Tag Archives: Southeast Asia

Big, or Bigger: Southeast Asia’s Tech Economy in 2025

Google and Temasek have been taking a crack at estimating and predicting the size of Southeast Asia’s ecommerce economy for the past four years, starting in 2016 (yes, I know that’s three years but they’ve put out four reports, the latest this week, so there.) 

I’ve not had a close look at this report, there’s obviously some good stuff in there, and it’s easy to pick holes in this kind of thing, but it pays to be humble. I’ve done my own chart, below, taking the data from each report about their predictions for 2025, and how they’ve changed over time. The four left columns are more or less the years of the estimate (2016 assessed 2015 for some reason, while the others did the year the report was released in); the right four stacks are the estimates for 2025 in 2016, 2017, 2018 and 2019 respectively. You can see how much their view has changed.

The first year there was no separate estimate for ride hailing; it clearly wasn’t considered to be a significant sector, or likely to be one. I think a smarter analysis would have seen that one coming. It was 2016 already, and Grab was already the region’s biggest unicorn. Then there’s the huge disparity in estimates between 2017 and 2018, the third- and second-to-right columns, and then between last year and this. Overall, between 2016 and 2019 the report upped its projection by 50%, from $200 billion to $300 billion.

Of course, it pays for all those involved to cheerlead the region; no one is going to say things are going to get better, and it’s a good headline to say ‘we goofed up by underestimating how well things are going’. But these are big numbers, and big discrepancies. If nothing else, it’s a good reminder that such estimates need to be taken with a big grain of salt. 

[Chart: Google Temasek estimate of ecommerce market size in Southeast Asia, 2016–2019]

ASEAN Phishing Expeditions

Mila Parkour, the indefatigable phish researcher from DC, points to some recent spear-phishing attacks which to me help confirm that Southeast Asia, and ASEAN in particular, has become something of a focus for the chaps in China.

They also highlight just how vulnerable diplomats in the region are because of poor security.

One is a phish apparently coming from the Indonesian foreign ministry, in particular one Ardian Budhi Nugroho, whom the email correctly describes as from the Directorate of ASEAN Political Security Cooperation. The subject matter is topical and credible:

Dear Sirs/Mesdames,
Enclosed herewith letter from Director for ASEAN Political-Security Cooperation, informing the date of the next Direct Consultations between ASEAN and P5 Nuclear Weapon States, which will be held on 4 – 6 October 2011 in New York. A Tentative Programme of the Direct Consultations is also attached for your kind reference. Thank you for your attention and continued cooperation.

The only good thing about these phishes is that they reveal something of the attacker’s interests. These attacks are timed carefully a week or so ahead of key meetings–in this case an Oct 4-6 meeting in New York of ASEAN and P5 Nuclear Weapon states (one of those states, of course, is China). The email was sent on Sept 20.

The email address given, aseanindonesia@yahoo.com, doesn’t appear to be genuine, but it could easily be. Look, for example, at the email addresses listed here. More than half are either ISP or webmail addresses.

Diplomats need to get wise to these kinds of attacks by using their domain’s email addresses and being more sophisticated about their communications (not sending attachments, for one thing, and telling me they don’t.)

How does all this work? We don’t know who received this but it’ll probably be a list of diplomats attending the talks–not hard to find, as we can see from the above list. It only needs one member of each delegation to open the infected attachment for their whole delegation to be in danger of China–or whoever is behind this attack–being able to monitor everything they do.

Southeast Asia’s Third Mobile Tier

The mobile revolution is moving from second tier countries in Southeast Asia to the third and final tier. Whereas previously Indonesia and the Philippines were seeing the biggest growth in mobile Internet traffic, now it’s Burma (Myanmar) and Cambodia which top the list in terms of user- and usage-growth, according to the Opera State of the Mobile Web report for July:

    • Myanmar and Cambodia lead the top 10 countries of the region in terms of page-view growth (6415.0 % and 470.1 %, respectively).
    • Myanmar and Cambodia lead the top 10 countries of the region in growth of unique users (1207.5 % and 179.1 %, respectively).
    • Myanmar and Cambodia lead the top 10 countries of the region in growth of data transferred (3826.6 % and 353.2 %, respectively)

Of course these figures are from a low base, and the Opera data is not the easiest to trawl through. (The Opera mobile report is always interesting reading, so long as you take into account that the Opera browser is for many people a Symbian browser and so of declining popularity in some quarters. Also their data is never presented in quite the order one would like, so you have to dig.)

