Reacting to MCMC’s action of blocking the website he set up to let users check if their personal information was compromised by a recent data leak, tech blogger Keith Rozario lashes out at the authorities, accusing them of elitism.
- Site designers says the average Joe has the right to know
- Breached data freely available for geeks and hackers
- Criticises Lowyat and its editor
- Data on site masked not manipulated
- Site more secure than elections commission website
In a blog post yesterday, which he said would be his last post on the matter, Rozario penned his comments on the whole debacle.
The right to know
“You might choose to ‘not know’, but that is a right you can choose to exercise. No one should be allowed to withhold that information from you.
“I believe that you have a right to know about it, in a timely manner. Authorities can’t sit on the data for weeks without letting you know on any pretense,” Rozario said.
According to him, the correct authority to tell the public about the leaks is the Malaysian Communications and Multimedia Commission (MCMC).
“But till today they have made no attempt to create such a service, not even communicated a plan to implement one. There is no evidence to suggest they have (or had) any intention to do anything about it,” he said.
He claimed he coded sayakenahack in his spare time within four weeks while holding a fulltime job and “being a father and husband”, and saw no logical reason why the MCMC or the telcos could not do something better in a shorter time-frame.
Rozario opines that the right to know about a breach should exist even if a person whose data has been breached can’t do anything about it.
Only geeks and hackers should see the data, not the average Joe
The blogger said the data is freely available for people with the skills to find it and download.
“To ban sayakenahack is to say geeks and hackers can access the data – but not the average joe. It’s emphasising that normal people don’t deserve that knowledge while geeks and hackers do.
“This is elitism, and it’s wrong,” Rozario said.
He slammed Lowyat.net, which had published the initial report on the data leak, for taking down the article at the request of the MCMC.
“They continue to side with the MCMC, in saying that ‘sheer amount of information made available on the site could subject it to abuse.
They fail to mention that the ‘sheer amount of information’ is already made available, just not to common folks, but to geeks and hackers. Effectively Lowyat is saying that it’s OK for geeks and hackers to have this data, but god-forbid the average joe get a hold of it.”
Manipulating vs masking
He also hit out at Lowyat’s editor, who told The Malaysian Insight that the site was blocked because “it’s not right to manipulate the stolen data”.
“The word ‘manipulate’ is a dishonest choice. I mask the data, not manipulate it. No IT professional would ever make confuse manipulation with masking. Manipulation carries a negative connotation, that implies I’m changing the data in some way. Masking though is the intentional removal of data, to protect its confidentiality,” Rozario said.
He said he went out his way to ensure that enough data was left so that users could still identify their numbers, yet not enough for somebody else to guess.
Trust on the Internet
According to Rozario, the Internet is “built on a whole load of trust” and there is no such thing as an “unhackable” website. He also claimed that even the website of the SPR (election commission) is marked insecure by Google Chrome because it does not even have TLS (transport layer security).
“What that means, is that when you search for your voting information on the website, the data is transferred in clear across the internet for anyone in the middle to see. It also means that your browser is not authenticating the site, and anyone can create a fake SPR website and make it look identical.
“If you’re logged onto the SPR website from a kopitiam WiFi, I can see the data you’re sending (and receiving) just by logging on the same WiFi.
“Fundamentally, when you log onto the SPR website, you’re trusting all the infrastructure between you and SPR, kopitiam Wifi included.
“Do you trust the SPR? How about their vendor? How about the company that supplied them the servers?
“How about the guy managing their database? Or the company that host their datacentre?
“Their SysAdmin? Their Web Admin? All of their guys who wrote their code? Trust all of them?
“Oh, and if you’re logging on to the site from home on Unifi – you’re probably trusting your stock-standard Dlink DIR-615 router, that’s hackable from the open Internet.
“Why doesn’t Lowyat complain about the ‘sheer amount of data’ on the Election Commissions website?”
Rozario said that the only bit of “data capturing” that he does is collecting data about who visits the site and seeing what their load/lag times are to ensure the site is operational and working well – which he claimed is an industry standard.
He added that no query strings are captured, therefore no IC numbers are tracked.
More importantly, the sayakenahack site is TLS protected, he said, and all data between users and servers is encrypted, meaning users don’t have to trust the Internet providers, or WiFi connection.
“So, I go through great lengths protecting the site, and definitely more effort than the SPR,” Rozario said.
“Afraid that next time I land in Malaysia, I end up in handcuffs at the back of a police car.
“But sometimes, you gotta do what’s right, and not just what’s ‘legally permissible’,” Rozario said at the end of his blog post.
He added a post-note to reporters who contacted him that he is cancelling all interviews for now.
Earlier report: Nov 16, http://www.thetruenet.com/debunked/checking-out-sayakenahack-com/Checking Out sayakenahack.com