I’m An Airline, Fly Me

This an email from a bona fide airline: 

Dear Sir/Madam,

Please be informed that your transaction with [international carrier] has been confirmed. Due to fraud prevention procedure against Credit Card transaction, we would like to validate your recent transaction with [international carrier] by filling information below :

Passenger(s) name :
Route :
Date of Travel :
Cardholder name :
Address :

Also, we need to confirm and validate your name and last four digit of your card number. Please kindly provide scanned/image of your front side credit card that used to buy the ticket. You may cover the rest information on the card. Please reply in 8 hours after received this email or we will cancel the reservation.

Thank you for your cooperation.

Best Regards,
Verification Data Management

All at sea: global shipping fleet exposed to hacking threat

[Original link: this one includes links to the source material where available]

(Reuters) – The next hacker playground: the open seas – and the oil tankers and container vessels that ship 90 percent of the goods moved around the planet.

In this internet age, as more devices are hooked up online, so they become more vulnerable to attack. As industries like maritime and energy connect ships, containers and rigs to computer networks, they expose weaknesses that hackers can exploit.

Hackers recently shut down a floating oil rig by tilting it, while another rig was so riddled with computer malware that it took 19 days to make it seaworthy again; Somali pirates help choose their targets by viewing navigational data online, prompting ships to either turn off their navigational devices, or fake the data so it looks like they’re somewhere else; and hackers infiltrated computers connected to the Belgian port of Antwerp, located specific containers, made off with their smuggled drugs and deleted the records.

While data on the extent of the maritime industry’s exposure to cyber crime is hard to come by, a study of the related energy sector by insurance brokers Willis this month found [PDF] that the industry “may be sitting on an uninsured time bomb”.

Globally, it estimated that cyber attacks against oil and gas infrastructure will cost energy companies close to $1.9 billion by 2018. The British government reckons cyber attacks already cost UK oil and gas companies around 400 million pounds ($672 million) a year.

In the maritime industry, the number of known cases is low as attacks often remain invisible to the company, or businesses don’t want to report them for fear of alarming investors, regulators or insurers, security experts say.

There are few reports that hackers have compromised maritime cyber security. But researchers say they have discovered significant holes in the three key technologies sailors use to navigate: GPS, marine Automatic Identification System (AIS), and a system for viewing digital nautical charts called Electronic Chart Display and Information System (ECDIS).

“Increasingly, the maritime domain and energy sector has turned to technology to improve production, cost and reduce delivery schedules,” a NATO-accredited think-tank wrote in a recent report. “These technological changes have opened the door to emerging threats and vulnerabilities as equipment has become accessible to outside entities.”

TIP OF THE ICEBERG

As crews get smaller and ships get bigger, they increasingly rely on automation and remote monitoring, meaning key components, including navigational systems, can be hacked.

A recent study by security company Rapid7 found more than 100,000 devices – from traffic signal equipment to oil and gas monitors – were connected to the internet using serial ports with poor security. “The lines get blurry, and all industries and all technologies need to focus more on security,” said Mark Schloesser, one of the authors of the study.

Mark Gazit, CEO of ThetaRay, an internet security company, said an attacker managed to tilt a floating oil rig to one side off the coast of Africa, forcing it to shut down. It took a week to identify the cause and fix, he said, mainly because there were no cyber security professionals aboard. He declined to say more.

Lars Jensen, founder of CyberKeel, a maritime cyber security firm, said ships often switch off their AIS systems when passing through waters where Somali pirates are known to operate, or fake the data to make it seem they’re somewhere else.

Shipping companies contacted by Reuters generally played down the potential threat from hackers. “Our only concern at this stage is the possible access to this information by pirates, and we have established appropriate countermeasures to handle this threat,” said Ong Choo Kiat, president of U-Ming Marine Transport, Taiwan’s second-largest listed shipping firm by market value. The company owns and operates 53 dry cargo ships and oil tankers.

VIRUS-RIDDLED

A study last year by the Brookings Institution of six U.S. ports found that only one had conducted an assessment of how vulnerable it was to a cyber attack, and none had developed any plan to response to any such attack. Of some $2.6 billion allocated to a federal program to beef up port security, less than 1 percent had been awarded for cyber security projects.

When CyberKeel probed the online defences of the world’s 20 largest container carriers this year it found 16 had serious security gaps. “When you look at the maritime industry there’s extremely limited evidence of systems having been breached” compared to other sectors, said CyberKeel’s Jensen. “That suggests to us that they’ve not yet been found out.”

