Spy in the Sky – are planes hacker-proof?

My take on aviation cybersecurity for Reuters: Plane safe? Hacker case points to deeper cyber issues:

“Plane safe? Hacker case points to deeper cyber issues

BY JEREMY WAGSTAFF

Security researcher Chris Roberts made headlines last month when he was hauled off a plane in New York by the FBI and accused of hacking into flight controls via his underseat entertainment unit.

Other security researchers say Roberts – who was quoted by the FBI as saying he once caused ‘a sideways movement of the plane during a flight’ – has helped draw attention to a wider issue: that the aviation industry has not kept pace with the threat hackers pose to increasingly computer-connected airplanes.

Through his lawyer, Roberts said his only interest had been to ‘improve aircraft security.’

‘This is going to drive change. It will force the hand of organizations (in the aviation industry),’ says Jonathan Butts, a former US Air Force researcher who now runs a company working on IT security issues in aviation and other industries.

As the aviation industry adopts communication protocols similar to those used on the Internet to connect cockpits, cabins and ground controls, it leaves itself open to the vulnerabilities bedevilling other industries – from finance to oil and gas to medicine.

‘There’s this huge issue staring us in the face,’ says Brad Haines, a friend of Roberts and a security researcher focused on aviation. ‘Are you going to shoot the messenger?’

More worrying than people like Roberts, said Mark Gazit, CEO of Israel-based security company ThetaRay, are the hackers probing aircraft systems on the quiet. His team found Internet forum users claiming to have hacked, for example, into cabin food menus, ordering free drinks and meals.

That may sound harmless enough, but Gazit has seen a similar pattern of trivial exploits evolve into more serious breaches in other industries. ‘It always starts this way,’ he says.

ANXIOUS AIRLINES

The red flags raised by Roberts’ case are already worrying some airlines, says Ralf Cabos, a Singapore-based specialist in inflight entertainment systems.

One airline official at a recent trade show, he said, feared the growing trend of offering inflight WiFi allowed hackers to gain remote access to the plane. Another senior executive demanded that before discussing any sale, vendors must prove their inflight entertainment systems do not connect to critical flight controls.

Panasonic Corp and Thales SA, whose inflight entertainment units Roberts allegedly compromised, declined to answer detailed questions on their systems, but both said they take security seriously and their devices were certified as secure.

Airplane maker Boeing Co says that while such systems do have communication links, ‘the design isolates them from other systems on planes performing critical and essential functions.’ European rival Airbus said its aircraft are designed to be protected from ‘any potential threats coming from the In-Flight-Entertainment System, be it from Wi-Fi or compromised seat electronic boxes.’

Steve Jackson, head of security at Qantas Airways Ltd, said the airline’s ‘extremely stringent security measures’ would be ‘more than enough to mitigate any attempt at remote interference with aircraft systems.’

CIRCUMVENTING

But experts question whether such systems can be completely isolated. An April report by the U.S. General Accountability Office quoted four cybersecurity experts as saying firewalls ‘could be hacked like any other software and circumvented,’ giving access to cockpit avionics – the machinery that pilots use to fly the plane.

That itself reflects doubts about how well an industry used to focusing on physical safety understands cybersecurity, where the threat is less clear and constantly changing.

The U.S. National Research Council this month issued a report on aviation communication systems saying that while the Federal Aviation Administration, the U.S. regulator, realized cybersecurity was an issue, it ‘has not been fully integrated into the agency’s thinking, planning and efforts.’

The chairman of the research team, Steven Bellovin of Columbia University, said the implications were worrying, not just for communication systems but for the computers running an aircraft. ‘The conclusion we came to was they just didn’t understand software security, so why would I think they understand software avionics?’ he said in an interview.

SLOW RESPONSE

This, security researchers say, can be seen in the slow response to their concerns.

The International Civil Aviation Organisation (ICAO) last year highlighted long-known vulnerabilities in a new aircraft positioning communication system, ADS-B, and called for a working group to be set up to tackle them.

Researchers like Haines have shown that ADS-B, a replacement for radar and other air traffic control systems, could allow a hacker to remotely give wrong or misleading information to pilots and air traffic controllers.

And that’s just the start. Aviation security consultant Butts said his company, QED Secure Solutions, had identified vulnerabilities in ADS-B components that could give an attacker access to critical parts of a plane.

But since presenting his findings to vendors, manufacturers and the industry’s security community six months ago he’s had little or no response.

‘This is just the tip of the iceberg,’ he says.

(Additional reporting by Siva Govindasamy; Editing by Ian Geoghegan)”

The End of the Google+ Era?

