1. My attempt to summarise the unfolding HBGary / Wikileaks story

    Posted February 16, 2011 in comment  |  2 Comments so far

You might not have heard of HBGary Federal before. I certainly hadn’t, or at least not until February 4th, when their CEO Aaron Barr boasted to the press that he had unmasked members of Anonymous and was going to pass their details to the FBI. This was presumably in retaliation for Anonymous having slowed down the servers of Visa, Mastercard and PayPal for a few hours back in December 2010, a crime that will no doubt live in infamy.

As it turns out, HBGary Federal is a computer security consultancy that does a lot of work for the US government, trading on a reputation as experts in the field. Their CEO was obviously looking to generate headlines with his Anonymous story. And he succeeded, but not quite in the way he was expecting.

    Within a few hours of his boasting to the press about having “infiltrated” Anonymous, Anonymous struck back. And they struck back hard. The HBGary Federal website was compromised and defaced, Aaron Barr’s Twitter and Facebook profiles were hijacked, and – most damagingly for HBGary – the company’s email server was breached, the emails extracted and put into the public domain via BitTorrent.

    At this point, the damage done to HBGary was already severe. How could “experts” in information security be so thoroughly compromised, so quickly, and in such a humiliating manner? As Aaron Barr put it, soon after the attack took place:

    I knew some folks would take my research as some kind of personal attack which it absolutely was not. I thought they might take down our Web site with a DDoS attack. I did not prepare for them to do what they did…

    But the worst was yet to come. It took a few days for the contents of the email dump to be reviewed, and what it revealed was even more damning – not just for HBGary Federal, but for the shady culture of impunity it portrayed among firms contracting for the US government.

The new twist in the tale came when a project proposal was discovered among the emails. The proposal, titled “The Wikileaks Threat” (link to the full presentation), had been created by HBGary Federal in conjunction with two other companies for Hunton & Williams, a law firm that works with Bank of America. It outlined a systematic plan of attack against Wikileaks and its supporters, with tactics ranging from DDoS attacks and falsification of information to what could be seen as extortion of prominent free-speech supporters such as Salon writer Glenn Greenwald. The exact quote about people in this category was that they could be pushed to “choose career preservation over cause”.

    Slide from the Palantir, HBGary and Berico proposal

    If you want to know more without reading the whole thing, this Tech Herald article has a good overview, but you should definitely read Glenn Greenwald’s response over at Salon:

    The very idea of trying to threaten the careers of journalists and activists to punish and deter their advocacy is self-evidently pernicious; that it’s being so freely and casually proposed to groups as powerful as the Bank of America, the Chamber of Commerce, and the DOJ-recommended Hunton & Williams demonstrates how common this is. These highly experienced firms included such proposals because they assumed those deep-pocket organizations would approve and it would make their hiring more likely.

To put it mildly, the tactics outlined in this proposal are indefensible, and the other companies involved have since apologised to the proposed victims and distanced themselves from HBGary Federal. Indeed, the chief of Berico has called the proposal “reprehensible” (PDF link to company statement).

    But this doesn’t bring the matter to a close. The leaked proposal is almost certainly the tip of a very large iceberg, giving us a glimpse of a corporate culture surrounding the US government that has grown accustomed to operating outside the law. As Glenn Greenwald puts it:

    The exemption from the rule of law has been fully transferred from the highest level political elites to their counterparts in the private sector. “Law” is something used to restrain ordinary Americans and especially those who oppose this consortium of government and corporate power, but it manifestly does not apply to restrain these elites.

    The story began with a so-called security expert bragging to the media and has ended with the disgrace of his company. Andy Greenberg at Forbes:

Rarely in the history of the cybersecurity industry has a company become so toxic so quickly as HBGary Federal … many of the firm’s closest partners and largest clients have cut ties with the Sacramento startup. And now it’s cancelled all public appearances by its executives at the industry’s biggest conference in the hopes of ducking a scandal that seems to grow daily as more of its questionable practices come to light.

These questionable practices, which are still being uncovered, are too many to list here, but this timeline over at Ars Technica is worth a read if you want to know more about Aaron Barr’s techniques.

    It’s a shame that this story isn’t getting more press attention, because it reveals a lot about what’s happening on the front line of the struggle for internet freedom – and by “front line” I mean the hand-to-hand trench combat as opposed to the high-profile court cases taking place in the US and in the UK.

