Subverting Fingerprint Scanners

So you probably heard about this already as it has been mentioned on BBC News, Slashdot and one of my favorite news sources, HiTB.

From BBC News:

"Lin Rong, 27, had previously been deported from Japan for overstaying her visa. She was only discovered when she was arrested on separate charges.

Tokyo police said she had paid $15,000 (£9,000) to have the surgery in China.

It is Japan's first case of alleged biometric fraud, but police believe the practice may be widespread.

Japanese police suspect Chinese brokers of taking huge sums to modify fingerprints surgically.

Local media reports said Ms Lin had undergone surgery to swap the fingerprints from her right and left hands.

Japanese newspapers said police had noticed that Ms Lin's fingers had unnatural scars when she was arrested last month for allegedly faking a marriage to a Japanese man."

Since about 3 years ago, Japan has required all foreigners to have their fingerprints scanned and picture taken at customs when entering the country. This has cost an ENORMOUS amount of money to deploy and has been seen as a complete waste and useless at best by most security experts here. The system was installed in the name of "preventing terrorism" (the popular excuse for anything these days) but many think it is just an excuse to be able to crack down even more on illegal foreigners, despite how hard it already is to get into (and be able to stay legally in) this country. The system was based off the U.S. list of known terrorists, which is known to be highly inaccurate. Just ask Bruce Schneier.

Actually, this is not really new news at all, as I heard about this on NHK (I believe) several months (maybe a year?) back. They were reporting not on the Chinese, but on how in South Korea there is a big semi-underground market to supply people with a clear plastic film to put over your fingers that will fool the fingerprint scanner. This has apparently been going on since shortly after the installation of the system. The thing that I thought was most interesting about this was that they said either the cost of the fake plastic fingerprint or the cost that people were paying for them was less than a dollar. One would naturally think it is the manufacturing cost of the actual plastic that is less than a dollar, but I am pretty sure I remember they said that people were buying these things for that price! (Although I wouldn't take my word for it as my memory isn't so great in my old age..) But if my memory serves me correctly, it means that this Chinese woman isn't a very wise spender, as she could have easily saved money by buying a plane ticket to South Korea ($300?), picking up some of those plastic fake fingerprints for a couple bucks, and saving $14,700 along with permanent scars. ^^v


Be careful when illegally exporting to North Korea

Two men, one 62 and one 73, were arrested in my (figuratively speaking) backyard, the Kobe port, for trying to export clothes and other luxury goods to North Korea. (About $60,000 USD worth of goods.)
It is the first time someone has been arrested for illegal exports to the country since increased sanctions were introduced last year because of the long range missile tests of Japan and continued nuclear weapon production.



First Mass? Arrests In Copyright Infringement Bust

(Headline: Man arrested for leaking new Harry Potter)

Yesterday, the National Police Agency announced that they arrested 11 people in 10 different provinces around Japan for copyright infringement. This is the very first time that authorities have cooperated together and performed a "large scale" (I use the term relatively) bust on many people at once.
Currently, only uploading copyrighted materials is illegal but as of next January (28 days left!) downloading copyrighted material will also become illegal thanks to a revision in the copyright laws.

The police say they will start cracking down hard as of next year...

The person shown on the news I saw yesterday about this, and written about in the article, is a 47-year-old man from Nagano who would upload hit songs. In October of this year alone, he uploaded to around 9600 people, supposedly causing "damages" of around 77,000,000 yen (around $770,000 USD).

By the way, the P2P software that all of these people were using is called "Share", the sort of replacement for Winny. Share is a closed source program that is only available on Freenet. The author of the program remains anonymous as he/she does not want to end up with the same fate as the Winny creator. (And with good reason!)
The main benefit of the program was that it was supposed to guarantee anonymity, which it obviously fails to do....

Here are some other cases where people have been arrested for using this software (from Wikipedia):
Three Japanese people aged 21 to 41 were arrested in Kyoto, Japan on 9 May 2008 for illegally uploading anime files with Share. These were the first Share-related cases in Japan. Nevertheless, research showed that there was no significant drop in on-line Share users after these arrests.

On 27 November 2008, another male Share user was arrested in Japan for illegally uploading Japanese TV drama with Share.

On 12 February 2009, the first two male Share users were caught for uploading Child pornography with Share.

On 30 September 2009, multiple Japanese media reported that two men were arrested for uploading Nintendo DS game software which include Square Enix's Dragon Quest IX. They are the first users arrested for uploading DS games.

Since 2001, there have only been 26 cases of people being arrested for copyright infringement for distributing over P2P networks. 6 of them have been in 2009.

As the Japanese culture makes people very crazy about sticking to the rules no matter how silly, small, etc... they could be, I wouldn't be surprised if there was a much larger rise in people getting arrested (and no doubt getting fired from their jobs shortly after, being put on national news shown as a criminal.. as if someone among the ranks of a terrorist, and probably causing many other major reasons for severe depression) just for providing a few songs or games over P2P networks, something that would probably be overlooked in the rest of the world.

(I only post this picture of Ed Norton from American History X as I thought it was weird that it came up on a google image search when I searched for "Share Arrests"(in Japanese). Nonetheless, this is probably the image that the general public has on file sharers thanks to the way the media portrays them)

For the last image of the day, I post this as I thought it was cute and particularly Japanese. Every time someone gets arrested for a computer crime like this the police lay out all of the seized computer equipment nice and neat on a table and that gets shown on the news as they talk about the incident.

Source: Yahoo Japan News

Cracking Down on Net Cafes

A couple days ago, there was an announcement about considering "hardening" net cafes in the Tokyo metropolitan area, which would require net cafes by law to ID all customers and keep that information for up to 3 years. This is to prevent abuse at net cafes, which are seen by some as a "breeding ground for evil" since anyone can use the computers.