Alex Chitu of the Google Operating System sees in Google’s decision to buy into the Twitter firehose the End of the Google+ Era:

Google announced that it will start to display tweets in Google Search for mobile. “When you’re searching on the Google app or any browser on your phone or tablet, you can find real-time content from Twitter right in the search results,” informs Google.

He sees this as the final nail in the coffin of Google+ as a real time social media service: 

It’s the end of the Google+ era. Even if Google+ will continue to exist in one way or another, Google will stop promoting it aggressively and will probably use it as a backend service. Bloomberg reports that Google “is set to reveal an online picture sharing and storage service that will no longer be part of the Google+ social network” and “will let users post images to Facebook and Twitter”.

He could well be right. I know that a lot of folk see positives in Google+ as an active network for certain interests, but Google has never been interested in anything less than mega scale, and won’t settle for that, I’m sure. 

(Via Google Operating System)

BBC: The Rise of Disappearables

The transcript of my BBC World Service piece on wearables. Reuters original story here

Forget ‘wearables’, and even ‘hearables’, if you’ve ever heard of them. The next big thing in mobile devices: ‘disappearables’.

Unless it really messes up, Apple is going to do for wearables with the Watch what is has done with the iPod for music players, the phone with its iPhone, the iPad for tablets. But even as Apple piques consumer interest in wrist-worn devices, the pace of innovation and the tumbling cost, and size, of components will make wearables smaller and smaller. So small, some in the industry say, that no one will see them. In five years, wearables like the Watch could be overtaken by hearables – devices with tiny chips and sensors that can fit inside your ear. They, in turn, could be superseded by disappearables – technology tucked inside your clothing, or even inside your body.

This all may sound rather unlikely, until you consider the iPhone is only 8 years old, and see what has happened to the phone since then. Not only do we consider the smartphone a status symbol in the salons of New York, but they’re something billions of people can afford. So it seems highly plausible that the watch as a gizmo is going to seem quaint in 10 years — as quaint as our feature phone, or net book or MP3 player is now.


So how is this all going to play out? Well this year you’ll be able to buy a little earpiece which contains a music player, 4 gigabytes of storage, a microphone to take phone calls – just nod your head to accept – and sensors that monitor your position, heart rate and body temperature.

Soon after that you’ll be able to buy contact lenses that can measure things like glucose levels in tears. Or swallow a chip the size of a grain of sand, powered by stomach juices and transmitting data about your insides via Bluetooth. For now everyone is focused on medical purposes, but there’s no reason that contact lens couldn’t also be beaming stuff back to you in real time — nice if you’re a politician being able to gauge the response to your speech so you can tweak it in real time.

Or you’re on a date and needing feedback on your posture, gait, the quality of your jokes. 

In short, hearables and wearables will become seeables and disappearables. We won’t see these things because they’ll be buried in fabric, on the skin, under the skin and inside the body. We won’t attack someone for wearing Google Glasses  because we won’t know they’re wearing them. 

Usual caveats apply. This isn’t as easy as it looks, and there’ll be lots of slips on the way. But the underlying technologies are there: components are getting smaller, cheaper, so why not throw in a few extra sensors into a device, even if you haven’t activated them, and are not quite sure what they could be used for? 

Secondly, there’s the ethical stuff. As you know, I’m big on this and we probably haven’t thought all this stuff through. Who owns all this data? Is it being crunched properly by people who know what they’re doing? What are bad guys and governments doing in all this, as they’re bound to be doing something? And how can we stop people collecting data on us if we don’t want them to? 

All good questions. But all questions we should be asking now, of the technologies already deployed in our street, in our office, in the shops we frequent, in the apps we use and the websites we visit. It’s not the technology that’s moving too fast; it’s us moving too slow.

Once the technology is too small to see it may be too late to have that conversation.  

Technorati Tags: , , , ,

Truth-app.jpg

The path to a wearable future lies in academia | Reuters

The path to a wearable future lies in academia | Reuters:

My oblique take on wearables

IMG 0563

For a glimpse of what is, what might have been and what may lie ahead in wearable devices, look beyond branded tech and Silicon Valley start-ups to the messy labs, dry papers and solemn conferences of academia.

There you’d find that you might control your smartphone with your tongue, skin or brain; you won’t just ‘touch’ others through a smart Watch but through the air; and you’ll change how food tastes by tinkering with sound, weight and color.

Much of today’s wearable technology has its roots in these academic papers, labs and clunky prototypes, and the boffins responsible rarely get the credit some feel they deserve.

