Time to celebrate! 1 year of yellowcapped blogs - Q&A blog
Ladies and gentlemen, we made it! It has officially been a year since I started this blog and it is also 6 months of me being in Japan. So, to celebrate this moment, I thought I would do a blog to mark it down. The only problem with that is what topic would I do for a celebration blog?
Ladies and gentlemen, we made it! It has officially been a year since I started this blog and it is also 6 months of me being in Japan. So, to celebrate this moment, I thought I would do a blog to mark it down. The only problem with that is what topic would I do for a celebration blog? Life in Japan? Well, that would be a shortlist like: Blossom, rain, rain, too hot, oh and work. Okay, I'm selling it a bit short but I think you get the point, work has taken up most of my time lately and the weather hasn't helped either. Although don't worry, there are plenty more blogs on their way so what do I talk about then? Well, how about a Q&A?
Now I have tried to do a Q&A before via a google form in past blogs but I never got any questions and ended up just leaving it on the back burners. But with the idea of doing a Q&A stuck in my head again, I decided to try again although this time I asked Twitter directly and I got results! Time for a quick thank you to AtomicNicos, Mrs_Skelli, BushidoToken, Binarysleeper, SU1PHR, and juan_spinel. And finally, the main event, question time!
juan_spinel Q: Biggest culture shock you've noticed within your work?
A: So, I have a bit of a conundrum with this question, I know what Juan is asking about but the thing is... I work for a British company. Well, we call it a British-Japanese company but the work environment I am in isn't anything new so therefore I haven't had my socks blown off.
Although that doesn't mean I don't have an answer for Juan. So, drumroll please…. Business cards!
Why is a small piece of card a “culture shock”? Well in Japan, they are incredibly important to the Japanese work environment. In Japan, it is said that a business card (meishi) is an extension (or the face) of the person who gave it to you. If there is a requirement that must be filled whenever you are doing business with the Japanese, it is having business cards and knowing how to handle them correctly. Now if you don’t believe me then a good sign of how important it is, is the fact that there is basically a ritual of exchanging business cards. And like many ceremonies in Japan, there is even a hierarchal order to follow that governs business card exchange based on rank/position and age. If there is one way to kill a business deal in Japan, it is disrespecting the culture of business cards because knowing how to handle a business card when giving and receiving one can keep you from losing the race before it even stops. So, what is the process?
- Try to prepare the number of cards you will be exchanging. Most people will tell you that you need to prepare them in advance which is the right thing to do but isn’t easy to do. Because it’s hard to know exactly how many will be there in the meeting so your best bet is to have about 20 or so in your business card holder and then when you reach the meeting, take out the required number. Now there is a reason why I said business card holder, a lot of people would say taking your business cards out of your wallet or pocket is rude. But my trick is taking them out of my wallet before the meeting!
- Now it’s time to begin the ritual, firstly make sure that the card is facing the person to who you are giving it to so they can read it when they receive it.
- Then slightly bow and give a short introduction of who you are while presenting your card with both hands holding the top corners while making sure you aren’t covering any part of the card like logo or name.
- Now to exchange, use your right hand to pass your card while receiving their card with your left hand. Now if it’s one person who is giving the card then they pass with both hands and the other person receives it with both hands.
- Time to score bonus points, actually read their card! This stage is where a lot of foreigners either skip the stage or mess it all up. Now the way you mess it up is by putting it away in your pocket or your business cardholder. Remember a business card in Japanese society is seen to be like the face of the person, you wouldn’t put someone’s face in your pocket, especially as most pockets are near specific places of the human body… I think you now understand why people mess it up. But you can get away with just scanning the card and then putting it down in front of your seat as that is the next step but carefully admiring and inspecting it will cash in a load of bonus points for you as this is when you show respect to the person who gave you the card. Plus it is a chance for you to learn their name and position!
