Les anglonautes

About | Search | Vocapedia | Learning | Podcasts | Videos | History | Arts | Science | Translate

 Previous Home Up Next


History > 2013 > USA > Internet (I)




Closing the Door on Hackers


April 4, 2013
The New York Times


IRVINE, Calif.

FOR most of my teenage years, I made a hobby of hacking into some of the world’s largest government and corporate computer systems. I was “lucky” enough to be raided by the F.B.I. when I was 17 years old. After that wake-up call, I eventually started a software security company and now find myself helping to plug security holes, not exploit them.

The nature of hacking has changed, too, since I left it in the late 1990s — from a game of curiosity and occasional activism into a central tool in cybercrime and nation-state attacks.

Alongside that shift has come a loud and often misguided conversation about what to do to stop this new breed of hacking. Too much of the debate begins and ends with the perpetrators and the victims of cyberattacks, and not enough is focused on the real problem: the insecure software or technology that allows such attacks to succeed. Instead of focusing solely on employees who accidentally open e-mails, we should also be pressuring software makers to make significant investments in their products’ security.

When you read headlines about the latest cyberattack, you typically do not hear about how attackers were able to put a virus or other malware on a system in the first place. In many cases, it begins with attackers exploiting a software vulnerability or weakness in order to install their malware.

The unspoken truth is that for the most part, large software companies are not motivated to make software secure. It’s a question of investment priorities: they care more about staying competitive with their products, and that means developing the latest features and functions that consumers and businesses are looking to buy. Security issues are often treated more as a marketing challenge than an engineering one.

A result is an open door to hackers inside some of the world’s most popular software systems. Perhaps most famously, during the early to middle parts of the last decade, hackers discovered a significant number of glaring security weaknesses in Microsoft products (some of which were discovered by my company). Several of these weaknesses were exploited in high-profile computer virus and worm attacks.

To be fair, securing software is not a trivial task. Often it means building in multiple barriers to entry and keeping those defenses current with the latest developments in hacker techniques. Security has to be a central and significant investment in any software development project.

Still, given the heightened impact of recent attacks on both corporate and government operations, we must begin to hold software companies accountable for such vulnerabilities.

Fortunately, there is a lot a company can do to secure its code, should it choose to. After Microsoft’s software vulnerabilities drew significant negative attention — one of the few times the public has correctly affixed blame to a software company — Bill Gates himself addressed the issue in 2002 in his now famous “Trustworthy Computing” memo.

In that memo, sent to all Microsoft employees, Mr. Gates made it clear that the company’s future depended on building software and a platform that could be reliably secure. It was more than talk: in the decade or so since, Microsoft fundamentally changed its software development process to make security a core part of the program.

Too many other companies, though, seem to have missed the memo.

Take Oracle, and specifically the security challenges surrounding its Java software, which the company inherited through its 2010 acquisition of Sun Microsystems. Java, one of the most ubiquitous pieces of software in the world, is so full of security holes — including multiple avenues for hackers to take control of a computer remotely — that the Department of Homeland Security recommends that its users completely disable the software in their browsers.

Oracle is not alone. Adobe, which makes the popular Adobe Reader and Flash applications, has seen a significant number of security weaknesses over the years and also a sharp increase in its software’s being a gateway for cyberattacks. The risks associated with Flash were one reason Apple decided not to allow it on iPhones.

Like Microsoft, Adobe has made strides to increase the security of its technology over the last couple of years, and more recently some of those security improvements seem to be paying off. But it still has work to do.

In his 2002 memo, Mr. Gates cast the security challenge as not just a Microsoft problem, but one for the overall industry. A computer or a network is only as secure as its weakest link — no matter how secure one program might be, a poorly protected bit of software could compromise everything.

That means that on top of investing in their own security, companies have to make efforts to coordinate with other developers to present a united front. Adobe and Microsoft have worked together in recent years to identify and close off mutual vulnerabilities, and other companies should follow suit.

A lot of the talk around cybersecurity has centered on the role of government. But investing in software security and cooperating across the software industry shouldn’t take an act of Congress. It will, however, take a new mind-set on the part of developers. They should no longer see security as an add-on feature, nor should they regard holes in their competitors’ security efforts as merely a competitive advantage. As the world comes to depend more and more on their products, it should demand nothing less.

    Closing the Door on Hackers, NYT, 4.3.2013,






As Web Search Goes Mobile,

Competitors Chip at Google’s Lead


April 3, 2013
The New York Times


Say you need a latté. You might pull out your phone, open the Yelp app and search for a nearby cafe. If instead you want to buy an espresso machine, you will most likely tap Amazon.com.

Either way, Google lost a customer.

Google remains the undisputed king of search, with about two-thirds of the market. But the nature of search is changing, especially as more people search for what they want to buy, eat or learn on their mobile devices. This has put the $22 billion search industry, perhaps the most lucrative and influential of online businesses, at its most significant crossroad since its invention.

No longer do consumers want to search the Web like the index of a book — finding links at which a particular keyword appears. They expect new kinds of customized search, like that on topical sites such as Yelp, TripAdvisor or Amazon, which are chipping away at Google’s hold. Google and its competitors are trying to develop the knowledge and comprehension to answer specific queries, not just point users in the right direction.

“What people want is, ‘You ask a very simple question and you get a very simple answer,’ ” said Oren Etzioni, a professor at the University of Washington who has co-founded companies for shopping and flight search. “We don’t want the 10 blue links on that small screen. We want to know the closest sushi place, make a reservation and be on our way.”

People are overwhelmed at how crowded the Internet has become — Google says there are 30 trillion Web addresses, up from 1 trillion five years ago — and users expect their computers and phones to be smarter and do more for them. Many of the new efforts are services that people do not even think of as search engines.

Amazon, for example, has a larger share than Google of shopping searches, the most lucrative kind because people are in the mood to buy something. On sites like Pinterest and Polyvore, users have curated their favorite things from around the Web to produce results when you search for, say, “lace dress.”

On smartphones, people skip Google and go directly to apps, like Kayak or Weather Underground. Other apps send people information, like traffic or flight delays, before they even ask for it.

People use YouTube to search for things like how to tie a bow tie, Siri to search on their iPhones, online maps to find local places and Facebook to find things their friends have liked.

And services like LinkedIn Influencers and Quora are trying to be different kinds of search engines — places to find high-quality, expert content and avoid weeding through everything else on the Web. On Quora, questions like “What was it like to work for Steve Jobs?” get answered by people with firsthand knowledge, something Google cannot provide.

“There is a lot of pressure on search engines to deliver more customized, more relevant results,” said Shar VanBoskirk, an analyst at Forrester. “Users don’t need links to Web pages. We need answers, solutions, whatever intel we were searching for.”

But Google remains the one to beat, even as alternative search sites become popular. “They’re the specialty store you’re going into here and there,” said Danny Sullivan, an editor of Search Engine Land, a blog, “but they’re not your grocery store.”

Yet the promise of search is big enough that even though Microsoft loses billions of dollars a year on Bing and has failed to make a dent in Google’s market share, it keeps at it. Microsoft — which in February had 17 percent of the market, and 26 percent including the searches it powered for Yahoo — has said it views search as essential to its other products, from the Xbox to phones. And there is still a lot of money to be made as No. 2.

“You have millions of people a day saying exactly what they want, and if you’re an advertiser, it’s a beautiful vehicle,” Mr. Sullivan said.

EMarketer estimates that Google earns about three-quarters of search ad spending. Search engines bring companies troves of data and a measure of control as Internet users’ entry point to the digital world.

There are signs that people’s search behaviors are changing, however, with consequences for these companies.

Searches on traditional services, dominated by Google, declined 3 percent in the second half of last year after rising for years, according to comScore, and the number of searches per searcher declined 7 percent. In contrast, searches on topical sites, known as vertical search engines, climbed 8 percent.

While traditional searches increased again this year, other data reflects the threat to Google.

In the first quarter, spending on search ads fell 1 percent, a significant slowdown for Google, according to IgnitionOne, a digital marketing company. Last year, Google lost market share in search ads for the first time, according to eMarketer, falling to 72.8 percent from 74 percent.

This year, ad spending on traditional search engines is expected to grow more slowly than overall online ad spending, a reversal. Its growth significantly outpaced that of online ad spending until last year, eMarketer said.

Google is not watching from the sidelines. It is making more changes to search offerings, at a faster pace than it has in years.

Larry Page, its co-founder and chief executive, renamed the search division “knowledge.” Google’s mission, organizing the world’s information, was too narrow. Now he wanted people to learn from Google.

Google now shows answers instead of just links if you search something like “March Madness,” “weather” or even “my flight,” in which case it can pull flight information from users’ Gmail accounts.

The company’s biggest step happened last year, when it introduced the knowledge graph. While search generally matches keywords to Web sites, the knowledge graph uses semantic search, which understands the meanings of and connections among people, places and things.

A typical search engine, for instance, responds to a search for “Diana” by showing Web pages on which that word appears, from Wikipedia entries on the goddess of the hunt and the Princess of Wales to an engagement ring company.

But a more knowledgeable, humanlike search engine could know that you were looking for your roommate Diana’s online profile, or that you were also interested in Kate Middleton.

“What Google is beginning to do is share some of the knowledge in the world that humans have in their minds,” said Ben Gomes, a Google fellow, “so users can begin to communicate with Google in a way that’s much more natural to their thinking.”

Google calls these small steps that show where it is headed.

In the future, Google could answer more complicated questions, Mr. Gomes said, like “How far is it from here to the Eiffel Tower?” and “Where could I go to a concert in warm weather next year?”

Despite the advances of alternative search services, online habits are just as hard to break as real-world ones, especially when they are useful, said Andrew Lipsman, vice president of industry analysis at comScore.

“Most people have this very strong Google habit,” he said. “I go there every day and it gives me information I want, so it’s a self-reinforcing cycle. Not anyone can come in and just do those things.”

    As Web Search Goes Mobile, Competitors Chip at Google’s Lead, NYT, 3.4.2013,






Facebook Is Expected to Introduce Its Phone


April 3, 2013
The New York Times


SAN FRANCISCO — Facebook does not have to build a phone, as its chief executive, Mark Zuckerberg, has long maintained.

But it needs to find a way to play a bigger role in delivering what consumers want from their phones: ways to communicate, find answers to questions, shop and be entertained. The company would especially like to become that workhorse for the vast majority of its users who live outside the United States and from whom, so far, it barely profits.

The company will make its biggest leap yet in that direction Thursday, when it is expected to introduce a moderately priced phone, made by HTC, powered by Google’s Android operating system, and tweaked to showcase Facebook and its apps on the home screen.

The Facebook phone adheres to two crucial product announcements in the last three months: A new search tool that encourages users to use their Facebook friend network to seek out everything from restaurants to running trails, and a news feed remade for mobile devices.

The details of the would-be Facebook-centric phone are under wraps. But the motivation is certain.

“Facebook would like to be, literally and figuratively, as close to its users as its users are to their phones, within arm’s reach when they are searching for information, news, time wasting, shopping, communication,” said Rebecca Lieb, an analyst with the Altimeter Group.

That can be especially attractive if the new phone is affordable to emerging market users: Brazil and India are home to the largest blocs of Facebook users after the United States, and their numbers are growing swiftly as smartphone penetration increases in those countries. Many Indian cellphone makers, for that reason, have Facebook already installed on their home pages.

But Facebook makes little money by advertising to those international users.

By partnering with HTC, a phone maker based in Taiwan, the social network is signaling that it is “making an international push,” says Michael Pachter, an analyst with Wedbush Securities.

“The more people you get to use it on phones, the more ads you can deliver,” Mr. Pachter said.

Facebook made a little more than $4 a user in North America and $1.71 in Europe, but barely more than 50 cents in the rest of the world, including large markets like Brazil and India.

Ads are its principal moneymaker, and Facebook is under intense pressure to show Wall Street that it can make more money, and fast. Its stock market value is still far below its initial public offering price, and many analysts blame the company’s belated push into mobile devices.

Mr. Zuckerberg announced last year that Facebook was retooling itself as a mobile-first company. He has consistently said that it is not in the company’s interest to manufacture a phone.

“It’s not the right strategy for us,” he told market analysts in an earnings call in January. He wanted rather to see Facebook integrated into every device that its billion users hold in their hands.

Two-thirds of Facebook’s roughly one billion users worldwide log in to the social network on mobile devices.

A study commissioned by Facebook and carried out by the research firm IDC found that those users checked their Facebook pages an average of 14 times a day; in short, users checked in two-minute bursts adding up to about half an hour each day. Mostly, the users check their news feed.

The new Facebook-optimized phone will use a modified version of the Android software, The New York Times reported last week. When turned on, it will display the Facebook news feed.

Facebook already functions much like a phone, allowing users to chat, send group messages and even, in one experiment with users in Canada, to make free phone calls over the Internet. Its platform hosts a variety of applications that deliver things like music and news, and its newsfeed has been tweaked to showcase photos, which is what Facebook users post by the millions everyday.

There are fledgling experiments with commerce. Facebook users can buy online and offline gifts on Facebook with their credit cards. Equally important, Facebook’s insistence on real names means that Facebook can be something like an identity verification service. It is well-positioned to be a kind of mobile wallet, containing the equivalent of an identity card and seamless way to buy things.