At the earliest, this ordinance will be brought up in the Diet next spring and may be in effect as soon as next year.

As of August, there were 561 net cafes in Tokyo and only 38% did ID checking(/recording?).

Source: Asahi News


"Runaway Sites"

Taken from the Japan Times.

Desperate measures: A cell phone in Shibuya, Tokyo, shows an "iede saito" (runaway site), where runaway girls post requests for a place to stay in return for sex. YOSHIAKI MIURA PHOTO

'Runaway sites' latest Net-based exploitation of young girls

Men provide a place to stay for troubled youths in return for sex

Staff writer

First there were the "enjo kosai" Internet sites where underage girls hook up with adult males in exchange for money. Now there's a new type of Web site that unites girls running away from home with men offering a place to stay in return for sexual favors.

Called "iede saito," or runaway sites, and potentially harmful to children, they provide a forum where messages posted by runaway girls asking for a place to stay are answered by men.

Observers say such sites have emerged because the operators and male users want to dodge new laws on "deaikei," or "encounter sites" (where members of the opposite sex can meet), that ban people under 18 from using them, diminishing the chance they will attract underage girls.

"If you regulate one type of Web site, users will go to another," said Atsufumi Suzuki, an expert on Internet activity. Runaway sites first emerged about five years ago, he said.

With online encounter sites flourishing as a hotbed for sex with minor girls seeking pocket money, a law was introduced in 2003 that bans under-18 users and, since last year, requires site operators to register with authorities and confirm the identity of their users.

Another law regulating Internet use by minors was passed in June, this one requiring that cell phones used by children under the age of 18 block sexually provocative sites, although their parents can switch this feature off.

These regulations do not apply to runaway sites, which technically carry messages only seeking accommodations.

One message posted on an online bulletin board for runaways last month stated: "I am a high school student in Osaka. I've been living in an Internet cafe, but I don't have any money left. I am prepared to do anything."

A response reads, "I live in Kyoto but I can come pick you up."

The runaways refer to the men as "kami" (god) and themselves as "kamimachi" (god-waiting).

A 17-year-old girl named Eri in Kita Ward, Tokyo, told The Japan Times she used a bulletin board to find the man who put her up and fed her for five days during the summer holiday in August.

The girl, who withheld her surname, said she fled home because her older brother was causing trouble and her father was violent. She stayed with the man in Saitama Prefecture for five days and slept with him during that time. She believes he was in his 30s.

"I just wanted to get away from it all, they were being so annoying," she said.

While many of the runaway girls are not seriously harmed by their hosts, in some cases it can lead to sexual violence or confinement, said Tetsuya Shibui, a freelance journalist who wrote "A True Account: Underground Web Sites Crime Report" ("Jitsuroku: Yami Saito Jikenbo").

Last year, 724 people under 18 were victims of real-world crimes such as rape in connection with encounter sites, while 792 youths were victims of crimes that stemmed from other types of sites, including runaway sites, game sites, profile sites and social networking sites, according to the National Police Agency, which released such figures for the first time this February.

There is no official figure for the number of runaway sites, but experts estimate there are currently about five runaway bulletin boards, while many posts with this kind of content are also found on nondedicated bulletin boards.

There are also around 50 sites run by encounter site operators, some of whom act as agents for prostitution organizations that dispatch call girls pretending to be runaways, according to Shibui.

The runaway sites attract girls from unhappy households who are prepared to offer sex to strangers for protection and sometimes money, Shibui said.

"Until recently, runaways were 'yankees,' slightly bad girls, who already had such networks, but now good girls also flee home and they don't have these networks," he said.

The sites also provide a solution for girls who want money but cannot find work in the entertainment industry due to strict age restrictions, he said.

The police are urging the operators of runaway sites to self-regulate, according to the NPA, but such clampdowns are ineffective because operators will simply start up new types of sites, according to the Internet expert Suzuki.

"It is hard to find a simple answer since it involves family problems and sex-related issues, which is why there is a tendency to blame it on the Internet, but that is only a haphazard solution," he said.

Experts say the emergence of the runaway sites is a reflection of the behavior of minor girls nowadays, who tend to be less resistant to sex and see it as a bargaining tool to secure protection.

According to a 2005 survey by the Japanese Association for Sex Education, about 30 percent of girls between the ages of 15 and 17 attending high school said they have had sex, 6 points more than in the previous survey in 1999. The report sampled 1,093 high school girls nationwide.

Offering minors a place to stay and having sex with them is illegal under various laws. Sexual activity with anyone under 13 is a crime, while it is also illegal to have sexual relations with someone under 18 if money is exchanged.

It is also forbidden in many prefectures for minors to stay out overnight without parental permission.

Since 2006, at least six men have been arrested for engaging in sexual activity with girls they met over runaway sites. Company employee Keiichi Koma, 31, was arrested last month by Tokyo police on suspicion of performing obscene acts on a 13-year-old girl.

But in other cases, it is difficult to clarify the nature of the relationship, as some men do not demand sexual favors or pay, and a runaway might be given a job that technically makes her an employee, Shibui said.

The men offering accommodations tend to be in their 30s, but they are not necessarily single, and some genuinely want to help runaways, according to Shibui.

"One might be lonely during the few days his wife is on a business trip, and it's a choice between a runaway girl or 'delivery health' (call girl service). Then there are some who fled home themselves as kids, and they are genuinely worried about the girls and do not necessarily demand sexual favors."

Observers say runaways use the sites instead of turning to friends or relatives because they fear being discovered. Some stay with the same man while others flit from one to the next, sometimes by recommendation from fellow runaways or by being passed around between men who make the arrangements online.

In some cases the girl has no intention of returning home and the parents don't press the matter.

One such runaway that Shibui met was a 15-year-old from Kanagawa Prefecture whose parents had divorced because of domestic violence. The girl, whose name he withheld for privacy reasons, had left home with her mother but preferred her father, and fled home a year ago to live near him.