Any academic interested in wearable technology would look at today’s commercial products and say ‘we did that 20 years ago,’ said Aaron Quigley, Chair of Human Interaction at University of St. Andrews in Scotland.

Take multi-touch – where you use more than one finger to interact with a screen: Apple (AAPL.O) popularized it with the iPhone in 2007, but Japanese academic Jun Rekimoto used something similar years before.

And the Apple Watch? Its Digital Touch feature allows you to send doodles, ‘touches’ or your heartbeat to other users. Over a decade ago, researcher Eric Paulos developed something very similar, called Connexus, that allowed users to send messages via a wrist device using strokes, taps and touch.

‘I guess when we say none of this is new, it’s not so much trashing the product,’ says Paul Strohmeier, a researcher at Ontario’s Human Media Lab, ‘but more pointing out that this product has its origins in the research of scientists who most people will never hear of, and it’s a way of acknowledging their contributions.’

VAMBRACES, KIDS’ PYJAMAS

Those contributions aren’t all pie-in-the-sky.

Strohmeier and others are toying with how to make devices easier to interact with. His solution: DisplaySkin, a screen that wraps around the wrist like a vambrace, or armguard, adapting its display relative to the user’s eyeballs.

Other academics are more radical: finger gestures in the air, for example, or a ring that knows which device you’ve picked up and automatically activates it. Others use the surrounding skin – projecting buttons onto it or pinching and squeezing it. Another glues a tiny touchpad to a fingernail so you can scroll by running one finger over another.

Then there’s connecting to people, rather than devices.

Mutual understanding might grow, researchers believe, by conveying otherwise hidden information: a collar that glows if the wearer has, say, motion sickness, or a two-person seat that lights up when one occupant has warm feelings for the other.

And if you could convey non-verbal signals, why not transmit them over the ‘multi-sensory Internet’? Away on business? Send a remote hug to your child’s pyjamas; or deliver an aroma from one phone to another via a small attachment; or even, according to researchers from Britain at a conference in South Korea last month, transmit tactile sensations to another person through the air.

And if you can transmit senses, why not alter them?

Academics at a recent Singapore conference focused on altering the flavor of food. Taste, it seems, is not just a matter of the tongue, it’s also influenced by auditory, visual and tactile cues. A Japanese team made food seem heavier, and its flavor change, by secretly adding weights to a fork, while a pair of British academics used music, a virtual reality headset and color to make similar food seem sourer or sweeter to the eater.

MAKING THE GRADE

It’s hard to know just which of these research projects might one day appear in your smartphone, wearable, spoon or item of clothing. Or whether any of them will.

‘I don’t think I’m exaggerating when I say that 99 percent of research work does not end up as ‘product’,’ says Titus Tang, who recently completed a PhD at Australia’s Monash University, and is now commercializing his research in ubiquitous sensing for creating 3D advertising displays. ‘It’s very hard to predict what would turn out, otherwise it wouldn’t be called research.’

But the gap is narrowing between the academic and the commercial.

Academics at the South Korean conference noted that with tech companies innovating more rapidly, ‘while some (academic) innovations may truly be decades ahead of their time, many (conference) contributions have a much shorter lifespan.’

‘Most ‘breakthroughs’ today are merely implementations of ideas that were unimplementable in that particular time. It took a while for industry to catch up, but now they are almost in par with academic research,’ says Ashwin Ashok of Carnegie Mellon.

Pranav Mistry, 33, has risen from a small town in India’s Gujarat state to be director of research at Samsung America (005930.KS). His Singapore conference keynote highlighted a Samsung project where a camera ‘teleports’ viewers to an event or place, offering a real-time, 3D view.

But despite a glitzy video, Samsung logo and sleek black finish, Mistry stressed it wasn’t the finished product.

He was at the conference, he told Reuters, to seek feedback and ‘work with people to make it better.’

(Editing by Ian Geoghegan)”

Chinese hackers target Southeast Asia, India, researchers say

Chinese hackers target Southeast Asia, India, researchers say | Reuters

My piece on FireEye’s report about hackers. Other reports have appeared since. 

Hackers, most likely from China, have been spying on governments and businesses in Southeast Asia and India uninterrupted for a decade, researchers at internet security company FireEye Inc said.

In a report released on Monday, FireEye said the cyber espionage operations dated back to at least 2005 and ‘focused on targets – government and commercial – who hold key political, economic and military information about the region.’

‘Such a sustained, planned development effort coupled with the (hacking) group’s regional targets and mission, lead us to believe that this activity is state-sponsored – most likely the Chinese government,’ the report’s authors said.