- So, you have done all the exchanges and you haven’t screwed up by putting the cards away in your pocket or cardholder, what’s next? Well as I said in the 5th step, you put them down in front of where you are sitting. Make sure to arrange the cards in the seating order of the meeting as it makes it so much easier to remember the names of who is who! Now you leave them on display until you must leave the meeting or it has ended which is when you carefully pick them up and put them in your business cardholder.
- Is there anything you should avoid doing?
A. Not having business cards at all is the first thing. (Unless you are shopping as a consumer of a store/shop then it’s okay not to exchange your business card too).
B. Not being able to handle a business card correctly.
C. Putting it away after receiving it especially putting it away in your pockets.
D. Writing on them – unless they have told you that there is a writing space on it but I would just recommend not writing on them at all.
And there we go, one of the few things I will never forget when it comes to Japan and its culture!
SU1PHR Q: What is the biggest difference in terms of infosec practices that you've noticed in Japan?
A: Then again, it is a similar situation to Juan's question, but there are a few things I have noticed. The biggest difference isn't that unique when you think about it but misconfiguration is a big problem in Japan. It's the concept of "Do we have this? Yes. Have we configured it correctly? No". I have heard a couple of stories that goes along the lines of the C-Suites asking IT if they have the recent high tech cybersecurity measures. If they don't then here's a nice cheque for them. To be fair, this isn't a first in Japan as it is a common practice as such, for example, Stand Up Paddling Boarding (SUP), one of my past SUP instructors has gone out with me many times over the years during my visits to Japan and a common thing we see is a Japanese SUPer decked out in the latest gear and equipped with the latest paddle and board but they have no technique and probably will end up harming themselves from overstretching...
But why don't the IT staff just configure the new measures the company buy? Well, two reasons: not enough time and not being skilled enough. These reasons are interconnected but the concept behind the reasons is these IT personals are the usual IT team you would be able to find in most companies nowadays. Therefore, most of the team aren't trained/specialised in cybersecurity to the degree required to configure the measures to the required level to be counted as secure. So why don't they train some of the IT staff on how to configure these measures. Well, training requires time so it can have a major cost to the team. Well surely someone is going to be trained to the level required eventually? Yes but.... then the problem of “Hey, we got this new tech that we need you to learn how to use while configuring past tech and management want you to connect one of the security measures to the SOC (Security Operation Center) as well” comes up. Hopefully, you are getting the image now. Plus, when you are adding in the fact that Japan has a shortage of specialised IT/computing professionals, the problem just starts to snowball down the hill.
Binarysleeper Q: What thing (object/product/service/cultural aspect etc.) from Japan would you miss most if you had to return to the UK?
A: This answer is a bit vague but I would say convenience. Now hear me out, there are many things that I miss about Japan whenever I return from visiting but when it comes to Japan vs the UK, the difference in the convenience of doing things like using public transport is a cut above the rest. Now not everyone who reads these blogs is from the UK or have visited Japan so let me use some examples to demonstrate the difference.
Public transport (e.g., trains): I would bet a fiver that most of you have seen/heard the stories of trains in Japan leaving the station 10-20 seconds early and that it makes national news in Japan. Now if we compare it with the UK, I have ended up waiting up to an hour for trains to arrive after their scheduled arrival time. But why is this convenient? Well apart from not being late all the time because of the trains, it’s just reassuring to know that I will be on time if I walk at the average walking speed (Although I walk quite quickly most of the time). Now the benefit of that is I can give people a spot-on ETA with very little worry of being late. Now, this is quite important in Japan as most things are scheduled perfectly, especially in Tokyo where the city is like a machine; each person, car, train, bus, etc are a clog in it so time is valuable as all it takes is a small delay and the machine of Tokyo starts to crash (which is one of the inconveniences of Tokyo).
