Did A Computer Virus Bring Down The Soviet Union?

Did software, deliberately programmed by the CIA to fail, hasten the end of the Soviet Union?

The Washington Post reports (registration required) that “President Ronald Reagan approved a CIA plan to sabotage the economy of the Soviet Union through covert transfers of technology that contained hidden malfunctions, including software that later triggered a huge explosion in a Siberian natural gas pipeline.”

It quotes a new memoir by Thomas C. Reed, a former Air Force secretary who was serving in the National Security Council at the time (At the Abyss: An Insider’s History of the Cold War, to be published next month by Ballantine Books) as saying the pipeline explosion was just one example of “cold-eyed economic warfare” that made the Soviet Union eventually “understand that they had been stealing bogus technology, but now what were they to do? By implication, every cell of the Soviet leviathan might be infected. They had no way of knowing which equipment was sound, which was bogus. All was suspect, which was the intended endgame for the entire operation.”

Aspects of this operation have been revealed before, but it’s still a pretty extraordinary tale, and makes one realise the power that software holds over us. And given that all this happened in 1982 or even earlier, does that make the CIA the first successful virus writers? The record is presently held by Fred Cohen, who created his first virus when studying for a PhD at the University of Southern California and presented his results to a security seminar on 10 November, 1983, according to the BBC website.

Who’s In Charge? The Machines, Or Us?

Are we liberated by technology, or its captive?

I love my handphone and I congratulate myself, as I’m checking my email in the middle of some dusty Indonesian kampung, that I have harnessed technology and not the other way round. But sometimes I wonder.

A recent poll by Siemens called the Mobile Lifestyle Survey (no URL available, I’m afraid) indicated that more than half of the people in Indonesia confessed that if they forgot their mobile phone at home, they would go back for it. If you’ve seen Jakarta traffic you’ll know that’s no small chore. Two thirds of Indonesian men and women see their mobile phone as an extension of their personality, directly reflecting their moods (whatever that means).

And just in case you think it’s just handphones that we can’t live without, the British Press Association quotes a survey by pollsters MORI that one in three adults and 44% of youngsters class their machine as a “trusted friend”, while 16% of adults and 13% of 11 to 16-year-olds said: “I often talk to my computer.” And I don’t think they’re using dictation software.

Counting The Cost Of Online Crime

Phishing is beginning to bite.

British police at a high-tech crime congress (noted by USC Annenberg Online Journalism Review) say that 83% of Britain’s 201 largest companies reported experiencing some form of cybercrime. The damage has cost them more than £195 million ($368 million) from downtime, lost productivity and perceived damage to their brand or stock price.

Much of the damage is being done to financial companies, three of whom lost more than £60 million ($130 million). Phishing has hit banks like Barclays, NatWest, Lloyds TSB and 50 other British businesses, Reuters quoted Len Hynds, head of Britain’s National Hi-Tech Crime Unit (NHTCU) as saying.

Of course, it’s probably much worse than this. Most companies don’t report ‘cyber-crime’ to the police for fear that making the matter public would harm their reputation.  The National Hi-Tech Crime Unit (NHTCU) said that of the companies hit by cyber-crime, less than one-quarter reported the matter to police. But that’s better than two years ago, when NO companies were reporting.

Security experts warn that a new wave of cybercrime attacks will be nastier than what companies have already experienced. David Aucsmith, chief technology officer for Microsoft Corporation’s security and business unit predicted criminals would target banking systems, company payroll and business transaction data.

Here are some other interesting facts from Bernhard Warner’s Reuters report:

  •  Seventy-seven percent of respondents said they were the victim of a virus attack, costing nearly 28 million pounds.
  •  Criminal use of the Internet, primarily by employees, was reported by 17 percent of firms at a cost of 23 million pounds.
  •  More than a quarter of firms surveyed did not undertake regular security audits.

Going Public With Sensitive Data

Forget phishing for your passwords via dodgy emails. Just use Wi-Fi.

Internet security company Secure Computing Corporation have today released a report prepared by security consultants Canola/Jones Internet Investigations which “documents the serious risks of password theft that business travelers encounter when using the Internet in hotels, cafes, airports, and trade show kiosks.”  The full report is available (in PDF format) here.

Posing as a business traveler, the author “found multiple methods available to cyber-criminals that could be used to steal passwords and corporate information”. Wireless access points are especially vulnerable: “Tests conducted at an airport Internet cafe and at a popular chain of coffee shops showed that unencrypted streams of data from the laptops of patrons could easily be seen in many instances by another patron sitting nearby with wireless ‘sniffer’ software.”

Even hotel broadband is risky. Canola/Jones shows “how a hotel guest can use widely available snooping software with a laptop logged onto the hotel network. The guest can successfully snoop on the hard drives of fellow guests who have ‘file sharing’ enabled on their PCs. Corporate data and passwords can easily be stolen.” Gulp. Other holes: keyboard logging software secretly installed on public terminals, and the hardy perennial, shoulder surfing, where a ne’er-do-well passes your terminal just as you happen to be entering a banking password.

Needless to say, this is all pretty scary. And Secure Computing would like to offer you a solution: their “two-factor authentication SafeWord line of tokens” which generate one-time-only passcodes for each user session. But there are other ways of foiling most of these exploits: firewalls on your computer, common sense (don’t go to important websites like Internet banking on a public computer), and only using public Wi-Fi when a) you know it’s encrypted and b) you’re not dealing in sensitive data. Have I forgotten anything?

Spammers’ Shopfront Vigilantism, Part II

Further to my previous posting, here’s another way to keep the spammers out by checking out the links they want you to go to.

Sophos, the British virus people, say that their year-old URL filtering “continues to prove to be an enormous success”. The filtering basically collects known spam sites and bans any email which contains them somewhere in the message. Today, Sophos says, the URL filter identifies over 50% of the spam detected by Sophos PureMessage email software.

An innovation, Spammer Asset Tracking, goes further by looking at the source and destination locations of the email, sniffing for suspicious spammer activity. This speeds up adding spam sites to the blocked list.

Not a bad idea, and a feature that home-based spam filtering, such as Bayesian filters, couldn’t really manage to do. No mention is made of scam emails in the press release, but I assume they must be in there somewhere, given Sophos’ interest in such matters. (Stopping them, I mean, not sending them.)

Stopping Spammers and Scammers By Patrolling Their Shopfront

America’s new anti-spam CAN-SPAM Act is a great way to stop spam, so long as the spammer is legit. The problem is, most spammers aren’t.

Mass.-based software company Ipswitch Inc. estimate that more than two-thirds of all spam is deceptive, meaning that spammers disguise the links to their website “behind unrelated graphics and pictures, or by camouflaging their site as a commonly used consumer e-tail site”. Some of this, of course, is real business (however sleazy) but a lot of it is scamming. From Ipswitch’s press release it’s not quite clear whether their software is aiming at the former, the latter or both.

“Over two-thirds of all spam messages include deceptive content intended to trick the recipient into believing the sender represents a legitimate business,” said John Korsak, messaging product marketing manager at Ipswitch. “Because of their legitimate look and feel, recipients do not associate these types of messages as spam when they appear in their email in-box. To protect people from unknowingly sharing private financial details, it is critical email providers employ a URL Domain Blacklist to verify the sender’s true identity.” That kind of sounds like most spam is scam, which can’t be right. It’s bad, but it is not yet that bad.

Anyway, the URL Domain Blacklist is one filter in 20 in Ipswitch’s IMail Server — the others are Bayesian Statistical filtering, Reverse DNS Lookups, SMTP filters, and whathaveyou — which “unmasks illegitimate spam messages by looking at the actual underlying link and comparing it to a growing list of more than 18,000 repeat spammers”.

It’s not a bad idea. Links are the one thing all spams and scams have in common, and they’re relatively easy to identify, unlike text (which can be disguised by clever use of HTML, the language used to create webpages, or by images). But there are still problems, and the press release (and website) are maddeningly imprecise about what, exactly, is being targeted here: Spam or scam?

If it’s the latter, I don’t think URL blacklists are going to be much help. From what we know of phishing scams, the main email-based scam, the website addresses that scammers want us to go to don’t last very long — sometimes only a few hours — meaning that you need to have a very long and rapidly updating list of known scammers. And while Ipswitch is probably right in arguing that they don’t get many false positives — good email mistaken for spam — I don’t think that’s the problem here. The problem is you’re chasing the one element in your average scam email that’s changing most: The scammer’s Internet shopfront. That can be set up and pulled down in a matter of minutes.
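The URL filtering described in this post and in Part II above, as an added example that is not Ipswitch's or Sophos's code: it extracts the underlying link targets from an HTML message and compares them to a domain blocklist. The blocklist entries, the sample message and the extra check that the visible link text names the same host as the real target are all assumptions made for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blocklist; a production list is a frequently refreshed feed.
BLOCKLIST = {"cheap-pills.example", "login-verify.example"}

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def listed(host):  # True if the host or any parent domain is on the blocklist
    parts = host.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def text_host(text):
    """Hostname the visible link text claims, or '' if it is not URL-like."""
    m = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?]|$)", text.lower())
    return m.group(1) if m else ""

def check_message(raw):
    """Return [(href, [reasons])] for each suspicious link in HTML parts."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in collector.links:
            host = (urlsplit(href).hostname or "").lower()
            reasons = ["blocklisted"] if listed(host) else []
            if text_host(text) and text_host(text) != host:
                reasons.append("text/link mismatch")
            if reasons:
                findings.append((href, reasons))
    return findings

# Constructed sample message (not real traffic).
SAMPLE = """\
Content-Type: text/html; charset=utf-8

<p>Confirm at <a href="http://fresh-site.example/a">www.mybank.example/login</a>,
see <a href="http://news.cheap-pills.example/x">our offers</a> or <a href="http://www.mybank.example/help">help</a>.</p>
"""
```

The first link in the sample points at a domain that is not yet on the list, so the blocklist alone passes it; only the text/link comparison flags it, which is the short-lived-shopfront problem in practice.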

Should Journalists Blog?

Kindly pointed out by my old friend Robin Lubbock from WBUR, here’s an interesting piece on journalists who blog in their spare time by Steve Outing.

Outing points out that in many cases, things don’t go well. Reporters “have been fired or punished because of their personal blogs,” he writes. Landmines include when “a simple family blog written by a reporter might contain a reference to trouble at work, or discontent with a boss. It’s so easy for such an item — meant for a tiny group but accessible by the entire Web world — to take on a life of its own and spread to a huge audience, embarrassing not only the employer but also the employee.” The result: Tightly controlled personal blogs, both by the employers, and by the writers, who tend to be increasingly careful of what they write for fear of creating trouble.

Outing also cites cases of “resentment and morale problems from those who consider the blogs they publish on their own time to be an important part of who they are.” A lot of these end up being anonymous, operating without the knowledge of their bosses. That means there may be a lot of ticking time bombs out there, once those folk are outed.

The bottom line for me is this: Journalists (I don’t include columnists here, who are paid to have opinions) should be careful that anything they write or say in public does not compromise their objectivity. There are the obvious topics — usually politics — which journalists would be well advised to stay clear of, whether or not they’re writing in their spare time. Someone who reads a casual remark on a blog that indicates a political bias is justified in feeling that same journalist may not lend balance to his/her reporting when they’re on the job.

That said, journalists are inveterate writers, and blogs are a wonderful place to scratch that itch — especially, I imagine, for editors frustrated they are not out there reporting, or reporters on a beat that’s not their preferred one. I can’t see anything wrong with a political reporter getting hot under the collar about the disturbed migration patterns of the Lesser Bluebacked Hedge Warbler (I know I’m pretty upset), so long as the causes of the disturbance are not political in origin. (Of course, they almost certainly are, knowing politicians. But I can’t say that.)

The Commercialization of RSS

The future of newsfeeds: Trackable RSS.

The biggest drawback to the commercial exploitation of RSS feeds — items from blogs and other websites, parceled up and delivered to users who request them — is that there’s no easy way for the producers of the RSS material to know very much about what their customers are doing with it — even, in many cases, how many people are subscribing. This could all change, thanks to IMN.

IMN, Inc., a ‘direct marketing company’, has come up with a tool (afraid no URL yet available for this) that “transforms an RSS feed from a one-way news stream into a two-way marketing tool that lets marketers and feed subscribers learn from each other”. I’ve read the press release several times and I don’t quite understand how this works, but I think they’re pushing it to call it a “Trackable RSS Feed Capability”.

What I think happens is that the user can click on an item in an RSS feed in whatever aggregator (a program for reading and collecting RSS feeds) which will then take the user to a webpage for the whole document. It’s there, I think, that the tracking bit kicks in. Or as the press release puts it, “Marketers can then use IMN’s content tracking and reporting capabilities to learn subscribers’ preferences, segment them accordingly and then respond with even more relevant and meaningful content that the subscriber will welcome and value.”

All this, the press release says, would involve some significant tracking — read monitoring — of the user’s habits, including giving “each subscriber a unique identifier so that IMN’s reporting engines can track and analyze individual behavior. Marketers can then respond to individual subscribers via the feed, email, or the companion microsite using IMN’s dynamic content capabilities with truly personalized information and messaging based on the learning.” That does sound a bit like the end of RSS as we know it: Anonymous, untainted, anarchic.

I guess it’s inevitable (and somewhat hypocritical of me, given I make use of Amazon’s excellent software to guess what I might be interested in) but I still kind of hope that the pioneering sense of goodwill among the RSS and Blogging community may linger a little longer. But as IMN say, “marketers consider aggregator service subscribers who sign up for RSS feeds highly qualified target audiences.” That, and the fact there’s no spam filters on RSS feeds, make us a very desirable front lawn to park on.

Is Zip The Way To Thwart Viruses?

I like this idea from a Slashdot poster: Eliminate most viruses by zipping everything.

It works (I think) like this: Most viruses arrive as an attachment to an email. These are called executables in that if you click on them, something happens. (As opposed to a file attachment such as a Word document, or a web page, which just opens — although it may contain some malicious script.) Some email programs, like Microsoft Outlook, block these executables by default, but many other programs don’t, or else users change the default setting because they find they cannot access one or two attachments which are kosher. Result: virus mayhem like MyDoom.

The poster suggests that all attachments be zipped. Zip files by definition have to be unzipped before they can be launched, opened or whatever. Most unzipping programs will open those files to a specific folder, during which time they’ll be checked for viruses. More importantly, this process gives the user a chance to view the contents of the file before clicking on it, and may perhaps give them pause for thought.

Of course a lot of people do this already, but they tend to be people who aren’t going to be sending viruses around, and they’re also not the kind of people to open dodgy attachments. In short, the people who zip aren’t the people we’re worried about. Somehow, we’ve got to convince ordinary folk to zip up, preferably by making it an automatic part of the email program. Attach a file to an email? The thing is automatically zipped.

The poster then suggests that email systems are set to delete or quarantine any executable that’s not zipped. That should remove most virus threats (of course some viruses arrive as zipped files, and rely on some social engineering to persuade the unwitting user to open and execute them, but there’s not much you can do if someone is suicidal enough to do all that.) The last point he makes: Encourage zip program vendors to work closer with anti-virus companies “to provide better protection from viruses in zip archives”.

I can’t see much wrong with this. I think zip programs could be easier to use (ironically, Microsoft’s inbuilt zip viewer in Windows XP seems to work best), but if they can be persuaded to integrate seamlessly with email clients, we may go some way to stemming the virus flood.
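The mail-side policy from this post, as an added example that is not the Slashdot poster's code or any mail product's: bare executables are quarantined, zipped attachments are delivered with their contents listed, and a zip that hides an executable is flagged, which covers the zipped-virus case mentioned above. The extension list, the verdict labels and the sample message are assumptions.

```python
import io
import zipfile
from email.message import EmailMessage

# Assumed list of directly runnable extensions (not taken from the post).
EXECUTABLE = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

def is_executable(name):
    return name.lower().endswith(EXECUTABLE)

def triage(msg):
    """Map each attachment name to (verdict, member names worth showing)."""
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if is_executable(name):
            verdicts[name] = ("quarantine", [])      # bare executable
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                inner = zf.namelist()                # shown before opening
            risky = [n for n in inner if is_executable(n)]
            verdicts[name] = ("warn", risky) if risky else ("deliver", inner)
        else:
            verdicts[name] = ("deliver", [])
    return verdicts

def zipped(members):
    """Build an in-memory zip from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def sample_message():
    """Constructed message: bare .scr, clean zip, zip hiding a .pif."""
    msg = EmailMessage()
    msg.set_content("see attached")
    kind = {"maintype": "application", "subtype": "octet-stream"}
    msg.add_attachment(b"MZ", filename="photo.scr", **kind)
    msg.add_attachment(zipped({"notes.txt": "hi"}), filename="notes.zip", **kind)
    msg.add_attachment(zipped({"doc.txt.pif": "x"}), filename="doc.zip", **kind)
    return msg
```

The check looks at the last extension only, so a double-extension name such as `doc.txt.pif` is still treated as executable.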