“They want to have all the services that consumers want to use in the mobile world,” said Karsten Weide, an analyst with IDC. “They want to be the major consumer Internet platform.”

The Thursday announcement, which Facebook has described as an opportunity to “come see our new home on Android,” illustrates a fundamental problem for the company. Facebook must accommodate itself to mobile operating systems controlled by Internet rivals, Apple and Google.

Mr. Weide described them as “frenemies, mutually dependent but competing.”

    Facebook Is Expected to Introduce Its Phone, NYT, 3.4.2013,






Cyberattacks Seem Meant to Destroy,

Not Just Disrupt


March 28, 2013
The New York Times


American Express customers trying to gain access to their online accounts Thursday were met with blank screens or an ominous ancient type face. The company confirmed that its Web site had come under attack.

The assault, which took American Express offline for two hours, was the latest in an intensifying campaign of unusually powerful attacks on American financial institutions that began last September and have taken dozens of them offline intermittently, costing millions of dollars.

JPMorgan Chase was taken offline by a similar attack this month. And last week, a separate, aggressive attack incapacitated 32,000 computers at South Korea’s banks and television networks.

The culprits of these attacks, officials and experts say, appear intent on disabling financial transactions and operations.

Corporate leaders have long feared online attacks aimed at financial fraud or economic espionage, but now a new threat has taken hold: attackers, possibly with state backing, who seem bent on destruction.

“The attacks have changed from espionage to destruction,” said Alan Paller, director of research at the SANS Institute, a cybersecurity training organization. “Nations are actively testing how far they can go before we will respond.”

Security experts who studied the attacks said that it was part of the same campaign that took down the Web sites of JPMorgan Chase, Wells Fargo, Bank of America and others over the last six months. A group that calls itself the Izz ad-Din al-Qassam Cyber Fighters has claimed responsibility for those attacks.

The group says it is retaliating for an anti-Islamic video posted on YouTube last fall. But American intelligence officials and industry investigators say they believe the group is a convenient cover for Iran. Just how tight the connection is — or whether the group is acting on direct orders from the Iranian government — is unclear. Government officials and bank executives have failed to produce a smoking gun.

North Korea is considered the most likely source of the attacks on South Korea, though investigators are struggling to follow the digital trail, a process that could take months. The North Korean government of Kim Jong-un has openly declared that it is seeking online targets in its neighbor to the south to exact economic damage.

Representatives of American Express confirmed that the company was under attack Thursday, but said that there was no evidence that customer data had been compromised. A representative of the Federal Bureau of Investigation did not respond to a request for comment on the American Express attack.

Spokesmen for JPMorgan Chase said they would not talk about the recent attack there, its origins or its consequences. JPMorgan has openly acknowledged previous denial of service attacks. But the size and severity of the most recent one apparently led it to reconsider.

The Obama administration has publicly urged companies to be more transparent about attacks, but often security experts and lawyers give the opposite advice.

The largest contingent of instigators of attacks in the private sector, government officials and researchers say, remains Chinese hackers intent on stealing corporate secrets.

The American and South Korean attacks underscore a growing fear that the two countries most worrisome to banks, oil producers and governments may be Iran and North Korea, not because of their skill but because of their brazenness. Neither country is considered a superstar in this area. The appeal of digital weapons is similar to that of nuclear capability: it is a way for an outgunned, outfinanced nation to even the playing field. “These countries are pursuing cyberweapons the same way they are pursuing nuclear weapons,” said James A. Lewis, a computer security expert at the Center for Strategic and International Studies in Washington. “It’s primitive; it’s not top of the line, but it’s good enough and they are committed to getting it.”

American officials are currently weighing their response options, but the issues involved are complex. At a meeting of banking executives, regulators and representatives from the departments of Homeland Security and Treasury last December, some pressed the United States to hit back at the hackers, while others argued that doing so would only lead to more aggressive attacks, according to two people who attended the meeting.

The difficulty of deterring such attacks was also the focus of a White House meeting this month with Mr. Obama and business leaders, including the chief executives Jamie Dimon of JPMorgan Chase; Brian T. Moynihan of Bank of America; Rex W. Tillerson of Exxon Mobil; Randall L. Stephenson of AT&T and others.

Mr. Obama’s goal was to erode the business community’s intense opposition to federal legislation that would give the government oversight of how companies protect “critical infrastructure,” like banking systems and energy and cellphone networks. That opposition killed a bill last year, prompting Mr. Obama to sign an executive order promoting increased information-sharing with businesses.

“But I think we heard a new tone at this latest meeting,” an Obama aide said later. “Six months of unrelenting attacks have changed some views.”

Mr. Lewis, the computer security expert, agreed. “The Iranian attacks have tilted private sector opinion,” he said. “Hence the muted reaction to the executive order versus squeals of outrage. Companies are much more concerned about this and much more willing to see a government role.”

Neither Iran nor North Korea has shown anywhere near the subtlety and technique in online offensive skills that the United States and Israel demonstrated with Olympic Games, the ostensible effort to disable Iran’s nuclear enrichment plants with an online weapon that destabilized hundreds of centrifuges, destroying many of them. But after descriptions of that operation became public in the summer of 2010, Iran announced the creation of its own Cyber Corps.

North Korea has had hackers for years, some of whom are believed to be operating from, or through, China. Neither North Korea nor Iran is as focused on stealing data as they are determined to destroy it, experts contend.

When hackers believed by American intelligence officials to be Iranians hit the world’s largest oil producer, Saudi Aramco, last year, they did not just erase data on 30,000 Aramco computers; they replaced the data with an image of a burning American flag. In the assault on South Korea last week, some affected computers displayed an ominous image of skulls.

“This attack is as much a cyber-rampage as it is a cyberattack,” Rob Rachwald, a research director at FireEye, a computer security firm, said of the South Korea attacks.

In the past, such assaults typically occurred through a denial-of-service attack, in which hackers flood their target with Web traffic from networks of infected computers until it is overwhelmed and shuts down. One such case was a 2007 Russian attack on Estonia that affected its banks, the Parliament, ministries, newspapers and broadcasters.

With their campaign against American financial institutions, the hackers suspected of being Iranian have taken that kind of attack to the next level. Instead of using individual personal computers to fire Web traffic at each bank, they infected powerful, commercial data centers with sophisticated malware and directed them to simultaneously fire at each bank, giving them the horsepower to inflict a huge attack.

As a result, the hackers were able to take down the consumer banking sites of American Express, JPMorgan Chase, Bank of America, Wells Fargo and other banks with exponentially more traffic than hit Estonia in 2007.

In the attack on Saudi Aramco last year, the culprits did not mount that type of assault. Instead, they created malware designed for the greatest impact, coded to spread to as many computers as possible.

Likewise, the attacks last week on South Korean banks and broadcasters were far more sophisticated than coordinated denial-of-service attacks in 2009 that briefly took down the Web sites of South Korea’s president and its Defense Ministry. Such attacks were annoyances; they largely did not affect operations.

This time around in South Korea, however, the attackers engineered malware that could evade popular South Korean antivirus products, spread it to as many computer systems as possible, and inserted a “time bomb” to take out all the systems at once for greatest impact.

The biggest concern, Mr. Lewis said: “We don’t know how they make decisions. When you add erratic decision making, then you really have something to worry about.”

    Cyberattacks Seem Meant to Destroy, Not Just Disrupt, NYT, 28.3.2013,






He Has Millions and a New Job at Yahoo.

Soon, He’ll Be 18.


March 25, 2013
The New York Times


One of Yahoo’s newest employees is a 17-year-old high school student in Britain. As of Monday, he is one of its richest, too.

That student, Nick D’Aloisio, a programming whiz who wasn’t even born when Yahoo was founded in 1994, sold his news-reading app, Summly, to the company on Monday for a sum said to be in the tens of millions of dollars. Yahoo said it would incorporate his algorithmic invention, which takes long-form stories and shortens them for readers using smartphones, in its own mobile apps, with Mr. D’Aloisio’s help.

“I’ve still got a year and a half left at my high school,” he said in a telephone interview on Monday. But he will make arrangements to test out of his classes and work from the Yahoo office in London, partly to abide by the company’s new and much-debated policy that prohibits working from home.

Mr. D’Aloisio, who declined to comment on the price paid by Yahoo (the technology news site AllThingsD pegged the purchase price at about $30 million), was Summly’s largest shareholder.

Summly’s other investors, improbably enough, included Wendi Murdoch, Ashton Kutcher and Yoko Ono. The most important one was Li Ka-shing, the Hong Kong billionaire, whose investment fund supported Mr. D’Aloisio’s idea early on, before it was even called Summly.

“They took a gamble on me when I was a 15-year-old,” Mr. D’Aloisio said, by providing seed financing that let him hire employees and lease office space.

The fund read about Mr. D’Aloisio’s early-stage app on TechCrunch, the Silicon Valley blog of record, found his e-mail address and startled him with a message expressing interest.

The others signed up later. “Because it was my first time around, people just wanted to help,” he said.

For teenagers who fancy themselves entrepreneurs — and their parents, too — the news of the sale conjured up some feelings of inadequacy, but also awe. For Brian Wong, the 21-year-old founder of Kiip, a mobile rewards company, the reaction was downright laughable: “I feel old!”

A few years ago, Mr. Wong was described in the news media as the youngest person ever to receive venture capital funding. But a couple of younger founders came along — “and then Nick broke all of our records,” Mr. Wong said on Monday.

Among the attributes that helped Mr. D’Aloisio, he said, was a preternatural ability to articulate exactly what he wanted Summly to be. “There were no umms, no uhhs, no hesitations, no insecurities,” Mr. Wong said.

Mr. D’Aloisio, for his part, sounded somewhat uninterested in answering questions about his age on Monday. He acknowledged that it was an advantage in some pitch meetings, and certainly in the news media, “but so was the strength of the idea.” He was more eager to talk about his new employer, Yahoo, which is trying to reinvent itself as a mobile-first technology company (having dropped the digital media tagline it used before Marissa Mayer became chief executive last year).

“People are kind of underestimating how powerful it’s going to become and how much opportunity is there,” he said.

For a company that badly wants to be labeled innovative, those words are worth a lot.

Mr. D’Aloisio’s father, who works at Morgan Stanley, and his mother, a lawyer, had no special knowledge of technology. But they nurtured their son’s fascination with it and he started coding at age 12. Eventually he decided to develop an app with what he calls an “automatic summarization algorithm,” one that “can take pre-existing long-form content and summarize it.” In other words, it tries to solve a problem that is often summed up with the abbreviation tl;dr: “too long; didn’t read.”

Summly officially came online last November. By December, Mr. D’Aloisio was talking to Yahoo and other suitors.

Yahoo said in a statement that while the Summly app would be shut down, “we will acquire the technology and you’ll see it come to life throughout Yahoo’s mobile experiences soon.”

Other news-reading apps have attracted corporate attention as of late, reflecting the scramble by media companies to adapt to skyrocketing traffic from mobile devices. The social network LinkedIn was said to be pursuing an app called Pulse earlier this month. Still, the eight-figure payday for a teenage entrepreneur on Monday struck some as outlandish and set off speculation that Yahoo was willing to pay almost any price for “cool.”

Mr. D’Aloisio, though, will have plenty of time to prove his and his algorithm’s worth. As for the sizable paycheck from Yahoo, he said he did not have any specific plans for the sudden windfall. “It’s going to be put into a trust fund and my parents will help manage it,” he said.

He did say, however, that “angel investing could be really fun.” When not working at Yahoo, he will keep up with his hobbies — cricket in particular — and set his sights on attending college at Oxford. His intended major is philosophy.

    He Has Millions and a New Job at Yahoo. Soon, He’ll Be 18., NYT, 25.3.2013,






Big Data Is Opening Doors, but Maybe Too Many


March 23, 2013
The New York Times


IN the 1960s, mainframe computers posed a significant technological challenge to common notions of privacy. That’s when the federal government started putting tax returns into those giant machines, and consumer credit bureaus began building databases containing the personal financial information of millions of Americans. Many people feared that the new computerized databanks would be put in the service of an intrusive corporate or government Big Brother.

“It really freaked people out,” says Daniel J. Weitzner, a former senior Internet policy official in the Obama administration. “The people who cared about privacy were every bit as worried as we are now.”

Along with fueling privacy concerns, of course, the mainframes helped prompt the growth and innovation that we have come to associate with the computer age. Today, many experts predict that the next wave will be driven by technologies that fly under the banner of Big Data — data including Web pages, browsing habits, sensor signals, smartphone location trails and genomic information, combined with clever software to make sense of it all.

Proponents of this new technology say it is allowing us to see and measure things as never before — much as the microscope allowed scientists to examine the mysteries of life at the cellular level. Big Data, they say, will open the door to making smarter decisions in every field from business and biology to public health and energy conservation.

“This data is a new asset,” says Alex Pentland, a computational social scientist and director of the Human Dynamics Lab at the M.I.T. “You want it to be liquid and to be used.”

But the latest leaps in data collection are raising new concern about infringements on privacy — an issue so crucial that it could trump all others and upset the Big Data bandwagon. Dr. Pentland is a champion of the Big Data vision and believes the future will be a data-driven society. Yet the surveillance possibilities of the technology, he acknowledges, could leave George Orwell in the dust.

