About the Cyber Kill Chain

The Cyber Kill Chain introduced by Lockheed Martin is a cybersecurity model to describe, in general, how a computer intrusion (hacking) through IT network is carried out in 7 distinguished stages. It was developed based on military attack kind of thought.

Anyhow, there is no common SOP in cyber-attack, and hackers are not necessary following the Cyber Kill Chain of planning and action in their attacks.

This model is however useful to plan for cyber-defense strategy and measure, and also for cyber-threat analysis to a networked computer system.

The 7 stages in Cyber Kill Chain are:

• Reconnaissance - the victim is observed, analyzed and studied by the attacker.
• Weaponization - tools are developed or obtained to exploit the weaknesses found in the victim.
• Delivery - the "weapon" is deployed to the targeted victim.
• Exploitation - once the "weapon" is successfully deployed, it will start working by looking for vulnerabilities in the victim's computer system.
• Installation - at the stage, access is silently obtained by the "weapon". It will find it way to communicate to the attacker using the computer network. Normally, a backdoor is established to enable such linkage.
• Command and Control - remote access to the victim's computer system is made available to the attacker. The attacker can take over control of the compromized system and issue command to it.
• Actions on Objectives - with the control, the attacker is able to proceed with the objectives of the attack, such as data exfiltration, data destruction, data encryption for ransom, etc.

With reference to this model, the defending party can plan for countering the attack by the famous 4 Fs strategy, namely:

• Find the enemy
• Fix the enemy
• Fight the enemy
• Finish the enemy

Cryptography - the essential technique in today computing world

Cryptography is the method of converting plaintext information into non human-readable form called ciphertext through a process called encryption, and reverse process to convert the ciphertext back to original form called decryption.

Today, knowledge in cryptography is crucial for every computer programmers and computer engineers. It is applied in everywhere in the cyberspace and it is a sin of omission if not applied properly to provide cybersecurity protection in the areas of confidentiality, integrity, authentication, and non-repudiation.

Cryptography is the integral part of blockchains and crypto-currencies such as Bitcoin, Ethereum, etc. It is used to secure data transmission in WiFi communication, 4G LTE network, HTTPS web access, etc. It is also extensively used to secure file system in Apple iOS, Windows Bitlocker, SSD encryption, etc. It enables the implementation of digital signature.

Cryptography makes use of digital key(s) to perform the encryption and decryption process. There is one kind of cryptography called hashing which does not make use of any key, and the ciphertext is non-reversible to original information.

Keyless Cryptography (Hashing)
Hashing is a one way function that convert its input message into irreversible string of text called hash or digest, which normally has a length much shorter than the input message. The key concept of hashing is that the generated digest is unique to the input message, so that same input message will always generate the same digest, and different input message will not generate the same digest.

Hashing is commonly used:

• To store password for identity authentication
• To generate checksum or fingerprint to verify if the original information has not been tampered or changed
• In database and data storage for more efficient data searching
• In computer geometrics and computer graphics

Examples of hashing function are:

• MD5 (Message Digest 5) - designed to replace earlier version of MD2 and MD4. Still commonly used despite MD6 has been around to replace it.
• SHA-3 (Secure Hash Algorithm 3) - winner of the NIST hash function competition.  Commonly used in digital certificates. Supersedes earlier version of SHA-0, SHA-1 and SHA-2.
• BLAKE2 - Used in RAR compressed file checksum. Supersedes earlier version of BLAKE.

Symmetric Key Cryptography (Private Key Cryptography)
The same private key is used for message encryption and decryption.

It is commonly used in secured data transmission, such as SSH, WiFi with password, 4G LTE communication, etc.

Examples of symmetric key cryptography are:

• DES (Data Encryption Standard) - designed by IBM in 1970's. Modern supercomputer is able to decrypt DES encrypted information within just a few days. Still commonly used in smart cards, SIM cards, etc.
• 3DES (Triple DES) - more secure version of DES.
• IDEA (International Data Encryption Algorithm) - commonly used in Pretty Good Privacy (PGP) email signing and secured email transfer.
• ThreeFish - is the successor of Blowfish and TwoFish. Commonly used in SSH secured remote access.
• RC6 (Rivest cipher 6) - designed by RSA Security, patent just expired in 2017. Commonly used for secured data transmission and in bank ATM machines. Is the successor of RC2, RC4, RC5.
• AES (Advanced Encryption Standard) - commonly used by USA government and commercial sector to protect top secret documents.

