Archive for the 'Malware' Category

Flaming hell: we need a new security paradigm

[link] Sunday, June 17th, 2012

This morning’s Observer column about the implications of the Flame virus.

The PC security business does offer a degree of protection from the evils of malware, but suffers from one structural problem: its products are, by definition, reactive. When a particular piece of malicious software appears, it is analysed in order to determine its distinctive “signature”, which will enable it to be detected when it arrives at your machine. Then a remedy is devised and an update issued – new signatures for the anti-virus product and, if the malware exploits a flaw in some other program, a “patch” for that flaw – which is why your PC is forever inviting you to download updates, and why IT support people always look pityingly at you when you explain sheepishly that you failed to perform the aforementioned downloads.

So the security companies are always playing catch-up, profitably slamming stable doors after the horses have bolted. Until recently, the industry has tactfully refrained from emphasising this point, and most of its customers have been too clueless to notice.

This cosy arrangement was too good to last, and a few weeks ago the industry’s cover was finally blown…
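The reactive cycle the column describes, as an added example that is not part of the column and not any anti-virus vendor's code: a toy signature scanner run over three constructed byte strings. The "beacon" string, the signature names and the samples are all invented for the example; none of it is real malware. A file-hash signature and a byte-pattern signature written against the first specimen are tried against two variants, and the scanner only catches the second variant once someone has already seen it and added a signature for it.

```python
"""Added example (not the column's, nor any anti-virus vendor's code): a toy
signature scanner showing why signature-based detection is always a step
behind. The samples are constructed byte strings, not real malware."""
import hashlib
import re
from typing import Any, Dict, List

# A network "beacon" string invented for the example; real signatures key on
# distinctive strings or code sequences found during analysis of a sample.
BEACON = b"GET /update.php?id="

# Sample 1: the specimen the analysts have seen and written signatures for.
ORIGINAL = b"MZ" + b"\x00" * 14 + BEACON + b"\xde\xad\xbe\xef" + b"\x00" * 8
# Sample 2: the same code re-padded with a different victim id. Its file hash
# changes, but the beacon string is still there in clear.
VARIANT_A = b"MZ" + b"\x00" * 30 + BEACON + b"\x01\x02\x03\x04" + b"\x00" * 3
# Sample 3: the beacon string is stored XOR-encoded (decoded only at run time),
# so neither the hash nor the clear-text string signature finds it on disk.
XOR_KEY = 0x5A
VARIANT_B = b"MZ" + b"\x00" * 14 + bytes(c ^ XOR_KEY for c in BEACON) + b"\x00" * 12

Signature = Dict[str, Any]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The signature "database" as shipped after analysing ORIGINAL: one exact
# file hash, and one byte pattern with a 4-byte wildcard for the victim id.
SIGNATURES: List[Signature] = [
    {"name": "Trojan.Example.A!hash", "kind": "hash", "value": sha256_hex(ORIGINAL)},
    {"name": "Trojan.Example.A!str", "kind": "pattern",
     "value": re.compile(re.escape(BEACON) + rb".{4}", re.DOTALL)},
]


def scan(sample: bytes, signatures: List[Signature] = SIGNATURES) -> List[str]:
    """Return the names of every signature that matches the sample, sorted."""
    digest = sha256_hex(sample)
    hits = []
    for sig in signatures:
        if sig["kind"] == "hash" and sig["value"] == digest:
            hits.append(sig["name"])
        elif sig["kind"] == "pattern" and sig["value"].search(sample):
            hits.append(sig["name"])
    return sorted(hits)


def add_signature(signatures: List[Signature], name: str, kind: str, value: Any) -> List[Signature]:
    """What an 'update' amounts to: a new entry, written only after the variant
    has already been found on victims' machines. Returns a new list."""
    return signatures + [{"name": name, "kind": kind, "value": value}]


if __name__ == "__main__":
    print("original  :", scan(ORIGINAL))    # both signatures fire
    print("variant A :", scan(VARIANT_A))   # hash misses, pattern still fires
    print("variant B :", scan(VARIANT_B))   # nothing fires until the update arrives
    updated = add_signature(SIGNATURES, "Trojan.Example.B!hash", "hash", sha256_hex(VARIANT_B))
    print("variant B after update:", scan(VARIANT_B, updated))
```

The pattern signature with its wildcard survives trivial repacking, which is why vendors prefer them to bare hashes; but the moment the author hides the string the scanner has nothing to match, and the stable door is shut only after the next victim submits a sample.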

Stuxnet, Obama and the necessary hypocrisy of statecraft

[link] Sunday, June 10th, 2012

This morning’s Observer column.

When Stuxnet was first discovered in 2010, it attracted a great deal of attention for several reasons. For one thing it was so remarkably sophisticated and complex that its creation would have required a large software team. This led many of us to suppose that it must be the work of the security services of a major industrial country: it was hard to imagine run-of-the-mill malware authors going to all that trouble when they could be harvesting stolen credit-card numbers without getting out of bed. But the most intriguing thing about Stuxnet was the way it targeted a very specific piece of equipment: the Siemens Simatic programmable logic controller. It is commonplace in industrial operations everywhere – oil refineries, chemical plants, water-treatment facilities and so on. And it is also the device that controlled the centrifuges of the Iranian nuclear programme. Stuxnet could – and did – instruct the Siemens controller to vary the speed of the centrifuge motors, spinning them up and down until the centrifuges tore themselves apart.

All this pointed toward one conclusion – that Stuxnet must have been the creation of either the US or Israel. But no one knew for sure. Now, thanks to some fine investigative reporting by David Sanger, we do. The Stuxnet project – codenamed “Olympic Games” – was actually started by the Bush administration and accelerated by Obama in his first months in office. What’s more, Sanger claims that Obama took a detailed, personal interest in the progress of the Stuxnet attack and that there were some agonised discussions in the White House when it was realised that the worm, instead of remaining inside the Natanz nuclear plant, had escaped into the wild, as it were…

So is Amazon finally stamping on Kindlespam?

[link] Friday, September 2nd, 2011

Some time ago I wrote about the scourge of Kindlespam — the way in which opportunists were producing hundreds, and in some cases thousands, of phoney ‘ebooks’ using the Kindle Direct Publishing system. I wondered why Amazon wasn’t stamping on the practice, and cynically assumed that it was because the company continued to make money on every one of these ‘books’ sold on the site. If so, this seemed short-sighted, as it couldn’t be in Amazon’s long-term interests to have the Kindle marketplace swamped by this kind of spam.

Now, however, it looks as though the company has woken up. Witness this email received by an ebook self-publisher and posted on a forum that specialises in Kindle publishing under the heading “All My Amazon Ebooks have Been Taken Off The Shelf!”

Hello,

We’re contacting you regarding books you recently submitted via Kindle Direct Publishing.

Certain of these books are either undifferentiated or barely differentiated from an existing title in the Kindle store. We remove such duplicate (or near duplicate) versions of the same book because they diminish the experience for customers. We notify you each time a book is removed, along with the specific book(s) and reason for removal.

In addition to removing duplicate books from the Kindle store, please note that if you attempt to sell multiple copies or undifferentiated versions of the same book from your account, we may terminate your account.

If you have any questions regarding the review process, you can write to kdp-quality@amazon.com.

Best regards,

Kindle Direct Publishing

http://kdp.amazon.com

About time. Kindle Direct Publishing is a great idea for enabling user-generated content and it would be a shame to see it destroyed.

Why isn’t Amazon stamping out Kindlespam?

[link] Monday, June 27th, 2011

Further to my Observer column about Kindlespam, I’ve been brooding on the subject.

The most obvious question is why Amazon doesn’t do something about it. After all, the Kindle is now the company’s key product, and the stench of corruption coming from Kindlespam must pose a strategic threat. Users can’t do much about it — other than by ignoring the avalanche of fake ‘eBooks’ on the site. And it’s very difficult (if not virtually impossible) for authors who suspect that their content is being ripped off to check, because they can’t inspect the content without buying and downloading the suspected rip-off. So any comprehensive trawl for infringing content would be prohibitively expensive and tedious. The only outfit that can check stuff before it’s published on the site is Amazon. So why isn’t the company doing it?

At first, I thought that Amazon’s rationale might be similar to the one Google takes on the issue of infringing or objectionable YouTube content: given that 48 hours’ worth of video is being uploaded every minute, it simply isn’t feasible to pre-scan stuff before it’s published. But Google will take it down on receipt of a complaint. That won’t get Amazon off the Kindlespam hook for two reasons: (1) Compared with video, pre-scanning of text is perfectly feasible, and computationally not that difficult; Amazon could easily do it. (2) Detection of infringing content in Kindlespam by rights holders is very difficult for the reasons outlined earlier, so while a take-down-upon-complaint policy is perfectly feasible, complaints will be much less frequent than they are on YouTube.

So we’re left with a puzzle. Pre-scanning for crap, spam and infringing content in Kindlespam is perfectly feasible — and indeed only Amazon can do it effectively. Yet it does not do it. Why?
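To make the “computationally not that difficult” claim concrete, here is an added example (mine, not Amazon’s code or anything the KDP system is known to run) of the kind of pre-scan a store could apply to every submission: word-shingling plus Jaccard similarity, which catches a retitled copy of an existing title even when a sentence has been added so that a byte-for-byte comparison would miss it. The three “ebooks”, their titles and the 0.5 threshold are all constructed for the example.

```python
"""Added example: word-shingle near-duplicate detection of the kind a
storefront could run on every submission before publishing it. The texts
and titles below are constructed for the example; none are real listings."""
import re
from typing import Dict, FrozenSet, List, Tuple

# Constructed catalogue of already-published "ebooks" (title -> body text).
ORIGINAL = ("Ten easy ways to grow tomatoes at home. Start with good soil, "
            "water every morning, and give each plant plenty of sun. Pinch out "
            "side shoots so the plant puts its energy into fruit.")
UNRELATED = ("A short guide to home network security. Change the router's "
             "default password, turn off remote administration, and keep the "
             "firmware up to date.")
CATALOGUE: Dict[str, str] = {
    "Ten easy ways to grow tomatoes at home": ORIGINAL,
    "A short guide to home network security": UNRELATED,
}
# A constructed spam submission: the original body under a new title, with
# one sentence tacked on so a byte-for-byte comparison would miss it.
RETITLED_COPY = ("Grow tomatoes at home the easy way. Start with good soil, "
                 "water every morning, and give each plant plenty of sun. Pinch out "
                 "side shoots so the plant puts its energy into fruit. Harvest when "
                 "the fruit is red.")


def word_shingles(text: str, k: int = 3) -> FrozenSet[str]:
    """Lower-case the text, keep only word tokens, and return the set of
    overlapping k-word sequences. Shared shingles survive retitling,
    sentence reordering and small edits; a wholly new text shares few."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return frozenset(" ".join(words[i:i + k]) for i in range(len(words) - k + 1))


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Similarity of two shingle sets: |A & B| / |A | B|, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def screen_submission(body: str, catalogue: Dict[str, str],
                      threshold: float = 0.5) -> List[Tuple[str, float]]:
    """Return the catalogue titles the submission near-duplicates, most
    similar first. An empty list means the submission passed the check."""
    new = word_shingles(body)
    scored = [(title, jaccard(new, word_shingles(text)))
              for title, text in catalogue.items()]
    return sorted(((t, s) for t, s in scored if s >= threshold),
                  key=lambda ts: ts[1], reverse=True)


if __name__ == "__main__":
    for title, score in screen_submission(RETITLED_COPY, CATALOGUE):
        print(f"near-duplicate of {title!r} (Jaccard {score:.2f})")
```

The retitled copy shares 26 of the 43 distinct three-word shingles in the union of the two texts (a score of about 0.60), while the unrelated guide shares none. Pairwise comparison against every title is fine for a demonstration; at the scale of a real catalogue one would MinHash the shingle sets and use locality-sensitive hashing so that each submission is compared only with the handful of candidates that land in the same buckets. The check finds copies and lightly “spun” text, which is what Kindlespam mostly is; it does not find paraphrases or translations.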

One answer (suggested in my column) is that the company is making too much money from Kindlespam. (After all, Amazon get a 30 per cent slice on every bit of Kindlespam sold.) But another answer has just occurred to me. (I’m slow on the uptake.) If Amazon did pre-scan all the self-published stuff on the Kindle store, then it might have to take legal responsibility for the resulting content. It might have to take on the liabilities of a publisher, in other words.

So at the moment, Amazon is trying to have it both ways. It provides a platform (Kindle self-publishing) from which it rakes in dosh, but takes no responsibility for the avalanche of crap that the platform enables. Experience with conventional spam suggests, though, that this can’t continue: in the end the textual bindweed will choke the plant. And then what will Amazon do?

LATER: Behind all this is the whole problem of so-called content-farms — some of which are now probably using the Kindle as one of their outlets. They have been a scourge of the Web for a while, because essentially they are parasitic on Google’s AdSense system. The company has finally responded to the problem in classic Google style — with an algorithm, codenamed Panda. Virginia Heffernan has a good piece about this in today’s NYT. The headline — “Google’s War on Nonsense” — says it all.

Apple makes late entry into whack-a-mole game

[link] Wednesday, May 25th, 2011

From Good Morning Silicon Valley.

After weeks of dodging the issue of a recent widespread malware outbreak, Apple has changed course and is addressing affected customers’ concerns.

On Tuesday, Apple finally posted instructions on its support site on how to avoid or remove the malicious program, and said a Mac OS X update in the coming days will remove it or block it from installing in the first place.

The MacDefender malware, one of the few to actually target Mac operating systems, is a phishing program that fools users into thinking they are downloading anti-virus protection when it’s actually going after credit-card information. ZDNet estimates between 60,000 and 125,000 Mac users have been affected in the past month, and in an eyebrow-raising report quoted an Apple tech support insider who said they were expressly forbidden from helping callers remove the malicious program. That supported leaked internal documents that Gizmodo published last week which, among other things, told customer service reps: “AppleCare does not provide support for removal of the malware. You should not confirm or deny whether the customer’s Mac is infected or not.”

While support from Apple is a welcome development, the company’s initial reaction is disturbing from a customer-service standpoint. Just as disturbing to many Mac users is the realization that their OS’s, so long considered safe from most Internet viruses, are not immune after all.

This is beginning to look like a pattern. Remember the clueless way Apple handled the problem with the iPhone 4 antenna and then the controversy about the ‘bug’ which enabled iPhones to accumulate and store unencrypted location data on the devices? The problem Apple has is that its reputation for effortless design superiority now leads to corporate paralysis whenever events threaten to undermine the image.

And of course there is the problem that the more successful the Mac becomes, the juicier a target it presents for malware.

UPDATE: The Apple advisory note is already out of date.

Ed Bott says “File that memo under, ‘Too little, too late.’”

Within 12 hours of Apple’s announcement, the author of the original Mac Defender program had a new variant available that renders key portions of the current Mac Defender prevention plan obsolete.

A security researcher for Intego, the Mac-centric security company that identified the original Mac Defender, found the first example of this new code via a poisoned Google search very early this morning.

Several factors make this specimen different. For starters, it has a new name: MacGuard. That’s not surprising, given that the original program already had at least three names. But this one is divided into two separate parts.

The first part is a downloader. In the original version, this asked the user to enter his or her administrator password. The new version works on the assumption (generally correct) that most Macs are single-user machines – which means that the user has the requisite privileges and so the malware bypasses the admin-password dialogue. The software then installs an application named avRunner, which launches automatically and installs the second part, which is similar to the original Mac Defender. The installer then deletes itself from the user’s Mac, so no traces of the original installer are left behind.

So Apple is now embarked on the same game of whack-a-mole that Microsoft has had to play for years. The evidence so far suggests that Steve Jobs & Co aren’t experienced players. Maybe they need help from Redmond, where they know more about this than anybody else.

SONY hack launched from Amazon Cloud

[link] Monday, May 16th, 2011

Wow! Amazing Bloomberg report.

For three pennies an hour, hackers can rent Amazon.com Inc. (AMZN)’s servers to wage cyber attacks such as the one that crippled Sony Corp. (6758)’s PlayStation Network and led to the second-largest online data breach in U.S. history.

A hacker used Amazon’s Elastic Compute Cloud, or EC2, service to attack Sony’s online entertainment systems last month, a person with knowledge of the matter said May 13. The intruder, who used a bogus name to set up an account that’s now disabled, didn’t hack into Amazon’s servers, the person said.

The incident helps illustrate the dilemma facing Chief Executive Officer Jeff Bezos: Amazon’s cloud-computing service is as cheap and convenient for hackers as it is for customers ranging from Netflix Inc. (NFLX) to Eli Lilly & Co. (LLY) Last month’s attack on Sony compromised more than 100 million customer accounts, the largest data breach in the U.S. since intruders stole credit and debit card numbers from Heartland Payment Systems in 2009.

“Anyone can go get an Amazon account and use it anonymously,” said Pete Malcolm, chief executive officer of Abiquo Inc., a Redwood City, California-based company that helps customers manage data internally and through cloud computing. “If they have computers in their back bedroom they are much easier to trace than if they are on Amazon’s Web Services.”

Journal of the cyber-plague years

[link] Sunday, May 1st, 2011

My piece in today’s Observer.

In 1971, Bob Thomas, an engineer working for Bolt, Beranek and Newman, the Boston company that had the contract to build the Arpanet, the precursor of the internet, released a virus called the "creeper" on to the network. It was an experimental, self-replicating program that infected DEC PDP-10 minicomputers. It did no actual harm and merely displayed a cheeky message: "I'm the creeper, catch me if you can!" Someone else wrote a program to detect and delete it, called – inevitably – the "reaper".

Although nobody could have known it 40 years ago, it was the start of something big, something that would one day threaten to undermine, if not overwhelm, the networked world…

So were the Israelis behind the Stuxnet worm?

[link] Monday, November 22nd, 2010

According to the NYTimes, it’s beginning to look that way.

Experts dissecting the computer worm suspected of being aimed at Iran’s nuclear program have determined that it was precisely calibrated in a way that could send nuclear centrifuges wildly out of control.

Their conclusion, while not definitive, begins to clear some of the fog around the Stuxnet worm, a malicious program detected earlier this year on computers, primarily in Iran but also India, Indonesia and other countries.

The paternity of the worm is still in dispute, but in recent weeks officials from Israel have broken into wide smiles when asked whether Israel was behind the attack, or knew who was. American officials have suggested it originated abroad.

The new forensic work narrows the range of targets and deciphers the worm’s plan of attack. Computer analysts say Stuxnet does its damage by making quick changes in the rotational speed of motors, shifting them rapidly up and down.

Changing the speed “sabotages the normal operation of the industrial control process,” Eric Chien, a researcher at the computer security company Symantec, wrote in a blog post.

Those fluctuations, nuclear analysts said in response to the report, are a recipe for disaster among the thousands of centrifuges spinning in Iran to enrich uranium, which can fuel reactors or bombs. Rapid changes can cause them to blow apart. Reports issued by international inspectors reveal that Iran has experienced many problems keeping its centrifuges running, with hundreds removed from active service since summer 2009…

More detail here.

The worm that’s turning

[link] Sunday, October 17th, 2010

This morning’s Observer column

In the normal course of events, a Siemens Simatic Programmable Logic Controller (PLC) would not be of interest to anyone other than a hardcore industrial process engineer. It’s a small, dedicated computer used to control the operations of specialised machinery in a wide range of manufacturing industries. Since June, however, the Siemens controllers have become a topic of intense interest to people like journalists and policymakers who, in normal circumstances, have difficulty controlling a microwave oven.

How come? The reason is the Stuxnet worm, a piece of computer malware (as malicious software is called) that has caused a huge stir in the mainstream media…

Now the French government is advising people to stop using IE

[link] Monday, January 18th, 2010

Well, well. Even I’m surprised by this.

Following in the footsteps of Germany last week, France is now advising its population to use an alternative browser pending a patch for an Internet Explorer vulnerability.

The French Computer Emergency Response Team (CERT) published an advisory on Friday January 15 stating “pending a patch from the publisher, CERT recommends using an alternative browser.” In the advisory Internet Explorer 7 and 8 are both listed despite Microsoft confirming the vulnerability is only exploitable on Internet Explorer 6.

Last week the German Federal Office for Security in Information Technology (BSI) issued a similar advisory urging its population to stop using IE. According to the BSI the flaw will, put simply, “perform reconnaissance and gain complete control over the compromised system.” The BSI noted that even running Internet Explorer in Protected Mode isn’t enough to stop the flaw. Microsoft issued further insight into the vulnerability this morning in a company blog posting. The software giant confirmed the exploit is only effective against Internet Explorer 6.

Wonder if French and German users will pay any attention to this.