The World Economic Forum published a report late last month that offered one path — one that leans heavily on technology to protect privacy. The report grew out of a series of workshops on privacy held over the last year, sponsored by the forum and attended by government officials and privacy advocates, as well as business executives. The corporate members, more than others, shaped the final document.

The report, “Unlocking the Value of Personal Data: From Collection to Usage,” recommends a major shift in the focus of regulation toward restricting the use of data. Curbs on the use of personal data, combined with new technological options, can give individuals control of their own information, according to the report, while permitting important data assets to flow relatively freely.

“There’s no bad data, only bad uses of data,” says Craig Mundie, a senior adviser at Microsoft, who worked on the position paper.

The report contains echoes of earlier times. The Fair Credit Reporting Act, passed in 1970, was the main response to the mainframe privacy challenge. The law permitted the collection of personal financial information by the credit bureaus, but restricted its use mainly to three areas: credit, insurance and employment.

The forum report suggests a future in which all collected data would be tagged with software code that included an individual’s preferences for how his or her data is used. All uses of data would have to be registered, and there would be penalties for violators. For example, one violation might be a smartphone application that stored more data than is necessary for a registered service like a smartphone game or a restaurant finder.

The corporate members of the forum say they recognize the need to address privacy concerns if useful data is going to keep flowing. George C. Halvorson, chief executive of Kaiser Permanente, the large health care provider, extols the benefits of its growing database on nine million patients, tracking treatments and outcomes to improve care, especially in managing costly chronic and debilitating conditions like heart disease, diabetes and depression. New smartphone applications, he says, promise further gains — for example, a person with a history of depression whose movement patterns slowed sharply would get a check-in call.

“We’re on the cusp of a golden age of medical science and care delivery,” Mr. Halvorson says. “But a privacy backlash could cripple progress.”

Corporate executives and privacy experts agree that the best way forward combines new rules and technology tools. But some privacy professionals say the approach in the recent forum report puts way too much faith in the tools and too little emphasis on strong rules, particularly in moving away from curbs on data collection.

“We do need use restrictions, but there is a real problem with getting rid of data collection restrictions,” says David C. Vladeck, a professor of law at Georgetown University. “And that’s where they are headed.”

“I don’t buy the argument that all data is innocuous until it’s used improperly,” adds Mr. Vladeck, former director of the Bureau of Consumer Protection at the Federal Trade Commission.

HE offers this example: Imagine spending a few hours looking online for information on deep fat fryers. You could be looking for a gift for a friend or researching a report for cooking school. But to a data miner, tracking your click stream, this hunt could be read as a telltale signal of an unhealthy habit — a data-based prediction that could make its way to a health insurer or potential employer.

Dr. Pentland, an academic adviser to the World Economic Forum’s initiatives on Big Data and personal data, agrees that limitations on data collection still make sense, as long as they are flexible and not a “sledgehammer that risks damaging the public good.”

He is leading a group at the M.I.T. Media Lab that is at the forefront of a number of personal data and privacy programs and real-world experiments. He espouses what he calls “a new deal on data” with three basic tenets: you have the right to possess your data, to control how it is used, and to destroy or distribute it as you see fit.

Personal data, Dr. Pentland says, is like modern money — digital packets that move around the planet, traveling rapidly but needing to be controlled. “You give it to a bank, but there’s only so many things the bank can do with it,” he says.

His M.I.T. group is developing tools for controlling, storing and auditing flows of personal data. Its data store is an open-source version, called openPDS. In theory, this kind of technology would undermine the role of data brokers and, perhaps, mitigate privacy risks. In the search for a deep fat fryer, for example, an audit trail should detect unauthorized use.

Dr. Pentland’s group is also collaborating with law experts, like Scott L. David of the University of Washington, to develop innovative contract rules for handling and exchanging data that insures privacy and security and minimizes risk.

The M.I.T. team is also working on living lab projects. One that began recently is in the region around Trento, Italy, in cooperation with Telecom Italia and Telefónica, the Spanish mobile carrier. About 100 young families with young children are participating. The goal is to study how much and what kind of information they share on smartphones with one another, and with social and medical services — and their privacy concerns.

“Like anything new,” Dr. Pentland says, “people make up just-so stories about Big Data, privacy and data sharing,” often based on their existing beliefs and personal bias. “We’re trying to test and learn,” he says.

    Big Data Is Opening Doors, but Maybe Too Many, NYT, 23.3.2013,






Face-Lift at Facebook,

to Keep Its Users Engaged


March 6, 2013
The New York Times


SAN FRANCISCO — Facebook plans to announce on Thursday a substantial redesign of its News Feed — a makeover aimed at both keeping users glued to the social network and luring more advertising dollars.

Company executives have broadly said they want to make the News Feed, the first page every user sees upon logging in, more relevant.

In an earnings call with Wall Street analysts in January, the company’s founder and chief executive, Mark Zuckerberg, offered some hints of what a reimagined News Feed might look like: bigger photos, more videos and “more engaging ads.”

“Advertisers want really rich things like big pictures or videos, and we haven’t provided those things historically,” Mr. Zuckerberg said at the time.

Facebook declined to comment on the redesign, which is scheduled to be announced at its headquarters in Menlo Park, Calif. But the adjustments will reflect the tricky balance Facebook faces now that it is a public company: to keep drawing users to the site while not alienating them with more finely targeted advertisements, which is Facebook’s chief source of revenue.

The pressures are acute, given Facebook’s still anemic performance on Wall Street. It came out of the box last May with an extraordinarily high valuation of $38 a share, which slumped to half last fall, and has remained for the most part under $30.

“They have to walk a fine line between the user’s needs and advertiser’s needs,” said Karsten Weide, an analyst with IDC. The user, he went on, could use “better, more intelligent filtering,” while the advertiser needs “smarter, more flexible advertising formats.”

Facebook’s challenge is all the more important considering some warning signs of boredom.

Earlier this year came worrying news that 61 percent of users had taken a sabbatical from the social network, sometimes for months at a time; boredom was one of the reasons cited in the survey by the Pew Research Center. Even worse, 20 percent had deactivated their account entirely.

Advertisers have for years wanted to find new ways to show targeted ads to Facebook users, based on the vast data that the social network has about them. But Facebook has at times run into problems with new advertising products.

For example, last year, just before it filed for its public offering, it began to show advertisements in the News Feed, largely in the form of the controversial Sponsored Stories, where one user’s “like” for a brand was deployed to market that brand to a user’s Facebook “friends.”

Last fall, again in an effort to drum up new revenue, Facebook offered brands and individual users a way to pay Facebook to promote a particular post on the News Feed. Those who did not pay could expect an average post to reach about a third of their Facebook friends, according to the company’s own analysis. That immediately drew criticism, including from Mark Cuban, a technology investor and owner of the Mavericks basketball team, who wrote in an angry post on his blog (http://blogmaverick.com/) last fall that Facebook had made it too expensive for a brand like the Mavericks to reach its fans.

This week, responding to fresh criticism, Facebook said it did not “artificially suppress” content to feature paid posts.

The social networking giant has tweaked its News Feed over the years. Since 2009, Facebook has filtered what every user sees on the News Feed, based on the wisdom of its proprietary algorithm, called Edge Rank, which determines which posts a particular user is likely to find most interesting.

In 2010, it allowed users to chronologically filter the contents of the scrolling feed. The next year, it introduced a separate right-hand-side ticker — Twitter-esque, some said — of everything that every “friend” and brand page had posted.

At the heart of Facebook’s business is to hold the attention of its one billion users worldwide. That means keeping them entertained and on the site as frequently as possible.

It seems to be losing this battle somewhat with its youngest users. Teenagers are increasingly turning to other services, including Instagram, which Facebook now owns, so much so that David A. Ebersman, the company’s chief financial officer, said last week in a conference sponsored by Morgan Stanley that Facebook considered the photo-sharing site a competitor.

Instagram is not its only worry. Americans are increasingly turning to Pinterest to share shopping desires with their friends; Tumblr is a popular forum for self-expression, and Twitter continues to grow as a platform for news and entertainment.

Many people may no longer know all their “friends” on Facebook, which makes it difficult for the company to stuff the News Feed with posts that users will find relevant. Then there are ads.

“The bigger opportunity for Facebook is in cracking the relevance nut,” said Travis Katz, founder of an online travel service, Gogobot, that is integrated with Facebook.

“The noise-to-signal ratio in the feed has increased dramatically,” he added, “to the point where I often miss stories that were important to me.”

At the Morgan Stanley conference, Mr. Ebersman said the company’s filtering algorithms get “smarter” the more a Facebook user clicks on what is displayed on the News Feed.

“So of all the information we are able to show you on Facebook, we are trying algorithmically to pick out which pieces of content to put at the top of your News Feed because we think you will find them most engaging.”

    Face-Lift at Facebook, to Keep Its Users Engaged, NYT, 6.3.2013,






As Hacking Against U.S. Rises,

Experts Try to Pin Down Motive


March 3, 2013
The New York Times


SAN FRANCISCO — When Telvent, a company that monitors more than half the oil and gas pipelines in North America, discovered last September that the Chinese had hacked into its computer systems, it immediately shut down remote access to its clients’ systems.

Company officials and American intelligence agencies then grappled with a fundamental question: Why had the Chinese done it?

Was the People’s Liberation Army, which is suspected of being behind the hacking group, trying to plant bugs into the system so they could cut off energy supplies and shut down the power grid if the United States and China ever confronted each other in the Pacific? Or were the Chinese hackers just trolling for industrial secrets, trying to rip off the technology and pass it along to China’s own energy companies?

“We are still trying to figure it out,” a senior American intelligence official said last week. “They could have been doing both.”

Telvent, which also watches utilities and water treatment plants, ultimately managed to keep the hackers from breaking into its clients’ computers.

At a moment when corporate America is caught between what it sees as two different nightmares — preventing a crippling attack that brings down America’s most critical systems, and preventing Congress from mandating that the private sector spend billions of dollars protecting against that risk — the Telvent experience resonates as a study in ambiguity.

To some it is prime evidence of the threat that President Obama highlighted in his State of the Union address, when he warned that “our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems,” perhaps causing mass casualties. Mr. Obama called anew for legislation to protect critical infrastructure, which was killed last year by a Republican filibuster after intensive lobbying by the Chamber of Commerce and other business groups.

But the security breach of Telvent, which the Chinese government has denied, also raises questions of whether those fears — the subject of weekly research group reports, testimony and Congressional studies — may be somewhat overblown, or whether the precise nature of the threat has been misunderstood.

American intelligence officials believe that the greater danger to the nation’s infrastructure may not even be China, but Iran, because of its avowal to retaliate for the Stuxnet virus created by the United States and Israel and unleashed on one of its nuclear sites. But for now, these officials say, that threat is limited by gaps in Iranian technical skills.

There is no doubt that attacks of all kinds are on the rise. The Department of Homeland Security has been responding to intrusions on oil pipelines and electric power organizations at “an alarming rate,” according to an agency report last December. Some 198 attacks on the nation’s critical infrastructure systems were reported to the agency last year, a 52 percent increase from the number of attacks in 2011.

Researchers at McAfee, a security firm, discovered in 2011 that five multinational oil and gas companies had been attacked by Chinese hackers. The researchers suspected that the Chinese hacking campaign, which they called Night Dragon, had affected more than a dozen companies in the energy industry. More recently, the Department of Energy confirmed in January that its network had been infiltrated, though it has said little about what damage, if any, was done.

But security researchers say that the majority of those attacks were as ambiguous as the Telvent case. They appeared to be more about cyberespionage, intended to bolster the Chinese economy. If the goal was to blow up a pipeline or take down the United States power grid, the attacks would likely have been of a different nature.

In a recent report, Critical Intelligence, an Idaho Falls security company, said that several cyberattacks by “Chinese adversaries” against North American energy firms seemed intended to steal fracking technologies, reflecting fears by the Chinese government that the shale energy revolution will tip the global energy balance back in America’s favor. “These facts are likely a significant motivation behind the wave of sophisticated attacks affecting firms that operate in natural gas, as well as industries that rely on natural gas as an input, including petrochemicals and steelmaking,” the Critical Intelligence report said, adding that the attack on Telvent, and “numerous” North American pipeline operators may be related.

American intelligence experts believe that the primary reason China is deterred from conducting an attack on infrastructure in the United States is the simple economic fact that anything that hurts America’s financial markets or transportation systems would also have consequences for its own economy. It could interrupt exports to Walmart and threaten the value of China’s investments in the United States — which now include a new, big investment in oil and gas.

Iran, however, may be a different threat. While acknowledging that “China is stealing our intellectual property at a rate that qualifies as an epidemic,” Representative Mike Rogers, the Michigan Republican who chairs the House Intelligence Committee, added a caveat in an interview on Friday. “China is a rational actor,” he said. “Iran is not a rational actor.”

A new National Intelligence Estimate — a classified document that has not yet been published within the government, but copies of which are circulating for final comments — identifies Iran as one of the other actors besides China who would benefit from the ability to shut down parts of the American economy. Unlike the Chinese, the Iranians have no investments in the United States. As a senior American military official put it, “There’s nothing but upside for them to go after American infrastructure.”

