Tuesday, August 27, 2013

Dinner speech for the International Conference on Cyber Crime and Computer Forensic 2013

Dinner speech for the International Conference on Cyber Crime and Computer Forensic 2013 – Hong Kong (August 27, 2013)

Ray, Oliver, KP, Laurie, Albert, Michael, it is my honor to be invited to give this remark at the International Conference on Cybercrime and Computer Forensic 2013 at Hong Kong.  It is especially an honor and very special for me to do so, I think, because I am neither an expert in cybercrime nor forensic.

As I was introduced, I am currently serving as the Legislative Councilor representing the information technology sector here in Hong Kong.  Our legislative council is our law-making body here, and for better and for worse, we do have representatives for a number of professional sectors. I felt I better explain this a little for the benefit of our overseas delegate.

But my background has been from IT, and in particular for the last almost twenty years, particularly focusing on the Internet.  I actually first used the Internet in 1982, more than thirty years ago.  This is something I used to brag about in other audience but tonight, I am afraid that there must be others here who have been on the Internet longer than I have.

Things have certainly changed a lot in the last thirty years, and one thing must be true – that the Internet has changed the world, and that includes the very themes and subjects we are talking about in these three days.  Crime has become cybercrime, or at least a bigger and bigger part of what we consider to be crime today is now consisting of so-called cybercrime.  And, forensic has become computer forensic.

To be sure, much of the hype created in the media because of all these new cybercrime phenomena has given the Internet a bad name, I am afraid.  But the Internet is just a medium, and as a medium it carries both good and bad information, and people do both good and bad things there.  And I hold it to myself as a very basic principle that we should not shoot the messenger.

I always like to remind people and friends that the Internet was, unfortunately, not designed for this sort of things.  The sort of things we do or we let people do on the Internet today – buying and selling things, making friends, sharing photos and liking things, and all these activities done by people of all countries at all ages.

Really, the Internet was first designed and built with a lot of assumptions that no longer holds true today – such as, people using the Internet were well, well-educated people from universities and research companies and they were generally “doing their jobs” with the Internet, be it technical research or related communications, with only occasional chit-chatting.  The Internet was indeed built with a high level of trust because the founding fathers did not think his teenage sons and daughters would be using it.  How they were wrong about it.

And, to revamp the whole Internet with the right technologies to ensure trust is certainly technically feasible, but it would be a commercial disaster and with all the vested interests from companies and countries around the world, it has simply become impossible to do.  It is somewhat like if we want to redistribute wealth and redraw country borders in order to root out poverty.  So, we can only tinkle with the problems we face rather than, in most cases, make large-scale, wholesale changes.

So, in the last twenty since the world-wide web era began, we have moved rapidly from emails and the web to social media, mobile phones and tablets and the cloud.  Think about it, the first iPhone just appeared in 2007, and the first iPad in 2010.  Think about how many iPhones and iPads, or its Android and other variations of smartphones and tablets you have thrown away.  Think about that, not how many you have used, but how many you have thrown away.

With the hardware and the tools including all these apps changing so rapidly, it gives a new meaning for what we have talked about for a long time, that technology moves and changes faster than the law.  Certainly in making laws we talk about due process, consultations and making decisions at lawyers' speed.  But technologists and engineers don't wait for the next court session or legislative session to reconvene in several months' time.

If laws are behind technology, then what is law enforcement going to do?  That's why I always believe that laws and regulations must be technology-neutral as much as possible, and only when we are very sure or we see a proven need or advantage then we implement laws that are technology-specific.

Having said that, things are surely not getting any easier for law enforcement in today's cyberworld, combatting against cybercrimes and cybercriminals.  Expectations from citizens have grown, and incidents in the cyberworld tend to be more widely publicized, and cyber-citizens often expect a much higher degree of transparency.

These emerging conflicting priorities and expectations have certainly risen to the surface of public attention, and the Edward Snowden and NSA incident has revealed that the NSA and indeed later on as we found out many other governments of the world are literally spying on us, people are beginning to ask all kinds of questions: Can they do this and that?  Are they really doing this and that?

People are no longer just happy to be able to use these tools to enhance their own utilities.  People now want to know if and whether they can be spied upon and how.  In a sense, this may be the beginning of basic awareness for the understanding of computer and information forensic.  So, all these developments indeed have made this conference and the sharing you are having more timely and important than ever before.