She still attends school and her parents are aware she is living with strangers, he said.

"The parents think, 'at least if she's in school she's alive.' If they tried to force her home there would be trouble and then she might not even go to school."

Shibui added that not all parents apply for missing person searches — because they would have to inform the police of their domestic troubles.

According to the NPA, applications for missing person searches were submitted for nearly 20,000 runaways aged between 10 and 19 last year.


Winny developer acquitted!

This is big news!
The developer of Winny, the infamous Japanese P2P software that is pretty much equivalent to "information security", "personal information disclosure" and "the computerized embodiment of the devil" in Japan, has been acquitted, reversing a guilty ruling by a lower court that imposed a 1.5 million yen fine. (At current exchange rates, about $17,000 USD.)
This is great news for anonymous P2P software developers as they now do not have to hide in fear of getting caught for distributing software that provides anonymity!
I am very surprised by this ruling as most Japanese are pretty "hard headed" concerning these kinds of issues, so good on the judges for not going with the crowd and just assuming that because someone releases software that provides *albeit now broken* anonymity, that person is undoubtedly doing something illegal.

From the Japan Times:

OSAKA (Kyodo) The Osaka High Court on Thursday acquitted the developer of the Winny file-sharing software program of copyright violation, reversing a guilty ruling by a lower court that imposed a ¥1.5 million fine.

Isamu Kaneko KYODO PHOTO

Isamu Kaneko, 39, who published the software on his Web site in May 2002, was accused of assisting two users to illegally make movies and other files available for downloading through peer to peer online file exchanges in September 2003 in violation of copyrights.

Kaneko, a former University of Tokyo researcher, pleaded not guilty, arguing at the high court that certain technologies always involve the possibility of being abused and questioning whether engineers should be punished when their technologies are misused.

"It cannot be said that the defendant published the software to encourage copyright infringement, thus its public opening cannot be recognized as abetment of copyright violation," said presiding Judge Masazo Ogura in the ruling.

Ogura determined that while Kaneko had been aware of the possibility that his software would be used to violate copyrights, "the defendant did not encourage illegal acts." He rejected the prosecutors' argument that Kaneko developed the program intending to undermine the copyright system and that he encouraged unlawful copying of protected content.

The Kyoto District Court had found him guilty in December 2006, ruling he "made Winny public on his Web site, assisting users to easily violate copyrights." It called his acts "selfish and irresponsible."

The case marked the first time in Japan that a developer of software has been charged and found guilty over unlawful acts by the software's users. The guilty verdicts on the two users have already been finalized.


Fighting Video Pirates

Sorry no links as I just saw this on TV the other day.
Apparently some Japanese folk have created technology to put sensors behind movie screens that can detect if anyone in the audience is filming it with a video camera.
I forget how they said they were able to do so technically but they are trying to get them installed in all movie theaters in Japan within the next 3-4 years.

If they become widespread in Japan perhaps other countries will follow along and one day it may not be possible for pirates to "steal" movies as soon as they hit the big screens...

Probably not, but will be interesting to see how this new technology changes things.


Risks of Credit Cards

Apparently credit card numbers are linked to the expiration date MM/YY so that you can run an algorithm with just these two pieces of information offline and tell if the CC is valid or not.
Although a convenient feature, this design can be.... I mean actually is being exploited.

Apparently, some Japanese hackers found out how to derive the full credit card number from just having the last four digits of the CC# and the expiration date.

Now... I wonder where they could get the last four digits and exp. date from??

Oh yea! My monthly credit card statement has that information along with my address!!
So yes, apparently, bad guys are actively stealing people's monthly bills, calculating the full CC#, and using that for fraud.

By the way, most postal boxes in Japan are pretty easy to steal from and even if they have locks (most of the fancier apartments do), you can still stick your fingers in and take out all of the mail... so yea, the lock is more for show than anything practical.



Japanese Government Tightens Its Iron Grip on Foreigners

Excerpted from the Japan Times:

You may want to read this if you are a foreigner living in Japan. If not, read if you are bored...

The Diet passed bills Wednesday that tighten controls on foreign residents, paving the way for them to take effect within three years, despite opposition from foreigners and human rights activists....

The bills, which cleared an Upper House plenary session, will abolish the Alien Registration Act and revise immigration control and resident registration laws.

The revision will shift authority to manage foreign residents from municipalities to the Immigration Bureau and enable it to consolidate the personal information of foreign residents, including name, address, type of visa and expiration date, making it easier for the bureau to detect illegal residents.

"Currently, it is difficult to fully grasp where foreign residents live, so we need to change that," LDP lawmaker Ryuji Matsumura, a board member of the Upper House Judicial Affairs Committee, said after the chamber passed the bills. "In other countries, including the U.S., France, Britain, Germany and South Korea, governments keep such personal information on foreign residents."

Rights activists condemned the bills for excessively tightening controls on foreigners.

"We will keep fighting against the enforcement of the bills in municipalities, the Diet and the United Nations, seeking cooperation from nongovernmental organizations in Japan and the world," said Nobuyuki Sato, representative of Research-Action Institute for the Koreans in Japan, which wants the bills abolished.

Currently, municipalities issue alien registration cards to foreigners overstaying their visas even though they are aware of the illegal status. By registering them, the municipalities can send them notices of various public services, including public school enrollment and medical services for children and pregnant women.

The Immigration Bureau and lawmakers worked out the bills to reduce the number of undocumented foreign residents, which the bureau estimates total about 110,000.

Human rights activists, including Akira Hatate, director of the nongovernmental organization Japan Civil Liberties Union, said that instead of focusing on reducing the number of illegal residents, the government should treat overstayers as members of society that can help the country prosper.