Bryce Boland, Chief Technology Officer for Asia Pacific at FireEye and co-author of the report, said the attack was still ongoing, noting that the servers the attackers used were still operational, and that FireEye continued to see attacks against its customers, who number among the targets.

Reuters couldn’t independently confirm any of the assertions made in the report.

China has always denied accusations that it uses the Internet to spy on governments, organizations and companies.

Asked about the FireEye report on Monday, foreign ministry spokesman Hong Lei said: ‘I want to stress that the Chinese government resolutely bans and cracks down on any hacking acts. This position is clear and consistent. Hacking attacks are a joint problem faced by the international community and need to be dealt with cooperatively rather than via mutual censure.’

The Cyberspace Administration of China, the Internet regulator, didn’t immediately respond to written requests for comment.

China has been accused before of targeting countries in South and Southeast Asia. In 2011, researchers from McAfee reported a campaign dubbed Shady Rat which attacked Asian governments and institutions, among other targets.

Efforts by the 10-member Association of Southeast Asian Nations (ASEAN) to build cyber defenses have been sporadic. While ASEAN has long acknowledged its importance, ‘very little has come of this discourse,’ said Miguel Gomez, a researcher at De La Salle University in the Philippines.

The problem is not new: Singapore has reported sophisticated cyber-espionage attacks on civil servants in several ministries dating back to 2004.

UNDETECTED

The campaign described by FireEye differs from other such operations mostly in its scale and longevity, Boland said.

He said the group appeared to include at least two software developers. The report did not offer other indications of the possible size of the group or where it’s based.

The group remained undetected for so long it was able to re-use methods and malware dating back to 2005, and developed its own system to manage and prioritize attacks, even organizing shifts to cope with the workload and different languages of its targets, Boland told Reuters.

The attackers focused not only on governments, but on ASEAN itself, as well as corporations and journalists interested in China. Other targets included Indian or Southeast Asian-based companies in sectors such as construction, energy, transport, telecommunications and aviation, FireEye says.

Mostly they sought to gain access by sending so-called phishing emails to targets purported to come from colleagues or trusted sources, and containing documents relevant to their interests.

Boland said it wasn’t possible to gauge the damage done as it had taken place over such a long period, but he said the impact could be ‘massive’. ‘Without being able to detect it, there’s no way these agencies can work out what the impacts are. They don’t know what has been stolen.’

Pornchai Rujiprapa, Minister of Information and Communication Technology for ASEAN member Thailand, said the government was proposing a new law to combat cyber attacks as existing legislation was outdated.

‘So far we haven’t found any attack so big it threatens national security, but we are concerned if there is any in the future. That’s why we need a new law to handle it,’ he told Reuters.

(Additional reporting by Ben Blanchard in BEIJING and Pracha Hariraksapitak in BANGKOK; Editing by Miyoung Kim and Ian Geoghegan)”

(Via.)

BBC: Cluetraining Disruption

Has technology, convinced of its own rectitude, lost its sense of moral direction? 

Disruptive innovation is one of those terms that worms its way into our vocabulary, a bit like built-in obsolescence or upselling. It’s become the mantra of the tech world, awhich sees its author Clayton Christensen, as a sort of messiah of the changes we’re seeing in industries from taxis, hotels and media. Briefly put the theory goes: existing companies are undercut and eventually replaced by competitors who leverage technology to come up with inferior but good enough alternatives — think the transistor radio displacing vacuum tube radios — or come up with wholly new products that eventually eclipse existing markets — think the iPhone killing off the MP3 player (and radios, and watches, and cameras, and guitar tuners etc.) 

Backlash 

A backlash has emerged against this theory, partly because it’s somewhat flawed — even Prof Christensen himself has misapplied it, as in the case of the iPhone — but also because it’s scary. Uber may be a great idea if you’re looking for a ride, but not if you’re an old-style cabbie. Airbnb is great for a place to crash, but feels like a car crash if you’re running a real b’n’b. And don’t get me started on being a journalist.   But there’s a much bigger problem here. The tech world is full of very inspiring, bright, charismatic people and that’s one reason I choose to write about it for a living. But it has changed in the past decade or so, undeniably. 15 years ago, just before the last dot.com crash, a tome appeared: The Cluetrain Manifesto, and you’d either read it or you hadn’t. It was a collection of writings by some fine thinkers, the great bloggers of the day like Doc Searls and Dave Weinberger. The main thesis: the Internet is unlike ordinary, mass media, because it allows human to human conversations — and that this would transform marketing, business, the way we think. Markets are conversations, it said.   For a while we were giddy with the power this gave us over corporations. We could speak back to them — on blogs, and later on what became known as social media. Even Microsoft hired a blogger and let him be a tiny bit critical of things at Redmond.