While the skills of Iran’s newly created “cybercorps” are in doubt, Iranian hackers gained some respect in the technology community when they brought down 30,000 computers belonging to Saudi Aramco, the world’s largest oil producer, last August, replacing their contents with an image of a burning American flag.

The attack did not affect production facilities or refineries, but it made its point.

“The main target in this attack was to stop the flow of oil and gas to local and international markets and thank God they were not able to achieve their goals,” Abdullah al-Saadan, Aramco’s vice president for corporate planning, told Al Ekhbariya television.

President Obama has been vague about how the United States would respond to such an attack. No one in the administration argues that the United States should respond with cyber- or physical retaliation for the theft of secrets. Attorney General Eric H. Holder Jr. has made clear that would be dealt with in criminal courts, though the prosecutions of cybertheft by foreign sources have been few.

But the question of whether the president could, or should, order military retaliation for major attacks that threaten the American public is a roiling debate.

“Some have called for authorizing the military to defend private corporate networks and critical infrastructure sectors, like gas pipelines and water systems,” Candace Yu, who studies the issue for the Truman National Security Project, wrote recently. “This is unrealistic. The military has neither the specialized expertise nor the capacity to do this; it needs to address only the most urgent threats.”

But the administration has failed to convince Congress that the first line of defense to avert catastrophic cyberattack is to require private industry — which controls the cellphone networks and financial and power systems that are the primary target of infrastructure attacks — that it must build robust defenses.

A bill containing such requirements was defeated last year amid intense lobbying from the United States Chamber of Commerce and others, which argued that the costs would be prohibitive. Leading members of Congress say they expect the issue will come up again in the next few months.

“We are in a race against time,” Michael Chertoff, the former secretary of homeland security, said last week. “Most of the infrastructure is in private hands. The government is not going to be able to manage this like the air traffic control system. We’re going to have to enlist a large number of independent actors.”

The administration’s cybersecurity legislation last year failed despite closed-door simulations for lawmakers about what a catastrophic attack would look like.

During one such simulation that the Department of Homeland Security allowed a New York Times reporter to view at a department facility in Virginia, a woman played the role of an “evil hacker” who successfully broke into a power plant’s network. To get in, the hacker used a method called “spearphishing,” in which she sent a message to a power plant employee that induced the employee to click on a link to see pictures of “cute puppies.”

When the employee clicked on the link, it surreptitiously allowed the hacker to gain access to the employee’s computer, enabling her to easily turn the switches to the plant’s breakers on and off.

Although the officials providing the briefing acknowledged that the simulation was a bit simplistic, their message was clear: with so many vulnerable critical infrastructure systems across the country, such an attack could easily occur, with huge consequences. No one rules out that scenario — whatever the current motivations and abilities of countries like China and Iran.

“There are 12 countries developing offensive cyberweapons; Iran is one of them,” James Lewis, a former government official and cybersecurity expert at the Center for Strategic and International Studies in Washington, said at a security conference in San Francisco. Those countries have a long way to go, he said, but added: “Like nuclear weapons, eventually they’ll get there.”


Nicole Perlroth and Michael S. Schmidt reported from San Francisco,

and David E. Sanger from Washington.

    As Hacking Against U.S. Rises, Experts Try to Pin Down Motive, 3.3.2013,






Soldier to Face More Serious Charges in Leak


March 1, 2013
The New York Times


FORT MEADE, Md. — Military prosecutors announced on Friday that they had decided to try Pfc. Bradley Manning on the most serious charges they have brought against him and seek a sentence that could be life without parole, despite his voluntary guilty plea to 10 lesser charges that carry a maximum total sentence of 20 years.

Private Manning admitted in court on Thursday that he had provided about 700,000 government documents to WikiLeaks, the antisecrecy group, in the most extensive leak of confidential and classified material in American history. But he pleaded guilty to the lesser charges in what is known as a “naked plea” — one made without the usual agreement with prosecutors to cap the potential sentence in return.

After the plea, prosecutors and their boss, the commanding general of the Washington Military District, had the option of settling for the 10 charges to which he had admitted his guilt and proceeding directly to sentencing. Instead, they said they would continue with plans for a court-martial beginning June 3, with 141 prosecution witnesses scheduled to testify.

“Given the scope of the alleged misconduct, the seriousness of the charged offenses, and the evidence and testimony available, the United States intends to proceed with the court-martial to prove Manning committed the charged offenses beyond the lesser charges to which he has already pled guilty,” said a statement from the military district.

Eugene R. Fidell, who teaches military law at Yale, said the prosecutors’ decision suggested that they believed that his admissions, as extensive as they were, did not capture the full seriousness of his crimes or guarantee an adequate sentence. Most important, he said, the government wants to deter others from taking advantage of the Internet and portable storage devices to follow his example and leak government secrets on a grand scale.

“They want to scare the daylights out of other people,” Mr. Fidell said.

On Thursday, Private Manning, slight and bespectacled and dressed in a crisp Army uniform, was permitted to read a 35-page statement he had written to explain how he came to deliver to WikiLeaks voluminous archives of war reports from Iraq and Afghanistan, detainee assessments from the prison at Guantánamo Bay, Cuba, a quarter-million diplomatic cables and video showing helicopter gunships killing civilians in Iraq.

His statement allowed him to put on the record his political motives — he said he leaked the material in part “to spark a debate about foreign policy” — which have drawn support from a long list of critics of American policies and open-government advocates around the world. Private Manning may also have won some points with the judge, Col. Denise R. Lind, for not forcing the government to prove that he supplied the documents to WikiLeaks and for acknowledging that he broke the law.

But the confession, to the unauthorized possession and transmission of “protected information,” appears to have done nothing to alter the government’s determination to make an example of him or to limit the sentence he will ultimately serve. The military prosecutors’ statement said they would seek to prove all the charges to which Private Manning pleaded not guilty: aiding the enemy, violating the Espionage Act and the Computer Fraud and Abuse Act, larceny and the improper use of government information systems.

Perhaps the biggest battle in what is expected to be a 12-week trial will be over the prosecutors’ attempt to prove the rare charge of aiding the enemy — in the words of the charging document, that Private Manning did “without proper authority, knowingly give intelligence to the enemy, through indirect means.” That charge can carry the death penalty, but since prosecutors have ruled that punishment out, he would face a maximum sentence of life without parole if convicted.

The government has said that some of the documents that Private Manning gave to WikiLeaks ended up in the hands of Osama bin Laden, and the prosecution and defense sparred on Friday over whether and how that evidence would be presented at trial. Prosecutors said they wanted a witness who participated in the 2011 raid that killed Bin Laden to testify in disguise at the trial.

In his testimony on Thursday, Private Manning went out of his way to suggest that while he corresponded online with someone from WikiLeaks who he assumed to be the group’s founder, Julian Assange, no one from the organization directed his actions.

That could be significant for a continuing federal grand jury investigation of WikiLeaks in Alexandria, Va. Prosecutors are exploring whether Mr. Assange or his associates conspired with Private Manning to break any laws. Mr. Assange, now hiding out in the Ecuadorean Embassy in London to avoid being extradited to Sweden to face sexual offense charges, has maintained that he merely publishes documents that others provide to the group.

Reached by The Associated Press, Mr. Assange called Private Manning a political prisoner and accused the United States of trying to punish critics of its military and foreign policies.

    Soldier to Face More Serious Charges in Leak, 1.3.2013,






Soldier Admits Providing Files to WikiLeaks


February 28, 2013
The New York Times


FORT MEADE, Md. — Pfc. Bradley Manning on Thursday confessed in open court to providing vast archives of military and diplomatic files to the antisecrecy group WikiLeaks, saying that he released the information to help enlighten the public about “what happens and why it happens” and to “spark a debate about foreign policy.”

Appearing before a military judge for more than an hour, Private Manning read a statement recounting how he joined the military, became an intelligence analyst in Iraq, decided that certain files should become known to the American public to prompt a wider debate about foreign policy, downloaded them from a secure computer network and then ultimately uploaded them to WikiLeaks.

“No one associated with WLO” — an abbreviation he used to refer to the WikiLeaks organization — “pressured me into sending any more information,” Private Manning said. “I take full responsibility.”

Before reading the statement, Private Manning pleaded guilty to 10 criminal counts in connection with the huge amount of material he leaked, which included videos of airstrikes in Iraq and Afghanistan in which civilians were killed, logs of military incident reports, assessment files of detainees held at Guantánamo Bay, Cuba, and a quarter-million cables from American diplomats stationed around the world.

The guilty pleas exposed him to up to 20 years in prison. But the case against Private Manning, a slightly built 25-year-old who has become a folk hero among antiwar and whistle-blower advocacy groups, is not over. The military has charged him with a far more serious set of offenses, including aiding the enemy, and multiple counts of violating federal statutes, including the Espionage Act. Prosecutors now have the option of pressing forward with proving the remaining elements of those charges.

That would involve focusing only on questions like whether the information he provided counted as the sort covered by the Espionage Act — that is, whether it was not just confidential but also could be used to injure the United States or aid a foreign nation.

Private Manning described himself as thinking carefully about the kind of information he was releasing, and taking care to make sure that none of it could cause harm if disclosed.

The only material that initially gave him pause, he said, were the diplomatic cables, which he portrayed as documenting “back-room deals and seemingly criminal activity.”

But he decided to go forward after discovering that the most sensitive cables were not in the database. He was also motivated, he said, by a book about “open diplomacy” after World War I and “how the world would be a better place if states would not make secret deals with each other.”

“I believed the public release of these cables would not damage the United States,” he said. “However, I did believe the release of the cables might be embarrassing.”

Private Manning said the first set of documents he decided to release consisted of hundreds of thousands of military incident reports from Afghanistan and Iraq. He had downloaded them onto a disk because the network connection at his base in Iraq kept failing, and he and his colleagues needed regular access to them.

Those reports added up to a history of the “day-to-day reality” in both war zones that he believed showed the flaws in the counterinsurgency policy the United States was then pursuing. The military, he said, was “obsessed with capturing or killing” people on a list, while ignoring the impact of its operations on ordinary people.

Private Manning said he put the files on a digital storage card for his camera and took it home with him on a leave in early 2010. He then decided to give the files to a newspaper.

“I believed if the public — in particular the American public — had access to the information” in the reports, “this could spark a debate about foreign policy in relation to Iraq and Afghanistan,” he said.

Private Manning said he first called The Washington Post and spoke to an unidentified reporter for about five minutes. He decided that the reporter did not seem particularly interested because she said The Post would have to review the material before making any commitment.

He said he then tried to reach out to The New York Times by calling a phone number for the newspaper’s public editor — an ombudsman who is not part of the newsroom — and leaving a voice mail message that was not returned.

In January 2010, around the time when Mr. Manning called the public editor’s line, voice mail messages were checked by Michael McElroy, the assistant to Clark Hoyt, then the public editor. Both Mr. Hoyt, now the editor at large at Bloomberg News, and Mr. McElroy, now a staff editor at The Times, said on Thursday that they had no recollection of hearing such a message.

“We got hundreds of calls a week, and I tried to go through them all,” Mr. McElroy said. “If I’d heard something like that, I certainly hope I would have flagged it immediately.”

Private Manning eventually decided to release the information by uploading it to WikiLeaks. To do it, he said, he used a broadband connection at a Barnes & Noble store because his aunt’s house in a Maryland suburb, where he was staying, had lost its Internet connection in a snowstorm.

In February 2010, after he returned to Iraq, Private Manning sent more files to WikiLeaks, including a helicopter gunship video of a 2007 episode in Iraq in which American forces killed a group of men, including two Reuters journalists, and then fired again on a van that pulled up to help the victims.

Private Manning said the video troubled him, both because of the shooting of the second group of people, who “were not a threat but merely good Samaritans,” and because of what he described as the “seemingly delightful blood lust” expressed by the airmen in the recording. He also learned that Reuters had been seeking the video without success.

Private Manning said he copied the files from the secure network onto disks, which he took back to his quarters and transferred to his personal laptop before uploading them to WikiLeaks — initially through its Web site, and later using a directory the group designated for him on a “cloud drop box” server.

One set of files, he said, described the arrest by the Iraqi police, supported by Americans, of 15 people for printing “anti-Iraqi” pamphlets. None were tied to militants, he said, and the pamphlets were “merely a scholarly critique” of government corruption. To his frustration, WikiLeaks did not publish those files.

After that episode, Private Manning said, he became interested in detainees, which led him to the Guantánamo files. He said the United States was holding detainees who were “innocent, low-level foot soldiers, or didn’t have useful intelligence and who would be released” if they were still in the war zone.

At the same time, he was increasingly engaged in online conversations with someone from WikiLeaks who he said he assumed was a senior figure like Julian Assange, its founder, whose name he mispronounced as “as-sahn-JAY.” He said he greatly valued those talks because he felt isolated in Iraq. But, in retrospect, he said the relationship was “artificial.” He did not elaborate.

The judge, Col. Denise Lind, pressed Private Manning to explain how he could admit that his actions were wrong if his motivation was the “greater good” of enlightening the public. Private Manning replied, “Your Honor, regardless of my opinion or my assessment of documents such as these, it’s beyond my pay grade — it’s not my authority to make these decisions” about releasing confidential files.


Scott Shane contributed reporting from Washington.

