Korean Banks

The Washington Post reports that it seems the attack on South Korea’s Nonghyup agricultural bank back in April was the work of North Korea. The evidence?

South Korean investigators said they determined that 10 servers used in the bank incident were the same ones used in previous cyberattack operations against South Korea, including one in 2009 and another in March, that they blamed on the North. Investigators say they determined, for instance, that a “command and control” server used in the 2009 operation was registered to a North Korean government agency operating in China.

This is interesting. Command and control servers are compromised computers that are used by bad guys to “run” other computers—zombies—that actually do the grunt work. There’s definitely a common thread between the 2009 and 2011 DDOS attacks, and plenty of circumstan

Malware Inside the Credit Card Machine


(Update, July 2009: A BusinessWeek article puts the company’s side; maybe I was a little too harsh on them in this post.)

This gives you an idea of how bad malware is getting, and how much we’re underestimating it: a U.S. company that processes credit card transactions has just revealed that malware inside its computers may have stolen the details of more than 100 million credit card transactions. That would make it the biggest breach in history.

Heartland Payment Systems, one of the five largest U.S. processors in terms of volume, began receiving reports of fraudulent activity late last year. But it took until last week to find the source of the breach: “A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients,” according to Brian Krebs of The Washington Post.

Revealed were credit/debit card numbers, expiry dates and names of customers to some, or all, of more than a quarter of a million retail outlets. Bad guys could make fake cards based on this data, but they probably couldn’t use it to buy stuff online, the company said. (At least one observer has characterized this as garbage, opining that a lot of eCommerce merchants turn off their Address Verification System because of errors, and fears of losing the customer.)

That it took so long is pretty extraordinary in itself—these are, after all, the company’s own computers. We’re not talking about investigators having to track down malware on one of its customers’ computers, or somewhere in between. But that’s not all that’s remarkable: It looks like the certification that these kinds of operations rely on, the Payment Card Industry Data Security Standard, or PCI DSS, was issued last April (here’s the proof; certificates are valid for a year). This suggests, according to Digital Transaction News, that the bad guys have found a way around the industry standard level of protection.

Also remarkable is this: The company chose to release the news on Inauguration Day, a fact that has rightly prompted accusations that the company is burying the news. The company has played down the seriousness of the breach, saying that not enough information was revealed about individual cards for identity theft to be an issue, while at the same time suggesting that it’s part of a wider “cyber fraud operation.” I’m not sure it can have it both ways.

The company has set up a website for concerned individuals at 2008breach.com. (Note the cute use of last year to make it seem like something of historical interest only—or maybe 2009breach.com was already taken? That doesn’t seem to have stopped worried customers trying to log on; as of writing the website, and those of the company, are down—possibly because of visitor traffic.)

Apart from the insubstantial response of HPS itself, it’s worth pointing out that this kind of attack is not new. CardSystems, another processor, was breached in 2005—apparently via malware which grabbed data it was storing (rather than processing).

I was kinda skeptical back then of the way it was handled—the company itself delayed release of the information for a month. More digging suggested that the information had been available far longer. It was perhaps understandably coy, given these things never end prettily: Within a few months what was left of CardSystems was acquired by Pay By Touch, also known as Solidus Networks, just in time for it to be slapped down by the FTC. Pay By Touch itself closed down last year and its website is no longer active.

What this new breach seems to tell us is that the bad guys are—and probably always have been—smarter than the good guys. Data within a payment processor like HPS does not need to be encrypted—indeed, the company argues it can’t be encrypted, because it needs to be processed—so while CardSystems was clearly in breach of the rules by storing data, HPS is arguing that it’s not.

But all this tells us is that the security measures in place to protect our data are not enough. God knows how that malware got into their computers. And why it was so hard to trace once it—or something—was known to be there. But the lesson from this miserably handled episode has to be that security and oversight need to be tightened, while transparency towards customers—the individuals who have to pick up the pieces, by scanning their monthly statements for months to come for possible fraud—has to be seriously improved.

The bigger issue, of course, is to finally wake up to the fact that malware is no longer some obscure corner of security matters, but something that affects all of us.

Image: Screenshot of the inaccessible 2008breach.com website.

Is New Media Ready for Old Media?