Asymmetric Key Cryptography (Public Key Cryptography)
Consists of a key pair. The private key that should be kept secret with the owner, and the public key that needs to be known by others.

In the scenario of digital signing, the private key is used to sign the digital document, and the public key is used to verify the digital signature.

In the scenario of data encryption, the public key is used to encrypt the document to be sent to the private key owner, and the encrypted document can only be decrypted using the corresponding private key.

It is commonly used in Secure Socket Layer (SSL), Transport Layer Security (TLS), S/MIME, digital signature, blockchains and crypto-currencies.

Examples of asymmetric key cryptography are:

• RSA (Rivest-Shamir-Adleman) - named after its 3 designers. Patent expired in 2000. Compared with DSA, it is slower in digital signing and faster in verification.
• DSA (Digital Signature Algorithm) - patented but can be used royalty free. Commonly used in SSH and digital signature. Compared with RSA, it is faster in digital signing and slower in verification.
• ECC (Elliptic Curve Cryptography) - derived from DSA and based on Elliptic Curves theory. Commonly used in Bitcoin, Ethereum, iOS, etc.
• Diffie-Hellman - is used for public key exchange and not for digital signing or data encryption.

Is your organization still following the outdated password policy?

If you were told or forced to set up a so-called "strong password" which required to be determined as complex (must consist of combination of uppercase letters, lowercase letters, numbers, special characters, and so on...) just to safeguard your user account from password guessing, peeping, and/or brute-force attack, the policy is outdated and should be obsoleted as soon as possible.

If you were also told or forced to change your password periodically, let's say every month or so, that thinking also has been admitted by certain cybersecurity experts to be foolish and will not make your account more secured.

Indeed, it only serves to make your life more difficult, and makes your account much more vulnerable if you eventually did either one of the following attempts to help remembering your latest password:

• Write your latest password on Post-It notes or inside your diary book.
• Tape your password somewhere near your computer (similar way to what character Nolan Sorrento in movie Ready Player One did).
• Keep your password in a computer file (text, Word, Excel, ...), either password protected or not.
• Store it with your web browser's auto-complete feature.

Apparently, the outdated password policy that required complex password and frequent change was derived from a 2003 National Institute of Standards and Technology (NIST) report namely "NIST Special Publication 800-63. Appendix A."

Interestingly, it is also NIST who has overthrown its own password guidelines in its recent NIST Special Publication 800-63A report namely "Digital Identity Guidelines:  Enrollment and Identity Proofing Requirements." released in June 2017. You can download the complete report here for free.

The new report has made the following important suggestions:

• Verifier SHOULD NOT impose annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. They make most people remembering password by Post-It notes or computer file. It's better to allow people to use pass phrases.
• Verifier SHOULD NOT bother user with password expiration. That was an old idea for an old way we used computers. Only force a password change when there's indication of compromise.
• SHOULD use dual factor authentication (2FA). This is the proven to be the more robust and secure way.

Dual factor authentication adds an additional layer of security by requiring not only the password, but also another piece of information that only the account holder has or know. One of the most commonly used method for dual factor authentication is one-time-password (OTP) which could be  event-based (OTP is generated by triggering an event, such as a keypress, explained in RFC 4226) and/or time-based (OTP will keep on changing by time, explained in RFC 6238).

The account holder need to read the OTP from a token, and use it for successful account login. The token can be generated from a hardware device such as key fob, display card, USB authentication key, OCRA keypad, etc. It can also be generated and delivered to the account holder by software, in the form of SMS, email, mobile app display, push app notification, etc.