Michael Van Gemert, a security consultant to the oil and gas industry, said that on visits to rigs and ships he has found computers and control systems riddled with viruses. In one case, he said it took 19 days to rid a drilling rig en route from South Korea to Brazil of malware which had brought the vessel’s systems to a standstill.

“The industry is massively in need of help, they have no idea what the risks are,” he said.

The main ship navigation systems – GPS, AIS and ECDIS – are standards supported by bodies such as the International Maritime Organisation (IMO). Indeed, that body has made AIS and ECDIS mandatory on larger commercial and passenger vessels.

Researchers from the University of Texas demonstrated last July that it was possible to change a ship’s direction by faking a GPS signal to dupe its onboard navigation system.

Marco Balduzzi and colleagues at anti-virus vendor Trend Micro last month showed that an attacker with a $100 VHF radio could exploit weaknesses in AIS – which transmits data such as a vessel’s identity, type, position, heading and speed to shore stations and other ships – and tamper with the data, impersonate a port authority’s communications with a ship or effectively shut down communications between ships and with ports.

In January, a British cyber security research firm, NCC Group, found flaws in one vendor’s ECDIS software that would allow an attacker to access and modify files, including charts. “If exploited in a real scenario,” the company concluded, “these vulnerabilities could cause serious environmental and financial damage, and even loss of life.”

When the USS Guardian ran aground off the Philippines last year, the U.S. Navy in part blamed incorrect digital charts. A NATO-accredited think-tank said the case illustrated “the dangers of exclusive reliance upon electronic systems, particularly if they are found vulnerable to cyber attack.”

“Most of these technologies were developed when bandwidth was very expensive or the internet didn’t exist,” said Vincent Berk, CEO of security company FlowTraq.

NO QUICK FIX

Fixing this will take time, and a change in attitude.

“Security and attack scenarios against these technologies and protocols have been ignored for quite some time in the maritime industry,” said Rapid7’s Schloesser.

Researchers like Fotios Katsilieris have offered ways to measure whether AIS data is being faked, though he declined to be interviewed, saying it remained a sensitive area. One Google researcher who has proposed changes to the AIS protocol wrote on his blog that he had been discouraged by the U.S. Coastguard from talking publicly about its vulnerabilities.

Indeed, AIS is abused within the industry itself.

Windward, an Israeli firm that collects and analyses AIS data, found 100 ships transmitting incorrect locations via AIS in one day – often for security or financial reasons, such as fishing boats operating outside assigned waters, or smuggling.

In a U.N. report issued earlier this year [PDF] on alleged efforts by North Korea to procure nuclear weapons, investigators wrote that one ship carrying concealed cargo turned off its AIS signals to disguise and conceal its trip to Cuba.

It’s not clear how seriously the standards bodies treat the threat. Trend Micro’s Balduzzi said he and his colleagues were working with standards organisations, which he said would meet next year to discuss his research into AIS vulnerabilities.

The core standard is maintained by the International Telecommunications Union (ITU) in association with the IMO. In a statement, the IMO said no such report of vulnerabilities had been brought to its attention. The ITU said no official body had contacted it about the vulnerabilities of AIS. It said it was studying the possibility of reallocating spectrum to reduce saturation of AIS applications.

Yevgen Dyryavyy, author of the NCC report on ECDIS, was sceptical that such bodies would solve the problems soon.

First, he said, they have to understand the IT security of shipboard networks, onboard linked equipment and software, and then push out new guidelines and certification.

Until then, he said, “nothing will be done about it.”

($1 = 0.5949 British Pounds) (Additional reporting by Keith Wallis; Editing by Ian Geoghegan)

ZTE confirms security hole in U.S. phone

This is a piece I wrote with my colleague Lee Chyen Yee on the ZTE vulnerability. 

ZTE Corp, the world’s No.4 handset vendor and one of two Chinese companies under U.S. scrutiny over security concerns, said one of its mobile phone models sold in the United States contains a vulnerability that researchers say could allow others to control the device.

The hole affects ZTE’s Score model that runs on Google Inc’s Android operating system and was described by one researcher as “highly unusual.”

“I’ve never seen it before,” said Dmitri Alperovitch, co-founder of cybersecurity firm, CrowdStrike. The hole, usually called a backdoor, allows anyone with the hardwired password to access the affected phone, he added.

Read the rest at ZTE confirms security hole in US phone

 

True Video Lies

This is a longer version of a piece I recorded for the BBC World Service.