The United States has an estimated 13 million illegal aliens, he noted, citing information from the American Civil Liberties Union. The European Union is thought to have had about 8 million in recent years, Hatate added.

"In the U.S. and Europe, it is natural to have a certain number of overstaying foreigners," he said. "Japan is extremely strict.".....

The bills will extend the normal duration of visas from the current three years to five. Also, foreigners will no longer be required to obtain a re-entry permit if they return to Japan within a year of leaving the country.

On the other hand, punishments for failing to report address and other personal information will become harsher. To prevent fake marriages, the bills grant the justice minister the power to cancel a spouse visa from those who have failed to conduct for six months without a legitimate reason "activities spouses normally do."

I wonder what they mean by "activities spouses normally do", and how exactly are they going to check?


Porn Downloads Strain Japan Phone Network


"Takeshi says he pays 6,300 yen ($66) a month to NTT DoCoMo Inc. for unlimited Internet access, allowing him to download adult movies on his mobile phone.

“A mobile is far handier than a computer for Internet access -- I seldom use a PC outside the office,” said Tokyo travel agent Takeshi, 32, who declined to give his surname.

Takeshi and other pornography fans are feeding a surge in demand for movie downloads in Japan, home to the world’s first third-generation wireless network. While profiting from the traffic, Tokyo-based mobile carriers DoCoMo and KDDI Corp. say they’ve been forced to impose limits on the heaviest users as the $74 billion network feels the strain...."


Cellphones banned in Ishikawa prefecture schools

Ishikawa Prefecture, a rural prefecture in Japan, has just passed an ordinance forbidding elementary and grade school students from possessing cell phones. This is the first time an entire prefecture has passed a law like this. I am interested in seeing how much of an effect this will have as there is no penalty or fine for violation. There are also many angry people who would rather have their children have cell phones so they are able to contact them or track them with GPS in case they get lost, etc... (i.e. legitimate reasons)
The prefecture is apparently slightly worried about being sued for infringing on its citizens' rights.

For the average Japanese person, one of the main security related issues he/she deals with is whether or not to let his/her son/daughter have a cell phone.

This is a big issue in schools all throughout Japan and there have been many schools banning students from using cell phones. This is due to all of the problems that have arisen from them, the main one being cyberbullying. Others include looking at porn, visiting shady forums, calling dating service chatlines, etc...

Source: Slashdot.jp


Controlling Wheelchairs with Brainwaves

I have been seeing a lot of news on Japanese researchers making breakthroughs in controlling robots, games, and now wheelchairs using only brainwaves.

If you don't believe me, you can check out this demo video here. (There is even an explanation of how it works... just in very difficult Japanese. =) )

I figure if people are figuring out how to read brainwaves with machines, it is only a matter of time before they are able to start reading thoughts... even extract passwords, perhaps?

Probably not in my lifetime, but I would be surprised if that technology wasn't created sometime in the *relative* future...

"Impossible! There's too much complexity!" you say?

Well, I am sure if you told people 1000 years ago that there would be machines that could fly people across the globe and even to the moon, they would have probably said the same exact thing...


Shuriken USB Drives

For those of you who want to be efficient and not have to carry around both your ninja stars and USB hard drives, now you can combine them together!

Although, as a security professional, I do not recommend that you use your USB drive as a ninja star that you throw at your enemies during missions.

It just seems like a really easy way to cause "personal information leakage incidents"...

By the way, anyone know the more natural way to say 個人情報漏洩事件 in English?

My engrish is getting wolsel by the day..

Google Streetview is declared legal in Japan!

(Kind of old news.. 6 days ago)

I found an article about this in English here.

Google has had repeated troubles with their maps and privacy issues in Japan.
First it was when Street View came out a couple years ago. Everyone had a fit, but they blurred the images of people's faces and while people didn't like it, they learned to live with it.
(And even many young "hip" people think it's cool and useful despite being a little frightening.)

Then there was a big problem with Google Earth showing old maps of Japan that showed where the Burakumin used to live.

Just do a search for "google earth burakumin" and you will find many articles on this.

The burakumin issue is still a very big issue today and still many companies do (illegal) ancestry checks on new employees in secret.

This is an interesting issue. In Google's defense, you can say "well, these maps were already in the public domain so anyone who really really wanted them could probably get them", but on the other hand making this kind of information easily and widely available does result in many more people abusing this information than if they had to jump over several hurdles to do it.

So I am not sure who I would side with on this issue.

I think it is cool to be able to put an overlay on Google Earth to see what Japan looked like back in the day. (Although I still have not been able to find out where to download or how to use these maps! If anyone knows, please let me know!)

However, I also want to respect and protect unfortunate people who are discriminated against because of their ancestry.

Gobusata shite orimasu!!

Sorry I have been lazy on the posts!

I have been pretty busy with other non-security related issues, but do not fret!
I am still keeping up with the industry and will try to post some interesting things..


Copyright Infringement + Fraud = BIG Trouble

Copyright Infringement leads to BIG trouble in Japan.
Fraud leads to BIG trouble in Japan.

Someone should have told this to music producer Tetsuya Komuro, who was not only able to combine these two evils together but magnify them to an enormous scale.

For those of you who do not know (probably all of you), Mr. Komuro is a former billionaire who made his riches from creating corny J-Pop songs that were popular in the 80's and 90's. However, the music scene changed and by 1998 his songs that used to sell millions of copies would only sell several thousands. He tried to expand his empire overseas to Paris, Los Angeles, and Hong Kong, but lost a lot of money on these enterprises, and by the mid-'00s he was so deep in debt that in order to borrow funds to maintain his operations and lavish lifestyle he had to put up with 60 percent interest rates.

