Tag Archives: the Telegraph

Phantom Mobile Threats

How secure is your mobile phone?

This is an old bugaboo that folks who sell antivirus software have tried to get us scared about. But the truth is that for the past decade there’s really not been much to lose sleep over.

That hasn’t stopped people getting freaked out about it.

A security conference heard that some downloadable applications for phones running the Android operating system would “collect a user’s browsing history, their text messages, the phone’s SIM card number and subscriber identification” and send all this data to a website owned by someone in Shenzhen, China. Some outlets reported that it also transmitted the user’s passwords to their voicemail.

About 700 outlets covered the story, including mainstream publications like the Telegraph and Fortune magazine: “Is your smart phone spying on you?” asked one TV station’s website.

Scary stuff.

Only it isn’t true. It’s not clear who misreported all this (the journalists and others covering the event, or the company releasing the fruits of their research), but it gradually emerged that the applications—downloadable wallpapers—only transmitted a portion of this data. (See a corrected version of a story here.)

Indeed, the whole thing gets less suspicious the more you dig.

This is what the developer told me in a text interview earlier today: “The app [recorded] the phone number [because] Some people complained that when they change the[ir] phone, they will lose the[ir] favorite [settings]. So I [store] the phone number and subscriber ID to try to make sure that when [they] changed the phone, they have the same favorites.”

Needless to say the developer, based in Shenzhen, is somewhat miffed that no one tried to contact him before making the report public; nor had any of the 700 or so outlets that wrote about his applications tried to contact him before writing their stories.

“I am just an Android developer,” he said. “I love wallpapers and I use different wallpaper every day. All I want is to make the greatest Android apps.”

Now of course he could be lying through his teeth, but I see no evidence in the Lookout report or anything that has appeared subsequently that seems to suggest the developer has done anything underhand. (The developer shared with me some screenshots of his app’s download page which show that they do not request permission to access text message content or browsing history.)

In fact, he seemed to be doing a pretty good job: His apps had been downloaded several million times. He declined to give his name, but acknowledged that he was behind both apps provided under the name Jackeey, and under the name iceskysl@1sters!

Not much longer. One website quoted Lookout as saying “We’ve been working with Google to investigate these apps and they’re on top of it.” They have: Google has now removed the apps from their site. So I guess Jackeey, as he asked me to call him, is going to have to look for other ways to spend his time. (He told me that Lookout had contacted him by email but not, apparently, before going public.) 

Seems a shame. Obviously, there is a mobile threat out there, but I’m not sure this is the way to go about addressing it. And I don’t think a guy in Shenzhen doing wallpaper apps is, frankly, worth so much hysterical column ink.

Let’s keep some perspective guys, and not embark on a witch-hunt without some forethought.

Lookout has since been backtracking a bit from its original dramatic findings. “While this sort of data collection from a wallpaper application is certainly suspicious,” it says on its blog, “there’s no evidence of malicious behavior.”

Suspicious? We seem very quick to attribute suspicious behavior to someone we don’t know much about, in some scary far-off place, but less to those we do know, closer to home: Lookout’s main business, after all, is prominently displayed on their homepage: an application to, in its words, “protect yourself from mobile viruses and malware. Stop hackers in their tracks.”

Conflict of interest, anyone?

Virus Grounds French Fighters

Here’s more evidence of how vulnerable armed forces are to software attacks, intended or not. The French navy’s fighter jets “were unable to download their flight plans after databases were infected by a Microsoft virus they had already been warned about several months beforehand,” according to the Telegraph:

However, the French navy admitted that during the time it took to eradicate the virus, it had to return to more traditional forms of communication: telephone, fax and post.

Naval officials said the “infection” was probably due more to negligence than a deliberate attempt to compromise French national security. It said it suspected someone at the navy had used an infected USB key.

Last month, you may recall, a virus closed down the British Ministry of Defence.

French fighter planes grounded by computer virus – Telegraph

The New Newswire: a Dutch Student Called Michael

Twitter is now a news service in its own right. ReadWrite Web, an excellent website dedicated to Web 2.0 stuff, points out that the recent earthquake in England–not that unusual in itself, apparently, but rarely actually strong enough to be felt by humans—was reported first by Twitterers and by a Twitter-only news service called BreakingNewsOn (www.twitter.com/BreakingNewsOn): 

This story broke over Twitter in the past half hour, and nothing is up yet on the BBC sites, the Guardian, or the Telegraph. This story is breaking live on Twitter.

Looking at the situation a few hours later, it’s certainly true that mainstream websites have been a bit slow with the story. From what I can gather, the timeline is something like this (all times are in GMT):

Quake hits south of Grimsby 00:56  
First tweets 00:57  
BreakingNewsOn 00:59 (“Unconfirmed reports of earthquake in London”)
BreakingNewsOn 01:01 (“Reports of earthquake, working to confirm”, followed by lots of tweets)
BreakingNewsOn 01:10 (confirmation from European-Mediterranean Seismological Centre)
Dow Jones Newswires 01:29 (quotes BBC report)
Associated Press 01:30 (garbled alert)
Reuters 01:36 (“Quake shakes Britain, no casualties reported”)
AFP 01:45 (“Moderate quake shakes Britain”)
BBC twitter feed 01:56 (“Tremors felt across England”)

There may be some holes in here: I don’t have the exact time when the BBC website first carried the story, but I’m guessing it’s a few minutes before the wires. And this is not the first time BreakingNewsOn has been ahead: It was, according to some reports, first on the Benazir Bhutto assassination, although I’ve not been able to confirm that.

