Sunday 29 March 2015

Pavia - Shenzhen 4: I think what I need here is a survival guide

I think what I need here is a survival guide 🙂

I have had the chance to talk with some Western colleagues; apparently we share, more or less, the same difficulties.

Language Barriers

Let's be clear: if you want to take the Shenzhen metro, it is a piece of cake. All signs are in Chinese and English, and the trains are as modern as the stations. Every stop is clearly displayed on the train (and announced in both languages), so it is a great way to travel here.

Things get different when you need a cab.

You have to wait on the street hoping to find a free taxi passing by, then you try to hail it somehow (being Italian makes it easy for me to work with gestures, lol). And beware of the colour: not all taxis can go everywhere, so if you are a little far from the centre you may find red and green ones, and not all of them can drive you where you want or need to go.

And once you are in... welcome, language barrier. Trying to explain where you need to go is not easy, so you had better write or print the directions. I always carry my hotel business card with me, just to be sure I can show the driver the address.

I have not found any cab driver able to speak English so far.

Alas, if you plan to use Google Translate here you may have problems: the Great Firewall blocks Google tools.

Survival tips:

1) Download offline maps for your phone; they will be useful.

2) If you plan to stay here for a while and want to connect over a 4G/3G network, I suggest buying a SIM in Hong Kong. There are plans without roaming charges from mainland China, with 6 GB/month or more, and the connection is outside the Great Firewall, which means you can easily have all your tools working.

3) Download a VPN client before you arrive if you plan to use a local SIM or roaming (but roaming is so expensive, would you really want to?).

4) If you buy a phone here, be aware that the Chinese Android builds are different: they do not ship Google Mobile Services, so some apps may not work. You can install a different ROM (some shops do it for foreigners).

I am still struggling to find a decent translator. The hardest part is translating written text, of course. I have the same issue at work: Chinese colleagues love to send communications as images instead of plain text. Visually nice, sure, but hard to deal with if you are not a Chinese speaker, since you cannot copy the text into a translator.

Food is great

I love Chinese food, but you should be aware of a few things:

They do not usually drink with lunch or dinner, apart from tea. The water is usually warm, a sort of very light lemonade I think. If you want cold water or even cold beer you have to ask for it; do not take it for granted that they will bring a cold beer if you ask for one.

And do not take for granted that they have cold drinks at all.

Likewise in hotels: even if the room has a fridge, it is probably empty and unplugged.

(now mine has some bottles of water and a beer, lol)

Food is generally cheap here and of good quality. If you plan to eat Western style you have to spend a little more, but you can usually eat for under 200 yuan.

Well, I cannot vouch for the quality of Western food: I tried Pizza Hut and was quite disappointed. But I have also seen a lot of KFCs here and some Starbucks. I had coffee at Starbucks and it was good, but I am not sure whether that was the quality or just how much I was missing coffee 🙂

You should also be aware that the Chinese way of doing restaurants is different:

Restaurants are usually loud; people talk loudly as a matter of course.

Chinese food is shared: they bring several different dishes and everyone takes from them with chopsticks. People usually leave bones and scraps on the table, spitting them out directly onto the table. You have to get used to this; it can be a little strange at first.

Tuesday 17 March 2015

Sometimes they come back

I wrote a while ago about the double standards in IT security that affect eastern companies such as China's Huawei and ZTE, or Russian ones, when dealing with Western countries.

I wrote that this effect is quite evident every time you read news about cyber security threats. Guess what... I was reading some news lately and came across some statements that made me think about it (again):

Let’s take the FREAK attack as an example.

The FREAK attack is a vulnerability that breaks the protection HTTPS is supposed to give: a man-in-the-middle can force a vulnerable client and server to negotiate "export grade" encryption, a deliberately weakened form (512-bit RSA keys, which can be factored in hours on rented computing) that the US government required in products shipped outside the United States. The export restrictions were lifted in the late 1990s, but the weak cipher suites remained in software still used to this day, even in products now bought and sold in the United States.

According to the Washington Post, export grade encryption was the originating issue for this vulnerability. It is a problem several years old, although only "discovered" recently: the weak suites had been sitting in the code all along, and what was found in 2015 was that several TLS clients would accept an export-grade RSA key from the server even when they had never offered an export suite.
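The client-side bug behind FREAK is easy to state as a check: the suite the server picks must be one the client actually offered, and export-grade suites should not be offered or accepted at all. The script below is an added example for this post, not code from the original article or from any named vendor; it builds a minimal ClientHello and ServerHello from constructed bytes (not a captured handshake), parses the cipher-suite fields, and reports the downgrade conditions a correct client or a passive monitor should refuse. The suite identifiers are the TLS 1.0 registry values; everything else (fixed randoms, empty session id, no extensions) is a simplification for the example.

```python
"""Flag an export-grade (FREAK-style) cipher-suite downgrade in a TLS handshake.

Added example for this post, not code from the original article or from any
named vendor. The ClientHello/ServerHello bytes are constructed here to
illustrate the check; they are not captured from a real server.
"""
import struct
from typing import List

# Export-grade suites from the TLS 1.0 registry (RFC 2246, appendix A.5).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 0x16          # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2


def _record(body: bytes, msg_type: int) -> bytes:
    """Wrap a handshake body in a Handshake header and a TLS 1.0 record header."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def build_client_hello(suites: List[int]) -> bytes:
    """Constructed ClientHello: version, fixed random, empty session id, suites, null compression."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"   # one compression method: null
    return _record(body, CLIENT_HELLO)


def build_server_hello(suite: int) -> bytes:
    """Constructed ServerHello: version, fixed random, empty session id, chosen suite, null compression."""
    body = b"\x03\x01" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(body, SERVER_HELLO)


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip record and handshake headers, refusing truncated or mistyped input."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != expected_type:
        raise ValueError("truncated record or unexpected handshake type")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    return body


def parse_client_hello(record: bytes) -> List[int]:
    """Return the cipher suites the client offered, in order of preference."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32                        # skip client_version and random
    pos += 1 + body[pos]                # skip the length-prefixed session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]


def parse_server_hello(record: bytes) -> int:
    """Return the cipher suite the server selected."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32
    pos += 1 + body[pos]
    return struct.unpack("!H", body[pos:pos + 2])[0]


def check_handshake(client_hello: bytes, server_hello: bytes) -> List[str]:
    """Findings a non-buggy client (or a passive monitor) should raise for this exchange."""
    offered = parse_client_hello(client_hello)
    chosen = parse_server_hello(server_hello)
    findings = []
    offered_export = [EXPORT_SUITES[s] for s in offered if s in EXPORT_SUITES]
    if offered_export:
        findings.append("client offers export suites: " + ", ".join(offered_export))
    if chosen not in offered:
        # The FREAK condition: the server answers with a suite the client never
        # offered (because a man-in-the-middle rewrote the ClientHello) and a
        # vulnerable client accepts it, ending up with a factorable 512-bit RSA key.
        findings.append("server chose suite 0x%04x not offered by client" % chosen)
    if chosen in EXPORT_SUITES:
        findings.append("negotiated export-grade suite: " + EXPORT_SUITES[chosen])
    return findings


if __name__ == "__main__":
    modern = [0x002F, 0x0035, 0x000A]   # AES128-SHA, AES256-SHA, 3DES-SHA
    hello = build_client_hello(modern)
    print(check_handshake(hello, build_server_hello(0x002F)))   # clean exchange
    print(check_handshake(hello, build_server_hello(0x0003)))   # downgrade flagged
```

The server-side fix is simply to drop the export suites from the cipher list (in OpenSSL cipher-string syntax the keyword for them is EXPORT, so add `!EXPORT`); the client-side fix is exactly the "chosen suite must be one I offered" test above, which the patched libraries now enforce.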

The same day, in an article reported by the Boston Business Journal, Gregory J. Touhill (deputy assistant secretary for cybersecurity operations and programs in the Office of Cybersecurity and Communications) stated, at a cybersecurity panel discussion organized by the New England chapter of the National Association of Corporate Directors, which represents board members of the largest companies in the region:

Who's doing the hacking? State-sponsored hacking, from countries like China or Russia, for example: "they get the big splash in the newspapers, but they represent less than 2 percent of the attacks that we see," said Touhill. Hacktivists, people who use hacking to further their political agenda, are a large and growing group.

So basically the same people who created the FREAK issue are blaming others for activities yet to be proven.

Meanwhile, the Chinese official response to the Obama administration's accusations of being unfair with the new cyber security rules states:

“With transparent procedures, China’s anti-terrorism campaign will be different from what the United States has done: letting the surveillance authorities run amok and turn counter-terrorism into paranoid espionage and peeping on its civilians and allies.”

This is Xinhua, China's state-run news agency, addressing President Obama's criticism earlier that week of a proposed Chinese law that would require tech companies doing business in the country to install backdoors in their software and hand over their encryption keys. "Contrary to the accusations of the United States, China's anti-terror law will put no unfair regulatory pressures on foreign companies, because the provisions will apply to both domestic and foreign firms," Xinhua also wrote.

The BBC reports that Fu Ying, parliamentary spokeswoman, pointed out that the US government had imposed restrictions on Chinese companies it considered potential security threats, such as Huawei and ZTE. She also said Beijing's proposals were in line with the same kind of access to online communications sought by the US and British governments.

This West-East friction is changing slightly with the rise of cyber security awareness. Computer Weekly pointed this out in a recent article,

US technology companies facing growing UK pressure over internet spying

which talked about the rising friction between the UK and the USA over cyber-spying (I wrote on the same issue some time ago; see: PRISM Lessons On Privacy, Cloud and US IT Companies).

Let's be clear, this is not just a USA problem: France recently had its moment of glory with the fake Google certificates issued under ANSSI (human error was the official explanation), and with the Casper malware affair.

And the UK, while complaining to the USA about the consequences of PRISM, has its own fingerprints on the NSA-GCHQ affair.

So who can we trust?

If you are familiar with The X-Files you may recognise the motto "Trust no one". This is the basis for implementing security. It does not mean that all commercial products are untrustworthy, but from a security perspective we should assume the worst.

Whether through state sponsorship, human error or criminal intent, something can go wrong anywhere (shit happens).

From a security perspective this means that processes take on the greatest importance, while from a hardware/software point of view a multivendor approach, with a "not everything from the same country" attitude, could be reasonable.

To raise confidence, vendors are adopting several corrective measures, from a more secure software development lifecycle to tighter control over suppliers and resellers, in order to prevent unwanted tampering with their solutions by an outside party. Given the recent news and outbreaks these processes matter even more today, so the bigger the vendor, the stronger its policies for controlling the whole chain, from production to delivery, have to be.

Nevertheless we cannot assume that any vendor is 100% secure (again, shit happens), so implementing continuous and sound processes of auditing, penetration and vulnerability testing and quality analysis of the IT infrastructure will give us a better chance of surviving the current threat environment. We should also remember that without a contingency plan for disaster recovery and cyber attacks all our efforts could be in vain.

Wednesday 4 March 2015

Pavia Shenzhen step 3

[angry][frantic][skull][weak]
OK, I am pissed off. Sometimes the apparently easiest things are the hardest to solve.
I am trying to get my second visa for China and I was hoping this time things would go smoothly.

Yesterday I took the train, went to Milan and, happy-go-lucky, the whole computer system was down. I spent just five hours waiting for the system to come back; no luck...


So I took the train again today, hoping for a better result...


Guess what... Murphy's law... The invitation letter was wrong (same old story): it stated a 30-day stay, not 60 as needed, and it could be neither annual nor multi-entry because a company is not entitled to make those requests...

So in the end...
I will not have the annual multi-entry visa but just a 6-month, 2-entry one. And only 30 days' stay, so I will be forced to go to Hong Kong and come back to Shenzhen just to be able to stay the 6 weeks required. Cheaper than changing the flights already purchased, anyway...

Then for the next trip, another visa, more money, more back and forth to the consulate... Just hoping I get the visa on Friday.
[frantic] arrrrrghhhhhhh

Posted from WordPress for Android
