Zero-days and the iPhone

This morning’s Observer column:

Whenever there’s something that some people value, there will be a marketplace for it. A few years ago, I spent a fascinating hour with a detective exploring the online marketplaces that exist in the so-called “dark web” (shorthand for the parts of the web you can only get to with a Tor browser and some useful addresses). The marketplaces we were interested in were ones in which stolen credit card details and other confidential data are traded.

What struck me most was the apparent normality of it all. It’s basically eBay for crooks. There are sellers offering goods (ranges of stolen card details, Facebook, Gmail and other logins etc) and punters interested in purchasing same. Different categories of these stolen goods are more or less expensive. (The most expensive logins, as I remember it, were for PayPal). But the funniest thing of all was that some of the marketplaces operated a “reputation” system, just like eBay’s. Some vendors had 90%-plus ratings for reliability etc. Some purchasers likewise. Others were less highly regarded. So, one reflected, there really is honour among thieves.

But it’s not just credit cards and logins that are valuable in this underworld…

Read on

Microsoft’s pre-emptive strike for the moral high ground

Today’s Observer column on the fallout from the ‘ransomware’ attack.

The attack was good for the computer-security companies, some of whose shares rose sharply. But other companies exploited the marketing opportunities offered by the crisis. First out of the blocks was Microsoft, whose product deficiencies lay at the heart of the problem. Brad Smith, the company’s president, made a pre-emptive strike for the high moral ground. “We take every single cyber-attack on a Windows system seriously,” he blogged, “and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident. This included a decision to take additional steps to assist users with older systems that are no longer supported.”

Smith went on to castigate governments – correctly – for stockpiling vulnerabilities rather than reporting them to companies. But what took the biscuit was his implication that the root of the problem was that so many people were foolish enough to continue using old versions of Windows rather than upgrading to the latest version (and forking out for both the upgrades and the new kit needed to run them). So the solution is to keep buying the latest version.

You have to admire the sheer brazenness of this: blaming users for continuing to use your defective product. It’s like Mark Zuckerberg’s idea that the solution to the problems caused by social media is… more Facebook. And it’s the kind of thinking that gives hypocrisy a bad name…

Read on

The Internet of Insecure Things is up and running

This morning’s Observer column:

Brian Krebs is one of the unsung heroes of tech journalism. He’s a former reporter for the Washington Post who decided to focus on cybercrime after his home network was hijacked by Chinese hackers in 2001. Since then, he has become one of the world’s foremost investigators of online crime. In the process, he has become an expert on the activities of the cybercrime groups that operate in eastern Europe and which have stolen millions of dollars from small- to medium-size businesses through online banking fraud. His reporting has identified the crooks behind specific scams and even led to the arrest of some of them.

Krebs runs a blog – Krebs on Security – which is a must-read for anyone interested in these matters. Sometimes, one fears for his safety, because he must have accumulated so many enemies in the dark underbelly of the net. And last Tuesday one of them struck back.

The attack began at 8pm US eastern time, when his site was suddenly hit by a distributed denial of service (DDoS) attack…

Read on

Collateral damage and the NSA’s stash of cyberweapons

This morning’s Observer column:

All software has bugs and all networked systems have security holes in them. If you wanted to build a model of our online world out of cheese, you’d need emmental to make it realistic. These holes (vulnerabilities) are constantly being discovered and patched, but the process by which this happens is, inevitably, reactive. Someone discovers a vulnerability, reports it either to the software company that wrote the code or to US-CERT, the United States Computer Emergency Readiness Team. A fix for the vulnerability is then devised and a “patch” is issued by computer security companies such as Kaspersky and/or by software and computer companies. At the receiving end, it is hoped that computer users and network administrators will then install the patch. Some do, but many don’t, alas.

It’s a lousy system, but it’s the only one we’ve got. It has two obvious flaws. The first is that the response always lags behind the threat by days, weeks or months, during which the malicious software that exploits the vulnerability is doing its ghastly work. The second is that it is completely dependent on people reporting the vulnerabilities that they have discovered.

Zero-day vulnerabilities are the unreported ones…

Read on

Getting to bedrock

This morning’s Observer column:

The implication of these latest revelations is stark: the capabilities and ambitions of the intelligence services mean that no electronic communications device can now be regarded as trustworthy. It’s not only your mobile phone that might betray you: your hard disk could harbour a snake in the grass, too.

No wonder Andy Grove, the former boss of Intel, used to say that “only the paranoid survive” in the technology business. Given that we have become totally dependent on his industry’s products, that knowledge may not provide much consolation. But we now know where we stand. And we have Edward Snowden to thank for that.

Read on

Flaming hell: we need a new security paradigm

This morning’s Observer column about the implications of the Flame virus.

The PC security business does offer a degree of protection from the evils of malware, but suffers from one structural problem: its products are, by definition, reactive. When a particular piece of malicious software appears, it is analysed in order to determine its distinctive “signature”, which will enable it to be detected when it arrives at your machine. Then a remedy is devised and an update or “patch” issued – which is why your PC is forever inviting you to download updates – and why IT support people always look pityingly at you when you explain sheepishly that you failed to perform the aforementioned downloads.

So the security companies are always playing catch-up, profitably slamming stable doors after the horses have bolted. Until recently, the industry has tactfully refrained from emphasising this point, and most of its customers have been too clueless to notice.

This cosy arrangement was too good to last, and a few weeks ago the industry’s cover was finally blown…

Stuxnet, Obama and the necessary hypocrisy of statecraft

This morning’s Observer column.

When Stuxnet was first discovered in 2010, it attracted a great deal of attention for several reasons. For one thing it was so remarkably sophisticated and complex that its creation would have required a large software team. This led many of us to suppose that it must be the work of the security services of a major industrial country: it was hard to imagine run-of-the-mill malware authors going to all that trouble when they could be harvesting stolen credit-card numbers without getting out of bed. But the most intriguing thing about Stuxnet was the way it targeted a very specific piece of equipment: the Siemens Simatic programmable logic controller. It is commonplace in industrial operations everywhere – oil refineries, chemical plants, water-treatment facilities and so on. And it is also the device that controlled the centrifuges of the Iranian nuclear programme. Stuxnet could – and did – instruct the Siemens controller to cause the centrifuges to accelerate until they disintegrated.

All this pointed toward one conclusion – that Stuxnet must have been the creation of either the US or Israel. But no one knew for sure. Now, thanks to some fine investigative reporting by David Sanger, we do. The Stuxnet project – codenamed “Olympic Games” – was actually started by the Bush administration and accelerated by Obama in his first months in office. What’s more, Sanger claims that Obama took a detailed, personal interest in the progress of the Stuxnet attack and that there were some agonised discussions in the White House when it was realised that the worm, instead of remaining inside the Natanz nuclear plant, had escaped into the wild, as it were…

So is Amazon finally stamping on Kindlespam?

Some time ago I wrote about the scourge of Kindlespam — the way in which opportunists were producing hundreds, and in some cases thousands, of phoney ‘ebooks’ using the Kindle Direct Publishing system. I wondered why Amazon wasn’t stamping on the practice, and cynically assumed that it was because the company continued to make money on every one of these ‘books’ sold on the site. If so, this seemed short-sighted, as it couldn’t be in Amazon’s long-term interests to have the Kindle marketplace swamped by this kind of spam.

Now, however, it looks as though the company has woken up. Witness this email received by an ebook self-publisher and posted on a forum that specialises in Kindle publishing under the heading “All My Amazon Ebooks have Been Taken Off The Shelf!”


We’re contacting you regarding books you recently submitted via Kindle Direct Publishing.

Certain of these books are either undifferentiated or barely differentiated from an existing title in the Kindle store. We remove such duplicate (or near duplicate) versions of the same book because they diminish the experience for customers. We notify you each time a book is removed, along with the specific book(s) and reason for removal.

In addition to removing duplicate books from the Kindle store, please note that if you attempt to sell multiple copies or undifferentiated versions of the same book from your account, we may terminate your account.

If you have any questions regarding the review process, you can write to

Best regards,

Kindle Direct Publishing

About time. Kindle Direct Publishing is a great idea for enabling user-generated content and it would be a shame to see it destroyed.

Why isn’t Amazon stamping out Kindlespam?

Further to my Observer column about Kindlespam, I’ve been brooding on the subject.

The most obvious question is why Amazon doesn’t do something about it. After all, the Kindle is now the company’s key product, and the stench of corruption coming from Kindlespam must pose a strategic threat. Users can’t do much about it — other than by ignoring the avalanche of fake ‘eBooks’ on the site. And it’s very difficult (if not virtually impossible) for an author who suspects that his or her content is being ripped off to check, because he or she can’t inspect the content without buying and downloading the suspected rip-off. So any comprehensive trawl for infringing content would be prohibitively expensive and tedious. The only outfit that can check stuff before it’s published on the site is Amazon. So why isn’t the company doing it?

At first, I thought that Amazon’s rationale might be similar to the one Google takes on the issue of infringing or objectionable YouTube content: given that 48 hours’ worth of video is being uploaded every minute, it simply isn’t feasible to pre-scan stuff before it’s published. But Google will take it down on receipt of a complaint. That won’t get Amazon off the Kindlespam hook for two reasons: (1) Compared with video, pre-scanning of text is perfectly feasible, and computationally not that difficult; Amazon could easily do it. (2) Detection of infringing content in Kindlespam by rights holders is very difficult for the reasons outlined earlier, so while a take-down-upon-complaint policy is perfectly feasible, complaints will be much less frequent than they are on YouTube.

So we’re left with a puzzle. Pre-scanning for crap, spam and infringing content in Kindlespam is perfectly feasible — and indeed only Amazon can do it effectively. Yet it does not do it. Why?
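To show why the pre-scanning step above is computationally cheap, here is an added illustration (my own code, not anything Amazon runs): a submitted text is split into overlapping five-word phrases (“shingles”) and compared against a constructed catalogue by Jaccard similarity, so a retitled copy of an existing title scores high while unrelated text scores zero.

```python
"""Near-duplicate text detection with w-shingling and Jaccard similarity."""
import re
from typing import Dict, List, Set, Tuple


def shingles(text: str, w: int = 5) -> Set[str]:
    """Normalise the text and return the set of w-word phrases it contains."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    if len(words) < w:
        return {" ".join(words)} if words else set()
    return {" ".join(words[i:i + w]) for i in range(len(words) - w + 1)}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """|A ∩ B| / |A ∪ B|; empty inputs never count as duplicates of anything."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def similarity(text_a: str, text_b: str, w: int = 5) -> float:
    return jaccard(shingles(text_a, w), shingles(text_b, w))


def find_near_duplicates(catalogue: Dict[str, str], submission: str,
                         threshold: float = 0.5) -> List[Tuple[str, float]]:
    """Return (title, score) for catalogue entries at or above the threshold,
    highest score first. Scores are rounded to two decimals for reporting."""
    sub = shingles(submission)
    hits = [(title, round(jaccard(sub, shingles(body)), 2))
            for title, body in catalogue.items()]
    return sorted([h for h in hits if h[1] >= threshold],
                  key=lambda h: h[1], reverse=True)


# Constructed sample data: one short "book", a retitled copy of it, and an unrelated text.
BODY = ("the quick brown fox jumps over the lazy dog "
        "and then runs away into the forest")
CATALOGUE = {
    "Fox Tales": "Fox Tales. " + BODY,
    "Sourdough at Home": "a guide to baking sourdough bread at home "
                         "with only flour water and salt",
}
RETITLED_COPY = "The Fox Chronicles. " + BODY

if __name__ == "__main__":
    print(find_near_duplicates(CATALOGUE, RETITLED_COPY))  # [('Fox Tales', 0.71)]
```

Real catalogues are too large for pairwise comparison, but the same shingle sets feed MinHash or similar sketching, which is why the check stays tractable at scale.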

One answer (suggested in my column) is that the company is making too much money from Kindlespam. (After all, Amazon get a 30 per cent slice on every bit of Kindlespam sold.) But another answer has just occurred to me. (I’m slow on the uptake.) If Amazon did pre-scan all the self-published stuff on the Kindle store, then it might have to take legal responsibility for the resulting content. It might have to take on the liabilities of a publisher, in other words.

So at the moment, Amazon is trying to have it both ways. It provides a platform (Kindle self-publishing) from which it rakes in dosh, but takes no responsibility for the avalanche of crap that the platform enables. Experience with conventional spam suggests, though, that this can’t continue: in the end the textual bindweed will choke the plant. And then what will Amazon do?

LATER: Behind all this is the whole problem of so-called content-farms — some of which are now probably using the Kindle as one of their outlets. They have been a scourge of the Web for a while, because essentially they are parasitic on Google’s AdSense system. The company has finally responded to the problem in classic Google style — with an algorithm, codenamed Panda. Virginia Heffernan has a good piece about this in today’s NYT. The headline — “Google’s War on Nonsense” — says it all.