Tag Archives: head

Singapore Details ‘Waves’ of Cyberattacks

Officials and delegates from APEC economies were targeted ahead of last year’s Singapore meeting with malware-laden emails faked so they appeared to have been sent by Singapore government officials on the Organising Committee.

Singapore officials have said the attacks were not the first on the country. Although Singapore regularly highlights threats to national security—including Islamic terrorism—the admission that it has been the victim of cyber attacks is, according to the Straits Times, its most detailed account.

Although it’s hard to read too much into the statements made to judge who may have been behind the attacks, it’s interesting that Singapore is drawing attention to this—not least because there’s bound to be speculation about just this point. The current flood of WikiLeaks cables about this very issue is a coincidence. But the description of the attacks fits a pattern familiar to security experts:

Between September and November 2009, APEC officials and delegates of several APEC economies were targeted with Trojan-laden emails “with the aim of infiltrating their computers and extracting privileged information.” There were at least seven waves of such attacks, focusing on members of the APEC organising committee and APEC delegates whose email addresses were published on websites or in APEC mailing lists. (APEC, Asia-Pacific Economic Cooperation, is a forum for 21 regional economies set up in 1989. Singapore hosted meetings throughout 2009 culminating in a leaders’ meeting in Singapore from November 14-15.)

The attacks were first mentioned in a speech by Ho Peng Kee, Senior Minister Of State For Law & Home Affairs, who told a seminar on Sept 28 that “Singapore has its fair share of cyber attacks.” More details were added in an internal but publicly accessible Ministry of Home Affairs magazine, the Home Team Journal, by Loh Phin Juay, head of the Singapore Infocomm Technology Security Authority, and were reported in the Straits Times on Saturday, December 4. (The Straits Times called the perpetrators “cyberterrorists”.)

Loh wrote in the magazine article that “between 2004 and 2005, the Singapore government saw waves of Trojan email attacks which were commonly referred to as the Trojan Riler attacks.” The attacks came in four waves over a span of two years, he said, in the form of more than 900 emails targeting officials in several ministries.  

Loh Phin Juay said that the first two waves in the 2009 attacks used PowerPoint and PDF attachments to emails purportedly warning about possible terrorist attacks on the meeting. A subsequent wave included “legitimate information relevant to the APEC 2009 meetings”—in this case an invitation to an actual APEC symposium.

Some of the malicious emails “contained details of actual APEC events (date, time, venue) not known to the general public.” This suggests to me that either the first wave was successful in gaining access to some sensitive information, or, less likely, that those perpetrating the attack were already privy to it (raising the question of why they didn’t use that information in the first wave). Both officials said no significant disruption was caused by the APEC attack.

Singapore last year set up a special body, the Singapore Infocomm Technology Security Authority (SITSA), “to safeguard Singapore against infocomm technology (IT) security threats. SITSA will be the national specialist authority overseeing operational IT security. SITSA’s mission is to secure Singapore’s IT environment, especially vis-à-vis external threats to national security such as cyber-terrorism and cyber-espionage.”

Neither official speculates about the origin of the attacks. In his speech Ho Peng Kee referred separately to Operation Aurora, a cyber attack from mid 2009 to December 2009 on dozens of Western companies including Google, which alleged the attacks began in China. Loh Phin Juay referred in his article to GhostNet, a cyber espionage network which had its command and control network based in China and which penetrated government and embassy computers in a number of countries, including some in Southeast Asia. (Singapore was not mentioned in reports of the compromised computers.)

But he writes that “to date, the perpetrators of GhostNet remain unknown,” and neither man links the Singapore attacks to either event. The Trojan Riler was, according to Symantec, first discovered on September 8, 2004; it has been associated with corporate espionage but also the GhostNet attacks.

Stuck on Stuxnet

By Jeremy Wagstaff (this is my weekly Loose Wire Service column for newspaper syndication)

We’ve reached one of those moments that I like: When we’ll look back at the time before and wonder how we were so naive about everything. In this case, we’ll think about when we thought computer viruses were just things that messed up, well, computers.

Henceforward, with every mechanical screw-up, every piston that fails, every pump that gives out, any sign of smoke, we’ll be asking ourselves: was that a virus?

I’m talking, of course, about the Stuxnet worm. It’s a piece of computer code–about the size of half an average MP3 file–which many believe is designed to take out Iran’s nuclear program. Some think it may already have done so.

What’s got everyone in a tizzy is that this sort of thing was considered a bit too James Bond to actually be possible. Sure, there are stories. Like the one about how the U.S. infected some software that controlled a Siberian pipeline so it exploded in 1982 and brought down the whole Soviet Union. No-one’s actually sure that this happened–after all, who’s going to hear a pipeline blow up in the middle of Siberia in the early 1980s?–but that hasn’t stopped it becoming one of those stories you know are too good not to be true.

And then there’s the story about how Saddam Hussein’s phone network was disabled by US commandos in January 1991 armed with a software virus, some night vision goggles and a French dot matrix printer. It’s not necessarily that these things didn’t happen–it’s just that we heard about them so long after the fact that we’re perhaps a little suspicious about why we’re being told them now.

But Stuxnet is happening now. And it seems, if all the security boffins are to be believed, to open up a scary vista of a future when one piece of software can become a laser-guided missile pointed right at the heart of a very, very specific target. Which needn’t be a computer at all, but a piece of heavy machinery. Like, say, a uranium enrichment plant.

Stuxnet is at its heart just like any other computer virus. It runs on Windows. You can infect a computer by one of those USB flash drive thingies, or through a network if it finds a weak password.

But it does a lot more than that. It’s on the lookout for machinery to infect—specifically, a Siemens Simatic Step 7 factory system. This system runs a version of Microsoft Windows, and is where the code that runs the programmable logic controllers (PLCs) is put together. Once they’re compiled, these PLCs are uploaded to the computer that controls the machinery. Stuxnet, from what people can figure out, fiddles around with this code within the Siemens computer, tweaking it as it goes to and comes back from the PLC itself.

This is the thing: No one has seen this kind of thing before. Of course, we’ve heard stories. Only last month it was reported that the 2008 crash of a Spanish passenger jet, killing 154 people, may have been caused by a virus.

But this Stuxnet thing seems to be on a whole new level. It seems to be very deliberately targeted at one factory, and would make complex modifications to the system. It uses at least four different weaknesses in Windows to burrow its way inside, and installs its own software drivers—something that shouldn’t happen because drivers are supposed to be certified.

And it’s happening in real time. Computers are infected in Indonesia, India, Iran and now China. Boffins are studying it and may well be studying it for years to come. And it may have already done what it’s supposed to have done; we may never know. One of the key vulnerabilities the Trojan used was first publicized in April 2009 in an obscure Polish hacker’s magazine. The number of operating centrifuges in Iran’s main nuclear enrichment program at Natanz was reduced significantly a few months later; the head of Iran’s Atomic Energy Organization resigned in late June 2009.

All this is guesswork and very smoke and mirrors: Israel, perhaps inevitably, has been blamed by some. After all, it has its own cyber warfare division called Unit 8200, and is known to have been interested, like the U.S., in stopping Iran from developing any nuclear capability. And researchers have found supposed connections inside the code: the word myrtle, for example, which may or may not refer to the Book of Esther, which tells of a Persian plot against the Jews, and the string 19790509, which may or may not be a nod to Habib Elghanian, a Jewish-Iranian businessman who was accused of spying for Israel and was executed in Iran on May 9, 1979.

Frankly, who knows?

The point with all this is that we’re entering uncharted territory. It may all be a storm in a teacup, but it probably isn’t. Behind all this is a team of hackers who not only really know what they’re doing, but know what they want to do. And that is to move computer viruses out of our computers and into machinery. As Sam Curry from security company RSA puts it:

This is, in effect, an IT exploit targeted at a vital system that is not an IT system.

That, if nothing else, is reason enough to look nostalgically back on the days when we didn’t wonder whether the machinery we entrusted ourselves to was infected.

SideWiki’s Wish Fulfilment

A piece in today’s Guardian attracted my attention–“SideWiki Changes Everything”—as I thought, perhaps, it might shed new light on Google’s browser sidebar that allows anyone to add comments to a website whether or not the website owner wants them to. The piece calls the evolution of SideWiki a “seminal moment”.

The column itself, however, is disappointing, given that SideWiki has been out six weeks already:

Few people in PR, it seems, have considered the way that SideWiki will change the lives of beleaguered PR folk. In time, this tool will significantly change the way brands strategise, think and exist. SideWiki is going to challenge PR by providing the masses with the tool for the ultimate expression of people power, something uncontainable that will need constant monitoring.

The author, one Mark Borkowski, offers no examples of this happening, so the piece is very much speculation. In fact, I’d argue that SideWiki has been something of a damp squib:

image

A, by the way, marks the launch, so the interest fell off dramatically almost immediately.

So who is right? I can find very little evidence that people are using SideWiki in the way that Borkowski suggests. A look at 10 top U.S. companies (not the top 10, but a cross section) indicates that only one company has ‘claimed’ its SideWiki page, and that few users, so far, have made use of SideWiki to express their views about the company:

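| Company | Entries | Claimed | Comments |
|---|---|---|---|
| Walmart | 2 | No | Even |
| Exxon Mobil | 0 | No | |
| Chevron | 0 | No | |
| GM | 0 | No | |
| Apple | 20+ | No | Even |
| Monsanto | 0 | No | |
| Starbucks | 0 | No | |
| White House | 2 (blog posts) | No | |
| Blackberry | 2 | Yes | Even |
| Microsoft | 20+ | No | Negative |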

Now I’m not saying that SideWiki isn’t going to be an important way for people to get around websites’ absence of comment boxes or lack of contact information. I’d love it if that was the case. I’m just saying there’s very little evidence of it so far, so to argue that is premature at best, and poor journalism at worst.

And here’s the rub. Mark Borkowski is not a journalist. He doesn’t claim to be; he’s a PR guy. But how would you know that? The Guardian page on which his comment sits does not clearly indicate that; indeed, the format is exactly the same as for its journalist contributors:

image

Only at the bottom does one find out that he “is founder and head of Borkowski PR.”

image

I have no problem with PR guys writing comment pieces for my favorite newspaper. I just want to know that is who they are before I start reading. (I can hear the argument being made that Borkowski is a well-known name in the UK, so this shouldn’t be necessary. But that doesn’t hold water. The affiliation of all writers should be clearly indicated.)

The problem? Anyone who is not a journalist—and many who are–has an interest, and that interest should be clearly declared. In Borkowski’s case, he works in PR, and is clearly suggesting that PR agencies need to work harder in this space:

The social media world encloses our personal and professional actions – the only answer for PR folk is to take a more active role in being brand custodians, representing a higher degree of brand and reputation management.

In other words, he’s indirectly touting for business. Once again, nothing wrong with that if the piece is clearly tagged as an opinion piece—which it may be, in the print version. But here, online, there’s no such indication.

Of course, one should also check that the writer does not have a financial or business interest in the product and company being written about, in this case Google. I can find none on his website, but that I have to check—that it’s not clearly flagged on the piece itself—is not something I or other readers should have to do.

Bottom line? The Guardian isn’t alone in this. The Wall Street Journal does it too. But I don’t think it helps these great brands to, wittingly or unwittingly, dismantle the Chinese Walls between content by its own reporters and those outsiders who, however smart and objective they are, have interests that readers need to know about.

SideWiki changes everything | Mark Borkowski | Media | The Guardian

The Cup Final, the Uplifting Video and the iPod

image

Hang on, let me check my iPod first

Technology, however small, can be the difference between winning a cup final and losing it.

Manchester United faced Tottenham Hotspur in the Carling Cup Final on Sunday, and it’s instructive how video technology was, in a way, the difference between the two sides.

After no goals in 120 minutes, there was nothing between the sides, and it came down to a penalty shoot-out. (Each side takes five.)

Now I’m a Tottenham fan, if that means anything to you, so this is painful to relate, but it’s striking.

The Spurs manager, old school Harry Redknapp, had got his staff to put together a six-minute video of Spurs’ previous cup final victories. “It involves some of the Spurs teams over the years winning cups and how great it was,” he told the BBC. “We will show that with a bit of music to it and show how this particular team has scored some of the goals on the way to the final.”

Nice, and uplifting, I’m sure.

The Manchester United backroom fellas had spent their time differently: collecting recordings of the Spurs players taking penalties. What they do, which side they put the ball, whether they hit it hard or place it. This in itself isn’t that unusual, but here’s the key bit:

No one knows in advance who is going to be taking those five penalties. It depends on a lot of factors—who has been substituted, and by whom, who is tired, injured, or just doesn’t want to take the responsibility. So it would be tricky for a goalkeeper to store in his head for 120 minutes or more all the vagaries of the other team’s players.

So the backroom boys stored the videos on an iPod (video or Touch, I don’t know) and showed it to the goalkeeper just before the shoot-out. Ben Foster is quoted as telling The Guardian:

“I did a bit of research for the penalties,” said the 25-year-old. “We tried to find out everything we could about Spurs beforehand and, just before the shoot-out, I was looking at a video on an iPod with Eric Steele, our goalkeeping coach, and Edwin [Van der Sar].

It’s not an amazing use of technology—there’s a lot of it used in soccer, as with any sport, these days—but it proved to be Spurs’ undoing. Foster emerged the hero of the shoot-out, diving to his left to parry away the first Tottenham penalty by Jamie O’Hara. Foster relates:

It’s a new innovation he’s brought in since coming to the club and on it were some of Tottenham’s penalties, including one from O’Hara. I was told that, if he was taking one, to stay as big as I can.

The lesson to me is a simple one that every organisation seems to miss: Technology is not always the big stuff. It’s the Hinge Factor.

In this case it was the difference between one guy using it in a very non-specific way—splicing together a few clips of past glories to lift the lads—and another very specific way: anticipating the possibility of the game going to penalties, gathering videos of all possible penalty takers and then—most important—making sure they’re in a format that can be accessed on the pitch at the crucial moment.

Put this in a company or organisational environment, and it’s the standard vs the unconventional. The corporate promotional video commissioned for millions of dollars vs a personalised twitter feed put together by one sparky individual in their lunch break. It’s the glitzy press launch with silly goody bags vs a blog. It’s the expensive software development project vs an open source content management system put together for peanuts and endlessly adaptable.

In organisations I’ve worked with or in, I notice that technology is always pushed into the background, usually literally: The tech guys have a cubby hole at the back, with cables and spare parts, being summoned to fix things but never to innovate. I’ve never heard their opinions being sought, and I’ve rarely seen non-technical people try to build bridges with them to try to marry technology with innovative ideas.

The result is that these moments of competitive advantage wrought by small but crucial deployments of technology are rare.

In this case it’s just one guy with an iPod that made the difference. Go figure.

Photo credit: Guardian/Matthew Peters/Manchester United/Getty Images

Watching TV With The Community


Been watching the veep debates on Livestation, which has an interesting feature: a live chat connected to the program with some LiveStation folks guiding the discussion.

It works pretty well: It’s great to be able to watch TV with a bunch of other people, though I had one eye on that chat, and one eye on some Skype, Google Talk, twitter, Facebook and FriendFeed chat windows too.

This makes all sorts of sense, and I commend Livestation for doing this kind of thing. The IRC format is a bit old school; it would be nice to see something beyond the noisy chat format. Or, even better, being able to drag our other communities into the window to watch together.

But that’s down the road. This is a good way to share information—live and visual—and I think this is an exciting way forward.

Update: Livestation points out that the chat is directly connected to Al Jazeera via Russell Merryman, Head of New Media, who was feeding comments through to the studio to guide the post-debate discussion.

The Gecko in the Machine

(This is the text of my weekly Loose Wire Service column, syndicated to newspapers like The Jakarta Post. If you’re an editor interested in subscribing to the service, drop me a line. Regular readers of the blog, meanwhile, will be familiar with some of the themes here)


I found myself reading the words of one Timo Veikkola one morning.

Frankly, before then I did not know that Timo existed, although I do know of his colleague at Nokia, Jan Chipchase. Not only do these men have far more interesting names than I, they also have far more interesting jobs: peering into the way we use technology and how we might use it in the future.

But this column isn’t about them. It’s about you and your computer. Timo and Jan made me realize that often we focus on the minutiae of computing, as if that’s where the whole thing stops.

It’s as if we’re car owners who blame the car for our being stuck in traffic. It’s worth remembering that if we are not happy with our computers, it’s not all the computer’s fault.

First off, I can understand why you’re frustrated. Computers don’t work very well (though a lot of Mac users, and even Windows Vista users, convince themselves that their particular computers do). The truth is they don’t, because computers don’t help us think better.

They are merely tools, when they should be more than that. They help us send e-mails. They help us download and listen to music. They help us draft long resignation letters we never send. They help us crunch numbers.

All of this would make the early developers of the computer initially excited (“All that computing power in the head of a pin! Back in my day we had to make do with the computing power of a toilet brush in a box the size of Angkor Wat”). They were also, quickly, disappointed (“So everyone has these computers in their homes, bags and hands, and they do WHAT with them?”).

But it needn’t be like that. Computers can be used for good stuff. Here’s how:

* Collecting stuff: Computer hard drives are big enough now for you not to worry about storing stuff (unless you take 5,000 videos and photos a day, in which case you may want to consider an external hard drive or six.)

The trick about collecting stuff — whether it’s words, pictures or audio — is to organize it. After all, you want to find it again quickly. So, if you’re not a Mac user (who has Spotlight) install Google Desktop, which will index your hard drive and let you find stuff as easily as if it were on the Web.

But that shouldn’t be an alternative to organizing your stuff. Each batch of photos you store on your computer should have its own folder, usually organized by date (a format like 20070722, for today’s date, is best).

If you’re saving information you find on the web, save it to one place. I use something called MyInfo, an outlining program that includes a button you can install in your Firefox browser, which makes it very easy to save anything you read online.

* Brainstorming: there are some great tools out there to help you brainstorm, but in my view the best are those that bring mind mapping to the computer. (A mind map is a drawing where the central idea is put at the center of the piece of paper, and other ideas are added to it, floating off like branches.)

If you’ve not done mind maps I recommend them; if you’re a big computer user then it makes sense to do them on your computer. (Mindjet’s MindManager works on both Macs and Windows; for Mac users there’s also NovaMind, which looks promising.)

* Think stuff up: The computer won’t think for you, but it will do the next best thing — help you recall things you forgot. You’re probably aware of the fact that however smart you are you won’t be able to remember what you went into the kitchen to get. Most of what we do, read, hear and say is forgotten within minutes. This is where the computer can help.

But whereas it’s great about storing stuff, it’s not good at recalling things that we don’t know we knew. Search is great if we know what we’re looking for, but for that tip-of-the-tongue stuff I’d recommend something else: PersonalBrain.

PersonalBrain is a program that I have bored my friends with for several months now — it works on Mac, Linux and Windows, and has a free version available.

It looks odd, and will take some getting used to, but think of it as a place to throw everything you know into. You add “thoughts” and then you link those thoughts to other thoughts: The more the merrier.

For Timo Veikkola (the Nokia guy) I added a thought called “Timo’s predictions” and “Timo’s ideas”. To the latter I added all the ideas I liked, including one “travel is the best stimulant”.

This is something I know but I keep forgetting. So I linked that to another thought I had elsewhere in my PersonalBrain called “Guiding principles”.

Already linked to that thought were a bunch of ideas I had added (and promptly forgotten about) which, together, form a philosophy of sorts (if you call “Don’t write columns like this before your morning coffee because they won’t make any sense” a philosophy.)

Put simply, the brain works not by hierarchy, but by connections. We watch a movie and it reminds us we haven’t sent a letter to Auntie Marge. We find a website we like but it looks vaguely familiar: We don’t realize we actually visited the same website two days ago. We are looking for a friend in Nongkhai but can’t think of anybody, forgetting that Bob used to work there five years ago.

PersonalBrain helps you add this data when it first hits you and, more importantly, map its connections to other things so that you can find them again when you need them. When I add my friend Bob to my PersonalBrain, for example, I can link him not only to my other friends, but also to the places he’s worked at, the places he’s lived in — anything that may increase the chances of his name popping up when I might need him, but when I might not have thought of it.

PersonalBrain is the kind of software that makes you realize a) You spend way too much time using your computer to watch YouTube videos; and b) Your brain may be big, but you can’t remember anything that happened more than 30 seconds ago.

So, grumble as much as you like about your computer and what pain it causes you. But then set your sights higher and turn it into something that really complements you and the way you do things.

The Humiliation Of Being An Editor

Grammar, words and spelling are humiliating. I used to be good at this kind of thing in school, but going back to editing reminds me how shaky are the foundations of one’s knowledge. Where do commas go when you use quotation marks? Is ‘none’ singular or plural? Is ‘willpower’ one word or two? These are all questions that came up recently, and oftentimes the answer is not what I expected. I console myself that these differences are the little cracks between American and British English, but I think I’m fooling myself.

I only recently realised, for example, that I’ve always been saying ‘esconced’ for some reason. Only yesterday did I find out it should be ‘ensconced’, as I’m sure you all know. (Well, maybe not all of you: There are more than 5,000 sites where the word ‘esconced’ is used. But you’re right to laugh at me.)

This doesn’t stop me having my bugbears. I once nearly got myself fired for suggesting to his face that the then head of the multinational news organisation I was working for was using the word ‘enervated’ incorrectly, and that it meant the opposite of how it sounded. (It means ‘lacking energy’.)

Then I noticed a couple of newspapers recently have misspelled ‘loath’ as ‘loathe’. Loathe is the verb, loath is the adjective. I am loath to point such a thing out, but loathe it when I see the words misused.

I must stop being an editor. Two things happen: You quickly turn into a pedant, while at the same time realising that you knew far less about the English language than you thought you did.

Terror And The Hole In Our Mindset

It’s amazing how hard it is to let go of a security mindset when you’ve been living in a place where bombs are (of late) a fact of life. In Hong Kong these things don’t seem to matter so much, so when I was standing at the ATM machine in a subway station today it was only me who was mildly freaked out by a sizeable cardboard box unattended nearby.

By the time I had got to the head of the line it was a good five minutes, still no sign of anyone claiming it, or even caring about it. So I called the security guys over an intercom in the wall, and, to their credit, they sent someone down. But I don’t think they get many calls like this. The security guy, friendly but not in the prime of life, was just about to lift it up — and I about to stop him — when he had second thoughts and walkie-talkied for back-up first. I didn’t want to make him nervous by hanging around to see how he finished his job, but I’m not convinced they called in the sniffer dogs.

Some places are more aware of this kind of thing than others. Australians seem to be, as do Europeans and Americans. Japan, too, I guess. And most of Southeast Asia. But Hong Kong doesn’t seem to consider itself a target, which I suppose will remain true until something happens.

The Grim Reality Of The Phishers

Good piece in this month’s US Banker magazine on phishing. Some tidbits:

Phishing is getting more and more sophisticated. I’ve detailed some of those tricks in this blog, but here’s one I hadn’t heard of:

Crooks [the unfortunately named Ted Crooks, vp of identity protection solutions at Fair Isaac] says that “the level of cleverness is disturbing.” He notes how in one phishing scheme, phishers sent out an e-mail that requested sensitive information and to prove to customers the request was legitimate included two numbers the phishers said were the last two digits of each customer’s account number. As Crooks points out, a random two-digit combination has a one in 100 chance of being right, so if a phisher sent such an e-mail to one million users, 10,000 people’s accounts will match those two numbers.

Another thing regular readers will know is the sometimes absurd figure attached to losses associated with phishing:

TowerGroup estimates that direct fraud losses attributable to phishing will top $137.1 million globally in 2004, a figure far below widely cited levels of $1 billion and just a fraction of the total fraud at banks.

But I guess what is worrying is that phishers will start to target those smaller institutions that don’t have the clout to do much about it:

TowerGroup predicts the number of phishing attacks will top 31,300 in 2004 and rise to more than 86,000 by 2005 as they spread to smaller institutions, new merchant/service-provider categories, and new global markets.

Then there’s the need for banks to do more. Consumers don’t believe they are doing so, and I sometimes wonder whether the reason that banks give for not introducing more complicated and multi-layered log-in processes — that users don’t like it — is just an excuse. There are some interesting new approaches being tried out there:

Acknowledging the reality of what consumers will and will not do, Associated Bank, a $20 billion bank in Green Bay, WI, has implemented a voice biometric technology from Authentify to securely pass sensitive information to customers via the Internet. By logging onto the Web site to receive a PIN, a phone call is activated to the customer’s home or office. When the customer answers the phone, the voice biometric verifies that it is the customer and not a phisher requesting the PIN. This confirmation doesn’t require the customer to do anything out of the ordinary. It requires no training, no cost and no software installation.

Other efforts are being focused on foiling the phishers at their own point of sale:

One novel phishing countermeasure utilized by Cyota is bombarding the phishing Web site with bogus customer information. “It looks like real user names and passwords, but it’s just a hodgepodge,” [Cyota CEO Naftali] Bennett says. It compromises the phisher’s data, making it a painstaking process to sort out the legitimate accounts. “We want to change the equation for them. We want to make it harder to use the data and put them at risk of selling bad data to their customers,” Bennett says.

The bottom line, however, is well expressed by Gene Neyer, head of the Financial Services Technology Consortium’s counterphishing effort:

“Phishing has become a problem overnight because it has leveraged the infrastructure of spam,” says the FSTC’s Neyer. “And like spam, the concern is that with phishing every countermeasure spurs technology to get around the countermeasure. Unfortunately, scams that rely on social engineering can never be eliminated, but practical, tactical strategies can be put in place.”

The Moleskine Report, Part II

Continuing to add material that I could not include, or could not include much of, in my WSJ.com piece (which comes out today), here’s the second emailed reply that I thought might interest readers. It’s from Mike Rohde, a graphic and web designer, working for the international engineering and web services firm MakaluMedia, and I include his reply in its entirety because it’s very interesting:

I work remotely from home with colleagues in Germany, Spain, France and Ireland, helping design and build web applications, web sites for small & medium-sized firms and corporate identity work.

I manage projects with my colleagues and clients via email, IM chat, voice over IP, phone and web, from my home office. So as you can see I work pretty digitally during the day.

Personally I am quite digitally oriented as well, writing a weblog, reading many weblogs, using email, chat and VOIP with international friends. Specifically, I have text and VOIP chats with one friend living in the UK on a weekly basis via Apple iChat.

I was introduced to PCs and technology as a teen, when my dad explored his interest in computers. I now see this was critical to the way I work now, as my experimentation and use of computers then, reduced the fear of technology very early, and gave me the sense that I could bend technology to my needs.

My higher education was focused on graphic design. Following graduation, I spent 9 years as a print designer and system manager for a design studio, moving into web design in the late 90s. In 1998 I began working with MakaluMedia, remotely from my home office.

As you know I have an interest in sketching with Moleskines; I also use a Miquelrius sketchbook for generating ideas and layouts for my business activities, like design ideas, logo concepts and so on.

However, after some thought, I chose to use a digital approach for recording my business diary, which I have found works quite well. Further, I enjoy using paper diaries to record personal thoughts and observations, mainly because I enjoy the tactile feel of paper and pen.

So, I enjoy both digital and analog means of recording thoughts, depending upon the use and context. Hopefully that provides you with a good starting point about me and my approach. 🙂

Here are my answers to the questions you have posed:

What do you use, exactly, in digital and paper terms?
How do you use them?

Digital:
———–
1. Business Diary: I keep a business journal as a plain text document on my Mac Powerbook. There I record MakaluMedia related thoughts, web links and comments of clients and colleagues. I separate entries by date and archive each month’s diary to dated plain text files (Makalu-Diary-2004-12.txt). The current month’s diary is synchronized to my palmOne Tungsten E PDA via DataViz DocumentsToGo.

2. Project Specific Notes: These are kept in DayLite, a networked Mac OS X business application very much like ACT! for PC (http://www.marketcircle.com/). Notes relative to projects recorded in my business diary and emails are copied into DayLite as notes for access by myself and my MakaluMedia colleagues.

3. Business & Personal Links: I store interesting business and personal web bookmarks at my del.icio.us account (http://del.icio.us/rohdesign) and also in the Safari browser on my Mac.

4. Personal Blog: This is my public forum for thoughts, ideas, reflections, designs, sketches and whatever else seems pertinent to my personal and business life. I try to be encouraging, inspiring, humorous, serious here, but the entries are definitely for public consumption. I do share personal details but have an internal gut feel for where the line ought to be.

Because I built a reputation writing the Palm Tipsheet for many years (it was sold in ’03), many of my longstanding blog readers are Palm users who came from that newsletter. I do like to discuss mobile tech, but intentionally explore other topics, because I think life is broader than technology.

5. Personal Notes & Sketches: I also occasionally write notes (Memo Pad) or make digital sketches (Note Pad) with my palmOne Tungsten E, which are then synchronized to my Mac Powerbook.

Paper (Analog):
———————-
1. Business Concepts & Sketches: Stored in my Miquelrius gridded notebook. This is the place where I start ideas going, work out concepts (visual or textual) and sketch layouts for websites or logos. Often my sketches will be scanned and presented to clients and colleagues to show concepts or direction before I flesh out ideas on the computer.

2. Personal Sketches: Small Moleskine sketchbook for sketching (e.g. proj: exhibition sketchtoons), and a small Moleskine gridded notebook for ideas and concepts I come up with (e.g. ideas for home or personal projects, dream tech concepts, etc.).

3. Personal Diary: Small Italian-made notebook for recording thoughts of the day, reflections and goals. Usually I enter thoughts at night in bed, or at the café over coffee in this diary. Entries are not regular (daily) but rather entered when I have the need or urge to get something down.

(Note: I can provide scans from my paper sources if they are helpful)

Why still use paper?

Refuge & Escape from the Digital World. Paper is a refuge from my very digital lifestyle. I spend quite a bit of time on my Mac (at work and personally), so time with a nice pen, rich black ink or smooth pencil lead on crisp paper, are very much an escape from bits and pixels.

Immediacy. The immediacy of paper is very gratifying. I can knock out several concept sketches in the time it might take to fiddle around with Adobe Illustrator or Photoshop on just one tight drawing. Further, immediacy and looseness of ink or pencil on paper lets me explore with more latitude. I find that once I move to the computer, my ideas naturally tighten up and lose their loose qualities.

No batteries required. I love that my sketchbooks require no battery or wall connection. If the power goes dead, I can still work with my sketchbook and pen. The simplicity of a book and pen keeps me from getting hung up on technical issues as often pop up carrying a laptop and peripherals to support it, or choosing which café has WiFi so I can remain connected.

Portability. When I need to be creative, I just grab my sketchbook and head for a local café or library — the ideas just seem to flow. I also like that a sketchbook can be kept in a pocket at all times, without regard to cold or heat, or location. Sketchbooks can also take a beating better than techy gadgets. 🙂

Any particular Eureka moment on using paper?

Probably about a year ago I started realizing that I was using sketches less than I had in the past for my business design work at MakaluMedia. I decided to focus on making sketching an integrated part of my work. Since integrating sketching I’ve noticed my creativity has improved greatly.

Are you alone, or does everyone you know follow the same practice?

As I work alone from my home office, I can only comment on my own methods directly, though the posts I have made related to use of paper sketchbooks and diaries have brought interesting comments from other digital folks who also integrate paper into their lives. Many are Moleskine fans like me, others feel that paper offers them options not easily available digitally.

Do you get odd looks for using paper?

Quite to the contrary — people who see my business or personal sketchbooks are always interested in having a look at them, and comment how they wish they could draw. I encourage them to give it a try, because a paper sketchbook or journal are just tools to get your mind working creatively.

Do you think paper and digital might merge, a la Logitech’s io Pen, or is that the wrong way of looking at things?

I think there is an overlap. I have not used a Wacom tablet for some time, but am actually considering one now, to see what options it might offer me on the digital side of things. I do think there is a wide open market for digital tools which work in conjunction with analog sketching and notes, such as the IO pen. I would love to try the IO pen as well.

Thanks, Mike, for such a long and interesting answer.