Note that the use of SMS or email for OTP is also outdated method which is vulnerable to trojan horse interceptions and/or malicious software crack-in. You can search the Internet for the following keywords to read more about how insecure to use SMS for OTP:

• ZeuS-in-the-Mobile (ZitMo)
• SpyEye-in-the-Mobile (SPITMO)
• Android.Bankosy

Besides, the OTP in SMS and email is very likely to be sent in plain text form, which subject to ISMS threats of interruption, interception, modification and fabrication along its way.

Therefore, all organizations should update their password policy for all users to be:

• Use pass phrases instead of password
• Use dual factor authentication with secure token (avoid using the outdated SMS or email method)

Google Chrome and Firefox will distrust websites with SSL/TLS certificate issued by Symantec / Verisign / Thawte / GeoTrust / RapidSSL

Web browsers Google Chrome (with 57.69% global market share as of March 2018) and Firebox (with 5.4% global market share as of March 2018) will start to distrust all the websites with SSL/TLS certificate issued by Symantec, Verisign, Thawte, GeoTrust and RapidSSL.

This means that soon in the near future, every time when you visit such websites using HTTPS protocol with Google Chrome, Firebox and possibly other web browsers which follow suit, the browser will give you a security warning before you can read their webpage.

Some of the affected popular websites including (but not limited to)...

 

In late 2017, DigiCert has acquired Symantec's Website Security and related PKI solutions which was the Certificate Authority for those affected Symantec, Verisign, Thawte, GeoTrust and RapidSSL SSL/TLS certificates.

Webmasters of all the affected websites can make arrangement with DigiCert to replace their SSL/TLS certificates with a new one issued by DigiCert, which is still trusted by Google Chrome and Firefox.

You can click here to read for more information about this issue.

How to enable using F8 during boot up to enter safe mode in Windows 10

Seasoned MS Windows users are very likely to have experience using F8 during computer boot up to enter into "safe mode" of the Windows operating system.

In many occasions, "safe mode" can save your day to enable you to fix something that is broken in the Windows system. Such occasions including but not limited to:

• Windows update has caused problem and instability to the system. 
• Problematic hardware device driver (normally arises after new driver update). 
• Incompatible screen resolution with the monitor causing blank screen or distorted display.
• Windows is infected by virus or malware that unable to be removed in "normal" mode.
• Problematic software/application that causes system crash (and unfortunately it autorun during Windows start up)
• Minor damage to Windows registry or system file due to improper power off.

You can keep on pressing the F8 key on your keyboard during boot up of Windows 7 to enter a boot up menu that include the "safe mode" boot up option. However, this F8 function is disabled by default in Windows 8 and Windows 10.

You can still reboot Windows into "safe mode" if you are able to boot into the login screen of Windows 8/10 and the login screen is still functioning properly. You just need to hold down the Shift key on your keyboard while clicking on the Power icon in the login screen and select the Restart option to reboot your computer.

You can also create a bootable Windows recovery USB drive that can be used to fix Windows problem.

If you want to enable using F8 during boot up to enter safe mode in Windows 8/10 as another rescue resort, here are the steps.

Step 1: Enter Command Prompt with Administrator's right

Click on the Magnifying Glass in Windows Quick Launch bar and search for "cmd".

You should be able to find "Command Prompt". Right click on it, and select "Run as administrator". This will open the Command Prompt window with Administrator's right.


Step 2: Change the Boot Menu Policy to Legacy

In the Command Prompt, type the following command and press .

bcdedit /set {default} bootmenupolicy legacy

This command edits the boot configuration data (BCD) to bring back the F8 safe mode function.

Upon successful execution, you will see the message "The operation completed successfully". You are done!


Step 3: Testing

Now, restart your Windows and test your F8 key. It should be able to call out the following Advanced Boot Options menu.

If for any reason you want to roll back and disable F8 during boot up, you can use the instruction in Step 1 to enter Command Prompt with Administrator's right again, and issue the following command instead:

bcdedit /set {default} bootmenupolicy standard

A family visit to Sewing World Gallery @ Sky Park One City Mall

In the older generation not too long ago, sewing machine had been a common item found in many household. At that time, sewing (and perhaps knitting, too) was an essential skill learnt by most housewives.