Two years ago, his second wife was threatening legal action because of his failure to pay alimony and child support so he came up with the scheme to sell his music catalog to an investor. Although he wrote most of the songs he did not actually own them. This however did not stop him from trying to sell the rights to the songs (about 800) to an investor for 1 billion yen (about 10 million USD). The investor paid him up front 500 million yen (about 5 million USD) when he realized that Mr. Komuro didn't actually own the copyrights. They went to court and the judge ordered Mr. Komuro to repay the 500 million yen plus an extra 100 million yen.

Komuro must be completely out of his mind because to pay off that money he not so cleverly decided to pull another scam.... which was actually the exact same scam just on a different person!
Needless to say, that didn't work out so well.

Now he faces 5 years in prison for his actions.

If any of you are thinking about doing something similar to this I would recommend that you cease your actions immediately! Not only could you end up spending 5 years of your life in prison but you will probably start looking like this from all of your stress....

For those that want to read more about the juicy details, you can check out the fine articles at the Japan Times here.


Self Destruct USB Drives

Fujitsu just made a press release of their new Self Destructing USB Drive!

After a set period of time or if the USB drive gets plugged into an unauthorized computer, it will erase itself.

Although I have doubts about the security and foolproofness, it is somewhat interesting.

However, if people just encrypted their data securely in the first place they wouldn't have to worry if their USB drive gets lost, nor have to worry about their USB drive deleting their precious data by accident!

Needless to say, I won't be the first in line to get one. I think I'll just use TrueCrypt instead.


Privacy Woes

There has been many incidents on local and national news that I have been seeing lately.
It is mostly people loosing USB drives with personal information on thousands of people, and then the heads of the company publicly apologizing, etc...

Privacy is taken extremely seriously here for whatever reasons and is probably the strictest in the world. Perhaps a little overkill even... Most of these incidents just leak information such as the address and phone number of a person. No passwords, SSN's(which doesn't exist here anyways), CC#'s, etc... Although it is just an address and phone number it is still considered a privacy breach and many people get very angry. These incidents of a company's loosing information with only addresses, etc... get as much press or more than the amount of press that company's in the U.S. get for loosing thousands-millions of credit card information...

When the heads of the company apologize, they usually say "no worries, we have not heard of any cases where this leaked information has been abused". My question is how exactly is this information going to be abused? You can't apply for a credit card with only this information. If a bad guy could do something nefarious for which only a mailing address and name are needed, all they would need to do is snatch someone's mail from their mailbox before they get it. That is incredibly easy to do! That would give them all they needed for that nefarious act and with almost no effort.

As an American, I don't know what all the fuss is about since I grew up with such privacy killing services like the phonebook. Nowadays, you can go to whitepages.com and find out not only the mailing address and phone number by only knowing someone's name but you can also find out the names of other people in the household and even their approximate age!! Such a service in Japan would be completely illegal and there would be many arrests and public outrage if someone tried to do that here.

Although I have heard residential phonebooks do exist here and have even seen a place online to buy one for certain regions, I have never actually seen a Japanese phonebook despite my searches nor has any native Japanese told me they have ever seen a Japanese phonebook in their life whenever I ask them.
I find this somewhat inconvenient as I wanted to look up a friend who I had lost contact with but only knew her name and where she lived but couldn't... I guess that's the price you pay for better privacy.

As for social networking sites, they also have much better privacy here. On Facebook, MySpace, Orkut, etc... about 90% of the time (from my experience) people will put their real photo of themselves and real names on their profile page and share embarrassing personal photos of themselves and friends for the whole world to see. On mixi, the biggest SNS in Japan, almost 100% of people do not put their real photo on their profile page and only half or so use their real names. Also, almost everyone restricts pictures so only their friends can see and if there is anything really embarrassing they will usually put a password on it so only a few select people can access it.

I can't say which is better. In Japan many people do not feel they can post things freely so it is kind of a shame. However, in the U.S. and probably other parts of the world there have been many problems arising from privacy issues of these SNS sites, such as people getting fired from their job for posting bad things about their work, people not being hired for having an SNS profile which contains pictures of them dead drunk or partaking in illegal substances, and even incidents where companies got hacked by social engineering through SNS sites.
I have not once heard of anything like this happening yet through mixi.

There is also recent talk of privacy concerns through Hatena Bookmarks, a Japanese version of Delicious. There is a claim that because when you save a bookmark it saves and shows the timestamp, that cyber stalkers are able to watch your every move and analyze your behavior by knowing what you are looking at at what time. (However the person claiming that there are actually cyber stalkers out there doing this wasn't able to give proof of this happening in real life, I suppose theoretically people could be doing so....)

When Google Earth launched Street View in Japan a year or two ago there was massive outcry of privacy concerns, however, that seemed to die down and I think a lot of people now think it is a cool and useful service, albeit somewhat scary. However, last month a Japanese company that was providing the same kind of service closed up shop for undisclosed reasons. I would guess it was financial or something along those lines but many people are guessing that it is due to privacy concerns.

So in conclusion, there are many privacy related issues going on in Japan almost every day and will probably only get worse in the future. Personally, I think they go a little too crazy with privacy requirements but I suppose it is better than the U.S. which has relatively terrible privacy requirements/awareness.


Patriotic Hacking

This happens every now and then...

The Ministry of Land, Infrastructure, Transportation and Tourism homepage was defaced a few days ago and replaced with a Chinese flag and, in English, "Don't forget history".

This is a screenshot of a defacement of the controversial Yasukuni Shrine. (Sorry, I couldn't find one of the one mentioned above..)
For being seen as the symbol of the Japanese militant past, it is by far the biggest target and has been defaced several times by Chinese and Korean patriotic hackers.

(On a side note, Yasukuni is a very beautiful shrine and has an incredibly nice pond and Japanese garden hidden towards the back. (Check it out if you can!) According to one of my teachers who grew up around the shrine and would frequent there for festivals as a child, his image of Yasukuni is as a peaceful place to fall in love.)