The other day my wife lost her phone out shopping. We narrowed it down to either the supermarket or the taxi. So we took her shopping receipt to the supermarket and asked to see their CCTV to confirm she still had the phone when she left.

To my surprise they admitted us into their control room. Banks of monitors covering nooks, crannies, whole floors, each checkout line. There they let us scroll through the security video—I kind of took over, because the guy didn’t seem to know how to use it—and we quickly found my wife, emptying her trolley at checkout line 17. Behind her was our daughter in her stroller, not being overly patient. It took us an hour but in the end we established what look liked a pretty clear chain of events. She had the bag containing the phone, which she gave to our daughter to distract her at the checkout. One frame shows the bag falling from her hands onto the floor, unnoticed by my wife.

Then, a few seconds later, the bag is mysteriously whisked off the floor by another shopper. I couldn’t believe someone would so quickly swoop. The CCTV records only a frame a second, so it took us some time to narrow it down to a woman wearing black leggings, a white top and a black belt. Another half hour of checks and we got her face as she bought her groceries at another till. No sign of the phone bag by this time, but I was pretty sure we had our man. Well, woman.

Except I’m not sure we did. What I learned in that control room is that video offers a promise of surveillance that doesn’t lie. It seems to tell us a story, to establish a clear chain of events. But the first thing I noticed was when I walked back out into the supermarket, was that how little of the floor it covered, and how narrow each camera’s perspective was.

For the most part we’ve learned that photos don’t always tell the truth. They can be manipulated; they offer only a snapshot, without context. But what about videos? We now expect to see cameraphone footage in our news bulletins, jerky, grainy recordings taken by unseen hands, raw and often without context.

This is not to say videos are not powerful truth tellers. But we tend to see what we want to see. When a policeman pepper sprays protests at the University of California there is outrage, and it does indeed appear to be unwarranted. But when four of the videos are synchronized together a more complex picture emerges. Not only can one see the incident within context, but also one gets a glimpse of a prior exchange, as the officer explains what he is about to do to one protester, who replies, almost eagerly: “You’re shooting us specifically? No that’s fine, that’s fine.”

This is not to condone what happens next, but this exchange is missing from most of the videos. The two videos that contain the full prelude are, of course, longer, and have been watched much fewer times: 12,658 (15 minutes) and 245,226 times (8 minutes) versus 1,346,781 times (1 minute) for the one that does not  (the other video has since been taken down).

I’m not suggesting that the more popular video has been deliberately edited to convey a different impression, but it’s clearly the version of events that most are going to remember.

We tend to believe video more than photos. They seem harder to doctor, harder to hoodwink us, harder to take out of context. But should we?

It’s true that videos are harder to fake. For now. But even unfaked videos might seem to offer a version of the facts that isn’t the whole story. Allegations that former IMF president  Dominique Strauss-Kahn may have been framed during a sexual encounter at a New York Hotel, for example, have recently been buttressed by an extensive investigation published recently in the New York Review of Books. There’s plenty of questions raised by the article, which assembles cellphone records, door key records, as well as hotel CCTV footage.

The last seems particularly damning. A senior member of the hotel staff is seen high-fiving an unidentified man and then performing what seems to be an extensive dance of celebration shortly after the event. This may well be the case, but I’d caution against relying on the CCTV footage. For one thing, if this person was in any way involved, would they not be smart enough to confine their emotions until they’re out of sight of the cameras they may well have installed themselves?

Back to my case: Later that night we got a call that our phone had been recovered. The police, to whom I had handed over all my CCTV evidence, said I was lucky. A woman had handed it in to the mall’s security people. I sent her a text message to thank her. I didn’t have the heart to ask her whether she had been wearing black trousers and white top.

But I did realise that the narrative I’d constructed and persuaded myself was the right one was just that: a story I’d chosen to see.

Carrier IQ’s Opt-Out Data Collection Patent

ZDNet writes here about an Carrier IQ patent that outlines keylogging and ability to target individual devices . Which is interesting. But Carrier IQ owns a dozen patents, including this one, which to me is much more interesting. This patent indicates what Carrier IQ software could do—not what it does—but it is revealing nonetheless:

A communication device and a data server record and collect events and event-related data to create an activity record. A user of the communication device may request that events and related data be recorded and collected using a configuration option on the communication device or through an interaction with the data server. Data are grouped into data sets and uploaded to the data server either automatically or upon user approval. The data server uses the uploaded data to create an activity record which the user may access through a website. The user uploads additional data which are associated with the activity record. In some instances, the data server embeds a link pointing to the additional data in an entry in the activity record corresponding to an event associated with the additional data.

