saying that despite all of the fascinating mathematics and technology that underly modern infosec, information security is fundamentally about people. Certainly no one likes to have money stolen from them, but increasingly information security is about our privacy, our public personae, our collective identities, and even our fundamental rights. Fiji's anti-government bloggers are only able to voice their opinions due to the security mechanisms provided by their blog hosts which assure their anonymity. Whatever you think of their opinions, they are one of the few voices of opposition to Fiji's interim regime and are undoubtedly playing a role in shaping the future of Fiji and the region. Only time will tell how large or small that role is.

Still, anonymous political activists everywhere should carefully follow the recent behavior of America's Internet giants, as they are not always on your side. The most striking example is the case of the activist Shi Tao who was essentially handed over to Chinese authorities by US-based Yahoo. Yahoo, and many other international firms, have agreed to cooperate with Chinese authorities – even at the expense of their individual customers – in order to gain access to the immense Chinese market.

Information security even has a role in protecting the function of entire nations. Take the case of Estonia, a small former Soviet republic on the coast of the Baltic Sea with a population of around 1.3 million people. In May this year, Estonia moved a certain Russian war memorial to a location more desirable to Estonians, which enraged many Russian nationals living both in and out of Estonia. Soon, blogs were posting instructions on how to wage a denial of service attack against Estonian institutions, and a little while later, this attack was in full swing. Numerous government and financial sector systems across the tiny maritime nation were brought to a stand still and international experts had to be flown in to curb what some described as an Internet riot. Should this story concern other, perhaps more tropical, small maritime nations who are rushing to get their citizens and institutions online? The answer is absolutely “yes”.

Still, one of the largest challenges facing information security today is the heady combination of social engineering and user ignorance. Many computer criminals have discovered that hacking just does not pay off as well as simply fooling people into giving up either their money (to help move funds out of Nigeria to help a poor window, for example) or enough information to get to their money. Wide spread user naiveté is widespread in the South Pacific. I have never received so many chain emails from friends and acquaintances since I came to Fiji – and I was part of the first wave of naive Internet users in Canada!

Technology policy makers in the South Pacific should indeed be worried by all of this. By joining the global information economy, the region is embarking on an enterprise that is as fraught with danger and as ripe with rewards as the great Pacific migrations of days past. Fortunately, it is not necessary to sail the seas blind – technology policy navigators need only look across the ocean to the experiences of other more wired nations to see what problems to expect and which solutions will be effective.

Photo by: bhikku

Internet 101 for media professionals

PRESS RELEASE/INVITATION TO ALL EDITORS

Editors may be interested in sending their reporters to attend a two-hour workshop/crash course to learn about Internet and Internet-related issues.

Why?

Internet has no doubt become the way of communication in modern day civilisation. According to one source of global statistics, ( www.internetworldstats.com ), Internet usage in Oceania (including Australia) exploded by 142% between
2000 to March 2007.

In Fiji, growth in Internet usage between 2000-March 2007 was 833.3%. This means more and more people – your readers and audience - are going "on-line". It also means they are going to get exposed to Internet-related issues.

ARE YOU PREPARED TO REPORT ON CYBER CRIMES WHEN THEY HAPPEN?
OR TELL YOU READERS ABOUT VoIP, IPV6, INTERNET BANKING, ETC, ETC?

The Pacific Islands Chapter of the Internet Society (PICISOC) invites you to ATTEND "INTERNET 101 FOR MEDIA PROFESSIONALS", A TWO HOUR WORKSHOP, FREE OF CHARGE, for media people interested in covering Internet-related issues. Learn what is the Internet anyway and why it is changing the way we think and do business.

This Workshop will be on Wednesday 1st August 2007 at the Forum Secretariat Committee Room A, Suva, Fiji, from 10am to 12pm.

This workshop has the support of the Forum Secretariat and SOPAC.

RSVP: Mue Bentley, MueB(at)forumsec(dot)org(dot)fj, tel: 3312600, Franck Martin franck(at)sopac(dot)org

Photo by: [hdy]**

Fiji Rugby Blog hits Wordpress list

For the second time this month (see here for the first), a Fiji blog has hit one of the top 100 lists of the blogging giant Wordpress. On July 14, 2007, the Fiji Rugby Blog, brainchild of columnist Rusiate Mataika, appeared in the 35th position in the Growing Blogs list.

They are wedged between a Swedish blog and a blog advocating the abolition of wealth. The Fiji Times had this to say:

This is a remarkable achievement spurred by the creative juices of local sports writer Rusiate Mataika and internationally renowned but locally based web design firm Webmedia Fiji.
[Fiji rugby blog gains momentum, Fiji Times, July 20, 2007]

Keep up the great work, Rusi!

