HSBC drops Firefox support

Today I tried to complete an online purchase using my HSBC Visa Card (issued in Hong Kong), and when the merchant redirected me to HSBC for the Verified by Visa page, instead of the password prompt I used to receive, I saw the following:

Thinking that this must be an error (since it used to work fine before), I called up HSBC’s customer service hotline to find out what was going on.

I was shocked to hear that HSBC now officially only supports IE, and no other browsers are supported for Verified by Visa. I asked them what I’m supposed to do if I have a Mac and don’t have IE, and they responded that I’m supposed to use IE or nothing at all.

I asked why Firefox is unsupported since it used to work fine before and they gave a vague response that Firefox cannot exchange data with Visa properly (which does not make sense at all). They also said that their entire online platform is “built for Internet Explorer”.

The message from HSBC Hong Kong is clear: if you’re not using IE, don’t bother making online purchases with our Visa card.

My message to HSBC is this: if you’re not going to support Firefox, don’t count on me using your Visa card to make any purchases (online or offline).

In case anyone wants to comment on this, this is where the complaints need to go:

HSBC
Attn: Credit Card Services
8 Floor, Block 2 & 3
HSBC Centre
1 Sham Mong Road
Kowloon
Hong Kong

India TV Airs News with Fake Photos

No doubt many of my readers will be aware of the horrendous debacle at India TV which resulted in them broadcasting a report with a fake photo of Syedna Mohammed Burhanuddin (TUS) “performing” the nikah of the Taleban terrorist, Baitullah Mehsud in Afghanistan.

Of course, Syedna Mohammed Burhanuddin (TUS) never performed this nikah and during the time of the said nikah, Syedna Mohammed Burhanuddin (TUS) was in Mumbai, not Afghanistan.

The TV channel has published an apology and also aired an apology for the incident, which can be seen here:

Source: Youtube

The source image and the doctored image can also be seen below:

India TV Source Image
India TV Fake Image

Without making any attempt to justify what is obviously abhorrent or non-existent editorial control, I do have a suspicion regarding how this came to pass. Rather than a deliberate attempt to slander Dawoodi Bohras, it is more likely the case that the “reporter” (and I use this word in the loosest term possible) did a Google Search on “nikah”, and found these results:

Google Search Results for "nikah"

The first usable photo became the “source” for the doctored “news report”. While this in no way justifies what happened, and it should never have happened to begin with, it does mean that, objectively, there was likely no intended malice towards Dawoodi Bohras.

Does it excuse the event? Absolutely not. Does it mean that it’s acceptable for news stations to doctor images to fake news events? No way. Everything that happened here should never have happened. But I think it does provide an insight into how it came about.

Also of interest to some readers may be the search engine referral statistics for Planet Bohra on 8 April, 2009. I’ve made these available as a PDF.

Flying from Chek Lap Kok to Kai Tak

Yesterday I piloted a Boeing 737-800NG simulator. It was my first attempt at a flight from Hong Kong’s new airport Chek Lap Kok to the now out of service old airport Kai Tak. I control the yoke (steering) and yaw. My co-pilot controls the thrust, flaps and trim (and generally gives me some helpful directions since he’s a pilot and I’m not).

The 737 NG has some pretty sophisticated navigational equipment which is very helpful. One of the nice things was an indicator that shows your turn trajectory and projects it onto a runway extension – very useful for landings at Kai Tak.

Of note is that pilots who landed at Kai Tak back in the day had no such help, making those landings all the more impressive.

My landing is not on the runway centreline, but on the runway and close to where one should hope to land, so I’m happy with that for a first attempt at flying a 737 in a proper sim.

Link to video: Chek Lap Kok to Kai Tak in B737-800NG (Cockpit View)

Official iPhone 2.2.1 OS retains 2G unlock

I just upgraded Zainab’s iPhone 2G (purchased from an Apple Store in the US) today from OS version 2.1 to 2.2.1. Originally this iPhone was unlocked using iJailBreak on 1.1.4 and then was jailbroken/unlocked on 2.0/2.1 using PwnageTool.

The instructions I read were to upgrade to 2.2.1 using iTunes and then run QuickPwn to jailbreak/unlock the iPhone 2G. Interestingly, after I upgraded to 2.2.1 using iTunes (without any custom IPSW – downloaded the release from Apple) the phone upgrade went without a hitch and the iPhone remained unlocked after the upgrade. That was a surprise.

Of course the phone is not jailbroken but I have no interest in that and it seems that once an iPhone 2G is unlocked there are at least some circumstances where it will remain so after a normal upgrade using the official IPSW.

So right now she’s using an iPhone 2G with 2.2.1 OS without any jailbreaks or custom hacks, but with a non-AT&T SIM. That’s from my POV ideal and a pleasant surprise.

Enterprise Deployment of Firefox

I am responsible for overseeing the IT infrastructure of an office with about 40 Windows-based computers. We always keep the OS and relevant software patched, though sometimes even keeping Windows/Office/IE patched to the most current level is not enough.

The workarounds provided by Microsoft for this issue are, frankly, not acceptable: website functionality with security set to ‘High’ is unacceptable and generates user complaints (and doesn’t even solve the problem completely).

Events like this give me cause to consider a company-wide deployment of Firefox as the default browser. We have no internal applications that rely on IE so this is not a sticking point for us as it is for many corporations. Plus, Firefox has far fewer “vulnerable days” as compared to IE (and when Firefox is vulnerable the potential risk to the system is usually lower).

However, there are a couple of blockers that stop me from taking this step. These include:

  • Lack of an automated/scriptable way to deploy Firefox that is supported by Mozilla (though bug 231062 has been filed for an MSI install package – almost 5 years later there is still no resolution).
  • Lack of any way to force Firefox product/security upgrades upon users. Without this, Firefox is arguably even more insecure than IE because at least with IE we can be reasonably sure that updates are being pushed out on schedule.
  • Lack of any centralised way to make sure plugins are up to date (I will concede that IE is not up to par on this front either).

There are probably a few other points that I can’t think of at the moment. However, our company is an SME with fewer than 100 computers and I find these issues troubling. Imagine a Fortune 500 company – the problem for them would be multiplied many fold.

I am unhappy about the latest problems with IE and unhappy that there is no patch yet for an exploit that is so clearly in the wild and unhappy that there isn’t even an acceptable way to mitigate the risk.

Having said all this – at the moment I don’t see that switching to an alternative browser is an acceptable solution to this problem for enterprise users for the reasons above.

If work was done to make Firefox more enterprise friendly, this would go a long way towards adoption in the workplace. As it stands, there are just too many reasons not to deploy even though the product is clearly superior from an end user standpoint.

eJamaat and Data Retention

My religious community, numbering approximately one million worldwide has a centralised system for almost everything (both religious and non-religious). One of the non-religious centralised systems that has really irked me over the last couple of years has been the eJamaat system which is maintained by the religious administration.

The eJamaat system (update: now called ITS or Idaratut Ta’reef al Shakhsi) contains personal biodata (name, DOB, address, education, business details, levels of religious learning, blood type, family trees/relationships) of almost all community members worldwide. This system is mainly used to gather data about the community and also to perform registration for attendance of religious events or sermons. Now – the administration seeks to make entering passport information mandatory as well.

Why does it irk me? It’s not because the system is not needed or because it performs no useful functions. In reality, there is a real need for this system and it is effectively used to manage registration for events. It irks me because of the administration’s compulsion for collecting data that is not required just for the sake of collecting it. Further, there is no disclosure as to how the information is used and no information about what steps are being taken to secure our personal data. For starters, the site does not use SSL, so the HTTP conversation is unencrypted and anything you type into it can be read by anyone on the network path between you and the server, especially if you do so over a public wifi signal.

When this system was first set up, I requested a copy of eJamaat’s privacy policy. It is not publicly listed anywhere and I never got a response. From this I can infer that either they don’t have one, or that it is not available for public viewing. In some jurisdictions the collection of this kind of personal data without a published privacy policy that meets certain guidelines is actually outright illegal (see below for details on relevant legislation within the UK).

I am genuinely concerned that if this data was to fall into the wrong hands, it would be a treasure trove for individuals seeking to engage in identity theft. With information including full name, father’s name, mother’s name (including maiden name), DOB, passport information, photographs, address, blood type, information about health conditions, business details, educational qualifications it is frankly quite scary to imagine what could happen if this information was stolen by a third party or misused by those with access to the data. Identity theft would be the tip of the iceberg.

It would be reassuring to the community if important information was disclosed (and more importantly followed) regarding what steps are taken to secure the data, under what circumstances data will be shared with other parties, if users will be informed in the case of a data breach, and also why data like passport information is required (personally, I can’t see a legitimate reason for this).

I think it would be naive to think that feeding all this information into a black box with no accountability is a good idea and that there will never be a major breach of confidentiality. With the scope of data contained, it is quite plausible that someone could call a bank and successfully obtain account information and effect transfers, or apply for a library card by post in someone else’s name.

I hope someone can demonstrate that my concerns are unfounded, but I doubt that will happen.

For those who are interested, the Data Protection Act 1998 is the most relevant piece of legislation in the United Kingdom to this discussion (and other countries may have their own equivalents). According to the ICO, there are eight basic principles, which are meant to make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

[Source: Personal data, Personal rights – Data Protection Act (DPA) – ICO]

The page on legal obligations imposed on data controllers is also interesting:

  • Do I really need this information about an individual? Do I know what I’m going to use it for?
  • Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?
  • If I’m asked to pass on personal information, would the people about whom I hold information expect me to do this?
  • Am I satisfied the information is being held securely, whether it’s on paper or on computer? And what about my website? Is it secure?
  • Is access to personal information limited to those with a strict need to know?
  • Am I sure the personal information is accurate and up to date?
  • Do I delete or destroy personal information as soon as I have no more need for it?
  • Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice?
  • Do I need to notify the Information Commissioner and if so is my notification up to date?

[Source: Personal privacy, legal obligations – Data Protection Act (DPA) – ICO]

Update 16 November 2008: I have been requested by a legal advisor to Dawat to temporarily remove this post while some issues are being worked on. Certain representations have been made which paint a positive picture of what is going on behind the scenes and if this is followed through it will be a very positive development for all eJamaat users.

Update 23 September 2009: eJamaat now has a privacy policy in place (see also locally archived copy dated 23/09/2009) which addresses many of the concerns stated above. It is good to know that positive steps are being taken and users are being told what data is being collected, why, and who will process it, and also how to opt out, and it is also being made clear that the entering of passport information is optional and not mandatory. The privacy policy is not perfect, it does not address how the data is being kept secure, but it is a step in the right direction.

Given that I was requested to remove the post only temporarily until action was taken, I am quite comfortable to put the entire post back online in the knowledge that action has already been taken (and there was ample opportunity to do so) and I hope that the privacy policy will be vigilantly enforced and that steps will continue to be taken to protect the privacy of eJamaat users.

One further step that I would like to see taken is for eJamaat to publish a list of organisations that they share our data with. In the privacy policy they mention that they only share information with organisations affiliated with Dawat-e-Hadiyah but this could be a very extensive list and sometimes the distinction between being affiliated or not is an obscure one.

For example, the site Malumaat.com requires users to register with an eJamaat number and says that if incorrect information is entered then an account is liable to deactivation. This is interesting because it means that any one of the following cases must be true:

  1. Malumaat is able to access eJamaat records in order to verify that the numbers provided are correct. In this case, eJamaat is in violation of their own privacy policy because Malumaat is not an organisation which is affiliated with Dawat-e-Hadiyah or Alvazaratus Saifiyah.
  2. Malumaat is not able to access eJamaat records in which case Malumaat is purporting to collect eJamaat numbers for a purpose otherwise than what they state and users have no guarantee about the privacy of their data provided (and in any case should be wary of providing unique personal identifiers to a site which has not issued them in the first instance).

Another point worth mention is that eJamaat, according to their privacy policy, does provide information to third parties. In this case it is legally incumbent upon eJamaat to ensure that the third parties they provide data to are also processing it in accordance with the protections that eJamaat is subject to otherwise the provision of said data to third parties may be unlawful.

One more easy improvement that could be made is to encrypt all website transactions using SSL (preferably EV SSL; note that an EV certificate only changes how the browser displays the site’s identity, the encryption itself is no stronger than with an ordinary certificate). At the moment all information entered by users on the eJamaat website is not encrypted and in this day and age there is no legitimate justification for this.
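The plaintext-HTTP problem raised above (and earlier, in the paragraph about public wifi) is easy to check for mechanically. The script below is an added example and is not eJamaat’s code or anything from the site: given a page’s URL, its HTML and its response headers, it reports every form whose submission target resolves to plain http:// (resolving relative actions the way a browser does, so an empty action on an http:// page counts), and whether the server sends a Strict-Transport-Security header, a later mechanism that tells browsers never to fall back to HTTP. The registration page HTML, the host name and the headers are constructed for the demonstration.

```python
"""Audit an HTML page for forms that would submit personal data in the clear.

Added example, not eJamaat's code. The sample page, host name and headers
below are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (action, method, field names) for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            # Buttons and hidden fields carry no user-typed data; skip them.
            if (a.get("type") or "").lower() in ("submit", "button", "hidden"):
                return
            if a.get("name"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(page_url, html):
    """Return the forms whose submission would travel over plain HTTP.

    The action is resolved against the page URL exactly as a browser would,
    so an empty or relative action on an http:// page is still insecure, and
    an https:// page can still leak via an explicit http:// action.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append({"target": target,
                             "method": form["method"],
                             "fields": form["fields"]})
    return findings


def hsts_status(headers):
    """Classify the Strict-Transport-Security header (name lookup is
    case-insensitive). Returns 'missing', 'short' (max-age under 180 days,
    or no usable max-age) or 'ok'."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            for directive in value.split(";"):
                key, _, val = directive.strip().partition("=")
                if key.lower() == "max-age" and val.isdigit():
                    return "ok" if int(val) >= 180 * 24 * 3600 else "short"
            return "short"
    return "missing"


# Constructed sample: a registration page served over plain HTTP (hypothetical host).
SAMPLE_URL = "http://registration.example/profile"
SAMPLE_HTML = """
<html><body>
<form action="/update" method="post">
  <input name="full_name"><input name="dob"><input name="passport_no">
  <input type="hidden" name="csrf" value="x"><input type="submit">
</form>
<form action="https://search.example/q" method="get"><input name="q"></form>
</body></html>
"""
SAMPLE_HEADERS = {"Content-Type": "text/html"}  # no HSTS header at all

if __name__ == "__main__":
    for f in insecure_forms(SAMPLE_URL, SAMPLE_HTML):
        print("INSECURE", f["method"].upper(), f["target"], f["fields"])
    print("HSTS:", hsts_status(SAMPLE_HEADERS))
```

Run against the constructed page it flags the POST to http://registration.example/update carrying full_name, dob and passport_no, leaves the https:// search form alone, and reports HSTS as missing. To audit a real site, fetch the page and feed the response body and headers to the two functions; a site that passes both checks still needs its certificate and redirect chain verified, which this script does not do.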

In short, the situation today is much better than it was a year ago, but data privacy is an aspect of data retention that needs to be continually addressed at every step of data processing and data sharing. A “write a privacy policy and forget about it” approach will not yield the correct result. The more users are reassured that their data is being sensibly and lawfully processed, the more comfortable they will be to provide sensitive data.

Officially Unlocked iPhones in Hong Kong

Is Hong Kong the first market in the world to get an iPhone 3G which is both officially unlocked at the time of purchase and not tied to a carrier plan? According to the Apple HK iPhone store page, quite possibly:

iPhone 3G purchased at the Apple Online Store can be activated with any wireless carrier. Simply insert the SIM from your current phone into iPhone 3G and connect to iTunes 8 to complete activation.

They’re not cheap though. The 8GB phone costs HK$5400 (approx US$700) and the 16GB is HK$6200 (approx US$800).

iPhone 2.0.2 Update and 3G Reception

There are a lot of reports out there that Apple’s 2.0.2 OS update for the iPhone fixes reception issues with 3G. Now I don’t know whether the issues are hardware, firmware, or software related (maybe all?), but I do know that the 2.0.2 update does not do anything to fix them, at least not for me here in Hong Kong.

In a city that has mobile coverage everywhere, including on underground trains, the iPhone sometimes shows 1 bar only for network strength in downtown Hong Kong, where most other phones show full signal strength. In areas where other phones have no problems getting reception, iPhone can show “No Service”.

I hope that iPhone OS 2.1 has a solution for these problems. The iPhone is a great computer, but it is lacking as a reliable mobile phone.

iPhone 10MB Limit for App Store Downloads over 3G

I came across this limit today while trying to download an application from the iPhone App Store. Apparently, if an application is over 10MB, the iPhone will not allow you to download it over the cellular data network, requiring you to either download over wifi, or via iTunes on your computer.

This seems like a pretty brain-dead limit, since 10MB is not a lot of data and they’re hyping up 3G so much as being as fast as broadband. Well, what’s the use if you’re artificially disallowed from downloading more than 10MB?

Chalk one up for the bean counters at AT&T who no doubt convinced Apple to include this “feature”.