Last blast

Looking back, it was probably the last naive blast of the old dying Internet rather than a harbinger of the new. The language, if not the underlying philosophy, lives on in conferences and marketing pitches. Most social media conversations are harsh, mostly inhuman — we refer to deliberate online baiters as trolls, which I suppose makes them subhuman — and we’ve largely given up influencing the companies we do business with except in the occasional diatribe or flash hashtag full frontal mob assault.

And more importantly, there is no longer any of that idealism or utopianism in any startup movement that I can see. For sure, we cheer on these players because they seem to offer something very seductive, from free email, calendars, spreadsheets to cheaper rides, stays, music, video and goodies, to shinier bling, gadgets, wearables and cars. And they all sing the same mantra: we’re disruptive, we’re disintermediating, we’re leveraging technology, we’re removing friction, we’re displacing old cozy cartels, we’re doing it all for you.

The problem is that underneath this lies an assumption, an arrogance, that technology is a natural ally of good, that disruption is always a good thing, that the geeks parlaying it into products are natural leaders, and that those opposing it are reactionaries, doomed to the scrapheap.

Rapid cycle

The result: we’re just getting into a more rapid cycle of replacing one lot of aloof, cloth-eared giants with another lot, who in short order will be replaced by another. Microsoft, IBM, and HP, the giants of when Cluetrain was written, have been replaced by Amazon, Apple, Alibaba, Facebook and Google, all of them as hard to hold a conversation with as Microsoft ever was. And the big players of tomorrow, which may or may not be Uber, Airbnb, Tencent and Twitter, don’t seem particularly interested in a conversation either.

We need to recover some of that old Cluetrain idealism, naivety, when we thought that what we were doing was building a new platform for anyone to use, to talk back to authority, to feel heard and appreciated — and not just a cult-like celebration of the rugged individuals who dismantled Babel only to build a bigger, shinier and more remote one its place.

This was a piece I wrote and recorded for the BBC World Service. It’s not Reuters content – JW

BBC: Beyond the Breach

The script of my Reuters story on cybersecurity. Podcast available here (

Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.

)

If you’re getting tired of internet security companies using images of padlocks, moats, drawbridges and barbed wire in their ads, then chances are you won’t have to put up with them much longer.

Turns out that keeping the bad guys out of your office network has largely failed. All those metaphors suggesting castles, unassailable battlements, locked doors are being quietly replaced by another shtick: the bad guys are in your network, but we’ll find them, watch what they do, and try to ensure they don’t break anything or steal anything valuable.

Which is slightly worrying, if you thought firewalls, antivirus and the like were going to save you.

You’re probably tired of the headlines about cybersecurity breaches: U.S. insurer Anthem Inc saying hackers may have made off with some 80 million personal health records, while others raided Sony Pictures’ computers and released torrents of damaging emails and employee data.

Such breaches, say people in the industry, show the old ways have failed, and now is the chance for younger, nimbler companies selling services to protect data and outwit attackers. These range from disguising valuable data, diverting attackers up blind alleys, and figuring out how to mitigate breaches once the data has already gone. It’s a sort of cat and mouse game, only going on inside your computers.

Cybersecurity, of course, is big business. $70 billion was spent on it last year.

Of course, we’re partly to blame. We insist on using our tablets and smartphones for work; we access Facebook and LinkedIn from the office. All this offers attackers extra opportunities to gain access to their networks.

But it’s also because the attackers and their methods have changed. Cyber criminals and spies are being overshadowed by politically or religiously motivated activists, and these guys don’t want to just steal stuff, they want to hurt their victim. And they have hundreds of ways of doing it.

And they’re usually successful. All these new services operate on the assumption that the bad guy is already inside your house, as it were. And may have been there months. Research by IT security company FireEye found that “attackers are bypassing conventional security deployments almost at will.” Across industries from legal to healthcare it found nearly all systems had been breached.

Where there’s muck there’s brass, as my mother would say. Funding these start-ups are U.S- and Europe-based venture capital firms which sense another industry ripe for disruption.

Google Ventures and others invested $22 million in ThreatStream in December, while Bessemer Venture Partners last month invested $30 million in iSIGHT Partners.