Let me also give a little praise here to one of Fiji's "oldest" and most prolific bloggers. Gilbert Veisamasama, Jr has been running two very active blogs since January of 2006:

• Promoting Suva
• Invest in Fiji

These two blogs are invaluable sources of information that is difficult to find elsewhere. Check them out!

Photo by: huygens

What was on the laptop?

Nobody likes to loose something that costs two or three thousand dollars, which is the typical cost of a laptop these days. However, when a laptop goes missing from an important government office, the replacement cost should be the least of anyone's worries. Technology can be replaced but the damage done by stolen information can be irrevocable.

Sometime during the afternoon or evening of Friday, July 6, 2007, a laptop, a mobile phone, and other items, possibly including a USB cable, went missing from the Office of the Prime Minister in the Government building in Suva. This fact has been widely reported on by all major media outlets in Fiji. Commentary from government officials, police, and journalists seem to focus on outrage that the PM's office was violated and the new security measures being put in place to ensure that this incident is not repeated in the future. This reaction can be summed up by comments from former Prime Minister Rabuka carried by the Fiji Times.

The theft from the Prime Minister's Office was tantamount to sacrilege and a serious crime against the State, said former Prime Minister Sitiveni Rabuka yesterday. He said such a breach of security never happened during his tenure and it pointed to the need to upgrade security.
[Security concern in the PM's office, Fiji Times, 11/7/2007]

However, the question that no one is asking is, what was on the laptop? What information from the highest office in the country is now "in the wild"? What government information may be lost forever if the laptop was not recently backed up?

Shortly after I arrived in Fiji approximately one year ago, the theft of a government laptop from an employee's home was reported in my home town of Edmonton, Alberta, Canada. It turns out that this laptop contained mental health information for over a thousand patients in the Province of Alberta. Neither the laptop nor the data were recovered.

What motivated a government investigation resulting in a twelve page public report into this incident was not the question of whether the employee or her employer failed to adequately protect public physical assets, i.e. the laptop. The government inquiry was focused on whether the employee or her employer failed to adequately protect confidential patient data. The investigation found that the employer, a regional health management organization, had failed in its responsibilities - chiefly through having inadequate policies in place - and was required to inform all 1000+ patients that their files had been compromised.

The investigation report went on to make the following general recommendations to all government departments in the province of Alberta who use mobile computing equipment such as laptops.

• Perform a Privacy Impact Assessment (which should include an assessment of security risks) before implementing mobile computing.
• Do not store personal or health information on mobile computing devices unless you need to – consider technologies that allow secure, remote access to your network and data instead.
• If you must store personal or health information on a mobile device, use encryption to protect the data – password protection alone is not sufficient.
• Keep the amount of personal or health information stored on mobile computing devices to a minimum, based on your business needs.
• Periodically check your policies against practice to ensure they reflect reality and remain effective.
• Provide specific training on mobile computing to staff to ensure they understand the risks and understand how to protect their equipment.

[Information and Privacy Commissioner of Alberta, Report of an Investigation Concerning a Stolen Laptop Computer, December 5, 2006 - pdf file]

These recommendations are valuable to all organizations with sensitive information stored on laptops and other mobile devices, both in the public and private sectors. Organizations in Fiji would do well to consider adding similar provisions to their information security policies. You do have an information security policy, right?

Photo by: Filipe Morin

Infamous Fiji blog hits Wordpress top 100 list

Most of the world's bloggers are typing away in relative obscurity having very few readers beyond a few family and friends. Most of Fiji's bloggers are no different drawing only single digit readerships daily. I have been grinding away at Digital Fiji for roughly a year now and I can only boast of a daily readership of around 40 unique readers daily with occasional spikes to over 100 whenever I write something reasonably interesting.

It will not surprise anyone that Fiji's anonymous political blogs, which exploded onto Fiji's blogosphere shortly after the 2006 coup, draw much more of an audience than Digital Fiji. However, who would of thought that one of Fiji's most controversial anti-military blogs would rate among the "top blogs" of the world? Why Fiji Is Crying, which I recently blogged about, has done just that.


This screen shot is taken from the Wordpress Top Blogs page today. You can see Why Fiji Is Crying sandwiched between YOU BEEN BLINDED and Tennis Planet. What does this mean? It is hard to say. Wordpress's page says that they top blogs are "ranked here according to a special formula". The formula is not revealed.

