Why China is a parallel universe


Visiting Shanghai this time felt like stepping into a parallel universe where things were similar but different. In a world where Apple, Twitter, Facebook, WhatsApp, Google and YouTube don’t exist, people connect through Huawei, Weibo, WeChat, Baidu and Youku. Where English is the predominant language of the Internet in the West, in China it is Chinese (obviously). In both cases, there is a proliferation of cute cat videos. It is a world where Kim Kardashian doesn’t seem to exist, whilst Hugh Jackman continues to be as popular there as he is everywhere (yay!).

Disconnection in a connected society

Even though I consider myself a fairly connected and active user of social media, I was almost invisible in China. My current follower base may be humble, but it is big enough for me to feel that I have a voice and am connected. In China, where people were sharing news and photos on their social networks, I was left feeling rather isolated. With one default Weibo follower (Expecting another one soon – I am waiting for a follow back from my cousin) and a handful of friends on WeChat, I am pretty much invisible in the Chinese online community. I also have limited things to share, as the content I consume is blocked in China.

A selfie of a selfie

You know in the past when it was considered polite to walk around someone taking a photo or wait for them to finish? Not possible. If I had to wait for someone to finish taking a selfie, I would never get anywhere! There were people even taking selfies of selfies. The dedication to the selfie has also resulted in the selfie stick, now sold everywhere in Shanghai. These selfie sticks are also like nothing I have ever seen. Multi-tiered and adjustable, these are the full works.


Another favourite memory is also one of a rainy visit to Yu Yuan market. The rain was so bad that whole crowds had gathered under covered roofs to wait for the downpour to stop before crossing over to the next covered roof. That didn’t stop the dedicated selfie takers from walking into the middle of the downpour to pose for their perfect selfie though!

Solar panels, electric cars? Old news

I was walking around the neighbourhood of ZhongShan, a wonderful part of Shanghai characterised by the famous ZhongShan Park, which is filled with the old and the young keeping active with dance and Tai Chi. I walked past three electric cars. One was being charged, another drove past me and the third one was parked. On a separate day, I was walking in People’s Square when I also came across solar panels fitted on the roofs of random convenience shops. The realisation that China is using solar to power an ice-cream fridge, whilst we (in Australia) focus our efforts on trying to sell coal, is just a little bit scary. Candlesticks anybody?


QR Codes everywhere

Want to add a friend, search for a link or get information on anything? All you need is a mobile phone and a QR code. Every advertisement seems to have one, allowing users to reach the URL without having to type it in. QR codes are also used for website log-in, payments, virtual stores (remember those?) and adding friends on WeChat. Whilst QR codes never really seemed to take off in Australia, they have in China – big time.

Is cloud ever secure enough?


The simplest way to define cloud is to describe it as a shared service. Instead of individuals and businesses setting up their own software/platforms or infrastructure to manage their data, they can outsource this to a cloud provider. Cloud is seen as a cost effective and environmentally friendly solution. There are now many providers offering different cloud solutions including SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service). But is cloud secure enough?

This is a big question to tackle and there is no right or wrong answer that can be applied en masse. Instead, deciding on whether adopting cloud will fulfil your business/individual requirements will need to be assessed on a case-by-case basis. To make this assessment, here are some of the key questions that may be considered.

1. How good is my local storage?

How good are you currently at protecting the availability, confidentiality, integrity and authenticity of your data?
If your data is stored on a hard drive on a networked computer then chances are you may not be applying best practice. However, if your data is stored encrypted and backed up on two or more file servers, with good physical/logical access control and logging, then there may not be much to improve on what you already do. These are two extremes and most likely you will be sitting somewhere in between.

2. How much am I willing to invest?
To avoid spending too much on protecting data that is not really critical, or too little where data needs to be secured, you should assess the availability, confidentiality, authentication and integrity requirements of your data against your current local storage protections to see how they stack up. This should help you identify whether you have been investing adequately in protecting your data or whether that investment needs to be adjusted. Then you will be able to determine whether going to a cloud provider will be a cost-effective and secure solution for you.

3. How important is availability?
Despite whatever assurances cloud providers give about providing a highly available solution, end users will still need an active internet connection to access the data, which is not always guaranteed. This also makes it harder and more time-consuming to detect connection problems should they arise. Additionally, there is the added problem of network latency, which can result in further delay/drop-outs when connecting to the cloud provider. This will only get worse over the next few years with ever more connections choking up bandwidth and causing congestion and more drop-outs.

4. How important is confidentiality and trust?
Cloud offers new challenges for data confidentiality, as the data needs to travel over the internet, is stored remotely and is administered by somebody else. Even with cloud providers giving assurances that they apply best practice to secure your data at rest and in transit, there is still the danger that, even given the best intentions, their security controls may not be up to the mark (e.g. Adobe’s security breach leading to stolen logins and IDs). Additionally, transport layer encryption may not always be that secure; I have described the security defects affecting SSL and weak TLS encryption in previous blog posts.
The best way to guarantee confidentiality is to encrypt the data before sending it to the cloud and to keep the keys yourself!

What do you think of these questions and should there be more? Please add to the discussion below.

3 Training grounds to train the white-hacker in you


For those interested in learning about IT security or sharpening their skills, there are free websites that provide great resources and a safe training ground for new security professionals/ethical hackers. Even for veterans in the field, these sites can either help you confirm what you already know or broaden your knowledge. Before you start: having a background in IT is recommended. While you don’t need to be an expert, some knowledge will go a long way towards understanding and completing the exercises.

  1. OWASP (Open Web Application Security Project). This is a security community with a mission to keep users informed and up to date about critical application security flaws currently being exploited. This includes an annual list of the Top 10 Most Critical Web Application Security Risks, describing what they are, example attacks and how to avoid them. Additionally, OWASP provides free resources (videos/guidelines) for developers to test and review their own code for vulnerabilities.
  2. asecuritysite.com. Not only does this site provide a great selection of theoretical reading, challenges and sample tests for certification exams (e.g. A+, CCNA and ethical hacker, to name just a few), but it also teaches you the basics of cryptography in simple, digestible language. There are also practical calculators to help you understand how the mathematics behind crypto works, e.g. simple RSA and DSA calculators.
  3. hackthissite.org. This is a free training ground for white-hat hackers of all levels. It takes a no-nonsense, learn-by-doing approach to teaching. Once you have signed up, you literally need to hack your way through all the basic levels until you “graduate” to the intermediate and hard levels. Each level provides a new lesson about insecure coding. Although it takes some patience and persistence to complete some of the exercises, the personal rewards are well worth it! Hacking websites is not legal and can lead to criminal charges, so for those who have those intentions, this isn’t for you. However, for ethical hackers or site developers/administrators who are interested in developing safer sites and are up for the challenge, go for it!

Of course, if you still need more information about anything, there is a great community at http://security.stackexchange.com/!