    Soldier Admits Providing Files to WikiLeaks, NYT, 28.2.2013,






A New Cold War, in Cyberspace,

Tests U.S. Ties to China


February 24, 2013
The New York Times


WASHINGTON — When the Obama administration circulated to the nation’s Internet providers last week a lengthy confidential list of computer addresses linked to a hacking group that has stolen terabytes of data from American corporations, it left out one crucial fact: that nearly every one of the digital addresses could be traced to the neighborhood in Shanghai that is headquarters to the Chinese military’s cybercommand.

That deliberate omission underscored the heightened sensitivities inside the Obama administration over just how directly to confront China’s untested new leadership over the hacking issue, as the administration escalates demands that China halt the state-sponsored attacks that Beijing insists it is not mounting.

The issue illustrates how different the worsening cyber-cold war between the world’s two largest economies is from the more familiar superpower conflicts of past decades — in some ways less dangerous, in others more complex and pernicious.

Administration officials say they are now more willing than before to call out the Chinese directly — as Attorney General Eric H. Holder Jr. did last week in announcing a new strategy to combat theft of intellectual property. But President Obama avoided mentioning China by name — or Russia or Iran, the other two countries the president worries most about — when he declared in his State of the Union address that “we know foreign countries and companies swipe our corporate secrets.” He added: “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems.”

Defining “enemies” in this case is not always an easy task. China is not an outright foe of the United States, the way the Soviet Union once was; rather, China is both an economic competitor and a crucial supplier and customer. The two countries traded $425 billion in goods last year, and China remains, despite many diplomatic tensions, a critical financier of American debt. As Hillary Rodham Clinton put it to Australia’s prime minister in 2009 on her way to visit China for the first time as secretary of state, “How do you deal toughly with your banker?”

In the case of the evidence that the People’s Liberation Army is probably the force behind “Comment Crew,” the biggest of roughly 20 hacking groups that American intelligence agencies follow, the answer is that the United States is being highly circumspect. Administration officials were perfectly happy to have Mandiant, a private security firm, issue the report tracing the cyberattacks to the door of China’s cybercommand; American officials said privately that they had no problems with Mandiant’s conclusions, but they did not want to say so on the record.

That explains why China went unmentioned as the location of the suspect servers in the warning to Internet providers. “We were told that directly embarrassing the Chinese would backfire,” one intelligence official said. “It would only make them more defensive, and more nationalistic.”

That view is beginning to change, though. On the ABC News program “This Week” on Sunday, Representative Mike Rogers, Republican of Michigan and chairman of the House Intelligence Committee, was asked whether he believed that the Chinese military and civilian government were behind the economic espionage. “Beyond a shadow of a doubt,” he replied.

In the next few months, American officials say, there will be many private warnings delivered by Washington to Chinese leaders, including Xi Jinping, who will soon assume China’s presidency. Both Tom Donilon, the national security adviser, and Mrs. Clinton’s successor, John Kerry, have trips to China in the offing. Those private conversations are expected to make a case that the sheer size and sophistication of the attacks over the past few years threaten to erode support for China among the country’s biggest allies in Washington, the American business community.

“America’s biggest global firms have been ballast in the relationship” with China, said Kurt M. Campbell, who recently resigned as assistant secretary of state for East Asia to start a consulting firm, the Asia Group, to manage the prickly commercial relationships. “And now they are the ones telling the Chinese that these pernicious attacks are undermining what has been built up over decades.”

It is too early to tell whether that appeal to China’s self-interest is getting through. Similar arguments have been tried before, yet when one of China’s most senior military leaders visited the Joint Chiefs of Staff at the Pentagon in May 2011, he said he didn’t know much about cyberweapons — and said the P.L.A. does not use them. In that regard, he sounded a bit like the Obama administration, which has never discussed America’s own cyberarsenal.

Yet the P.LA.’s attacks are largely at commercial targets. It has an interest in trade secrets like aerospace designs and wind-energy product schematics: the army is deeply invested in Chinese industry and is always seeking a competitive advantage. And so far the attacks have been cost-free.

American officials say that must change. But the prescriptions for what to do vary greatly — from calm negotiation to economic sanctions and talk of counterattacks led by the American military’s Cyber Command, the unit that was deeply involved in the American and Israeli cyberattacks on Iran’s nuclear enrichment plants.

“The problem so far is that we have rhetoric and we have Cyber Command, and not much in between,” said Chris Johnson, a 20-year veteran of the C.I.A. team that analyzed the Chinese leadership. “That’s what makes this so difficult. It’s easy for the Chinese to deny it’s happening, to say it’s someone else, and no one wants the U.S. government launching counterattacks.”

That marks another major difference from the dynamic of the American-Soviet nuclear rivalry. In cold war days, deterrence was straightforward: any attack would result in a devastating counterattack, at a human cost so horrific that neither side pulled the trigger, even during close calls like the Cuban missile crisis.

But cyberattacks are another matter. The vast majority have taken the form of criminal theft, not destruction. It often takes weeks or months to pin down where an attack originated, because attacks are generally routed through computer servers elsewhere to obscure their source. A series of attacks on The New York Times that originated in China, for example, was mounted through the computer systems of unwitting American universities. That is why David Rothkopf, the author of books about the National Security Council, wrote last week that this was a “cool war,” not only because of the remote nature of the attacks but because “it can be conducted indefinitely — permanently, even — without triggering a shooting war. At least, that is the theory.”

Administration officials like Robert Hormats, the under secretary of state for business and economic affairs, say the key to success in combating cyberattacks is to emphasize to the Chinese authorities that the attacks will harm their hopes for economic growth. “We have to make it clear,” Mr. Hormats said, “that the Chinese are not going to get what they desire,” which he said was “investment from the cream of our technology companies, unless they quickly get this problem under control.”

But Mr. Rogers of the Intelligence Committee argues for a more confrontational approach, including “indicting bad actors” and denying visas to anyone believed to be involved in cyberattacks, as well as their families.

The coming debate is over whether the government should get into the business of retaliation. Already, Washington is awash in conferences that talk about “escalation dominance” and “extended deterrence,” all terminology drawn from the cold war.

Some of the talk is overheated, fueled by a growing cybersecurity industry and the development of offensive cyberweapons, even though the American government has never acknowledged using them, even in the Stuxnet attacks on Iran. But there is a serious, behind-the-scenes discussion about what kind of attack on American infrastructure — something the Chinese hacking groups have not seriously attempted — could provoke a president to order a counterattack.



This article has been revised to reflect the following correction:

Correction: February 24, 2013

An earlier version of this article gave an incorrect month

for a visit to the Pentagon by a senior Chinese military leader.

The visit took place in May 2011, not April 2011.

    A New Cold War, in Cyberspace, Tests U.S. Ties to China, NYT, 24.2.2013,






Some Victims of Online Hacking Edge Into the Light


February 20, 2013
The New York Times


SAN FRANCISCO — Hackers have hit thousands of American corporations in the last few years, but few companies ever publicly admit it. Most treat online attacks as a dirty secret best kept from customers, shareholders and competitors, lest the disclosure sink their stock price and tarnish them as hapless.

Rarely have companies broken that silence, usually when the attack is reported by someone else. But in the last few weeks more companies have stepped forward. Twitter, Facebook and Apple have all announced that they were attacked by sophisticated cybercriminals. The New York Times revealed its experience with hackers in a front-page article last month.

The admissions reflect the new way some companies are calculating the risks and benefits of going public. While companies once feared shareholder lawsuits and the ire of the Chinese government, some can’t help noticing that those that make the disclosures are lauded, as Google was, for their bravery. Some fear the embarrassment of being unable to fend off hackers who may still be in high school.

But as hacking revelations become more common, the threat of looking foolish fades and more companies are seizing the opportunity to take the leap in a crowd.

“There is a ‘hide in the noise’ effect right now,” said Alan Paller, director of research at the SANS Institute, a nonprofit security research and education organization. “This is a particularly good time to get out the fact that you got hacked, because if you are one of many, it discounts the starkness of the announcement.”

In 2010, when Google alerted some users of Gmail — political activists, mostly — that it appeared Chinese hackers were trying to read their mail, such disclosures were a rarity. In its announcement, Google said that it was one of many — two dozen — companies that had been targeted by the same group. Google said it was making the announcement, in part, to encourage other companies to open up about the problem.

But of that group, only Intel and Adobe Systems reluctantly stepped forward, and neither provided much detail.

Twitter admitted that it had been hacked this month. Facebook and Apple followed suit two weeks later. Within hours after The Times published its account, The Wall Street Journal chimed in with a report that it, too, had been attacked by what it believed to be Chinese hackers. The Washington Post followed.

Not everyone took advantage of the cover. Bloomberg, for example, has repeatedly denied that its systems were also breached by Chinese hackers, despite several sources that confirmed that its computers were infected with malware.

Computer security experts estimate that more than a thousand companies have been attacked recently. In 2011, security researchers at McAfee unearthed a vast online espionage campaign, called Operation Shady Rat, that found more than 70 organizations had been hit over a five-year period, many in the United States.

“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly) with the great majority of the victims rarely discovering the intrusion or its impact,” Dmitri Alperovitch, then McAfee’s vice president for threat research, wrote in his findings.

“In fact,” said Mr. Alperovitch, now the chief technology officer at Crowdstrike, a security start-up, “I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”

Of that group, there are still few admissions. A majority of companies that have at one time or another been the subject of news reports of online attacks refuse to confirm them. The list includes the International Olympic Committee, Exxon Mobil, Baker Hughes, Royal Dutch Shell, BP, ConocoPhillips, Chesapeake Energy, the British energy giant BG Group, the steel maker ArcelorMittal and Coca-Cola.

Like Google, some companies have stepped forward in the interest of increasing awareness and improving security within their respective industries, often to little avail. In 2009, Heartland Payment Systems, a major payment processing company, took the unusual step of disclosing a major data breach on its systems that potentially exposed millions of credit and debit card customers to fraud. It did so against the advice of its lawyers.

“Until then, most people tried to sweep breaches under the rug,” said Steve Elefant, then Heartland’s chief information officer. “We wanted to make sure that it didn’t happen to us again and didn’t want to sit back while the bad guys tried to pick us off one by one.”

Heartland helped set up the Payments Processors Information Sharing Council to share information about security threats and breaches within the industry. Again, the company’s lawyers thought it was a bad idea. “But we felt it was important.”

The effort did not stop its other members from sweeping their own breaches under the rug. Last year, Global Payments, a major payment processor, did not disclose that it had been the victim of two major breaches that potentially affected millions of accounts, until the attacks were reported by a well-known security blogger. Even then, it did not offer details that other companies could use to fortify their systems. Last week, President Obama signed an executive order that encouraged increased information-sharing about online threats between the government and private companies. But compliance with the order is voluntary, a weakened alternative to an online security bill that stalled in Congress last year after the Chamber of Commerce, a lobbying group that itself was hacked, led an effort to block it, saying that the regulations would be too burdensome.

In Washington on Wednesday, several senior administration officials presented a new strategy for protecting American intellectual property by urging firms to step forward when attacked.

“There has been a reluctance by companies to come forward because of the concern about the impact on their shareholders or others,” said Lanny A. Breuer, the assistant attorney general in charge of the criminal division of the Justice Department.

In October 2011, the Securities and Exchange Commission issued a new guidance that specifically outlined how publicly traded companies should disclose online attacks, but few disclosures have come because of it.

“Quite frankly, since then, there hasn’t been an abundance of reporting on cyberevents despite the fact that they are clearly happening,” said Jacob Olcott, a specialist in online risks who managed a Senate investigation into the disclosure practices.

The best hope, Mr. Olcott said, is that as investors start paying more attention to the threats, they will demand that companies disclose them. “I wouldn’t hold my breath,” Mr. Elefant said. “There are an awful lot of lawyers out there trying to keep companies from exposing that these breaches are happening. And they are happening.”


David E. Sanger contributed reporting from Washington.

    Some Victims of Online Hacking Edge Into the Light, NYT, 20.2.2013,






China’s Cybergames


February 19, 2013
The New York Times


Washington has not had much success persuading Beijing to rein in its hackers even though American officials and security experts have long known that China is the main source of cyberattacks on the United States. Two recent developments, however, should raise the political costs for China and may cause it to alter its calculus. Refusal to change its conduct could make its relations with the United States even more difficult than they are.

On Tuesday, a new report from Mandiant, an American computer security firm, publicly documented an explicit link between Chinese hackers and the People’s Liberation Army. The report cites a growing body of digital forensic evidence that most of the attacks on American corporations, organizations and government agencies originate in and around a 12-story office tower on the outskirts of Shanghai that is the headquarters of P.L.A. Unit 61398.

Mandiant tracked individual members of the most sophisticated of the Chinese hacking groups, known as “Comment Crew” or “Shanghai Group,” to the headquarters of the military unit, which is central to China’s computer espionage operations. It followed “Comment Crew” for six years, monitoring 141 attacks by looking at Web domains, malware, Internet protocol addresses and embedded codes.

Reporters for The Times confirmed the evidence contained in the report with American intelligence officials who say they have tapped into the activity of the army unit for years.

