Indonesia’s 20 per cent smartphone tax likely to backfire

This week news emerged that the Indonesian government is planning to levy a 20 per cent luxury goods sales tax on all smartphones made outside the country. It’s an old fashioned piece of protectionism which could hit mobile phone makers in the region pretty hard and is unlikely to have the desired outcome.

As I mentioned in my story for The Register, Indonesia is a growing smartphone market with massive potential – as the world’s fourth most populous nation.

Firms that might be particularly dismayed by the tax include BlackBerry, which counts Indonesia as one of its few remaining strongholds, and Apple, which only recently restarted iPhone 4 production to target budget conscious locals.

If the rumours are true it can be seen less as an attempt to spur local handset makers, of which there are few, and more as a means to persuade more global manufacturers to locate facilities in the country.

Foxconn has already stolen a march on its rivals here by announcing a $1bn investment in facilities there.

Canalys analyst Jessica Kwee told me that, seeing as most domestic smartphone makers are focused on cheap, low-end handsets, it’s unlikely that high-end users will be persuaded by the tax to buy local.

“What I think is more likely to happen is that the extremely wealthy would continue to buy their premium phones as is,” she said.

“Then other users will resort to the grey market to source their high-end phones – either via grey importers, by buying when they travel to nearby countries like Singapore or Malaysia, or by requesting from their friends etc. The latter would certainly not benefit the government.”

It’ll be interesting to see whether the government follows through with its plans. After all, at one stage it was mooting the tax only on handsets over Rp 5 million (£260), which I still reckon is the most likely outcome.


China set for Windows XP meltdown in 2014

This week news emerged that Beijing officials have been leaning on Microsoft to try and get it to extend support for Windows XP, due to run out in April 2014. I covered it here for The Register.

Now the arguments apparently made by Yan Xiaohong, deputy director of the National Copyright Administration, seem to be two-fold. First, he warned of a potentially huge security risk if Redmond stops releasing patches, with the archaic OS still accounting for over 50 per cent of Windows licenses in the Middle Kingdom.

Secondly, he seems to be saying the government has done its bit and led by example in ditching its pirated software for genuine licenses, so the least Microsoft can do now is support the still-popular OS. Oh yes, and Windows 8 is too expensive to upgrade to.

The second is a typically arrogant argument from a Beijing official. Microsoft has been trailing this switch-off for years now, so the government should have had time to plan an upgrade path, or at least factor it into its plans to “go legit” with its stock of software.

However the security issue is more valid and in reality could affect consumers and IT security bosses all over the world. According to Akamai, China was just pipped to first place in Q2 2013 in terms of biggest source of attack traffic by a late surge from Indonesia. It has a sizeable 33 per cent share while Indonesia’s stands at 38 per cent.

Not only will this percentage jump significantly higher post-April but, if XP levels stay as high as they have been, we can expect a large number of newly infected machines to appear in China in 2014. Why should you care? Because these machines will be remotely controlled by cyber criminals to do their bidding: a DDoS campaign or targeted attack against your organisation perhaps, or an information-stealing Trojan designed to lift credit card credentials from customers.

SC Leung, senior consultant at Hong Kong CERT, told me there’s no doubt that the OS will come under greater attack post April.

“If Microsoft ceases to support WinXP, that means service patches, hot fixes and support are no longer provided,” he warned. “If Win7 or Win8 vulnerabilities are shared by WinXP, hackers may reverse engineer the patch for Win7 and Win8 to find out the vulnerability they can use to exploit WinXP.”

Attackers may even craft fake patches containing malware to trick users and infect their machines, Leung claimed.

There also exists a longer term problem for WinXP Professional for Embedded Systems, which will run out of support on December 31 2016.

“They are typically used in POS terminals and ticketing systems,” he explained.

“Hardware vendors providing devices using this embedded version of WinXP have to develop a plan for upgrade. Changing development platform takes time. They should plan now.”

Unfortunately for many Chinese users and businesses time is not something they have.

“From an information security point of view, we advise users to use a more secure OS, by either upgrading to newer versions of Windows or using another OS that has continuous support,” Leung counselled.

