DigiNotar Breach Notes

Some folk have asked me for more details about the DigiNotar breach after my brief appearance on Al Jazeera this morning. So here are the notes I prepared for the segment. Links at the bottom.

Background

Web security certificates are digital IDs issued by companies entrusted with making sure they are given to the right company or organisation. They allow a user to set up a secure connection between their computer and the organisation’s website. Browsers will show a little lock or some other icon to signify the certificate has been found and is trusted.

Hackers broke into a Dutch company called DigiNotar, itself owned by US firm Vasco Data Security, in mid June. DigiNotar is one of hundreds of companies around the globe called certificate authorities that issue these authentication certificates. Browsers contain a list of which CAs they can trust.

These hackers would have been able to steal existing certificates or generate their own, meaning they could now, with the help of an Internet Service Provider, launch what are called Man in the Middle Attacks–meaning they could intercept traffic, a bit like tapping a telephone.

DigiNotar noticed that something was amiss in July, but didn’t realise the extent of the breach until late August, by which time more than 500 (531) fake certificates had been issued. While some cover domains like the CIA and MI6, these are probably just distractions. The key ones are a dozen issued for domains like Google, Facebook and Skype.

Why do we think this was about Iran?

Studies of the validation requests–browsers pinging DigiNotar to confirm the certificate’s authenticity–showed that during August the bulk–maybe 99%–of the traffic was coming from Iran. When the certificates were eventually revoked, Iranian activity dropped.
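The kind of analysis described above can be sketched as follows. This is an added example, not code from the original notes or from any report they link to: the log format, the SERIAL-A and SERIAL-B labels, the sample lines and the revocation time are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not DigiNotar's or Fox-IT's):
#   <timestamp> <client country code> <certificate serial label>
SAMPLE_LOG = """\
2011-08-27T09:12:03 IR SERIAL-A
2011-08-27T10:00:00 NL SERIAL-B
2011-08-27T11:40:51 IR SERIAL-A
2011-08-27T15:00:00 DE SERIAL-B
2011-08-27T18:05:10 IR SERIAL-A
2011-08-28T07:30:00 IR SERIAL-A
2011-08-28T08:02:44 NL SERIAL-A
2011-08-28T09:00:00 NL SERIAL-B
not-a-timestamp IR SERIAL-A
2011-08-28T13:15:09 IR SERIAL-A
2011-08-28T16:00:00 BE SERIAL-B
2011-08-28T21:47:30 IR SERIAL-A
2011-08-29T06:20:18 IR SERIAL-A
2011-08-29T10:01:00 IR SERIAL-A
2011-08-29T12:00:00 NL SERIAL-B
truncated line
2011-08-30T09:00:00 IR SERIAL-A
2011-08-30T12:00:00 DE SERIAL-B
"""

# Constructed revocation time for SERIAL-A (the notes give no exact time).
REVOKED_AT = datetime(2011, 8, 29, 19, 0, 0)


def parse_log(text):
    """Return (timestamp, country, serial) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # wrong number of fields
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp
        records.append((ts, parts[1], parts[2]))
    return records


def top_country_share(records):
    """Map each serial to (top country, that country's share, total requests)."""
    per_serial = defaultdict(Counter)
    for _, country, serial in records:
        per_serial[serial][country] += 1
    result = {}
    for serial, counts in per_serial.items():
        total = sum(counts.values())
        country, hits = counts.most_common(1)[0]
        result[serial] = (country, hits / total, total)
    return result


def flag_concentrated(records, threshold=0.8, min_requests=5):
    """Serials whose validation requests come overwhelmingly from one country."""
    return sorted(
        serial
        for serial, (_, share, total) in top_country_share(records).items()
        if total >= min_requests and share >= threshold
    )


def requests_around(records, serial, country, revoked_at,
                    window=timedelta(hours=24)):
    """Count one country's requests for a serial in equal windows
    before and after the revocation time."""
    before = after = 0
    for ts, c, s in records:
        if s != serial or c != country:
            continue
        if revoked_at - window <= ts < revoked_at:
            before += 1
        elif revoked_at <= ts < revoked_at + window:
            after += 1
    return before, after


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for serial, (country, share, total) in sorted(top_country_share(recs).items()):
        print(f"{serial}: {share:.0%} of {total} requests from {country}")
    print("flagged:", flag_concentrated(recs))
    print("IR requests 24h before/after revocation:",
          requests_around(recs, "SERIAL-A", "IR", REVOKED_AT))
```

A certificate for a globally used domain whose validation requests come almost entirely from one country, and fall away once it is revoked, is the pattern the paragraph above describes.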

Moreover the attackers left some quite obvious clues. They left calling cards: transcribed Farsi which translates into slogans such as “I will sacrifice my life for my leader” and “unknown soldier”.

Why might Iran be interested?

Well, we now know that a lot of countries like Syria intercept ordinary Internet traffic through something called Deep Packet Inspection. This means that the government is basically snooping on web traffic. But when that traffic passes through these secure connections, it’s much harder. So the holy grail of any internet surveillance is to get a hold of those certificates, or work around them. This is a brazen attempt to do this.

All Internet traffic in Iran has to go through a government proxy, making this kind of attack much simpler. The government ISP just uses the certificate to pretend to be Google, or whatever, and then passes the traffic on.

Is it the government?

This is harder to confirm. The Dutch government is investigating this. A similar attack took place against an Italian CA in March, and it shows similar fingerprints.

But the fact that the certificates were stolen and then used seems to suggest some official connection.

What could they have discovered?

Quite a lot. All the traffic that was intercepted could be deciphered, meaning all browsing and emails. But it also may have captured cookies, meaning passwords, which would have made it easy to hack into target accounts and sniff around old emails, dig out other passwords, or hack into associated accounts, such as Google Docs.

Moreover, some of the certificates compromise something called The Onion Router, a service which anonymizes web traffic. Though TOR itself wasn’t compromised, the certificates could convince your browser you were talking to TOR, whereas in fact you’d be talking to the attacker.

Should other people be worried?

Yes. Some browser developers have been more forthcoming than others; Google Chrome and Firefox have been quick to respond. Others less so. If you’re in Iran or think you may be targeted, it’s a good idea to change your password, and to check that no one has altered your forwarding details in your email account. You should also upgrade your browser to the latest version, whatever browser you use.

DigiNotar made some horrible mistakes: one Windows domain for all certificate servers, no antivirus, a simple administrator password. There were defaced pages on the website dating back to 2009. One has to wonder what other certificate authorities are similarly compromised. We rely on these companies to know what they’re doing. They’re the top of the food chain, in the words of one analyst.

We should now be looking closely at the previous breaches and looking for others. This is a ratcheting up of the stakes in a cyberwar; this kind of thing has real world impact on those people who thought they were communicating safely and will now fear the knock on their door.

In the future this is likely to lead to a change in the way certificates are issued and checked. I don’t think DigiNotar is going to survive this, but I think a bigger issue is bound to be how this security issue is handled. I think governments which look to the Internet as a tool for democratic change need also to be aware of just how dangerous it is to encourage dissidents to communicate online, whether or not they’re being careful.

News:

BBC News – Fake DigiNotar web certificate risk to Iranians

DigiNotar – Wikipedia, the free encyclopedia

Fake DigiNotar certificates targeting Iranians?

Expert reports/analysis:

DigiNotar Hacked by Black.Spook and Iranian Hackers – F-Secure Weblog : News from the Lab

Operation Black Tulip: Fox-IT’s report on the DigiNotar breach | Naked Security (Sophos)

Fox-IT report, operation Black Tulip (PDF)

VASCO:

Acquisition DigiNotar

VASCO DigiNotar Statement

Comodogate:

Comodo Group – Wikipedia, the free encyclopedia

Real Phone Hacking

Interesting glimpse into the real world of phone hacking–not the amateurish stuff we’ve been absorbed by in the UK–by Sharmine Narwani: In Lebanon, The Plot Thickens « Mideast Shuffle.

First off, there’s the indictment just released by the Special Tribunal for Lebanon which, in the words of Narwani,

appears to be built on a simple premise: the “co-location” of cellular phones — traceable to the accused four — that coincide heavily with Hariri’s whereabouts and crucial parts of the murder plot in the six weeks prior to his death.

Indeed, the case relies heavily on Call Data Record (CDR) analysis. Which sounds kind of sophisticated. Or is it? Narwani contends that this could have been manufactured. Indeed, she says,

there isn’t a literate soul in Lebanon who does not know that the country’s telecommunications networks are highly infiltrated — whether by competing domestic political operatives or by foreign entities.

There is plenty of evidence to support this. The ITU recently issued two resolutions [PDF] basically calling on Israel to stop conducting “piracy, interference and disruption, and sedition”.

And Lebanon has arrested at least two men accused of helping Israel infiltrate the country’s cellular networks. What’s interesting about this from a data war point of view is that one of those arrested has confessed, according to Narwani, to lobbying for the cellular operator he worked for not to install more secure hardware, made by Huawei, which would have presumably made eavesdropping harder. (A Chinese company the good guy? Go figure.)

If this were the case–if Lebanon’s cellular networks were so deeply penetrated–then it’s evidence of the kind of cyberwar we’re not really equipped to understand, let alone deal with: namely data manipulation.

Narwani asks whether it could be possible that the tribunal has actually been hoodwinked by a clever setup: that all the cellular data was faked, when

a conspiring “entity” had to obtain the deepest access into Lebanese telecommunications networks at one or — more likely — several points along the data logging trail of a mobile phone call. They would have to be able to intercept data and alter or forge it, and then, importantly, remove all traces of the intervention.

After all, she says,

the fact is that Hezbollah is an early adherent to the concept of cyberwarfare. The resistance group have built their own nationwide fiber optics network to block enemy eavesdropping, and have demonstrated their own ability to intercept covert Israeli data communications. To imagine that they then used traceable mobile phones to execute the murder of the century is a real stretch.

Who knows? But Narwani asserts that

Nobody doubts Israel’s capacity to carry out this telecom sleight of hand — technology warfare is an entrenched part of the nation’s military strategies. This task would lie somewhere between the relatively facile telephone hacking of the News of the World reporters and the infinitely more complex Stuxnet attack on Iran’s nuclear facilities, in which Israel is a prime suspect.

In other words, there’s something going on here that is probably a lot more sophisticated than a tribunal can get behind. I’m no Mideast expert, but if only half of this is true it’s clear that cellphones are the weakest link in a communications chain. And that if this kind of thing is going on in Lebanon, one has to assume that it’s going on in a lot of places.

Libya: We’re Back. Iran: We’re Not

In its latest quarterly report Opera looks at how quickly Libyans have gone back online with their mobile devices after six months in the dark. The graphic pretty much sums it up:

Talking of Internet blocking, Opera noticed that Iran continues to mess with Internet access for its citizens:

While we can speculate on government intervention or an operator shutting down Opera Mini access, the numbers are striking. Opera Mini usage in Iran dropped 36% in July. Most of the user loss occurred over five days, from July 4th to July 9th. Iran is no stranger to these quick drops. After reaching new highs, Opera Mini usage drops quickly. On June 14, 2011, Opera Mini reached an all-time high in Iran. The next day, usage plummeted more than 48%.

One can indeed only speculate, but the June plummet may be to do with the June 12 second anniversary of the 2009 election, when marchers took to the streets [Inter Press Service report via Asia Times]. (The lag between the Sunday June 12 march, the spike in traffic two days later, and then the plummet could either be explained by the marchers using their cellphones and then losing interest, or the sudden interest of the security services in curtailing mobile traffic to disrupt more planned marches.)

The July drop in traffic I can’t explain: I’ve looked for events around that time, but can’t find any.

The Missed Call: The Decade’s Zeitgeist?

By Jeremy Wagstaff

(this is a longer version of an upcoming syndicated column.)

When people look back at the last decade for a technology zeitgeist they may choose SMS, or the iPod, or maybe even Facebook. Me? I’d choose the cellphone call that rings, briefly, and then is silent.

It’s one of those social phenomena that has so embedded itself in the culture that we don’t even notice it. It developed its own syntax, its own meaning, and even shifted the boundaries of cultural mores and social intercourse. Even I didn’t realise it was so widespread until I started researching this article. And yet, at least in the middle of the decade, it spanned all continents and was accounting for more than half of cellphone traffic in many developing countries.

So what is the miscall and why is it—was it–so big? The miscall is simple: I call your cellphone but hang up before you pick up. Instead of you thinking there’s a mistake, you know exactly why I called, and either call me back, or don’t, depending on how we’ve agreed on what the miscall means. It’s a form of communication that requires no words, no speech, and, most importantly, no expense. At least for you and me. Not, sadly, for the cellphone operator.

But initially cellphone operators weren’t too bothered.

There’s a temptation, after all, to regard the miscall as a poverty thing, done by poor people. I don’t have any money; you have money, so you call me. Indeed, in Ethiopia it’s called miskin—Amharic, deriving from the Arabic for “poorest of the poor”, with a distinct connotation of being worthy of pity. And among youth the lure of the cellphone is matched only by the limits on a budget. So, someone somewhere is going to call back, so money will be spent on a call, somehow.

But two researchers for Norway-based Telenor, Hanne Geirbo and Per Helmersen, found that was only part of the picture, even in a place like Bangladesh. Combing the data from a single day of Grameenphone’s traffic, they concluded that “the charged traffic generated from an initial missed call is minimal compared to the missed call activity.” In short, a missed call didn’t result in a real call.

This was communication in itself, not just a plea for communication.

Not only that: making the missed call was so easy—hit the green button, wait for a ring and then hit red—that it was stopping other services, like SMS, from getting any traction. And we’re not talking small potatoes here: Missed calls constituted upwards of 70% of Grameenphone’s total network traffic in any hour. Some people were sending miss call after miss call, one after the other—100, or even several hundred, miscalls in a short period. This, in the words of the researchers, was “a major cause of congestion at peak periods,” leading to calls disconnected, or not being connected in the first place. In 2005 one Kenyan cellular network estimated that four million miscalls were being made daily on its network.

A miscall, then, is a lot more than a call me back thing. It’s a fast way to communicate a key piece of information to someone who is already expecting it around that time, and only needs to be activated: “I’m home, throw the gate keys down.” The timing is the context that gives the unspoken, unwritten message meaning: A miscall at 6 pm may mean I just left work.

And, if there isn’t any specific time context it may just mean: “I’m missing you.”

Then there’s another parameter: how many missed calls are made can vary the message. Two missed calls means “I’m running late” or “I’m at home, where are you?” depending, it would seem, on what part of Bangladesh you’re in. In Syria five missed calls in rapid succession means “I’m online, let’s chat.” There are business uses too: Farmers in Bhutan, according to UNCTAD’s annual Information Economy Report published in October, know how much milk their customers want by the number of miscalls. They then miscall the customer back within 15 minutes; no miscall means no stock. Researchers in India, where miscalls accounted for about 40% of all calls, found that the miscall was used by print and ticketing shops to let their customers know their orders were ready.

Missed calls can be fun if you don’t have much else going on in your life. Try to irritate your friends by miscalling them; if someone is doing it to you, try to pick up before they hang up, losing them credit and the game. This may sound inane, but these calls are likely to be serious network congesters. If the power goes off, the researchers found, Bangladeshis would entertain themselves by miscalling friends, relatives, and even complete strangers. The researchers found one young woman met her boyfriend that way. If you call communicating only by cellphone a relationship. Who said blackouts couldn’t be fun?

Talking of flirting, missed calls can create a private space between two people who couldn’t otherwise connect without fear of exposure or ridicule. One 44-year old Bangladeshi admitted to expressing his love by sending the object of his affections hundreds of miscalls. In Damascus it’s no different: One young man proudly explained to a journalist from Syria’s Forward Magazine last year that he sometimes gets 250 miscalls from his girlfriend. Young couples in a relationship miscall each other to check the line is free or to keep the line busy—either way ensuring their paramour is not otherwise engaged, so to speak. Starting to feel sorry for the network operator yet?

Husbands expect calls from spouses at fixed times as signals that the house is running smoothly. Children check in with their parents. Newly married women get their mothers to call without incurring the wrath of their mothers-in-law. Friends miscall a member of their circle who couldn’t make their evening out, as if to say: we’re missing you.

There are rules, of course, about who one can and cannot miscall. No one below you in the hierarchy, either in the family, the office, or the community (one man is quoted as specifying “driver and electricians…it’s a matter of prestige.”) And don’t miscall your teacher or your boss. At least in Bangladesh. In Africa, where it’s called variously “flashing” and “biper”, there are complex rules about who can be flashed. Among friends, one commenter on a Nigerian blog said, it’s about exclusion: with miscalls “there is complete communication beyond the scope of outsiders.”

In other words, the missed call is not some reflection of not having enough credit. It’s a medium of exchange of complex messages that has become surprisingly refined in a short period. Much of it is not communication at all, at least in terms of actual information. It’s what the researchers identify as phatic communication: where the interaction is the motivation, not the content of the message itself. Or, as a Filipino professor, Adrian Remodo, put it to a language conference in Manila in 2007 at which they voted to make miscall, or miskol in Tagalog, the word of the year: A miskol is often used as “an alternative way to make someone’s presence felt.”

Indeed, the fact that the message itself has no content is part of its beauty. Just as the SMS is confined to 160 characters—meaning it can either be pithy or ambiguous, depending on the effect you’re looking for—so can the missed call be open to all kinds of interpretation. A lover receiving a missed call can fill her evening contemplating what was meant by those few unanswered rings.

The Telenor researchers speak of how this “practice contains valuable information about the communication needs and preferences of our customers.” Very true. But one gets the feeling that their call for more research to “provide the telecom industry with a much-needed window into the socio-cultural life space of our customers, and suggest new service offerings that better match their needs and circumstances” may have fallen on deaf ears.

I’ve not found much evidence of this, and that was written back in 2008. Some African cell providers gave away five free “Please call me” text messages to each subscriber. A Swiss company called Sicap has had some success in Africa with a service called Pay4Me, which is a sort of reverse charge call for mobile phones. The only difference I can see between this and the miscall is that the callee doesn’t have to make the call, so to speak. That, and the fact that most prepaid services nowadays don’t let you make a call if you have a zero balance—which accounts for 30% of African users, and 20% of Indian cellphone users, according to Telenity, one company hoping to offer the callback service.

Telcos in Afghanistan offer polling services where respondents, instead of texting back their answers, miscall a number depending on their choice of answer. More creatively, some socially minded organisations have used the miscall as a cheap way to communicate: Happypill, for example, reminds you to take medication if you fail to miscall them at an appointed time each day.

The point is that while usage may vary it’s common in many countries—and has been for much of the past decade. As soon as mobile phones came with prepaid vouchers, and operators included the name and number of the caller on the handset display, so did the opportunity arise for someone to pay for your call. In France and in French-speaking Africa it’s called “un bip”, I’m told, and one commenter said that it’s included in some prepaid packages. In Iran it’s called “tak”; in Australia “prank” and in the U.S. “drop call”. In Italy, apparently, it’s called “squillo” and in Oman a “ranah” (where there’s even a pop song based on the practice).

And it goes further back than that: “Call me and hang up when you arrive,” my mum used to say to her impoverished student son.

Of course, there are reasons to be concerned about this. One Indian columnist wrote:

What, then, will happen to the human voice? If two rings on the mobile are sufficient to say “I miss you”, what will become of the impassioned verses that poets have so far written to appease their beloved? I wonder how a dialogue will sound in a world where voices have become ringtones.

It may be that the miss call culture is in decline. Jonathan Donner, a Microsoft researcher who has looked into this phenomenon more than most, noted back in 2007 a “beep fatigue”, leading some to turn off their caller ID function and ditch phone numbers that clearly indicate they are on a postpaid package. And in some places where the costs of a call and an SMS have fallen to pretty much nothing, the appeal of the miscall has waned.

An SMS would work, but requires typing, and in a place like Bangladesh, where more than half the population is illiterate, that’s not a popular option. And text messages sometimes take a couple of minutes to arrive: a call is immediate—something that’s apparently important to my Filipino friends.

Then there’s the fact that the missed call can be discreet in a way that a phone call, or an SMS, can’t be. You could make a miscall from inside your bag or pocket (and I frequently do, though that’s by accident.) Which may explain why, as a student in Pakistan wrote earlier this year:

what amazes me the most is unlike other fads such as texting obsessively etc have gone away pretty quick, this ‘miss call’ culture still reigns supreme in most of our society.

My tupennies’ worth? Just as the SMS created its own culture out of the limitations of what was not supposed to be a commercial service, so has the miscall created its own norms. It is unlikely that these will survive the next decade. But we should watch these things carefully, not because they represent commercial opportunities—we’re bound to mess that up—but because they speak volumes about the inventiveness of the human spirit, and its ability to squeeze rich new forms of communication out of something that, on the surface, seems to be nothing—a briefly ringing, and unanswered phone.

Stuck on Stuxnet

By Jeremy Wagstaff (this is my weekly Loose Wire Service column for newspaper syndication)

We’ve reached one of those moments that I like: When we’ll look back at the time before and wonder how we were so naive about everything. In this case, we’ll think about when we thought computer viruses were just things that messed up, well, computers.

Henceforward, with every mechanical screw-up, every piston that fails, every pump that gives out, any sign of smoke, we’ll be asking ourselves: was that a virus?

I’m talking, of course, about the Stuxnet worm. It’s a piece of computer code–about the size of half an average MP3 file–which many believe is designed to take out Iran’s nuclear program. Some think it may already have done so.

What’s got everyone in a tizzy is that this sort of thing was considered a bit too James Bond to actually be possible. Sure, there are stories. Like the one about how the U.S. infected some software which ran a Siberian pipeline so it exploded in 1982 and brought down the whole Soviet Union. No-one’s actually sure that this happened–after all, who’s going to hear a pipeline blow up in the middle of Siberia in the early 1980s?–but that hasn’t stopped it becoming one of those stories you know are too good not to be true.

And then there’s the story about how Saddam Hussein’s phone network was disabled by US commandos in January 1991 armed with a software virus, some night vision goggles and a French dot matrix printer. It’s not necessarily that these things didn’t happen–it’s just that we heard about them so long after the fact that we’re perhaps a little suspicious about why we’re being told them now.

But Stuxnet is happening now. And it seems, if all the security boffins are to be believed, to open up a scary vista of a future when one piece of software can become a laser-guided missile pointed right at the heart of a very, very specific target. Which needn’t be a computer at all, but a piece of heavy machinery. Like, say, a uranium enrichment plant.

Stuxnet is at its heart just like any other computer virus. It runs on Windows. You can infect a computer by one of those USB flash drive thingies, or through a network if it finds a weak password.

But it does a lot more than that. It’s on the look out for machinery to infect—specifically, a Siemens Simatic Step 7 factory system. This system runs a version of Microsoft Windows, and is where the code that runs the programmable logic controllers (PLCs) is put together. Once it’s compiled, this code is uploaded to the computer that controls the machinery. Stuxnet, from what people can figure out, fiddles around with this code within the Siemens computer, tweaking it as it goes to and comes back from the PLC itself.

This is the thing: No one has seen this kind of thing before. Of course, we’ve heard stories. Only last month it was reported that the 2008 crash of a Spanish passenger jet, killing 154 people, may have been caused by a virus.

But this Stuxnet thing seems to be on a whole new level. It seems to be very deliberately targeted at one factory, and would make complex modifications to the system. It uses at least four different weaknesses in Windows to burrow its way inside, and installs its own software drivers—something that shouldn’t happen because drivers are supposed to be certified.

And it’s happening in real time. Computers are infected in Indonesia, India, Iran and now China. Boffins are studying it and may well be studying it for years to come. And it may have already done what it’s supposed to have done; we may never know. One of the key vulnerabilities the Trojan used was first publicized in April 2009 in an obscure Polish hacker’s magazine. The number of operating centrifuges in Iran’s main nuclear enrichment program at Natanz was reduced significantly a few months later; the head of Iran’s Atomic Energy Organization resigned in late June 2009.

All this is guesswork and very smoke and mirrors: Israel, perhaps inevitably, has been blamed by some. After all, it has its own cyber warfare division called Unit 8200, and is known to have been interested, like the U.S., in stopping Iran from developing any nuclear capability. And researchers have found supposed connections inside the code: the word myrtle, for example, which may or may not refer to the Book of Esther, which tells of a Persian plot against the Jews, and the string 19790509, which may or may not be a nod to Habib Elghanian, a Jewish-Iranian businessman who was accused of spying for Israel and was executed in Iran on May 9, 1979.

Frankly, who knows?

The point with all this is that we’re entering uncharted territory. It may all be a storm in a teacup, but it probably isn’t. Behind all this is a team of hackers who not only really know what they’re doing, but know what they want to do. And that is to move computer viruses out of our computers and into machinery. As Sam Curry from security company RSA puts it:

This is, in effect, an IT exploit targeted at a vital system that is not an IT system.

That, if nothing else, is reason enough to look nostalgically back on the days when we didn’t wonder whether the machinery we entrusted ourselves to was infected.

Twitteran: We Should Do What We Do Best

Paul Lamb over at MediaShift asks:

Is there still a need for vetting and fact checking of stories? Absolutely. But isn’t that something a machine, building off our collective intelligence, could be trained to do far better than any one human or editorial staff? Of course this ignores the fact that machines aren’t good at storytelling or understanding the nuances of human emotions and interactions – that which makes for good reporting and journalism. But maybe that’s something the machine could be taught as well? Maybe even doing it better than the tired old formulas used in most mainstream reporting?

The twitteran thing has been ably covered elsewhere, but I couldn’t resist posting a comment, which I narcissistically reproduce here:

Paul, I think you’re right in your comment that journalists need to think beyond storytelling and reporting, but that is part of a bigger crying need for us in the news industry to think harder about how we report, write and convey the news, and, indeed, what constitutes news.

In the case of Tehran, it’s a complex picture. Reporting political upheaval is difficult at the best of times, and Iran is not the first time that crowd-sourced news has done a better job of capturing an overall picture–of what is visible.

But reporting is also about uncovering the hidden information–the behind-the-scenes struggle, and I’ve not seen anything either on twitter or, frankly, in mainstream media, that’s captured that more difficult part of the story.

Smart media practitioners will learn from this lesson, not only that they can out-source to the crowd some of the ‘public’ events, but that their value lies in better reporting the ‘private’ events, those that go on behind closed doors.

We need to move with the times, and see as a positive development the emergence of tools that create a more comprehensive picture of mass events like this. After all, we’re supposed to be in the business of bringing light to the dark corners, and this could so easily have been–and may yet be–one of the darkest of recent times.

MediaShift Idea Lab . Twittering Away the Jobs of Journalists | PBS

Time to Give the Telephone Back to the Cellphone?

Was interviewing a guy intimately involved in the mobile phone industry the other day, and we were comparing the various features of our sophisticated smartphones, when he suddenly leaned over and said, “Off the record, but this is my favorite phone.” And he showed me this:


Nokia 1100, photo Mobile Phones UK

The Nokia 1100, according to Wikipedia, is the world’s best selling handset, having shifted 200 million units. It seems to cost about $20, often less, and has a battery life of about 400 hours. And, crucially for my friend, sports two important features: It makes and receives calls and SMS. Beyond that, in the words of Bryan Ferry, there’s nothing. (Well, actually there’s WAP, but who uses that?)

The point about the Nokia 1100 is that it’s a phone. It doesn’t pretend to be anything else (except a flashlight, if you press and hold the “c” key down (presumably “c” stands for torCh or flasChlight or “come into the light where I can see you, Mildred”)). It’s designed for conditions in developing countries — dustproof keyboard, non-slip sides — but for many of us that could describe an ordinary day in the office (dusty, slippery, in need of illumination).

“For email,” he said, “I use this,” waving a Nokia BlackBerry clone. “For phoning and SMS, I use my 1100.”

Clearly my interviewee friend is not alone. A glance at Mobile Phones UK’s page on the model shows the phone has a sizeable fanclub, with comments from Romania, Pakistan, Iran, the Philippines, Argentina, UK, Zaire and Tanzania. (Typical comment: “I needed a simple, sharp looking, long life phone. I got it. I love it!”) Of course, there are some who aren’t happy, but with 200 million units out there, that’s not surprising.

I guess my worry is, and has been for a while: As phones get more sophisticated, when do they stop being phones? And if it takes you longer to make or receive a call (or an SMS) than it used to, at what point do we need to split the phone/SMS functionality from our smartphone and give it back to the likes of the 1100?

Update: No Dead Horses Around Here

Further to my mention of Phlogging/moblogging, whatever you want to call it, just received an interesting email from Elan Dekel, founder of Fotopages. Elan reckons “we are experiencing a watershed moment. First of all the Internet is so accessible, even in dictatorships (we even have a fair number of Fotopages from Iran!), and digital cameras are so cheap, that (a) mass media has really become democratized – ie. everyone can get their message out to the world – and build relationships via the web with supporters and readers all over the world, and (b) it will be really hard for a dictatorship to keep its atrocities secret. Quite amazing in my humble opinion. In any case it’s fun to be a part of it.”
 
 
Interesting stuff. And if you thought all this sending photos to a website was phlogging a dead horse (sorry, couldn’t resist that), here are some sites that show something of what Elan is talking about (and his comments):
 
http://moja_vera.fotopages.com (an American soldier in Iraq, who uploads photos from the “front line”. I find it amazing – this is the first time that soldiers on the front line can broadcast their day to day experiences and their personal view of the situation, in real time).
 
http://salampax.fotopages.com (this is Salam Pax’s Fotopage - the blogger from Baghdad)
 
http://geeinbaghdad.fotopages.com (Gee – an Iraqi photographer).