Chinese officials denounced the report, but their reaction was hardly a denial. “Hacking attacks are transnational and anonymous. Determining their origins are extremely difficult. We don’t know how the evidence in this so-called report can be tenable,” said Hong Lei, a Foreign Ministry spokesman.

In a second development that could further raise the stakes for Beijing, Washington decided to share with American Internet providers and antivirus vendors information about the unique signatures of the largest of the Chinese groups, including those originating from the area where Unit 61398 is based. The government warnings will not link the hackers and their computers to the Chinese Army per se, but the effects will be felt when the hackers and computers are denied access to American networks, as many of the Internet providers and antivirus vendors are expected to do.

American officials are increasingly concerned about cyberattacks intended not just to steal corporate secrets but also, as President Obama said in his recent State of the Union address, to “sabotage our power grid, our financial institutions, our air traffic control systems.”

As a defensive measure, Mr. Obama last week signed an executive order promoting increased information-sharing about cyberthreats between the government and private companies that oversee the country’s critical infrastructure, including its electrical power grid, gas lines and waterworks. Congress still has not acted on legislation setting minimum requirements for how this infrastructure should be protected. A reasonably strong bill offered in the Senate last summer has been stymied by objections from some legislators that it would be too intrusive. So far, Mr. Obama has chosen not to have a public collision with China. He and his aides have largely raised their concerns in private. But patience is wearing thin as China-emanated attacks have grown and the administration pursues a more aggressive response.

China and the United States have to cooperate on numerous international security issues. But that won’t happen if they end up in a cyberwar. Publicizing China’s transgressions and blocking Internet access to hackers should be a warning to Beijing. Washington is right to defend its interests. But the two nations need to take the lead in negotiating new international understandings about what constitutes cyberaggression and how governments should respond.

    China’s Cybergames, NYT, 19.2.2013,






The Trouble With Online College


February 18, 2013
The New York Times

Stanford University ratcheted up interest in online education when a pair of celebrity professors attracted more than 150,000 students from around the world to a noncredit, open enrollment course on artificial intelligence. This development, though, says very little about what role online courses could have as part of standard college instruction. College administrators who dream of emulating this strategy for classes like freshman English would be irresponsible not to consider two serious issues.

First, student attrition rates — around 90 percent for some huge online courses — appear to be a problem even in small-scale online courses when compared with traditional face-to-face classes. Second, courses delivered solely online may be fine for highly skilled, highly motivated people, but they are inappropriate for struggling students who make up a significant portion of college enrollment and who need close contact with instructors to succeed.

Online classes are already common in colleges, and, on the whole, the record is not encouraging. According to Columbia University’s Community College Research Center, for example, about seven million students — about a third of all those enrolled in college — are enrolled in what the center describes as traditional online courses. These typically have about 25 students and are run by professors who often have little interaction with students. Over all, the center has produced nine studies covering hundreds of thousands of classes in two states, Washington and Virginia. The picture the studies offer of the online revolution is distressing.

The research has shown over and over again that community college students who enroll in online courses are significantly more likely to fail or withdraw than those in traditional classes, which means that they spend hard-earned tuition dollars and get nothing in return. Worse still, low-performing students who may be just barely hanging on in traditional classes tend to fall even further behind in online courses.

A five-year study, issued in 2011, tracked 51,000 students enrolled in Washington State community and technical colleges. It found that those who took higher proportions of online courses were less likely to earn degrees or transfer to four-year colleges. The reasons for such failures are well known. Many students, for example, show up at college (or junior college) unprepared to learn, unable to manage time and having failed to master basics like math and English.

Lacking confidence as well as competence, these students need engagement with their teachers to feel comfortable and to succeed. What they often get online is estrangement from the instructor who rarely can get to know them directly. Colleges need to improve online courses before they deploy them widely. Moreover, schools with high numbers of students needing remedial education should consider requiring at least some students to demonstrate success in traditional classes before allowing them to take online courses.

Interestingly, the center found that students in hybrid classes — those that blended online instruction with a face-to-face component — performed as well academically as those in traditional classes. But hybrid courses are rare, and teaching professors how to manage them is costly and time-consuming.

The online revolution offers intriguing opportunities for broadening access to education. But, so far, the evidence shows that poorly designed courses can seriously shortchange the most vulnerable students.

    The Trouble With Online College, NYT, 18.2.2013,






Chinese Army Unit Is Seen

as Tied to Hacking Against U.S.


February 18, 2013
The New York Times


On the outskirts of Shanghai, in a run-down neighborhood dominated by a 12-story white office tower, sits a People’s Liberation Army base for China’s growing corps of cyberwarriors.

The building off Datong Road, surrounded by restaurants, massage parlors and a wine importer, is the headquarters of P.L.A. Unit 61398. A growing body of digital forensic evidence — confirmed by American intelligence officials who say they have tapped into the activity of the army unit for years — leaves little doubt that an overwhelming percentage of the attacks on American corporations, organizations and government agencies originate in and around the white tower.

An unusually detailed 60-page study, to be released Tuesday by Mandiant, an American computer security firm, tracks for the first time individual members of the most sophisticated of the Chinese hacking groups — known to many of its victims in the United States as “Comment Crew” or “Shanghai Group” — to the doorstep of the military unit’s headquarters. The firm was not able to place the hackers inside the 12-story building, but makes a case there is no other plausible explanation for why so many attacks come out of one comparatively small area.

“Either they are coming from inside Unit 61398,” said Kevin Mandia, the founder and chief executive of Mandiant, in an interview last week, “or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”

Other security firms that have tracked “Comment Crew” say they also believe the group is state-sponsored, and a recent classified National Intelligence Estimate, issued as a consensus document for all 16 of the United States intelligence agencies, makes a strong case that many of these hacking groups are either run by army officers or are contractors working for commands like Unit 61398, according to officials with knowledge of its classified content.

Mandiant provided an advance copy of its report to The New York Times, saying it hoped to “bring visibility to the issues addressed in the report.” Times reporters then tested the conclusions with other experts, both inside and outside government, who have examined links between the hacking groups and the army (Mandiant was hired by The New York Times Company to investigate a sophisticated Chinese-origin attack on its news operations, but concluded it was not the work of Comment Crew, but another Chinese group. The firm is not currently working for the Times Company but it is in discussions about a business relationship.)

While Comment Crew has drained terabytes of data from companies like Coca-Cola, increasingly its focus is on companies involved in the critical infrastructure of the United States — its electrical power grid, gas lines and waterworks. According to the security researchers, one target was a company with remote access to more than 60 percent of oil and gas pipelines in North America. The unit was also among those that attacked the computer security firm RSA, whose computer codes protect confidential corporate and government databases.

Contacted Monday, officials at the Chinese embassy in Washington again insisted that their government does not engage in computer hacking, and that such activity is illegal. They describe China itself as a victim of computer hacking, and point out, accurately, that there are many hacking groups inside the United States. But in recent years the Chinese attacks have grown significantly, security researchers say. Mandiant has detected more than 140 Comment Crew intrusions since 2006. American intelligence agencies and private security firms that track many of the 20 or so other Chinese groups every day say those groups appear to be contractors with links to the unit.

While the unit’s existence and operations are considered a Chinese state secret, Representative Mike Rogers of Michigan, the Republican chairman of the House Intelligence Committee, said in an interview that the Mandiant report was “completely consistent with the type of activity the Intelligence Committee has been seeing for some time.”

The White House said it was “aware” of the Mandiant report, and Tommy Vietor, the spokesman for the National Security Council, said, “We have repeatedly raised our concerns at the highest levels about cybertheft with senior Chinese officials, including in the military, and we will continue to do so.”

The United States government is planning to begin a more aggressive defense against Chinese hacking groups, starting on Tuesday. Under a directive signed by President Obama last week, the government plans to share with American Internet providers information it has gathered about the unique digital signatures of the largest of the groups, including Comment Crew and others emanating from near where Unit 61398 is based.

But the government warnings will not explicitly link those groups, or the giant computer servers they use, to the Chinese army. The question of whether to publicly name the unit and accuse it of widespread theft is the subject of ongoing debate.

“There are huge diplomatic sensitivities here,” said one intelligence official, with frustration in his voice.

But Obama administration officials say they are planning to tell China’s new leaders in coming weeks that the volume and sophistication of the attacks have become so intense that they threaten the fundamental relationship between Washington and Beijing.

The United States government also has cyberwarriors. Working with Israel, the United States has used malicious software called Stuxnet to disrupt Iran’s uranium enrichment program. But government officials insist they operate under strict, if classified, rules that bar using offensive weapons for nonmilitary purposes or stealing corporate data.

The United States finds itself in something of an asymmetrical digital war with China. “In the cold war, we were focused every day on the nuclear command centers around Moscow,” one senior defense official said recently. “Today, it’s fair to say that we worry as much about the computer servers in Shanghai.”

A Shadowy Unit

Unit 61398 — formally, the 2nd Bureau of the People’s Liberation Army’s General Staff Department’s 3rd Department — exists almost nowhere in official Chinese military descriptions. Yet intelligence analysts who have studied the group say it is the central element of Chinese computer espionage. The unit was described in 2011 as the “premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence” by the Project 2049 Institute, a nongovernmental organization in Virginia that studies security and policy issues in Asia.

While the Obama administration has never publicly discussed the Chinese unit’s activities, a secret State Department cable written the day before Barack Obama was elected president in November 2008 described at length American concerns about the group’s attacks on government sites. (At the time American intelligence agencies called the unit “Byzantine Candor,” a code word dropped after the cable was published by WikiLeaks.)

The Defense Department and the State Department were particular targets, the cable said, describing how the group’s intruders send e-mails, called “spearphishing” attacks, that placed malware on target computers once the recipient clicked on them. From there, they were inside the systems.

American officials say that a combination of diplomatic concerns and the desire to follow the unit’s activities have kept the government from going public. But Mandiant’s report is forcing the issue into public view.

For more than six years, Mandiant tracked the actions of Comment Crew, so named for the attackers’ penchant for embedding hidden code or comments into Web pages. Based on the digital crumbs the group left behind — its attackers have been known to use the same malware, Web domains, Internet protocol addresses, hacking tools and techniques across attacks — Mandiant followed 141 attacks by the group, which it called “A.P.T. 1” for Advanced Persistent Threat 1.

“But those are only the ones we could easily identify,” said Mr. Mandia. Other security experts estimate that the group is responsible for thousands of attacks.

As Mandiant mapped the Internet protocol addresses and other bits of digital evidence, it all led back to the edges of Pudong district of Shanghai, right around the Unit 61398 headquarters. The group’s report, along with 3,000 addresses and other indicators that can be used to identify the source of attacks, concludes “the totality of the evidence” leads to the conclusion that “A.P.T. 1 is Unit 61398.”

Mandiant discovered that two sets of I.P. addresses used in the attacks were registered in the same neighborhood as Unit 61398’s building.

“It’s where more than 90 percent of the attacks we followed come from,” said Mr. Mandia.

The only other possibility, the report concludes with a touch of sarcasm, is that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multiyear enterprise-scale computer espionage campaign right outside of Unit 61398’s gates.”

The most fascinating elements of the Mandiant report follow the keystroke-by-keystroke actions of several of the hackers who the firm believes work for the P.L.A. Mandiant tracked their activities from inside the computer systems of American companies they were invading. The companies had given Mandiant investigators full access to rid them of the Chinese spies.

One of the most visible hackers it followed is UglyGorilla, who first appeared on a Chinese military forum in January 2004, asking whether China has a “similar force” to the “cyber army” being set up by the American military.

By 2007 UglyGorilla was turning out a suite of malware with what the report called a “clearly identifiable signature.” Another hacker, called “DOTA” by Mandiant, created e-mail accounts that were used to plant malware. That hacker was tracked frequently using a password that appeared to be based on his military unit’s designation. DOTA and UglyGorilla both used the same I.P. addresses linked back to Unit 61398’s neighborhood.

Mandiant discovered several cases in which attackers logged into their Facebook and Twitter accounts to get around China’s firewall that blocks ordinary citizen’s access, making it easier to track down their real identities.

Mandiant also discovered an internal China Telecom memo discussing the state-owned telecom company’s decision to install high-speed fiber-optic lines for Unit 61398’s headquarters.

China’s defense ministry has denied that it is responsible for initiating attacks. “It is unprofessional and groundless to accuse the Chinese military of launching cyberattacks without any conclusive evidence,” it said last month, one of the statements that prompted Mandiant to make public its evidence.

Escalating Attacks

Mandiant believes Unit 61398 conducted sporadic attacks on American corporate and government computer networks; the earliest it found was in 2006. Two years ago the numbers spiked. Mandiant discovered some of the intrusions were long-running. On average the group would stay inside a network, stealing data and passwords, for a year; in one case it had access for four years and 10 months.

Mandiant has watched the group as it has stolen technology blueprints, manufacturing processes, clinical trial results, pricing documents, negotiation strategies and other proprietary information from more than 100 of its clients, mostly in the United States. Mandiant identified attacks on 20 industries, from military contractors to chemical plants, mining companies and satellite and telecommunications corporations.

Mandiant’s report does not name the victims, who usually insist on anonymity. A 2009 attack on Coca-Cola coincided with the beverage giant’s failed attempt to acquire the China Huiyuan Juice Group for $2.4 billion, according to people with knowledge of the results of the company’s investigation.