Then, sewing machine had been unconsciously become lesser and lesser seen in household nowadays. It prone to become industrial item found in clothes and fashion factories.

Meanwhile, the Mostwell Group which is the sole distributor of Janome sewing machines in Malaysia has been endeavoring to bring back the continuation of sewing arts and crafts into today's households by organizing numerous events, trainings and programmes to teach everybody from age 7 onwards who are interested to learn about sewing to master the skill.

The Sewing World Gallery located at 1st floor of Sky Park @ One City Mall with close proximity to the LDP USJ toll (accessible via a junction near to Shell petrol station) is an over 10,000 square feet gallery showcasing many sewing products made by their students. There, you will open your eye to realize that sewing is indeed a kind of arts and crafts similar to drawing, calligraphy, pottery, painting, etc.

 

Entrance to the Sewing World Gallery is free of charge. Inside the gallery there is also a small museum of sewing machines and tools, a small auditorium, and a classroom for interested parties to sign up for their sewing classes.

Sewing inspires creativity. They show you how old jeans can be transformed into new life as cushions, handbags, and other creative items.

There are also interested stuffed toys, some of which are as big in size as a human.

Inside the gallery, you can also find the largest bag in the world recorded in Guinness World Records which is as large as a garage.

There is also the largest display of handmade fabric flowers recorded in Guinness World Records, showcasing 99 names of Allah (known as Asma'ul Husna).

The Sewing World Gallery is really a nice educational place to spend your leisure time with your family and friend. If I am not mistaken, it is the first and only gallery of its kind in Asia.

My Ooree 8 inch USB table fan (UF108)

If you need a small table fan at your workplace or study desk, or you tend to work with your laptop at outdoor café and nice to have some cooling breeze, perhaps you can consider this Ooree UF108 8 inch USB table fan.

This USB table fan is good enough to generate breezing wind that you can feel within 1 meter in front of it, yet its size (8 inch diameter end-to-end) and weight (416 gram) are also good enough for it to be portable.

It is powered by USB source, which can be the USB port of your laptop / desktop / monitor, or the USB charging port of your power bank / charging adapter. By powering it with a mobile electricity source such as  power bank, you can use it anytime and anywhere, such as during camping, during electricity blackout, etc. The fan has a low power consumption of around 2.5W only.

Its 1.2 meter USB cable is detachable. It has an on/off switch behind too.

It will have some noise of fan rotating during operation, but overall still considered pretty quiet.

Note that the 8 inch as advertised is the diameter of its metal frame. The diameter of its fan blade is around 5.5 inch only. Its build is pretty solid, despite its packaging box is hollow inside (without any foam or paper support) which does not provide much protection to the fan during delivery.

As you can see, its packaging box deformed during the courier process, which is the main complaint I have with this product. Luckily the fan is not too fragile and still in good condition during unboxing.

Its price is quite reasonable. If you search around carefully, you can find online seller selling it at less than RM20, despite most of the sellers are putting a price tag of RM30-RM40 to it.

There is another model UF110 which is 10 inch and with double speed control, selling at a higher price. If you need stronger wind, you can probably look into the UF110 model.

My Cashido 10 second ozone anti-bacterial water-treatment machine

Ozone has been used over the past 150++ years for water treatment since its discovery by a German-Swiss chemist called Christian Friedrich Schönbein.

A brief history of ozone usage in water treatment is as below:

• 1886: The ability of ozone to disinfect polluted water is recognized in Europe.
• 1891: Test results from Germany show that ozone is effective against bacteria.
• 1893: The Netherlands started to use ozone in large scale as disinfectant in drinking water.
• 1906: France city Nice commissioned first municipal ozone plant for drinking water.
• 1909: Ozone is used as a food preservative for cold storage of meats.
• 1915: Ozone is widely used in Europe with at least 49 major installations throughout the region.
• 1939: Ozone is found to be able to prevent the growth of yeast and mold during the storage of fruits.
• 1965: Scotland employs ozone for colour control in surface water.
• 1970: French exploited the use of ozone in algae control.