Can't Trust Anyone

While in the past the advice was usually "don't go to *suspicious* or *bad* sites and you won't be hacked", there are plenty of examples out there in recent years that prove this advice to be flawed. Malware gets hosted on legit sites all the time so users now have to browse the web with the assumption that they are going to be attacked no matter how safe and trustworthy they think the sites are.
If you are reading this blog, I am sure you know this already.

I just wanted to point out that this is happening in Japan as well: a popular online shop for PCs (GENO) was hacked recently and was actively exploiting anyone who stopped by...
This is surely not the first time, nor will it be the last, that this has happened.

One other interesting thing was that malware found its way on to SSD drives of a Japanese maker...

I don't like it when I have to analyze hardware I buy for malware before I plug it in...
I would like to be able to trust the vendor to at least not put or let viruses get in their hardware.

I know this is not the first time viruses got shipped out on hard drives to some lucky consumers but for a country that provides such amazing quality in their services I was expecting a little better QA here...



Plagiarism in Japan

I thought I talked about plagiarism in Japan before somewhere, but I forget where..
Anyways, plagiarism is viewed pretty differently than most Westerners outside of Japan know it. I remember being highly advised to make sure I do not plagiarize anything I write from back in grade school and I think I've heard the same thing every year after that until I graduated from college.

For whatever reasons, this sort of lecturing and strict enforcement does not happen as much in Japan. (Note that this claim is only from personal experience and asking friends so I would love to hear if someone says otherwise!)

One thing that supports my claim though is that there is not even a word for "plagiarism" in Japan! It indeed is starting to become a problem here as this was the theme for one day on "Close Up Gendai", an investigative news program from NHK that I think is somewhat comparable to 60 Minutes in the U.S.
However, since there is no word for plagiarism, they spent the whole time warning the masses of the new problem of "Kopi Pe"!! ("Kopi Pe" (コピペ) is the Japanese abbreviation of "Copy & Paste")
These irresponsible no-good kids are apparently using technology for evil purposes such as finishing homework and reports by merely copying and pasting what others have written and passing it off as their own!

Yesterday, more attention was brought to this issue thanks to some net-savvy viewers of TV Asahi who called them out. TV Asahi recently broadcast a show called "Lie Busters", a sort of rip off of Myth Busters but with fewer explosions, that gave a sort of pop quiz game show to bust the myths that many Japanese have about various subjects. They apparently referenced 6 different online blogs as proof (because we all know we should believe whatever someone writes in a blog as facts, right?), however they forgot to mention that these blogs were fabricated by the TV show's staff members!

Whoops! Apparently, people in Japan know how to use Google as well as the rest of the world and are able to search for given strings to find the original sources. Somebody should have informed the show creators of that beforehand!

Anyways, they were found out when angry viewers reported that these blogs didn't exist, and TV Asahi apologized deeply for this. They even replaced the Lie Busters' homepage with an apology letter expressing how sorry they are as well as how they received a "strict warning" as punishment from the Ministry of Internal Affairs and Communications.

In the Lie Busters staff's defense, they say they only fabricated the blogs because they could not receive copyright permission in time to show screenshots of the blogs. (Yes, copyright laws in Japan have not been updated for centuries now and do NOT include fair use. This causes a whole bunch of problems which I will one day write about in more detail, but for now that means that yes, simply posting a screenshot of a person's blog even if you black out everything except for one word and keep everything anonymous will still result in copyright infringement.)
However, it didn't sound too good when they said that they reproduced the blogs from memory and they don't know where the links to the original sources escaped to....

Now that this is getting media attention, people will surely start cracking down on this issue.

The picture of The Rock body slamming a panda does not have anything to do with this but it was the funniest picture I found when doing an image search for "lie buster".

The second funniest was this ad for a sleeping bag that you can walk in!! Ingenious!!! The Japanese know how to innovate anything!
Yeah, I think I am breaking Japanese copyright laws for posting a screenshot of the apology from Asahi TV but since Blogger's (Google's) servers are in the U.S., I will fight for my fair use rights!!! Hopefully I will win and not be subjected to a public lashing for my heinous crime...

Have a nice day!




Getting hot hOT HOT!

The security scene in Japan has definitely improved in the last year and people are surprised about how many security "study gatherings" there are around the country now. (Although the hacking scene is still probably lamer than the hacking scene was back in '98 in the U.S.)
I have been going to security conferences here for the past couple years and besides the international conferences (BlackHat Japan, PacSec, etc...), all of the conferences I have been to are full of elderly manager types in suits who want to get in on this security thing but can only see a strange black box and have little idea what's inside. Little to no technical goodies.

Last weekend was the first Japanese security gathering that I thought was interesting. A couple semi-famous Japanese hackers bullet trained down from Tokyo to host the gathering. There were about 50 people, half of whom came from very distant places just for the event. We just went over some of last year's Defcon CTF problems mixed with some original problems. It was only from 13:00-17:00 or so, so it is hard to really learn a lot in that short of a time. But I did find it somewhat interesting.

There is finally a small group of semi?-talented hackers here that have finally decided to get serious about hacking. They are extremely determined to make it into this year's Defcon CTF.

I find it funny that probably the biggest motivation for this is not for self improvement or for purely the love of hacking, but to not lose to South Korea!
In recent years, South Korean hackers have gained some "skillz" and the two teams apparently did quite well in last year's Defcon. They even have a CTF in Korea, "CodeGate", with probably the largest monetary award for the winners for a CTF that I have seen. (As you can see, Japan is not doing well compared to others...)

So I forget who were the Korean hackers and what exactly they did but I guess there were some Korean hackers that while flaunting their l33t haXin skillz, they were wearing this shirt or something to that effect...
For those of you who do not know, Dokdo is the name of an island that is almost equidistant between South Korea and Japan which both countries claim as their own territory. This was big in the news a couple months ago when many South Koreans got super pissed off after Japan wrote in their textbooks that this small useless island where only Koreans live was actually part of Japan.