Looking at the figures in more detail, and throwing them into a spreadsheet of my own, it’s clear that Burma is definitely an outlier. Cambodia’s growth is impressive, but Burma’s is by far the greatest out of all 27 countries surveyed. Here’s how it looks:

[Chart: 2011-07 Page view growth SEA]

So is the Burma usage real, or is this just a jump from nothing to slightly more than nothing? I suspect it may actually be a sizeable jump. Opera are coy about the actual number of users (so we may actually be dealing with a small dataset). But the figures suggest that this is a real spurt in usage: Burmese mobile users are transferring more data per page view than any other of the 27 countries surveyed, and the page views per user is on a par with the Philippines and Thailand.

I’d cautiously suggest that Burma, along with Cambodia and Laos, is beginning to exhibit some of the signs of what one might pompously call “mobile societies”: using the mobile phone as an Internet device as a regular part of their activities. Take the page views per user, for example, which measures how much they’re using the mobile phone to view the Internet (Brunei seems to be in a league of its own; I don’t know what’s going on there, except that in terms of nightlife, I’d have to say not much):

[Chart: 2010-07 Page views per user SEA]

It’s probably too much to conclude that mobile phones as Internet devices are now mainstream in this third tier of the region, but it’s a healthy sign, with lots of interesting implications.

Southeast Asia’s Viral Infection

Southeast Asia is fast developing a reputation as the most dangerous place on the Internet. It’s not a reputation the region can afford to have.

By one account Thailand has risen to be the country with the highest number of malware infections, and by another to be the second, all in the past few months.

PandaLabs’ report on the second quarter of 2011 [PDF] lists Thailand as having the second highest rate of malware infection (after China), with nearly 57% of computers scanned by their antivirus software found to be infected. The global average is about 40%. Thailand was second in the previous quarter too, but with an even higher infection rate, of 65%. Most of these infections seem to come from worms.

Indeed, this trend seems to have started last year. The Anti-Phishing Working Group’s report for the second half of 2010 lists Thailand as top in terms of infected countries–nearly 67%, higher than China’s 63%. (I should point out that the chief analyst for the APWG is Luis Corrons, who is technical director of PandaLabs, so the source of this data may actually be one place.)

Indonesia, meanwhile, now equals the United States as the highest single source of Distributed Denial of Service attacks, according to data from Kaspersky (Expect More DDoS Attacks Tomorrow, published on Monday):

The US and Indonesia topped the rating with each country accounting for 5% of all DDoS traffic. The US’s leading position is down to the large number of computers in the country – a highly attractive feature for botmasters. Meanwhile, the large number of infected computers in Indonesia means it also ranks highly in the DDoS traffic rating. According to data from Kaspersky Security Network, Kaspersky Lab’s globally-distributed threat monitoring network, in Q2 2011 almost every second machine (48%) in Indonesia was subjected to a local malware infection attempt.

A couple of points here:

  • Indonesia has a lot fewer computers connected to the Internet compared to the U.S.: about 40 million vs 245 million. This means that Indonesia is generating 5 times as much DDOS traffic per computer as the U.S.
  • The discrepancies in the infection rates between Kaspersky and Panda are artifacts of the way these companies measure these things. Basically, as far as I understand, they gather data from users, so a lot depends on just how popular that particular piece of antivirus software is in the country, and on factors such as the likelihood of people actually using antivirus software.

The Kaspersky report shows that Southeast Asia features heavily in the proportion of DDOS traffic:

  • Indonesia 5%
  • Philippines 4%
  • Vietnam 4%
  • Thailand 4%
  • Singapore 4%
  • Malaysia 3%

Internet traffic optimizer Akamai, meanwhile, reported that [PDF, may have to answer a short survey before reading] Burma (Myanmar) accounted for 13% of the world’s attack traffic (i.e. DDOS traffic). This was the first time that Burma appeared on the list. I’ve spoken to Akamai and they’re not clear why this is the case, but they did point to the fact that their data covers the first quarter of 2011, a few months after a massive DDOS attack on Burma which happened to coincide with the country’s elections.