As Coca-Cola executives were negotiating what would have been the largest foreign purchase of a Chinese company, Comment Crew was busy rummaging through their computers in an apparent effort to learn more about Coca-Cola’s negotiation strategy.

The attack on Coca-Cola began, like hundreds before it, with a seemingly innocuous e-mail to an executive that was, in fact, a spearphishing attack. When the executive clicked on a malicious link in the e-mail, it gave the attackers a foothold inside Coca-Cola’s network. From inside, they sent confidential company files through a maze of computers back to Shanghai, on a weekly basis, unnoticed.

Two years later, Comment Crew was one of at least three Chinese-based groups to mount a similar attack on RSA, the computer security company owned by EMC, a large technology company. It is best known for its SecurID token, carried by employees at United States intelligence agencies, military contractors and many major companies. (The New York Times also uses the firm’s tokens to allow access to its e-mail and production systems remotely.) RSA has offered to replace SecurID tokens for customers and said it had added new layers of security to its products.

As in the Coca-Cola case, the attack began with a targeted, cleverly fashioned poisoned e-mail to an RSA employee. Two months later, hackers breached Lockheed Martin, the nation’s largest defense contractor, partly by using the information they gleaned from the RSA attack.

Mandiant is not the only private firm tracking Comment Crew. In 2011, Joe Stewart, a Dell SecureWorks researcher, was analyzing malware used in the RSA attack when he discovered that the attackers had used a hacker tool to mask their true location.

When he reverse-engineered the tool, he found that the vast majority of stolen data had been transferred to the same range of I.P. addresses that Mandiant later identified in Shanghai.

Dell SecureWorks says it believed Comment Crew includes the same group of attackers behind Operation Shady RAT, an extensive computer espionage campaign uncovered in 2011 in which more than 70 organizations over a five-year period, including the United Nations, government agencies in the United States, Canada, South Korea, Taiwan and Vietnam were targeted.

Infrastructure at Risk

What most worries American investigators is that the latest set of attacks believed coming from Unit 61398 focus not just on stealing information, but obtaining the ability to manipulate American critical infrastructure: the power grids and other utilities.

Staff at Digital Bond, a small security firm that specializes in those industrial-control computers, said that last June Comment Crew unsuccessfully attacked it. A part-time employee at Digital Bond received an e-mail that appeared to come from his boss, Dale Peterson. The e-mail, in perfect English, discussed security weaknesses in critical infrastructure systems, and asked the employee to click a link to a document for more information. Mr. Peterson caught the e-mail and shared it with other researchers, who found the link contained a remote-access tool that would have given the attackers control over the employee’s computer and potentially given them a front-row seat to confidential information about Digital Bond’s clients, which include a major water project, a power plant and a mining company.

Jaime Blasco, a security researcher at AlienVault, analyzed the computer servers used in the attack, which led him to other victims, including the Chertoff Group. That firm, headed by the former secretary of the Department of Homeland Security, Michael Chertoff, has run simulations of an extensive digital attack on the United States. Other attacks were made on a contractor for the National Geospatial-Intelligence Agency, and the National Electrical Manufacturers Association, a lobbying group that represents companies that make components for power grids. Those organizations confirmed they were attacked but have said they prevented attackers from gaining access to their network.

Mr. Blasco said that, based on the forensics, all the victims had been hit by Comment Crew. But the most troubling attack to date, security experts say, was a successful invasion of the Canadian arm of Telvent. The company, now owned by Schneider Electric, designs software that gives oil and gas pipeline companies and power grid operators remote access to valves, switches and security systems.

Telvent keeps detailed blueprints on more than half of all the oil and gas pipelines in North and South America, and has access to their systems. In September, Telvent Canada told customers that attackers had broken into its systems and taken project files. That access was immediately cut, so that the intruders could not take command of the systems.

Martin Hanna, a Schneider Electric spokesman, did not return requests for comment, but security researchers who studied the malware used in the attack, including Mr. Stewart at Dell SecureWorks and Mr. Blasco at AlienVault, confirmed that the perpetrators were the Comment Crew.

“This is terrifying because — forget about the country — if someone hired me and told me they wanted to have the offensive capability to take out as many critical systems as possible, I would be going after the vendors and do things like what happened to Telvent,“ Mr. Peterson of Digital Bond said. “It’s the holy grail.”

Mr. Obama alluded to this concern in the State of the Union speech, without mentioning China or any other nation. “We know foreign countries and companies swipe our corporate secrets,” he said. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing.”

Mr. Obama faces a vexing choice: In a sprawling, vital relationship with China, is it worth a major confrontation between the world’s largest and second largest economy over computer hacking?

A few years ago, administration officials say, the theft of intellectual property was an annoyance, resulting in the loss of billions of dollars of revenue. But clearly something has changed. The mounting evidence of state sponsorship, the increasing boldness of Unit 61398, and the growing threat to American infrastructure are leading officials to conclude that a far stronger response is necessary.

“Right now there is no incentive for the Chinese to stop doing this,” said Mr. Rogers, the House intelligence chairman. “If we don’t create a high price, it’s only going to keep accelerating.”

    Chinese Army Unit Is Seen as Tied to Hacking Against U.S., NYT, 18.2.2013,






Facebook Says Hackers Breached Its Computers


February 15, 2013
6:22 pm
The New York Times


Facebook admitted that it was breached by sophisticated hackers in recent weeks, two weeks after Twitter made a similar admission. Both Facebook and Twitter were breached through a well-publicized vulnerability in Oracle's Java software.

In a blog post late Friday afternoon, Facebook said it was attacked when a handful of its employees visited a compromised site for mobile developers. Simply by visiting the site, their computers were infected with malware. The company said that as soon as it discovered the malware, it cleaned up the infected machines and tipped off law enforcement.

"We have found no evidence that Facebook user data was compromised," Facebook said.

On Feb. 1, Twitter said hackers had breached its systems and potentially accessed the data of 250,000 Twitter users. The company suggested at that time that it was one of several companies and organizations to be have been similarly attacked.

Facebook has known about its own breach for at least a month, according to people close to the investigation, but it was unclear why the company waited this long to announce it. Fred Wolens, a Facebook spokesman, declined to comment.

Like Twitter, Facebook said it believed that it was one of several organizations that were targeted by the same group of attackers.

"Facebook was not alone in this attack," the company said in its blog post. "It is clear that others were attacked and infiltrated recently as well."

The attacks add to the mounting evidence that hackers were able to use the security hole in Oracle's Java software to steal information from a broad range of companies. Java, a widely used programming language, is installed on more than three billion devices. It has long been hounded by security problems.

Last month, after a security researcher exposed a serious vulnerability in the software, the Department of Homeland Security issued a rare alert that warned users to disable Java on their computers. The vulnerability was particularly disconcerting because it let attackers download a malicious program onto its victims' machines without any prompting. Users did not even have to click on a malicious link for their computers to be infected. The program simply downloaded itself.

After Oracle initially patched the security hole in January, the Department of Homeland Security said that the fix was not sufficient and recommended that, unless "absolutely necessary", users should disable it on their computers completely. Oracle did not issue another fix until Feb. 1.

Social networks are a prime target for hackers, who look to use people's personal data and social connections in what are known as "spearphishing" attacks. In this type of attack, a target is sent an e-mail, ostensibly from a connection, containing a malicious link or attachment. Once the link is clicked or attachment opened, attackers take control of a user's computer. If the infected computer is inside a company's system, the attackers are able to gain a foothold. In many cases, they then extract passwords and gain access to sensitive data.

Facebook said in its blog post that the updated patch addressed the vulnerability that allowed hackers to access its employees' computers.

Hackers have been attacking organizations inside the United States at an alarming rate. The number of attacks reported by government agencies last year topped 48,500 - a ninefold jump from the 5,500 attacks reported in 2006, according to the Government Accountability Office.

In the last month alone, The New York Times, The Wall Street Journal and The Washington Post all confirmed that they were targets of sophisticated hackers. But security experts say that these attacks are just the tip of the iceberg.

A common saying among security experts is that there are now only two types of American companies: Those that have been hacked and those that don't know they've been hacked.

    Facebook Says Hackers Breached Its Computers, NYT, 15.2.2013,






Keeping an Eye on Bouncing Prices Online


January 27, 2013
The New York Times


Jen Hughes used to have the time to hunt for online coupon codes and refresh her Web browser to see if the clothes she wanted had gone on sale yet. But after she had her first child, she said, trying to track e-commerce prices had to go.

“I spend my day chasing my daughter around, so I don’t have the luxury of sitting at my computer,” said Ms. Hughes, 29, of Reading, Mass. Many sites “have sales every other day, but I don’t have time to go on and see if the things I actually want have made it onto the sale yet.”

Now she doesn’t have to.

With retailers’ Internet prices now changing more often — sometimes several times within the space of a day — a new group of tools is helping shoppers outwit the stores. Rather than requiring shoppers to do the work by entering an item into price-comparison engines throughout the day, the tools automatically scan for price changes and alert customers when the price drops.

Some tools, including one from Citibank’s Citi Card, even scour sites for lower prices after a purchase and help customers get a refund for any price difference.

Web sites that help shoppers compare prices and track online deals have existed as long as e-commerce itself. But rapid changes in pricing at many major retailers have made it more difficult for shoppers to keep on top of it all.

The research company Dynamite Data, which follows prices on behalf of retailers and brands, tracked hundreds of holiday products at major retailers in 2011 and 2012. During a two-week period around Thanksgiving, Amazon and Sears were changing prices on about a quarter of those products daily, a significant increase from the previous year. Walmart, Toys “R” Us, Kmart and Best Buy also changed prices more frequently in 2012.

Even the Web browser a customer uses can make a difference. The Web site Digital Folio, which shows consumers price changes, did side-by-side comparisons of televisions. On Newegg using the Chrome browser, the firm was offered a $997 price on a Samsung television. Using Firefox and Internet Explorer, the price was $1,399.

The firm found a difference on another Samsung television model at Walmart.com, where using Firefox yielded a $199 price and Chrome and Internet Explorer $168.

“A lot of times the price will have a big difference on consumer behavior,” said Larry S. Freed, chief executive of ForeSee, which analyzes customer experiences.

One of the new price-tracking tools is Hukkster, introduced last year by two former J. Crew merchants. It asks shoppers to install a “hukk it” button on their browsers. Then, when a shopper sees an item she likes, she clicks the button, chooses the color, size and discount she is interested in, tells Hukkster to alert her when the price drops, and waits for an e-mail to that effect.

“We wanted a way to know, on a specific style we want, when it goes on sale,” said a co-founder, Erica Bell. Hukkster also looks for coupon codes that apply to specific items, so a J. Crew nightshirt that was originally $128 came out to $62.99 after a site markdown combined with a 30 percent discount code that Hukkster found.

Currently, Hukkster makes money from referral traffic — it is paid a fee when shoppers buy something via a link from its e-mails. The founders say they are approaching retailers about ways of working with them by, for instance, offering personalized discounts based on shoppers’ “hukks.”

“Retailers are forced to do, say, 30 percent off all sweaters when what they’re really trying to move is the green merino sweater. This provides them the option to do that on a one-to-one basis,” a co-founder, Katie Finnegan, said.

Ms. Hughes, the Massachusetts mother, “hukks” items in specific sizes and colors, and then waits for the notification, like one on a Boden sweater she recently bought for her daughter.

“Now, of course, I’m hukking everything under the sun, including diapers, which I don’t think is their target audience,” she said.

Digital Folio charts the 30-day price history on electronics items at a number of retailers so shoppers can see not only where the lowest price is, but also whether that price might go lower still.

Rather than coming back to the site each time they want to check a product, shoppers can use Digital Folio as a sidebar in the browser. As a shopper pokes around Amazon’s electronics section, for example, the sidebar lists live comparison pricing for the products.

Alerts can give shoppers a competitive edge, said Patrick Carter, president of Digital Folio. He gave the example of a Nikon L26 camera: Amazon was out of stock, but at 10 p.m. one evening, it got the cameras back in stock at a reduced price. By the next morning, Amazon was out of stock again. “You get the alert and you get in on the feeding frenzy,” he said.

Decide.com, which offers price alerts and predictions about where prices are going, recently introduced a price guarantee. If shoppers become a Decide.com member for $4.99 a month and follow Decide’s recommendations to buy something, Decide will refund the difference if it finds a lower price within two weeks of the purchase.

Retailers generally appreciate the sales traffic generated by the tracking tools and do not try to block them even if that means some customers will reap extra discounts.

In some cases, retailers are even changing their practices to adapt to the new landscape. Target, for example, announced this month that it would match prices from online competitors like Amazon, extending a promotion it tried during the holidays..

Even banks see a potential role for themselves as price monitors. Citibank recently added a feature to its consumer credit cards that gives customers a refund when it finds a lower price on an item within 30 days of purchase.

“Everyone can relate to the buyer’s remorse of buying an item and seeing it for a lower price a day or a couple of days later,” said Jud Linville, chief executive of Citi Cards.

For Citi, the idea is to get consumers using their Citi cards rather than competitors’ cards on big purchases, Mr. Linville said. Consumers must register the purchase online, and there is a long list of exclusions (live animals don’t qualify, nor do antiques, boats or airline tickets).