Let’s hope that at least governments and businesses can stump up the extra cash to upgrade to a newer version before the deadline.

The last thing the global info-security industry needs is for infection rates of epidemic proportions to sweep the Middle Kingdom next year.


OpenStack: the open source cloud project taking Asia by storm

Can you guess which city has more OpenStack contributors in it than any other on the planet? Well, it’s Beijing.

That may come as something of a surprise given the heritage of the open source cloud computing project – NASA and US hosting/cloud giant Rackspace.

However, it’s certainly not a one-off, with several other cities in the PRC also boasting significant numbers of acolytes, including Shanghai which also ranks in the global top ten.

I learnt this and rather a lot more about the project at the OpenStack Summit in Hong Kong this week. It was a conference heavy in symbolism for the OpenStack Foundation – its first ever outside the US and the first since the release of Havana – its eighth major release for building public, private and hybrid clouds.

Having slogged my way around IT conferences for more years than is healthy for a person of my age, the summit was a first for me in many ways.

First up the new announcements from vendors were kept very much in the background – barely mentioned at all in the keynotes and not publicised heavily elsewhere at the event.

Now that could be the fault of the event PR team but I’d like to think it’s because the Foundation are trying to send a message of inclusivity to the community – that no one vendor should be allowed to use the platform to market its wares so blatantly to a captive audience of over 3,000 enthusiasts.

That’s not to say there was no news, of course, or that the major vendors weren’t using the show to meet customers, get their message out, etc, but it was certainly toned down from the all-guns-blazing razzmatazz of some industry events I’ve been to.

Part of that no doubt lies in the fact OpenStack Summit is really about bringing the community together to share ideas and best practices on implementations and, quite literally, to sit down and draw up a roadmap for where it is headed next.

It is still very early days for OpenStack versus, say, Amazon Web Services, and there is a certain amount of tension still in the community about whether it should be seeking to emulate the cloud leader or take a separate path of innovation – “letting a thousand flowers bloom”, according to Canonical founder Mark Shuttleworth.

The Rackspace private cloud VP Jim Curry and CTO John Engates I chatted to admitted feature parity isn’t at the same level as AWS yet, but also claimed that itself is a bit of a red herring as few people use all the features in Amazon anyway.

In the end one of the more eloquent and passionate speeches on the open source project came from Red Hat consulting engineer Mark McLoughlin – one of the top OpenStack contributors in the world, if rumours are to be believed.

“Does anyone think we’re just going to add a handful of new projects in 2014 and then stop? I really don’t think that’s realistic,” he said. “I think it’s going to continue to expand and become a broad umbrella of projects. We need to embrace the collaboration that’s happening under this OpenStack umbrella.”


Decrypt Weibo: new tool promises a censorship-free Sina Weibo

GreatFire.org, a not-for-profit calling for an end to China’s repressive censorship regime, has launched another tool designed to bring transparency to the Chinternet and no doubt some consternation in Beijing.

I covered the Decrypt Weibo announcement over at The Register. It pretty much does what it says on the tin, allowing users who see a post on Sina Weibo that has been blocked by the censors, to retrieve that message.

The founders of GreatFire have been mapping the censored Chinese internet for over two years now and last year launched FreeWeibo, a tool which allows users to conduct uncensored searches of Sina Weibo – by far China’s biggest weibo platform.

However their work so far seems to have flown under the radar, which probably comes down simply to user numbers.

“We’ve been operating FreeWeibo.com now for almost a year and they have not done anything to try to block that service,” co-founder Charlie Smith told me. “It may be that we are just a small blip on their radar. But we think that we are making things difficult for them and we are going to continue to make things difficult.”

The big worry for internet freedom advocates is that China’s latest attempts to suppress online free speech have edged the closest yet to an Orwellian “thought police” model.

In attaching severe jail terms to any popular online message subsequently deemed to be a harmful “rumour”, the government will slowly and insidiously create a nation where all but the bravest are afraid to say anything mildly controversial online, for fear of reprisals.