The suspicion at the time was that this was self-inflicted: basically pro-government hackers preventing Burmese from using the Internet to get alternative sources of election information. Makes sense. Akamai’s theory is that the traffic they saw in the first quarter of this year was residual traffic from those massive attacks. But the truth is that no one knows.

More generally, it’s not good that Southeast Asia is now becoming this malware and DDOS capital. There are lots of reasons for it, which I’ll be exploring as part of a project in the months to come.

Full version of the Kaspersky report: DDoS attacks in Q2 2011 – Securelist

Facebook’s ‘Locality of Friendship’

This visualization by Facebook intern Paul Butler illustrates what he calls

the locality of friendship. I was interested in seeing how geography and political borders affected where people lived relative to their friends. I wanted a visualization that would show which cities had a lot of friendships between them.

It’s a magnificent effort and scores marks for beauty:

and for the amazing amount of data it carries within it.

Look at how the world of social media breaks down into clusters:

Europe is hard to subdivide: 

image

But Australia and New Zealand are almost three countries:

image

But of greatest interest to me is my own patch, Southeast Asia:

image

Indonesia, Malaysia and Singapore are, perhaps unsurprisingly, intimately connected:

image

North vs South

While the links between the southern half of the region and Thailand and Indochina are by comparison quite weak:

image

Philippines stands alone

But the links between the Philippines and Hong Kong appear as strong as those between the Philippines and the southern half of Southeast Asia:

image

The other point to take into account is how spread out Facebook is in Southeast Asia. Indonesia is about as densely packed as Italy or England.

Facebook is not a phenomenon limited to the country’s major cities (and this is true of the Philippines and Malaysia, of course.)

I’ll be updating my Facebook Asia Pacific data later this week.

(Thanks to the Guardian’s Simon Rogers.)

Singapore Details ‘Waves’ of Cyberattacks

Officials and delegates from APEC economies were targeted ahead of last year’s Singapore meeting with malware-laden emails faked so they appeared to have been sent by Singapore government officials on the Organising Committee.

Singapore officials have said the attacks were not the first on the country. Although Singapore regularly highlights threats to national security—including Islamic terrorism—the admission that it has been the victim of cyber attacks is, according to the Straits Times, its most detailed account.

Although it’s hard to read too much into the statements made to judge who may have been behind the attacks, it’s interesting that Singapore is drawing attention to this—not least because there’s bound to be speculation about just this point. The current flood of WikiLeaks cables about this very issue is a coincidence. But the description of the attacks fits a pattern familiar to security experts:

Between September and November 2009 APEC officials, and delegates of several APEC economies, were targeted with Trojan-laden emails “with the aim of infiltrating their computers and extracting privileged information.” There were at least seven waves of such attacks, focusing on members of the APEC organising committee and APEC delegates whose email addresses were published on websites or in APEC mailing lists. (APEC, Asia-Pacific Economic Cooperation, is a forum for 21 regional economies set up in 1989. Singapore hosted meetings throughout 2009 culminating in a leaders’ meeting in Singapore from November 14-15.)

The attacks were first mentioned in a speech by Ho Peng Kee, Senior Minister Of State For Law & Home Affairs, who told a seminar on Sept 28 that “Singapore has its fair share of cyber attacks.” More details were added in an internal but publicly accessible Ministry of Home Affairs magazine, the Home Team Journal, by Loh Phin Juay, head of the Singapore Infocomm Technology Security Authority, and reported in the Straits Times on Saturday, December 4. (The Straits Times called the perpetrators “cyberterrorists”.)

Loh wrote in the magazine article that “between 2004 and 2005, the Singapore government saw waves of Trojan email attacks which were commonly referred to as the Trojan Riler attacks.” The attacks came in four waves over a span of two years, he said, in the form of more than 900 emails targeting officials in several ministries.  

Loh Phin Juay said that the first two waves in the 2009 attacks used PowerPoint and PDF attachments to emails purportedly warning about possible terrorist attacks on the meeting. A subsequent wave included “legitimate information relevant to the APEC 2009 meetings”—in this case an invitation to an actual APEC symposium.