This certainly demonstrates that Fiji's anonymous political blogs, with all of the questions that they raise, are extremely popular - in fact, Why Fiji Is Crying is likely the most popular blog in Fiji.

P.S.: If you are interested in trying to draw more readers to your own blog, check out Matt Huggins' 55 Essential Articles Every Serious Blogger Should Read. Keep blogging!

Fiji VoIP policy workshop - July 12, 2007

This is an important announcement (see the full text below). The advent of VoIP in Fiji is a major event in the history of ICT in Fiji. What is VoIP? It stands for "voice over Internet protocol" which is a collection of technical standards for allowing voice communications, such as telephone calls, to take place across the Internet. Typically, once all the problems have been worked through, this results is a dramatic reduction in the cost of telephone calls - especially long distance calls - to consumers.

How VoIP works
(Wikipedia)

Back in Canada, I was able to sign up with a VoIP provider and make as many local or long distance phone calls anywhere within North America for CDN$40 per month. The expensive reality of transoceanic data communications will likely ensure that Fiji does not see costs this low any time in the near future. In the mean time, if you have Internet access and a microphone for your computer, you can already use VoIP through services like Skype and Gizmo. (The technologically adventurous will want to check out asterisk.)

--INVITATION--

IMPLEMENTATION OF GOVERNMENT VoIP POLICY WORKSHOP

Thursday 12 July 2007 (Southern Cross Hotel)
Time: 9.00am 4.00pm

Background

The changes brought about by the rise in IP-enabled communications are by nature revolutionary. Developments in such services have reduced communication cost and spur innovation and individualization. Through this means communications services are delivered as demanded by each end user via an attractively priced suite of services and not necessarily limited within the confined of the legacy network. Generally IP-enabled services and VoIP will generate increased demand for more broadband connections, fostering development and growth in this area.

Governments awareness about developments in Internet Protocol (IP_ enabled applications and services, in particular those concerning Voice Over Internet Protocol (VOIP) and its impact on our social and economic fabrics has necessitated its initiative in developing its policy directions in respect of the provision of VoIP service in Fiji. These directions are enunciated in the VoIP policy of Government.

Cabinet agreed to the substance of the VoIP Policy at its 12th Meeting on Tuesday 16 June 2007.

The VoIP Policy is premised on ensuring Governments facilitative and supportive role towards the provision of VoIP service and the establishment of related necessary licensing and regulatory parameters to promote on orderly transition into this dimension.

Workshop Objective

In connection with the approved VoIP Policy, the Ministry of Commerce, Industry, Investment and Communications is organizing a one-day workshop on Thursday 12 July 2007 that is intended to enlighten interested stakeholders on the following-

• Voice over Internet Protocol (VoIP)

• VoIP Policy of Government

• Provision of VoIP Service

• Licensing

• Numbering

• Regulatory aspects

• Implementation of the VoIP Policy

Workshop Material

All presentation documents and a summary of the discussions at the workshop will be posted in the Department of Communications website within the Fiji government On-Line Portal that is accessible via the following link www.fiji.gov.fj/publish/page_3514.shtml

Attendees

All interested stakeholders are welcome to attend the one-day workshop.

Department of Communications
Ministry of Commerce, Industry, Investment & Communications
P.O. Box 2264, Government Buildings, Suva
Telephone: 330 0766
Facsimile: 331 5167

Photo by: o2ma

Blogs, the laws of the USA, and why Fiji is really crying

The New Zealand press

In my June 19, 2007 post, I quietly mentioned the unreported story of an alarming change in the rhetoric of Fiji's anti-military blogs from defamatory to violent. As of today, the New Zealand press is starting to pick up on this. Michael Field, who was recently ejected from Fiji, penned a story appearing on Stuff this morning. Here is an excerpt:

A Fiji internet blog has called for attacks on tourists and has provided recipes for making Molotov cocktails and bombs. Fiji's military, which staged a coup in December, has been trying to close down blogs but one of the oldest, Why Fiji's Crying (WFC), has survived and in its latest set of postings calls for guerrilla war.Following the expulsion of New Zealand High Commissioner Michael Green last week, WFC has published an appeal to Fijians to destabilise the country by striking at weak points...
[Blog calls for attacks on tourists in Fiji, Stuff, June 22, 2007]

In a similar piece, the tvnz.co.nz site references the same post from WFC.