Basically this patent offers a way for a “user”—which could be either the user of the device or the service—to have a record of everything they do:

image

While most of the patent is clearly about a product that would create a ‘lifestream’ for the user—where they can access all the things they’ve done with the device, including photos etc, in one tidy presentation, there’s clearly more to it than that. Buried in the patent are indications that it could do all this without the user asking it to. It’s paragraph 0023 which I think is most interesting:

A user of a mobile device requests that events and event-related data be collected by a data server and data collection begins. Alternately, data collection may be a default setting which is turned off only when the device user requests that data collection not occur. In yet another embodiment, a request from a server can initiate, pause, or stop data collection. The mobile device is configured to record events performed by the mobile device as well as event-related data. Typical events that the mobile device records include making or receiving a phone call; sending or receiving a message, including text, audio, photograph, video, email and multimedia messages; recorded voice data, voice messages, taking a photograph; recording the device’s location; receiving and playing an FM or satellite radio broadcast; connecting to an 802.11 or Bluetooth access point; and using other device applications. The data most often related to an event include at least one of: the time, date and location of an event. However, other event-related data include a filename, a mobile device number (MDN) and a contact name. Commonly, the mobile device records events and provides a time, date and location stamp for each event. The events and event-related data can be recorded in sequence and can be stored on the mobile device.

This seems to suggest that

  • basically all activity on the phone can be logged
  • the software can be turned on by default
  • the software can be turned on and off from the server

All this information would be grouped together and uploaded either with the user’s permission or without it:

[0025] The mobile devices may be configured to store one or more data sets and upload the data sets to the data server. In one embodiment, the data sets are uploaded automatically without user intervention, while in other embodiments the mobile device presents a query to the user beforehand. When the mobile device is ready to upload one or more sessions to the data server, a pop-up screen or dialog may appear and present the user with various options. Three such options include (1) delete session, (2) defer and ask again and (3) upload now. The user interface may present the query every time a session is ready to upload, or the user may be permitted to select multiple sessions for deletion, a later reminder or upload all at once. In another embodiments, the uploading of sessions may occur automatically without user intervention. Uploads may also be configured to occur when the user is less likely to be using the device.

This point—about the option to collect such data without the user’s say-so—is confirmed in [0030]:

Although typically the device and the server do not record, upload and collect data unless the user requests it, in other embodiments the communication device and the server automatically record, upload and collect data until the user affirmatively requests otherwise.

And in [0046]:

In embodiments where participation in the data collection services is the default configuration for a mobile device (e.g., an “opt-out” model), it is not necessary to receive a request from a user prior to recording data.

An ‘opt-out’ model is hard to visualize if this is a product that is a user-centric lifestream.

While patents only tell part of the story, there’s no evidence of any such consumer-facing product on Carrier IQ’s website, so one has to assume these capabilities have been, or could be, wrapped into their carrier-centric services. In that sense, I think there’s plenty of interest in here.

Former Soviet Bloc, Allies, Under Lurid Attack

Trend Micro researchers David Sancho and Nart Villeneuve have written up an interesting attack they’ve dubbed LURID on diplomatic missions, government ministries, space-related government agencies and other companies and research institutions in the former Soviet bloc and its allies. (Only China was not a Soviet bloc member or ally in the list, and it was the least affected by the attack.)

Although they don’t say, or speculate, about the attacker, it’s not hard to conclude who might be particularly interested in what the attacks are able to dig up:

Although our research didn’t reveal precisely which data was being targeted, we were able to determine that, in some cases, the attackers attempted to steal specific documents and spreadsheets.

Russia had 1,063 IP addresses hit in the attacks; Kazakhstan, 325; Ukraine, 102; Vietnam, 93; Uzbekistan; 88; Belarus, 67; India, 66; Kyrgyzstan, 49; Mongolia, 42; and China, 39.

The campaign has been going for at least a year, and has infected some 1,465 computers in 61 countries with more than 300 targeted attacks.

Dark Reading quotes Jamz Yaneza, a research director at Trend Micro, as saying it’s probably a case of industrial espionage. But who by? ”This seems to be a notable attack in that respect: It doesn’t target Western countries or states. It seems to be the reverse this time,” Yaneza says.

Other tidbits from the Dark Reading report: Definitely not out of Russia, according to Yaneza. David Perry, global director of education at Trend Micro, says could be out of China or U.S., but no evidence of either. So it could be either hacktivists or industrial espionage. Yaneza says attackers stole Word files and spreadsheets, not financial information. “A lot of the targets seemed to be government-based,” he says.

