Tag Archives: analyst

The Real Revolution

This is also a podcast, from my weekly BBC piece. 

While folks at the annual tech show in Vegas are getting all excited about a glass-encased laptop, the world’s thinnest 55″ TV and a washing machine you can control from your phone, they may be forgiven for missing the quiet sound of a milestone being crossed: there are now more smartphones in the world than there are ordinary phones.

According to New York-based ABI Research, 3G and 4G handsets now account for more than half of the total mobile phone market. Those old ‘dumb phones’ and the so-called feature phones–poor relations to the computer-type iPhone or Android device–are now officially in decline.

This is, in the words of ABI Research’s Jake Saunders, “an historic moment.” While IDC, another analyst company, noticed that this happened in Western Europe in the second quarter of last year, Saunders points out: “It means not just mobile phone users in Developed Markets but also Emerging Market end-users are purchasing 3G handsets.”

So why is this a big issue? Well, a few years back it would have been hard to convince someone in an emerging market to shell out several hundred bucks for a phone. A phone for these folks was good for talking and sending text messages. That was a lot. And enough for most people–especially when the handset cost $20 and the monthly bill was even less.

Now, with prices falling and connectivity improving in the developing world a cellphone is so much more: It’s a computer. It’s an Internet device. It’s a portable office and shop front. It’s a music player. A TV. A video player. A way to stay in touch via Facebook and Twitter.

And for the industry these people in emerging markets are a life saver. For example: The developed world is pretty much saturated with smartphones. People aren’t buying them in the numbers they used to.

But that’s not to say the feature phone is dead. In fact, for some companies it’s still an important part of their business. Visionmobile, a UK based mobile phone research company, says that Nokia–busy launching its new Windows Lumia phones in Vegas–is still the king of feature phones, accounting for more than a quarter of the market.

And they just bought a small company called, confusingly, Smarterphone, which makes a feature phone interface look more like a smartphone interface. So clearly at least one company sees a future in this non-smartphone world. In a place like Indonesia, where the BlackBerry leads the smartphone pack, nearly 90% of phones sold in the third quarter of last year were feature phones, according to IDC.

So companies see a big chance for growth in these parts of the world. But they also need the spectrum. If you’re a mobile operator your biggest problem now is that smartphone users do a lot of downloading. That means bandwidth. The problem is that one piece of spectrum is for that 3G smartphone, and another is for your old-style 2G phone. The sooner you can get all your customers to upgrade their handset to 3G, the sooner you can switch that part of the spectrum you own to 3G.

So this is a big moment. We’re seeing a tipping point in the world’s cellphone use, from a simple, dumb communication device to something vastly more useful, vastly more exciting, vastly more lucrative. All those people moving over to smartphones

ABI Research reckons there’ll be 1.67 billion handsets sold this year. That’s one in four people buying a new device. Forget fancy Vegas. The real revolution just started.

DigiNotar Breach Notes

Some folk have asked me for more details about the DigiNotar breach after my brief appearance on Al Jazeera this morning. So here are the notes I prepared for the segment. Links at the bottom.

Background

Web security certificates are digital IDs issued by companies entrusted with making sure they are given to the right company or organisation. They allow a user to set up a secure connection between their computer and the organisation’s website. Browsers will show a little lock or some other icon to signify the certificate has been found and is trusted.

Hackers broke into a Dutch company called DigiNotar, itself owned by US firm Vasco Data Security, in mid June. DigiNotar is one of hundreds of companies around the globe called certificate authorities that issue these authentication certificates. Browsers contain a list of which CAs they can trust.

These hackers would have been able to steal existing certificates or generate their own, meaning they could now, with the help of an Internet Service Provider, launch what are called Man in the Middle Attacks–meaning they could intercept traffic, a bit like tapping a telephone.

DigiNotar noticed that something was amiss in July, but didn’t realise the extent of the breach until late August, by which time more than 500 (531) fake certificates were issued. While some cover domains like the CIA and MI6, these are probably just distractions. The key ones are a dozen issued for domains like Google, Facebook and Skype.

Why do we think this was about Iran?

Studies of the validation requests–browsers pinging DigiNotar to confirm the certificate’s authenticity–showed that during August the bulk–maybe 99%–of the traffic was coming from Iran. When the certificates were eventually revoked, Iranian activity dropped.

Moreover the attackers left some quite obvious clues. They left calling cards: transcribed Farsi which translates into slogans such as “I will sacrifice my life for my leader” and “unknown soldier.”
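The validation-request analysis described above, as an added example that is not part of the original notes: it counts OCSP lookups per certificate serial by client country, shows the daily volume, and flags serials the CA has no issuance record for. The log format, the geolocation table, and every serial and address are constructed for illustration.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed geolocation table built on RFC 5737 documentation ranges.
GEO = [
    (ipaddress.ip_network("192.0.2.0/24"), "IR"),
    (ipaddress.ip_network("198.51.100.0/24"), "NL"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
]

# Constructed issuance records: serials the CA knows it issued.
ISSUED_SERIALS = {"0A11", "0A12"}

# Constructed OCSP responder log: timestamp, client IP, serial, status.
SAMPLE_LOG = """\
2011-08-27T09:00:01 192.0.2.10 D7FF good
2011-08-27T09:00:05 192.0.2.11 D7FF good
2011-08-27T09:01:12 198.51.100.7 0A11 good
2011-08-27T09:02:30 192.0.2.54 D7FF good
2011-08-28T11:15:00 192.0.2.10 D7FF good
2011-08-28T11:15:09 192.0.2.77 D7FF good
2011-08-28T11:16:41 203.0.113.5 D7FF good
2011-08-28T11:17:02 192.0.2.120 D7FF good
2011-08-28T11:20:00 203.0.113.9 0A12 good
this line is malformed
2011-08-28T11:21:33 192.0.2.201 D7FF good
2011-08-30T08:00:00 192.0.2.10 D7FF revoked
2011-08-30T08:05:00 198.51.100.8 0A11 good
"""


def country_of(ip):
    """Map a client address to a country code, or '??' if unknown."""
    for network, country in GEO:
        if ip in network:
            return country
    return "??"


def parse_line(line):
    """Parse one log line; return None for anything malformed."""
    fields = line.split()
    if len(fields) != 4:
        return None
    try:
        when = datetime.fromisoformat(fields[0])
        ip = ipaddress.ip_address(fields[1])
    except ValueError:
        return None
    return {"when": when, "country": country_of(ip),
            "serial": fields[2].upper(), "status": fields[3]}


def load(text):
    """Parse a whole log, silently dropping malformed lines."""
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def unknown_serials(events, issued):
    """Serials clients asked about that the CA has no record of issuing."""
    return {e["serial"] for e in events} - set(issued)


def country_share(events, serial):
    """Fraction of lookups for one serial that came from each country."""
    counts = Counter(e["country"] for e in events if e["serial"] == serial)
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()} if total else {}


def daily_volume(events, serial):
    """Lookups per calendar day for one serial, to see a drop on revocation."""
    days = Counter(e["when"].date().isoformat()
                   for e in events if e["serial"] == serial)
    return dict(sorted(days.items()))


if __name__ == "__main__":
    events = load(SAMPLE_LOG)
    for serial in sorted(unknown_serials(events, ISSUED_SERIALS)):
        print("no issuance record for serial", serial)
        for country, share in sorted(country_share(events, serial).items()):
            print(f"  {country}: {share:.0%} of lookups")
        for day, count in daily_volume(events, serial).items():
            print(f"  {day}: {count} lookups")
```

A serial that clients validate but that is missing from the issuance records is the signal to investigate; the country split and daily counts then show who was served the certificate and whether revocation took effect.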

Why might Iran be interested?

Well, we now know that a lot of countries like Syria intercept ordinary Internet traffic through something called Deep Packet Inspection. This means that the government is basically snooping on web traffic. But when that traffic passes through these secure connections, it’s much harder. So the holy grail of any internet surveillance is to get a hold of those certificates, or work around them. This is a brazen attempt to do this.

All Internet traffic in Iran has to go through a government proxy, making this kind of attack much simpler. The government ISP just uses the certificate to pretend to be Google, or whatever, and then passes the traffic on.

Is it the government?

This is harder to confirm. The Dutch government is investigating this. A similar attack took place against an Italian CA in March, and it shows similar fingerprints.

But the fact that the certificates were stolen and then used seems to suggest some official connection.

What could they have discovered?

Quite a lot. All the traffic that was intercepted could be deciphered, meaning all browsing and emails. But it also may have captured cookies, meaning passwords, which would have made it easy to hack into target accounts and sniff around old emails, dig out other passwords, or hack into associated accounts, such as Google Docs.

Moreover, some of the certificates compromise something called The Onion Router, a service which anonymizes web traffic. Though TOR itself wasn’t compromised the certificates could convince your browser you were talking to TOR, whereas in fact you’d be talking to the attacker.

Should other people be worried?

Yes. Some browser developers have been more forthcoming than others; Google Chrome and Firefox have been quick to respond. Others less so. If you’re in Iran or think you may be targeted, it’s a good idea to change your password, and to check that no one has altered your forwarding details in your email account. You should also upgrade your browser to the latest version, whatever browser you use.

DigiNotar made some horrible mistakes: one Windows domain for all certificate servers, no antivirus, a simple administrator password. There were defaced pages on the website dating back to 2009. One has to wonder what other certificate authorities are similarly compromised. We rely on these companies to know what they’re doing. They’re the top of the food chain, in the words of one analyst.

We should now be looking closely at the previous breaches and looking for others. This is a ratcheting up of the stakes in a cyberwar; this kind of thing has real world impact on those people who thought they were communicating safely and will now fear the knock on their door.

In the future this is likely to lead to a change in the way certificates are issued and checked. I don’t think DigiNotar is going to survive this, but I think a bigger issue is bound to be how this security issue is handled. I think governments which look to the Internet as a tool for democratic change need also to be aware of just how dangerous it is to encourage dissidents to communicate online, whether or not they’re being careful.

News:

BBC News – Fake DigiNotar web certificate risk to Iranians

DigiNotar – Wikipedia, the free encyclopedia

Fake DigiNotar certificates targeting Iranians?

Expert reports/analysis:

DigiNotar Hacked by Black.Spook and Iranian Hackers – F-Secure Weblog : News from the Lab

Operation Black Tulip: Fox-IT’s report on the DigiNotar breach | Naked Security (Sophos)

Fox-IT report, operation Black Tulip (PDF)

VASCO:

Acquisition DigiNotar

VASCO DigiNotar Statement

Comodogate:

Comodo Group – Wikipedia, the free encyclopedia

The Fate of New Acquisitions: Whither or Wither?

By Jeremy Wagstaff

I’m writing this on a Windows PC using a great piece of Microsoft software called Windows Live Writer. And that’s only part of the problem.

As you no doubt know, Microsoft have announced they bought Skype, the Internet telephony company, for $8.5 billion. You’ll have to look under a lot of stones to find someone who thinks this is a good deal for Microsoft. Skype made $20 million last year on revenue of $860 million, posting a net loss of $69 million because of interest expenses. In short, this is not a company about to fill Microsoft’s coffers with dosh.

Whenever a big company goes on a buying spree I reach for my gun and head for the hills. These things never end well. A few weeks back we heard about Cisco buying and then killing Flip, those great little pocket cameras so simple to use people actually use them. I used to keep a list of these acquisitions, because I naively used to think that a big company buying a smaller one was a happy ending. I’ve nearly always been proved wrong.

Yahoo bought a browser bookmarking service called delicious that they parked in a siding until eventually selling it, a few weeks back, to someone who actually seems to understand the product. In fact a fun game is to quiz Yahoo PR people about the state of their company’s lesser known products and count how many “I’ll have to get back to you on that one” responses. I’ll give you a head start: Ask about Konfabulator, a sort of desktop widgets program which was excellent, but has quietly withered on the Yahoo vine. The developer’s blog hasn’t been updated since 2007.

Yahoo are probably the most egregious offenders but everyone does it. Google bought Jaiku, a twitter-like service that was better than twitter, but have done precisely nothing with it. Nokia bought dopplr, a social networking service for people who travel, and have done precisely nothing with it. (Product blog hasn’t been updated since September 30 2009, two days after Nokia bought it.)

So why do it? Buying companies makes people money, somewhere in the chain. It disguises ineptitude, or it is what is called a defensive play: I’ll buy it so you can’t.

The Skype deal neatly illustrates that Microsoft’s problem is a simple one: It lacks direction. It doesn’t seem to know what it wants to do so it creates a new brand, a new product, a new division—often out of an old one. The product I’m writing this on is part of (frankly the only good part of) the Windows Live array of products—whatever that is; I’ve never quite figured that part out. (Type live.com into your browser and something different seems to happen each time; now it’s a sort of stream of consciousness page that’s more of a stew of Microsoft’s various offerings.) Windows Live Writer was part of a product Microsoft bought called Onfolio; it has survived, somehow, though few people seem to know about it outside a very narrow group of enthusiasts.

And here’s the rub. Microsoft has no idea what to do with all these products it spews out or inherits, so it forgets about them. Most of you know that Hotmail and Bing are Microsoft products. But how about Lync? Or Kin? Anyone remember Zune? And what is the difference between Windows Live and Windows Live Essentials, for example? Or Windows Messenger, Office Communicator, Windows Live Messenger and MSN Messenger? Or Sync Center, Live Mesh, SkyDrive, FolderShare and Live Sync?

No, I’m not sure either.

Go to Windowsmarketplace.com and you’ll be told that “Windows Marketplace has transitioned from an ecommerce site to a reference site.” Confused yet? Go to getpivot.com, the website of what was billed a year or so back as “the most ambitious thing to come out of Live Labs” and you’ll get directed to, er, bing.com. Live Labs itself was disbanded a few months later. Now old links to Live Labs go to bing.com, which was where those members of the team ended up that didn’t quit. Out of the 14 projects initiated by the lab counted on Wikipedia, all but five are dead. Of those, only a couple seemed to still have any life in them.

When a company diverts a link from one of its own press releases barely a year old to, effectively, nowhere, it’s a pretty good sign that’s where the vision has gone too. This was after all Microsoft’s big research team—at least the most exciting one (Microsoft spends about $9 billion per year on R&D, according to Jean-Louis Gassée, a French analyst.) Microsoft products seem to get lost in a labyrinth of confusing branding, branching and segmentation tunnels, confusing and demoralizing the user to the degree they throw up their hands and go buy a Mac.

Not I. I know about Microsoft products because I use them. A lot. And the more I use my Mac the more impressed I am with parts of Windows 7. The problems with the operating system could be fixed in an afternoon: Watch a couple of users try it out and then ask them what was missing. Build those bits into a new version, ditch the trash and you’re good to go. (Some clues: something like iPhoto but better than Photo Gallery for handling photos. Something like iMovie but not Movie Maker. Apple’s products all come pre-installed. Microsoft’s are a confusing, lengthy and intrusive download and reboot away. Oh, and something half way between Microsoft Word ($200 or thereabouts) and the freebie WordPad; Apple’s equivalent Pages costs $20. It’s not as good as Word, but it’s a 10th the price.)

So where is Skype going to fit into all this? Well, the problems start with Skype itself. Since eBay bought it in 2005 it has been something of an orphan, passed around with little idea of what its future might be. It wasn’t always thus. I drank the Kool-Aid back in 2005, and thought like others it was going to change the way we communicated and did business online. I joined the vision of a world where everyone from clairvoyants to business consultants (ok, that’s not such a wide swathe) would offer services over Skype. Audio, text, video, you name it.

That hasn’t happened. For most people it is just a way to avoid paying rip-off phone charges and do the odd video call. Everything else is marginal. The most recent Extra—the add-ons that were supposed to be part of this new Skype ecosystem–is dated January 2010 and that’s just an update on an old program. One guy I interviewed in 2005 had set up a network of 30,000 experts in 50 countries on a website called Jyve.com that was going to piggyback this new Skype-connected world. He’s nowhere to be found now and Jyve.com is an empty page.

eBay didn’t get it, of course, but that’s only part of the story. About a year ago I wrote a piece calling on Skype to realize that it was at heart the world’s most effective social network tool. I wrote:

If Skype dovetailed with Facebook, twitter and LinkedIn it could position itself at the heart of social media. After all, it’s probably the only application that most Internet users have installed, loaded and [have] active on their computer. Unlike Facebook et al, Skype is there, right in the moment. It’s the ultimate presence app.

Indeed, it’s much more like an instant Rolodex (remember those?) than all the other networking services we use. If I want to contact someone the first place I check is Skype—if they’re online, what’s the point of contacting them any other way?

In other words, Skype offers a granularity that other social networking tools don’t: Not only is it comfortable with one to all (the status update message), it’s also comfortable with the one to several (add people to a chat or call), it’s also great at instantly connecting one on one. You can even reach people offline via it, if they have call forwarding enabled, or you have their SMS details stored.

No other social network offers that.

Skype sits on every computer (and most smartphones.) By definition all the people the user is connected to are people he wants to actually communicate with—rather than just ‘friending’ or ‘connecting to’. It’s an easier way to share stuff—photos, files etc–and it’s now pretty easy to set up groups and stuff (In Afghanistan we used it as a way to share security updates; people could see the information in real time or catch up on messages when they got online. In Singapore I use it to talk to my students via teams and the whole class.)

Unfortunately Skype may have read my piece, or they may not. Either way, they half went down this road by trying to throw in lots of things that people didn’t need—including an annoying Firefox extension that turned every number on a webpage into a phone number, including bank accounts. Now Skype is so big and clunky it crashes on my Android phone and my Windows computer.

But in a perfect world Skype works. It’s simple. For many people it’s a telephone. For others it’s a presence indicator: I’m online, I’m not. My computer is connected to the internet (green button showing) or there’s a problem with the connection (grey downer button showing). For some people it’s become a very useful way to organize teleconferences (though don’t talk to my colleagues on an Indonesia project about this; they spend hours trying to get a connection going.)

Skype wasn’t first but it worked better than others, which is why everyone has a Skype account, and why asking for someone’s Skype ID is almost as natural as asking for their email address.

But unfortunately I’m not sanguine about a Microsoft/Skype future. Either they integrate the technology behind it into their other smorgasbord of products, in which case you wonder why they didn’t develop the technology themselves, or they leave it as it is. Either way it’s not good: While analysts have focused on how Skype might fit into Microsoft’s non-PC products like Kinect and Xbox, it’s hard to imagine that Microsoft won’t try to shoehorn Skype users into one of its misbegotten sub-brands, losing non-Windows users along the way.

Skype Messenger anyone? Live Skype? Skype Office? Skype Explorer? I shudder to think what will happen. I may be wrong—I’ve been plenty wrong about Skype before—but my fear is of a Skype that gets as clunky and overloaded as MSN Messenger, as bewildering as the Live family of products, as impossible to separate from other Microsoft products as Microsoft Word, as doomed as Outlook Express and anything from the Live Labs mob.

I do hope I’m wrong because of all the networks I have on my computer and cellphone, Skype is still the one I actually need. Skype: whither or wither?

Data, WikiLeaks and War

I’m not going to get into the rights and wrongs of the WikiLeaks thing. Nor am I going to look at the bigger implications for the balance of power between governed and governing, and between the U.S. and its allies and foes. Others have written much better than I can on these topics.

I want to look at what the cables tell us about the sorting, sifting and accessing of this information. In short, what does this tell us about how the world’s most powerful nation organized some of its most prized data?

To start with, I want to revisit a conversation I had sitting in the garden of a Kabul pub called the Gandermack a few weeks back when it struck me: the biggest problem facing NATO in winning the war in Afghanistan is data.

I was talking to a buff security guy—very buff, in fact, as my female companions kept remarking—who was what might have once been a rare breed, but are now in big demand in Afghanistan. He was a former marine (I think), but was also a computer guy with an anthropology or sociology degree under his black belt somewhere. This guy knew his stuff.

And he was telling the NATO forces where they were going wrong: data management.

The problem, he explained, is not that there isn’t enough of it. It’s that there’s too much of it, and it’s not being shared in a useful way. Connections are not being made. Soldiers are drowning in intelligence.

All the allied forces in Afghanistan have their own data systems. But, I was told, there’s no system to make sense of it. Nor is there one to share it. So data collected by a garrison from one country in one part of the country is not accessible by any of the other 48 nations.

On the surface it seems this problem was fixed. In the wake of 9/11 U.S. departments were told to stop being so secretive. Which is why we got to WikiLeaks–one guy apparently able to access millions of classified documents from pretty much every corner of the planet. If he could do it then so could thousands of other people. And, one would have to assume, so could more than a few people who weren’t supposed to have access. To give you an idea of the trove unearthed, WikiLeaks has released about 1,000 so far, meaning it’s going to take them nearly seven years to get all the cables out. Cable fatigue, anyone?

So, it would seem that the solution to the problem of not having enough pooled information is to just let anyone have it. But that, it turns out, isn’t enough. That’s because what we see from the WikiLeaks material is how old it looks.

I spent much of the early 1980s trawling through this kind of thing as a history student. Of course, they were all declassified documents going back to the 1950s, but the language was remarkably similar, the structure, the tone, the topics, the look and feel. A diplomatic cable in 2010 looks a lot like a cable from 50 years ago. In the meantime communication has gone from the telegraph to the fax to email to blogs to the iphone to twitter to Facebook.

This, to me, is the problem. It’s not that we’ve suddenly glimpsed inside another world: We would have seen a lot of this stuff at some point anyway, though it’s useful to see it earlier. Actually we can take some succour from the fact that diplomats seem to be doing a pretty good job of reporting on the countries they’re posted to. Journalists shouldn’t be surprised; we’ve relied on diplomats for a while. (And they might rightly feel somewhat aggrieved we now do this to them.)

No, the problem that WikiLeaks unearths is that the most powerful nation on earth doesn’t seem to have any better way of working with all this information than anyone else. Each cable has some header material—who it’s intended for, who it’s by, and when it was written. Then there’s a line called TAGS, which, in true U.S. bureaucratic style doesn’t actually mean tags but “Traffic Analysis by Geography and Subject”—a state department system to organize and manage the cables. Many are two letter country or regional tags—US, AF, PK etc—while others are four letter subject tags—from AADP for Automated Data Processing to PREL for external political relations, or SMIG for immigration related terms.

Of course there’s nothing wrong with this—the tag list is updated regularly (that last one seems to be in January 2008). You can filter a search by, say, a combination of countries, a subject tag and then what’s called a program tag, which always begins with K, such as KPAO for Public Affairs Office.

This is all very well, but it’s very dark ages. The trouble is, as my buff friend in the Kabul garden points out, there’s not much out there that’s better. A CIA or State Department analyst may use a computer to sift through the tags and other metadata, but that seems to be the only real difference between him and his Mum or Dad 50 years before.

My buff friend compared the political officer in today’s ISAF with a political officer (sometimes called an agent) back in the days of the British Raj. Back then the swashbuckling fella would ride a horse, sleep on the ground and know the Afghan hinterlands like the back of his hand, often riding alone, sipping tea with local chieftains to collect intelligence and use it to effect change (in this case meaning extend the already bulging British sphere of influence.) He would know the ins and outs of local tribal rivalries, who hated whom, etc. All of it stored in his head or in little notebooks.

His modern equivalent may actually have the same information, but it’ll be gleaned from the occasional photo opportunity, a squillion intelligence reports, all suitably tagged, and perhaps footage from a couple of drones. If the chieftain he’s interested in coopting straddles a regional command, chances are that he won’t be able to access anyone else’s information on him–assuming they have any.

In short, the problem in the military and diplomatic world is the same we’re facing in the open world. We have a lot more information than we can use—or keep track of—and it’s not necessarily making us any smarter. Computers haven’t helped us understand stuff better—they’ve just helped us collect, share, and lose more of it.

I must confess I’ve not made much progress on this myself. My main contribution is persuading a researcher friend to use a program called PersonalBrain, which helps you to join the dots between people, things, organisations, whatever you’re trying to figure out. It’s all manual though, which puts people off: What you mean I have to make the connections myself? Well, yes. Computers aren’t magic.

Yet. It’s clear to me that 10 years down the track, I hope, we’ll finally get that writing in prose, and then adding a hierarchy of labels to a document, is no longer the way to go. Instead, we’ll be writing into live forms that make connections as we write, annotate on the fly, draw spindly threads to other parts of our text, and make everything come to life. I will be able to pull into the document visuals, audio, other people, old records, chronologies, maps, and work with the data in three dimensions.

If this sounds familiar, it’s probably because it sounds like science fiction, something like Minority Report. But it’s not; it’s a glimpse inside the mind of our imperial political agent; how he would make those connections because they were all in his head—neurons firing transmitters, axons alive, binding synapses.

If I were the U.S. government, I would take Cablegate as a wake-up call. Not at the effrontery of this humiliation, but as a chance to rethink how its data is being gathered and made use of. Cablegate tells us that the world of the cable is over.

Phone as Beacon

The idea that your cellphone may become a beacon of your availability took one small step closer yesterday, although you’d be forgiven for not noticing amid all the post-turkey bloat.

The theory is this. Cellphones have gotten smarter, but they still miss one vital ingredient that computer users have had for years: presence. Anyone using an instant messenger, from ICQ to Skype, will know that they can indicate to their buddies, colleagues and family whether they’re at their computer, in a meeting, dead, or whatever.

I’m not available. Leave a message

This is useful information: It’s a bit like knowing whether someone is at home before you phone them. But this only works if the computer is on, connected to the Internet and the user has the software installed and sets their ‘presence’ accordingly.

Think how much more powerful this concept would be if you carried it with you: if your cellphone could transmit to friends, colleagues and family whether you were available — and even where you were. This is not that hard to do, via the same instant messaging programs that now operate only on your PC. This is the vision of companies like instant messaging developer Followap, bought yesterday by a company called NeuStar, which handles a lot of cellphone number traffic via its directory services. (Followap press release here.)

The problem remains twofold: how to get all the instant messaging users onto their cellphone, and how to make these services work with each other, or interoperate. After a decade of these services, few still allow a message sent from one service to reach another. NeuStar, according to Frost & Sullivan analyst Gerry Purdy, has been developing the standards for mobile instant messaging, or Mobile IM, not just in terms of Session Internet Protocol (which sets up the communication between two users) but also for interoperability and directory standards.

Clearly NeuStar, positioned at the hub of cellphone traffic, are well placed to see the potential of Mobile IM and to act on it. Followap have the software and the ears of some cellular operators. I should have spotted that both companies occupied booths next to each other at Singapore’s recent 3GSM Asia confab, and were busy singing each other’s praises. (I wrote something about Followap in my weekly column earlier this month, tho subscription only, I’m afraid.)

Of course, it’s going to be a long march to persuade the big players like Yahoo!, AOL and Microsoft to share their IM traffic with each other (something they’ve not yet managed to do on the PC) but also with cellular operators, but something like that needs to happen if Mobile IM is going to take off. Says Mr. Purdy in his most recent note (sorry, can’t find this online): “And, maybe – just maybe – the NeuStar-Followap combination will lead to the Holy Grail in messaging – where all portal users and wireless subscribers will be able to freely IM each other. That would be huge.”

It would be huge, but don’t underestimate the power of SMS. Gerry sees SMS as having inherent limitations — 160 characters only, lack of message threading — but these aren’t necessarily downsides. The character limit has never been considered a real burden for most users, who either enjoy the brevity or else can simply send a longer message and have it split. As for message threading, this is a simple software problem that is being fixed in many phones. Mobile IM will only really take off if it is cheaper than SMS and includes powerful features that extend the use of the phone to a device to signal one’s availability, or presence.

For me the best thing about the Followap demo I received was that by switching your phone to silent your buddy list presence was automatically switched to ‘Do not Disturb.’ Immediately, all your buddies/colleagues/family know you’re not available without you having to do anything. Now, that’s a glimpse of the future.


The Commuter’s Shopping Impulse

A good piece that explores the point I was trying to make earlier about the commuter element in cellphone service adoption, from Reuters’ Sachi Izumi (via textually.org).

Someone needs to look closely at the link between flat fee pricing for mobile browsing and m-commerce (yeah I don’t like calling it that either, but it’s there to differentiate between buying online and buying on the mobile. I’m sure the distinction will blur eventually). Japan’s burst in mobile commerce ahead of the rest of the world is impressive, and it’s all to do with people being stuck with their phones for company for long periods. Jun Hasebe, an analyst at Daiwa Institute of Research: “Impulse shopping accounts for most of the purchases done on mobile phones, and that would not usually happen unless users are on flat fee-based services.” Phones, in a word, have become more like our friends than our friends are.

The only thing holding this back? Fear of fraud. Most people don’t like punching their credit card numbers into their phones, although this may have as much to do with where they are (public places, public transport) as it does with actual fraud. One reason I think facial recognition as authentication will play a big role.

From the Ashes of Blue Frog

The Blue Frog may be no more, but the vigilantes are. Seems that despite the death of Blue Security in the face of a spammer’s wrath, the service has built an appetite for fighting back. Eric B. Parizo of SearchSecurity.com reports on a new independent group called Okopipi who intend “to pick up where Blue Security left off by creating an open source, peer-to-peer software program that automatically sends ‘unsubscribe’ messages to spammers and/or reports them to the proper authorities.”

Okopipi has already merged with a similar effort known as Black Frog and has recruited about 160 independent programmers, who are dissecting the open source code from Blue Security’s Blue Frog product. The idea seems to be the same: by automatically sending opt-out requests to Web sites referenced in received spam messages, the software aims to over-burden the spammer’s servers (or those of the product he’s advertising), as both a deterrent and an incentive to register with Okopipi. By registering he can cleanse his spam list of Okopipi members.

Some tweaks seem to be under consideration: Processing will take place on users’ machines and then on a set of servers which will be hidden to try to prevent the kind of denial-of-service attack that brought down Blue Frog.

Possible problems: I noticed that some of the half million (quite a feat, when you think about it) Blue Frog users were quite, shall we say, passionate about the endeavour. These are the kind of folk now switching to Okopipi. This, then, could become an all-out war in which a lot of innocent bystanders get burned. The Internet is a holistic thing; if Denial of Service attacks proliferate, it may affect the speed and accessibility of a lot of other parts of it, as the Blue Frog experience revealed. (TypePad was inaccessible for several hours.)

Another worry: Richi Jennings, an analyst with San Francisco-based Ferris Research, points out on Eric’s piece that project organizers must ensure that spammers don’t infiltrate the effort and plant backdoor programs within the software. “If I’m going to download the Black Frog application,” Jennings said, “I want to be sure that the spammers aren’t inserting code into it to use my machine as a zombie.” I guess this would happen if spammers signed up for the service and then fiddled with the P2P distributed Black Frog program.

Another problem, pointed out by Martin McKeay, a security professional based in Santa Rosa, Calif., is that spammers will quickly figure out that the weak link in all this is that it rests on the idea of a legitimate link in the email for unsubscribing, and that spammers will just include a false link in there. Actually I thought the link Blue Frog used wasn’t unsubscribe (which is usually fake, since if it weren’t it would pull the spammer back within the law) but the purchase link. How, otherwise, would folks be able to buy their Viagra?

One element I’d like to understand better is the other weakness in the Blue Frog system: That however the process is encrypted, spammers can easily see who are members of the antispam group by comparing their email lists before and after running it through the Blue Frog/Black Frog list. Any member who is on the spammer’s list will now be vulnerable to the kind of mass email attack that Blue Frog’s destroyer launched. How is Okopipi going to solve that one?

Russia Gets Serious About Its Virus Writers?

Is Russia finally getting serious about its virus writers?

Kaspersky Labs and F-Secure, two anti-virus manufacturers, report that Evgenii Suchkov (or Eugene Suchkov, sometimes known as Whale or Cityhawk) has been found guilty of writing two viruses, Stepar and Gastropod. Suchkov was sentenced in the Russian republic of Udmurtia, and while he was only fined 3,000 rubles ($100) — a sentence which has attracted some derision — Kaspersky’s analyst reckons now “Russian virus writers know that they are not always going to be able to hide from the law. And the world knows that Russia is doing something about virus writing”.

Suchkov, it appears, is no small fish. He’s believed to be a member of 29A, a notorious virus writing group, according to Kaspersky, which also believes he’s a member of the HangUp Team, a group I’ve tried to look more carefully at for their alleged role in phishing. Interestingly, a Czech member of 29A was recently recruited by a Czech software company, a move which has ignited some controversy, not least because it would appear to make virus writing a good way to prepare a CV for more legitimate work.

I tend to agree that hiring these guys might not be the best idea. Beyond the moral hazard issue — why should virus writers care about getting caught if they know it will lead to a job anyway? — there’s the issue of where this guy’s loyalties may lie. Is he going to try to stop his old buddies from doing their thing? Or track them down? And even if he did want to do good work for his new employer, he’s going to be a marked man for his former buddies who, it’s believed, have active links to the Russian mafia.

The point to remember is that virus writing is now an industry, or sub-industry, of the criminal underworld. So no longer could one argue that these guys are just lonely geeks trying to get some attention. They do what they do for money, which means a virus, worm or trojan is a piece of code designed to do something specific. It’s probably done to order. If one of these virus writers is now working for the other side, I would hope his new employers take a good hard look at his motives: If he’s a good virus writer he could probably command significant amounts of money. Is he going to say goodbye to all that?

Finally, Mikko Hypponen of F-Secure suggests that there may also be traffic the other way. “F-Secure also has evidence which suggest that spammers have successfully recruited anti-spam software developers to their side,” Hypponen says in a recent email. He points out that “spammers make money from their efforts; that’s why they can actually afford to invest in making their attacks better.” Anti-spammers going to the dark side? There must still be good money in it somewhere. I’ll try to find out more.

Is It Back To Basics For The PDA?

What do you want in a PDA? The Register carries a story that seems to belie the conventional wisdom that folk want everything in one device. It quotes Jupiter Research as saying that vendors are getting it wrong by focusing on the high-end, convergent devices, when actually they should be looking at the low-end, just-give-me-the-basics market. “The adoption of portable devices increases as their size and complexity of use decreases,” the Jupiter report says.

But on closer inspection the report’s not just saying that folk want a basic PDA. It’s saying that basic PDAs will remain the core of sales, but will gradually be taken over by phones that offer those same functions. This is the market’s “sweet spot for handhelds”, it says, where units offer voice (read telephone), personal information management, or a combination of the two, ditching other integrated functions. By other integrated functions it means game play, playing music, that kind of stuff.

The figures seem to back this up: They show pretty low — 7% — penetration of the U.S. market. Jupiter forecasts that the U.S. installed base of handheld PDAs will number just over 14 million at the end of 2003 and will only grow to 20 million by 2008.

I think on the whole they’re probably right. Extra bits and pieces just tend to make things go wrong, and if the machine goes wrong, and you have to send it off for repairs, you’re stumped. On the other hand, no mention is made of cameras, an area where I do think both PDAs and phones are going to see strong growth (see my column in FEER — subscription required). But I also believe there are other add-ons which are useful: Good voice recording — not just short memos, but a proper voice recorder that can store several hours of conversation — is useful for your modern thrusting exec (or journalist like moi).

Still, I think Jupiter have a point. Most folk I know just want something they can store their stuff on, and maybe check email in the office. Bluetooth, Wi-Fi etc: They’re all nice to have, but let’s face it, most people won’t use them. And given that ordinary PDAs are getting cheaper by the minute — fellow Jupiter analyst Avi Greenhart recently spotted the Palm basic Zire model for $43 at Best Buy — why bother going for the high-end stuff?