I’m very excited by the fact that newspapers are beginning to carry content from the top five or so Web 2.0/tech sites. These blogs (the word no longer seems apt for what they do; Vindu Goel calls them ‘news sources’) have really evolved in the past three years and the quality of their coverage, particularly that of ReadWrite Web, has grown in leaps and bounds. Now it’s being carried by the New York Times.

A couple of nagging questions remain, however.

1) Is this old media eating new media, or new media eating the old? On the surface this is a big coup for folk like ReadWriteWeb—which didn’t really exist three years ago—but look more closely, and I suspect we may consider this kind of thing as the beginning of the acknowledgement by old media that they have ceded some important ground that they used to dominate. This, in short, marks the recognition by traditional media that these news sources are, to all intents and purposes, news agencies that operate on a par with, and have the same values as, their own institutions.

2) Is new media ready for old media? I have a lot of respect for ReadWriteWeb, and most of the other tech sites included in this new direction. But they all need to recognise that by participating with old media they need to follow the same rules. There’s no room for conflicts of interest here: Even the NYT has reported on potential conflicts of interest for Om Malik and Michael Arrington (here’s a great piece from The Inquisitr about the issue, via Steve Rubel’s shared Google Reader feed.)

The thing with conflicts of interest is that they’re tough. It’s hard to escape them. And it’s not enough to disclose them. You have, as a writer (let’s not say journalist here, it’s too loaded a word, like blogger), a duty to avoid conflicts of interest. Your commitment as a writer has to be to your reader. If your reader doesn’t believe that you’re writing free of prejudice or favor, then you’re a hack. And I don’t mean that in a nice way.

Which means you have to avoid not only all conflicts of interest, but appearances of conflict of interest. Your duty is not just to disclose conflicts of interest, and potential conflicts of interest, but to avoid them. If that means making less money, then tough.

So, for these ‘news sources’, the issue is going to become a more central one. Of course, the question will grow larger as these outfits move mainstream. But it may become more pressing for the carrier of the news, not for the provider: Who, say, accepts responsibility for errors and conflicts of interest? NYT and The Washington Post, or the carriers of the news? I’m sure there will be lots of caveats in the small print, but if material is on the NYT website, I think a reader would assume it reflects that paper’s ethical standards. If you’re in doubt, think of the recent United Airlines case.

That story’s reappearance started on Google News, and then was picked up by Income Securities Advisors, a financial information company, which was in turn picked up by Bloomberg. The technical error was Google’s, in finding it on a newspaper website and miscategorising it as new, but the human error was in the ‘news source’, which saw it and then fired it off to their service, which is distributed via Bloomberg. Who is to blame for that mess? Well, the focus is all on Google, but to me the human element is the problem here, namely the reporter/writer who failed to double check the source/date etc of the piece itself.

The bottom line? It’s great that old media are recognising the quality of new media. What I want to see is this rising tide lifting all boats. Old media needs to not only grab at these news sources out of desperation but learn from their ingenuity, easy writing style and quality, and these outfits need—or at least some of them need—to take a cue from old media, take a look long and hard at themselves and ask themselves whether they could serve their readers better by shedding all conflicts—real, potential, or perceived—of interest.

Scoble Shift

Robert Scoble, Microsoft blogger and the subject of a couple of Loose Wire WSJ columns in the past, has quit Microsoft for PodTech, a podcaster and videocaster. Techmeme, the technology bloggers’ portal, is full of the news. It’s as if the Pope has quit his day job and joined AC Milan.

There’s lots of speculation, but Scoble says there was no acrimony, no scrimped expense accounts, and lots of effort on the part of Microsoft to get him to stay. For sure the loser in this is going to be Microsoft. While there are thousands of other Microsoft bloggers, none of them had Scoble’s long leash and roaming brief. For many people, especially opinion formers and early adopters, Scoble was Microsoft — more than Gates or that other guy, whatsisname (Ballmer – ed). As Mathew Ingram of the Globe and Mail puts it: “Flack or not, corporate shill or not, I think he has single-handedly done more to humanize Microsoft than all the millions of dollars spent getting Bill Gates to kiss babies or hug orphans or whatever they do to make MSFT seem less like the Borg.”