My tuppennies’ worth? Seems unlikely to be hactivists, at least the type we think of. This was a concerted campaign, specifically aimed to get certain documents. Much more likely to be either industrial espionage or pure espionage. Which means we might have reached the stage where groups of hackers are conducting these attacks because a market exists for the product retrieved. Or had we already gotten there, and just not known it?

Either way, Russia and its former allies are now in the crosshairs.

More reading:

Massive malware attacks uncovered in former USSR | thinq_

Cyberspy attacks targeting Russians traced back to UK and US • The Register

Taking Shady RAT to the Next Level

I know I’ve drawn attention to this before, but the timeline of McAfee’s Operation Shady RAT by Dmitri Alperovitch raises questions again about WikiLeaks’ original data.

Alperovitch points out that their data goes back to mid-2006:

We have collected logs that reveal the full extent of the victim population since mid-2006 when the log collection began. Note that the actual intrusion activity may have begun well before that time but that is the earliest evidence we have for the start of the compromises.

This was around the time that Julian Assange was building up the content that, he recounted in emails at the time, that his hard drives were filling up with eavesdropped documents:

We have received over 1 million documents from 13 countries, despite not having publicly launched yet! (Wikileaks Leak, Jan, 2007)

Although Assange has since denied the material came from eavesdropping, it seems clear that it was, until McAfee’s report, the earliest example of a significant trove of documents and emails stolen by China-based hackers. This may have been the same channel stumbled upon a year later by Egerstad (Dan Egerstad’s Tor exit nodes get him arrested and proves a point I made in July | ZDNet).

There were, however, reports in mid 2006 of largescale theft of documents: State Dept (May), and NIPRNet (June), US War College (Sept) and German organisations (October).

I would like to see more data from McAfee and, in the interests of transparency, at least the metadata from the still unrevealed WikiLeaks stash in order to do some note comparing and triangulation. I’d also like to see this material compared with the groundbreaking work by three young Taiwanese white hats, who have sifted through malware samples to try to group together some of these APTs: APT Secrets in Asia – InSun的日志 – 网易博客.

The work has just begun.

Data, WikiLeaks and War

I’m not going to get into the rights and wrongs of the WikiLeaks thing. Nor am I going to look at the bigger implications for the balance of power between governed and governing, and between the U.S. and its allies and foes. Others have written much better than I can on these topics.

I want to look at what the cables tell us about the sorting, sifting and accessing of this information. In short, what does this tell us about how the world’s most powerful nation organized some of its most prized data?

To start, with, I want to revisit a conversation I had sitting in the garden of a Kabul pub called the Gandermack a few weeks back when it struck me: the biggest problem facing NATO in winning the war in Afghanistan is data.

I was talking to a buff security guy—very buff, in fact, as my female companions kept remarking—who was what might have once been a rare breed, but are now in big demand in Afghanistan. He was a former marine (I think), but was also a computer guy with an anthropology or sociology degree under his black belt somewhere. This guy knew his stuff.

And he was telling the NATO forces where they were going wrong: data management.

The problem, he explained, is not that there isn’t enough of it. It’s that there’s too much of it, and it’s not being shared in a useful way. Connections are not being made. Soldiers are drowning in intelligence.

All the allied forces in Afghanistan have their own data systems. But, I was told, there’s no system to make sense of it. Nor is there one to share it. So data collected by a garrison from one country in one part of the country is not accessible by any of the other 48 nations.

On the surface it seems this problem was fixed. In the wake of 9/11 U.S. departments were told to stop being so secretive. Which is why we got to WikiLeaks–one guy apparently able to access millions of classified documents from pretty much every corner of the planet. If he could do then so could thousands of other people. And, one would have to assume, so could more than a few people who weren’t supposed to have access. To give you an idea of the trove unearthed, WikiLeaks has released about 1,000 so far, meaning it’s going to take them nearly seven years to get all the cables out. Cable fatigue, anyone?

So, it would seem that the solution to the problem of not having enough pooled information is to just let anyone have it. But that, it turns out, isn’t enough. That’s because what we see from the WikiLeaks material is how old it looks.

I spent much of the early 1980s trawling through this kind of thing as a history student. Of course, they were all declassified documents going back to the 1950s, but the language was remarkably similar, the structure, the tone, the topics, the look and feel. A diplomatic cable in 2010 looks a lot like a cable from 50 years ago. In the meantime communication has gone from the telegraph to the fax to email to blogs to the iphone to twitter to Facebook.