Companies using these services aren’t your traditional banks and  whatnot. UK-based Darktrace, which uses maths and machine learning to spot abnormalities in a network that might be an attack, has a customers like a British train franchise and a Norwegian shipping insurer.

But it’s early days. Most companies still blithely think they’re immune, either because they think they don’t have anything worth stealing or deleting, or because they think a firewall and an antivirus program are enough.

And of course, there’s another problem. As cyber breaches get  worse, and cybersecurity becomes a more valuable business, expect the hype, marketing and dramatic imagery to grow, making it ever more confusing for the lay person to navigate.

I’ve not seen them yet, but I’m guessing for these new companies the shield and helmet images will be replaced by those of SAS commandos, stealthily patrolling silicon corridors. Or maybe it’ll be Tom, laying mousetraps for his nemesis. Might be apt: Jerry the cheese thief always seemed to win.

Reuters: Beyond the Breach

My piece on disruption in the cybersecurity space. Too many companies and ideas to mention in Reuter-space, but it’s a start.  Thanks to Ian Geohegan, as ever, for his editing touch.  

Beyond the breach: cyberattacks force a defense strategy re-think | Reuters

(Reuters) – A barrage of damaging cyberattacks is shaking up the security industry, with some businesses and organizations no longer assuming they can keep hackers at bay, and instead turning to waging a guerrilla war from within their networks.

U.S. insurer Anthem Inc last week said hackers may have made off with some 80 million personal health records. Also, Amy Pascal said she would step down as co-chairman of Sony Pictures Entertainment, two months after hackers raided the company’s computers and released torrents of damaging emails and employee data.

Such breaches, say people in the industry, offer a chance for younger, nimbler companies trying to sell customers new techniques to protect data and outwit attackers. These range from disguising valuable data, diverting attackers up blind alleys, and figuring out how to mitigate breaches once the data has already gone.

“Suddenly, the music has completely changed,” said Udi Mokady, founder of U.S.-based CyberArk. “It’s not just Sony, it’s a culmination of things that has turned our industry around.”

Worldwide spending on IT security was about $70 billion last year, estimates Gartner. ABI Research reckons cybersecurity spending on critical infrastructure alone, such as banks, energy and defense, will reach $109 billion by 2020.

Several things are transforming the landscape. Corporations have been forced to allow employees to use their own mobile phones and tablets for work, and let them access web-based services like Facebook and Gmail from office computers. All this offers attackers extra opportunities to gain access to their networks.

And the attackers and their methods have changed.

Cyber criminals and spies are being overshadowed by politically or religiously motivated activists, says Bryan Sartin, who leads a team of researchers and investigators at Verizon Enterprise Solutions, part of Verizon Communications. “They want to hurt the victim, and they have hundreds of ways of doing it,” he said in a phone interview.

CLOSING THE DOOR

The result: companies can no longer count on defending themselves with decades-old tools like firewalls to block traffic and antivirus software to catch malware, and then assume all traffic that does make it within the network is legitimate.

Research by IT security company FireEye last month, for example, found that “attackers are bypassing conventional security deployments almost at will.” Across industries from legal to healthcare it found nearly all systems had been breached.

“Once an attacker has made it past those defenses they’re in the gooey center, and getting around is relatively simple,” said Ryan Wager, director of product management at vArmour.

Attackers can lurk inside a network for half a year before being detected. “That’s like having a bad guy inside your house for six months before you know about it,” says Aamir Lakhani, security strategist at Fortinet Inc, a network security company.

Security start-ups have developed different approaches based on the assumption that hackers are already, or soon will be, inside the network.

Canada-based Camouflage, for example, replaces confidential data in files that don’t need it, like training databases, with fictitious but usable data. This makes attackers think they have stolen something worthwhile. U.S.-based TrapX Security creates traps of ‘fake computers’ loaded with fake data to redirect and neutralize attacks.

California-based vArmour tries to secure data centers by monitoring and protecting individual parts of the network. In the Target Corp breach during the 2013 holiday shopping season, for example, attackers were able to penetrate 97 different parts of the company’s network by moving sideways through the organization, according to vArmour’s Wager.

“You need to make sure that when you close the door, the criminal is actually on the other side of the door,” he said.

‘THREAT INTELLIGENCE’

Funding these start-ups are U.S- and Europe-based venture capital firms which sense another industry ripe for disruption.

Google Ventures and others invested $22 million in ThreatStream in December, while Bessemer Venture Partners last month invested $30 million in iSIGHT Partners. Both companies focus on so-called ‘threat intelligence’ – trying to understand what attackers are doing, or plan to do.