Vending machines: When I think of vending machines in the UK, I think of the ones hidden away in the dark corners of gyms or down the quiet corridors of my university but in Japan, they are everywhere, well there should be one every 12m. Now that is obvious convenience if you ever need a drink on the go but the other convenience, in my opinion, is it means you have a wide selection of drinks every 12m plus sometimes you will find a group of vending machines so you will have a large selection of drinks to choose from. Unlike in the UK where most people must go to a convenience store or buy a weird sport’s drink. Although the UK does have one advantage, there is a good percentage of snack/sweet vending machines in the UK. Now I am not saying Japan doesn’t have vending machines like that but they are less common and you have a 2/20 chance of finding a snack vending machine, a 3/20 chance of finding an ice cream vending machine, a 15/20 chance of finding a drink vending machine. But what if you are really hungry and can’t find a snack vending machine? Well, this is where Japanese convenience stores take the main stage.
Convenience stores: If I was honest with myself, the co-op is the only good convenience store for more than just snacks. But when compared to Japan’s range of convenience stores, you realise why Japan is famous for its convenience stores: Family Mart, 7-Eleven and Lawsons. The best way of understanding why Japanese convenience stores are seen as one of the best is imagining a supermarket that is your post office, pharmacist, bank, and much more which is then shrunk into a size of a co-op… that is your standard Japanese convenience store.
Now you could argue that the co-op is a “mini-supermarket” which is at a similar standard to your standard Family Mart but there is one thing that helps Japanese convenience stores reach the next level… clothes, specifically office wear.
Let’s say you spill soya sauce on your work shirt and you have a meeting in an hour, what are you going to do? Well in the UK, you either would have to find a clothing store and buy another one or go back home to get a new one and hope you aren’t late. But in Japan, you could in a decently sized Family Mart, walk to the second row and buy everything you might need in terms of office wear apart from a suit jacket and shoes.
Now some of the really small stores might not have a clothing section but like the vending machines in Japan, convenience stores are EVERYWHERE. And I mean it, in walking distance of 10 minutes from my apartment is 10 convenience stores ranging from mini ones to your standard co-op sized ones. And on the note of convenience stores, something else that helps them reach their famous status is their food is actually good for convenience stores but I am going to stop myself from writing any more about them or I will end up writing a whole blog about convenience stores within this blog.
There are a couple more reasons why convenience in Japan is God tier but I will leave those for another time.
BushidoToken Q: Japan has been attacked by APTs such as Lazarus, Kimsuky, BlackTech, Tick, APT10, DarkHotel, and other state-sponsored adversaries. Should Japan consider hacking back?
A: The funny thing is I recently had a conversation about this exact topic with someone over ramen. So, what's my answer? Well, I think it would be best to answer another question first, can Japan hack back? On paper, it is definitely possible but to be honest, anyone with a computer and the knowledge on how to hack, can attempt to hack back. So, the question I should be answering first is, “is Japan's ability to hack back good enough?” The answer to that question depends on who you ask but, in my opinion, I would say not yet. So, to answer the question, based on what I know, seen and heard, Japan probably won’t be considering hacking back for a while. But why, you might wonder?
Well, firstly quite a few Japanese companies are still in a similar position as they were 4-5 years ago while most are playing catch up against the rest of the world. But why are Japanese companies in this position? Well, it all starts with a bit of history, World War 2 history to be exact. After the war, the constitution of Japan was formed and came into effect on 3rd May 1947, a big part of this constitution was Article 9 which was written by the American officials who occupied Japan at the time. But what's so special about this specific article and why does it apply to hacking?
