For the masses who are fond of hard-to-reach technology.

Friday, January 12, 2007

Let's try to revive this

The Sem has finished...

Let's see if this can be continued...

Tuesday, September 26, 2006

Thursday Mornings Will Never Be The Same Again

It is just a matter of time before this country has to face the developments in ICT.

Will those in this picture looking like students be up to the [legal] challenge?

Tracing the Hack 2

(Finally Part 2)

We continue the story of Totoy the hacker (http://itphonehome.blogspot.com/2006/08/tracing-hack.html), who successfully hacked into his school's web server and defaced his school's official webpage for revenge on a school official. He used a commercial DSL account for this purpose.

At the ISP

Bagito found that the IP address used for the hack is assigned to an ISP in Manila. Armed with a search warrant, Bagito went to the ISP in question to look into their records corresponding to the time stamp he got from the server. Fortunately, the ISP was in a very cooperative mood and, more fortunately, the ISP had not yet deleted its logs pertaining to that time frame. Assisted by one of the ISP's topnotch system administrators, they were able to get to the log file and match the IP address with the time stamp from the server. With this information, they were able to get the account details of the owner of the said DSL account. At this stage, Bagito may now have the necessary information to obtain a search warrant to be used in his quest to obtain the computer used in the perpetration of the hack.
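The matching step at the ISP, as an added example that is not part of the original post: a dynamically assigned address changes hands, so the lookup has to find the session that held the IP at the server's time stamp, after converting that time stamp to the time zone of the ISP's records. The record layout, account names, addresses and the UTC+8 server clock are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

MANILA = timezone(timedelta(hours=8))   # assumption: the web server logged local time
UTC = timezone.utc

# Constructed ISP session records: account, assigned IP, session start, stop (UTC).
SESSIONS = """\
dsl-000123 203.0.113.77 2006-08-07T09:02:11 2006-08-07T14:55:40
dsl-000456 203.0.113.77 2006-08-07T15:20:05 2006-08-07T15:52:31
dsl-000789 203.0.113.78 2006-08-07T15:00:00 2006-08-07T17:10:00
dsl-000321 203.0.113.77 2006-08-07T15:53:10 2006-08-07T23:59:00
"""

def load_sessions(text):
    """Parse the constructed records into (account, ip, start, stop) tuples."""
    rows = []
    for line in text.strip().splitlines():
        account, ip, start, stop = line.split()
        rows.append((account, ip,
                     datetime.fromisoformat(start).replace(tzinfo=UTC),
                     datetime.fromisoformat(stop).replace(tzinfo=UTC)))
    return rows

def subscribers_for(sessions, ip, seen_at, skew=timedelta(seconds=60)):
    """Accounts that held `ip` at `seen_at`, allowing for clock skew.

    More than one result means the time stamp falls too close to a
    reassignment to attribute the address to a single account.
    """
    if seen_at.tzinfo is None:
        raise ValueError("time stamp needs an explicit time zone")
    return [account for account, s_ip, start, stop in sessions
            if s_ip == ip and start - skew <= seen_at <= stop + skew]

if __name__ == "__main__":
    rows = load_sessions(SESSIONS)
    # Time stamp taken from the web server, recorded in Manila local time.
    seen = datetime(2006, 8, 7, 23, 41, 12, tzinfo=MANILA)
    print(subscribers_for(rows, "203.0.113.77", seen))
    # Same wall-clock value misread as UTC points at a different subscriber.
    print(subscribers_for(rows, "203.0.113.77", seen.replace(tzinfo=UTC)))
```
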

Summary

This story of Totoy and Bagito is, for all intents and purposes, a very simplified version of an account of a hacker. A true-to-form hacker will not leave such telltale traces of his or her work. Of course, a competent system and network administrator will not leave his system undefended, or at the least will see to it that the system's logging mechanism is adequate for tracing purposes. As can be seen from the story, the success of knowing who the hacker is depends on the initiative of many persons in safeguarding their respective systems. Having a logging mechanism in place and, where there is one, making sure that the data stays intact for a reasonable time are essential to knowing the identity of the hacker. The cooperation of these people is indispensable.

Sunday, September 17, 2006

ICT Governance or Just More Government Incompetence?

It was very interesting that the Commissioner of CICT acknowledged in his lecture the 40% failure rate (it may be higher, since he did not define the parameters of measurement) in getting the government connected. The government should follow the lead of the private sector in using technology to make things more efficient and, in the end, save costs.

It was discussed how different government agencies run on different programs due to the incompetence (or corruption) of public officials, creating the inter-operability problem. Imagine if the computers of different government agencies could talk with each other instead of you having to actually go to the different agencies every time you need to transact with the government. What is worse is that some government agencies buy hardware that they do not need and sometimes cannot even operate. Maybe the CICT should work with the Ombudsman if any government agency will not follow its lead, since the Ombudsman Law has given the “protector of the people” power to act not only regarding illegal activities but also regarding any act of injustice or inefficiency in any public office.

The solution to the government's failure to get wired is not only ICT governance, for ICT governance is merely a euphemism for simple management or decision making in an organization regarding ICT matters. At the end of the day, even if we have a great ICT plan/blueprint for the government and an ICT decision-making structure laid out, corruption, human nature and incompetence will eat away everything even before we start the plan. But this should not deter us from trying to wire the government. The next batch of public officials should have IT knowledge, for surprisingly part of the problem now is that some people do not even know how to operate a computer. (The CICT might want to give mandatory lectures for all government officials.) People are afraid of what they do not know, or they will merely disregard it as unimportant since they do not know its uses/benefits. People are afraid of losing jobs, for the whole bureaucracy is paper-based; there are so many documents needed to get something done. Those in the public service should understand that the government is not here just to be their employer; they should really learn that they are here to serve the people.

The problem with corruption in the Philippines is that there is no honor among thieves. According to an interview with an executive of some foreign company, even after they paid certain fees to some government officials, the result is not even guaranteed. Although I am not espousing corruption, we have to be practical about its existence; I suggest that they think about the government and the people every time that they get their money. At least they should get the hardware that the government needs, even above cost (factoring in corruption), as long as they deliver something to the people. They should at least give the people something that actually works.


National ID System

We have to be careful about the analogy of the UP Student ID system and the National ID System, for the latter has a broader effect on the lives of the citizens. Everything about the citizen may be accessed by a sequence of numbers only. What is at stake is not just our grades but how many house/s and car/s a citizen has, the amount of tax he paid, etc.

Although the idea of a national identification number is great, it is fraught with dangers. It is true that, like any system, only the system administrator/s will have absolute access to the system while others will have limited access, but human experience has taught us that no system is foolproof and that there are a lot of so-called “geniuses” who can illegally gain access to it. This information/data could also be traded illegally. Our law enforcement officials even have problems with credit card fraud and identity theft; how can we expect them to protect the system? It will be a data mining heaven for criminals (in uniform or not).

Maybe the people will be amenable to a simple system involving some government agencies that they usually transact with, such as LTO, NSO (birth cert.) and NBI. But definitely they should not include anything that reveals the financial status of a person, e.g. a tax return, for that would even put the lives of the people in danger. The level of trustworthiness of our government is definitely very low. Maybe they should build on an existing system such as the Comelec ID system, allowing it to be used as an SSS card or a driver’s license (at least people will not have multiple licenses).

Sunday, September 03, 2006

Wisdom of the Optical Media Act of 2003 (RA 9239)

The policy of the law is to protect and promote intellectual property rights. Although the proponents/authors of the law drafted it with the intention of regulating the container (optical media) and not the content, the reality or the resulting effect of the law is giving the IPR owners another layer of protection over their work and imposing an undue burden on the technology, hence impeding its use and development. It was not necessary for Congress to enact the law (OMA), for the Intellectual Property Code (RA 8293) provides enough protection for IPR owners.

The law imposes an undue burden on optical media and magnetic media (Sec. 26) in its bid to give more protection to the content owners. The real purpose of the law is not to regulate the container but the content. We can see this from their definition of manufacturing, mastering, and replication of optical media; manufacturing is the act or business of producing optical media or devices “CONTAINING sounds and/or images, or software code” by mastering or replication. They define manufacturing equipment as any and all equipment, machine, or device, now known or to be known in the future, “intended or designed for the production or manufacture, by mastering and/or replication of optical media”.

The intent or the underlying purpose of the IP Law is to strike a balance between the rights of the IPR owners in reaping economic benefits over their work, in order to spur their creativity for innovation, and the rights of the public over information or access to such work. In enacting this law, Congress tilted the balance in favor of the IPR owners and gave them power beyond their creation (to go after IPR infringers) and over the technology which MAY OR MAY NOT be used for the purpose of IPR violation.

It is admitted that technology such as optical media will make infringement of IPR easier and faster, but this is no reason to regulate all technologies, now or in the future, just because of their potential for evil. The IP Law is sufficient to protect IPR owners and they should use it against those evildoers; they should not knock on Congress's door every time a new technology threatens their IPR. As for Congress, they should not be cowed into enacting these stupid laws (regulating technology) which are for the benefit only of a specific sector of society, IP owners, and not for the general public at large; Congress should not forget the right of the public to access to information and also access to such technology (optical media). It is unfair to treat technology as a bane to society just because of its potential for evil; technology is not like illegal drugs, whose potential for evil overwhelms their benefit for the public. Technology should be welcomed by all. I suggest for the IP owners to review their setup (e.g. pricing, marketing) to fight against piracy; they should not rely on Congress to regulate all the technologies, for changes and developments are constant, and at the rate technological changes are going, they cannot hide forever from the truth that it is really getting easier to infringe on IPR. They should undergo self-assessment and think of strategies to use this technology for their own benefit. Gone are the days of high economic returns for IPR; they must balance their own rights with those of the public. They must realize that they do not have a captive market anymore; that the public would not necessarily side with them just because they lost a lot of money over a wrong done against them. They must adapt to changes and not expect Congress to hold back or control/regulate changes for them.

NOTE: I might write about the constitutionality/unconstitutionality (the law or certain provisions) of the OMA for next week.

Friday, September 01, 2006

X Rating not the end for Erap documentary

In what could be an incentive for this administration to regulate the Internet, the Joseph E. Estrada documentary, after being rated X by the MTRCB, is available for download at the Joseph Estrada website. Of course there is a tremendous amount of material available through the Internet that would normally get an MTRCB X-rating, but this could be a special case. This move by the proponents of the documentary is a clear act of defiance of the MTRCB decision. Of course neither the MTRCB nor any agency of the government, for that matter, can do anything about it. As it is, and particularly in this country, the Internet is still self-regulating. The MTRCB may have won the television battle but the war is definitely far from over. Maybe Sec. Gonzales can come up with something.

Tuesday, August 29, 2006

In defense of Snakes on a Plane

Despite the countless nasty comments hurled against the movie Snakes on a Plane, there is still something nice that can be said about it. It eventually had to end. Kidding aside, people expecting to see a crappy B-rated movie got what they expected: a first-class crappy B-rated movie. Niceties aside, others have said that the movie was outright stupid and dumb, lacking any creativity or, at worst, devoid of any substance and meaning. That said, these people were expecting a whole lot from a movie that is not marketing itself as an art film or a movie that has a storyline that would become a classic that would transcend the ages, crossing the varying preference boundaries and intermingling the film connoisseurs with the ordinary film buffs. They expected a whole lot from a movie that projected itself as a movie with snakes on a plane. Anybody who expected anything more would be fooling himself or herself. The title in itself was a dead giveaway. Creativity was thrown out the window the minute they decided to use that title. Without using any logic or rational thought, from the title alone, one cannot expect to see a thought-provoking movie or a movie with any substance. The movie is just about snakes on a plane. One cannot overemphasize such a fact. It’s just about snakes that were on a plane.

One might be tempted to ask the actor why he starred in such a movie, as one reporter did. The actor only had a simple answer to an otherwise “legitimate” question: he just wanted to be in it. No more, no less. He didn’t need to read the script or even know the general story line. He was just caught by the title alone. Snakes on a plane. Who wouldn’t?

The global media hype created by the people in the blogosphere should not be used as an indicator that a movie will be any good or that it would have a surprise twist in the end. The hype that was created did not involve anyone saying that the movie was going to be good. There was just the hype that, however, fizzled out when the movie came out. In fact, most of the blogs that contributed to the hype were of the idea that the movie would be a flop or, civilities aside, would be a resounding, tremendous flop. The important thing to remember from this experience, though, is the fact that once again the power of the Internet has been proven. The Internet has already been established as a powerful tool for marketing sleeper-movie hits like the Blair Witch Project. It has also established itself as an excellent repository of facts and bull_hit. One only has to have a discerning mind to distinguish between the two. The hype created by the movie should’ve been an excellent exercise in discerning between what is plain hype and the “substance” of the movie itself. To those who expected to see a crappy B-rated movie and saw one, congratulations to you because you have made good use of your head. But for anyone expecting more, take a step back and examine yourselves. Where did you go wrong? The movie should be given congratulatory praises for conveying what it wanted to convey, motherf_cking snakes on a motherf_cking plane. Can’t wait to see the next movie, Elephants on a Train. Wonder about its plot and premise, if you please.

Tuesday, August 08, 2006

Tracing the Hack


Totoy is a computer programming student and enthusiast who had just learned the art of hacking. Armed with his introductory knowledge about hacking, he successfully gained access to one of his school's web servers. Incidentally, he was holding a big grudge against the school's chairman, Atty. Amang. Seizing this chance, he defaced the front page of the school's website and, in a clear and distinct manner, placed a compromising image (graphically manipulated and spliced, of course) of the head of the school. Immediately upon doing this dastardly act of defacement, he promptly closed his home DSL Internet connection and slept for the night.

The next day, the head of the school, and most of the studentry and faculty, were surprised at the new look of their school's website. Chagrined, Atty. Amang promptly caused the server to be disconnected and isolated, then promptly called the NBI Anti-Fraud and Computer Crimes Division. Being a good friend of Atty. Amang, the good Division Chief Elfren Meneses assigned the case to Agent Bagito, his newest recruit, who had just listened to one of his lectures regarding cybercrimes. The green rookie is now faced with the task of "tracing the hack".

Dissecting the Server

(It is assumed that this case is an investigator's dream. The hacker is an eager novice who does not cover his tracks, and the administrator of the server, while he may not be that versed in securing his machine, is diligent with the server log files.)

Among Bagito's initial tasks is to look at the offended server's log files and see the log entries relevant to the incident. Agent Bagito should at least look at the configuration file of the webserver and look for the directory where the web files are located and search for the start or index page for the website. In many cases this would have the name "index.html". Then, he should look at the time stamp when the file was last modified. Next he would look at the events log of the server and look for the entry wherein the said file was accessed and modified corresponding to the time when the file was last modified. The events log should also show the username of the person who last modified the file. From here, Agent Bagito can now search the server's access log and do a crosscheck of the username and the time stamp. Agent Bagito would then find a match and from there would determine the source IP address of the device which was used for the hack.
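The crosscheck described above, as an added example that is not part of the original post: it takes the last-modified time of the index page, finds the user who modified it in the events log, then finds the login session of that user that was open at that moment to get the source IP. The log formats, paths, usernames and addresses are constructed assumptions, not the output of any particular server.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
TARGET = "/var/www/html/index.html"              # assumed web root and index page
INDEX_MTIME = datetime(2006, 8, 7, 23, 41, 12)   # constructed mtime of the defaced file

# Constructed events log: date, time, username, action, path
EVENT_LOG = """\
2006-08-07 21:15:03 webadmin MODIFY /var/www/html/news.html
2006-08-07 23:41:12 ftpuser3 MODIFY /var/www/html/index.html
2006-08-07 23:41:40 ftpuser3 READ /var/www/html/index.html
"""

# Constructed access log: date, time, event, username, source IP
ACCESS_LOG = """\
2006-08-07 21:10:44 LOGIN webadmin 192.0.2.10
2006-08-07 23:29:57 LOGIN ftpuser3 203.0.113.77
2006-08-07 23:44:02 LOGOUT ftpuser3 203.0.113.77
2006-08-08 07:02:19 LOGIN ftpuser3 192.0.2.25
"""

def parse(text, fields):
    """Turn each line into a dict; the first two tokens form the time stamp."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        row = dict(zip(fields, parts[2:]))
        row["ts"] = datetime.strptime(" ".join(parts[:2]), FMT)
        rows.append(row)
    return rows

def who_modified(events, path, mtime, tolerance=timedelta(seconds=2)):
    """Usernames with a MODIFY event on `path` within `tolerance` of its mtime."""
    return sorted({e["user"] for e in events
                   if e["action"] == "MODIFY" and e["path"] == path
                   and abs(e["ts"] - mtime) <= tolerance})

def session_ip(access, user, when):
    """Source IP of the login session of `user` that was open at `when`, or None."""
    open_ip = None
    for a in sorted(access, key=lambda r: r["ts"]):
        if a["user"] != user or a["ts"] > when:
            continue
        open_ip = a["ip"] if a["event"] == "LOGIN" else None
    return open_ip

def trace(event_text, access_text, path, mtime):
    """Map each user who modified `path` at `mtime` to the IP they came from."""
    events = parse(event_text, ["user", "action", "path"])
    access = parse(access_text, ["event", "user", "ip"])
    return {u: session_ip(access, u, mtime) for u in who_modified(events, path, mtime)}

if __name__ == "__main__":
    print(trace(EVENT_LOG, ACCESS_LOG, TARGET, INDEX_MTIME))
```

The same username logs in from a different address the next morning, which is why the lookup is keyed on the time of the modification and not on the username alone.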

Tracing the IP

Loosely speaking, an Internet Protocol (IP) address is the computer's address on the web. When one connects his/her computer to his/her ISP using a dial-up or DSL account which requires the entry of a username and password, it is most likely that the IP address to be used is dynamically assigned by the ISP and normally varies per ISP log-in. (To test this, for Microsoft Windows users, open the command prompt and there type "ipconfig /all" minus the quotes.) It is most likely that Totoy's ISP is using IP version 4 (IPv4). That in itself is not very relevant, but to have a better appreciation of the trace, suffice it to say that with IPv4, there is only a limited number of IP addresses available for the use of the whole world (4,294,967,296 assuming many things ; ) ). Because of this inherent limitation, IP address allocation is strictly regulated by IANA (http://www.iana.org). IANA divided the world into Internet Registries (Regional Registries, National Registries, and Local Registries) which are tasked to allocate IP addresses per ISP. How would this help Agent Bagito?

With the IP address obtained from the logs, Agent Bagito would determine the ISP to which this particular IP address is assigned. He could do this by going to IANA itself or to the Registries, or just use his favorite web browser. He chose the last. Using his favorite web browser, he went to the IANA website and from there he found out that the Internet Registries' websites have a tool for determining to whom an IP address is assigned. He first looked at the Asia-Pacific Registry (http://www.apnic.net and http://www.apnic.net/apnic-bin/whois.pl) and tried the IP address he obtained. Luckily, the information may be viewed by the public and the search revealed the ISP to whom the IP address is assigned. Luckily, the ISP is located in Metro Manila.

(To be continued)