The Gmail Phish: Why Publicize, and Why Now?

This Google Gmail phishing case has gotten quite a bit of attention, so I thought I’d throw in my two cents’ worth. (These are notes I collated for a segment I did for Al Jazeera earlier today. I didn’t do a particularly good job of getting these points across, and some of the material came in after it was done.)

Google says the attack appears to originate from Jinan, but doesn’t offer evidence to support that. I think it would be good if they did. Jinan is the capital of Shandong Province, but it’s also a military region and one of at least six where the PLA has one of its technical reconnaissance bureaus. These are responsible for, among other things, exploitation of foreign networks, which might include this kind of thing. The city is also where the Lanxiang Vocational School is based, which was linked to the December 2009 attacks on Google’s back-end systems. That also targeted human rights activists. Lanxiang has denied any involvement in the 2009 attacks.

I’d be very surprised if this kind of thing wasn’t going on all the time. And I’m very surprised that senior government officials from the U.S., Korea and elsewhere are supposedly using something like Gmail. There are more secure ways to communicate out there. I think it’s worth pointing out that this particular attack was first identified by Mila Parkour, a researcher, back in February. Screenshots on her blog suggest that at least three U.S. government entities were targeted.

I asked her what she thought of the release of the news now, four months later. Does this mean, I asked, that it took Google a while to figure it out?

As for any other vendor, investigations take time especially if they do not wish to alert the actors and make sure they shut down all the suspicious accounts.

And why, I asked, are they making it public now?

I think it is great they took time to unravel and find more victims and try to trace it. Looks like they exhausted all the leads and found out as much as they could to address it before going public. It has been three months and considering that hundreds of victims [are] involved, it is not too long.

This is not the first time that Google and other email accounts have been hacked in this way, and it’s probably not the last. It’s part of a much bigger battle going on. Well, two: one pits China, who are almost certainly behind it, or at least the ultimate beneficiaries of any data stolen, against regional and other rivals; the other is Google making these things public. For Google it’s a chance to point out the kind of pressures it and other companies are under in China. Google in January 2010 said it and other companies had been under attack using tricks that exploited vulnerabilities in Google’s network to gain unauthorized access.

Google says it went public because it wants to keep its users safe. This from Myriam Boublil, Head of Communications & Public Affairs at Google Southeast Asia:

“We think users should be aware of the disturbing campaign we’ve uncovered to collect user passwords and monitor user email. Our focus now is on protecting our users and making sure everyone knows how to stay safe online.”

This attack is not particularly sophisticated, but it involves what is called spear phishing, which does involve quite extensive social engineering techniques and reveals that the object of the attacker’s interest is not random, but very, very specific. If you judge a perpetrator of a crime by their victim, you don’t have to be a rocket scientist to figure out who is the ultimate recipient of any intelligence gathered.

Data, WikiLeaks and War

I’m not going to get into the rights and wrongs of the WikiLeaks thing. Nor am I going to look at the bigger implications for the balance of power between governed and governing, and between the U.S. and its allies and foes. Others have written much better than I can on these topics.

I want to look at what the cables tell us about the sorting, sifting and accessing of this information. In short, what does this tell us about how the world’s most powerful nation organized some of its most prized data?

To start with, I want to revisit a conversation I had sitting in the garden of a Kabul pub called the Gandermack a few weeks back, when it struck me: the biggest problem facing NATO in winning the war in Afghanistan is data.

I was talking to a buff security guy—very buff, in fact, as my female companions kept remarking—who was what might have once been a rare breed, but are now in big demand in Afghanistan. He was a former marine (I think), but was also a computer guy with an anthropology or sociology degree under his black belt somewhere. This guy knew his stuff.

And he was telling the NATO forces where they were going wrong: data management.

The problem, he explained, is not that there isn’t enough of it. It’s that there’s too much of it, and it’s not being shared in a useful way. Connections are not being made. Soldiers are drowning in intelligence.

All the allied forces in Afghanistan have their own data systems. But, I was told, there’s no system to make sense of it. Nor is there one to share it. So data collected by a garrison from one country in one part of the country is not accessible by any of the other 48 nations.

On the surface it seems this problem was fixed. In the wake of 9/11 U.S. departments were told to stop being so secretive. Which is how we got to WikiLeaks: one guy apparently able to access millions of classified documents from pretty much every corner of the planet. If he could do it, then so could thousands of other people. And, one would have to assume, so could more than a few people who weren’t supposed to have access. To give you an idea of the trove unearthed, WikiLeaks has released about 1,000 so far, meaning it’s going to take them nearly seven years to get all the cables out. Cable fatigue, anyone?

So, it would seem that the solution to the problem of not having enough pooled information is to just let anyone have it. But that, it turns out, isn’t enough. That’s because what we see from the WikiLeaks material is how old it looks.

I spent much of the early 1980s trawling through this kind of thing as a history student. Of course, they were all declassified documents going back to the 1950s, but the language was remarkably similar, as were the structure, the tone, the topics, the look and feel. A diplomatic cable in 2010 looks a lot like a cable from 50 years ago. In the meantime communication has gone from the telegraph to the fax to email to blogs to the iPhone to Twitter to Facebook.

This, to me, is the problem. It’s not that we’ve suddenly glimpsed inside another world: We would have seen a lot of this stuff at some point anyway, though it’s useful to see it earlier. Actually we can take some succour from the fact that diplomats seem to be doing a pretty good job of reporting on the countries they’re posted to. Journalists shouldn’t be surprised; we’ve relied on diplomats for a while. (And they might rightly feel somewhat aggrieved we now do this to them.)

No, the problem that WikiLeaks unearths is that the most powerful nation on earth doesn’t seem to have any better way of working with all this information than anyone else. Each cable has some header material—who it’s intended for, who it’s by, and when it was written. Then there’s a line called TAGS, which, in true U.S. bureaucratic style doesn’t actually mean tags but “Traffic Analysis by Geography and Subject”—a state department system to organize and manage the cables. Many are two letter country or regional tags—US, AF, PK etc—while others are four letter subject tags—from AADP for Automated Data Processing to PREL for external political relations, or SMIG for immigration related terms.

Of course there’s nothing wrong with this—the tag list is updated regularly (that last one seems to be in January 2008). You can filter a search by, say, a combination of countries, a subject tag and then what’s called a program tag, which always begins with K, such as KPAO for Public Affairs Office.

This is all very well, but it’s very dark ages. The trouble is, as my buff friend in the Kabul garden points out, there’s not much out there that’s better. A CIA or State Department analyst may use a computer to sift through the tags and other metadata, but that seems to be the only real difference between him and his Mum or Dad 50 years before.

My buff friend made a comparison with the political officer in today’s ISAF with a political officer (sometimes called an agent) back in the days of the British Raj. Back then the swashbuckling fella would ride a horse, sleep on the ground and know the Afghan hinterlands like the back of his hand, often riding alone, sipping tea with local chieftains to collect intelligence and use it to effect change (in this case meaning extend the already bulging British sphere of influence.) He would know the ins and outs of local tribal rivalries, who hated whom, etc. All of it stored in his head or in little notebooks.

His modern equivalent may actually have the same information, but it’ll be gleaned from the occasional photo opportunity, a squillion intelligence reports, all suitably tagged, and perhaps footage from a couple of drones. If the chieftain he’s interested in co-opting straddles a regional command, chances are that he won’t be able to access anyone else’s information on him, assuming they have any.

In short, the problem in the military and diplomatic world is the same we’re facing in the open world. We have a lot more information than we can use—or keep track of—and it’s not necessarily making us any smarter. Computers haven’t helped us understand stuff better—they’ve just helped us collect, share, and lose more of it.

I must confess I’ve not made much progress on this myself. My main contribution is persuading a researcher friend to use a program called PersonalBrain, which helps you to join the dots between people, things, organisations, whatever you’re trying to figure out. It’s all manual though, which puts people off: What you mean I have to make the connections myself? Well, yes. Computers aren’t magic.

Yet. It’s clear to me that 10 years down the track, I hope, we’ll finally get that writing in prose, and then adding a hierarchy of labels to a document, is no longer the way to go. Instead, we’ll be writing into live forms that make connections as we write, annotate on the fly, draw spindly threads to other parts of our text, and make everything come to life. I will be able to pull into the document visuals, audio, other people, old records, chronologies, maps, and work with the data in three dimensions.

If this sounds familiar, it’s probably because it sounds like science fiction, something like Minority Report. But it’s not; it’s a glimpse inside the mind of our imperial political agent; how he would make those connections because they were all in his head—neurons firing transmitters, axons alive, binding synapses.

If I were the U.S. government, I would take Cablegate as a wake-up call. Not at the effrontery of this humiliation, but as a chance to rethink how its data is being gathered and made use of. Cablegate tells us that the world of the cable is over.

The Missed Call: The Decade’s Zeitgeist?

By Jeremy Wagstaff

(this is a longer version of an upcoming syndicated column.)

When people look back at the last decade for a technology zeitgeist they may choose SMS, or the iPod, or maybe even Facebook. Me? I’d choose the cellphone call that rings, briefly, and then is silent.

It’s one of those social phenomena that has so embedded itself in the culture that we don’t even notice it. It developed its own syntax, its own meaning, and even shifted the boundaries of cultural mores and social intercourse. Even I didn’t realise it was so widespread until I started researching this article. And yet, at least in the middle of the decade, it spanned all continents and was accounting for more than half of cellphone traffic in many developing countries.

So what is the miscall and why is it—was it–so big? The miscall is simple: I call your cellphone but hang up before you pick up. Instead of you thinking there’s a mistake, you know exactly why I called, and either call me back, or don’t, depending on how we’ve agreed on what the miscall means. It’s a form of communication that requires no words, no speech, and, most importantly, no expense. At least for you and me. Not, sadly, for the cellphone operator.

But initially cellphone operators weren’t too bothered.

There’s a temptation, after all, to regard the miscall as a poverty thing, done by poor people. I don’t have any money; you have money, so you call me. Indeed, in Ethiopia it’s called miskin—Amharic, deriving from the Arabic for “poorest of the poor”, with a distinct connotation of being worthy of pity. And among youth the lure of the cellphone is matched only by the limits on a budget. So, someone somewhere is going to call back, so money will be spent on a call, somehow.

But two researchers for Norway-based Telenor, Hanne Geirbo and Per Helmersen, found that was only part of the picture, even in a place like Bangladesh. Combing the data from a single day of Grameenphone’s traffic, they concluded that “the charged traffic generated from an initial missed call is minimal compared to the missed call activity.” In short, a missed call didn’t result in a real call.

This was communication in itself, not just a plea for communication.

Not only that: making the missed call was so easy—hit the green button, wait for a ring and then hit red—that it was stopping other services, like SMS, from getting any traction. And we’re not talking small potatoes here: Missed calls constituted upwards of 70% of Grameenphone’s total network traffic in any hour. Some people were sending miss call after miss call, one after the other—100, or even several hundred, miscalls in a short period. This, in the words of the researchers, was “a major cause of congestion at peak periods,” leading to calls disconnected, or not being connected in the first place. In 2005 one Kenyan cellular network estimated that four million miscalls were being made daily on its network.

A miscall, then, is a lot more than a call-me-back thing. It’s a fast way to communicate a key piece of information to someone who is already expecting it around that time, and only needs to be activated: “I’m home, throw the gate keys down.” The timing is the context that gives the unspoken, unwritten message meaning: A miscall at 6 pm may mean I just left work.

And, if there isn’t any specific time context it may just mean: “I’m missing you.”

Then there’s another parameter: how many missed calls are made can vary the message. Two missed calls means “I’m running late” or “I’m at home, where are you?” depending, it would seem, on what part of Bangladesh you’re in. In Syria five missed calls in rapid succession means “I’m online, let’s chat.” There are business uses too: Farmers in Bhutan, according to UNCTAD’s annual Information Economy Report published in October, know how much milk their customers want by the number of miscalls. They then miscall the customer back within 15 minutes; no miscall means no stock. Researchers in India, where miscalls accounted for about 40% of all calls, found that the miscall was used by print and ticketing shops to let their customers know their orders were ready.

Missed calls can be fun if you don’t have much else going on in your life. Try to irritate your friends by miscalling them; if someone is doing it to you, try to pick up before they hang up, losing them credit and the game. This may sound inane, but these calls are likely to be serious network congesters. If the power goes off, the researchers found, Bangladeshis would entertain themselves by miscalling friends, relatives, and even complete strangers. The researchers found one young woman met her boyfriend that way. If you call communicating only by cellphone a relationship. Who said blackouts couldn’t be fun?

Talking of flirting, missed calls can create a private space between two people who couldn’t otherwise connect without fear of exposure or ridicule. One 44-year-old Bangladeshi admitted to expressing his love by sending the object of his affections hundreds of miscalls. In Damascus it’s no different: One young man proudly explained to a journalist from Syria’s Forward Magazine last year that he sometimes gets 250 miscalls from his girlfriend. Young couples in a relationship miscall each other to check the line is free or to keep the line busy, either way ensuring their paramour is not otherwise engaged, so to speak. Starting to feel sorry for the network operator yet?

Husbands expect calls from spouses at fixed times as signals that the house is running smoothly. Children check in with their parents. Newly married women get their mothers to call without incurring the wrath of their mothers-in-law. Friends miscall a member of their circle who couldn’t make their evening out, as if to say: we’re missing you.

There are rules, of course, about who one can and cannot miscall. No one below you in the hierarchy, either in the family, the office, or the community (one man is quoted as specifying “driver and electricians…it’s a matter of prestige.”). And don’t miscall your teacher or your boss. At least in Bangladesh. In Africa, where it’s called variously “flashing” and “biper”, there are complex rules about who can be flashed. Among friends, one commenter on a Nigerian blog said, it’s about exclusion: with miscalls “there is complete communication beyond the scope of outsiders.”

In other words, the missed call is not some reflection of not having enough credit. It’s a medium of exchange of complex messages that has become surprisingly refined in a short period. Much of it is not communication at all, at least in terms of actual information. It’s what the researchers identify as phatic communication: where the interaction is the motivation, not the content of the message itself. Or, as a Filipino professor, Adrian Remodo, put it to a language conference in Manila in 2007 at which they voted to make miscall, or miskol in Tagalog, the word of the year: A miskol is often used as “an alternative way to make someone’s presence felt.”

Indeed, the fact that the message itself has no content is part of its beauty. Just as the SMS is confined to 160 characters—meaning it can either be pithy or ambiguous, depending on the effect you’re looking for—so can the missed call be open to all kinds of interpretation. A lover receiving a missed call can fill her evening contemplating what was meant by those few unanswered rings.

The Telenor researchers speak of how this “practice contains valuable information about the communication needs and preferences of our customers.” Very true. But one gets the feeling that their call for more research to “provide the telecom industry with a much-needed window into the socio-cultural life space of our customers, and suggest new service offerings that better match their needs and circumstances” may have fallen on deaf ears.

I’ve not found much evidence of this, and that was written back in 2008. Some African cell providers gave away five free “Please call me” text messages to each subscriber. A Swiss company called Sicap has had some success in Africa with a service called Pay4Me, which is a sort of reverse charge call for mobile phones. The only difference I can see between this and the miscall is that the callee doesn’t have to make the call, so to speak. That, and the fact that most prepaid services nowadays don’t let you make a call if you have a zero balance—which accounts for 30% of African users, and 20% of Indian cellphone users, according to Telenity, one company hoping to offer the callback service.

Telcos in Afghanistan offer polling services where respondents, instead of texting back their answers, miscall a number depending on their choice of answer. More creatively, some socially minded organisations have used the miscall as a cheap way to communicate: Happypill, for example reminds you to take medication if you fail to miscall them at an appointed time each day.

The point is that while usage may vary, it’s common in many countries, and has been for much of the past decade. As soon as mobile phones came with prepaid vouchers, and operators included the name and number of the caller on the handset display, the opportunity arose for someone else to pay for your call. In France and in French-speaking Africa it’s called “un bip”, I’m told, and one commenter said that it’s included in some prepaid packages. In Iran it’s called “tak”; in Australia “prank” and in the U.S. “drop call”. In Italy, apparently, it’s called “squillo” and in Oman a “ranah” (where there’s even a pop song based on the practice).

And it goes further back than that: “Call me and hang up when you arrive,” my mum used to say to her impoverished student son.

Of course, there are reasons to be concerned about this. One Indian columnist wrote:

What, then, will happen to the human voice? If two rings on the mobile are sufficient to say “I miss you”, what will become of the impassioned verses that poets have so far written to appease their beloved? I wonder how a dialogue will sound in a world where voices have become ringtones.

It may be that the missed-call culture is in decline. Jonathan Donner, a Microsoft researcher who has looked into this phenomenon more than most, noted back in 2007 a “beep fatigue”, leading some to turn off their caller ID function and ditch phone numbers that clearly indicate they are on a postpaid package. And in some places where the costs of a call and an SMS have fallen to pretty much nothing, the appeal of the miscall has waned.

An SMS would work, but requires typing, and in a place like Bangladesh, where more than half the population is illiterate that’s not a popular option. And text messages sometimes take a couple of minutes to arrive: a call is immediate—something that’s apparently important to my Filipino friends.

Then there’s the fact that the missed call can be discreet in a way that a phone call, or an SMS, can’t be. You can make a miscall from inside your bag or pocket (and I frequently do, though that’s by accident.) Which may explain why, as a student in Pakistan wrote earlier this year:

What amazes me the most is, unlike other fads such as texting obsessively etc. that have gone away pretty quick, this ‘miss call’ culture still reigns supreme in most of our society.

My tuppence worth? Just as the SMS created its own culture out of the limitations of what was not supposed to be a commercial service, so has the miscall created its own norms. It is unlikely these will survive the next decade. But we should watch these things carefully, not because they represent commercial opportunities (we’re bound to mess that up) but because they speak volumes about the inventiveness of the human spirit, and its ability to squeeze rich new forms of communication out of something that, on the surface, seems to be nothing: a briefly ringing, and unanswered, phone.

Afghanistan’s TV Phone Users Offer a Lesson

By Jeremy Wagstaff


There’s something I notice amid all the dust, drudgery and danger of Kabul life: the cellphone TVs.

No guard booth—and there are lots of them—is complete without a little cellphone sitting on its side, pumping out some surprisingly clear picture of a TV show.

This evening at one hostelry the guard, AK-47 absent-mindedly askew on the bench, had plugged his into a TV. I don’t know why. Maybe the phone gave better reception.

All I know is that guys who a couple of years ago had no means of communication now have a computer in their hand. Not only that, it’s a television, itself a desirable device. (There are 740 TVs per 1,000 people in the U.S. In Afghanistan there are 3.)

But it doesn’t stop there. I’ve long harped on about how cellphones are the developing world population’s first computer and first Internet device. Indeed, the poorer the country, the more revolutionary the cellphone is. But in places like Afghanistan you see how crucial the cellphone is as well.

Electricity is unreliable. There’s no Internet except in a few cafes, hotels and offices willing to pay thousands of dollars a month. But you can get a sort of 3G service over your phone. The phone is an invisible umbilical cord in a world where nothing seems to be tied down.

Folk like Jan Chipchase, a former researcher at Nokia, are researching how mobile banking is beginning to take hold in Afghanistan. I topped up my cellphone in Kabul via PayPal and a service based in Massachusetts. This in a place where you don’t bat an eyelid to see a donkey in a side street next to a shiny SUV, and a guy in a smart suit brushing shoulders with a crumpled old man riding a bike selling a rainbow of balloons.

Of course this set me thinking. For one thing, this place is totally unwired. There are no drains, no power infrastructure, no fiber optic cables. The cellphone is perfectly suited to this environment that flirts with chaos.

But there’s something else. The cellphone is a computer, and it’s on the cusp of being so much more than what it is. Our phones contain all the necessary tools to turn them into ways to measure our health—the iStethoscope, for example, which enables doctors to check their patients’ heartbeats, or the iStroke, an iPhone application developed in Singapore to give brain surgeons a portable atlas of the inside of someone’s skull.

But it’s obvious it doesn’t have to stop there. iPhone users are wont to say “There’s an app for that” and this will soon be the refrain, not of nerdy narcissists, but of real people with real problems.

When we can use our cellphone to monitor air pollution levels, test water before we drink it, point it at food to see whether it’s gone bad or contains meat, or use them as metal detectors or passports or as wallets or air purifiers, then I’ll feel like we’re beginning to exploit their potential.

In short, the cellphone will become, has become, a sort of Swiss Army penknife for our lives. In Afghanistan that means a degree of connectivity no other medium can provide. Not just to family and friends, but to the possibility of a better life via the web, or at least to the escapism of television.

For the rest of us in the pampered West, we use it as a productivity device and a distraction, but we should be viewing it as a doorway onto a vastly different future.

When a crime committed is not just saved on film, from Rodney King to the catwoman of Coventry, but beamed live through to services that scan activity for signs of danger, the individual may be protected in a way they are presently not.

We may need less medical training if, during the golden hour after an accident, we can use a portable device to measure and transmit vital signs and receive instruction. Point the camera at the wound and an overlay points out the problem and what needs to be done. Point and click triage, anyone?

Small steps. But I can’t help wondering why I’m more inspired by the imaginative and enterprising use of cellphones in places like Afghanistan, and why I’m less than impressed by the vapid self-absorption of the average smart phone user in our First World.

Now I’m heading back to the guard hut to watch the late soap.

Welcome To Long Distance Bluesnarfing

(Please note: I’m not in possession of any bluesnarfing software and I’m not going to link to any. So please don’t bother leaving comments requesting it.)

Long distance Bluesnarfing is here.

Austrian researcher and Bluetooth expert Martin Herfurt tells me that he and some friends — Mike Outmesguine, John Hering, James Burgess and Kevin Mahaffey — were able to Bluesnarf a cellphone more than 1 mile away in Santa Monica Bay early on Wednesday. This follows a similar experiment late last month in which some of the same guys successfully connected to a Bluetooth phone 1 km away.

(Bluesnarfing is the practice of using a vulnerability in cellphones’ implementation of Bluetooth to steal data or to hijack a cellphone to make calls or send text messages without the user’s permission or knowledge.)

Martin says the distance was exactly 1.08 miles, or 1.78 km, which is in itself something of a feat, given they were using pretty basic stuff: a 19 dB antenna with a modified class 1 dongle on one side and, on the other, the victim’s unmodified phone. But it wasn’t just that: He says they were able to not only snarf the entire address book but also send an SMS from the victim’s phone.

Here’s Martin, the victim, in the foreground, with the pier in the background near where the attacker was located:

I hope this kind of experiment lays to rest those folk who don’t see how this kind of thing would be a problem. Most of the naysayers claim that Bluesnarfing only works close by, but this shows that’s not true. What’s more, it shows how Bluesnarfing can be a sniper or a vacuum cleaner: Martin says they spotted dozens of Bluetooth phones in their experiment but just focused on the target phone. But if they’d wanted they could have sucked up the address books and data in most of those phones — information that might have proved very valuable.

The Dangers Of Snarf

Is Bluesnarfing something to worry about? Yes, according to an Austrian study.

In the middle of last month a researcher at Salzburg Research Forschungsgesellschaft mbH, Martin Herfurt, set up a laptop and Bluetooth dongle near the public restrooms in Hall 11 at CeBIT, Europe’s biggest IT exposition, in Hannover. He then started to sniff for Bluetooth cellphones. In four days he found 1,269 different devices.

Bluesnarfing, or SNARFing, involves connecting to a device without permission (what’s called pairing) and then accessing data on the device or using its features. Martin didn’t do anything to the devices he did find, but he makes clear he could have:

  • sent SMS (text) messages from the victim’s phone without her knowledge;
  • made phone calls from the victim’s phone; and
  • altered the phone book and the record of dialled numbers on the victim’s phone.

Worst off were the Nokia 6310 and the more enhanced Nokia 6310i, which he says “are very vulnerable to the SNARF attack. About 33 percent of all discovered devices of this type were disclosing personal phone book entries without requiring user-interaction.” And Martin thinks it could have been a lot worse: By basing himself near the restrooms, a lot of his victims were passing by, moving away before he could complete a full ‘attack’. (He stresses he has not kept any of the information he obtained this way.)

I’ve said in the past that this sort of thing sounds obscure, and therefore not something we think we should worry about. But just because we can’t think of how these vulnerabilities might be exploited doesn’t mean they won’t be, or that this is not a serious breach of our security.

These tricks may not in themselves be dangerous, but they highlight the fact that most of us walk around with a lot of personal data inside our phone/PDA (our address book, who we called, a record of messages sent and received, our name, our exact position, passwords and bank account numbers, email messages) which could be obtainable by someone with the interest and a modicum of equipment.

I don’t think the problem here is hijacking a phone to make a call, or SMS spam, or whatever. It’s that as cellphones and PDAs merge, these devices will inevitably become attractive targets of ID thieves, commercial spies and anyone else with an interest in finding out more about us. Unless we’re careful, Bluetooth will become just one more open door through which they can do it.

Update: One Of Microsoft Security Report Authors Fired

One of the authors of the security paper (PDF file) that said Microsoft was a threat to national security has been fired, according to CNET. Cambridge, Mass.-based @Stake, where Dan Geer worked as chief technical officer, said in a statement Thursday that the researcher had not gotten his employer’s approval for the study’s release, and that he was no longer associated with the company. Although independently financed and researched, the study was distributed by the Computer and Communications Industry Association (CCIA), a Washington-based trade association largely made up of Microsoft’s rivals.

A Microsoft spokesman said the software maker had not pressured @Stake to make any decision on Geer’s status. Bruce Schneier, a security expert and co-author of the report, saw things differently, according to CNET. He said the idea for the report had come from Geer and the other researchers, not from the CCIA or other Microsoft rivals. The group had found it hard to find other researchers to sign on to the idea, even if those approached agreed with the study’s premises, he said. “When we were conceiving and writing the report, a surprising number of researchers said ‘No,’ because of the fear of Microsoft,” Schneier said. “Dan was not talking for @Stake. We were speaking as researchers. The fact that @Stake couldn’t get around that shows the pressure that Microsoft brings to bear.”

News: We’re Losing the Virus Arms Race

This week’s New Scientist confirms what readers of this blog already knew about the growing imbalance in the virus arms race. Antivirus specialists, the mag says, are fighting a losing battle against malicious code like viruses and worms. Research undertaken at Hewlett-Packard’s labs in Bristol, UK, is the first to evaluate the effectiveness of antiviral software. It shows that the way we fight viruses is fundamentally flawed, because viruses spread faster than antivirus patches can be distributed. By the time the antivirus software catches up, the damage has already been done.

Hewlett-Packard researcher Matthew Williamson designed a computer model to mimic the way in which viruses spread, based on a model that tracks the spread of biological viruses. He then introduced parameters to represent the way the antivirus software responds to this spread. He found that even if a signature is available from the moment a virus is released, it cannot stop the virus spreading if it propagates fast enough. Should we be worried? Yes.
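To make the arms-race point concrete, here is a toy model I’ve added for this post; it is not Williamson’s HP simulation. It assumes three kinds of host (susceptible, infected, protected by a signature), a signature that exists from step 0 but reaches only a fraction of hosts per step, and invented spread and rollout rates.

```python
"""Toy worm-versus-signature race model (added illustration, not
Williamson's HP simulation). Hosts are susceptible (S), infected (I) or
protected (P, i.e. have the signature). The signature exists from step 0
but reaches only a fraction of hosts per step. All rates are invented."""


def simulate(n_hosts, beta, rollout, steps=200, seed_infected=1):
    """Return (peak infected fraction, cumulative infected fraction).

    beta    - infections one infected host causes per step when all
              other hosts are still susceptible
    rollout - fraction of unprotected hosts that receive the signature
              each step; it immunises S hosts and cleans I hosts
    """
    s = float(n_hosts - seed_infected)
    i = float(seed_infected)
    ever = i                    # cumulative infections
    peak = i / n_hosts
    for _ in range(steps):
        # mass-action spread, capped by the hosts left to infect
        new_inf = min(s, beta * i * s / n_hosts)
        s -= new_inf
        i += new_inf
        ever += new_inf
        # signature rollout happens after this step's infections
        s_prot = s * rollout
        i_prot = i * rollout
        s -= s_prot
        i -= i_prot
        peak = max(peak, i / n_hosts)
    return peak, ever / n_hosts


def compare(n_hosts=100_000, rollout=0.05):
    """Same rollout speed, two worms: slow (beta=0.02) and fast (beta=2.0).

    Returns ((peak, total) for the slow worm, (peak, total) for the fast)."""
    slow = simulate(n_hosts, beta=0.02, rollout=rollout)
    fast = simulate(n_hosts, beta=2.0, rollout=rollout)
    return slow, fast


if __name__ == "__main__":
    (ps, ts), (pf, tf) = compare()
    print(f"slow worm: peak {ps:.2%} infected, {ts:.2%} ever infected")
    print(f"fast worm: peak {pf:.2%} infected, {tf:.2%} ever infected")
```

With the signature available from the first step, the slow worm never gets beyond its seed host, while the fast one has infected roughly half the population before rollout catches up.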

News: Have you been brand spoofed yet?

SurfControl, an anti-spam company, says that “brand spoofing spam” – where a spammer sends fraudulent email that pretends to be from a well-known and trusted company — is getting worse, after only a few months of its existence.

The spammer, posing as a customer service or security official, directs the unsuspecting recipient of the spam to a phony Web site. The site then requests confidential financial information or a Social Security number that allows the spammer to commit fraud or identity theft. Over the last few months, SurfControl said in a press release, Best Buy, UPS, Bank of America, PayPal and First Union Bank have been brand spoofed. Four large Australian banks also have been brand spoofed, including the Commonwealth Bank of Australia. Last Thursday, Sony Electronics reported that it had become aware of a deceptive spam e-mail that had been sent to consumers, requesting personal information such as password and e-mail address, claiming to come from “SonyStyle Customer Service.”

SurfControl says brand spoofing spam was first seen in March and has been growing steadily since then. Brand spoofing spam has grown from zero before March to more than five a month. The increase in such dangerous spam is linked to the growth in the availability of open proxy servers, which allow spammers to send anonymous, nearly untraceable e-mail. According to a researcher at the University of Oregon Computing Center, the number of identified open proxies grew from 1,000 in October 2002, to 100,000 in April 2003.

News: “Champagne or ink, sir?”

The chips are down

Unsurprisingly, computer printer cartridges are more expensive than vintage champagne. An investigation by British consumer group Which? published yesterday found that “Epson inkjet cartridges stopped printing even though in some cases there was enough ink to print over a third more pages”.

Here’s the full press release:

“Many of the printers tested gave premature warnings to change ink and toner cartridges, but most gave users the option of continuing printing. However, embedded into Epson’s ink cartridges are chips that stop the cartridge working before the ink runs out. A Which? researcher managed to override this system and print up to 38 per cent more good quality pages, even though the chips stated that the cartridge was empty.

“Epson cartridges are pricey – a T026201 cartridge costs about £21 and holds approximately 12ml of ink. This works out at around £1.75 per millilitre for ink, which makes it over seven times more expensive than vintage champagne (a bottle of 1985 Dom Perignon works out at about 23p per millilitre).

“Epson said that customers are free to reset these chips to get more ink out, but it will continue to use them ‘to protect the customer from accidentally damaging their printer or producing sub-standard print quality, by unknowingly draining the ink cartridge and damaging the print head.’

“Which? experts think that damaging the print head is unlikely if consumers stop printing as soon as they see a drop in quality.”
 
I’ve harped on before about the sleazy price of cartridges. I hadn’t thought of comparing it to bubbly, though. Good one.