"Aspiring sincerely to an international peace based on order, the Japanese people forever renounce war as a sovereign right of the nation and the threat or use of force as means of settling international disputes. In order to accomplish the aim of the preceding paragraph, land, sea and air forces, as well as other war potential, will never be maintained. The right of belligerency of the state will not be recognized." — Article 9, The Constitution of Japan (1947)
This single article has had a massive impact on how Japan deals with international matters that have been knocking on its door. To put the article into layman terms, Japan has no right to declare war and is not allowed to maintain any capability that would allow it to wage war. Now things have changed slightly since then with the "U.S.-Japan Security Treaty" which allows Japan to maintain a defence capability like the self-defence force. But Japan still can't maintain any offensive capabilities which offensive hacking does fall under. Because of that, a lot of Japanese companies have hesitated when it comes to having red teams even for defence. As they are worried about losing face due to either public/consumer disgust or the government seeing it as possible misconduct. Now there have been many conversations around Article 9 but nothing has ever changed to it since it was originally formed. So okay, domestically Japanese companies have been hesitant about red teaming but domestic red teaming doesn’t exactly have "war potential". What about national-level red teaming? This is Japan, if you have ever heard me talking about the whole scene, you know that Japan is seen to be 1 step behind in terms of its cybersecurity measures. But when it comes to red teaming, I think it would be better to say they are 2 to 3 steps behind the front runners of the UK and USA.
Although Japan has some luck on their side, there is a lot of tension and politics around attacking Japan in terms of China and Russia targeting them and if any major attack occurred then Japan's allies could step in to help e.g. United States-Japan Alliance. So, the ultimate answer to the question "should Japan consider hacking back?" is Japan shouldn't consider hacking back right now.
I probably overexplained this answer but hey, it's time to have some fun with BushidoToken's bonus question.
BushidoToken Bonus Q: What moniker would you give a Japanese APT?
A: I have two answers to this question, a serious/professional moniker (nickname) and a fun one! So I'm a fan of the Crowdstrike naming cryptonym which uses animals (Or mythical creatures) to categorize where the threat actors are from or their intentions if they aren't state-sponsored. So what animal do you think of when you think of Japan...?
Now when I ask people this question, most answer with dragons, to be honest, that would work. BUT they usually agree that it also reminds them of china and this is where dragons have been removed from my list because the next question I ask people who say dragons is what kind of dragon? There are many stories of dragons from around the world and all of them are different, but what I find is 99% of the time, people are thinking of Chinese dragons.
Now they are very similar to Japanese dragons and they have been interchangeable with each other over the years but that's what crossed them off my list. Okay, what about Japan's national animal? Like we use pandas to categories the Chinese APTs so that would be another great starting point. Well, Japan doesn't really have a national animal as such but most sources would say unofficially the national animal is... a pheasant.
Yes, I said pheasant, the green pheasant is the unofficial national animal of Japan and is the official bird of Japan. The only other candidate is the national fish which everyone should know, the Koi! But they aren't scary enough, apart from when you're standing at the edge of a pond where 100+ koi are staring back at you while opening and closing their mouths!
Maybe, I am asking the wrong question? Maybe, I should ask what Japanese animal is intimidating enough to name an APT with? Well apart from bears, the only thing that came to mind was Yōkai which are Japanese spirits. But unless you are big into anime or Japanese culture, most people don't know what Yōkai is. Plus there are many kinds of Yōkai so it doesn't really work. When I was thinking of an answer to this question, I was on my way to my local Sega and as I was waiting to cross the road, I saw the first answer to this question.
What I saw was a statue of a tanuki, to be exact the mythical version of a tanuki. For those who aren't sure what a tanuki is, it is a raccoon-like canid which is why it is also known as the Japanese raccoon dog.
So how did one of the most common statues in Japan lead to me picking the tanuki as a nickname for a Japanese APT? Well, it turns out that the tanuki is quite significant in Japanese folklore as they are known for being mischievous and jolly, masters of disguise and shapeshifting.
Now I am going to do a blog on Japanese mythology soon so I won't go into too much detail but there is one story that comes to mind that I want to tell you about. The story goes that in 1795, it was believed that a tanuki had shapeshifted into a samurai and made its way into a Nagasaki brothel where it proceeded to take full advantage of all the services on offer. He was later discovered after falling asleep and was forcibly removed from the building. What the humans then found at the end of the day was that all the money the tanuki had used inside the brothel turned into dried leaves after he had left the site. This story reminds me of social engineering and to be honest when I talk to people who aren't in the infosec world about cybercriminals, their opinions of them are they are just trouble and are playing tricks on them to make them do things, just like the mythological version of the tanuki.
