The internet of hacking or WTF is happening with my smart home?

Mirai is a botnet powered by a range of devices, including infected home routers and remote camera systems. It took over these systems by using their default passwords. The network of compromised machines is then directed to overload a target network or service. Last week the Dyn DNS service was targeted, which restricted access to many other services for users on the east coast of the US.

DNS is like a telephone directory of internet destinations: if no one knows where to go, it becomes a lot harder to get in touch.

DDoSing
Mirai didn’t spring miraculously out of thin air. Its history lies with passionate gamers who used distributed denial of service (DDoS) attacks to slow down or even kick opponents off online gaming platforms. Eventually the gaming companies got wise to it and went after the cheaters; not to be outdone, the cheaters went after the gaming companies.

Taking a service offline using DDoS became a source of extortion against online banking and e-commerce services. Attacks can also be used as a form of ‘digital hit’ to take out opponents or critics, such as online security commentator Brian Krebs.

Computing
Moore’s Law meant that computing power has become so small and plentiful that it is surprising what we often have in the palms of our hands. The first Cisco router was built on the circuit board of a Sun Microsystems workstation. Home routers are now basically small computers running Linux. A CCTV camera box or a DVR is a basic PC complete with a hard drive.

Back in 2007, BlackBerry co-founder Mike Lazaridis described the iPhone as

“They’ve put a Mac in this thing…”

The implication was that the power of a sophisticated PC was essentially in the palm of one’s hand. The downside is that your thermostat depends on a good broadband connection and Google-based cloud services, and your television can get malware in a similar manner to your PC.

Security
For a range of Chinese products identified as part of the botnet, the manufacturer acknowledged that they shipped with a default admin password. It fixed the problem in a later version of the device firmware; changing the default password is now part of the initial device set-up the first time you use it.

The current best advice for internet of things security is to protect the network with a firewall at the edge. The reality is that most home networks have a firewall on the connected PCs, if you were lucky. The average consumer doesn’t have a dedicated security appliance at the edge of the home network.

Modern enterprises no longer rely only on security at the edge; they have a ‘depth in defence’ approach that layers security.

That would be a range of technology including:

  • At least one firewall at the edge
  • Intrusion detection software as part of a network management suite
  • A firewall on each device
  • Profile-based permissions across the system (if you work in HR, you have access to the HR systems, but not customer records)
  • Decoy honeypot systems
  • All file systems encrypted by default so if data is stolen it still can’t be read

Processes:

  • Updating software as soon as it becomes available
  • Hard passwords
  • Two-factor authentication

Depth in defence is complex in nature, which makes it hard for the average family to pull off. IoT products are usually made to a price point. They are sold as appliances, so it is hard for manufacturers to sustain a security eco-system. The likelihood of anti-virus and firewall software for light bulbs or thermostats is small to non-existent.

The Shenzhen eco-system
Shenzhen, just across the border from Hong Kong, has been the centre of consumer electronics assembly for the past 20 years. Although this is changing (Apple devices, for instance, are now assembled across China), Shenzhen has expanded into design, development and engineering. A key part of this process has been a unique open source development process: specifications and designs are shared informally under legally ambiguous conditions, which spreads development costs across manufacturers and allows for iterative improvements.

There is a thriving maker community that blurs the line between hobbyists and engineers. A hobbyist’s passion can quickly become a prototype and then go into production. Shenzhen manufacturers can go to market so fast that they harvest ideas from Kickstarter and have them on sale before the idea has been funded on the crowdfunding platform.

All of these factors would seem to favour the ability to get good security technologies engineered directly into the products by sharing the load.

China
The European Union was reported to be looking at regulating security into the IoT eco-system, but in the past regulation hasn’t improved the security of related products such as DSL routers. Regulation is only likely to be effective if it is driven out of China, and China does have a strong incentive to do this.

The government has a strong desire to increase the value of Chinese manufacturing beyond low-value assembly and to have local products seen as high quality. President Xi has expressed frustration that Chinese manufacturing appears sophisticated, yet cannot make a good ballpoint pen.

Insecurity in IoT products is rather like that pain point of poor-quality pens. Fixing it is a win-win for customers, the Chinese manufacturing sector and, by extension, the Party.

More Information
WSJ City – Massive Internet Attack Stemmed From Game Tactics
Your brilliant Kickstarter idea could be on sale in China before you’ve even finished funding it | Quartz
Asus lawsuit puts entire industry on notice over shoddy router security | Ars Technica
Europe to Push New Security Rules Amid IoT Mess — Krebs on Security
Why can’t China make a good ballpoint pen? | Marketplace.org

The Yahoo! Data Breach Post

Yahoo! had a data breach in 2014; it declared the breach to consumers on September 22. This isn’t the first large data breach that Yahoo! has had over the past few years, just the largest.

In 2012, there was a breach of 450,000+ identities. Millions of identity records were apparently being sold by hackers in August 2016, which the media initially linked to the 2012 breach. It would be speculative to assume that the records for sale in August were part of the 2014 raid.

The facts so far:

  • 500 million records were stolen by the hackers. Based on the latest active email account numbers disclosed for Yahoo! many of these accounts are inactive or forgotten
  • Some of the data was stored unencrypted
  • Yahoo! believes that it was a state sponsored actor, but it has offered no evidence to support this hypothesis. It would be a bigger reputational issue if it was ‘normal’ hackers or an organised crime group
  • There are wider security implications because the data included personal security questions

The questions

A Vermont senator asked the following questions in a letter to Yahoo!:

  • When and how did Yahoo first learn that its users’ information may have been compromised?
  • Please provide a timeline detailing the nature of the breach, when and how it was discovered, when Yahoo notified law enforcement or other government authorities about the breach, and when Yahoo notified its customers. Press reports indicate the breach first occurred in 2014, but was not discovered until August of this year. If this is accurate, how could such a large intrusion of Yahoo’s systems have gone undetected?
  • What Yahoo accounts, services, or sister sites have been affected?
  • How many total users are affected? How were these users notified? What protection is Yahoo providing the 500 million Yahoo customers whose identities and personal information are now compromised?
  • What steps can consumers take to best protect the information that may have been compromised in the Yahoo breach?
  • What is Yahoo doing to prevent another breach in the future?
  • Has Yahoo changed its security protocols, and in what manner?
  • Did anyone in the U.S. government warn Yahoo of a possible hacking attempt by state-sponsored hackers or other bad actors? When was this warning issued?

Added to this, shareholders and Verizon are likely to want to know:

  • Chain of events / timing on the discovery of the hack?
  • Has Yahoo! declared what it knew at the appropriate time?
  • Could Yahoo! be found negligent in their security precautions?
  • How will this impact the ongoing attrition in Yahoo! user numbers?

Additional questions:

  • How does Yahoo! know that it was a state sponsored actor?
  • Was there really Yahoo! data being sold on the dark web in August?
  • Was that data from the 2014 cache?
  • How did they get in?

More information
An Important Message About Yahoo User Security | Yahoo – Yahoo!’s official announcement
UK Man Involved in 2012 Yahoo Hack Sentenced to Prison | Security Week
Congressional Leaders Demand Answers on Yahoo Breach | Threat Post

Google: uncomfortably close to the edge

Google has had a transformative effect on the world. It reminds me of what Dieter Rams said about design, something to the effect that good design is invisible: once you see the product, you couldn’t imagine things existing any other way.

That’s a really good description of the web with Google. In the markets where it operates (with the exception of the Czech Republic, South Korea, Japan and Russia) it’s a monopoly. Different regulatory authorities are investigating it for leveraging its monopoly into market domination in other categories.
urban dictionary on Google SERP
With a SERP (Search Engine Results Page) like the one above, I am not surprised that antitrust authorities are gaining the upper hand. This Urban Dictionary integration seems to cross the boundary from being useful to feature bundling. It deprives Urban Dictionary of an opportunity to put ad inventory in front of its audience.
urban dictionary SERP
It would be interesting to know whether Google has some sort of content agreement with Urban Dictionary or has just gone ahead and done this.

20th anniversary: A Declaration of the Independence of Cyberspace

Back on February 9, 1996, John Perry Barlow wrote his declaration of the independence of cyberspace. The declaration pointed out the folly of trying to govern something thought to be virtually ungovernable at the time.
Cyberspace and is smart fusion really smart?
Barlow first came to prominence writing lyrics for The Grateful Dead. His ethos came from the libertarian do-your-own-thing ethic that underpinned much of the hippy movement. This probably came more naturally to Barlow than to other people, having grown up on a cattle ranch as the son of a Republican politician.

By the time he wrote the declaration, he had already published extensively about the internet. He was on the board of directors of The WELL, an online community that sprang out of Stewart Brand’s back-to-the-land catalogue of useful things, The Whole Earth Catalog (The WELL stands for The Whole Earth eLectronic Link). He contributed to Wired magazine (founded by aging hippies Kevin Kelly and Stewart Brand); Barlow’s essay Economy of Ideas, published in the March 1994 issue, provides a clear view of the thinking that prompted him to write the declaration. He had already founded The Electronic Frontier Foundation with John Gilmore and Mitch Kapor in response to a series of actions by law enforcement agencies that led them to conclude that the authorities were gravely uninformed about emerging forms of online communication.

The declaration was a reactionary document, brought about by the 1996 Telecommunications Act in the US. The act eventually resulted in consolidation of US media ownership.

I suspect the similarities in style between the declaration and Doc Searls et al’s later Cluetrain Manifesto are an intentional nod to Barlow on cyberspace.

A Declaration of the Independence of Cyberspace

by John Perry Barlow <barlow@eff.org>

Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.

We have no elected government, nor are we likely to have one, so I address you with no greater authority than that with which liberty itself always speaks. I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear.

Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. We did not invite you. You do not know us, nor do you know our world. Cyberspace does not lie within your borders. Do not think that you can build it, as though it were a public construction project. You cannot. It is an act of nature and it grows itself through our collective actions.

You have not engaged in our great and gathering conversation, nor did you create the wealth of our marketplaces. You do not know our culture, our ethics, or the unwritten codes that already provide our society more order than could be obtained by any of your impositions.

You claim there are problems among us that you need to solve. You use this claim as an excuse to invade our precincts. Many of these problems don’t exist. Where there are real conflicts, where there are wrongs, we will identify them and address them by our means. We are forming our own Social Contract. This governance will arise according to the conditions of our world, not yours. Our world is different.

Cyberspace consists of transactions, relationships, and thought itself, arrayed like a standing wave in the web of our communications. Ours is a world that is both everywhere and nowhere, but it is not where bodies live.

We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth.

We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity.

Your legal concepts of property, expression, identity, movement, and context do not apply to us. They are all based on matter, and there is no matter here.

Our identities have no bodies, so, unlike you, we cannot obtain order by physical coercion. We believe that from ethics, enlightened self-interest, and the commonweal, our governance will emerge. Our identities may be distributed across many of your jurisdictions. The only law that all our constituent cultures would generally recognize is the Golden Rule. We hope we will be able to build our particular solutions on that basis. But we cannot accept the solutions you are attempting to impose.

In the United States, you have today created a law, the Telecommunications Reform Act, which repudiates your own Constitution and insults the dreams of Jefferson, Washington, Mill, Madison, DeToqueville, and Brandeis. These dreams must now be born anew in us.

You are terrified of your own children, since they are natives in a world where you will always be immigrants. Because you fear them, you entrust your bureaucracies with the parental responsibilities you are too cowardly to confront yourselves. In our world, all the sentiments and expressions of humanity, from the debasing to the angelic, are parts of a seamless whole, the global conversation of bits. We cannot separate the air that chokes from the air upon which wings beat.

In China, Germany, France, Russia, Singapore, Italy and the United States, you are trying to ward off the virus of liberty by erecting guard posts at the frontiers of Cyberspace. These may keep out the contagion for a small time, but they will not work in a world that will soon be blanketed in bit-bearing media.

Your increasingly obsolete information industries would perpetuate themselves by proposing laws, in America and elsewhere, that claim to own speech itself throughout the world. These laws would declare ideas to be another industrial product, no more noble than pig iron. In our world, whatever the human mind may create can be reproduced and distributed infinitely at no cost. The global conveyance of thought no longer requires your factories to accomplish.

These increasingly hostile and colonial measures place us in the same position as those previous lovers of freedom and self-determination who had to reject the authorities of distant, uninformed powers. We must declare our virtual selves immune to your sovereignty, even as we continue to consent to your rule over our bodies. We will spread ourselves across the Planet so that no one can arrest our thoughts.

We will create a civilization of the Mind in Cyberspace. May it be more humane and fair than the world your governments have made before.

Davos, Switzerland

February 8, 1996

So two decades later, how does Barlow’s declaration stand up against what has actually happened? At first blush, not very well. The digital economy outside China is dominated by an oligarchy of four main players: Amazon, Apple, Facebook and Google.

Scott Galloway’s presentation at the DLD conference this year highlights the winner-take-all nature of the online world. This is partly down to the nature of the online platform. Amazon grew to critical mass in the US because, for a critical amount of time, buyers didn’t need to pay state sales tax, until state legislation started to catch up.

Zuckerberg and his peers marked a changing of the guard in Silicon Valley as yuppies took over from the hippies.

Inside China there is a similar state-directed oligarchy of Alibaba, Tencent, Netease and Sina.

The oligarchy’s impact has been most pronounced in Europe, where consumer demand and a lack of effective competition saw Google reach 90+ per cent market share across the EU, when its US market share was less than 70 per cent at the time.

Futurist and science fiction author Bruce Sterling summed it up rather well:

“Globalization” is over for 2016. We have entered an era of Internet Counter-Revolution. The events of 1989 feel almost as distant as those of 1789. The globalizing, flat-world, small-pieces-loosely-joined Internet is behind us, it’s history. The elite geek Internet could not resist those repeated tsunamis of incoming users.

It turned out that normal people like the “social” in social media a lot better than they ever liked the raw potential of media technology. In Russia and China in 2016, digital media is an arm of the state. Internet has zero revolutionary potential within those societies, but all kinds of potential for exported cyberwar. The Chinese police spy and firewall model, much scoffed at in the 1990s, is now the dominant paradigm. The Chinese have prospered with their authoritarian approach, while those who bought into borderless friction-free data have been immiserated by the ultra-rich.

In the USA it’s an older American story: the apparent freedom of Henry Ford’s personal flivver has briskly yielded to the new Detroit Big Five of Google, Apple, Facebook, Amazon, and, in last place, Microsoft.

In 2016, everything that looks like digital innovation, “big data,” “the cloud,” the “Internet of Things,” are actually promotional slogans that play into the hands of the GAFAM “Big Five.” Anybody who lacks broadband and a mobile OS is in deadly peril, especially the digital old-school likes of IBM, Cisco, Hewlett-Packard, Oracle… and the hapless TV networks, whose median viewer age is now in the 60s.

The GAFAM Big Five, the “Stacks,” will turn their wrath on the victims closest to them, well before they complete their lunge for control of cars and thermostats. However, their destiny is obvious. The rebels of the 1990s are America’s new mega-conglomerates. Google is “Alphabet,” Apple pruned the “computer” from its name, Amazon is the Washington Post. In 2016, that’s how it is, and in 2017, 2018, 2019, much more so.

So the not-evil guys are the new evil guys, but don’t be scared by this. It’s quite like watching the 1960s Space Age crumble from giant-leaps-for-mankind to launching low-orbit gizmos for profit. It’s comprehensible, it can be dealt with. Sure, it’s tragic if your head was in the noosphere, but if you have any historical awareness of previous industrial revolutions, this is really easy to understand. It’s already in your pocket and purse, it’s written on every screen you look at. It could scarcely be more obvious.

Yes, Internet Counterrevolution is coming, much of it is here already, and it’s properly considered a big deal, but it’s not permanent. This too shall pass.

And this post hasn’t even touched on how governments have looked to plug themselves into all facets of online life in the interest of discovering terrorist plots, organised crime or paedophile rings. Assaults on cyberspace sovereignty are numerous, from Pakistan’s special editable version of YouTube to several governments looking for cryptographic backdoors.

At DLD 2016, a German politician talked about how the government needed to roll back citizens’ rights to privacy to give German start-ups a chance. In this winner-takes-all world, the beneficiaries are likely to be Google, Facebook, Amazon and Microsoft rather than a local champion.

I started on this post in mid-January and scheduled it to go out on February 8, 2016. danah boyd also published on the declaration of Cyberspace and I recommend you go and check it out here.

More information
Economy of Ideas | Wired
The Cluetrain Manifesto
A Declaration of the Independence of Cyberspace | EFF
Bruce Sterling & Jon Lebkowsky: State of the World 2016 | The WELL
Pakistan lifts ban on YouTube after launch of own version | The Daily Star
John Perry Barlow 2.0 | Reason

PrivaTegrity: the flawed model of distributed keys

Dave Chaum’s idea to try to balance state actors’ demand for internet sovereignty and the de facto end of citizen privacy, along with the need to address emotive causes such as terrorism, paedophile rings and organised crime, got a lot of attention from Wired.
Yesterday evening on a bus stop in Bow
The principle behind PrivaTegrity is that there would be a backdoor, but the backdoor could only be opened with a nine-part key. The parts would be distributed internationally to reduce the ability of a single state actor to force access.

However, it has a number of flaws:

  • It assumes that bad people will use a cryptographic system with a known backdoor. They won’t; they will look elsewhere for the technology
  • It has a known backdoor; there is no guarantee that it can’t be opened in a way that the developers hadn’t thought of
  • Nine people will decide what’s evil
  • If you’re a state actor or a coalition of state actors, you know that you have nine targets to go after in order to obtain access by hook or by crook. It was Edward Snowden who showed us how extraordinarily powerful companies were bent to the will of the US government. The UK government is about to grant itself extra-territorial legal powers to compel access. There is no reason why a form of extraordinary rendition couldn’t be used to compel access, rather like Sauron in The Lord of the Rings bending the ring bearers to his will. Think of it as Operation Neptune Spear meets a Dungeons & Dragons quest held at a black site
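The post doesn’t say how the nine-part key would be split, so the example below is added here (it is not Chaum’s or PrivaTegrity’s code) and assumes Shamir’s secret sharing over a prime field. It shows the trade-off the objections above turn on: with a 9-of-9 policy any single holder can block access, while with a lower threshold fewer holders need to be coerced, and in neither case does a tampered share produce an error rather than a silently wrong key.

```python
import secrets

# Mersenne prime 2**521 - 1: a known prime large enough that a 256-bit key fits
# in one field element. Assumption: plain Shamir sharing over GF(p); the post
# does not specify which splitting scheme PrivaTegrity actually uses.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (coeffs[0] is the constant term) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key, holders, threshold):
    """Split an integer key into `holders` shares; any `threshold` of them rebuild it."""
    if not 1 <= threshold <= holders or not 0 <= key < PRIME:
        raise ValueError("bad sharing parameters")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def recover_key(shares):
    """Lagrange interpolation at x = 0 over whatever shares are presented.

    Plain Shamir has no share authentication: too few shares, or a tampered
    share, simply yield a different number with no error raised.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def escrow_outcomes(key, holders, threshold):
    """Which situations open the escrow under a given (holders, threshold) policy?

    Returns, for the policy, whether the key comes back correctly when all
    holders cooperate, when one holder refuses (or its share is lost), when an
    adversary has coerced exactly `threshold` holders, and when one share has
    been altered in transit.
    """
    shares = split_key(key, holders, threshold)
    coerced = shares[:threshold]  # the smallest coalition that suffices
    tampered = [(x, (y + 1) % PRIME) if i == 0 else (x, y)
                for i, (x, y) in enumerate(shares)]
    return {
        "all_cooperate": recover_key(shares) == key,
        "one_refuses": recover_key(shares[:-1]) == key,
        "threshold_coerced": recover_key(coerced) == key,
        "tampered_share_noticed": recover_key(tampered) == key,
    }


if __name__ == "__main__":
    demo_key = secrets.randbits(256)
    print("9-of-9:", escrow_outcomes(demo_key, 9, 9))
    print("5-of-9:", escrow_outcomes(demo_key, 9, 5))
```

Running it prints that 9-of-9 fails as soon as one holder refuses, while 5-of-9 survives a refusal but also opens for any five coerced holders; neither policy flags the tampered share.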

More information
The Father of Online Anonymity Has a Plan to End the Crypto War | WIRED
Privategrity

Jason Matthews on trade craft and social engineering

Jason Matthews is a former CIA spy who used to run agents. He retired and became a novelist. In his Talk at Google he discusses the spy game, but it’s also interesting in terms of thinking about social engineering in a wider sense.

Tim Cook at The White House Cybersecurity Summit

Whilst on the surface this is a puff piece for Apple, Cook takes the Obama administration’s call to cooperate in making life easier for the intelligence industrial complex to get access to consumer data and lays out an opposing vision.

He basically kicked Washington DC in the teeth; other significant companies just decided to turn up with significantly less senior representatives to send the same message.

Lady Gaga, the lawyer and the Irish Web 2.0 debacle

The Irish Independent ran the story of Ate My Heart Inc., a company owned and controlled by pop star Lady Gaga, which

‘demanded I roll over and hand over my ladyaga.ie domain name and trademark’

This action was taken against an Irish-based cookery blogger. It surprised me for a number of reasons:

  • The two brands and domains, whilst similar, couldn’t be mistaken for each other, giving the Ate My Heart legal team a relatively weak position if it ever went to court
  • You would have a harder time differentiating the Lady Gaga brand from the many social accounts run by dedicated Lady Gaga fans
  • Lady Gaga and her management seem to be exceptionally savvy about the use and abuse of social media and its power, hence the LittleMonsters.com community that they run

It also reminded me of the IT@Cork / O’Reilly Publications debacle that broke out over the use of ‘web 2.0’ in 2006. IT@Cork was a small local group interested in business technology who decided to host a session on web 2.0. They invited Tim O’Reilly along to speak alongside other representatives from web 2.0 firms. They were served with a cease and desist letter by CMP, who run the Web 2.0 Expo and Web 2.0 Conference.

The subsequent online firestorm caused Tim O’Reilly to come back off holiday and broker a smarter solution.

Ate My Heart could have reduced its risk and had a win-win situation like the one O’Reilly eventually opted for, but instead went all in on a relatively weak legal position, presumably hoping that the blogger would buckle rather than publish the letter online and call them out. The blogger chose not to buckle.

I guess the implicit message to Irish Lady Gaga fans was that they didn’t matter all that much. From a PR perspective, it is something to keep an eye on in case clients take a similar gung-ho approach to reputation management through litigation; not everyone will be as lucky as Lady Gaga was on this occasion.

Archived from blog posts I wrote for PR Week

Brand extension or violation?

I saw this on the way into work yesterday morning at the café-bar around the corner from the office. I can just imagine the lawyers in Sunnyvale hitting the speed dial button for the corporate travel agent and booking a business class return flight to Hong Kong.
Untitled

Network analysis and why people are so afraid of the Draft Communications Bill

This is going to be a long, convoluted post, so I just decided to pick a point and start.

The Draft Communications Bill, what is it?

The Draft Communications Bill is a piece of legislation that builds upon work done by the European Union and the previous Labour administration. It is designed (as the government sees it) to maintain the capability of law enforcement to access communications. It builds on a number of different pieces of legislation.

Communications Data Bill 2008 – sought to build a database of connections:

  • Websites visited
  • Telephone numbers dialled
  • Email addresses contacted

This data would be collected by internet service providers. The current government described these plans at the time as Orwellian.

Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or public communications networks and amending Directive 2002/58/EC – requires data retention to identify users and details of phone calls made and emails sent for a period of between six months and two years. This information is to be made available, on request, to law enforcement authorities to investigate and deal with serious crime and terrorism.

The UK has already used non-legislative means to force 95 per cent of internet access through a filtered system, predominantly BT’s Cleanfeed, which blocks blacklisted sites or pages. It has been used to filter child pornography; there were discussions about using it to block content deemed to glorify terrorism, and it has the potential to block content in a similar way to more authoritarian nations. In a well-known case Cleanfeed blocked a Wikipedia page on The Scorpions’ Virgin Killer album, originally issued in 1976.

In addition, the UK government had evaluated (and rejected) filtering internet connections for pornographic content by default, apparently due to a lack of appetite from parents for content filtering.

The Digital Economy Act of 2010 allowed sites to be blocked and allowed prosecution of consumers based on their IP address, which was problematic.

So there is already a complex legal and regulatory environment that the Draft Communications Bill is likely to be part of.

In essence, the Draft Communications Bill gives the capability to build a database of everyone’s social graph: everyone you have called, been in touch with or been in proximity to. It requires:

  • A wide range of internet services, not just ISPs, to keep a record of user data for 12 months
  • That retained data be kept in a safe and secure way, just like, say, credit card information or user names and passwords
  • The ability to search, filter and match data from different sources, allowing a complex, near-complete picture to be built up of our digital lives, which would be of interest to hackers, criminals, private investigators or over-zealous journalists (à la the recent News International phone hacking scandals)

What the government has been keen to stress is that the process would not look at the content inside the communication. To use the analogy of the postal service, it records all the external information on an envelope or parcel, but doesn’t peek inside. The reason for this can be found in a successful case taken by Liberty and other organisations against the UK government in 2008. Article eight of the European Convention on Human Rights concerns respect for private and family life, home and correspondence.

During the 1990s, the UK government intercepted calls, faxes and electronic communications placed internationally by people in Ireland via a specially built microwave communications tower in Capenhurst. The Electronic Test Facility was uncovered by Richard Lamont in 1999 and was subsequently covered by Channel 4 News and The Independent.

Once the Electronic Test Facility came out into the public domain, the court case followed.

There are concerns about how this information could be used indiscriminately to build up a Stasi-like picture of the UK population. This is more sensitive given the controversial blacklist provided to the construction industry by The Consulting Association. Latent public anxiety about commercial services like Facebook and behavioural advertising also contributes to this mindset.

Why all the power?

Modern police and intelligence work doesn’t look like Spooks, James Bond or Starsky and Hutch. In reality, it looks more like The Wire. Investigations revolve around informants and painstaking investigation work.

A key part of this is network analysis. Understanding the structure of relationships between participants allows them to be caught. A key scene in the film The Battle of Algiers shows how French paratroopers looked to break suspects to find out the structure of their terrorist cells. If they could break them fast enough, before conspirators fled, the French could roll up the terrorist infrastructure. The film’s main protagonist, who instigates this policy, is a composite of numerous counterinsurgency specialists including Jacques Massu, Marcel Bigeard and Roger Trinquier, all of whom had been involved in the French counterinsurgency campaign from 1954 to 1957, which successfully rolled up Algerian separatist networks in the capital, Algiers.

Move forward five decades and the US counterinsurgency work in Afghanistan and Iraq puts a lot of focus on degree centrality and social network analysis as part of its efforts to dismantle al-Qaeda and other fellow travellers.

Secondly, good operational security techniques, from the use of steganography to encryption of communications, can be difficult even for governments to crack if implemented well. If you know the network structure, this gives you two options to gain information on the communications:

  • Look at the communications metadata: how much is going on, where is it being sent to, is the volume larger or smaller than normal. These can all be used as indicators that something may be happening, or of changes in power within an organisation (who is giving the orders)
  • Focus resources on cracking communications that would be deemed important, for instance those to a particular number

The all-up data picture would be deemed important because it provides a better basis for network analysis. When I think about myself for a minute:

I have a range of different online identities, many of which are due to the limitations of the service on which they are held or when I set them up.

I have one main UK mobile phone number, but I have had different ancillary ones:

  • Work phones
  • Temporary PAYG numbers to sell things on The Gumtree and Craigslist
  • SIMs that I have used for data only on my iPad and smartphones over the years

Now, let’s do a thought experiment, imagine a gang of drug dealers each with a set of pill boxes like old people have labelled up for each day of the week. In each section of the box would be a SIM card. They would then swap those SIMs in and out of their phones on a regular basis making their communications hard to track if you were just following one number. They could be using regularly changed secondhand mobile phones so that the IMEI number changes as well.

The SIMs could be untraceable; they could be bought and topped up for cash if they were bought outside the UK. I can go into my local convenience store here in Hong Kong and buy them and top them up for cash or with a pre-paid credit card with no one asking to see my ID.

Untraceable UK SIMs could be acquired along with bank accounts from students going home, paid off electronically, perhaps even with the debit cards attached to the accounts and the accounts topped up with ATM deposits.

But if you interrogate a database once you have one or more numbers, and look for numbers that appear on a network in the same location immediately after the number you know disappears, you are well on the way to tracking down more of the mobile graph of the drug dealers.

Now imagine the similar principles being applied to messaging clients, email addresses or social networking accounts in order to provide the complete network analysis of the gang of drug dealers created in the thought experiment.
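To make concrete why "metadata only" is still revealing, here is an added example (not from the original post) of the thought experiment: it links identifiers purely by when and where they first appear relative to when a known identifier goes quiet, then repeats from each newly linked identifier. All records, cell-site labels and SIM labels are constructed.

```python
"""Temporal co-location linking over constructed attach records.

Added illustration of the thought experiment above; not code from the
original post. Given one known identifier, find identifiers whose first
appearance is at the cell where the known one was last seen, shortly
after it went quiet, then repeat from each hit to grow the graph.
"""
from typing import Dict, List, Tuple

# (timestamp in seconds, cell site, identifier) - constructed sample data
RECORDS: List[Tuple[int, str, str]] = [
    (100, "cell-17", "sim-A"),
    (160, "cell-17", "sim-A"),
    (220, "cell-17", "sim-A"),   # last time sim-A is seen
    (300, "cell-17", "sim-B"),   # first seen at the same cell 80 s later
    (340, "cell-17", "sim-B"),
    (900, "cell-17", "sim-B"),   # sim-B goes quiet here
    (950, "cell-17", "sim-C"),   # first seen 50 s later: the next hop
    (240, "cell-42", "sim-D"),   # different cell: must not link
    (4000, "cell-17", "sim-E"),  # same cell, but far outside the window
    (100, "cell-17", "sim-F"),   # present all along, so not "new"
    (800, "cell-17", "sim-F"),
]


def first_and_last_seen(records):
    """Map each identifier to its earliest and latest (timestamp, cell)."""
    first: Dict[str, Tuple[int, str]] = {}
    last: Dict[str, Tuple[int, str]] = {}
    for ts, cell, ident in records:
        if ident not in first or ts < first[ident][0]:
            first[ident] = (ts, cell)
        if ident not in last or ts > last[ident][0]:
            last[ident] = (ts, cell)
    return first, last


def successors(records, known, window):
    """Identifiers whose first-ever appearance is at the cell where
    `known` was last seen, within `window` seconds after that moment."""
    first, last = first_and_last_seen(records)
    if known not in last:
        return []
    t_last, cell = last[known]
    hits = []
    for ident, (t_first, c_first) in first.items():
        if ident == known or c_first != cell:
            continue
        if t_last < t_first <= t_last + window:
            hits.append(ident)
    return sorted(hits)


def expand(records, seeds, window):
    """Breadth-first growth of the linked graph from the seed identifiers."""
    linked: Dict[str, List[str]] = {}
    queue = list(seeds)
    seen = set(seeds)
    while queue:
        cur = queue.pop(0)
        nxt = successors(records, cur, window)
        linked[cur] = nxt
        for n in nxt:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return linked


if __name__ == "__main__":
    print(expand(RECORDS, ["sim-A"], window=120))
```

At a busy cell site this naive rule produces many false candidates, which is why real analysis requires the same pairing to recur across several cell sites and times before treating two identifiers as one person.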

How does this fit in with the people?

Under the previous Labour administration, councils were given wide-ranging surveillance powers that were used to deal with incidents such as putting the wrong kind of materials in the recycling bins. This annoyed British consumers and educated them on privacy. The Draft Communications Bill smacks to many of a similar kind of snoopers’ charter.

The internet itself has been political and has now become a political issue. If one goes back to the roots of the early public internet, one can see the kind of libertarian themes running through it in a similar way to the back-to-the-land efforts of the hippies which begat the modern environmental movement. This was about freedom: in the same way that the American pioneers could go west for physical freedom, the internet opened up a new virtual frontier where one could make one’s own fate. It was no coincidence that people involved in ‘the hippy movement’ like Stewart Brand and Kevin Kelly were involved in setting the political tone of the internet, or that the Grateful Dead have had an online presence since 1995.

When these freedoms have been overly curtailed or threatened, internet users have struck back, sometimes unsuccessfully. The Pirate parties that sprang out of The Pirate Bay and copyright discussion have had limited political success, which has misled many to believe that the internet isn’t a political issue. What they managed to do is highlight the issue and their concerns to a wider range of people, in a similar way to how far-right movements put immigration on mainstream political agendas across Europe.

It is also coupled with a decline in trust in authority, partly due to the financial crisis and the cosy relationship with the media which came to light during the phone hacking scandal.

Even The Economist realised that something was going on and called internet activism the new green. It takes mainstream political systems a while to adjust to new realities. It took at least two decades for green issues to become respectable amongst mainstream politicians and it seems to be even harder for them to grasp the abstract concepts behind the digital frontier.

The signs are all there for a change in the public’s attitude; when you have The Mail Online providing critical commentary of the Draft Communications Bill and providing recommendations of encryption software readers can use to keep their communications confidential you know that something has changed.

How does this differ from what companies can derive anyway?

This is where I think things get the most interesting.

Network analysis tools are available off the shelf from the likes of Salesforce.com, IBM or SAS Institute. They have been deployed to look for fraudulent transactions, particularly on telecoms networks, and are also used to improve the quality of customer service. Many of them get inputs directly from social networks such as Twitter and Facebook.

Deep packet inspection software and hardware are again available off the shelf from a number of suppliers. Companies like Narus and TopLayer Networks pioneered deep packet inspection for a wide range of reasons, from surveillance to prioritising different types of network traffic. The security implications became more important (and lucrative) after 9/11; now the likes of Cisco and Huawei provide deep packet inspection products which are used for everything from securing corporate networks and preventing denial of service attacks to, in the case of Phorm, behavioural advertising.

Skyhook Wireless and Google have location data that services can draw on, providing accurate positioning based on cell tower triangulation and a comprehensive map built up of wi-fi hotspots.

Credit information can be obtained from numerous services, as can the electoral roll. If this data is put together appropriately (which is the hard part), there is very little left of a life that would be private anyway.

Companies are trying to get to this understanding, or pretend that they are on the way there. Google’s Dashboard shows the consumer how much it infers about them, and the information that consumers freely give Facebook makes it an ideal platform for identity theft.

One of the most high-profile organisations to get close to this 360 view of the consumer is Delta Airlines who recently faced a backlash about it.

So what does this all mean?

We should operate on the basis that none of our electronic information is confidential. Technology that makes communication easier also diminishes privacy. The problem isn’t the platforms per se but our behavioural adjustment to them.

More information
Giant database plan Orwellian | BBC News
Directive 2006/24/EC (PDF)
Written answers on internet pornography – They Work For You
UK government rejects ‘opt in’ plans for internet porn – TechRadar
Internet Filtering: Implications of the “Cleanfeed” System – TJ McIntyre, School of Law, University of Edinburgh, Third Year PhD Presentation Series, background document for the 12 November 2010 presentation (PDF)
Councils’ surveillance powers curbed | The Guardian
The new politics of the internet Everything is connected | The Economist
Blacklist Blog | Hazards magazine
UK government plans to track ALL web use: MI5 to install ‘black box’ spy devices to monitor British internet traffic | Mail Online
Most UK citizens do not support draft Data Communications Bill, survey shows | Computer Weekly
How Britain eavesdropped on Dublin | The Independent
Cases, Materials, and Commentary on the European Convention on Human Rights By Alastair Mowbray
U.S. Army Counterinsurgency Handbook By U S Dept of the Army, Department of Defense
Draft Communications Data Bill – UK Parliament
Deep packet inspection (DPI) market a $2 billion opportunity by 2016 – Infonetics Research
Google Dashboard
Big Brother Unmasked… As Delta Airlines – smarter TRAVEL

Interview with cut-up artist Girl Talk

Girl Talk’s work sits at the intersection of art and intellectual property law; like The Avalanches, his work is made up of lots of other people’s work. When does copyright infringement become a new work in its own right? Why is Andy Warhol art and sampling theft?

Girl Talk Interview — Some Conference 2012 from somehome.org on Vimeo.

The video is on Vimeo, so may not be available to all readers.

Olympic brand ambush marketing?

I wonder if Haribo is an Olympic sponsor? I wasn’t aware that they were and didn’t see anything obvious on their website to indicate that they were an Olympic sponsor. So I was a bit surprised to see these Gold Medal sweets, which I thought would have violated the brand protection measures of the UK Olympic Act.
Are Haribo an Olympic sponsor?

Facebook: the Yahoo! patents case

I had delayed writing about this as I had a busy run-up to Easter, and just about everyone of note in the Bay Area seems to have weighed in on the Yahoo! versus Facebook legal case over patents. Fred Wilson (aka A VC) channelled the concern of the start-up community in general that wide-ranging patents are a tax on innovation.

There is a certain amount of inbuilt prejudice against incumbents at work here; Silicon Valley doesn’t make big money from existing large businesses but from the new, new thing – for example:

  • IBM vs. Apple, VisiCalc, Oracle and countless Boston corridor enterprise technology brands before them
  • Beckman Instruments vs. the traitorous eight who went on to found just about every other semiconductor company from the late 1950s through to the early 1970s: Fairchild Semiconductor, Intel, Intersil, AMD, National Semiconductor, LSI Logic and venture capital firm Kleiner Perkins
  • Microsoft vs. Apple, Oracle, Sun Microsystems, the open source community
  • Google vs. Facebook and just about anybody else looking to make money from online advertising

I don’t necessarily hold this against them, it is the classic tale of David and Goliath that resonates at a deep level in the human psyche. It probably helped us move beyond being slightly smarter than the average ape and turn our use of tools into a decisive advantage with humans becoming the apex predator throughout the world.

What a lot of these arguments are failing to do is look at the underlying form:

  • Yes, the patent system is broken
  • Yes, Yahoo! has multiple business issues which would merit a series of posts in its own right
  • Yes, Yahoo! is unlikely to survive, at least in its present form. Though for reasons that I have gone into previously I don’t think that Microsoft is a suitable suitor (just look at its continued inability to match Yahoo!’s previous returns on search with Microsoft AdCenter) and, more controversially, I didn’t think that it was serious about its takeover bid first time around
  • Yes, Yahoo! is likely to be outmaneuvered by Facebook and be on a hiding to nothing

But for me, the story isn’t about Yahoo! or the inequitable nature of patent laws, but about Facebook and its business practices in relation to data.

In the 1990s, file formats such as .doc, .xls and .ppt were used by Microsoft to gain a competitive advantage. Competitor applications couldn’t open them, so your information was locked into Microsoft Office software. This was one of the reasons why the web was so transformational: HTML opened up publishing of documents that had previously been locked into Microsoft Office – electronic versions of scientific papers, price lists etc.

Data portability is the document format of web 2.0 (or the social web). During my time at Yahoo! we introduced the requirement to sign into Flickr using a Yahoo! ID; Stewart Butterfield and the team at Flickr worked hard to ensure that existing Flickr customers who didn’t want to have a Yahoo! ID could move their pictures off the service.

The idea was that the customer’s data was their property and allowing them to move freely was as American as apple pie, capitalism and the free market. Allowing customers’ data to be portable fitted in with the “free as in speech” ethic of the web that had predominated up until then. Portable customer data kept you honest and encouraged you to innovate, as losing a customer was only one export click away.

In the case of Facebook, the data that really matters is your address book. Whilst Facebook eventually allowed consumers to download their profile information (after it had gained hegemony in the US social network sector), it holds on fast to your address book. Om Malik over at GigaOM wrote a really good post on how Facebook leeched off Yahoo! users’ address books to build its business, but didn’t allow Yahoo! users to transfer data back the other way.

This had a detrimental effect on Yahoo!’s already weakened business. It wasn’t only Yahoo!: Facebook did the same to Plaxo and has been in conflict with Google over the same issue. In the Yahoo! patent case, Yahoo! is in the position of shooter and patsy – but like the dreams of conspiracy theorists looking for a dark hand moving the pieces around the board – Facebook is responsible.

So consumers and some companies got screwed on their address books; but what the great and good of the start-up community who criticised Yahoo! forget is that where Yahoo!, Plaxo and Google have gone before, their start-ups could go tomorrow. The problem is the over-reliance on Facebook Connect as a federated ID and as a marketing tool using consumer news feeds in their word-of-mouth marketing campaign strategies.

Federated IDs are not a new concept: Microsoft tried to have its Passport technology adopted in a similar way some ten years ago, and it was stymied because of early adopter and technology sector mistrust.

Like Facebook, the businesses adopting Facebook Connect usually rely on some sort of advertising-related business model, either for their revenue, or for garnering customers; yet with Facebook Connect – Facebook holds all the cards on targeting information that means:

  • Your advertising platform will always be worse than Facebook’s because they have a better customer view – as we’ve seen in search this is likely to turn into a zero-sum game
  • For more e-commerce-based businesses, Facebook data could be used by rivals to directly target your customers – because Facebook already has your customer list. By using Facebook Connect you already gave it to them, and they could even infer a good estimate of customer engagement from how often and how long customers logged in

It has the potential to be the digital equivalent of the way Standard Oil used its dominant position as a buyer of railroad transportation to screw over rivals. By supporting Facebook in the Yahoo! patents case, I believe that leading players within the start-up community inadvertently darkened their own futures.

It is hard to imagine now, but in the mid-1990s Silicon Valley was genuinely afraid of Microsoft:

Another big factor was the fear of Microsoft. If anyone at Yahoo considered the idea that they should be a technology company, the next thought would have been that Microsoft would crush them.

It’s hard for anyone much younger than me to understand the fear Microsoft still inspired in 1995. Imagine a company with several times the power Google has now, but way meaner. It was perfectly reasonable to be afraid of them. Yahoo watched them crush the first hot Internet company, Netscape. It was reasonable to worry that if they tried to be the next Netscape, they’d suffer the same fate. How were they to know that Netscape would turn out to be Microsoft’s last victim?

That was Y Combinator’s Paul Graham on Microsoft back in the day, and how fear of it partly sowed the seeds of failure at Yahoo! Great ideas couldn’t get funded if they were considered to fall anywhere near the purview of Microsoft – and Microsoft wanted everything; at that time the company mission statement was:

A computer on every desk and in every home running Microsoft software

Now the vision uses softer language that also takes into account technological change with Steve Ballmer describing it as:

…enabling people and businesses to realize their full potential

Microsoft still isn’t a cuddly business by any means. Let me show you: some six years ago I spent a weekend in San Francisco on the dime of the agency I worked with at the time. The reason why I had a free weekend was that I was originally going out there to pitch an international brief for an enterprise technology company – and the weekend should have been very busy and productive in preparation for the pitch early the following week.

The US folks had checked the substantial non-compete list that we had been provided with by Redmond, and senior clients had been consulted and were OK with it.

Happy days: I was put on a Thursday flight from Heathrow to San Francisco with British Airways. I deplaned, got through immigration and got a taxi into town. I went to the hotel first, dropped my bags off and washed my face, and then got a taxi to our San Francisco office down near the ball park.

As I walked in the door, I could see the office general manager getting off the phone. Apparently my trip was a waste of time: someone at head office had had a call with someone at Microsoft who asked us to withdraw at the last minute, as the company operated in a space that Microsoft would like to enter in the next five years.

I ended up spending the Martin Luther King day weekend at the Hotel Monaco close to Union Square and spent much of the Saturday exploring the Asian Art Museum, the then Sony Metreon centre and shopping off Haight.

The point I am trying to make is that fear is relative: Microsoft is a changed, but still fiercely ambitious and competitive, business.

Facebook is much more than Microsoft. If we look at address books as an example, in February 2010 Facebook bought and closed down Malaysian start-up Octazen to close the door on others using its technology to import contact lists.

Facebook is keenly competitive in the way that Microsoft has been, but it has learned from Microsoft’s mistakes: it has lawyered and lobbied up much earlier in its development, so with Facebook there will be no humiliating Judge Jackson trial of the kind which gifted the start-up culture of Silicon Valley a second chance.

I believe that in the medium-to-long-term Facebook will have a neutron bomb effect on the Bay Area start-up finance community and at the moment they only have themselves to blame.

Although it may seem counter-intuitive to the start-up community at the moment, fuelling Yahoo!’s patent duel with Facebook may make more sense in the long run.

More information
Yahoo! Crosses The Line – A VC
Will Yahoo Torch its Search Deal With Microsoft, Outsource Search to Google? – Search Engine Watch (#SEW)
Is the internet too perfect a market? – renaissance chambara
A quick primer re @blakei @yahoo #delicious – renaissance chambara
Yahoo-Facebook patent fight: more than meets the eye | GigaOM
Google Renews Battle Over Facebook Contacts, Removes Phone Directory Sync On Nexus S – TechCrunch
Why Scoble Got the Boot from Facebook: Plaxo’s New Feature – Mashable
What happened to Yahoo – Paul Graham
Steve Ballmer: Microsoft Venture Capitalist Summit 2008 – Microsoft News Center
Facebook Acquires Contact Importing Startup Octazen – GigaOM

UK government mulls short-term gain with a long-term loss

There was a great article, which I read this morning, by former Guardian journalist Bobbie Johnson on technology site GigaOM which talks about the inevitable censorship of online social media services like Facebook and Twitter. On the one hand this is potentially good news for law firms like Schillings who do reputational work, but it isn’t good for the UK’s world reputation.

Yes, the UK already has censorship, such as the D-notice, the cinema classification board and the chilling effect of libel laws on old media.

But censorship for the good of (usually well-off) individuals rather than the national good puts the UK in a new category quite separate from more authoritarian countries, and will have a chilling effect on brand Britain in the eyes of many people abroad.

When one thinks about an aspirational Chinese middle class, or the very different legal structure and culture of American citizens, this will likely affect their view of the UK as a modern progressive state – which will then adversely affect UK economic activity. And if this isn’t important, then why on earth do we have the huge carbuncle of the Olympics in the east end and the UK government investment over the years in the British Council or the BBC World Service?

More information
Google and Twitter may struggle to resist UK censors – GigaOM

Archived from my blog for PR Week.