Clients are starting to listen.

Veradocs‘ CEO and co-founder Ajay Arora says that while his product is not officially live, his firm is already working with companies ranging from hedge funds to media entertainment groups to encrypt key documents and data.

UK-based Darktrace, which uses math and machine learning to spot abnormalities in a network that might be an attack, has a customer base that includes Virgin Trains, Norwegian shipping insurer DNK and several telecoms companies.

But it’s slow going. Despite being open for business since 2013, it’s only been in the past six months that interest has really picked up, says Darktrace’s director of technology Dave Palmer. 

“The idea that indiscriminate hacking would target all organizations is only starting to get into the consciousness.”

BBC : The Mantra of Disruption

A piece I recorded for the BBC World Service. Not Reuters content. 

Disruptive innovation is like one of those terms that worms its way into our vocabulary, a bit like built-in obsolescence or upselling.   It’s become the mantra of the tech world, awhich sees its author Clayton Christensen, as a sort of messiah of the changes we’re seeing in industries from taxis, hotels and media. Briefly put the theory goes: existing companies are undercut and eventually replaced by competitors who leverage technology to come up with inferior but good enough alternatives — think the transistor radio displacing vacuum tube radios — or come up with wholly new products that eventually eclipse existing markets — think the iPhone killing off the MP3 player (and radios, and watches, and cameras, and guitar tuners etc.) 

A backlash has emerged against this theory, partly because it’s somewhat flawed — even Prof Christensen himself has misapplied it, as in the case of the iPhone — but also because it’s scary. Uber may be a great idea if you’re looking for a ride, but not if you’re an old-style cabbie. Airbnb is great for a place to crash, but feels like a car crash if you’re running a real b’n’b. And don’t get me started on being a journalist. 

But there’s a much bigger problem here. The tech world is full of very inspiring, bright, charismatic people and that’s one reason I choose to write about it for a living. But it has changed in the past decade or so, undeniably.   15 years ago, just before the last dot.com crash, a tome appeared: The Cluetrain Manifesto, and you’d either read it or you hadn’t. It was a collection of writings by some fine thinkers, the great bloggers of the day like Doc Searls and Dave Weinberger. The main thesis: the Internet is unlike ordinary, mass media, because it allows human to human conversations — and that this would transform marketing, business, the way we think. Markets are conversations, it said. 

For a while we were giddy with the power this gave us over corporations. We could speak back to them — on blogs, and later on what became known as social media. Even Microsoft hired a blogger and let him be a tiny bit critical of things at Redmond. 

Looking back, it was probably the last naive blast of the old dying Internet rather than a harbinger of the new. The language, if not the underlying philosophy, lives on in conferences and marketing pitches. Most social media conversations are harsh, mostly inhuman — we refer to deliberate online baiters as trolls, which I suppose makes them subhuman — and we’ve largely given up influencing the companies we do business with except in the occasional diatribe or flash hashtag full frontal mob assault.  

And more importantly, there is no longer any of that idealism or utopianism in any startup movement that I can see. For sure, we cheer on these players because they seem to offer something very seductive, from free email, calendars, spreadsheets to cheaper rides, stays, music, video and goodies, to shinier bling, gadgets, wearables and cars. And they all sing the same mantra: we’re disruptive, we’re disintermediating, we’re leveraging technology, we’re removing friction, we’re displacing old cozy cartels, we’re doing it all for you. 

The problem is that underneath this lies an assumption, an arrogance,  that technology is a natural ally of good, that disruption is always a good thing, that the geeks parlaying it into products are natural leaders, and that those opposing it are reactionaries, doomed to the scrapheap. 

The result: we’re just getting into a more rapid cycle of replacing one lot of aloof, cloth-eared giants with another lot, who in short order will be replaced by another. Microsoft, IBM, and HP, the giants of when Cluetrain was written, have been replaced by Amazon, Apple, Alibaba, Facebook and Google, all of them as hard to hold a conversation with as Microsoft ever was. And the big players of tomorrow, which may or may not be Uber, Airbnb, Tencent and Twitter, don’t seem particularly interested in a conversation either. 

We need to recover some of that old Cluetrain idealism, naivety, when we thought that what we were doing was building a new platform for anyone to use, to talk back to authority, to feel heard and appreciated — and not just a cult-like celebration of the rugged individuals who dismantled Babel only to build a bigger, shinier and more remote one its place. 

