Missing Observer column from March 3

The New York Times’ intranet was broken into recently. In a two-minute scan performed on a whim, a 21-year-old hacker named Adrian Lamo — who also works as an offbeat security consultant — discovered no fewer than seven mis-configured proxy servers acting as doorways between the public Internet and the newspaper’s private intranet, making the latter accessible to anyone capable of properly configuring their Web browser.
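The missing control in the story is a proxy that will relay an outside request to an inside address. As an added example (mine, not the column’s and not any Times system), here is the policy check such a forward proxy should apply: requests arriving from outside the perimeter are refused when their destination is a private, loopback or link-local address or a name in the internal DNS namespace. The request lines and the internal domain suffixes are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Hostname suffixes the organisation treats as internal (constructed for this example).
INTERNAL_SUFFIXES = (".corp.example", ".intranet.example")


def is_internal_host(host):
    """True if the destination is an internal address or an internal DNS name.

    Handles IPv4 and bracketed IPv6 literals as well as hostnames; a
    single-label name (e.g. 'payroll') only resolves via internal DNS, so
    it is treated as internal too.
    """
    host = host.strip("[]").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if "." not in host:
            return True
        return any(host == s.lstrip(".") or host.endswith(s) for s in INTERNAL_SUFFIXES)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def destination_of(request_line):
    """Extract the target host from a proxy request line.

    Accepts the two forms a forward proxy sees: 'CONNECT host:port HTTP/1.1'
    and an absolute-form URL such as 'GET http://host/path HTTP/1.1'.
    """
    method, target, _version = request_line.split(" ", 2)
    if method.upper() == "CONNECT":
        return target.rsplit(":", 1)[0]  # keeps '[::1]' intact for IPv6
    host = urlsplit(target).hostname
    if host is None:
        raise ValueError("proxy requests must use absolute-form URLs")
    return host


def policy_decision(request_line, client_is_external):
    """Deny any request from outside the perimeter aimed at an internal destination."""
    host = destination_of(request_line)
    if client_is_external and is_internal_host(host):
        return "DENY"
    return "ALLOW"
```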

Once on the Times’ network, Lamo exploited weaknesses in its password policies to broaden his access, eventually reaching confidential data such as the names and Social Security numbers of the paper’s employees, logs of stop and start orders for home delivery customers, computer dial-up instructions for stringers to file stories and lists of contacts used by the Metro and Business desks.

More interestingly, Lamo gained access to a database of 3,000 contributors to the Times op-ed page — the bully pulpit of America’s elite. This gave him Social Security numbers for, inter alia, former U.N. weapons inspector Richard Butler, Democratic spin-doctor James Carville, ex-NSA chief Bobby Inman, former secretary of state James Baker, Stanford professor Larry Lessig and actor Robert Redford. He also obtained the home phone numbers of people like William F. Buckley Jr., Jeanne Kirkpatrick, Rush Limbaugh, Vint Cerf, Warren Beatty and former president Jimmy Carter, plus fascinating information on contributors’ areas of expertise, what books they’ve written and the odd note on how easily they succumb to editing or how much they were paid.

No lasting harm was done — save to the Times’s substantial dignity — because Mr. Lamo notified the newspaper’s managers through a reporter. (As it happens, he has done things like this before and indeed has built an unusual reputation exposing security holes at large corporations, then voluntarily helping them fix the vulnerabilities he exploited. According to a leading online security journal, he was praised last December by communications giant WorldCom after he discovered security holes in their intranet that threatened to expose the private networks of Bank of America, CitiCorp, JP Morgan, and others.)

Mr. Lamo is thus a Good Egg. His little exploit, however, ought to make us pause. What if he’d been differently motivated? For example: what if, instead of rummaging around on the paper’s intranet, he’d actually got to the paper’s published website and made some subtle alterations to the copy? (It’s not as though it couldn’t happen: the Times’ site was hacked once before, in 1998, but the intruders contented themselves then with vulgar defacement.) We live, remember, in an age where news and comment flash around the globe at the speed of light and where, in particular, stock markets are incredibly (and often irrationally) sensitive to bad news. Our world is one in which information published in an organ like the ‘Times’ is taken seriously — and acted upon.

We’ve had some dry runs for these ‘semantic attacks’ — as security expert Bruce Schneier calls them. On 25 August 2000, for example, the press release distribution service Internet Wire received a forged e-mail that appeared to come from the Emulex Corporation, reporting that the company’s CEO had resigned and its earnings would be restated. Internet Wire posted the press release, not bothering to verify either its origin or its contents. Several financial news services and Web sites further distributed the false information, and the stock dropped 61% (from $113 to $43) before the hoax was exposed.

“Despite its amateurish execution,” writes Schneier (the perpetrator, trying to make money on the stock movements, was caught in less than 24 hours), “$2.54 billion in market capitalisation disappeared, only to reappear hours later. With better planning a similar attack could do more damage and be more difficult to detect.” The only question is when it will materialise. And whether it will be covered by the Times.

What a lovely title for a book: Small Pieces, Loosely Joined: a unified theory of the Web. Forthcoming from David Weinberger, who is better known as the co-author of the Cluetrain Manifesto. He thinks the multiplicity of blogs and personal sites represents more than just “a flood of new content.” The Internet, Weinberger says, “is unleashing our natural desire to find other people interested in the same things as we are, our group-forming tendencies. The Internet has long passed the point of being a gigantic on-line library where we can track down content that matters to us. [It] is a conversation.” Amen.

Thoughtful article in the Globe and Mail about the riches of the Web and the mindset of those who graze (and provide) them.

“The Web has always attracted a sizable minority of literate dissenters, interested in more than Limp Bizkit MP3s and streaming video-porn clips. While institutionally supported sites such as Slate (Microsoft), the Atlantic Online (Atlantic Monthly), and Brookings.org (Brookings Institution) remain important stopovers, they more and more feel peripheral to the main attractions.

Instead of self-contained essays, the Web’s new intellectual hothouses offer diverse networks of opinion, and active participation. Reader power is where the Web really comes into its own.”

Digital Biology. The very idea!

New York Times review of Peter Bentley’s new book.

“Bentley describes how Adrian Thompson, a British engineer, came up with a few dozen random arrangements of transistors and programmed a computer to test how well they did various jobs, like distinguishing between high-pitched and low-pitched tones. The first generation of chips always performed miserably, but some of them a little less miserably than the rest. The computer saved the less miserable designs and combined them into hybrids. In the process, it also sprinkled a few random changes into the designs, mutations if you will. A few offspring could distinguish between the tones slightly better than their parents — and they produced a third generation. By mimicking evolution for a few thousand rounds, the computer produced chips that did their job exquisitely well. But Thompson doesn’t quite know how they work. To understand them, he resorts to measuring the temperature of parts of the chips, like a neurologist using an M.R.I. scanner to probe a brain. …”
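The procedure the review describes, as an added toy example (mine, not Bentley’s or Thompson’s): a genetic algorithm that evolves a small set of weights, standing in for Thompson’s transistor arrangements, until the resulting “chip” separates high-pitched from low-pitched tones. The tone set, the network shape and every name here are constructed for the example.

```python
import math
import random

# Constructed training set: (frequency in Hz, label), label 1 = high-pitched.
TONES = [(f, 1 if f > 1000 else 0) for f in range(200, 2000, 100)]
GENOME_LEN = 10  # 3 hidden units x (weight, bias) + 3 output weights + output bias


def chip_output(genome, freq):
    """Evaluate one candidate 'chip' on a tone.

    The chip is a tiny fixed-shape network whose weights are the genome; we
    judge it only by its behaviour, not by understanding its internals.
    """
    x = freq / 2000.0
    hidden = [math.tanh(genome[2 * i] * x + genome[2 * i + 1]) for i in range(3)]
    out = sum(genome[6 + i] * hidden[i] for i in range(3)) + genome[9]
    return 1 if out > 0 else 0


def fitness(genome):
    """Fraction of tones classified correctly: 'less miserable' scores higher."""
    return sum(chip_output(genome, f) == y for f, y in TONES) / len(TONES)


def evolve(generations=80, pop_size=30, seed=1):
    """Run the selection / crossover / mutation loop; return (first-generation
    best fitness, final best fitness, final best genome)."""
    rng = random.Random(seed)
    population = [[rng.gauss(0, 1) for _ in range(GENOME_LEN)] for _ in range(pop_size)]
    first_best = max(fitness(g) for g in population)
    for _ in range(generations):
        # Selection: keep the least miserable half of the designs unchanged.
        population.sort(key=fitness, reverse=True)
        parents = population[: pop_size // 2]
        children = []
        while len(parents) + len(children) < pop_size:
            mum, dad = rng.sample(parents, 2)
            # Crossover: build a hybrid, taking each gene from one parent or the other.
            child = [m if rng.random() < 0.5 else d for m, d in zip(mum, dad)]
            # Mutation: sprinkle a few random changes into the design.
            child = [g + rng.gauss(0, 0.3) if rng.random() < 0.2 else g for g in child]
            children.append(child)
        population = parents + children
    best = max(population, key=fitness)
    return first_best, fitness(best), best
```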

Virtual Reality used to get at the truth

New York Times story. Much to the chagrin of Ulster Unionists, the official inquiry into ‘Bloody Sunday’ — January 30, 1972, when British paratroops shot dead 14 unarmed civil rights marchers in Derry — proceeds apace. One problem faced by the inquiry is that so much of the physical topography of the city has changed in the 30 years since the atrocity. The 10-storey block of Rossville Flats, for example, which played a key role in the story, has long been demolished. To help witnesses re-orient themselves to 1972 Derry, the inquiry commissioned a virtual reality reconstruction of the relevant part of the city.

“The Mouse that Ate the Public Domain”. Another fine article on the background to the US Supreme Court’s decision to have a look at the Sonny Bono Copyright Term Extension Act. Contains the interesting statistic that Disney gave $6.3 million in campaign contributions in 1997-98. Who says money can’t buy you friends?

Interesting, accessible article by a law professor pointing out that the Democrats take far more money ($24.2 million) from the entertainment industry than do the Republicans ($13.3 million). Which prompts the thought: copyright is an issue where Republicans could, for once, champion the interests of consumers. Will they break the habits of a lifetime?

More wireless networking developments!

Sputnik “envisions a world where people enjoy high-speed wireless access to email, the Web, instant messaging and more — wherever they are. That’s why we created Sputnik Gateway Software and the Sputnik Network, Earth’s first planetary broadband wireless network. When you set up a Sputnik Gateway, you can share unused bandwidth with other Sputnik Subscribers. In turn, you can access bandwidth on the Sputnik Network whenever you are within range of a Sputnik Gateway.”