It will be interesting to see how this pans out for Scoble, and for Microsoft. Will Microsoft continue to feed Scoble the inside dope that is the staple of his blog? And if so, will he appear more or less credible as a result? Will Microsoft move to fill his shoes by hiring another high profile blogger, or move one of the 3,000 other bloggers into his unique slot? Will Microsoft revert to the Evil Empire in the eyes of the technology community, or has Scoble succeeded in convincing it that this view was outdated and unfair?

I think Scoble is a pretty unique character, and it was partly his ebullience and personal approach — not just his Microsoft access — that won him fans. That will make it harder for Microsoft to replace him, and it should make it easier for him to move his brand and followers somewhere else. (As a footnote it’s interesting that while most folk outside geekdom have never heard of Scoble, his move did get some coverage from mainstream media. Here’s one from Reuters, used by The Washington Post website.)

An Agency for the Citizen Reporter

My friend Saigon-based Graham Holliday has helped launch a words version of Scoopt, the world’s first commercial citizen journalism photography agency. With Scoopt Words:

[w]e believe that your blog writing can be every bit as valuable as professional journalism. It’s the same idea that lies behind Scoopt the picture agency: in the right circumstances, amateur photography is just as valuable as professional photography… as we have proven again and again.

So if your content is valuable, why shouldn’t you be paid for it? Why is it OK for a newspaper to lift your words or publish your writing for free just because you’re an ‘amateur’? If it’s good enough to print, it’s good enough to pay for.

Great idea, a bit like BlogBurst, I guess, a syndication service that places your blog content on top-tier online destinations, though BlogBurst doesn’t pay you, so perhaps closer in spirit to OhmyNews, which ScooptWords quotes approvingly. Rightly so; OhmyNews helped to overturn South Korean media and throw a few people out of office. (OhmyNews has recently teamed up with the International Herald Tribune to swap headline links on each others’ websites.)

I like the ScooptWords idea, but I have my reservations. ScooptWords’ FAQ quotes an essay by Betty Medsger, former Washington Post reporter and Professor of Journalism, “about the knowledge and experience of many professional journalists”, suggesting that one shouldn’t feel intimidated by the power of the traditional press. But Medsger’s message wasn’t quite that. She did point out that most journalists who have won awards and fellowships never studied journalism, but her conclusion was not that experience wasn’t necessary, in fact, it may be, she says, quite the opposite:

Journalists put information and ideas from other disciplines into public vessels of various kinds — breaking news stories, investigative pieces, analytical work, cultural criticism. These non-journalism graduates clearly know how to think journalistically, and they are adept at filling various vessels with quality work. But their thinking and learning did not originate in journalism education programs. Mentors in newsrooms apparently have been their teachers. Or perhaps it was experience itself, which again is not surprising.

I never studied journalism either, and I don’t know many folk outside the U.S. (and a couple in Australia) who did. But the newsroom experience sure has helped. Those mentors are pretty useful people, even if they drive you nuts eventually.

I’m not opposed to citizen journalism, or bloggers selling their work to traditional media outlets. I think it’s an important step to dismantle some of the walls around the ivory tower that is many journalists’ citadel. Many have important things to say, and an eyewitness report of a significant event is always going to be the best journalism anybody will ever write or read. But what I think will happen, should happen, is that this new influx should help improve and better define journalism, to refine the standards journalists allegedly abide by, rather than ignore or belittle those standards. Journalists should understand bloggers. But bloggers and citizen reporters also need to understand journalists.

Hopefully Scoopt Words will help do just that. More strength to you, Graham.

Wikipedia Goes to Washington

All this stuff about people obsessively airbrushing their Wikipedia biographies is getting out of hand. In December we heard that even Jimmy Wales himself, the guy who has done more than anyone else to make Wikipedia what it is now, was not above tweaking the entry on himself. My conclusion then was that

Of course, Wales is not alone in monitoring his biography, and I’m sure if I had one, I would monitor it obsessively too. But when does ensuring that you’re not being accused of masterminding the assassination of presidents become Stalinesque airbrushing of history? And the logical result of this is that every biography on Wikipedia becomes an autobiography, which may keep the subjects happy, but may mark the end of Wikipedia as a useful tool.