Now tanuki is my fun answer as such so now for a non-animal nickname and don't worry, this answer is quite quick. When looking at threat groups like Cozy Bear or Stone Panda, they usually have a couple of other names like the Dukes or menuPass, so I wanted to suggest one for a possible Japanese APT. My answer is kuromaku (黒幕) which literally translates to black curtain and is related to Kabuki (a classical form of Japanese dance-drama) as a black curtain is used to hide the operations that are being conducted on the stage (e.g., change of scenes). Therefore, kuromaku is used as a Yakuza slang as it also means "a person who has influence behind the curtain" or in more general terms "a person who has real power". I just felt like this was an interesting nickname and I was struggling to come up with a good ninja-themed nickname. Although I might try again soon but will do it with specific sectors/targets in mind.
AtomicNicos Q: What is the square root of a tomato?
A: I think this graphic provides my answer to this question:
AtomicNicos Q: How bad is the cybersec sphere in Japan?
A: Here's my answer:
To be fair to the Japanese, the scene out here in Japan is slowly improving. During my time out here, I have seen quite a big drive by organisations in all sectors to improve their general standard of cybersecurity and with the increase in ransomware attacks, Japan is starting to wake up to the horrors that have been knocking on its door for a long time.
Although the problem is the public is still unaware of the cyber threats, and I can't really blame them with the Olympics and COVID being the main topics in the news around the world! But it is still going to be a nasty shock for them when all the dust from COVID and the Olympics settles. And for anyone who is wondering if there were any cyber attacks during the Olympics opening weekend, the answer is yes but are they anything to do with the Olympics? Not exactly, most of the attacks used the Olympics as a distraction.
AtomicNicos Q: Are hackerspaces a thing there?
A: There are a few hackerspaces out in Japan, especially in Tokyo. Unfortunately, almost all of them have closed due to being inactive or COVID. And because of that, I haven't been able to visit any of these spaces. But the main two that are recognised as "hacker groups" are Tokyo 2600 or Tokyo Hackerspace.
A decade ago, the computing scene was much bigger and more populated so therefore there were a lot more groups as Street Computing was incredibly popular due to the introduction of high-speed wireless Internet environments in public spaces and inexpensive/light laptops. Its popularity grew in places like Akihabara that is known for internet/maid cafe culture as "tribes" of people started to form. One common trait of street computing was the "Koike style" posture where individuals would be standing with their laptops resting on their upper thighs to make using a laptop more comfortable.
Now you could say street computing was the early form of the hacker groups in Japan but unfortunately, its popularity didn't pass onto the future generations and all that is left is a small number of hackerspaces in the whole of Japan.
Mrs_Skelli Q: What was the hardest part about moving to Japan?
A: Most of the things that people struggle with when moving to Japan haven't affected me so much. The main reason for that is I have been visiting Japan for the past 4 years (I nearly have spent 5% of my life in Japan which for someone as young as me is quite a bit)! So what is the hardest part for me? After a long time reflecting on this question, the hardest part about moving to Japan for me is understanding what the Japanese are trying to communicate to me.
A bit of an odd answer to be fair but I think the best way to showcase why is by going through the other things that people struggle with and why they aren’t my answer instead:
Eating/allergies - When it comes to people moving to Japan, the food is a big bonus in many people's eyes as it is usually always good quality food wherever you go in Japan. But when it comes to food allergies in Japan, they aren't that helpful with helping people with allergies in the form of ingredients lists, warnings, etc. Although, I got around the problem of allergies like sesame seeds which is used as a common ingredient in Japan by doing something similar to trial and error. Over the past few years, I have built up a "database" of foods and places I can eat by picking somewhere or something that looks nice and then asking about sesame seeds and my other allergies. To help me to do that, I learned the sentence "No sesame seed" as a way to check for sesame seeds.