This, to me, is the problem. It’s not that we’ve suddenly glimpsed inside another world: We would have seen a lot of this stuff at some point anyway, though it’s useful to see it earlier. Actually we can take some succour from the fact that diplomats seem to be doing a pretty good job of reporting on the countries they’re posted to. Journalists shouldn’t be surprised; we’ve relied on diplomats for a while. (And they might rightly feel somewhat aggrieved we now do this to them.)

No, the problem that WikiLeaks unearths is that the most powerful nation on earth doesn’t seem to have any better way of working with all this information than anyone else. Each cable has some header material—who it’s intended for, who it’s by, and when it was written. Then there’s a line called TAGS, which, in true U.S. bureaucratic style doesn’t actually mean tags but “Traffic Analysis by Geography and Subject”—a state department system to organize and manage the cables. Many are two letter country or regional tags—US, AF, PK etc—while others are four letter subject tags—from AADP for Automated Data Processing to PREL for external political relations, or SMIG for immigration related terms.

Of course there’s nothing wrong with this—the tag list is updated regularly (that last one seems to be in January 2008). You can filter a search by, say, a combination of countries, a subject tag and then what’s called a program tag, which always begins with K, such as KPAO for Public Affairs Office.

This is all very well, but it’s very dark ages. The trouble is, as my buff friend in the Kabul garden points out, there’s not much out there that’s better. A CIA or State Department analyst may use a computer to sift through the tags and other metadata, but that seems to be the only real difference between him and his Mum or Dad 50 years before.

My buff friend made a comparison with the political officer in today’s ISAF with a political officer (sometimes called an agent) back in the days of the British Raj. Back then the swashbuckling fella would ride a horse, sleep on the ground and know the Afghan hinterlands like the back of his hand, often riding alone, sipping tea with local chieftains to collect intelligence and use it to effect change (in this case meaning extend the already bulging British sphere of influence.) He would know the ins and outs of local tribal rivalries, who hated whom, etc. All of it stored in his head or in little notebooks.

His modern equivalent may actually have the same information, but it’ll be gleaned from the occasional photo opportunity, a squillion intelligence reports, all suitably tagged, and perhaps footage from a couple of drones. If the chieftain he’s interested in coopting straddles a regional command, chances are that he won’t be able to access anyone else’s information on him–assuming they have any.

In short, the problem in the military and diplomatic world is the same we’re facing in the open world. We have a lot more information than we can use—or keep track of—and it’s not necessarily making us any smarter. Computers haven’t helped us understand stuff better—they’ve just helped us collect, share, and lose more of it.

I must confess I’ve not made much progress on this myself. My main contribution is persuading a researcher friend to use a program called PersonalBrain, which helps you to join the dots between people, things, organisations, whatever you’re trying to figure out. It’s all manual though, which puts people off: What you mean I have to make the connections myself? Well, yes. Computers aren’t magic.

Yet. It’s clear to me that 10 years down the track, I hope, we’ll finally get that writing in prose, and then adding a hierarchy of labels to a document, is no longer the way to go. Instead, we’ll be writing into live forms that make connections as we write, annotate on the fly, draw spindly threads to other parts of our text, and make everything come to life. I will be able to pull into the document visuals, audio, other people, old records, chronologies, maps, and work with the data in three dimensions.

If this sounds familiar, it’s probably because it sounds like science fiction, something like Minority Report. But it’s not; it’s a glimpse inside the mind of our imperial political agent; how he would make those connections because they were all in his head—neurons firing transmitters, axons alive, binding synapses.

If I were the U.S. government, I would take Cablegate as a wake up call. Not at the affrontery of this humiliation, but as a chance to rethink how its data is being gathered and made use of. Cablegate tells us that the world of the cable is over.

A pale white man shows us what journalism is

My weekly Loose Wire Service column.

Is the Internet replacing journalism?

It’s a question that popped up as I gazed at the blurred, distorted web-stream of a press conference from London by the founder of WikiLeaks, a website designed to “protect whistleblowers, journalists and activists who have sensitive materials to communicate to the public”.

On the podium there’s Julian Assange. You can’t make a guy like this up. White haired, articulate and defensive, aloof and grungy, specific and then sweepingly angry. Fascinating. In a world of people obsessed by the shininess of their iPhones, Assange is either a throwback to the past or a gulf of fresh air.

