LEGO Friends “Lessons of Friendship” Meme Contest Winners

LEGO Friends recently launched their new friendship campaign and partnered with Alvinology.com for a giveaway.

To join the meme contest, participants just have to do the following:

  1. Watch the “Lessons of Friendship” film
  2. Do a screen capture of the video
  3. Write a nice Friendship-related statement with the screen capture as a meme and email it to alvinologist@gmail.com by 15 Nov 2013.

Here are some of the amazing entries I have received for the contest:

Grace Tan
Robert Sim
Carol Lim
Henri Soh
Megan
Karis See
Chan CL
Jaime Chan
Erlina Husada
Farizah Rahman

There are a total of 3 prizes to give away:

Top Prize
1 x Friendship Diary
1 x Heartlake Pet Salon (usual price: S$59.90)

Runner Up Prizes (x2)
1 x Friendship Diary
1 x Mia’s Magic Tricks (usual price: S$19.90)

The winners are….

Congratulations to Grace Tan for winning the top prize; Robert Sim and Farizah Rahman for winning the runner up prizes! I will be providing your emails to the organisers and they will be contacting you on the prize collection details.

Thank you for joining this contest everyone. Do continue to support this blog. 🙂

Online food delivery portal FoodPanda comes to Singapore

Online food delivery service is not new in Singapore; what is important is the variety of food offerings and the assurance of quality service.

FoodPanda is an online food delivery portal which delivers food from various local restaurants right to your doorstep. It currently operates in 30 countries worldwide, including Singapore, and was founded by Rocket Internet, the same company behind online shopping site Zalora.

Sick of the usual fast food delivery options? Why not try ordering from FoodPanda for a variety of international cuisines from a slew of local restaurants?

Welcome to FoodPanda

I just made a dinner order on FoodPanda last night and was pretty satisfied with their service.

There is a variety of different cuisines available on FoodPanda, ranging from Italian to Japanese to Indian. I had a craving for briyani last night and was very happy to see a few Indian restaurants which deliver to my home.

I made the order at around 7pm from my office. The estimated delivery time was indicated as 70 minutes and the charges were all reflected upfront, with no hidden costs:

Browsing through the menu for Aromas of India

My wife texted me at around 7.30pm to inform me that the delivery had been made. Love it. Fuss-free and easy to use. Dinner is just a few clicks away with FoodPanda.

The total bill from Aromas of India restaurant came to S$28.27. Food cost was S$25.70 with an additional 10% (S$2.57) service fee. There is no 7% GST.

My order

Here is what my order looked like when it came:

A salad, mutton briyani and chicken briyani to share between two pax
Salad to share
Chicken briyani
Mutton briyani

The portal also offers periodic discounts and alerts, much like many of the online coupon websites, except that they will be tempting you with food offerings exclusively.

FoodPanda is also available on both iOS and Android mobile platforms.

I had a good experience ordering from FoodPanda and will do so again.

On Anonymous declaring “War” on Singapore PAP government – Note from a regular IT dude

This post is contributed by a friend of mine, Wei Kiat, who is a regular IT dude. He has some interesting perspectives to share on the recent Anonymous and Messiah saga. If you found what was written here useful, do share this post to stop the fear-mongering:

1. Fear Mongering & the State of things

There had been a number of cyber attacks over the past few days by someone who calls himself “Messiah”. The attacks sparked panic island-wide, with people fearing a “cyber” doomsday where everything would magically stop working and the whole island would be in chaos. I thought it would be prudent to set the record straight, to help laymen understand what these attacks actually entail and to prevent the spread of needless panic and fear. Cases of blind-leading-blind when it comes to attacks and their implications are too rampant.

The usual disclaimer:

1) I’m not an IT security professional or a white or black hat hacker, merely a programmer, IT consultant & entrepreneur. If I have made any factual mistakes, please kindly feedback and I will rectify them.
2) The following are my theories. Many of my assumptions on the capabilities of Messiah I do not know as facts. I may be wrong. Please take it with a kilogram of salt.

Now, let’s consider Messiah’s technical capabilities.

2. Messiah’s Technical Capabilities

2.1 The Difference between “Web Systems” & “Internal Systems”

In order to understand what really went on behind the cyber attacks over the past few days, for the sake of simplicity, let’s divide computer systems into two main categories, web systems and internal systems. By “web systems”, I refer to all the servers and systems behind an organization’s website. By “internal systems”, I refer to mission critical systems used by an organization for their day to day functions. For example, LTA’s website is on a “web system”, LTA’s traffic controller system is an “internal” system.