So who or what is BreakingNewsOn, and how does it scoop the big guys on their own turf? The service is actually pretty much one guy, a 20-year-old Dutch student called Michael van Poppel, according to this interview by Shashi Bellamkonda. He is a news junkie, and makes money from it too, doing something called web-trawling—searching the net for stuff he can sell to the big players. (He was the guy who last September dug up a videotape of Osama bin Laden, which he then sold to Reuters.)

Van Poppel works with a couple of other people and is clearly experienced and voracious in hoovering up web content. But it’s also about citizen journalism, crowd sourcing, whatever you want to call it: in the case of the UK quake, the first alerts actually came from witnesses, who twittered about the jolts they felt; it was BreakingNewsOn’s skill in harvesting that information, and staying sufficiently close to its readers for them to think to share their experience, that led to the fast turnaround. 

Of course, there’s much about this that is new. Everyone is now a reporter, if they find themselves in the middle of news. And everyone can be a media publisher: In this case it’s one 20-year-old student with a Twitter feed and an Internet-connected computer. And, finally, everyone can now subscribe to that once holiest-of-holies: a newswire service that updates in real time. Only now it’s not called a Reuters terminal or a Bloomberg but Twitter.

But behind that, not much has changed. I’ve covered a few quakes in my time, and it’s all about finding the stuff out quickly and getting it out quickly. No one was injured or killed, and it sounds like there was no falling masonry or damage to buildings. But that’s no excuse: earthquakes are news, and especially if they’re the strongest in the country for more than two decades.

Twitter is perfectly suited for breaking news, because it’s all about short pithy sentences and updates. As ReadWrite Web points out, during the California wildfires last year, Twitter and other citizen journalism tools were used by people on the ground, scooping the mainstream press. And all this offers some lessons for the mainstream press that it would be wise to absorb: 

  • Mainstream media cannot afford to be slow off the mark on stories like this, since their value to high-paying subscribers is intimately tied to their speed;
  • Alert streams are no longer the province of market traders;
  • Traditional media needs to find a way to work with these new sources of news, or else find a way to add value that such services cannot. In this case it could have been finding a way to reflect in the headlines the unusual nature of this event;
  • Traditional media has to both monitor these new sources of news–the tweets from ordinary folk surprised to be shaken awake by a tremor—and work with them to ensure that they, too, benefit.

Some might say that what van Poppel does isn’t news. I’d contest that. He did everything right in reporting the story: it’s big enough an event to merit an “unconfirmed” snap, then a quick follow-up containing what we old newshounds would call an advisory, letting subscribers know what he’s doing and to expect more. When he got confirmation he put it out, all within 10 minutes. That’s a time-tested, old-fashioned and reasonable news approach. He leveraged the new media, but he showed an understanding of news values and what his readers needed.

Kudos to him. We all could learn a lesson.

(An extended version of this post is available for publication to newsprint media as part of the Loose Wire Service. More details here, or email Jeremy Wagstaff directly.)

RSSpam, And The End Of A Medium’s Innocence

Will spam kill off RSS?

I’m a bit late spotting this, but I noticed today that Moreover’s RSS feeds contain a lot of ads. 2RSS.com noticed the same thing about a month ago. In fact there’s already been quite a discussion about the phenomenon, since not only Moreover does it. Indeed, there’s some talk that Blogger is actually inserting ads into the news feeds of its users.

What’s worrying is that all this is going on without much thought towards — or the consent of — the end-user. Moreover’s feeds, for example, not only include no AD: prefix that may help the user get a sense of what is actually part of the feed and what is RSSpam, but they also configure the spam so that every time you update your feed — or your RSS reader does it for you — the same piece of spam will pop up. This means, as this example from the Jason Murphy Show illustrates, large quantities of spam per valid item.

All this shows a lack of thought and consideration for what is still a very new medium. If you want to kill off RSS, Moreover has the answer. Of course, there’s also the need for these guys to make money. But this is not the way to do it. Ads are better served within the content, so that, for example, when you click on the item and the full content loads, the ad appears along with it.

Another point: Folk argue whether ads included in RSS feeds are spam or not. I say anything that’s sent to you without you agreeing to it is spam. (I don’t recall agreeing to it when I included the Moreover RSS feed in my reader, although I’m willing to stand corrected. The only time I’ve had to click on something to acknowledge the existence of a user agreement was with the Telegraph feeds.) Folks need to be consulted before they sign up for a feed that includes spam.

The bottom line here is that this grapeshot approach to ads in RSS feeds endangers the medium before it’s taken off. Apple are including RSS in a very interesting and imaginative way in their new OS but there aren’t going to be many takers if feeds are polluted by too many ads that aren’t even contextual (I noticed ads for free golf clubs and microdermabrasion, whatever that is, in my Moreover feed on East Timor news). Keep pulling that stunt, Moreover, and you’ll lose everyone’s interest very quickly. RSS was supposed to be the answer to mailboxes full of rubbish, not an alternative means of delivering that rubbish.