A Fijian blog is calling for attacks on tourists to the island nation. The author says driving tourists away would cut revenue flowing to the Bainimarama regime. The website suggests targets like tour buses and resorts. The blogger says Fiji is already economically unstable and wiping out the country's main industry will be the final nail in the regime's coffin.
[Fiji blog calls for tourist attacks, tvnz.co.fj, June 22, 2007]

Why is Fiji crying?

So that you are free to draw your own conclusions, here is an excerpt from the WFC post that has prompted most of this discussion.

Strike at your enemies weak points. The most obvious weak point of the regime, its jugular, is its inability to protect its outer networks and the failing economy.

Tourists are still coming to Fiji, think of how you can stop that. What assets can you focus on within the tourist industry that will send the message back to their home countries that Fiji is not a safe destination at the moment ? Tourist tour busses ? Tourist Bure’s ?

If you want to make Molotov cocktails, think about how you will access the fuel and the motor oil without attracting suspicions. Think about a safe location where you can prepare your materials and keep them hidden. Do not keep the materials at the house of any of your members. Keep them at a safe hideout. A hidesite away from any of your homes. You can also keep all your plans and documents at that site. It is a safe point where all your materials are safely stored away so that no one can link you back to the materials. When you need to go on the operation you can then go and pick up from the hidesite and move out.

Try to operate in two teams. One team as your strike team and the other as your "overwatch". That means you can split your force into two teams on operations. One team is to provide route security to ensure that your intended escape route is safe and the other team is to do the attack.
[Fijians - destablise the country, WFC, June 19, 2007]

The very next post qualifies this tactical advice with the statement, "have some faith and patience, and remember that physical resistance is the last option - not the first." For me, this call for patience does little to warm the chill left by images of fire-bombed buses.

Even more disturbing is the juxtaposition of this call to arms with the fanning of the decades-old flame of racial hatred in Fiji in another June 19, 2007 post at WFC.

(Chaudhary) by his 5/12 coup, was really hoping that Fiji will be his, under his control, a place he would like Fijians and the rest of the world to know as “little India”, the Fijian Island paradise lost to the hands of a man who is living out his whole life to “Indianize” Fiji.
[Mahen Chaudhary angered by Frank, WFC, June 19, 2007]

The result of these posts on WFC is a heady mix of uttering threats, inciting violence against innocent civilians, hate crime, and quite frankly, terrorism. Based on the WFC's stated goal of destabilizing the economy by driving tourists away, the authors of these posts may actually have no intention of having anyone carrying out these acts - the threat is sufficient. However, the fact remains that the act of publishing these posts violates several criminal laws in many countries around the world, including the United States.

The laws of the USA

Why are the laws of the USA significant to Fiji bloggers? Why not talk about the laws of New Zealand, Australia, or at least those of Fiji? The answer is simple. Because San Francisco based Wordpress and San Jose based Google (the owner of Blogger and blogspot.com) are American companies. "So?", you ask. Well, when you violate American criminal law on a server on American soil, you may get the attention of American law enforcement.

More to the point for those of you attempting to preserve your online anonymity, WFC has given US law enforcement a powerful motive to cooperate with the Fijian law enforcement. It is also important to note that US law enforcement agencies gain far-reaching evidence gathering powers when a criminal investigation is connected with terrorism. This is due to a piece of legislation known as the Patriot Act, which empowers US federal law enforcement to gain access to all records held by Wordpress, Google, and other American online services for any suspects or their alleged associates. This includes their gmail, yahoo, and msn email accounts and all information connected with those accounts.

Does this all sound a little far fetched?

Google does it in India.

Think twice before you let loose your thoughts on Orkut. The Google-run community site, which has become a global platform for sharing personal information, ideas and sentiments and already has nearly 6.6 million registered Indian users (of a total of 49 million worldwide), has entered into a pact with the Cyber Crime Cell of Mumbai police saying it will not only block those 'forums' and 'communities' that contain 'defamatory or inflammatory content' but also provide the IP addresses from which such content has been generated...

"Now we can do away with the process and not just directly ban content but also obtain details of IP addresses and service providers quickly"
[Orkut's tell-all pact with cops, Economic Times, May, 2007]

Yahoo does it in China.

Yu Ling, the wife of imprisoned Chinese dissident Wang Xiazoning, has sued Yahoo for divulging information about her husband's Internet activity, which allegedly led to his arrest and torture.
[Yahoo sued over jailing of Chinese dissedent, CIO, April 19, 2007]

Why wouldn't it happen with Wordpress and Google in Fiji?


p.s. American contract law: Recent content posted to WFC and a few other anti-military blogs in Fiji may violate of both Wordpress' and blogspot.com's terms of service (Wordpress tos, blogspot tos). Wordpress and Google reserve the right to terminate your blog for very little reason if they see fit to do so.