The attacks over the last few days all involved web systems, which are easier targets for attack because these systems are more public while generally having weaker security mechanisms. There is no sign that Messiah was able to gain access to any internal systems to date. Fear-mongers have been preaching and misleading people into thinking that, as an example, if LTA’s website got hacked, our traffic lights will stop working. That is simply not the case, and Messiah has not yet demonstrated his ability to carry out “infrastructure crippling” attacks. Sad to tell you, but ERP will still continue to work even if LTA’s website is down.

2.2 Understanding attacks on “Web Systems”

To help laymen in understanding the nature of attacks on websites, let’s imagine that every time you type in a URL on your web browser, a tiny truck comes out of your computer (a web request), looks up the destination on the street directory (a DNS server), drives to the warehouse (website server) to pick something up (the actual website) and brings it back to you (website loads on your screen).

To attack a website, the attacker can either prevent your tiny truck from ever reaching the factory while leaving the factory untouched, or enter the factory to shut it down (a.k.a hack into the server.)

Attacks over the past few days can be categorized into two main types: defacement attacks (when the website got vandalized, such as Straits Times’ Blog) and service availability attacks (when the website becomes inaccessible for a period of time, such as the supposed hack on government websites).

2.2.1 Defacement Attacks

A very strange pattern emerged. It seemed as if only sites running open source CMS (content management systems) and/or cheaply outsourced were defaced. For example, only the blog section of Straits Times was hacked, because out of the entire Straits Times site, only the blog section uses an open source CMS. Hacking into a CMS involves gaining access to either (1) the CMS admin dashboard or (2) the web server. The CMS admin dashboard is a simple system that allows non-IT personnel to update the content of a website. Hacking into the CMS admin dashboard does not mean the hacker has complete access to the entire web server.

Gaining access to CMS admin dashboard is easy. For open source CMS solutions, exploits are always discovered and published, in order for security fixes to be written and distributed in a very short amount of time. However, most solution vendors in Singapore hand off CMS to their clients immediately after project conclusion, and seldom advise their clients to do constant upgrades, opening huge opportunities for attack. Many CMS admin dashboards also use the same default username, such as “admin”. In most cases, such accounts are shared among different staff, so to help everyone in remembering the password, plain English passwords are commonly used. It is then easy to use a simple dictionary attack to hack. Dictionary attack simply involves using a program to try different passwords at high speed. Given enough time (days, months, years, centuries), any account could be hacked this way.

From the very specific targets of attack (only open source CMS sections of a website were hacked i.e. Straits Times Blog, and only websites using open source CMS were hacked i.e. CHC website), I think it is safe to conclude that Messiah did not attempt or did not have the necessary skills to hack into an actual server.

2.2.2 Service Availability Attacks

How about supposedly bringing down a couple of government websites as well as Straits Times, Stomp and Hardwarezone (all owned by SPH) for a couple of minutes? For this post, let’s assume the government websites were down because of a cyber attack, not a “scheduled maintenance”.

Server hacks are hard to recover from if there’s damage done. Looking at how fast we recovered from those attacks, it is possible to speculate that the servers were never actually hacked. Using the tiny truck analogy from above, the attacker simply prevented your tiny truck from ever reaching the factory (so when you try to access a website, it could not load). Two common methods are known as DoS (denial of service) and DNS Spoofing or poisoning.

Denial of service attack is an attack that doesn’t require much skill. To prevent your tiny truck from reaching the factory (connecting to the web site), the attacker simply had to send millions of tiny trucks to the same factory at the same time so that the highway became so congested your truck couldn’t get through.

While I am not too familiar with DNS poisoning, DNS servers are like street directories. DNS poisoning attack messes up the directories, causing your tiny truck to lose its way and never reach the factory.

Let me repeat, both DoS and DNS poisoning attacks do not involve actual hacking (e.g the factory in the analogy above was never compromised). There is no need to infiltrate any government or SPH servers to execute these attacks.

2.3 What does this say about Messiah?

In summary, Messiah was only able to breach certain web systems; he was not reported to have breached any internal systems. In cases where web systems were breached, Messiah was only able to do so via the CMS. He was never able to hack into the actual web server. For websites that do not use weak CMS, he simply did a service availability attack. This doesn’t sound like someone who is an extremely skilled hacker as proclaimed in the video.
Conversely, the skill-set required for the attacks we have seen so far is very different from those crazy hardcore attacks we have seen Anonymous do on news reports. I am speculating that Messiah may not even be from Anonymous.