Today, Ozone is known to be a very strong oxidizing reagent which able to effectively:

• Kill bacteria and viruses.
• Remove 75% of pesticides.
• Remove bad smell (such as fish-smell, smoke odour, etc.)
• Remove colour formed by organic compound.
• Keep food fresh.
• Settle down heavy metals in water for easier filtration.

Its effectiveness is well supported by academic researches. To name a few of them:

 

 

However, Ozone in gas form, when inhaled into our lung, is harmful to human health. The following bodies have specified the safety level of maximum concentration of ozone permissible in occupied space:

• FDA: 0.05 ppm
• ASHRAE: 0.05 ppm
• EPA: 0.08 ppm
• OSHA: 0.10 ppm

My Cashido 10 second ozone anti-bacterial water-treatment machine is an electronic device that can generate ozone almost instantly and mix it with normal tap water to form ozonized water. Its operation is claimed to release less than 0.01 ppm ozone into the air, which is well controlled below the permissible level.

The ozone gas generated is directly transmitted via a soft silica tube to its ozone mixer installed at the water outlet of faucet. Therefore, very minimal amount of ozone gas is released into the air during its operation.

This machine has additional safety measures to prevent excessive ozone from being released into the air:

• It only start producing ozone when it has detected water flow at the faucet. It will immediately stop working once the water flow stopped, or it detected the water is just dripping instead of flowing.
• It will auto cut-off itself after 10 minutes of continuous operation, even if the water is still flowing.
• It has 2 LEDs. The red LED will turn on when it is connected with electric power, even when it is in standby mode. The blue LED will turn on whenever it is generating ozone to be mixed with the water, and will turn off when no ozone is generated.

With the ozone in the ozonized water made by this machine, we can use the water to:

• Wash our hands, face, legs and other body parts. (The machine can be installed for shower too)
• Rinse our mouth and teeth.
• Bath our pet(s).
• Wash fruits, vegetables and meats (before refrigerator storage and/or before cooking).
• Wash kitchen utensil, cups, bottles, baby products, toys, clothes, etc.
• Clean the floor, table, kitchen, bathroom, toilet, etc.
• Sanitize dentures, contact lens, etc.
• Wash and sanitize pimples, surface wound, insect bites, etc.

This Cashido machine is called 10 second machine because the generated ozonized water only needs as short as 10 seconds to complete its function to oxidize, disinfect, deodourize and decompose pesticides & harmful materials of the target object you are washing or cleaning with it. If the contact is less than 10 seconds, then the washing/cleaning is considered partial, with some left out remains untreated.

Note that the ozone in the water has a short half-life of 20 minutes and will eventually disappear from the water (released as oxygen), leaving no residue in the water.

Therefore, ozonized water cannot be stored as it will soon lost its effect in disinfection of bacteria and viruses, pesticides removal, bad smell removal, etc. due to its short half-life period. It needs to be generated on the spot when use.

With this Cashido 10 second ozone anti-bacterial water-treatment machine, we can expect a more hygiene living environment, healthier & fresher food, and better health (by eliminating as well as preventing bad breath, body odour, Athlete's foot, skin problems, etc.).

High endurance microSD card suitable for use in car dashcam

If you have a car dashcam, you will need to install a microSD card in it to store its video recording and emergency photo taking.

Even though certain dashcams come with some amount of internal memory, the storage capacity of this internal memory just won't be enough, and you probably would not like to give your whole dashcam (instead of the microSD card only) as evidence for investigation in case it really captured some critical event that happened to your car.

Most people found that the microSD card installed in their dashcam is unable to last long and will be unusable within a few months of usage. Most memory card manufacturers also exclude warranty if they found out the memory card is used in dashcam. Why? Because ordinary memory cards are not designed to be used in tough working conditions in your dashcam.

What kind of tough working conditions for the memory card to work in your dashcam, which installed right behind your car windscreen?