That’s the worry anyway, as GreatFire alludes to in its post explaining the launch of Decrypt Weibo, although it’s good to hear that Smith and his team are undimmed in their fight.

“Sina’s likely reaction to our new service will be to inform the authorities about our presence … and put the matter in the hands of the police. The police won’t find us and won’t be able to shut us down which means that they would have to shut down the entire Sina Weibo service to stop us doing what we are doing. This would lead to a massive public outcry,” he said.

“Of course, we hope that they just decide to end online censorship voluntarily.”

In the end, the only way this could happen is if the Communist Party realised that its demand for indigenous innovation-based economic growth (rather than one reliant on copying and stealing IP) is doomed if it continues to suppress debate online and place such a heavy burden on web companies for self-policing their platforms.

Unfortunately I don’t think this will happen anytime soon, so in the meantime let’s hope Decrypt Weibo finds its way into the hands of as many Chinese netizens that need it as possible.


Forcing out rooms – Japan’s dirty secret

Over the weekend a New York Times story had some interesting insights into the continuing labour problems at Japan’s once proud electronics giants.

It alleged that workers who are unable to be sacked are often sent to oidashibeya or “forcing out rooms” where they are made to perform menial or repetitive tasks in a bid to make them resign out of shame and boredom.

It’s not particularly nice but it’s a situation that seems to have been forced upon multinationals such as Sony because of Japan’s relatively strict employment laws which make it hard to sack staff without good reason.

These firms simply can’t be as agile as their international rivals because they can’t downsize or strip out waste in specific areas. In the technology industry especially, skills can quickly become outdated.

As Gartner analyst Hiroyuki Shimizu told me, these laws should take the majority of the blame for the decline of Japan’s electronics industry on the global stage.

“In these 20 years, the goal for the company executives in almost all the Japanese electronics companies was to make much use of (or not to leave idle) their own excessive resources including workers and assets,” he said.

“In the global electronics market, companies focus on their differentiators. However, Japanese companies focused on the segments where they have plenty of human resources and large assets.”

This is a major failing of Japanese technology firms but not the only one.

Large scale job cuts are starting to appear, at firms including NEC, Sharp and Sony, although more are probably needed. However, this stripping out of dead wood needs to go hand in hand with enhancing traditional areas of technical weakness, said Shimizu.

It’s also true that there’s more to Japan’s well-charted decline on the technology front than just some stubborn employment laws.

“There are several reasons for each Japanese company for losing power such as commoditisation of electronics products, severe competition with Korean or Taiwanese companies or exchange rates,” he told me.

“But we consider that the deep-seated reason is the employment policy of Japanese companies.”


When is a ban not a ban? Ask the Australian Department of Defence

Well that was a messy week, made significantly messier by news that broke in Australia that I covered for The Reg on Lenovo. This story has taken enough twists and turns in the past few days to satisfy even the most ardent F1 fan.

The original piece in the well-respected Australian Financial Review claimed that intelligence agencies in the “Five Eyes” allied countries of US, UK, Oz, New Zealand and Canada had banned Lenovo from top secret networks since the mid-2000s (when the firm acquired IBM’s PC biz) after finding serious backdoor vulnerabilities.

Although it didn’t claim Lenovo was in cahoots with the Chinese government, or that it had used such vulnerabilities to spy on foreign powers, the article rightly stated that the PC giant’s biggest shareholder is part-owned by Beijing.

Although it used unnamed sources to corroborate the ban across intelligence agencies like GCHQ and the NSA, the story also quoted an Australian Department of Defence spokesman as saying Lenovo “never sought accreditation” for use of its kit in secret and top secret networks at the department.

Now, whether the firm didn’t seek accreditation because it knew it wouldn’t get it is conjecture at this stage, although IBM servers and mainframes are accredited for such use.

In a carefully worded statement, Lenovo said it was “not aware of any sort of a restriction of sales”, and bigged up its “strong relationship” with the Australian government. Strange then that it didn’t seek accreditation for use on the department’s most secure networks.