3. What’s next?

I think Messiah will continue looking for easy exploits among high profile websites, and when he or they can’t hack, they will simply do a DoS or DNS poisoning attack to make a statement.

I trust the security capabilities of our government sites, and I still believe that unless there are different hackers who join today, our data on government servers and infrastructures will remain safe.

As an average Joe, I don’t think there’s much to fear about these attacks because:

1) As concluded above, Messiah doesn’t seem competent enough to actually compromise important servers
2) Once again, “web systems” and “internal systems” are different. Hacking into LTA website does not equate to hacking into LTA. Your traffic lights will still work. They are different things.
3) Assuming that even if he or they have the ability, there is no reason for Messiah to try to gain unauthorized data, or to abuse or leak them. The youtube video called for support from Singaporeans. There will be more haters than supporters if such things happened.
4) The attacks so far are more in line trying to “make a statement” than to retrieve or leak any sensitive data. This trend may continue.

Hope this post helps provide some insights into the confusing world of cyber security, and to maybe help with allaying the fear and reducing confusion after all the blind-leading-blind articles that have been popping up lately.

That said, organizations and individuals should remember to always exercise prudence and preemptive diligence when it comes to security. Cyber attacks are very real and may strike you when you least expect it.

On Anonymous declaring “War” on Singapore PAP government

Via Yahoo! Singapore News (31 Oct 2013):

A hacker group claiming to be the notorious Anonymous collective has put up a YouTube video promising that it will declare war on the Singapore government if it does not stand down from an internet licensing framework that critics have said restricts freedom of speech.

The video, which surfaced online two days ago, was removed from YouTube just minutes after it went viral on Facebook and Twitter today with over 4,000 shares. The video, however, has been reposted on Facebook, other channels on YouTube, and various video platforms.

The message goes: “the primary objective of our invasion was to protest the implementation of the internet licensing framework by giving you a sneak peak of the state of your cyberspace if the ridiculous, communistic, oppressive and offensive framework gets implemented.”

It continues: “We have faced much larger and more secured corporations such as the FBI and the NSA. Do you think the IDA will be a problem for us? … so mark our words when we say that we Anonymous stand firm on our belief that no Government has the right to deprive their citizens the freedom of information.”

The video then called on “fellow Singaporean brothers and sisters” to start a public protest by dressing in black and red on November 5 and blacking out their Facebook profile pictures.

A day later, via Yahoo! Singapore News (1 Nov 2013):

Activist group Anonymous hacked a Singapore newspaper website Friday over Internet freedom in the city-state, where government agencies are now reportedly on alert for wider cyber attacks.

The website of the pro-government Straits Times was hacked early in the day by apparent members of the group, which is opposing recently introduced licensing rules for news websites in Singapore on censorship grounds.

The attackers, using the name “Messiah”, took over the blog of a Straits Times journalist, saying she had distorted “our words and intentions” in a report on the group’s threat a day earlier to “wage war” on the Singapore government.

“We oppose any form of Internet censorship among other things,” said a post on the journalist’s hacked blog, which is part of the newspaper’s website and has been taken offline.

The hackers urged the journalist to apologise within 48 hours “to the citizens of Singapore for trying to mislead them”.

If she fails to apologise, “then we expect her resignation”, the hacker said in the hacked account, still visible in online caches.

“If those demands are met we will be on our way. But in the event our demands are not met in the next 48 hours, we will place you in our ‘to do’ list and next time you wont (sic) be let off this easy.”

Asian media giant Singapore Press Holdings, which publishes the newspaper, said: “We have made a police report, and the police are investigating.”

Reported on AsiaOne another day later (2 Nov 2013):

Many government websites were down on Saturday since 1.30pm.

Besides gov.sg, many users also complained of difficulties accessing other government ministries websites.

The list of government websites down so far: ACRA.gov.sg, AVA.gov.sg, Careers.gov.sg, CNB.gov.sg, GOV.SG, IDA.gov.sg, ISD.gov.sg, ICA.gov.sg, LTA.gov.sg, PUB.gov.sg, MHA.gov.sg, Prisons.gov.sg, SGDI.gov.sg, Singpass.gov.sg, SPF.gov.sg.