Some of the malicious emails “contained details of actual APEC events (date, time, venue) not known to the general public.” This suggests to me that either the first wave was successful in gaining access to some sensitive information, or, less likely, that those perpetrating the attack were already privy to it (raising the question why they didn’t use that information in the first wave.) Both officials said no significant disruption was caused by the APEC attack.

Singapore last year set up a special body, the Singapore Infocomm Technology Security Authority (SITSA), “to safeguard Singapore against infocomm technology (IT) security threats. SITSA will be the national specialist authority overseeing operational IT security. SITSA’s mission is to secure Singapore’s IT environment, especially vis-à-vis external threats to national security such as cyber-terrorism and cyber-espionage.”

Neither official speculates about the origin of the attacks. In his speech Ho Peng Kee referred separately to Operation Aurora, a cyber attack from mid 2009 to December 2009 on dozens of Western companies including Google, which alleged the attacks began in China. Loh Phin Juay referred in his article to GhostNet, a cyber espionage network which had its command and control network based in China and which penetrated government and embassy computers in a number of countries, including some in Southeast Asia. (Singapore was not mentioned in reports of the compromised computers.)

But he writes that “to date, the perpetrators of GhostNet remain unknown,” and neither man links the Singapore attacks to either event. The Trojan Riler was, according to Symantec, first discovered on September 8, 2004; it has been associated with corporate espionage but also the GhostNet attacks.

Facebook’s Asian Growth: Not Everywhere is North

I’ve seen some posts recently suggesting that Facebook is not doing well in Asia-Pacific. This, for example, from Forrester’s Reineke Reitsma:

For example, Facebook is struggling to gain ground in Asia Pacific:

With 58% of online adults accessing it, Orkut is the leading social platform in metropolitan India, while 27% of Japanese online adults use mixi; and in South Korea, Cyworld is most popular, attracting 63% of South Korean Internet users.

I won’t quarrel with her stats, but I’d suggest she’s missing a bigger picture: Facebook is growing at quite a clip in many Asian countries. My figures, based on Facebook data—which doesn’t include Japan and South Korea, admittedly–indicate that in 10 Asia-Pacific countries, Facebook membership has been growing at an average of nearly 9% per month for the past five months. That includes Australia, New Zealand, Indonesia, Singapore, Malaysia, Philippines, Thailand, Hong Kong, China and India.

By far the biggest growth is in Southeast Asia, with Indonesia growing at 14% per month, Thailand 15%, Malaysia 12% and Philippines 13%.

India is growing at a similar rate, but with a far smaller proportion of population: still less than 1%. Thailand is less than 5%, but 10% of Indonesians now have a Facebook account, as do 23% of Malaysians, 14% of Filipinos and 42% of Singaporeans. Only Hong Kong beats that, with 44% of the population having a Facebook account.

Hong Kong and Singapore join other developed economies at reaching a critical mass—Australia 38%, New Zealand 36%—where growth has understandably tapered off to 5% per month or less.

So while it may well be true that Facebook ain’t big in North Asia, it’d be a mistake to assume that’s true of the rest of the Asia-Pacific region. Facebook is still the one to watch, and showing consistent growth this year in all 10 countries I’m monitoring.

(This updates my post back in January on Facebook stats.)

Welcome to Setarbak

Not sure who to credit for this one. Let me know if it’s you. 

Not sure where this originates, but it’s doing the rounds. A terrible example of Indonesia’s rampant property rights abuse, or a reflection of Indonesian-ness? (For non-Bahasa speakers, just say the first word quickly. The second means coffee, not, in this case, copy. Although that would have been more apt.)

(This guy has a picture of the same stall, which he says is in Malaysia.)

Actually Starbucks has branches elsewhere. Like this one in Aceh from a couple of years ago:

Radio 68h

Bring your own Internet. The WiFi’s lousy.

ScaMS

F-Secure are calling these things SMS phishing (sometimes called smishing, unfortunately), but really they are more like Nigerian email scams delivered via SMS, which isn’t quite the same. The scam is basically this: send an SMS saying the recipient has won the lottery, have them call the scammer, and the scammer tricks them into giving their account details, or persuades the victim to transfer money to another account.

