Category Archives: Information security strategy

The colors of blockchain


blockchain colors

I am writing the next article on explaining blockchain to my wife, continuing the last one published on TechInAsia and Medium. Here is a prelude quoted from “RISKS AND OPPORTUNITIES FOR SYSTEMS USING BLOCKCHAIN AND SMART CONTRACTS”:

“Traditionally, these transactions are supported by trusted third-parties such as government agencies, banks, legal firms, accounting firms and service providers in specific industries. Blockchains provide a different way to support these transactions. Instead of trusting 3rd parties, we would trust a majority of the collective.”



NetBIOS resurrection

The ransomware incident is believed to be related to a Microsoft Windows vulnerability (MS17-010 – Critical) affecting Microsoft Windows SMB Server from Windows 2008 to Win7. The attack is on the Microsoft Server Message Block 1.0 (SMBv1) server.

When I was an IT auditor in banks, I always asked for justifications on using SMB services and opening port 137. It is a standard hardening procedure to turn off NetBIOS. I would have thought that after 10 years such procedures were still enforced.

The wide spread of this attack may mean that the IT security industry and its practitioners are too young for this dated protocol!
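An audit script for the hardening step described above (SMBv1 server off, NetBIOS over TCP/IP off), added here as an example and not part of the original post. It assumes a Windows 8 / Server 2012 or later host with the SmbShare and NetTCPIP PowerShell modules, runs elevated, and only reports unless `-Remediate` is passed:

```powershell
# Audit (and optionally remediate) the two legacy services the post discusses.
param([switch]$Remediate)

# 1. SMBv1 server: the protocol targeted by MS17-010.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server is ENABLED"
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output "SMBv1 server disabled"
    }
} else {
    Write-Output "SMBv1 server is disabled"
}

# 2. NetBIOS over TCP/IP per IP-enabled adapter.
#    TcpipNetbiosOptions: 0 = take DHCP setting, 1 = enabled, 2 = disabled.
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($a in $adapters) {
    if ($a.TcpipNetbiosOptions -ne 2) {
        Write-Warning "NetBIOS over TCP/IP not disabled on '$($a.Description)' (option $($a.TcpipNetbiosOptions))"
        if ($Remediate) {
            # SetTcpipNetbios is the WMI method on this class; 2 = disable.
            Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
            Write-Output "NetBIOS over TCP/IP disabled on '$($a.Description)'"
        }
    } else {
        Write-Output "NetBIOS over TCP/IP already disabled on '$($a.Description)'"
    }
}

# 3. Evidence for the audit file: anything still bound to the NetBIOS name
#    service (137/UDP, the port the post mentions) or SMB over TCP (445/TCP).
Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Disabling the SMBv1 server takes effect immediately; the NetBIOS change applies per adapter and may need a reboot on some builds to fully release port 137.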


On the Internet, the most clicked link is truth.


With information overload, we rely on algorithms to help us comprehend the world. In the end, algorithms and their creators are shaping reality. Data scientists will need to follow the same professional ethics as journalists.

“Google was built on the premise of truth,” O’Neil said. “Now that people on the internet love lying, Google is screwed.”

How to hack a hackathon, by a 42-year-old guy?

At 42 years old, I joined a travel tech hackathon for the first time 2 days ago, the Sabre Destination Hackathon here in Singapore. Installing Eclipse and reading API docs brought back a lot of memories of when I started my career 15 years ago as a Java developer. In the end, I won a small prize by developing a Sabre Red App Widget. The new widget shows relevant credit card offers when shopping for flights and hotels. As a first-time Red App developer, it was really a surprise that a proof-of-concept demo could win support from the audience and judges.


I registered hoping to find developers to create a VOIP app using Twilio APIs connecting with the Powerdata2go portable wifi router, with global coverage. However, listening to the Red App presentations, I found the Red Workspace is a uniquely positioned platform. Then with coaching from two awesome Sabre development leads (Alexandre Meneghello and Julian Macagno) and hours reading the SDK doc, I managed to create my first Red App Widget. The process of bouncing ideas around and implementing them right away, focused, debugging and finally seeing it working within 24 hours is the greatest reward. Obviously, the endorsement from the judges was a bonus.

A hackathon is like a new intellectual sport, where like-minded people (regardless of age) join and compete on ideas and coding skills. Below are a few things I noted in these 2 days.

1. Be there early and talk to people.

The people you meet at a hackathon participate for many reasons. You will likely bump into students, freelancers and even industry people trying to learn coding. With a room so diverse, a hackathon becomes an excellent opportunity to meet new people, besides coders. Also talk to the organizer team; know their business, challenges, competition and product roadmap. Most hackathons have a commercial goal, be it launching a new product/platform, building an ecosystem or just brand awareness. And the organizer is more than happy to share their views since they want you to help them find new ideas and new projects. Their sales, marketing, technical and even finance people may be there. There is no better place to learn.

2. Join a chat room

Nowadays, there is a chat room for every development project, as emails are no good for real-time team communication. Expedia development manager Poi created a HipChat room for people to ask questions on Expedia APIs. I joined and discovered lots of interesting questions. Reading their questions and comments helped me to understand the different challenges facing mobile apps and web apps. The exchange of ideas and problem solving skills

After this event, I believe chat room interactions are an invaluable asset for recruiters. I would suggest recruiters join each chat room and listen to the conversations. A friend also joined, trying to recruit developers with a passion for travel tech. I saw her talking to participants, distributing business cards and encouraging developers to learn more about her new iOS App. This way she cast her net wide and tried to talk to as many developers as possible. Another way is to be more focused and do research in the chat rooms. Find out which users are asking relevant questions, contributing answers and showing good manners. These are the right people to work with, who are focusing on their project and helping others to achieve their goals. Then send him/her an email for a coffee. During the hackathon, a developer would rather spend time on their code; there are tons of improvements he/she can make. There is no time for a recruiter.

3. A good chef cooks with what is given to them

Unless you have a workable product ready and plan to showcase it, I suggest keeping your mind open and exploring possibilities. Within 24 hours, there is not enough time to build a full-featured app, and your brilliant idea may be totally trashed by poor execution. Let people share their experiences, identify the real problem statement together and co-create a solution. It is far more collaborative and also builds friendships. After all, a hackathon is like a sport, where people participate to make friends and enjoy the process.

Writing this piece helped me to recognize that a hackathon is very much like a sport, where people and teams compete and achieve a certain goal within a defined time. Just like any sport there are amateurs, professionals and observers. The younger and more energetic ones will definitely enjoy the party and the football table. But even if you are not a coder or consider yourself too old, it is still an excellent opportunity to collaborate with people of different skills, cultures and ages.

Feel free to leave your comments and connect with me at LinkedIn or Twitter.

Smart Nation is a process

If you ever took the MRT to Singapore's Ayer Rajah Crescent startup community, Blk 71-79, you must know there is one traffic light about 100 meters to the right of the exit. A typical traffic light: open area, under the sun, wait 60 seconds and walk 10 seconds. Nothing special. However, if you are a native of this community or a savvy frequent visitor, you most likely will take THE shortcut.

Few people accept this sub-par but safe design; the community votes with its feet and jaywalks across moderately busy two-way traffic. They choose to take the risk and decide their own fate.

Today I found out that with enough people jaywalking, LTA or JTC responded. Not with a permanent fence or an intimidating notice. They are adaptive and officially ended the jaywalking with a pavement!


Before the pavement was built


Having worked in the Singaporean government before, I know there are SOPs in LTA on where, how and what traffic light should be placed. It must be well articulated internally, like thousands of other traffic lights. Each traffic light installation is a science, choosing the optimal use of resources while taking into consideration all stakeholders: car owners, pedestrians and traffic flow. No matter how well planned it is, users still choose their own best option balancing risk and reward. In this traffic light case, the young, confident and time-conscious geek community chose jaywalking.

A smart nation is not about collecting user behavior data and crunching the data to control. It is about being adaptive and making an intelligent move when the data suggests you were wrong. LTA and JTC did it. I have faith that other government agencies will follow suit.

Singapore on StackOverflow


Everyone is buzzing about big data these days. Without something interesting, I would rather be a reader or a member of the audience. Until now, while doing my own website research, I have noticed something which you may like to know too.

As an IT geek coming from Hong Kong and working in Singapore, I can’t remember how many times I was asked “How is Singapore different from Hong Kong?”. There are many similarities between these two ex-British colonies in Asia. People like to compare and contrast both economies on their business readiness, innovation and productivity. In many city indexes, Singapore and Hong Kong are often competing.

After living in Singapore for over 2 years, I usually answered the question based on my own observations and experience. For people who are more interested in food, I can talk about the difference in food in the two places. For someone who cares more about politics, I can talk about the difference in the election systems. So, in the context of the IT industry, “How is Singapore different from Hong Kong?” Which place has the better competitive edge? Which will better leverage IT advancements to support economic growth?

I have had the opportunity to meet with IT professionals from both the public and private sectors in Singapore. The Singapore Government's dedication to and investment in technology is impressive. We see many projects (some experimental) to reinvent this city state. Industry associations like the Singapore Computer Society and SITF are working hand in hand to build the competitive edge of Singapore in the IT arena. However, I am not a PR consultant and should dig deeper. With my IT engineering background, I am trained to be fact-based. So, instead of settling for a conclusion based on what I experienced or how I felt, I would like to finalize my conclusion with hard fact: Data!

So, I turned to Alexa, which is a website that tracks Internet usage and ranks websites in each region or country. The ranking of websites reveals how netizens surf the Internet, which tells a lot about their digital life and thus indirectly about the digital economy. From there, I looked into the Top 100 websites in Hong Kong and Singapore listed on the Alexa website.

First, it stunned me when I saw StackOverflow ranked 37th in SG but 57th in HK. This difference tells something about the IT industry in the two economies. StackOverflow is the most popular website for programmers globally. Developers and technical professionals share their knowledge via a forum-like platform. I myself find it most useful for undocumented features of programming languages & APIs. You don’t spend time on StackOverflow trying to find the next hotel deal or a sangria recipe. Developers spend time on StackOverflow exchanging ideas and sharing bug-killing joys.

When StackOverflow ranks higher in SG than HK, we may loosely read that the percentage of time SG people collectively spend on developing software is more than in HK (i.e. bug killing is more popular in SG). Yet, I believe it is more likely that SG has more developers or SG developers are harder working!

Absolute ranking in Alexa may be affected by seasonal or other technical issues, so it may not paint the true picture. To avoid such bias, let us use relative ranking, i.e. the distance between StackOverflow and other popular daily websites (I have chosen online banking and the local newspaper). Let us throw in a simple chart here.

(Chart: Alexa ranking comparison, screenshot taken 2015-11-29)

The left hand side shows the SG ranking of Online Banking (DBS.COM.SG), the Local Newspaper and StackOverflow-SG. The right hand side shows HK (HSBC, the local newspaper and StackOverflow-HK).

A shorter distance between popular websites and StackOverflow reconfirms our observations with absolute ranking. Singapore netizens are more geeky! Or, Singapore geeks are more active on the geek forum! More time is spent on analyzing IT and killing bugs. Just a caveat though: StackOverflow is mainly English; Hong Kong developers may prefer a similar forum in Chinese.


When double-checked against StackOverflow's own 2015 survey, Singapore has 31.7 devs per 1000 people: 6th globally, highest in APAC.

Even with user behavior data, the conclusion may still be too generalized. However, I do think this gives an encouraging picture to SG policy makers (IDA, ITSC, MDA, LTA etc.) and IT practitioners. Singapore has nurtured a culture for people to build and tinker. In the last two years, I have met with different communities (like Null Security, iOS Dev Scout, Lean Startup) full of energetic people sharing their experiences and dreams.


CCSP, a joint project from CSA and ISC2

(All comments and blog posts are personal opinions. Not related to any organisation.)

I would like to share exciting news about the Certified Cloud Security Professional (CCSP℠). This week I received an email from ISC2 awarding me the CCSP designation. The blue color of the CCSP (Certified Cloud Security Professional) logo from ISC2 resembles the sky on a sunny day. Same as the sky here in Singapore.

The risks of running applications and services on the cloud have been an impediment, and people (journalists in particular) tend to see the cloudy side! I was involved in many discussions on cloud security in my volunteer work in the CSA Hong Kong & Macau Chapter. Some of the concerns are valid, in particular the lack of experienced professionals and a knowledge framework.

CCSP, with the support of CSA and ISC2, is the answer to these concerns. In 2013, visionaries (like Aloysius Cheang from CSA APAC and Hord Tipton from ISC2) in both organisations joined together in response to market needs. In the past two years, a few other volunteers from CSA and I worked with ISC2 and their consultant Pearson VUE to develop the CCSP CBK and examination questions. It was a rewarding experience.

The process administered is very structured and well rounded, with concept mapping, team discussions and psychometric analysis. As a security professional, I am thinking maybe the system development life cycle (SDLC) should also make use of a similar validation process to ensure each feature implemented is user facing and also balanced!

Developing a Cloud Security certification is a challenge due to its extensive scope. The final CBK covers six domains:

  • Architectural Concepts & Design Requirements
  • Cloud Data Security
  • Cloud Platform & Infrastructure Security
  • Cloud Application Security
  • Operations
  • Legal & Compliance

Very few people have acquired working experience in all six domains. However, learning cloud technology and applying security principles in a virtualised environment are both achievable via the CCSP CBK. Studying the CCSP domains and passing the exam will help security professionals gain knowledge in a structured way, and thus be able to demonstrate that their security skills are not outdated.