IDA said in their Facebook page that “government websites are under planned maintenance and will be back ASAP (as soon as possible).”

Some members of the public commented on IDA’s Facebook page, noting that the IDA’s latest update was done via a mobile phone, which was highly unusual as all its previous Facebook updates were posted from a web browser.

A user said: “Shouldn’t planned maintenance be announced in advance?”

Another user also added: “Why did you plan a maintenance on a weekend when many Singaporeans are using websites like ICA’s to renew their passports and other important government functions? Why was this not publicised much earlier given that many Singaporeans are affected. If it’s planned, why is there a need to make it ASAP?”

What is next?

Will the hackers be caught and invited to ‘lim kopi’?

In a news article published in tabloid newspaper, The New Paper, an anonymous lawyer was quoted saying that “such videos proclaiming war against the Government actually contravene the penal code, and the possible penalty is death”.

DEATH.

Yes, you read it correctly.

What if the hacker was a ten year old computer genius?

Death sentence too?

The string of incidents is like a movie plot with one revelation made with each passing day. The deadline was given as 5 Nov 2013. I will be watching this date.

I wonder how many people will really dress in black or red this Tuesday to support the hacker group and how many will ‘black out’ their Facebook profile picture.

I am quite ambivalent over the whole saga.

The first thought which came to my mind was whether Anonymous had hacked into NS.SG since it was launched because it sucks so much…

Jokes aside, I find it alarming that most people online seem to be on the side of the hackers. Either that or they are like me, just sitting by and enjoying the show with popcorn in hand. There is not much love for the PAP government these days.

Meanwhile, my sympathy goes out to all the folks working in the IT department of government ministries, statutory boards and government-linked corporations in Singapore. While the rest of us were enjoying our Deepavali weekend, they were probably busy buffing up their security systems to keep Singapore safe.

[Sponsored Video] Ambi Pur Smelly to Smiley Challenge

Is it possible to turn #SmellyToSmiley?

Leading P&G air freshener brand Ambi Pur did a test to find out just that.

Ambi Pur set up a room full of smelly items, with old shoes, durian, and dirty food cans. They then guided some real, blindfolded folks into the room, asked them to smell the room thoroughly, and then describe their experience.

Can Ambi Pur undo the damage from the stinky items? Watch this video to find out:

I remember when I was serving my NS, our air-con bunk always smelled of sweat and old socks. Repulsive. A healthy dose of Ambi Pur then would have made all of us happier and fitter to defend the nation – a real life scenario of #SmellyToSmiley.

Can you think of other real life #SmellyToSmiley scenarios?

Tweet and share them with Ambi Pur using #SmellyToSmiley. Here are some of the examples I thought of:

1. School changing rooms, especially after a long PE lesson.

2. Car interior after transporting a cargo load of durians home for the family.

3. A guest lighted up and puffed away in your home with your air-con on.

4. Your parents just made their own belachan (nonya shrimp paste) in your kitchen.

5. You run and operate a stinky tofu stall.

6. Someone has body odour in the office and is not using any deodorant.

7. You love to eat blue cheese, but sadly, the rest of your family members don’t.

8. Your child brought his/her basketball teammates home after a sweaty match.

9. Your new citizen neighbours dislike curry smell.

10. You only do your laundry once a month and pile up all your clothes in one corner.

More details on Ambi Pur are available via their official website.

This post sponsored by Ambi Pur.

On National Service – Guest Post by Ohad Levinkron, Israel

Singapore is not the only country in the world with a conscripted army. There is also Israel, South Korea and Taiwan, among others.

After stirring up a debate on the review of the NS system in Singapore, I am opening this blog up for guest blog posts from conscripted military personnel from around the world.

To kick start, here is an account written by Ohad Levinkron, a friend I got to know during my trip to Israel last year:

Maybe we should start with some background. I’m from Israel.

Yep, that’s the really small country we call the Jewish State, located somewhere in the Middle East. We call it that because it was founded, about 60 years ago, as a home for the Jewish people. We used to live here once, about 2000 years ago, then stuff happened, and to make a (really) long story short we’ve been wandering the planet ever since. That is, up until now. Anyway, I guess Singaporeans already know something about living in small, young countries.