These things have been going on for a while in Indonesia (which is where F-Secure’s originated.) What’s interesting about F-Secure’s is that it’s targeted at Malaysians, indicating that some Indonesians are beginning to use their shared language to export their scamming skills.

clipped from www.f-secure.com

From the phone numbers that we got from the SMS, we know that they belong to the Indonesian mobile network Indosat and therefore the phisher is located somewhere in Indonesia. This was further confirmed when the phisher spoke to us in Malay with a clearly Indonesian accent.

The Tilted Software Piracy Debate

Software piracy is a tricky topic that requires some skepticism on the part of the reporter, though the media rarely show signs of that in their coverage. Here’s another example from last week’s Microsoft press conference in Indonesia, one of the prime culprits when it comes to counterfeit software:

JAKARTA (AFP) – Software piracy is costing the Indonesian economy billions of dollars each year and is stymieing the creation of a local information technology industry, a Microsoft representative said.

There is some truth to these statements, but it’s not really what Microsoft is interested in. First off, is it really the Indonesian economy that’s suffering because of piracy? One could argue the Indonesian economy is largely built on pirated software, as a kind of subsidy (like gasoline, which was until recently heavily subsidized.)

Secondly, when did Microsoft ever support the creation of a “local information technology industry”? That’s not their job — and I don’t blame them — but why hide behind this kind of argument? (Interestingly, there’s a lively Linux development community in Indonesia, but I’m not sure that’s what Microsoft is talking about here).

Some 87 percent of computer software on the market in Indonesia in 2005 was pirated, Microsoft Indonesia’s Irwan Tirtariyadi said citing a study from the Business Software Alliance, an organisation representing manufacturers.

That’s probably about right. It’s huge. It’s hard to find a company that doesn’t use pirated software. You can buy pretty much every program ever written, and I don’t know of a single person who uses a computer and who doesn’t buy pirated software. This is not to condone it, but I also only know of about half a dozen shops in a city of 12 million people which actually sell legal software. And forget buying online: Most companies won’t ship to Indonesia.

Lax law enforcement and widespread corruption contributed to Indonesia clocking in with the fifth highest rate of software counterfeiting in the world, he said, after Vietnam, Ukraine, China and Zimbabwe. “I’ve heard when police come to a shop (selling pirated software) it is closed. Basically information is leaking and this is an indication of the quality of law enforcement in action,” Tirtariyadi said.

This is part of the problem, it’s true. The malls are full of shops openly selling pirated software, often on the ground floor near the entrance, with policemen patrolling by. When a raid is planned, everyone knows about it, the shops quietly shut, cover their wares in tarpaulins and keep their heads down for a day or two. (Sometimes it’s hard to tell whether the imminent raid is from the police or some Islamic group cracking down on the counterfeit DVD stores, which often sell software too.)

Tirtariyadi told a gathering of foreign reporters that if piracy dropped by just 10 percent, it would add 3.4 billion dollars to the economy, according to figures cited by the International Data Corporation.

Could someone please explain to me how that figure came about? To me it sounds suspiciously as if the argument is based on a false premise: That everyone who buys pirate software would pay full price for legitimate software if there was no alternative. Let me think about that: $3 for brand new software — often a collection of software — against $50–500 for the same thing, in a country where half the population earn less than $2 a day. I don’t think so.

Counterfeiting also inhibited an “inventive culture” and the development of a strong local information technology (IT) industry here, he said. “Some students like to create new software but three months later they find it’s pirated,” he said.

True, there is definitely an inhibiting factor. I wrote a year or so ago about a guy developing a machine translation program which wasn’t bad, but which required him to spend at least half his time developing anti-piracy features in the software. But I still think this is a disingenuous argument. Let’s face it: Microsoft (and Adobe, and all the other BSA big boys) are mainly interested in quashing piracy of their products and building up their market share; I don’t see much sign of Microsoft actually nurturing this “local IT industry”.

Indonesia, Southeast Asia’s largest economy, has less than 100 IT companies, whereas neighboring Singapore, with a far lower rate of piracy, has between 400 to 800 such companies, he added.

This is not a useful comparison. Singapore is a highly developed country and one of the world’s technology hubs. Though, interestingly, it’s not really a locally creative industry, with the exception of a couple of big names.

All this makes me realise that Microsoft et al still don’t get it. Piracy is massive; they’re right. But you don’t deal with it by sponsoring misleading press conferences and well-telegraphed police raids.