Photos by: carf, MISz "H"

Reported and unreported ICT news

There have been three significant significant ICT stories reported in the Fiji press in the last week.

The first is the announcement of a 30 machine computer lab opening at Sangam College in Labasa. This lab, which was donated by a former student, Ragge Mudaliar, is certainly now one of the finest in Vanua Levu.

The second story is the continuing slow march towards hearing the fate of public servant and accused anti-military blogger, Filipe Nagera. Mr. Nagera has been accused of using public computing resources on public time to participate in anti-government blogging. The Fiji Times has repeatedly written articles about the Public Service Commission getting closer to coming to a decision here, here, here, and here.

The third story concerns the NLTB nearing a decision on scrapping or keeping their currently unused mySAP installation. The fate of the mySAP enterprise resource planning system at NLTB will be decided at the next board meeting in two weeks. Interim Fijian Affairs minister, Ratu Epeli Galineu was quoted, "The system is too complicated and we don't have experts in Fiji to operate such system."

There is also one unreported story this week. Fiji's anti-military blogs step up the rhetoric in the wake of the removal of the state of emergency. While it is not clear what portion of the populace these anonymous bloggers represent, this week they are increasingly threatening the interim regime with violence - often cloaked in racial overtones. I do not want to repeat such sentiments here, but a quick survey reveals that numerous anonymous bloggers seem to have crossed the legal boundary from libel, slander, and defamation into the realm of inciting violence and uttering personal threats.

Let us hope that all those in Fiji with violence in the hearts choose instead to follow the example of a certain peasant from Nazareth, who I hear is quite popular in Fiji, and seek other methods of effecting change.

photo by: Steve took it

Announcing the Fiji Rugby Blog!

Following onto my previous post about Fiji rugby (or lack thereof) on the web, there is an exciting new Fiji blog on the block; heading into its second week of operation: The Fiji Rugby Blog. One notable feature of this blog is that roughly half of the posts to date are in Fijian.

I found the two thoughtful post-mortems of the Flying Fijians' recent lacklustre performances against the Junior All Blacks and the Wallabies to be great reads. Here is a sample:

Australia’s defence was so tight; the Fiji team has no way of breaking or unlocking them with aimless running; unless Fiji uses their creative juices to study those defences; use some diversion to confuse them and attack them when they are bristling with confidence; until we come up with these, Fiji still has a long way to go.
[Fiji put on better showing, June 10, 2007]

Let's hope that this is the beginning of Fiji's favourite game gaining a foothold online!

Photo by rosswebsdale

Nabua RC: the only rugby club in Fiji with a web presence

A strange fact came to my attention recently. In this rugby-obsessed country, there is only one rugby club with a web presence - the famous Nabua Rugby Club. This site has been up and running for a number of years, yet it has no competition. Great work NRC! But what about the rest of you guys?

What does it mean that Fiji rugby clubs have not jumped onto the web? Is it an issue of funding? Perhaps - NRC has a philanthropist supporting their web site. Is it a matter of audience demographics - are rugby fans in Fiji are not online? That seems doubtful as Fiji rugby attracts a fan-base that seems to cut across all economic and ethnic divisions in the country and Internet usage is increasing daily. Does club management not see the potential of having an online presence? Maybe. Likely, there are a number of factors.

To all Fiji Rugby club managers: Don't let those Nabua boys show you up! Get online
to promote your team and to support and build your loyal fan-base. Imagine if your fans could look up your teams' game schedules on the web - then you would not have to answer so many phone calls! (Note: NRC does not have their schedule online yet, but they are working on it.)

NRC has opted to take advantage of affordable web hosting in the US. However, if your club is really strapped for cash, why not look into the growing number of free web publishing options such as:

• A free web site at Google Pages or Hi5
  
• A free blog at Blogger or Wordpress
• Free email lists and discussion groups at Google Groups or Yahoo Groups

If you need some help or advice leave a comment below or email me at thrashor (AT) gmail (DOT) com and I will try to help out myself or find you an eager student volunteer.

Go Fiji go!

Photo by: ediot

Fijian rep falls to Finnish rep in Iwamoto round two

After making a strategic error in the opening followed by solid play from Reino Kartunen (3 kyu) of Finland, I was forced to throw in the towel. That brings my record to 1 win and 1 loss. Looking forward to round three.

The Iwamoto tournament is an online go/weiqi/baduk tournament involving over 600 amateur go players. All games are played on the KGS go server.

Related posts: Round 1