Clearly I spoke way too soon. The Washington Post is following up an earlier story (reg req) about a congressman’s profile being altered by his intern with Wikipedia’s Help From the Hill which seems to suggest everyone on Capitol Hill is doing it:

The scope of the scandal keeps growing, and now that an investigation has been launched, a growing list of Capitol Hill members and their staff appear to be involved. No, this isn’t about fallout from the shenanigans of former lobbyist Jack Abramoff. This concerns Wikipedia — the online encyclopedia written and edited by anyone who wants to contribute — and the suspected perpetrators of untruths about certain lawmakers.

A good piece, and an example of how things can get even more absurd than any of us might imagine. Where does it stop? Is any entry on anyone, living or dead, untampered with? Why were these tweaks not spotted (Obvious answer: no one cares about these politicians and their tawdry little histories)? What does this say about Wikipedia as an objective resource?

I think we should rest easy. Wikipedia will institute safeguards and everyone will take with a pinch of salt political biographies of the living — and perhaps a few other folk — on that website. But it does give us pause for thought. Would, if Wikipedia wasn’t a huge success, these folk have bothered getting their underlings to remove less palatable aspects of their past from its pages? The bottom line for me is that Wikipedia seems to have arrived. It’s being taken seriously enough by the powers-that-be for them to try to manipulate it to their advantage. That’s one in the eye for those who consider it a nerdy irrelevance.

Did A Computer Virus Bring Down The Soviet Union?

Did software, deliberately programmed by the CIA to fail, hasten the end of the Soviet Union?

The Washington Post reports (registration required) that “President Ronald Reagan approved a CIA plan to sabotage the economy of the Soviet Union through covert transfers of technology that contained hidden malfunctions, including software that later triggered a huge explosion in a Siberian natural gas pipeline.”

It quotes a new memoir by Thomas C. Reed, a former Air Force secretary who was serving in the National Security Council at the time (At the Abyss: An Insider’s History of the Cold War, to be published next month by Ballantine Books) as saying the pipeline explosion was just one example of “cold-eyed economic warfare” that made the Soviet Union eventually “understand that they had been stealing bogus technology, but now what were they to do? By implication, every cell of the Soviet leviathan might be infected. They had no way of knowing which equipment was sound, which was bogus. All was suspect, which was the intended endgame for the entire operation.”

Aspects of this operation have been revealed before, but it’s still a pretty extraordinary tale, and makes one realise the power that software holds over us. And given that all this happened in 1982 or even earlier, does that make the CIA the first successful virus writers? The record is presently held by Fred Cohen, who created his first virus when studying for a PhD at the University of Southern California and presented his results to a security seminar on 10 November, 1983, according to the BBC website.

The iPod Battery Controversy Hits The Mainstream

The discussion about iPod batteries has entered the mainstream. You may recall posts on this blog a few weeks back about two brothers who took their complaint that Apple would not replace their worn out battery — saying the warranty had expired, and suggesting they buy a new iPod — public, via a video posted onto the net and public defacement of Apple billboards. I tried to get a comment from Apple at the time, but felt they had less of a case the more I looked at the story: It turned out that Apple did replace batteries (for $99, which would give you a refurbished iPod) or alternatively, you could do it yourself with third party batteries, saving yourself up to $40.

Now The Washington Post has written up the experience of the Neistat brothers, and presented it as an example of the disposability of electronics, and of irate consumers fighting back.

It’s a great piece. Trouble is, I don’t think the story is quite as simple as that. First off, there’s some suggestion the brothers haven’t been completely upfront. According to one academic who briefly hosted their video on his server, Dave Schroeder, there are some holes in their version: He says Apple began offering the replacement program nearly a week before the brothers’ website was registered (ipoddirtysecret.com, on November 20; Apple’s replacement program was announced on November 14). As Schroeder acknowledges in his letter to the Washington Post (posted at Slashdot), it was ‘coincidentally close’, but was before Apple was aware of the brothers’ video. (The Post article says Apple announced expanded warranties for new iPod owners to purchase for $59, and also introduced a new $99 battery-replacement mail-in service for others “days after the movie made the rounds” of websites like Schroeder’s. The Neistat brothers themselves are more cautious on their website, saying “After we finished production of the film, but not necessarily in response to it, Apple began offering a battery replacement program for the iPod for a fee of $99 and an extended warranty for the ipod for $59”.)