WikiLeaks, which has been around for a few years but has, with the release of mounds of classified data about the Afghan War, come center stage.

Assange doesn’t mince his words. He shrugs off questions he doesn’t like by pointing his face elsewhere and saying “I don’t find that question interesting.” He berates journalists for not doing their job — never

something to endear an interviewee to the writer.
But in some ways he’s right. We haven’t been doing our job. We’ve not chased down enough stories, put enough bad guys behind bars (celebrities don’t really count.) His broadsides may be more blunderbuss than surgical strike, but he does have a point. Journalism is a funny game. And it’s changing.

Asked why he chose to work with three major news outlets to release the Afghan data, he said it was the only way to get heard. He pointed out that he’d put out masses of interesting leaks on spending on the Afghan war previously and hardly a single journalist had picked it up.

Hence the — inspired — notion of creating a bit of noise around the material this time around. After all, any journalist can tell you the value of the material is less intrinsic than extrinsic: Who else is looking for it, who else has got it, and if so can we publish it before them.

Sad but true. We media tend to only value something if a competitor does. A bit like kids in the schoolyard. By giving it to three major outlets — New York Times, The Guardian, Der Spiegel — Assange ensured there was not only a triple splash but also the matchers from their competitors.

So Assange is right. But that’s always been like that. Assange is part of — and has identified — a much deeper trend that may be more significant than all the hand-wringing about the future of the media.

You see, we’ve been looking at media at something that just needs a leg-up. We readily admit the business model of the media is imploding.

But very little discussion of journalism centers on whether journalism itself might be broken. Assange — and others – believe it is.

The argument goes like this.

The model whereby media made a lot of money as monopolistic enterprises — fleecing advertisers at one end, asking subscribers to pay out at the other, keeping a death grip on the spigot of public, official or company information in the middle — has gone. We know that.

But what we don’t perhaps realize is that the Internet itself has changed the way that information moves around. I’m not just talking about one person saying something on Twitter, and everyone else online reporting it.

I’m talking about what news is. We journalists define news in an odd way — as I said above, we attach value to it based on how others value it, meaning that we tend to see news as a kind of product to grab.

The Internet has changed that. It’s turned news into some more amorphous, that can be assembled from many parts.

Assange and his colleagues at WikiLeaks don’t just act as a clearing house for leaked data. They add extraordinary value to it.

Don’t believe me? Read a piece in The New Yorker in June, about the months spent on cracking the code on, and then editing video shot in Iraq.

In a more modest way this is being done every day by bloggers and folk online, who build news out of small parts they piece together —some data here, a report there, a graphic to make sense of it. None of these separate parts might be considered news, but they come together to make it so.

Assange calls WikiLeaks a stateless news organization. Dave Winer, an Internet guru, points out that this pretty much is what the blogosphere is as well. And he’s right. WikiLeaks works based on donations and collaborative effort. Crowd-sourcing, if you will.

I agree with all this, and I think it’s great. This is happening in lots of interesting places — such as Indonesia, where social media has mobilized public opinion in ways that traditional media has failed.

But what of journalism, then?

Jeff Jarvis, a future-of-media pundit, asked the editor of The Guardian, one of the three papers that WikiLeak gave the data too first, whether The Guardian should have been doing the digging.

He said no; his reporters add value by analyzing it. “I think the Afghan leaks make the case for journalism,” Alan Rusbridger told Jarvis. “We had the people and expertise to make sense of it.”

That’s true. As far as it goes. I tell my students, editors, colleagues, anyone who will listen, that our future lies not so much in reporting first but adding sense first. And no question, The Guardian has done some great stuff with the data. But this is a sad admission of failure — of The Guardian, of reporting, of our profession.

We should be looking at WikiLeaks and learning whatever lessons we can from it. WikiLeaks’ genius is manifold: It has somehow found a way to persuade people, at great risk to themselves, to send it reams of secrets. The WikiLeaks people do this by taking that data seriously, but they also maintain a healthy paranoia about everyone — including themselves — which ensures that sources are protected.

Then they work on adding value to that data. Rusbridger’s comments are, frankly, patronizing about WikiLeaks’ role in this and previous episodes.

We journalists need to go back to our drawing boards and think hard about how WikiLeaks and the Warholesque Assange have managed to not only shake up governments, but our industry, by leveraging the disparate and motivated forces of the Internet.

We could start by redefining the base currency of our profession — what news, what a scoop, what an exclusive is. Maybe it’s the small pieces around us, joined together.