    But it’s unlikely to get much coverage because it’s a messy, data-intensive, and fast-changing story; in other words, the type of story that is extremely difficult to get across within the constraints of traditional news media forms. Traditional media seems to be more comfortable talking about Julian Assange’s personal hygiene or Downing Street’s new cat than covering this sort of thing.

  2. Felix Salmon on the problems with Twitter’s transience

    Posted December 31, 2010 in comment, social media  |  No Comments so far

    I’m posting this from my phone, so apologies in advance for any typos. But I wanted to share this article from Felix Salmon on how the Wired/Wikileaks discussions of the last few days have highlighted a problem with Twitter’s new role in online debates:

    As commentators use their blogs for increasingly journalistic content, the conversational aspect of blogging moves on to Twitter. This leads to two problems.

First, these conversations become very hard to join mid-stream. If you weren’t following from the beginning, you’ll have a hard time catching up. This is especially true of conversations that involve more than two people, as the “in reply to” functionality is no help. A comment thread on a blog or forum, on the other hand, can be read from the beginning even if you’re coming late to the party, and its linear structure makes it easy to catch up.

    The second problem is that Twitter loses these discussions after a couple of months, so they’re not available for future reference. This ephemerality is part of Twitter’s appeal for users, but from an archiving point of view it’s definitely a weakness. It’s good to be able to look back on how topics were discussed in their time, but Twitter currently doesn’t let us do that.

    Maybe Twitter will evolve to address these problems over time. If it doesn’t, however, there could be an opportunity for third party products that do.

  3. Amazon’s moral failure over Wikileaks – why we were entitled to expect more

    Posted December 4, 2010 in comment, politics  |  No Comments so far

    I’m not sure exactly how much I’ve spent with Amazon in the last year, but it’s a lot. If I buy something online, I’ll probably buy it from Amazon even if it’s slightly cheaper elsewhere. I buy books, MP3s and big-ticket items like computers too. So I guess I have a strong “brand relationship” with Amazon.

    Like many people, I’m re-evaluating this relationship after Amazon dropped Wikileaks in an apparent concession to US government pressure (their official statement didn’t impress me much either) and I may stop buying things from them.

    But here’s a good question – if you plan on boycotting Amazon for not hosting Wikileaks, why not boycott every firm that doesn’t host Wikileaks? This is my answer, and it’s grounded in Amazon’s ambitions (specifically the Kindle) rather than a general sense of corporate morality.

    The Kindle strategy: mediate between reader and book

    When Amazon started out, it just sold books. As it grew it started selling lots of other stuff (encountering more than a few UX problems along the way) but books and their readers remained key to its identity, as was affirmed by the launch of the Kindle in 2007.

    Before the Kindle, Amazon’s relationship with the reader began with browsing for a new book and ended soon after it arrived. The packaging discarded, the book was opened and Amazon was forgotten: the relationship was now directly between the reader and the book.

    With the Kindle, this relationship was to change. Rather than just enabling the book’s purchase, Amazon would remain in the equation while the book was being read. The relationship, instead of being a direct one between reader and book, would – through the Kindle – be mediated by Amazon, who would enjoy a more meaningful connection with the reader.

    It’s a great strategy, and well-executed too: the Kindle is a joy to use. But underlying this strategy – and this is where Wikileaks becomes relevant again – is the increased need for trust between Amazon and the reader.

    Trust, neutrality, and moral failure

    Trust isn’t important when Amazon sells me a book. I need to trust that they won’t rip me off, yes, but that would be illegal – the trust is backed up by law. And once I’ve got the book in my hands, what can Amazon do? They can’t stop me reading it.

    In the world of the Kindle, however, trust changes and becomes absolutely essential. This is because, in this transformed relationship where Amazon is the mediator, Amazon can remove books from your Kindle. It can do so remotely, without warning, at its own discretion, even if you paid for them or got them elsewhere. The reader must therefore trust Amazon not to do this. If she doesn’t, her relationship with the written word is no longer free.

When Amazon remotely wiped 1984 and Animal Farm from Kindles in 2009, this trust was damaged. That was due to rights & ownership problems – it wasn’t political, it was commercial. But the Wikileaks incident shows that Amazon will remove content for reasons that are ultimately political.

    This doesn’t just damage that trust, it destroys it completely, and with it Amazon’s credibility as an organisation fit to mediate my relationship with the book. What if there was political uproar over a controversial novel, and Amazon was pressurised to remove it from the possession of people who had paid for it? We know now that they’d do it, and the implications are depressing.