Reuters: With WebRTC, the Skype’s no longer the limit

Something I wrote for Reuters: 

With WebRTC, the Skype’s no longer the limit

By Jeremy Wagstaff

SINGAPORE Thu Dec 11, 2014 4:07pm EST

(Reuters) – WebRTC, a free browser-based technology, looks set to change the way we communicate and collaborate, up-ending telecoms firms, online chat services like Skype and WhatsApp and remote conferencing on WebEx.

Web Real-Time Communication is a proposed Internet standard that would make audio and video as seamless as browsing text and images is now. Installed as part of the browser, video chatting is just a click away – with no need to download an app or register for a service.

WebRTC allows anyone to embed real-time voice, data and video communications into browsers, programs – more or less anything with a chip inside. Already, you can use a WebRTC-compatible browser like Mozilla’s Firefox to start a video call just by sending someone a link.

Further ahead, WebRTC could add video and audio into all kinds of products and services, from GoPro cameras and educational software to ATMs and augmented reality glasses. Imagine, for example, wanting to buy flowers online and being able, at a click, to have the florist demonstrate arrangements to you live via a video link.

WebRTC will be a market worth $4.7 billion by 2018, predicts Smiths Point Analytics, a consultancy. Dean Bubley, a UK-based consultant, reckons over 2 billion people will be using WebRTC by 2019, some 60 percent of the likely Internet population.

Most of these will be mobile. Some versions of Amazon’s Kindle multimedia tablet, for example, have a ‘Mayday’ button which launches a WebRTC-based video call with a customer service representative.

By the end of the decade, consultants Analysys Mason reckon there will be 7 billion devices supporting WebRTC, nearly 5 billion of them smartphones or tablets. Automatic voice and video encryption means web conversations should be safe from eavesdropping or external recording.

FROM DREAM TO REALITY

“The promise is fantastic,” said Alexandre Gouaillard, chief technology officer at Singapore start-up Temasys. “There’s always a problem with timing, between dream and reality.”

Initially championed by Google, WebRTC was adopted by Mozilla and Norway’s Opera Software – between them accounting for more than half of the world’s browsers. In October, Microsoft committed to including a version of WebRTC on its Internet Explorer browser, leaving only Apple as the main holdout. An Apple spokesperson declined to discuss the company’s plans for WebRTC in detail.

Last month, technical experts agreed a compromise on a key sticking point: which of two encoding standards to use to convert video. All sides agreed to support both for now.

Some prominent names are staking out the WebRTC arena.

Skype co-founder Janus Friis this month launched Wire, a chat and voice messaging app that uses WebRTC, and Ray Ozzie, who created Lotus Notes and was chief software architect at Microsoft, is challenging messaging and conferencing services with Talko, an app using WebRTC. Mozilla has teamed up with U.S.-based TokBox to launch Hello, a plug-in-free, account-free web conferencing service within its Firefox browser.

Dozens of mobile apps already leverage WebRTC – including Movirtu’s WiFi-based CloudPhone, allowing voice calls over WiFi. Movirtu CEO Carsten Brinkschulte says WebRTC “gives us a lot of things that are free that are normally very hard to do.”

“A MAGNIFIER”

This makes some incumbents nervous. One is the $2 billion web and video conferencing industry. And telecoms firms are still reeling from free voice and messaging services like WhatsApp and Skype. Even those companies look vulnerable as WebRTC reduces the cost of setting up a competing service.

“WebRTC is a magnifier,” says Bubley, the consultant. “It makes the opportunities bigger and the threats worse, and everything faster.”

Some, though, are putting up a fight.

Microsoft is rolling out a web-based version of Skype that will, eventually, require no extra software and will be compatible with all WebRTC browsers. And Cisco, whose WebEx is king of web-based video conferencing, has been active in developing standards. But, says Bubley, “it’s in no desperate rush to accelerate.”

Among telecoms companies, Telefonica bought TokBox “to learn about the space, and they’ve largely left us to pursue that,” said TokBox CEO Scott Lomond. SK Telecom and NTT Docomo are also experimenting with the technology.

But those championing WebRTC say the technology isn’t so much about challenging what’s available today, but more about creating opportunities for new products and services tomorrow.

Cary Bran, vice president at Plantronics, a headset maker, sees a time when online gamers won’t just be able to see and talk to each other, but feed heart-rate and other sensor data into the game, “making it more difficult or easy based on the user’s level of engagement.”

More prosaically, TokBox is working with banks in the United States and Europe to provide branch visitors with video links to specialists, cutting down on staffing costs.

Such options, says TokBox’s Lomond, only scratch the surface of what’s possible. “I don’t think the broader market has fully appreciated how potentially disruptive this is,” he says.