In a word, wow!


I am not sure if this is a report that contains stuff taken out of context, but if it’s true that PM Lee thinks that his government did not have clarity in vision, what does that mean to all the justifications of paying sky-high wages to the “ministers” who were, after all, the ones who should have looked out for us?

I await back-pedalling and clarifications before commenting on what appears to me an admission of failure.

While we are talking about failures, let me point out a huge failure playing out in the Singapore civil service in the form of the fiasco called the “Standard Operating Environment”. There is no one in the civil service that has anything positive to say about the fiasco that they have to be living with for the next umpteen years. The amount of tax dollars wasted and continuing to be wasted because of the closed, proprietary software chosen is appalling. We need to stop it. Now!

Mr Prime Minister, I made an offer to help set up a Singapore Open Institute that will propel the Singapore public sector rapidly forward with the adoption and use of open source software and make it innovative and forward thinking. The offer still has not been taken up by you or your office.

Let’s make rapid changes and changes for the better. I look forward to hearing from you at h dot pillay at ieee dot org.

Doing the right thing and a proposal


I am glad to read that the Prime Minister has decided to probe the sale of the applications (built and paid for using tax dollars) by the PAP Town Councils to the PAP-owned company AIM.

<stand up> <applause> <applause> <applause> <applause> <applause> <sit down>

I would like to know the following:

  1. Who will head this?
  2. What kind of time frame will this have to be done by – one month, one year, by next general election?
  3. In the meantime, what happens to the monies that have been spent (and to be spent) in the transaction?
  4. Will there be a public disclosure of companies that are PAP-owned and a list of transactions done by them with public sector agencies? I would expect the same from the WP and other political parties as well.

I would also like to hear from the Prime Minister on how we can ensure that all technology used/developed/deployed in any public sector entity in Singapore will FIRST consider open source solutions and failing to find something, then with a request for exemption (RFE), filed, published and approved, to look at non-open source options.

The time is NOW to make the bold and exciting change, Mr Prime Minister. I am sure this is of no concern to you, but rest assured your legacy will be being acknowledged as the Open Source Prime Minister.

While it might be premature to say “well done”, any progress is good progress. Doing the right thing is what this is all about.

As citizens, we need to keep a watchful eye on this probe to ensure that nothing is left unturned and keep the pressure on.

Again, my offer to help build an open source solution to managing the Town Council system remains.

Let me take this opportunity to flesh out a proposal of how this can be accomplished.

Proposal

  • We establish a Singapore Open Institute, funded by government and/or corporate sponsors.
  • SOI’s role will be primarily at assessing all the open source solutions being developed around the world especially for government (and education) and finding local use of them. Likewise, local public sector agencies can seek SOI’s help in creating open source solutions.
  • SOI will be the trusted agency from which public sector entities will seek advice and clearance in projects they want to undertake.
  • SOI will also create a Public Sector Software Exchange (PSX). The PSX will be open to anyone, anywhere to contribute to as well as to consume code from. All code in PSX could be on a GPLv3 or Apache License v 2 or something Singapore-branded, like the EU open license. PSX will also host SMEs, start-ups and individuals who can provide solutions. Parts of the Instruction Manual will have to be amended as needed to accommodate this.
  • SOI will also be the entity to which requests for exemption (RFE) have to be submitted by public sector agencies before going for closed source products. RFEs will have an expiry period and will be specific to a project.
  • SOI will also be the catalyst in creating and running programming contests, hack-a-thons etc (both with open source software and hardware). This is principally to encourage as many people to learn coding and build solutions.
  • Mindef, Police, SCDF and security related agencies are exempted from SOI but are strongly encouraged to create an equivalent of forge.mil.
  • SOI will also be the thought leader for Open Data, Open Source, Open Hardware and Open Standards.

It is an idea whose time has come for Singapore to act on, Mr Prime Minister.

Let’s do the right thing.

It’s not a contest per se, it’s a Sahana-moment!


So, my 3 am post from January 3rd 2013 is now on http://www.tremeritus.com, probably not a good thing, but then this is the way things move.

For what it’s worth, going by the comments in that post, this is not about scoring points against the Coordinating Chairman or the PAP or the WP.  It is about highlighting the facts in a way that was clearer and not wrapped up in words and more importantly, offering a better way to do things for the betterment of this country.

At the expense of being ridiculed for stating the obvious, all the information and analysis done at 3 am on January 3rd 2013 that is in my original post is from that one media release put out by the Coordinating Chairman on January 2, 2013.

There is confusion about the various issues, which sadly are related, albeit tangentially.

Let me try to give a map of the issues that are being looked at.

a) The Ministry of National Development put out a Town Council Management Report for 2012 on December 14, 2012. Of the 15 town councils, all except for the Aljunied Hougang Town Council scored green in “S&CC Arrears Management – Examines the extent of Town Councils’ S&CC arrears that residents have to bear.” AHTC is the only non-PAP Town Council.

b) Because of that red score, the question arose as to what happened? To that extent, the AHTC released their comments.

c) It then was known to all of us that there was a company, Action Information Management Pte Ltd, that was providing the IT solutions to the town councils.

d) That was when the issue blew up with regards to who is AIM, why did this company get to do this business, how did they come to own the IT system etc etc.

So, there are two chunks of issues:

1) The poor performance from the Town Council Management Report 2012 perspective of Aljunied Hougang Town Council

2) Who is this AIM and what is their role in all of this?

Both are important issues. I am in no position to comment on the first point.  That is for the AHTC to address to the satisfaction of the residents of AHTC as well as us Singaporeans.

My interest centers in the second point. As a computing professional, having been in this industry since 1982, this interests  me personally. I am also an advocate of using and growing the use of open source technologies especially in the public sector. The Town Councils are public sector organizations. It pains me to see good money being thrown at IT solutions only for the vendor(s) to obsolete it in a relatively short time, and get the customer to pay up again and again. This becomes even more acute with public sector IT spending. It is yours and my tax dollars that get spent wastefully.

Sure, there was a time when the open source solutions and frameworks did not quite provide good alternatives to address the varied IT needs. But that was a long, long time ago. Today open source is so very prevalent in every nook and corner that there is no longer any justifiable reason not to consider open source first for any IT need, especially in government and public sector.

People who know me would have heard the repeating groove that I have become, in that we need, at least in Singapore, an official government policy to do open source FIRST for all public sector IT procurement and for government agencies to file justifications for exemptions if they want to go with a proprietary solution and these exemptions have to be public knowledge.

Why is that needed? It is because monies spent by publicly funded agencies especially in reusable technologies like software, should not be wasted and locked away in some proprietary solution.

I am not proposing nor suggesting that open source solutions don’t come at a price. They do. They will need to be supported (as any software needs to, open or otherwise). But the huge upside when used in the public sector is that the solution can be worked on and enhanced and re-factored by entities that the public sector organizations could engage. This grows the local, domestic IT sector. It grows it in a way that benefits the local economy and SMEs who then get opportunities to become conversant in domains that otherwise will be hard to get into. With the code being open, anyone can contribute, but, and this is the part most people miss out, you STILL NEED commercially contracted support.

This opens up opportunities to SMEs in Singapore to take up the various solutions to manage and maintain and gain expertise and in the process begin expanding outside Singapore as well.

Eight years ago, as a reservist SCDF officer, I was mobilized to support SCDF’s Ops Lion Heart to help with Search and Rescue after the 2004 Boxing Day Indian Ocean tsunami. My country called me to serve at a time of need and I put on my uniform and was on the ground in Banda Aceh for about two weeks.

The lesson I learned then was that in a disaster situation, the various international agencies and military/civil defense forces on the ground had very little common technology (other than walkie talkies) that could be used to coordinate the work. We, the SCDF, had our comms equipment (we had an Inmarsat VSAT satellite and satellite phones and GPS devices) but other than that, nothing else to interface with the other forces on the ground. Why? Because each of those entities had their own proprietary software tools to work with. At a time when there was a massive natural disaster, as rescuers we were not assisted by the technologies because of vendor lock-in.

Out of that disaster, came Project Sahana –  put together by Sri Lankan open source developers. Sahana is now a UN sanctioned tool for disaster management.

Why do I bring this up? Because it seems that we are heading to a Sahana-moment in Singapore. Public sector IT services should be decoupled from political parties.  Public sector IT solutions must open up the source code so that there are no opportunities for being taken for a ride.

So, to draw back to the beginning. Mr Coordinating Chairman, this is not a contest per se. This is a genuine offer to help us, the collective us, to do the Right Thing.

Why Open Standards and Open Source Matters in Government


I have offered to the powers that be (TPTB) running the various Town Councils in Singapore an opportunity for the open source community to help build an application to manage their respective towns following the unfolding fiasco around their current software solution which is nearing end of life.

I am not surprised to hear comments and even SMS texts from friends who say that I am silly to want to offer to create a solution using open source tools. I can only attribute that to their relative lack of understanding of how this whole thing works and how we can collectively build fantastic solutions for the common good of society not only in Singapore but around the world.

I work for a company called Red Hat. Red Hat is a publicly traded company (RHT on NYSE) and is a 100% pure play open source company. What Red Hat does is to bring together open source software and make it consumable for enterprises. Doing that is not an easy thing. A lot of additional engineering and qualifications have to go into it before corporates and enterprises feel confident to deploy it. Red Hat has been successful in doing all of that because of the ethos of the company in engaging with open source developers (and hiring them as full time employees where appropriate) so that we can help the world gain and use better and higher quality software for everything.

That means that in taking open source software, Red Hat has to ensure that improvements and enhancements done are put back out as well to benefit everyone else and at the same time, at a price, provide a service to enterprises that want to use these tools but also want accountability, support, continued innovation etc. That is the Red Hat business model. We are the corporate entity that enterprises deploying open source tools look to for sanity.

Naturally, everything we create is available to anyone else, including our competition, and, yes, we can be beaten at our own game. That’s the best part. The fact that we can be challenged by others with what we helped create is a fantastic situation to be in as it forces us to constantly innovate (and in the open) and show how we are a responsible open source community member while giving tremendous value to enterprises.

It is in that spirit that I made the offer to help form a team of open source developers in Singapore to create the management system software for the town councils.  Certainly, when the software is built and deployed, the town councils would need to have competent support and there is nothing stopping any of the IT SMEs in Singapore picking up that opportunity. This gives the Town Councils significant advantage in choosing vendors to support their needs while keeping the innovation forthcoming because the code is open.

Here’s an article in an IT publication in which I was interviewed about open source and CIOs – yeah, self promotion :-). But, here’s a better article about how open source is so prevalent in the US government as well (yes, Gunnar is a colleague of mine).

So, the offer to build an open source solution is genuine and sincere. It is not for me to make money out of it per se, but to foster a situation that will create even more opportunities for others to actively participate in creating fantastic open source solutions for us not only for the Singapore public sector, but the world.

I hope this offer is taken up seriously by TPTB including parts of IDA and MND. And for the record, this offer has nothing to do with Red Hat.

My Conscience Is Bugging Me


I cannot let the media statement put out by the “Coordinating Chairman of the PAP Town Councils” regarding the sale of the town council management software system to an ex-PAP MP-owned company be left alone without it being shredded apart. The media statement appeared on January 2, 2013 on the PAP website.

I have italicised and indented the paragraphs from the media statement and my response follows each italicised segment.

Statement by Teo Ho Pin on AIM Transaction

On 28 December 2012, I issued a press release in response to Ms Sylvia Lim’s statement on the website of the Aljunied-Hougang Town Council. Ms Lim had made various assertions in her statement. However, her statement was made without citing the relevant facts. I now make this further statement to set out fully the relevant facts.

I am the co-ordinating Chairman of all the PAP-run Town Councils (“the TCs”). The PAP TCs meet regularly and work closely with one another. This allows the TCs to derive economies of scale and to share best practices among themselves. This improves the overall efficiency of the TCs, and ensures that all the PAP TCs can serve their residents better.

In 2003, the TCs wanted to harmonise their computer systems. Hence, in 2003, all the TCs jointly called an open tender for a vendor to provide a computer system based on a common platform. NCS was chosen to provide this system. The term of the NCS contract (“NCS contract”) was from 1 August 2003 to 31 October 2010. There was an option to further extend the contract for one year, until 31 October 2011.

In 2010, the NCS contract was going to expire. The TCs got together and jointly appointed Deloitte and Touche Enterprise Risk Services Pte Ltd (“D&T”) to advise on the review of the computer system for all the TCs. Several meetings were held with D&T.

After a comprehensive review, D&T identified various deficiencies and gaps in the system. The main issue, however, was that the system was becoming obsolete and unmaintainable. It had been built in 2003, on Microsoft Windows XP and Oracle Financial 11 platforms. By 2010, Windows XP had been superseded by Windows Vista as well as Windows 7, and Oracle would soon phase out and discontinue support to its Financial 11 platform.

From what is mentioned above, D&T noted deficiencies and gaps in the system, which it seems was only about parts of the application infrastructure becoming obsolete and unmaintainable. It would be good to know what other gaps and deficiencies were reported.

It is now clear that the application that was developed ran on the system from Oracle Corporation, called “Oracle Financials 11”. It also is clear that possibly both the server and client OS were Microsoft Windows XP. I do wonder how that original application was spec’ed out?

We have here a classic case of all of the component systems needed to run an application reaching end of life or becoming unsupported even as the application could still be used.

That, in itself, is not a big deal. Forced obsolescence is the norm in the IT industry. It is not the best state of affairs, but it is what it is.

The TCs were aware of and concerned about the serious risks of system obsolescence identified by D&T, and wanted to pre-empt the problem. In addition, as the NCS Contract was about to expire, they sought a solution which would provide the best redevelopment option to the TCs, and in the interim would allow them to continue enjoying the prevailing maintenance and other services.

Fair enough.

As Coordinating Chairman of the TCs, I had to oversee the redevelopment of the existing computer system for all TCs. It was clear to me that the existing computer software was already dated. The NCS contract would end by 31 October 2011 (if the one year extension option was exercised). However, assessing new software and actually developing a replacement system that would meet our new requirements would take time, maybe 18-24 months or even longer. We thus needed to ensure that we could get a further extension (beyond October 2011) from NCS, while working on redevelopment options.

Not sure why the preceding was needed, for it is a restatement of the first discussion.

D&T also raised with the TCs the option of having a third party own the computer system, including the software, instead, with the TCs paying a service fee for regular maintenance. This structure was not uncommon.

By stating that D&T said that it is a common method for “third party own the computer system”, it is not clear how that would help with a rapidly aging computer system. Sounds incredulous for D&T to suggest that.

We decided to seriously consider this option. Having each of the 14 individual TCs hold the Intellectual Property (IP) rights to the software was cumbersome and inefficient. The vendor would have to deal with all 14 TCs when reviewing or revising the system. It would be better for the 14 TCs to consolidate their software rights in a single party which would manage them on behalf of all the TCs, and also source vendors to improve the system and address the deficiencies.

This paragraph contains the biggest amount of doublespeak and warped sense of value if there ever was one. What does it mean that each of the TCs holds the “Intellectual Property”?

It was stated that the reason for creating the application was (from above) “(t)his allows the TCs to derive economies of scale and to share best practices among themselves. This improves the overall efficiency of the TCs, and ensures that all the PAP TCs can serve their residents better.” which puts to lie “(t)he vendor would have to deal with all 14 TCs when reviewing or revising the system”.

It would seem that whatever that was built, ended up being 14 versions of the application and not one. How does reviewing and revising the system become any more efficient by “consolidat(ing) their software rights in a single party”? Humbug.

If that indeed was a valid reason, all the TCs could have done was to agree to trust one TC to be the custodian and decision maker. How would each giving up their ownership to an external party be any better?

I suspect the Coordinating Chairman is pulling a fast one here.

The TCs thus decided to call a tender to meet the following requirements:

1. To purchase the software developed in 2003, and lease it back to the TCs for a monthly fee, until the software was changed;

2. To undertake to secure extensions of the NCS contract at no extra cost i.e. take on the obligation to get an extension on the existing rates, until the TCs obtained new or enhanced software. This was put in to protect the financial position of the TCs; and

3. To work with the TCs to understand their enhancement and redevelopment needs and look for a suitable vendor to provide these upgrades.

If you look at the actual tender notice, all it states is that they are selling a “developed application software” and that the tenderer should be “experienced and reputable company with relevant track record”.

The devil is in the details which is only available if you fork out $214.
So, the PAP TCs wanted to sell out to someone else who fits their criteria of an experienced and reputable company with RELEVANT track record. The tender advertisement sounds very thin and vague.

Under the tender, the TCs sold only the IP in the old software. The ownership of the physical computer systems remained with the individual TCs. We wanted to sell the IP rights in the old software because it had limited value and was depreciating quickly. Had we waited until the new system was in place, the IP to the superseded old software would have become completely valueless.

Ah huh! They wanted to monetize their “IP” as it were. Time was running out. Not sure who else on the planet would want their “IP”, but they must monetize it.

The TCs advertised the tender in the Straits Times on 30 June 2010. Five companies collected the tender documents. These were CSC Technologies Services Pte Ltd, Hutcabb Consulting Pte Ltd, NCS, NEC Asia Pte Ltd and Action Information Management Pte Ltd (“AIM”).

I am sure four of the companies listed above, after wasting the $214, are run by level-headed management who realized that this tender was a huge scam and wanted no part in it and so decided not to respond.

I am aware that NCS considered bidding but in the end, decided not to do so as it was of the view that the IP rights to software developed in 2003 on soon to be replaced platforms were not valuable at all.

Another company withdrew after it checked and confirmed that it was required to ensure renewal of the NCS contract without an increase in rates. The company did not want to take on that obligation. The others may also have decided not to bid for similar reasons.

In the end, only AIM submitted a bid on 20 July 2010.

Does the Coordinating Chairman really think that NCS would have fallen into the scam as well? They would have known that there really is nothing in the application that they could “salvage”, having built it in the first place, let alone helping their customer monetize it.

We evaluated AIM’s bid in detail. First, AIM’s proposal to buy over the software IP would achieve our objective of centralising the ownership of the software, consistent with the model suggested by D&T.

This is circular logic which needs no further response.

AIM was willing to purchase our existing software IP for S$140,000, and lease it back at S$785 per month from November 2010 to October 2011. The lease payments to AIM would end by October 2011, with the expiration of the original NCS contract. Thus after October 2011, the TCs would be allowed to use the existing software without any additional lease payments to AIM, until the new software was developed.

Let’s do the math:

| | 14 PAP Town Councils | AIM |
|---|---|---|
| Contract Award | $140,000 (perhaps each TC got $10K) | ($140,000) |
| Lease (Nov 2010 – Oct 2011) | ($785*14*12 => $131,880) | $131,880 |
| Nett | $8,120 | |

This meant that the TCs expected to gain a modest amount (about S$8,000) from the disposal of IP in the existing software.

So, the so called “Intellectual Property” is really only worth $8,120.

Second, AIM was willing to undertake the risks of getting an extension of the NCS contract with no increase in rates. This was the most important consideration for us, as it protected the TCs from an increase in fees.

And AIM will have the needed clout to negotiate with NCS – because they own the software – but the 14 PAP Town Councils being the original customer of NCS could not garner? Is that really true, Mr Coordinating Chairman? You are saying that you cannot do better than AIM against NCS? Say it ain’t so, Mr Coordinating Chairman.

Third, we were confident that AIM, backed by the PAP, would honour its commitments.

Wow, the PAP link. That’s the magic bullet.  Cronyism at its best. “Backed by the PAP” because the three directors are former PAP MPs or because the company is funded by the PAP?  Perhaps the other companies who picked up the tender document realized that they are not a PAP-{owned, funded} entity and would therefore not win.

That statement alone reeks of contempt of the free market, the principles of transparency, meritocracy and everything we hold dear in this country.
Are you, Mr Coordinating Chairman, also saying that AIM has deep pockets that they can withstand the possibility of NCS not agreeing? The directors of AIM have been reported not to be taking in director fees. That’s noble of them. It does look like the PAP Town Councils found their shining white knight in AIM.

Given the above considerations, AIM had met the requirements of the tender on its own merits. We assessed that the proposal by AIM was in the best interests of the TCs, and thus awarded the tender to AIM.

Of course! AIM has to be trustworthy and reputable given their PAP pedigree. Of course! D’oh!

Under the contract with AIM, the TCs could terminate the arrangements by giving one month’s notice if the TCs were not satisfied with AIM’s performance. Similarly, AIM could terminate by giving one month’s notice in the event of material changes to the membership of a TC, or to the scope and duties of a TC, like changes to its boundaries. This is reasonable as the contractor has agreed to provide services on the basis of the existing TC- and town-boundaries, and priced this assumption into the tender. Should this change materially, the contractor could end up providing services to a TC which comprises a much larger area and more residents, but at the same price.

What a lot of nonsense is this? It is unbelievable that the Coordinating Chairman can include a poison pill clause in the contract if the “boundaries of the Town Councils change”. I believe the boundaries of the West Coast Town Council changed after the May 2011 elections. I don’t see AIM doing anything about terminating the contract (correct me if I am wrong Mr Coordinating Chairman).

How do changes in the “larger area and more residents” materially change the way the software works? Is Mr Coordinating Chairman taking the tax payers and constituents of the PAP Town Councils to be daft? Wait a minute, a former PAP prime minister says we are (search for daft in that link)!

Since winning the tender, AIM has negotiated two extensions of the NCS contract until April 2013, at no increase in rates. The first extension was from November 2011 to October 2012, and the second from November 2012 to April 2013. The TCs received a substantial benefit in terms of getting the extensions from NCS beyond the original contract period, without any increase in prices.

Now, this is confusing. But I shall hold back for more juicy parts following.

What is not known now is the maintenance charges NCS charged as part of their original contract with the PAP Town Councils.

AIM has also been actively working with several vendors to explore new software options and enhancements for the TCs. AIM has identified software from a number of possible vendors, and has invited them to make presentations to the TCs in order for a suitable option to be chosen.

Are any of these open source solutions? Or is this going to be another closed, proprietary system that will face the same issues as the older one? Why are the Town Councils (via AIM) not looking at maximizing the tax dollars that go into this by using open source solutions?

My offer to help build a fully open source solution remains.

Following the expiry of the initial lease arrangement for the software from AIM on 31 October 2011, no further lease payments for the software were made to AIM. During the period of its contract extension from November 2011 to April 2013, the management fee payable to AIM for the whole suite of services it provided was S$33,150, apart from what was payable to NCS for maintenance. In the end, inclusive of GST, each TC paid slightly more than $140 per month for AIM to ensure continuity of the existing system, secure the maintenance of this system at no increased costs, and identify options for a new system to which the TCs could migrate.

We entered into the transaction with AIM with the objective of benefitting the TCs. Over the last two years, the intended benefits have been realised. There is thus no basis to suggest that the AIM transaction did not serve the public interest, or was disadvantageous to residents in the TCs.

Bingo! The smoking gun perhaps?

So, AIM is not charitable and is asking the TCs to pay from November 2011 till April 2013. This is what the math looks like:

| | 14 PAP Town Councils | AIM |
|---|---|---|
| Contract Award | $140,000 (perhaps each TC got $10K) | ($140,000) |
| Lease (Nov 2010 – Oct 2011) | ($785*14*12 => $131,880) | $131,880 |
| Nett | $8,120 | |
| Nov 2011 – Apr 2013 | ($33,150) | $33,150 |
| Nett | ($25,030) | |

So, contrary to the rationale of “monetizing the IP” (a load of crap), the 14 PAP Town Councils will incur a loss of $25,030 in this deal.

This amount is on top of the cost of the D&T report and the “apart from what was payable to NCS for maintenance.”

It does seem that the PAP, having been in power for over 50 years, has found many creative means to “misdirect” tax monies.

I am saddened to have done this analysis.


Please, Mr Coordinating Chairman, please, come clean. You made a mistake. You thought you got a good deal. But that was not what it was. You have been drinking from the PAP water fountain for so long that you cannot see what is right and what is wrong. Your “media statement” is so full of holes that we can drive the Airbus A380 through it with room to spare.

Again, my offer to form a team of open source developers to build a solution that can benefit not only the town councils but anyone else remains.

Software for Public Sector Applications


The ongoing egg-in-the-face of the PAP over the “tender” (thanks to Alex for posting it via an anonymous source) awarded to AIM over the acquisition of a piece of software created for the use of the Town Councils is really disappointing.

Looking at the Today Online story, it would seem that Mr Teo and Mr Das have a lot of explaining to do.

Here’s an example of how proprietary software companies abuse their customers.  If you happen to have acquired a new laptop and it came with Windows 7 Starter Kit installed, when you set it up, you will be presented with a set of terms and conditions. Most people will just click OK and accept the terms and conditions without reading a word. But in this case, if you did not read anything you’d have missed out a juicy bit of restriction.

Section 8 on Page 7 of the Software License Terms says:

8. SCOPE OF LICENSE. The software is licensed, not sold. This agreement only gives you some rights to use the features included in the software edition you licensed. The manufacturer or installer and Microsoft reserve all other rights. Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not
· work around any technical limitations in the software;
· customize the desktop background;
· …;

Isn’t it amazing that even though you thought you bought that piece of software (according to their rules, it is not sold, only licensed), you are NOT allowed to change the desktop background. Changing it will be breaking the terms and conditions of Windows 7 Starter Kit. Wow.

It sure sounds like our friends at the PAP-run Town Councils and AIM took a chunk out of the proprietary software “let’s screw and milk the customer” book. Only this time, the customer is the tax-paying Singapore public.

My offer to the Town Councils, especially Aljunied Hougang Town Council, to help them build a fully open source solution remains.

A helper note for family and friends about your connectivity to the Internet from July 9 2012


This is a note targeted at family and friends who might find that they are not able to connect to the Internet from July 9, 2012 onwards.

This only affects those whose machines are running Windows or Mac OSX and have a piece of software called DNSChanger installed.  DNSChanger modifies a key part of the way a computer discovers other machines on the internet (called the Domain Name Server or DNS).

Quick introduction to DNS:

For example, you want to visit the website, http://www.cnn.com. You type this in your browser and magically, the CNN website appears in a few seconds. The way your browser figured out to reach the http://www.cnn.com server was to do the following:

a) The browser took the www.cnn.com domain name and did what is called a DNS lookup.

b) What it would have received in the DNS lookup is a mapping of www.cnn.com to a bunch of numbers.  In this case, it would have received something like:

www.cnn.com.        60    IN    A    157.166.255.18
www.cnn.com.        60    IN    A    157.166.255.19
www.cnn.com.        60    IN    A    157.166.226.25
www.cnn.com.        60    IN    A    157.166.226.26

c) The numbers you see in the lines above (157.166.255.18 for example) are the Internet Protocol (IP) numbers of the servers on which www.cnn.com resides. You notice that there is more than one IP number.  That is for managing requests from millions of systems and not having to depend only on one machine to reply.  This is good network architecture. For fun, let’s look at www.google.com:

www.google.com.      59    IN    CNAME    www.l.google.com.
www.l.google.com.    59    IN    A    173.194.38.147
www.l.google.com.    59    IN    A    173.194.38.148
www.l.google.com.    59    IN    A    173.194.38.144
www.l.google.com.    59    IN    A    173.194.38.145
www.l.google.com.    59    IN    A    173.194.38.146

www.google.com has 5 IP #s associated with it, but notice that the first line says CNAME (which stands for Canonical Name). What that means is that www.google.com is also the same as www.l.google.com, which in turn has 5 IP #s associated with it.

d) The beauty of this is that in a few seconds, you got to the website that you wanted to without remembering the IP # that is needed.

Why is this important? If you have a cell phone, how do you dial the numbers of your family and friends?  Do you remember by heart their respective phone numbers? Not really, or at least not anymore. You probably know your own number and those of a small close group (your home, your work, your children, spouse, siblings).  Even then, their names are in your contact book and when you want to call (or text) them, you just punch in their names and your phone will look up the number and send out.

The difference between your cell phone directory and the DNS is that, you control what is in your phone directory.  So, a name like “Wife” in your phone could point to a phone number that is very different from a similar name in your friend’s phone directory.  That is all well and good.

But on the global Internet, we cannot have name clashes and that is why domain names are such hot things and people have snapped up pretty much a very large chunk of names during the dot.com rush in the late 1990s.

Now on to the issue at hand

So, what’s that got to do with this alarmist issue of connecting to the Internet from July 9, 2012?

Well, it has to do with the fact that there was a piece of software – malware in this case – that got added to machines running Windows and Mac OSX.  In all computers, the magic to do the DNS lookup is maintained by a file which contains information about which Domain Name Server to query when presented with a domain name like www.cnn.com.

For example, on my laptop (which runs Fedora), the file that directs DNS lookups is called /etc/resolv.conf.  This is the same for Mac OSX and I think there is something similar in the Windows world as well. Fedora and Mac OSX share a common Unix heritage and so have many files in common.

The contents of my /etc/resolv.conf file are:

# Generated by NetworkManager
domain temasek.net
search temasek.net lan
nameserver 192.168.10.1

The file is automatically generated when I connect to the network and the crucial line is the line that reads “nameserver”. In this case, it points to 192.168.10.1 which happens to be my FonSpot wireless access point. But what is interesting is that my FonSpot access point is not a DNS server per se.  In the setup of the FonSpot, I’ve got it to look up domain names to Google’s public DNS server whose IP #s are 8.8.8.8 and 8.8.4.4.

Huh? What does this mean?  Simply put, when I type in www.cnn.com on my browser, that name’s IP # is looked up first by my browser asking the nameserver 192.168.10.1, which is the FonSpot, which will then return to my browser that it should go ask 8.8.8.8 for an answer. If 8.8.8.8 does not know, hopefully 8.8.8.8 will give an IP # to my browser to ask next.  Eventually, when an IP # is found, my browser will use that IP # and send a connection request to that site. All of this happens in milliseconds and when it all works, it looks like magic.

What if you don’t get to the site?  What if the entry in the /etc/resolv.conf file pointed to some IP # that belonged to a malicious entity that wanted to “hijack” your web surfing?  There is also a legitimate use of this kind of redirection. For example, when you connect to a public wifi access point (like Wireless@SG for example), you will initially get a DNS nameserver entry that belongs to the wifi access provider. Once you have successfully logged into that access point, your DNS lookup will be properly directed. This technique is called “captive portal”. My FonSpot is a captive portal btw.

The issue here is that those machines that have the malware DNSChanger have their DNS lookups hijacked and directed elsewhere.  See this note by the US Federal Bureau of Investigation about it.

It appears that the DNSChanger malware had set up a bunch of IP #s to maliciously redirect all access to the Internet. If your /etc/resolv.conf file has nameserver entries that contain numbers in the following ranges:

85.255.112.0 to 85.255.127.255

67.210.0.0 to 67.210.15.255

93.188.160.0 to 93.188.167.255

77.67.83.0 to 77.67.83.255

213.109.64.0 to 213.109.79.255

67.28.176.0 to 67.28.191.255

you are vulnerable.
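As an added example (not part of the original post), the check described above can be done locally by comparing each nameserver entry in a resolv.conf-style file against the ranges listed. The ranges are copied from the list above; the function names and the two sample files are constructed for illustration.

```python
import ipaddress

# First and last address of each range, copied from the list in the post.
DNSCHANGER_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("67.28.176.0", "67.28.191.255"),
]

def nameservers(resolv_conf_text):
    """Return the IPv4 nameserver addresses found in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        # Comment lines start with '#' or ';'; only "nameserver <ip>" matters here.
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            servers.append(ipaddress.IPv4Address(fields[1]))
        except ValueError:
            continue  # IPv6 or malformed entry: outside the listed IPv4 ranges
    return servers

def matching_range(address):
    """Return the 'first to last' range containing address, or None."""
    for first, last in DNSCHANGER_RANGES:
        if ipaddress.IPv4Address(first) <= address <= ipaddress.IPv4Address(last):
            return f"{first} to {last}"
    return None

def check_resolv_conf(resolv_conf_text):
    """Return (nameserver, range) pairs for every entry inside a listed range."""
    pairs = ((str(s), matching_range(s)) for s in nameservers(resolv_conf_text))
    return [(server, found) for server, found in pairs if found]

# Constructed samples: the file shown in the post, and a made-up affected one.
CLEAN_SAMPLE = "# Generated by NetworkManager\ndomain temasek.net\nsearch temasek.net lan\nnameserver 192.168.10.1\n"
AFFECTED_SAMPLE = "nameserver 85.255.112.36\nnameserver 8.8.8.8\nnameserver 67.210.16.0\n"

if __name__ == "__main__":
    with open("/etc/resolv.conf") as handle:
        for server, found in check_resolv_conf(handle.read()):
            print(f"nameserver {server} is inside {found}")
```

An empty result only covers the machine's own file. When the entry is a local access point, as with the 192.168.10.1 FonSpot described earlier, the DNS servers configured on that device are the ones actually queried and need the same comparison.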

Here’s a test I did with the 1st of those IP#s on my fedora machine:

[harish@vostro ~]$ dig @85.255.112.0 www.google.com

; <<>> DiG 9.9.1-P1-RedHat-9.9.1-2.P1.fc17 <<>> @85.255.112.0 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34883
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.            IN    A

;; ANSWER SECTION:
www.google.com.        464951    IN    CNAME    www.l.google.com.
www.l.google.com.    241    IN    CNAME    www-infected.l.google.com.
www-infected.l.google.com. 252    IN    A    216.239.32.6

;; AUTHORITY SECTION:
google.com.        32951    IN    NS    ns2.google.com.
google.com.        32951    IN    NS    ns4.google.com.
google.com.        32951    IN    NS    ns3.google.com.
google.com.        32951    IN    NS    ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.        33061    IN    A    216.239.32.10
ns2.google.com.        33061    IN    A    216.239.34.10
ns3.google.com.        317943    IN    A    216.239.36.10
ns4.google.com.        33297    IN    A    216.239.38.10

;; Query time: 305 msec
;; SERVER: 85.255.112.0#53(85.255.112.0)
;; WHEN: Sun Jul  8 21:40:07 2012
;; MSG SIZE  rcvd: 242

Some explanation of what is shown above. “dig” is a command (“domain internet groper”) that allows me, from the command line, to see what a domain’s IP address is. With the extra stuff “@85.255.112.0”, I am telling the dig command to use 85.255.112.0 as my domain name server and get the IP for the domain www.google.com. Currently 85.255.112.0 is being run as a “clean” DNS server by those who’ve been asked to by the FBI.

Hence, what will happen on July 9th 2012 is that the request by the FBI to give a reply when 85.255.112.0 is used will expire. Therefore the command I executed above on July 8th 2012 will not return a valid IP number from July 9th 2012. While the Internet will work, people whose systems have been compromised to point to the bad-but-made-to-work-OK DNS servers will find that they can’t seem to get to any site easily by using domain names. If they instead used IP#s, they can get to the site with no issue.

A quick way to check if your system needs fixing is to go to http://www.dns-ok.us/ NOW to check. If it is OK, ie your system’s /etc/resolv.conf is not affected (or the equivalent for those still running Windows).

See the announcement from Singapore’s CERT on this issue.