• It will need to be able to endure the sunlight heat entering and developed in the car. At noon, when your car is parked in uncovered place, its cabin temperature can easily go above 35 degree Celsius (if you installed good window tint with high TSER value) , and can possibly go beyond 65 degree Celsius if your car is non-tinted and stays for long hours under hot sunlight.
• It will need to have high number of rewrite cycles for its lifespan. As you might aware, the electronic storage cells in the memory card has limited times of data rewrite. That is also the reason whereby disk defragmenting is highly discouraged for SSD hard disk as massive data rewrite will shorten its lifespan. Whenever your dashcam is working, it will keep on recording videos into your microSD card. If you are recording 1080p videos, it just takes a few hours to completely used up a 32 GB microSD card. When the microSD card is used up, older videos will be overwritten by new records, and the rewriting will occur.

Other than the above 2 essential conditions, the memory card used in your dashcam should also meet the following conditions:

• Shock and vibration proof - if it got damaged while writing data during accident shock, you will have difficulty retrieving what it had recorded.
• Water proof - what if the accident caused it to immerse in water?
• Class 10 - this is the minimum read/write speed required to smoothly record 1080p full HD video.

By the way, certain memory card manufacturers also include the following conditions, which I consider as "marketing gimmick" as it should be true for all flash memory cards:

• Magnetic proof - metal detector used for security scanning could induce magnetic field. Don't worry, only magnetic hard disk will be endangered by magnet. Flash memory should immune to magnet by nature. So, nothing to shout about.
• X-ray proof - x-ray is used for security scanning in airports. Flash memory should immune to X-ray as well. Nothing to shout about either.

Therefore, you need high endurance microSD card that can fulfil all of the above conditions to work in your car dashcam, to last for at least 24 months of operations, or a minimum of 5,000 hours of continuous 1080p full HD video recording.

The high endurance microSD card should have an operating temperature range of around -25ºC to 85 ºC and storage temperature range of around -40ºC to 85ºC.

Some of the available high endurance microSD cards in the market include:

• Sandisk high endurance video monitoring card
• Transcend high endurance MLC microSD card
• Silicon Power high endurance MLC microSD card
• Kingston Industrial Temperature microSD UHS-I
• Adata Premier Pro microSD UHS-I

The price of this kind of high endurance microSD card is much higher than ordinary microSD card. Among them, Sandisk high endurance video monitoring card has a relatively lower price, being a mid-range product of its kind. It has a 2 years warranty period which would not void even you use it in your dashcam.

My experience sharing of using Intel Optane technology accelerated hard disk

Recently I have purchased a Dell XPS 8930 desktop computer which comes with an ordinary 1 TB SATA hard disk, paired with a 16GB Intel Optane memory card.

As advertised by Intel, "the Intel Optane memory is a smart, adaptable system accelerator for PCs with at least a 7th Generation Intel Core processor and a hard disk drive. It provides uncompromising system responsiveness for large capacity storage drives, making everything you do fast, smooth and easy."

Intel has put up a short video to explain what is Optane memory about and how its Smart System Acceleration works, as below:

The main purpose of this Optane memory is to boost up the performance of ordinary SATA hard disk, which capacity is generally much higher than SSD and price is much more cheaper than SSD, so that the data access time of the Intel Optane accelerated hard disk can be comparably as fast as SSD.

I have this Dell XPS 8930 desktop with 1 TB Optane accelerated hard disk as its storage, running on Intel Core i5-8400 CPU and 8 GB memory. I also have a Dell Inspiron 5370 laptop with 256 GB SSD as its storage, running on Intel Core i7-8550U CPU and 8 GB memory. Both of them are running on MS Windows 10 operating system.

In my personal experience of using this desktop with Optane accelerated SATA hard disk which has storage capacity 4 times larger than my laptop, its boot up time is almost instantaneous and faster than my laptop. This is really amazing.

Well, to be fair, the Intel i5-8400 Coffee Lake processor in my desktop with 6 cores 6 threads processing power, is having a higher performance benchmark than the Intel i7-8550U Kabe Lake R processor in my laptop with 4 cores 8 threads processing power. This would probably explain why the desktop boot up time is faster than the laptop. However, without the acceleration of Optane memory, its boot up time with SATA hard disk will be much more slower.