In fact they’re so depressing that I feel glad that the Kindle wasn’t invented a century earlier. How much more effective would Soviet suppression of samizdat have been if the Kindle was in widespread use back then? What would have happened to Lolita, Lady Chatterley’s Lover, Ulysses, or any of the hundreds of books that were banned and burnt in supposedly less enlightened eras? How much would we have lost?

    The banning of Wikileaks raises questions that are particularly sensitive given Amazon’s lofty aspirations. How can you promise to manage someone’s relationship with the written word – and therefore with culture, politics, literature, and arguably thought itself – when you can’t be trusted to remain neutral and impartial? Amazon has to be held to a particular moral standard, and it is this standard it has failed to meet. We were within our rights to expect more.

  4. The dangers of blindly trusting your smartphone

    Posted November 23, 2010 in comment  |  No Comments so far

    Yesterday I was wondering if it was really a good thing that we seem to be engaging less with technology while at the same time becoming ever more dependent on it.

    That post was inspired by Stuxnet, the ultra-advanced software weapon seemingly aimed at Iran’s nuclear facilities. But a more everyday example of the risks technology can pose to overly oblivious users has appeared on the BBC’s website, with Rory Cellan-Jones discovering how easy it is to compromise an iPhone 4 and steal personal information.

    [Security experts] used a netbook computer to set up a wireless access point. They called it “BTOpenzone”, a network my phone and many others look out for and join. I watched as they showed me a range of devices in their office in London’s Soho looking at the network – including my phone.

This wasn’t the only exploit used – the demonstration also included the iPhone 4 PIN hack, SMS number spoofing, and the interception of cookies sent via Facebook. As you’d expect, Cellan-Jones is at pains to mollify Apple and Facebook, the two companies whose products are shown to be compromised in the article. But none of this is hyper-technical – for a hacker, pulling it off is relatively trivial.

The demonstration and the article as a whole are a great example of how blind, unquestioning trust in the technology we use can expose us to massive risks, not just from uber-hackers but from anyone with malicious intent and basic networking knowledge. It reinforces the point that we would do well to understand the technology that surrounds us a bit more than we currently do.

  5. Technology today: increasingly important, increasingly invisible

    Posted November 22, 2010 in comment  |  No Comments so far

    Stuxnet is a piece of extremely advanced attack software, currently active in several Iranian nuclear facilities while being studied intently by malware experts around the world. No-one knows who made it. It’s completely unprecedented – a militarised program, engineered to near perfection, something that’s more accurately described not as a computer virus, but as a weapon.

    Langner, a security consultancy that’s been analysing the code, recently described Stuxnet as being “like the arrival of an F-35 fighter jet on a World War I battlefield.” Kaspersky Labs called it “a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race.” These claims sound hyperbolic, but the more I learn about Stuxnet, the more inclined I am to agree.

    I’m interested in Stuxnet not so much because I have plans to disrupt centrifuge controllers in distant nuclear power plants (well, not in the near future anyway), but because it’s an example of how invisible technologies can have such a concrete effect on the world.

    We’re living in a period where our use of technology and our dependence on it is growing. But at the same time our technology is disappearing from view. It gets smaller, it gets lighter, it gets better at understanding us without the aid of clunky input devices, it gradually disappears – as Adam Greenfield describes the phenomenon in his book Everyware, it “dissolves in behaviour”. We use technology, but we’re becoming less engaged with it.

    We’re becoming a bit like the Eloi in The Time Machine, completely dependent on things we don’t understand. You can see the results of this pattern wherever you look. Whether it’s Microsoft’s adverts for Windows Phone 7 whose core message could be translated as “phones suck”, or workplace cultures where it’s embarrassing to be seen as technologically adept, there’s a strong theme of technology as an enabler, but still something that should be on the fringes of our lives.

I’m not setting out to criticise this trend or pattern, however, or argue that everyone should become a hardcore techie. If we were burdened with a detailed knowledge of every technological process we initiate in the course of a normal day, we’d probably all suffer from constant migraines. It’s good that, say, checking Twitter on my mobile phone feels like a casual and trivial thing to do, and that we’re not forced to confront and experience the mind-boggling combination of technologies that are actually invoked when we do it. Technology couldn’t be as ubiquitous as it is if it hadn’t developed this Houdini-like talent for making itself invisible.

    But then, when I read about Stuxnet, I’m reminded that these deeper layers of technology are still there, still real, and still have a concrete and tangible effect on our lives. We might push technology aside and keep it out of view, but there are others – like the organisation behind the Stuxnet worm – who obviously aren’t, and their ability to change the world should not be underestimated.