Design: It’s All About Alarm Clocks

Business writer and entrepreneur Seth Godin throws out product ideas like other people throw out orange juice cartons:

For twenty cents or so, alarm clock manufacturers can add a chip that not only knows the time (via a radio signal) but knows what day it is too. Which means that they can add a switch that says “weekends.” Which means that the 98% of the population that doesn’t want to wake up on the same time on weekends as they do on weekdays will be happier (and better rested.)

But he’s not touting a new alarm clock, he’s making a point: “So why doesn’t every alarm clock have this feature?” he asks. “Because most people in that business are busy doing their jobs (distribution, promotion, pricing, etc.), not busy making products that people actually want to buy–and talk about.”

Indeed, companies are always far too busy doing what they’re doing to think about what they’re doing and wonder whether they can do it better. And, as Seth points out, this is because companies are compartmentalized into responsibilities, and brave is the person who tries to straddle departments.

The weekend alarm clock won’t be made by a big alarm clock company, it’ll be designed by someone like Gauri Nanda, who I mentioned a few weeks back as the inventor of Clocky, the alarm clock that goes walkabout. Gauri, needless to say, was working on her own.

Actually what I suspect happens in companies is that they just ignore the user entirely. This is partly because technical products are built (and much of them designed) by programmers and engineers. I hate to generalize, but these people thrive on complexity, not on usability. For them creating and mastering the opaque is an achievement, not a symptom of failure.

What usually happens is that there are two sides to product development: the people in the company who think it’s a good idea and the people who have to build it. But in my limited experience there’s no one in between who speaks both languages, and, most importantly, can see what the customer might expect and want.

This is the hardest bit: it’s called usability and it seems to be the last thing people think about. If you’ve ever grappled with an alarm clock, to continue Seth’s example, you’ll know what I mean.

My favorite is the alarm clock that makes a beep every time you press a button: not so useful if you’re trying to quietly set the alarm but not wake your loved one. One clock I have, despite being sophisticated enough to tell me the temperature, the time in Lima and how many thous in a furlong, even makes a beep when I hit the backlight button. And no, it can’t be switched off without a PhD in molecular biophysics.

I wish I could say that this is confined to alarm clocks, but it’s not. Nearly every device or program is dumb in its own way. But there are bright spots. One of the things I love about Web 2.0 is that the people designing the tools really seem to understand usability.

Of course, given the fact that Web 2.0 is one big feedback loop, where new versions pop up like mushroom after rain, it’s inevitable. But the result is websites that are easy to navigate and to figure out.

Apple, of course, figured this out long ago, But everyone else seems to be having problems understanding it. I tried out a website the other day which was supposed to help me find the best form of transportation between two places. The search engine was not smart enough to know a building’s earlier name, or even to recommend alternatives if I got the name slightly wrong.

The internal calculator was not smart enough to get the distances right (one walk I was asked to make between bus-stops would have taken me into the sea and halfway to the next country); neither was it smart enough to realize that was an error. All should have been spotted by any usability tests. All undermine the whole point of the website, which is to make it easy to figure out a way to get from A to B.

I won’t bore you with more examples: You are users, and you come across this stuff all the time. What worries me more is that we’re not listened to, at least in a way in that makes sense.

I was sitting in a seminar the other day listening to an employee of a global cellphone operator talking about she and her colleagues have been canvassing opinions about how consumers use cellphones. This is good, and what should be done, but I was surprised by how she went about it: Getting users together and asking them to make collages about how they use technology.

Frankly, I don’t think making collages is the right way to go about things. We need to get out on the streets, into the offices, bars and clubs, into the villages and factories, and observe how people actually use technology. Don’t expect people to fill in forms or do collages for you: Follow them around. Spy on them. I do.

One of the side-effects of the cellphone revolution is that it’s taken technology out of the usual places (office, den) and into every other room in the house (texting in the bath, watching mobile TV in bed) and beyond, into the bus stops, the subways, the village gazebo. Technology is now a seamless part of our lives. Researchers need to get out more.

The sad truth is that we’ve moved on and the geeks need to catch up. Because, lame as the alarm clock that beeps all the time and doesn’t know it’s the weekend is, nearly all our devices are no better: They’re too smart in the sense of feature density and too stupid in the interface that lets us use those features.

So, companies: Hire a usability consultant to tell you about your products and how they might be better. Or just try your own products: sleep in on a weekend or let your spouse try to find the alarm light button in the middle of the night and see how you like being woken up.

Then rub your eyes, get out of bed and head for the design table.

Seth’s Blog: Alarm clocks