Category Archives: Geographic

How to hack a hackathon, by a 42-year-old guy?

At 42 years old, I joined a travel tech hackathon for the first time 2 days ago: the Sabre Destination Hackathon here in Singapore. Installing Eclipse and reading API docs brought back a lot of memories of when I started my career 15 years ago as a Java developer. In the end, I won a small prize by developing a Sabre Red App widget that shows relevant credit card offers when shopping for flights and hotels. As a first-time Red App developer, it was a real surprise that a proof-of-concept demo could win support from the audience and judges.


I registered hoping to find developers to create a VoIP app using Twilio APIs connected to the Powerdata2go portable Wi-Fi router, which has global coverage. However, after listening to the Red App presentations, I found that the Red Workspace is a uniquely positioned platform. Then, with coaching from two awesome Sabre development leads (Alexandre Meneghello and Julian Macagno) and hours of reading the SDK documentation, I managed to create my first Red App widget. The process of bouncing ideas around, implementing one right away, staying focused, debugging and finally seeing it working within 24 hours was the greatest reward. Obviously, the endorsement from the judges was a bonus.

A hackathon is like a new intellectual sport, where like-minded people (regardless of age) join and compete on ideas and coding skills. Below are a few things I noted in these 2 days.

1. Be there early and talk to people.

The people you meet at a hackathon participate for many reasons. You will likely bump into students, freelancers and even industry people trying to learn coding. With a room so diverse, a hackathon becomes an excellent opportunity to meet new people, not only coders. Also talk to the organizer team: get to know their business, challenges, competition and product roadmap. Most hackathons have a commercial goal, be it launching a new product or platform, building an ecosystem or just brand awareness. The organizers are more than happy to share their views, since they want you to help them find new ideas and new projects. Their sales, marketing, technical and even finance people may be there. There is no better place to learn.

2. Join a chat room

Nowadays there is a chat room for every development project, as email is no good for real-time team communication. Expedia development manager Poi created a HipChat room for people to ask questions about the Expedia APIs. I joined and discovered lots of interesting questions. Reading their questions and comments helped me understand the different challenges facing mobile apps and web apps. The exchange of ideas and problem solving skills


After this event, I believe chat room interactions are an invaluable asset for recruiters. I would suggest recruiters join each chat room and listen to the conversations. A friend also joined, trying to recruit developers with a passion for travel tech. I saw her talking to participants, distributing business cards and encouraging developers to learn more about her new iOS app. This way she cast her net wide and tried to talk to as many developers as possible. Another way is to be more focused and do research in the chat rooms. Find out which users are asking relevant questions, contributing answers and showing good manners. These are the right people to work with: they are focused on their project and helping others achieve their goals. Then send them an email to invite them for a coffee. During the hackathon, a developer would rather spend time on their code; there are tons of improvements they can make. There is no time for a recruiter.

3. A good chef cooks with what is given to them

Unless you have a workable product ready and plan to showcase it, I suggest keeping your mind open and exploring possibilities. Within 24 hours there is not enough time to build a full-featured app, and your brilliant idea may be totally trashed by poor execution. Let people share their experiences, identify the real problem statement together and co-create a solution. It is far more collaborative and also builds friendships. After all, a hackathon is like a sport, where people participate to make friends and enjoy the process.

Writing this piece helped me recognize that a hackathon is very much like a sport, where people and teams compete to achieve a certain goal within a defined time. Just like any sport, there are amateurs, professionals and observers. The younger and more energetic ones will definitely enjoy the party and the football table. But even if you are not a coder or consider yourself too old, it is still an excellent opportunity to collaborate with people of different skills, cultures and ages.

Feel free to leave your comments and connect with me on LinkedIn or Twitter.

Smart Nation is a process

If you have ever taken the MRT to Singapore's Ayer Rajah Crescent startup community at Blk 71-79, you will know there is a traffic light about 100 meters to the right of the exit. A typical traffic light: open area, under the sun, wait 60 seconds and walk for 10 seconds. Nothing special. However, if you are a native of this community or a savvy frequent visitor, you will most likely take THE shortcut.

Few people accept this sub-par but safe design; the community votes with its feet and jaywalks across moderately busy two-way traffic. They choose to take the risk and decide their own fate.

Today I found out that, with enough people jaywalking, LTA or JTC responded. Not with a permanent fence or an intimidating notice. They were adaptive and officially ended the jaywalking with a pavement!


(Photo caption: before the pavement was built)


Having worked in the Singapore government before, I know LTA has SOPs on where, how and what kind of traffic light should be placed. It must have been well articulated internally, like thousands of other traffic lights. Each traffic light installation is a science, choosing the optimal use of resources while taking into consideration all stakeholders: car owners, pedestrians and traffic flow. No matter how well planned it is, users still choose their own best option, balancing risk and reward. In this traffic light case, the young, confident and time-conscious geek community chose jaywalking.

A smart nation is not about collecting user behavior data and crunching it to exert control. It is about being adaptive and making an intelligent move when the data suggests you were wrong. LTA and JTC did it. I am hopeful other government agencies will follow suit.

Privacy Protection Principles: comparing ISO 29100 with Singapore and Hong Kong legislation

ISO/IEC 29100:2011 Privacy Framework is now a publicly available document, and it offers a comprehensive framework. The Hong Kong and Singapore governments have both enacted privacy regulations; I compare both regions' privacy protection requirements with ISO 29100. Below is a summary table. I will write more on each comparison later.

Columns of the summary table: ISO 29100:2011 eleven privacy principles / Singapore nine data privacy obligations (PDPA) / Hong Kong six data protection principles (DPPs).

Clause 5.2 Consent and choice
  • Singapore: The Consent Obligation (PDPA sections 13 to 17): An organisation must obtain the consent of the individual before collecting, using or disclosing his personal data for a purpose.
  • Hong Kong: DPP3: unless the data subject has given prior consent, personal data shall be used for the purpose for which they were originally collected or a directly related purpose.

Clause 5.3 Purpose legitimacy and specification
  • Singapore: The Purpose Limitation Obligation (PDPA section 18): An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.
  • Hong Kong: DPP1: personal data shall be collected for a purpose directly related to a function and activity of the data user; lawful and fair collection of adequate data; data subjects shall be informed of the purpose for which the data are collected and to be used.

Clause 5.4 Collection limitation
  • Singapore: The Purpose Limitation Obligation (PDPA section 18), as for Clause 5.3.
  • Hong Kong: DPP1, as for Clause 5.3.

Clause 5.5 Data minimization
  • Singapore: No direct equivalent requirement.
  • Hong Kong: No direct equivalent requirement.

Clause 5.6 Use, retention and disclosure limitation
  • Singapore: The Retention Limitation Obligation (PDPA section 25): An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that (i) the purpose for which the personal data was collected is no longer being served by retention of the personal data, and (ii) retention is no longer necessary for legal or business purposes.
  • Singapore: The Transfer Limitation Obligation (PDPA section 26): An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA.
  • Hong Kong: DPP2: all practicable steps shall be taken to ensure the accuracy of personal data; data shall be deleted upon fulfillment of the purpose for which the data are used.
  • Hong Kong: “Prohibition against transfer of personal data to place outside Hong Kong except in specified circumstances” is in the legislation but not yet in operation.

Clause 5.7 Accuracy and quality
  • Singapore: The Accuracy Obligation (PDPA section 23): An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete if the personal data is likely to be used by the organisation to make a decision that affects the individual concerned or disclosed by the organisation to another organisation.
  • Hong Kong: DPP2, as for Clause 5.6.

Clause 5.8 Openness, transparency and notice
  • Singapore: The Notification Obligation (PDPA section 20): An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual's personal data on or before such collection, use or disclosure of the personal data. (No Hong Kong entry is given for this obligation.)
  • Singapore: The Openness Obligation (PDPA sections 11 and 12): An organisation must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available.
  • Hong Kong: DPP5: formulates and provides policies and practices in relation to personal data.

Clause 5.9 Individual participation and access
  • Singapore: The Access and Correction Obligation (PDPA sections 21 and 22): An organisation must, upon request, (i) provide an individual with his or her personal data in the possession or under the control of the organisation and information about the ways in which the personal data may have been used or disclosed during the past year; and (ii) correct an error or omission in an individual's personal data that is in the possession or under the control of the organisation.
  • Hong Kong: DPP6: individuals have rights of access to and correction of their personal data. Data users should comply with data access or data correction requests within the time limit, unless reasons for rejection prescribed in the Ordinance are applicable.

Clause 5.10 Accountability (including data breach notification)
  • Singapore: No direct equivalent requirement.
  • Hong Kong: No direct equivalent requirement.

Clause 5.11 Information security
  • Singapore: The Protection Obligation (PDPA section 24): An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
  • Hong Kong: DPP4: all practicable steps shall be taken to ensure that personal data are protected against unauthorized or accidental access, processing or erasure.

Clause 5.12 Privacy compliance
  • Singapore: No direct equivalent requirement.
  • Hong Kong: No direct equivalent requirement.

Microsoft tries to address PKI issues in IE11 (SmartScreen and SNDS)

Digital certificates are widely used and the Internet cannot work without them. However, PKI (the framework digital certificates are based on) has lots of issues. Last year, at the ISO SC27 meeting at ENISA, there was a special session on PKI. Many issues were only raised without a conclusion, as with most issues brought to international meetings.

Microsoft, with a 10% to 20% footprint of the browser market (depending on which report you read), is taking steps to manage this madness. A recent blog post, “A novel method in IE11 for dealing with fraudulent digital certificates”, explains their strategy. I think Microsoft's action is very responsible and will help to mitigate issues with fraudulent digital certificates. A certificate and its associated private key are very sensitive and must be handled with security in mind. In my over 10 years of audit experience, I have seen many engineers and administrators treat a private key the same as a configuration file. In most enterprises there is a general lack of documented procedures or best practices for administering digital certificates. Malicious attackers may abuse this weakness and create fraudulent certificates.

In IE11, Microsoft uses the SmartScreen Filter to detect and report high-risk uses of certificates. Three scenarios are explained in the blog post:

“1. A website is using a certificate that is capable of being used as a subordinate CA. This would indicate the certificate has been issued wrongly.

2. If a website suddenly presents a different certificate only to a certain region where a different CA issued the certificate. This might indicate a possible MITM attack in a specific country or region.

3. There was a sudden and significant change in the fields a CA includes in certificates it issues. For example, omission or change in the OCSP responder location. This would indicate a CA was either compromised, or has not followed standard operating procedures.”

There is a practicality issue with item 2 above for a 24×7 website. Suppose Apple's administrators update the SSL certificate at midnight; APAC region users will be the first batch of users to see this updated, and therefore different, certificate. Will IE11 warn users about this new SSL certificate even though it was updated as part of a normal renewal? I hope Microsoft will add intelligence to their detection algorithm and take into consideration the effective dates of the old SSL certificate.
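As an added example (not Microsoft's code and not from the blog post), here is a small Python model of the three SmartScreen scenarios quoted above, run over constructed certificate sightings, together with the renewal-aware check this paragraph asks for: a regional issuer change is downgraded when the certificates seen in the other regions are about to expire. The record fields, the 30-day window and the alert labels are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass(frozen=True)
class Observation:
    """One certificate sighting reported by a client (constructed record shape)."""
    domain: str
    region: str
    issuer: str
    is_ca: bool              # basicConstraints CA flag on the presented leaf cert
    ocsp_url: Optional[str]  # OCSP responder location carried in the cert
    not_before: date
    not_after: date

RENEWAL_WINDOW_DAYS = 30  # assumption: baseline certs expiring this soon suggest a rollover

def check_leaf_is_ca(obs: Observation) -> List[str]:
    """Scenario 1: a website presenting a certificate that could act as a sub-CA."""
    return ["leaf-is-ca"] if obs.is_ca else []

def check_regional_issuer(history: List[Observation], obs: Observation, today: date) -> List[str]:
    """Scenario 2: one region sees an issuer that the other regions do not see."""
    baseline = [h for h in history if h.domain == obs.domain and h.region != obs.region]
    if not baseline or obs.issuer in {h.issuer for h in baseline}:
        return []
    # Renewal caveat: if every cert seen elsewhere is close to expiry, the new
    # issuer is more likely a scheduled replacement than a regional MITM.
    if all((h.not_after - today).days <= RENEWAL_WINDOW_DAYS for h in baseline):
        return ["issuer-changed-likely-renewal"]
    return ["issuer-changed-regional"]

def check_ca_profile(history: List[Observation], obs: Observation) -> List[str]:
    """Scenario 3: the CA's profile changed, e.g. the OCSP responder moved or vanished."""
    prior = [h for h in history if h.issuer == obs.issuer]
    if prior and obs.ocsp_url not in {h.ocsp_url for h in prior}:
        return ["ca-profile-changed"]
    return []

def classify(history: List[Observation], obs: Observation, today: date) -> List[str]:
    """Combine the three heuristics into the list of alerts for one sighting."""
    return (check_leaf_is_ca(obs)
            + check_regional_issuer(history, obs, today)
            + check_ca_profile(history, obs))

# Constructed baseline: the same CA-A certificate seen from the US and the EU.
HISTORY = [
    Observation("shop.example", "US", "CA-A", False, "http://ocsp.ca-a.example", date(2014, 1, 1), date(2015, 1, 1)),
    Observation("shop.example", "EU", "CA-A", False, "http://ocsp.ca-a.example", date(2014, 1, 1), date(2015, 1, 1)),
]

def demo() -> dict:
    """Three constructed sightings: a mid-year regional issuer change, the same change
    seen just before the baseline expires, and a CA-capable leaf with no OCSP URL."""
    apac_other_ca = Observation("shop.example", "APAC", "CA-B", False, "http://ocsp.ca-b.example", date(2014, 6, 1), date(2015, 6, 1))
    apac_ca_leaf = Observation("shop.example", "APAC", "CA-A", True, None, date(2014, 1, 1), date(2015, 1, 1))
    return {
        "regional-change-mid-year": classify(HISTORY, apac_other_ca, date(2014, 6, 1)),
        "regional-change-near-expiry": classify(HISTORY, apac_other_ca, date(2014, 12, 20)),
        "ca-capable-leaf": classify(HISTORY, apac_ca_leaf, date(2014, 6, 1)),
    }

if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name}: {alerts}")
```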

Another important control Microsoft implemented is that “domain registrants could be notified by email when new certificates with their domain names appear in our database. The domain registrant would have the option to report suspicious certificates to us and notify the CA to revoke the suspicious certificate.” In short, Microsoft is sharing the uses of certificates for a specific domain with whoever claims to be the domain owner. The domain owner will need to take action accordingly. This is a responsive strategy that works by increasing transparency. (There is a new trend in the security industry of sharing information and responding in a timely manner, in addition to the defence-in-depth principle. I will write on this trend later when I finish reading “Responsive Security” by Meng-Chow Kang.)

It is a perfect design in theory. My first question is: who reads such warning emails? Does the email recipient understand the risks when they are reported by SNDS? Time will tell.


Cloud Computing in the Singapore Financial Industry

The cloud computing industry is well developed in Singapore, so it is not a big surprise to see that the MAS TRM guidelines have a section dedicated to cloud computing. Reading the document as a whole, it seems MAS is accepting the fact that cloud computing is, or will be, part of the financial industry's development.

Section 5.2, Cloud Computing, is grouped under a bigger topic, IT Outsourcing. For banks, the use of third-party computing resources is indeed a form of outsourcing. Operationally and legally, the relationship between banks and cloud service providers is not much different from any other outsourcing relationship.

From the text “Outsourcing can involve the provision of IT capabilities and facilities by a single third party or multiple vendors located in Singapore or abroad.”, one can assume that outsourcing to overseas cloud computing is possible. The statement does not restrict Singapore data from being stored or processed abroad. This is important, as most international organisations host their applications centrally in regional hubs. However, it does have some catches.

The TRM guidelines (5.2.3 and 5.2.4) do not discuss much of the technical side of cloud computing; rather, they stress the importance of data governance, which includes data segregation and removal of data on exit. I believe this is due to the enforcement of the banking secrecy principle (more details are available on the MAS website).

In a cloud computing setup, deleting all information related to one entity is tricky and costly. It would be possible for an IaaS deployment, where the data are stored in disk images. For SaaS or other data services, identifying every piece of data owned by the exiting entity will be a daunting task! The data schema must be able to cater for this unique requirement. Unless it is considered when the cloud service provider is developing the system, the cost of manually deleting data is going to escalate.
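As an added example (not from the TRM guidelines or any provider's code), here is a Python sketch of what "the data schema must cater for removal on exit" looks like in practice: every tenant-owned table carries a tenant_id, so offboarding a tenant is one transaction whose result can be re-counted and proven empty, while a table built without the column is surfaced as the costly manual case. The schema, table names and rows are constructed sample data.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed SaaS-style schema. accounts and txns carry a tenant_id so that
# per-tenant removal is a plain predicate; audit_log was built without one and
# illustrates the costly case the post warns about.
SCHEMA = """
CREATE TABLE accounts  (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, holder TEXT);
CREATE TABLE txns      (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, account_id INTEGER, amount REAL);
CREATE TABLE audit_log (id INTEGER PRIMARY KEY, message TEXT);
"""

def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding two tenants' constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts (tenant_id, holder) VALUES (?, ?)",
                     [("bank-a", "alice"), ("bank-a", "bob"), ("bank-b", "carol")])
    conn.executemany("INSERT INTO txns (tenant_id, account_id, amount) VALUES (?, ?, ?)",
                     [("bank-a", 1, 10.0), ("bank-a", 2, 5.0), ("bank-b", 3, 7.5)])
    conn.executemany("INSERT INTO audit_log (message) VALUES (?)",
                     [("bank-a: login",), ("bank-b: login",)])
    conn.commit()
    return conn

def split_tables_by_tenant_column(conn: sqlite3.Connection) -> Tuple[List[str], List[str]]:
    """Return (tables that have a tenant_id column, tables that do not)."""
    names = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    tagged, untagged = [], []
    for name in names:
        cols = [c[1] for c in conn.execute(f"PRAGMA table_info({name})")]
        (tagged if "tenant_id" in cols else untagged).append(name)
    return tagged, untagged

def offboard_tenant(conn: sqlite3.Connection, tenant: str) -> Dict[str, object]:
    """Delete every row owned by `tenant` in one transaction, then re-count to prove
    nothing is left. Tables without tenant_id cannot be handled here and are reported
    so they can be scheduled for manual review."""
    tagged, untagged = split_tables_by_tenant_column(conn)
    deleted, residual = {}, {}
    with conn:  # commit on success, roll back if any statement fails
        for table in tagged:  # table names come from sqlite_master, not from user input
            deleted[table] = conn.execute(f"DELETE FROM {table} WHERE tenant_id = ?", (tenant,)).rowcount
        for table in tagged:
            residual[table] = conn.execute(f"SELECT COUNT(*) FROM {table} WHERE tenant_id = ?", (tenant,)).fetchone()[0]
    return {"deleted": deleted, "residual": residual, "needs_manual_review": untagged,
            "verified": all(n == 0 for n in residual.values())}

def remaining_rows(conn: sqlite3.Connection, table: str) -> int:
    """Row count left in a table, used to confirm other tenants were untouched."""
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]

if __name__ == "__main__":
    db = build_db()
    print(offboard_tenant(db, "bank-a"))
```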


What a 4-hour RTO means

In my last post I mentioned an analysis done by a group of VCPs. In their presentation, one slide is worth more discussion: the 4-hour RTO defined in the MAS notice to banks.

Recovery time objective is a well-established concept, and I have been seeing it in large-scale project design documents and also in procurement RFPs. Wikipedia has this definition: “The recovery time objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.”

The reader has to distinguish between recovering to full service and recovering to a service level. When disaster happens, everything has to be prioritized. Not all programs are equal when you have limited resources and time. We may not expect to pay a telephone bill via ATM when there is serious flooding, but we do expect the ATM to still let us withdraw money.

The slide (shown below) highlighted the time difference between when an event happens and when a disaster is declared. Due to the complexity of current systems and networks, fully assessing a system malfunction may take hours. Usually the incident handling procedure will require a few rounds of clarification (if not finger pointing) before senior staff are informed about the major outage. How a bank responds to an outage is now a critical element in meeting the MAS requirement on RTO. The authors of this slide contended that the time actually available is far less than four hours and that manual steps are not going to meet this requirement. I believe they do have a point.

Will the MAS TRM requirements and notice make 24×7 internet banking a white elephant? Let us wait until the 2014 DBS annual report and find out their cost ratio.


VCPs' technical analysis of the MAS Technology Risk Management guidelines

Since the Singapore MAS released the TRM guidelines last month, I believe many people are studying them (including me). The Big Four accounting firms are usually the most active in publishing explanatory reports and articles, with the purpose of generating more business leads.

However, a group of VMware Certified Professionals has taken the lead this time. They worked together and published a MAS TRM analysis report focusing on DR and virtualization. Some of the observations are valid. The document can be found on the VMware website.

A few I would like to share:

  • Process and committee oriented. No Agile and rapid innovation.
  • All social media sites, cloud-based storage and web-based email are classified as “unsafe internet services”. No technical fact is given to support why they are all insecure.
  • Trust no employee: sysadmins must be tracked.