The language - As many of you may know, I don't know that much Japanese. Well, I would say I know enough to get me around Tokyo. Now arguably that isn't enough but I use hands gestures as well to assist me when I am trying to talk to someone in Japanese as hand gestures are quite a universal way to communicate things. The other trick I use is talking slowly, especially with English words. I’ve found that Japanese people find it easier to understand English words if I slowly say them.
Food shopping - This is one that no one really talks about at first but food shopping in Japan can be quite expensive, especially when it comes to fresh fruit/vegetables (I bet most of you have seen or heard about the ridiculously expensive melons, don't worry, I plan to do a blog on it!). The main reason for this is the cost of importing the food which puts a massive increase on the food. How do I get around it? Well, there are three things I do:
1. Buy vegetables and fruits that are in season, they usually are a lot cheaper and you can buy packs of them at once.
2. Watch out for sales, the Japanese love a good sale on anything (which makes sense as Japan's national hobby is shopping!).
3. Buy meat and fish. The cost of importing meat is a lot less than other foods most of the time plus with Japan still having a large fishing industry (which is dying, unfortunately), it means it is way cheaper to buy a steak or red snapper than a pack of sweetcorn for example.
But don't panic, I know some of my readers don't eat meat or fish but there is one "bonus" to the veg and fruit as such which is they are usually much better quality than most countries will have. (Maybe I will do a blog on being vegan in Japan as well?)
Apartments/Banks/Phone contracts - I decided to group this up because these don't really affect me as much as they should do. The hardest one to get is a bank account but let start with apartments, an apartment in Tokyo can be quite expensive and are usually in high demand so it can be quite a struggle to find one which is an okay price and available. But another struggle with apartments is the landlords/landladies, there have been many cases of letting contracts falling through due to the tenants being foreigners. The reason for this is the owners believe that foreigners pose a great risk of running away by leaving the country and not paying them. So many foreigners find it harder to rent a place due to that fear.
The struggle with phone contracts is more of a security/privacy struggle than anything because, in Japan, you must show your ID to get a SIM card and most of the time, they will record the ID that was used to purchase the SIM card. Therefore, it is harder to have a burner phone as the rule with SIM cards is one SIM card per one ID. The only way to get more is being a company that needs contracts for their phones to run and even then, you still have to prove you are a legitimate company and show them your ID. And bank accounts are a similar situation but with even more paperwork and lots of security checks!
Now there are many more struggles but why has "understanding what the Japanese are trying to communicate to me" been the hardest part of moving to Japan for me? Well as I said above in the language paragraph, I have tricks when it comes to talking to the Japanese but I find it's a different story when it comes to the Japanese communicating with me. I believe the main cause of this struggle is more and more Japanese people aren't travelling outside of Japan (and it is expected to increase due to the impact of Covid) and therefore they are less exposed to foreigners who may speak English or any other foreign language. So, they haven't had the reason to find ways to deal with the language barrier.
This might not seem that major but it's a minor inconvenience that can occur quite often. The most common example of it is when either I or the Japanese individual are trying to get the other's attention, usually by saying something like "sumimasen", which commonly leads to the Japanese individual thinking I understand Japanese and then goes on to continue the conversation in Japanese. What I found is these conversations last for 2 minutes before they realise, I haven't understood what they are talking about and then it turns into a guessing game. Luckily, this is when my tricks are their most useful but it still can be a long and sometimes difficult conversation.
Conclusion:
I never planned for this blog to be so long so thank you to anyone who got this far. I think the best way to sum up this blog is it is a pile of my thoughts thrown into a washing machine and then poured into a readable format.
So, it is time to say a big thank you to everyone reading this week's blog. In terms of the next blog, it will be the onsen blog which is quite easy to do as I've already prepared most of the content for it. So, until next week, arigatou gozaimasu and sayōnara!