Microsoft’s pre-emptive strike for the moral high ground

Today’s Observer column on the fallout from the ransomware attack.

The attack was good for the computer-security companies, some of whose shares rose sharply. But other companies exploited the marketing opportunities offered by the crisis. First out of the blocks was Microsoft, whose product deficiencies lay at the heart of the problem. Brad Smith, the company’s president, made a pre-emptive strike for the high moral ground. “We take every single cyber-attack on a Windows system seriously,” he blogged, “and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident. This included a decision to take additional steps to assist users with older systems that are no longer supported.”

Smith went on to castigate governments – correctly – for stockpiling vulnerabilities rather than reporting them to companies. But what took the biscuit was his implication that the root of the problem was that so many people were foolish enough to continue using old versions of Windows rather than upgrading to the latest version (and forking out for both the upgrades and the new kit needed to run them). So the solution is to keep buying the latest version.

You have to admire the sheer brazenness of this: blaming users for continuing to use your defective product. It’s like Mark Zuckerberg’s idea that the solution to the problems caused by social media is… more Facebook. And it’s the kind of thinking that gives hypocrisy a bad name…

The Internet of Insecure Things is up and running

This morning’s Observer column:

Brian Krebs is one of the unsung heroes of tech journalism. He’s a former reporter for the Washington Post who decided to focus on cybercrime after his home network was hijacked by Chinese hackers in 2001. Since then, he has become one of the world’s foremost investigators of online crime. In the process, he has become an expert on the activities of the cybercrime groups that operate in eastern Europe and which have stolen millions of dollars from small- to medium-size businesses through online banking fraud. His reporting has identified the crooks behind specific scams and even led to the arrest of some of them.

Krebs runs a blog – Krebs on Security – which is a must-read for anyone interested in these matters. Sometimes, one fears for his safety, because he must have accumulated so many enemies in the dark underbelly of the net. And last Tuesday one of them struck back.

The attack began at 8pm US eastern time, when his site was suddenly hit by a distributed denial of service (DDoS) attack…

Collateral damage and the NSA’s stash of cyberweapons

This morning’s Observer column:

All software has bugs and all networked systems have security holes in them. If you wanted to build a model of our online world out of cheese, you’d need emmental to make it realistic. These holes (vulnerabilities) are constantly being discovered and patched, but the process by which this happens is, inevitably, reactive. Someone discovers a vulnerability and reports it either to the software company that wrote the code or to US-CERT, the United States Computer Emergency Readiness Team. A fix for the vulnerability is then devised and a “patch” is issued by the software or hardware vendor whose code is at fault, while computer security companies such as Kaspersky issue detection updates for their own products. At the receiving end, it is hoped that computer users and network administrators will then install the patch. Some do, but many don’t, alas.

It’s a lousy system, but it’s the only one we’ve got. It has two obvious flaws. The first is that the response always lags behind the threat by days, weeks or months, during which the malicious software that exploits the vulnerability is doing its ghastly work. The second is that it is completely dependent on people reporting the vulnerabilities that they have discovered.

Zero-day vulnerabilities are the ones that have not been reported to the vendor, so no patch yet exists…

Getting to bedrock

This morning’s Observer column:

The implication of these latest revelations is stark: the capabilities and ambitions of the intelligence services mean that no electronic communications device can now be regarded as trustworthy. It’s not only your mobile phone that might betray you: your hard disk could harbour a snake in the grass, too.

No wonder Andy Grove, the former boss of Intel, used to say that “only the paranoid survive” in the technology business. Given that we have become totally dependent on his industry’s products, that knowledge may not provide much consolation. But we now know where we stand. And we have Edward Snowden to thank for that.

Flaming hell: we need a new security paradigm

This morning’s Observer column about the implications of the Flame virus.

The PC security business does offer a degree of protection from the evils of malware, but suffers from one structural problem: its products are, by definition, reactive. When a particular piece of malicious software appears, it is analysed in order to determine its distinctive “signature” – a hash or a characteristic byte pattern – which will enable it to be detected when it arrives at your machine. Then the signature database is updated (and, where the malware exploited a flaw in the software itself, a “patch” is issued by the vendor) – which is why your PC is forever inviting you to download updates – and why IT support people always look pityingly at you when you explain sheepishly that you failed to perform the aforementioned downloads.

So the security companies are always playing catch-up, profitably slamming stable doors after the horses have bolted. Until recently, the industry has tactfully refrained from emphasising this point, and most of its customers have been too clueless to notice.

This cosy arrangement was too good to last, and a few weeks ago the industry’s cover was finally blown…
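The column describes signature matching without showing why it is structurally reactive. The following is an added example, not code from the column or from any security vendor’s product: a toy scanner that derives a “signature” (whole-file hash plus a fixed byte pattern) from a known sample, then meets a lightly repacked variant of the same program. The samples are constructed byte strings, not real malware, and the names (`make_signature`, `scan`, `generic_signature`) are this example’s own.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed stand-ins for a known malicious sample and a repacked variant
# of it (new banner, extra padding); plain byte strings, not real malware.
ORIGINAL = b"MZ\x90\x00FAKE-AV SETUP v1 ... steal_card_number() ... \x00"
VARIANT = b"MZ\x90\x00FAKE-AV SETUP v2 ... steal_card_number() ... \x00\x00junk"


def make_signature(sample: bytes, offset: int = 4, length: int = 16) -> Dict:
    """What the lab produces from one sample: a whole-file hash plus a fixed
    byte pattern lifted from a chosen offset (here the product banner)."""
    return {"sha256": hashlib.sha256(sample).hexdigest(),
            "pattern": sample[offset:offset + length]}


def scan(sample: bytes, signatures: List[Dict]) -> Optional[str]:
    """Return which signature component matched, or None if the file looks clean."""
    digest = hashlib.sha256(sample).hexdigest()
    for sig in signatures:
        if digest == sig["sha256"]:
            return "hash"
        if sig["pattern"] and sig["pattern"] in sample:
            return "pattern"
    return None


def longest_common_run(a: bytes, b: bytes) -> bytes:
    """Longest byte run shared by two samples (quadratic DP, fine for lab-sized
    inputs); a crude way to pick a pattern that survives a repack."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def generic_signature(samples: List[bytes]) -> Dict:
    """A signature built from what several variants share rather than one file."""
    pattern = samples[0]
    for s in samples[1:]:
        pattern = longest_common_run(pattern, s)
    return {"sha256": None, "pattern": pattern}


if __name__ == "__main__":
    sigs = [make_signature(ORIGINAL)]
    print("original:", scan(ORIGINAL, sigs))   # hash
    print("variant :", scan(VARIANT, sigs))    # None: the horse has bolted
    sigs.append(generic_signature([ORIGINAL, VARIANT]))
    print("variant :", scan(VARIANT, sigs))    # pattern
```

The first two calls are the whole argument: the original sample is caught, the variant is not, and nothing happens until an analyst has seen the variant and shipped a new signature. The broader pattern distilled from several variants catches the next repack too, but a generic pattern is also the one most likely to fire on legitimate software, which is why vendors tune it by hand rather than automating it.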

Stuxnet, Obama and the necessary hypocrisy of statecraft

This morning’s Observer column.

When Stuxnet was first discovered in 2010, it attracted a great deal of attention for several reasons. For one thing it was so remarkably sophisticated and complex that its creation would have required a large software team. This led many of us to suppose that it must be the work of the security services of a major industrial country: it was hard to imagine run-of-the-mill malware authors going to all that trouble when they could be harvesting stolen credit-card numbers without getting out of bed. But the most intriguing thing about Stuxnet was the way it targeted a very specific piece of equipment: the Siemens Simatic programmable logic controller. It is commonplace in industrial operations everywhere – oil refineries, chemical plants, water-treatment facilities and so on. And it is also the device that controlled the centrifuges of the Iranian nuclear programme. Stuxnet could – and did – instruct the Siemens controller to drive the centrifuges far outside their safe speed range, spinning them up and then abruptly slowing them, while reporting normal readings to the operators, until the rotors failed.

All this pointed toward one conclusion – that Stuxnet must have been the creation of either the US or Israel. But no one knew for sure. Now, thanks to some fine investigative reporting by David Sanger, we do. The Stuxnet project – codenamed “Olympic Games” – was actually started by the Bush administration and accelerated by Obama in his first months in office. What’s more, Sanger claims that Obama took a detailed, personal interest in the progress of the Stuxnet attack and that there were some agonised discussions in the White House when it was realised that the worm, instead of remaining inside the Natanz nuclear plant, had escaped into the wild, as it were…

So is Amazon finally stamping on Kindlespam?

Some time ago I wrote about the scourge of Kindlespam — the way in which opportunists were producing hundreds, and in some cases thousands, of phoney ‘ebooks’ using the Kindle Direct Publishing system. I wondered why Amazon wasn’t stamping on the practice, and cynically assumed that it was because the company continued to make money on every one of these ‘books’ sold on the site. If so, this seemed short-sighted, as it couldn’t be in Amazon’s long-term interests to have the Kindle marketplace swamped by this kind of spam.

Now, however, it looks as though the company has woken up. Witness this email received by an ebook self-publisher and posted on a forum that specialises in Kindle publishing under the heading “All My Amazon Ebooks have Been Taken Off The Shelf!”


We’re contacting you regarding books you recently submitted via Kindle Direct Publishing.

Certain of these books are either undifferentiated or barely differentiated from an existing title in the Kindle store. We remove such duplicate (or near duplicate) versions of the same book because they diminish the experience for customers. We notify you each time a book is removed, along with the specific book(s) and reason for removal.

In addition to removing duplicate books from the Kindle store, please note that if you attempt to sell multiple copies or undifferentiated versions of the same book from your account, we may terminate your account.

If you have any questions regarding the review process, you can write to

Best regards,

Kindle Direct Publishing

About time. Kindle Direct Publishing is a great idea for enabling user-generated content and it would be a shame to see it destroyed.

Why isn’t Amazon stamping out Kindlespam?

Further to my Observer column about Kindlespam, I’ve been brooding on the subject.

The most obvious question is why Amazon doesn’t do something about it. After all, the Kindle is now the company’s key product, and the stench of corruption coming from Kindlespam must pose a strategic threat. Users can’t do much about it — other than by ignoring the avalanche of fake ‘eBooks’ on the site. And it’s very difficult (if not virtually impossible) for an author who suspects that her content is being ripped off to check, because she can’t inspect the content without buying and downloading the suspected rip-off. So any comprehensive trawl for infringing content would be prohibitively expensive and tedious. The only outfit that can check stuff before it’s published on the site is Amazon. So why isn’t the company doing it?

At first, I thought that Amazon’s rationale might be similar to the one Google takes on the issue of infringing or objectionable YouTube content: given that 48-hours’-worth of video is being uploaded every minute, it simply isn’t feasible to pre-scan stuff before it’s published. But Google will take it down on receipt of a complaint. That won’t get Amazon off the Kindlespam hook for two reasons: (1) Compared with video, pre-scanning of text is perfectly feasible, and computationally not that difficult; Amazon could easily do it. (2) Detection of infringing content in Kindlespam by rights holders is very difficult for the reasons outlined earlier, so while a take-down-upon-complaint policy is perfectly feasible, complaints will be much less frequent than they are on YouTube.
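To make the claim that text pre-scanning is computationally easy concrete, here is an added example (my own illustration, not Amazon’s code or anything the post describes Amazon as running): a near-duplicate check of the kind that would catch the “undifferentiated or barely differentiated” titles in Amazon’s own email. Each manuscript is reduced to a set of three-word shingles and compared with the existing catalogue by Jaccard similarity; the manuscripts, titles and the 0.6 threshold are all constructed for the example.

```python
import re
from typing import Dict, Set, Tuple

# Constructed stand-ins for KDP submissions; not real titles or manuscripts.
CATALOGUE = {
    "tomato-tips": "Ten tips for growing tomatoes at home. Water deeply but not often. "
                   "Use a stake for support. Pick fruit when fully red.",
    "steam-history": "A short history of the steam engine, from Newcomen's atmospheric "
                     "pump to Watt's separate condenser and the railway age.",
}
NEW_SUBMISSIONS = {
    "tomato-tips-retitled": "Ten tips for growing tomatoes at home! Water deeply but not "
                            "often. Use a stake for support. Pick fruit when fully red.",
    "tomato-tips-padded": "BONUS EDITION. Ten tips for growing tomatoes at home. Water "
                          "deeply but not often. Use a stake for support. Pick fruit when "
                          "fully red. Thanks for reading.",
    "beekeeping": "Keeping bees in a small garden: choosing a hive, siting it out of "
                  "the wind, and when to harvest honey.",
}


def shingles(text: str, k: int = 3) -> Set[Tuple[str, ...]]:
    """Lower-case, drop punctuation, and take every run of k consecutive words,
    so retitling or re-punctuating a manuscript changes almost nothing."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: Set, b: Set) -> float:
    """Share of shingles common to both texts; 1.0 means identical content."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def near_duplicates(new: Dict[str, str], catalogue: Dict[str, str],
                    threshold: float = 0.6, k: int = 3) -> Dict[str, Tuple[str, float]]:
    """Map each new submission to its closest catalogue entry and score,
    listing only those at or above the threshold."""
    index = {cid: shingles(text, k) for cid, text in catalogue.items()}
    flagged: Dict[str, Tuple[str, float]] = {}
    for nid, text in new.items():
        s = shingles(text, k)
        best_id, best_score = max(((cid, jaccard(s, cs)) for cid, cs in index.items()),
                                  key=lambda pair: pair[1])
        if best_score >= threshold:
            flagged[nid] = (best_id, round(best_score, 3))
    return flagged


if __name__ == "__main__":
    for nid, (cid, score) in near_duplicates(NEW_SUBMISSIONS, CATALOGUE).items():
        print(f"{nid}: near-duplicate of {cid} (Jaccard {score})")
```

The retitled copy scores 1.0 and the padded “bonus edition” 0.8 against the original, while the unrelated manuscript is not flagged. Pairwise comparison like this is quadratic in catalogue size; at Amazon’s scale the same shingle sets would be hashed with MinHash and bucketed by locality-sensitive hashing so that each new manuscript is compared only against plausible matches, which is the standard way search engines detect duplicate pages.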

So we’re left with a puzzle. Pre-scanning for crap, spam and infringing content in Kindlespam is perfectly feasible — and indeed only Amazon can do it effectively. Yet it does not do it. Why?

One answer (suggested in my column) is that the company is making too much money from Kindlespam. (After all, Amazon get a 30 per cent slice on every bit of Kindlespam sold.) But another answer has just occurred to me. (I’m slow on the uptake.) If Amazon did pre-scan all the self-published stuff on the Kindle store, then it might have to take legal responsibility for the resulting content. It might have to take on the liabilities of a publisher, in other words.

So at the moment, Amazon is trying to have it both ways. It provides a platform (Kindle self-publishing) from which it rakes in dosh, but takes no responsibility for the avalanche of crap that the platform enables. Experience with conventional spam suggests, though, that this can’t continue: in the end the textual bindweed will choke the plant. And then what will Amazon do?

LATER: Behind all this is the whole problem of so-called content-farms — some of which are now probably using the Kindle as one of their outlets. They have been a scourge of the Web for a while, because essentially they are parasitic on Google’s AdSense system. The company has finally responded to the problem in classic Google style — with an algorithm, codenamed Panda. Virginia Heffernan has a good piece about this in today’s NYT. The headline — “Google’s War on Nonsense” — says it all.

Apple makes late entry into whack-a-mole game

From Good Morning Silicon Valley.

After weeks of dodging the issue of a recent widespread malware outbreak, Apple has changed course and is addressing affected customers’ concerns.

On Tuesday, Apple finally posted instructions on its support site on how to avoid or remove the malicious program, and said a Mac OS X update in the coming days will remove it or block it from installing in the first place.

The MacDefender malware, one of the few to actually target Mac operating systems, is a phishing program that fools users into thinking they are downloading anti-virus protection when it’s actually going after credit-card information. ZDNet estimates between 60,000 and 125,000 Mac users have been affected in the past month, and in an eyebrow-raising report quoted an Apple tech support insider who said they were expressly forbidden from helping callers remove the malicious program. That supported leaked internal documents that Gizmodo published last week which, among other things, told customer service reps: “AppleCare does not provide support for removal of the malware. You should not confirm or deny whether the customer’s Mac is infected or not.”

While support from Apple is a welcome development, the company’s initial reaction is disturbing from a customer-service standpoint. Just as disturbing to many Mac users is the realization that their OS’s, so long considered safe from most Internet viruses, are not immune after all.

This is beginning to look like a pattern. Remember the clueless way Apple handled the problem with the iPhone 4 antenna and then the controversy about the ‘bug’ which enabled iPhones to accumulate and store unencrypted location data on the devices? The problem Apple has is that its reputation for effortless design superiority now leads to corporate paralysis whenever events threaten to undermine the image.

And of course there is the problem that the more successful the Mac becomes, the juicier a target it presents for malware.

UPDATE: The Apple advisory note is already out of date.

Ed Bott says “File that memo under, ‘Too little, too late.'”

Within 12 hours of Apple’s announcement, the author of the original Mac Defender program had a new variant available that renders key portions of the current Mac Defender prevention plan obsolete.

A security researcher for Intego, the Mac-centric security company that identified the original Mac Defender, found the first example of this new code via a poisoned Google search very early this morning.

Several factors make this specimen different. For starters, it has a new name: MacGuard. That’s not surprising, given that the original program already had at least three names. But this one is divided into two separate parts.

The first part is a downloader. In the original version, this asked the user to enter his or her administrator password. The new version works on the assumption (generally correct) that most Macs are single-user machines – which means that the user has the requisite privileges and so the malware bypasses the admin-password dialogue. The software then installs an application named avRunner, which launches automatically and installs the second part, which is similar to the original Mac Defender. The installer then deletes itself from the user’s Mac, so no traces of the original installer are left behind.

So Apple is now embarked on the same game of whack-a-mole that Microsoft has had to play for years. The evidence so far suggests that Steve Jobs & Co aren’t experienced players. Maybe they need help from Redmond, where they know more about this than anybody else.