As for the loading speed of applications in the desktop, and the speed of opening data files, it depends on whether they have already been cached in the Optane memory or not. I can feel that their loading speed is about the same with loading from SSD when they are cached, and is as slow as loading from SATA hard disk when they are not cached.

There is no mechanism for me to control which piece of data to be cached and which not to be cached. It is automatically determined by the Optane memory card itself. I can tell from experience that those frequently used one will stay in the cache and load up pretty fast.

Intel provides 2 options of Optane memory capacity, one is 16 GB and another is 32 GB. I think the 32 GB one is of better pick as it has double the caching capacity. However, the Dell XPS 8930 selling in Malaysia does not provide option for buyer to opt for 32 GB Optane memory, as only 16 GB Optane is available.

All in all, I am happy with the performance of this Intel Optane memory in my desktop computer. The only drawback is that current Intel Optane technology does not support RAID storage. It can only work with raw SATA hard disk.

I haven't have experience in using SSHD hybrid hard disk. Perhaps the experience is similar. I am also wondering what makes the different of using Optane memory with SATA hard disk from using SSHD.

How to determine a good car window tint film from TSER, UVR and VLT values?

The performance of car window tint film is generally determined by these 3 values:

• TSER - Total Solar Energy Rejected. This is the overall solar energy filtered by the film. The higher the TSER, the more heat from sun is blocked from entering into your car through its windscreens and windows.
• UVR - Ultraviolet Rejection. Ultraviolet rays can cause colour fading in upholstery and furnishings. It can also cause skin damage and skin cancer.
• VLT - Visible Light Transmission. This is determined by the darkness of the film. The darker the film, the lower its VLT will be. Note that JPJ has regulation for the minimum amount of VLT allowed for the tint film, so the VLT need to be equal or above the permitted value to abide to the regulation imposed. As VLT contributes quite a large portion of TSER, it will affect the TSER value pretty significantly.

Traditionally, many tint shops tend to use IRR (infra-red rejection) as an indicator, but the infra-red wavelength spectrum is very long and there is no standard of how much of the spectrum to be used to measure IRR, some products claim to have high IRR by measuring only a short portion of it right after the visible light spectrum, which does not have much meaning for the real heat rejection performance measurement. Therefore, unless the wavelength spectrum of IRR is clearly specified and the measurement is until 2,500 nm or more, otherwise this value can be neglected as TSER can provide a more meaningful value for consideration.

So, how to determine a tint film is good, moderate or poor, based on its TSER, UVR and VLT values?

First we look at VLT value, as it's minimum requirement is regulated in Malaysia. A good VLT value should be as low as possible (so that the TSER value will also be lower) but should not go below the JPJ standard. Otherwise, the enforcement officer may ask you to remove your tints from your windows due to violation of this regulation.

The minimum allowed VLT currently imposed by JPJ is as follow:

• Front windscreen: 70%
• Front side windows: 50%
• Rear side windows: 30%
• Rear windscreen: 30%

The MS2669:2017 standard has set the requirements for tint film for the following 3 tests:

• Solar test: VLT, UVT (opposite of UVR) and TSET (opposite of TSER).
• Weathering test: TSET/TSER value should be stable for a period of 5 years with less than 4% degradation. This is simulated with 1,000 hours shining from solar mercury lamp.
• Boil test: the tint film should not form bubbles under high temperature.

With reference to this MS2669:2017 standard, we can then determine the range of TSER and UVR which is considered to be good, moderate or marginal only.

TSER:

• Good: > 50%
• Moderate: 39% - 49.99%
• Marginal: 25% - 38.99%
• Failed: below 25%

UVR:

• Good: > 99.5%
• Moderate: 98.5% - 99.49%
• Marginal: 98% - 98.49%
• Failed: below 98%

Therefore, if you are looking for a good car window tint firm, you can look for those that meet the following realistic requirements:

• TSER: 56% - 62%
• UVR: 99.5% - 99.9%
• Front windscreen VLT: 70% - 75%
• Front side windows VLT: 50% - 60%
• Rear side windows VLT: 30% - 50%
• Rear windscreen VLT: 30% - 50%