So it is the classic "Hacker Ego" scenario. Someone angers your ego by saying they are smarter than you so you devote all of your time just to try to prove that you are actually better/smarter than them.

Well, whatever gets the fire burning I guess.....


Fighting Flames with Fire

This is somewhat old news, but last month (Feb 6th), 19 individuals were referred to prosecutors (criminally charged without being physically arrested) for posting death threats and false allegations to the blog of a comedian, Smiley Kikuchi. Smiley Kikuchi is a minor comedian who has had false allegations (defamation) written about him for the past decade, claiming he was involved in a murder case back in 1989. His talent agency was forced in the past to shut down a forum due to the flood of misplaced malice directed toward him.

Kikuchi was mistakenly accused of being one of the murderers due to being a similar age to the criminals (born in 1972) and hailing from the slummy areas of Adachi-ku where the crime happened. According to Smiley himself, the rumors showed up verbatim in a “taboos of the entertainment industry” book, which his tormentors then used to back up their claims. It did not help Kikuchi that he has based his whole comedy career on being a jerk. His own boss describes him as “a suspicious person you’ll never forget once you’ve seen him,” and Wikipedia summarizes his comedic style as “getting laughs by saying mean things with a big smile on his face.” Not exactly a charmer.

Now after setting up a new blog with Ameblo earlier last year, Kikuchi enabled comments between January and April, using a system specially designed for celebrity bloggers. All comments appeared immediately on the site but were then subjected to moderation, usually resulting in harmful comments being deleted after 15 minutes. During this time Kikuchi was apparently still inundated with the age-old accusations in the comments section, until he finally suspended blogging in May (it is back up now). Though Ameblo initiated a pre-clearance moderation system in May, Kikuchi has explained that he filed a complaint with the police after he started receiving threats offline and began fearing for his life.

The police then traced back and filed criminal charges against 19 people all throughout Japan ranging from a 17-year-old girl to a 45-year-old guy. Perhaps because in Japan people can not say what they truly want or criticize others in person due to social pressures, they go crazy when they find an assumed anonymous medium such as the Internet. (Although it is just my gut feeling, it seems that I see a lot of unnecessarily mean comments on Japanese forums which I recall seeing a lot of in the past in the States, while I am starting to see less and less of unnecessarily mean comments with more respectful ones in the U.S. Perhaps it is because after years of receiving and seeing these ugly negative comments people are finally realizing that that is not nice and it is better to be polite and respectful even if you will never meet them in person and they probably won't be able to track you down and physically harm you even if you talk bad about them... I could be wrong though... There is still too much negativity and ignorance out there... (I admit I too have foolishly fallen victim to writing negative things which I highly regret later on...))

Anyways, I do not think there have been any other cases where people have been arrested for merely flaming a person? This certainly would never happen in the U.S. Please let me know if you know of any related cases though.

I do think people who make death threats on the Internet should be arrested. That's just not cool, right? I think if you have a problem with people flaming or trying to defame you publicly, you should just moderate your posts before they go public. And if you get negativity privately, probably the best action is to just delete the email, pray to Buddha that that person will realize their foolish ways and better themselves, and forget about it.
The problem with people making death threats on the Internet is that they can be anonymous and you never know if they are telling the truth. There have been several new agencies created to monitor the Internet for these threats after the big incident where one crazy guy ran a truck into some people and then went on a stabbing spree killing 7 people in Tokyo's famous electric town, Akihabara. He was ranting on online forums that he was going to commit this horrendous killing spree in this exact fashion months prior, but no one took him seriously.

However, what do you do when the Yokozuna gets an anonymous death threat on the net? Do you stop the Sumo tournament for the day? Or put everyone who comes in through metal detectors and piss off a few thousand people?

This is certainly not a simple problem to solve.

This is not the first time that Japanese celebrities have had trouble with defamation on their blogs, but is surely the most well known now as the media went crazy about this after people started getting semi-arrested.

Also, this is not just a problem for Japan. The other major incident was when Jin-sil Choi, Korea's top actress was found dead after she committed suicide. The reason was: depression from being flamed on the Internet.

While many people around the globe can just shake off negative criticism like it's nothing, most people in countries like Japan and South Korea are EXTREMELY sensitive to what others say about them. Even myself... just living in Japan, I have completely changed from an "I don't care what others think! Whatever! I'll do what I want!" typical American to an "I have to focus all of my strength on making sure I do not make a single regret in anything I say or do publicly that could directly or indirectly risk anyone thinking badly about me" typical Japanese.

(Even Linus admits that the reason that not more Japanese people work on the Linux kernel is not because of language barriers but due to culture barriers of most Japanese not being able to put up with the "fairly abrasive and impolite" flaming that goes on in the mailing lists.)

This huge culture difference will probably result in drastically different punishment and handling of online flaming in the future...



Jumping to Conclusions?

On Feb. 26th, Finjan, a secure web gateway vendor, wrote on their blog that there is a possible "Sino-Japanese Cyber War" going on....

This is completely groundless and it seems that they just got caught up with the recent media headlines as calling everything a "cyber war between countries" or "cyber terrorists" is what all of the cool kids are doing these days.

They found out that two highly popular blogging sites in Japan, livedoor and yaplog, were hacked through a web application vulnerability and used to distribute malware that is downloaded from servers located in China.

Yea, I think I've heard this same story about 100 times for the past 2-3 years now.

They conclude the blog with:
"This Chinese attack is very popular and is known to infect hundreds of websites all over the world. However, we can’t ignore the fact that two very popular Japanese websites were infected in such a short period of time."