The story got more murky when a Lenovo spokesperson emailed me a couple of days later with a hard-to-find link to a Department of Defence statement on the story which said the following:

Reports published on 27 and 29 July 2013 in the Australian Financial Review allege a Department of Defence ban on the use of Lenovo computer equipment on the Defence Secret and Top Secret Networks.

This reporting is factually incorrect. There is no Department of Defence ban on the Lenovo Company or their computer products; either for classified or unclassified systems.

As we reported in an update at The Reg, the original AFR story didn’t claim a department-wide ban had been instituted at all, only that Lenovo hadn’t sought accreditation. The ban piece related to the Five Eyes intelligence and security agencies – a different entity altogether.

Just why the DoD decided to release a statement contradicting an assertion nobody made remains to be seen.

It’s possibly just down to plain old incompetence and human error – after all it’s easy to misread a sentence which refers to “multiple intelligence and defence sources in Britain and Australia” as instituting a ban, but then goes on to clarify that in the case of Australia’s defence department it is just the “non-accreditation” piece that was officially confirmed.

However, the conspiracy theorists will claim it did so after pressure from Beijing, after all the DoD statement was not widely publicised – it appeared to have been filed away on a little visited part of the site – but Lenovo was very quick to alert journalists to it.

I also understand that Fairfax Media, which owns the AFR, has received complaints from senior Chinese officials in the past over a certain controversial story.

The AFR has quite rightly written a follow-up piece to clarify the mix-up, which includes clarification from “subject matter experts” stating that intel agency the Defence Signals Directorate doesn’t use Lenovo kit, despite having previously used IBM gear.

Aside from all of this though is another question: if intelligence officials in the UK and elsewhere knew something about serious backdoor vulnerabilities in Lenovo gear, whether deliberate or accidental, did they share such information with the private sector and if not why not?

That kind of information could seriously hurt a company’s bottom line, although Lenovo remains the world’s biggest PC vendor.

This is exactly the sort of thing the UK government’s much lauded Cyber Security Strategy launched in 2011 was meant to promote – improved information sharing between public and private sector. GCHQ should be an asset exploited for the benefit of UK PLC.

China, where the links between government and private business are more secretive and certainly more pervasive, remains streets ahead in this regard.


The truth about PRISM (no, honestly)

Just a short post this week because it has quite frankly been a quiet week apart from one massive story that has dominated the headlines worldwide, except quite notably in mainland China: PRISM and the IT whistle-blower Edward Snowden.

By far and away the most balanced, most informative and least hyperventilatingly hyperbolic piece was over at El Reg, where Duncan Campbell picked through the actual facts about PRISM so far to conclude that, actually, most of it is legal and definitely not tyrannical.

My key observations from his piece are as follows:

  • Prism is nothing compared to the powers the UK government was asking for in its draft Communications Bill – now shelved for the time being. It is also pretty similar to what goes on in police offices and other agencies all over the country where officers act on RIPA requests to collect comms data.
  • The NSA has numerous other similar schemes including direct Deep Packet Inspection, which have been going on in the background and arguably are more intrusive on personal freedoms.
  • The scheme costs around $20m a year and as such is definitely small fry in terms of the extent and type of surveillance involved. NSA’s overall budget is an estimated $10 BILLION.
  • The number of requests disclosed by Microsoft, Google et al via PRISM is even far lower than the government requests they’ve disclosed that are not associated with the scheme.
  • Where Microsoft is concerned, at least, most requests (2%) were for non-content data – ie just account details but not the content of messages. I imagine the same is true of other web service providers.
  • These providers may have said they didn’t know about PRISM because it is just an internal codename used by NSA.

What people should REALLY be worried about here is not PRISM per se but the other Guardian scoop – that Verizon was issued with a secret warrant “requiring wholesale delivery of all call data records from their entire system”. That and the doubtless other similar requests which other comms providers have been issued with are more insidious and certainly warrantless compared with PRISM.

It’ll be interesting to see whether the future “scoops” which The Guardian promises will focus on these. I for one would be interested to see whether UK operators have been subject to similar orders from GCHQ.