But did the brothers know about this before they posted their video? Schroeder says yes, saying he agreed to post their video on condition the brothers post a link on the same site to the Apple replacement program, something which he says they never did. (Schroeder has kept a record of their communications here.) If this is true, I don’t see any way one can link the Neistats’ campaign with Apple’s decision to offer a refurbishing service.

But what about the allegation that Apple is building obsolescence into what are already pricey gadgets, using batteries that die after 18 months and steering punters into replacing the whole unit for $400, while making it hard to replace the batteries without damaging the unit? Not everyone agrees it’s hard to replace the battery: Here’s an example of one user who felt confident her mother could do it without help. But I have to say, I’ve fiddled around with my iPod a bit, trying to get the back off according to instructions, and would conclude that my mother wouldn’t enjoy doing it. It’s certainly tricky, and hard to do without scratching the iPod body.

My conclusion? I think Apple have been remiss in a) not introducing a refurbish program earlier, b) not making it easier to replace the batteries, and c) not immediately guiding the brothers to websites which sell do-it-yourself batteries. While the iPod is beautifully designed, I can’t really see a reason for not including screws in the casing.

But having said all that, I think we must be careful about guerrilla consumer actions such as those undertaken by the Neistat brothers. We may not yet know the whole story (I’ve emailed both them and Apple asking for more information), but so far it seems that their campaign may have misled hundreds of thousands of users by not including, either in it or on websites where it was posted, information about alternatives to buying a new iPod. Consumer activism should not copy advertising. It should be informative, not deceptive.

Column: Under the Wire

UNDER THE WIRE

The Latest Software and Hardware Upgrades, Plug-Ins and Add-Ons

from the 5 June 2003 edition of the Far Eastern Economic Review, (c) 2003, Dow Jones & Company, Inc.

History Scanned

The past is being digitized — fast. The ProQuest Historical Newspapers program has just finished adding more than a century of scanned copies of The Washington Post to its existing database. The database includes each page from every issue, in PDF files, from 1877-1987. The program has already done The New York Times (1851-1999), The Wall Street Journal (1889-1985) and The Christian Science Monitor (1908-1990).

Cellphone with Character

Somewhat belatedly, Nokia is getting into the handwriting phone thing, aiming itself squarely at the huge Chinese market. On May 20, it unveiled the 6108, created in the firm’s product-design centre in Beijing. The keypad flips open to reveal a small area on which Chinese words can be handwritten with a stylus. A character-recognition engine will convert the scrawls into text, which can then be sent as a message. The phone will be available in the third quarter.

Security Compromised

A new survey reckons “security breaches across the Asia-Pacific region have reached epidemic levels.” In a report released last week, Evans Data Corp. said that 75% of developers reported at least one security breach — basically any kind of successful attack on their computer systems — in the past year. China is worst off, going from 59% of developers reporting at least one security breach last year to 84% this year. It doesn’t help that most of the software is compromised: Tech consultant Gartner has recommended its clients drop Passport, the Microsoft service that allows users to store all their passwords, account details and other valuable stuff on-line, saying Passport identities could be easily compromised. This follows a flaw revealed earlier this month by Microsoft after an independent researcher in Pakistan noticed he could get access to any of the more than 200 million Passport accounts used to authenticate e-mail, e-commerce and other transactions. Microsoft says it has resolved the problem and does not know of any accounts that were breached. Gartner’s not impressed: “Microsoft failed to thoroughly test Passport’s security architecture, and this flaw — uncovered more than six months after Microsoft added the vulnerable feature to the system — raises serious doubts about the reliability of every Passport identity issued to date.”

Son of Napster

Apple’s apparent success with iTunes seems to have prodded some action in the on-line music market. Roxio, maker of CD recording software among other things, said last week it would buy PressPlay from Universal Music and Sony Music Entertainment for about $40 million in cash and rename the whole caboodle Napster, which it earlier bought for $5.3 million. Pressplay offers radio stations and unlimited tethered downloads for $9.95 a month in addition to song downloads that allow for CD burning. My tuppennies? None of this will work unless companies put no restrictions on the files downloaded. Emusic does it that way and it’s why a lot of people keep coming back.