Well, I do not see any logical reasoning that just because the attackers and the victims happen to reside in countries that have had a certain history a long time ago means that this was a politically motivated attack. They were probably just looking for easy targets that get lots of hits... And is it really a Sino-Japanese War if the attacks are only happening from one side and it is nothing really out of the ordinary??

Now if they reported that this malware infected users creating a botnet which was then used to DDoS the Yasukuni Shrine website or if the Chinese hackers posted a message on the homepage of either site specifically stating "We are Chinese hackers, we hacked you because we dislike what Japan is doing, etc...", like some Chinese hackers have done in the past, then maybe this might be interesting.

Even the consensus from the comments on slashdot.jp was "Yeah, whoever wrote this blog posting is an ignorant foreigner that doesn't understand the meaning of his words" (referring to the "Cyber Sino-Japanese War").

For more information about Chinese hackers, I highly recommend checking out The Dark Visitor.

Finjan MCRC Blog - Cyber Sino-Japanese War?


Japan and the iPhone

Although not related to security, it seems to be a hot topic these days so I figure I would throw in my two cents.

Last Friday, someone was spreading rumors that Japan hates the iPhone.

This was followed up a couple days later with someone claiming that this was all a lie.

I mostly agree with the second article.

I think there is a big misconception outside of Japan regarding cellphones here. Yes, we all know that Japan is several years ahead of the rest of the world IN HARDWARE but it doesn't mean Japan has the best cellphones in the world. That is mainly because fancy hardware alone does not make a good phone. You need both good hardware and good software. And by far, the iPhone has the best software available to a phone that I have seen. (Although Android is probably going to catch up or surpass it in the next couple years...) There is no other phone in Japan with as big of a screen, a full-fledged web browser (although not perfect...), millions of apps to satisfy your every need, etc... (although it would be much better if it was jailbroken by default).

Yes, the camera sucks compared to all of the cameras in phones here, but when I ask my friends about it they say it is not a big factor in determining a phone. No, you can not charge money on it, or watch TV like with some local cellphones but people who actually use those functions are still an extreme minority.

I have only seen one DoCoMo P905i in real life, which the first article claims is what everyone in Japan wants, and the person who owned it was American! And he does not even use any of the special features! It is completely false. That phone is way too expensive for anyone to buy here and just has extra fancy features that few would utilize.

All of the friends here that I showed the iPhone to are very impressed and say they want one really bad.
The reasons why they do not buy one are:
1. No one I know has extra money to spend on a new cellphone even if it is only around $200. (Yes, the economy is bad and everyone is strapped for cash...big time...)
2. They can't change their carrier. The second article has some great insight into why people do not like Soft Bank and would rather stick with their DoCoMo or AU.
3. They have no idea how to use it or what it is capable of.

Also, when the iPhone first came out, there was not very good marketing so no one knew what you could actually do with this phone. It got very bad reviews because the phone calls would drop, the browser would always crash, it didn't support emoji, etc...
Although all of these things have been fixed in the latest firmware, everyone still has the perception that this phone is nothing but problems.

Although it has emoji support now, it is still kind of lame and I can't put in as cool of images as my friends can do with their phones. Everyone I know is pretty crazy about having these cute little images in their text messages so this is actually still a big issue.
Also, typing on a touchscreen takes time getting used to and it is very difficult to do with one hand. This is also a big problem because most people do a lot of text messaging or fiddling with their phones on the trains where they need one hand to hold on to something so they only have one hand to manipulate their phone.

So Japan hates the iPhone as much as the U.S. hates Apple.
It is seen as a rich snobby person's toy that is impossible to use because they are not used to it.
It is the same reason why most of the world does not use OS X despite it being a much superior operating system to Windows XP. They do not want to spend the time to learn a new OS, they do not want to pay for switching costs, there is a perception that all Macs require you to take out several loans in order to purchase, etc...

I do not want to make any specific predictions of the future but I have a feeling that the iPhone will slowly but surely start replacing Japanese phones just like Macs are slowly but surely replacing people's PCs around the world.


Month of Information Security

Although most people do not know (even I didn't until now), February was the "Month of Information Security" in Japan, sponsored by NISC (the National Information Security Center).

In other parts of the globe, a "Month of Security Awareness" (MoBB, MoPB, MoAB) means some extremely talented hacker guy (or girl?) in his free time releases ±30 zero day exploits and vuln. information for widely deployed systems that results in quite a strong message regarding the security claimed by the vendors and reality.

In Japan, a month of security awareness means that you have seminars all over the country where people dressed up in suits who know enough about computers to operate Windows XP, Outlook and Office get together to talk about all of these scary security issues such as winny, botnets, viruses, keyloggers, etc... No, there are no zero days, no hands-on training, or anything of that sort.

So with large organizations and millions of yen of tax money, how do we fight for better information security, you ask???

With this!

Yes, that's right. The "Information Security Rangers" will save the day! Right now they still do not have any reverse engineering, penetration testing, malware analysis, or networking skills but they can sing a cute song that informs the world about spam, viruses, firewalls and the monsters living in the internet trying to get your personal information!

You can check out the music video here. Hopefully this year it will win a pwnie for best song of 2009.

Although I feel much more aware of the dangers of computers and the internet thanks to that minute and a half song, security is a very serious issue and we really need one more layer of awareness if we really want to be certain that the entire public is fully conscious of information security issues.

So that is why METI (the Ministry of Economy, Trade, and Industry) invested a heavy sum of tax money into creating CHECK PC!.

CHECK PC! is a site where Securina, two anime/doll-like girls, teach you about the dangers of IT security such as phishing and viruses. They also have a music video here.

Although personally if I was in charge of the METI and had millions to spend on security awareness, I would probably prioritize marketing to a wider audience instead of just to Japanese girls age 6-9.
However, I suppose that is just as important a group and needs security education as much as everyone else.