So apart from my country being really small, it’s not in the greatest place you could think of. I mean, the location does have its advantages – Our forefathers walked this place, we all feel very attached to it, the beaches are pretty nice too, but security-wise, well, it could be better. Basically, in the last couple of millennia there weren’t that many of us around here, and when we started coming back the people around here weren’t very into that. Those are today’s Palestinians. Now these guys happened to be Arab, as are every one of the countries in our neighborhood, so it was pretty clear who was winning the regional popularity contest. Sadly, though, this didn’t just end up with them not speaking to us during lunch breaks, and every decade or so we find ourselves in some sort of war. There are better years and there are worse, but while the casual tourist may not notice this much, the conflict is something Israelis face constantly.

So there’s a brief intro* to the Middle East conflict for you.

Now all that leads up to one fine day, about 15 years ago. Back then I was a bored 11th grader, sitting in class as usual, paying as little attention as I possibly could. On that particular day, however, the teacher passed out a form. It was a form from the army (which generally aroused much excitement amongst us), and it was about giving the army permission to see all of our grades.

I think I was about the only one who didn’t sign it. What if I don’t get good grades, I thought to myself. Do I really want some government official to see my private info? Who knows where it’s going to end up, and who’s going to see it in 30 years, when I run for public office? (At the time I didn’t think about who was going to care). Well, holding on to those principles didn’t last very long. After a few months all my friends started getting summoned to exams for special units, and I had to go and chase those units down just to beg them to look at my grades. There’s principles for you.

In the end I was fortunate enough to get into a good unit, and serve in interesting and meaningful ways. In fact, I had so much fun that beyond the obligatory 3 years I even signed up for a couple more. I was also lucky to do my service in a comfortable office, and not in some watch tower, freezing my pants off and risking my life in the middle of some sleepless night. Most of my friends were in similar positions, as I met many of them in those formative years in service. Not all, though. Some were just wasting away their best years doing some useless clerical job. Many were out on the front lines (effectively in our back yard), dealing with the everyday routine of our conflict. Some got hurt. Most were affected, unoblivious to security issues for the rest of their lives – whether identifying with the system they were a part of, or shunning it away. Almost everyone came out with their best friends for life.

Eventually I did get out, and went on to study. When I was an undergrad, one of my best friends set me up with an interview for a small start-up company in the internet business. He had known one of the founders from University, and it also helped that the three of us had served in the same army unit. I didn’t actually know the guy during my service, but I believe the official “stamp of approval” from being in that unit, and the feeling of comradery we shared, did play some part in getting me the job. Further along, another army buddy offered me a position at a company he had set up. After graduation, when I was looking for my first “real” job, my army record again played no small part in impressing the future boss. I would be very conservative to estimate that 50% or more of the people in our company got in based on their military record, and I don’t think this is unusual. This by no means indicates they don’t deserve to be there – many are of the brightest I know, and of the best in their field; But that army clerk, signing off one kid to the barracks while his friend went to a high-techy R&D unit, played no small part in their lives.

In a country like ours, military service is inseparable from who we are. Almost all kids aged 18 enlist for 2-3 years. A common saying goes that this is only the beginning; Later they are released into reserve duty, which may mean up to a month of every year, of (frequently voluntarily) leaving work and family behind and going off to serve. One of the main issues of our 2013 elections was the exemption of certain groups of people from service. The injustice of this was enough to trigger widespread demonstrations in public, and heated debate at our homes. And every few years the situation here escalates, and we are again reminded that reserve duty is not just in theory. But army duty doesn’t just divide us, it also brings us together. These shared experiences we have: boot camp, and our drill sergeant; painting the grass green and the other stupidities of military bureaucracy; waiting for mom and dad to visit over the weekend, embarrassing us in front of our friends but bringing along some home-cooked food to make up for it – Like our history, they are much of what makes this strange mix of immigrants one united nation.

Is it a necessary result of our situation? Or one of its causes? Mandatory service in Israel is not really up for debate. We can’t even imagine what Israel would be like without it. But it surely has a big impact on our individual lives, and our society.

I believe that in a mature and open society, important issues should be eligible for public debate. After getting a glimpse of the discussion through Alvin’s (wonderful) blog, I can only hope that NS in Singapore will continue to be so. As an Israeli, I think we could learn from your example.

*Disclaimer: I think it’s also pretty accurate, but feel free to check out the details yourself.

If you would like to contribute a guest blog post on the topic of conscription or know of someone who would like to contribute, please email me at alvinologist@gmail.com.