So, once again, welcome to Hong Kong, the city that Edward Snowden once wanted to call home.  Too bad he couldn’t or else I am sure Ray and Oliver and KP will invite him to give the speech here to you tonight. I wish you bon appetite, and more great sharing in this conference.  Thank you.

Monday, August 05, 2013

[CWHK] NFC: Past, present, and future

Near field communications (NFC) applications are finally appearing in Hong Kong. Why the delay? Hong Kong has an advanced financial services industry and high mobile penetration rate.

Because of the Octopus card. For over 15 years, Octopus stored-value cards are used for quick cashless payments throughout the HKSAR. Transportation, supermarkets, frappucinos...the Octopus (which uses NFC technology based on Sony's Felica reader) handles everything from school attendance records to making donations.

The huge success of Octopus has crowded out other quick-pay methods. Remember Mondex? Visa Cash?

New terminals signal change

But NFC-based credit cards have been making gradual inroads in the local market recently, with more of terminals such as those from Visa payWave appearing on counters, next to Octopus touch-processors. And Hong Kong banks are beginning to issue smartphone-based NFC mobile service apps.

This is a potentially lucrative market: larger amounts available on a single "tap-and-go" payment may convince customers to forgo the familiar sound of the Octopus "dood" for NFC.

Security, standards, regulations

But obstacles remain. Octopus is a debit card capped at HK$500 even with an automatic value-ad. Mobile payment on a credit card is another matter—potential losses due to abuse are harder to cap. As always, there's a convenience/security tradeoff.

Banks and other institutions offering NFC payment services must sweeten the deal with incentives like customer loyalty programs and other marketing gimmicks. But they must instill confidence in their customers that data will not be misused—a lesson that Octopus learned years ago, when it was revealed that the company sold customer data to outside insurance companies.

So, while developers may receive better NFC support from the newest smartphones, successful mass adoption of NFC mobile payment services won't be about technology. Justifying the value proposition to customers for choosing this option means lowering transaction costs for both mobile service platform operators and merchants as well, as well as building user-confidence in NFC's security and reliability.

But then two other issues remain: industry standards, and regulations.

The issues around industry standards may be difficult, because the entrenched incumbents in the mobile payment market today means large business-volumes at stake. Without standards and proper portability, customers will be permanently confused by competing services and platforms. Merchants will also find it hard to support excess mobile payment options as more terminals means more capital investment and more counter space.

On regulatory matters, the HKMA completed a study on NFC payments in early 2013. Some of the questions: How to handle more than one NFC payment service on a single NFC-enabled phone? How to ensure service continuity as a user switches from one phone to another, or from one phone company to another?

Last month, the HKMA launched another public consultation on stored-value facilities and retail payment systems. While this consultation and the suggested regulatory regime is not technology-specific, it does cover NFC-based mobile payment services, including the Octopus card—which despite its incumbent status will be required to take out a new license and comply with other conditions in order to continue properly regulated operation.

It comes down to the apps

I don't believe that regulations alone will ultimately drive adoption and market success. Innovation delivered via apps that attract users and give them incentives to use these apps with their NFC phones is key. The infrastructure is more or less built—with more innovative apps, users will drive the business. After all, apps are one thing you can't have on your Octopus, right?

If card-based services are NFC's past, banks and mobile service companies are building the platforms for NFC's present, then which apps (and other bottom-up innovative ideas) will determine our NFC future?


Charles Mok is a member of the Legislative Council representing the IT
Functional Constituency. He is also founding chairman of Internet Society
Hong Kong. Contact him at: charlespmok@gmail.com

Published by Computerworld Hong Kong, Aug 2013 issue




疏於資訊保安的理由有很多,卻是不能推卸的責任,個人以至企業應該從最基本的習慣做起提升整體的資訊安全。由個人開始講起,現時BYOD 的風氣盛行,身為員工少不免會用自家手機或電腦處理工作,一但遺失或遭入侵,招至的損失的再不是員工的個人事情。所以個人的流動裝置應安裝防毒硬件和加密程式以防萬一,當然設定密碼鎖這第一道防線也是少不免的。




(一)  盡量先用網上預覽方式打開附件,有問題附件可能無法預覽。電郵內的網址連結也需小心留意,可能會連到惡意網站。

(二)  細心留意發件人的電郵地址是否有異樣,如以數字代替字母、中間加上底綫之類,黑   客或會假扮你朋友發件。

(三)  如有懷疑電郵真偽,請以回覆該電郵以外方式聯絡發件人加以確認。


刊於 2013.08 IT Pro Magazine 第76期