The price difference must be $25 or more, and Citi searches the retailers’ sites itself. When Citi finds a big enough difference, it e-mails the consumer, asks for a receipt and then mails a check for the difference.

Mr. Linville said about a quarter of purchases over $100 that had been registered so far got a refund, and almost 40 percent of those over $1,000. Some eligible items included a Whirlpool washer, a DKNY suit and a Canon Rebel camera. On average, said a Citi spokeswoman, those who register items get back $80 an item.

While those budget-conscious shoppers are clearly interested in buying, they may not be the type of long-term customers that retailers want to cultivate, said Mr. Freed of ForeSee.

Shoppers who are not price-sensitive, he said, “are the consumers they really want, that they can build loyalty out of — not the consumers that are strictly taking a deal.”

    Keeping an Eye on Bouncing Prices Online, NYT, 27.1.2013,






Search Option From Facebook Is Privacy Test


January 18, 2013
The New York Times


SAN FRANCISCO — Facebook’s greatest triumph has been to persuade a seventh of the world’s population to share their personal lives online.

Now the social network is taking on its archrival, Google, with a search tool to mine that personal information, just as people are growing more cautious about sharing on the Internet and even occasionally removing what they have already put up.

Whether Facebook’s more than one billion users will continue to divulge even more private details will determine whether so-called social search is the next step in how we navigate the online world. It will also determine whether Facebook has found a business model that will make it a lot of money.

“There’s a big potential upside for both Facebook and users, but getting people to change their behaviors in relation to what they share will not be easy,” said Andrew T. Stephen, who teaches marketing at the University of Pittsburgh and studies consumer behavior on online social networks.

This week, Facebook unveiled its search tool, which it calls graph search, a reference to the network of friends its users have created. The company’s algorithms will filter search results for each person, ranking the friends and brands that it thinks a user would trust the most. At first, it will mine users’ interests, photos, check-ins and “likes,” but later it will search through other information, including status updates.

“While the usefulness of graph search increases as people share more about their favorite restaurants, music and other interests, the product doesn’t hinge on this,” a Facebook spokesman, Jonathan Thaw, said.

Nevertheless, the company engineers who created the tool — former Google employees — say that the project will not reach its full potential if Facebook data is “sparse,” as they call it. But the company is confident people will share more data, be it the movies they watch, the dentists they trust or the meals that make their mouths water.

The things people declare on Facebook will be useful, when someone searches for those interests, Tom Stocky, one of the creators of Facebook search, said in an interview this week. Conversely, by liking more things, he said, people will become more useful in the eyes of their friends.

“You might be inclined to ‘like’ what you like so when your friends search, they’ll find it,” he said. “I probably would never have liked my dentist on Facebook before, but now I do because it’s a way of letting my friends know.”

Mr. Stocky offered these examples of how more information may be desirable: A single man may want to be discovered when a friend of a friend is searching for eligible bachelors in San Francisco or a restaurant that stays open late may want to be found by a night owl.

“People have shared all this great stuff on Facebook,” Mr. Stocky said. “It’s latent value. We wanted a way to unlock that.”

Independent studies suggest that Facebook users are becoming more careful about how much they reveal online, especially since educators and employers typically scour Facebook profiles.

A Northwestern University survey of 500 young adults in the summer of 2012 found that the majority avoided posting status updates because they were concerned about who would see them. The study also found that many had deleted or blocked contacts from seeing their profiles and nearly two-thirds had untagged themselves from a photo, post or check-in.

“These behavioral patterns seem to suggest that many young adults are less keen on sharing at least certain details about their lives rather than more,” said Eszter Hargittai, an associate professor of communication studies at Northwestern, who led the yet unpublished study among men and women aged 21 and 22.

Also last year, the Pew Internet Center found that social network users, including those on Facebook, were more aggressively pruning their profiles — untagging photos, removing friends and deleting comments.

Graph search is something of a coming-of-age moment for social search. Companies from Google to Yelp to TripAdvisor to small start-ups like Hunch have all tried to make search more social, by providing personal answers from people you know and not just links to Web sites, in an effort to bring word-of-mouth recommendations online. Bing, which has a partnership with Facebook, announced this week that it would add more social recommendations to standard Web links in search queries.

But no company has tried social search on Facebook’s scale.

“This is a watershed moment,” said Oren Etzioni, a computer science professor at the University of Washington and a co-founder of the price comparison site Decide.com.

“There have been other attempts at social search,” he continued, “but it’s the scale at which Facebook operates, especially once they fully index everything we’ve said or say or like.”

Facebook’s social search is also a step forward in a new type of Web search, one in which Google has made great strides. Engineers call it structured or semantic search, which means search engines that understand how people, places and things relate to one another, and not just key words.

Graph search holds great value for advertisers seeking to target more precise audiences — like mothers in their 30s who listen to hip-hop and run marathons — and advertising remains Facebook’s principal source of profit. Additionally, the more data people share and search for, the longer they are glued to the site.

But the company is aware of concerns about privacy. When announcing the tool, it took pains to point out that it would respect users’ privacy. If people do not want an embarrassing photograph to be ferreted out by a potential employer, for instance, they can make it visible only to those who have been winnowed down as “close friends.”

Users have been encouraged to check their privacy settings in order to fine-tune whom they wish to share with. At the same time, Facebook eliminated a longstanding option that users enjoyed: if someone is searching for them, they will no longer be able to remain obscure.

Still, some Facebook users may be skeptical. Jana Uyeda, 35, a photographer and social media consultant in Seattle, said, “I love my friends, but sometimes their taste in restaurants is terrible.”

Like the subjects of the Northwestern study, Ms. Uyeda, said she was not so sure she wanted to reveal more. “I’m slowly trying to close down the doors on Facebook, instead of opening myself up,” she said.

Ms. Uyeda added, “There would have to be a lot of other incentives, and I don’t even know what that would be, in order for me to add more information about myself and be more open.”

    Search Option From Facebook Is Privacy Test, NYT, 18.1.2013,






Google Gains From Creating Apps

for the Opposition


January 13, 2013
The New York Times


For many people, smartphone shopping comes down to a choice of Apple’s iPhone or one powered by Google’s Android software.

But now consumers can get an iPhone and fill it with Google.

Google has become one of the most prolific and popular developers of apps for the iPhone, in effect helping its competitor make more appealing products — even as relations between the companies have deteriorated.

While some of its Internet services were built into the iPhone from the start, Google has stepped up its presence in the last eight months, pumping out major new iPhone apps or improving old ones. It also has expanded efforts to hire developers to make more such apps.

A maps app Google released in December has been the most downloaded program for the iPhone for much of the last month. The company has cranked out a YouTube app, an iPhone version of its Chrome Web browser and better software for gaining access to its Gmail service. Two dozen iPhone apps from Google are available on Apple’s App Store, with variations for the iPad.

Google’s strategy may look self-defeating at first. But analysts and technology executives say it is simply acknowledging the obvious: that there is an enormous market of avid iPhone users it wants to reach, an audience that is a target for ads and that can yield a bonanza of data that will allow Google to improve the online products that produce much of its profits.

Google’s support for the iPhone also looks like a win for Apple, which, after all, makes money when it sells an iPhone that is used to gain access to Google services.

But potential risks lie in Google’s growing presence on Apple’s devices, especially when it comes to apps that replace basic functions like Web browsing, maps and e-mail.

IPhone users who spend much of their time in Google apps could deprive Apple of valuable data it needs to improve its own online services like maps. And those apps could help Google build a deeper connection with users that makes them more likely to switch entirely to Android smartphones later.

“The best way to recruit users to those devices is to get them using the services,” said Chris Silva, a mobile analyst at Altimeter Group, a tech industry research business. “Find them where they are, get them using the services and ramp them up so when they have devices equivalent to the iPhone, they are already in the market.”

Stephen Stetelman, a real estate agent in Hattiesburg, Miss., is a prime example of an iPhone user whose loyalties are divided between Apple and Google. The first thing Mr. Stetelman, 25, said he did when he got a new iPhone two weeks ago was to download all of Google’s major apps, including Gmail, Chrome and Google Maps — all of which he said he considered better than the comparable Apple apps that came with the phone.

“It’s a little ironic,” Mr. Stetelman said. “But I think honestly the grace of Apple is in their design and in their hardware. As far as online services and applications and stuff, I think Google is still top of the line.”

People like Mr. Stetelman make executives at Apple nervous. Early in the iPhone era, Steven P. Jobs, the company’s former chief executive, who died in October 2011, did not want Apple to approve any apps for the device that replaced its core functions, one former senior Apple employee said.

Apple executives have long believed that they would need to build up many of the same services that Google offers to compete long-term in the mobile market, according to this person, who did not want to be named to avoid jeopardizing relationships.

Eventually, under scrutiny from federal regulators, Apple softened its stance and began allowing apps for the iPhone, like Web browsers, that competed with important built-in apps.

Natalie Kerris, a spokeswoman for Apple, declined to comment for this article.

Apple has moved to reduce the presence of Google services in apps that come installed on its phones. Last year it removed the YouTube app — one that Apple created for the earliest iPhones so they would have access to YouTube videos. It also stopped using Google data to power its mapping application.

Instead, Apple began using its own maps service, which has been widely criticized for mistakes, including misplaced landmarks and inaccurate addresses. Timothy D. Cook, Apple’s chief executive, issued a rare apology last September for its maps product and later shook up the company’s management ranks, in part because of the problems.

Apple’s decision to stop including Google’s services on its devices forced Google to quickly ramp up its own software development for Apple’s mobile operating system, iOS.

While Google had engineers devoted to iOS projects, it had to hire outsiders to help quickly design a Google Maps app for the iPhone.

That app appears to be a huge hit. Widely praised by technology reviewers, Google Maps for the iPhone was downloaded more than 10 million times in the 48 hours after its release last December, Jeff Huber, a Google senior vice president, said in an online post at the time.

Other Google apps are among the most commonly used on the iPhone. Last November there were 11.8 million unique users of a new Google-created YouTube app for the iPhone in the United States, and 6.4 million users of its Google Search app, placing them both in the top 20 list of iPhone apps with the biggest audience, according to Nielsen.

In October, Google updated its search application for the iPhone with voice capabilities that more closely resembled those of Siri, the often-maligned virtual assistant included in the iPhone.

Google also bolstered its efforts last year to hire more iOS developers, many of whom might be unlikely to consider working for the company because of its focus on promoting the Android operating system on mobile devices.

Last July, Google bought Sparrow, a Paris-based start-up that made a popular app for using Gmail on the iPhone, and moved some of its engineers to Silicon Valley.

Last December, it began posting Web ads to recruit iOS developers, providing a link to a Q.&A. on the subject with the headline, “Wait, Google has iOS mobile apps teams?”

Chris Hulbert, a freelance programmer who spent three months working for Google in Australia last year, wrote a blog post in which he compared working on iOS apps there to “working behind enemy lines.”

Google said it had not changed its strategy on Apple devices, but rather was continuing to build apps for all devices.

“Our goal is to make a simple, easy-to-use Google experience available to as many people as possible,” said Christopher Katsaros, a Google spokesman. “We’ve developed apps for iOS for some time now, and we’re delighted to see the recent enthusiasm for them.”

Unlike Apple, Google makes its money not from selling phones but from selling ads that appear on those phones. So it cares less about which phone a consumer uses and more about whether that consumer uses Google apps — and shares data with Google and sees Google ads.

When a consumer uses Chrome on the desktop at work, for instance, then opens the same tabs and continues using Chrome on phones elsewhere, Google knows much more about that consumer’s behavior, including the consumer’s location and the searches. The company’s hunger for such data has, of course, raised privacy concerns.

Chetan Sharma, an independent mobile analyst, says Google’s focus on iOS should concern Apple. “It just pushes Apple to up their game in software,” he said. “They’re kind of behind.”

    Google Gains From Creating Apps for the Opposition, NYT, 13.1.2013,






A Data Crusader, a Defendant and Now, a Cause


January 13, 2013
The New York Times


At an afternoon vigil at the Massachusetts Institute of Technology on Sunday, Aaron Swartz, the 26-year-old technology wunderkind who killed himself on Friday, was remembered as a great programmer and a provocative thinker by a handful of students who attended.

And he was recalled as something else, a hero of the free culture movement — a coalition as varied as Wikipedia contributors, Flickr photographers and online educators, and prominent figures like Julian Assange, the WikiLeaks founder, and online vigilantes like Anonymous. They share a belief in using the Internet to provide easy, open access to the world’s knowledge.

“He’s something to aspire toward,” said Benjamin Hitov, a 23-year-old Web programmer from Cambridge, Mass., who said he had cried when he learned the news about Mr. Swartz. “I think all of us would like to be a bit more like him. Most of us aren’t quite as idealistic as he was. But we still definitely respect that.”

The United States government has a very different view of Mr. Swartz. In 2011, he was arrested and accused of using M.I.T.’s computers to gain illegal access to millions of scholarly papers kept by Jstor, a subscription-only service for distributing scientific and literary journals.

At his trial, which was to begin in April, he faced the possibility of millions of dollars in fines and up to 35 years in prison, punishments that friends and family say haunted him for two years and led to his suicide.

Mr. Swartz was a flash point in the debate over whether information should be made widely available. On one side were activists like Mr. Swartz and advocacy groups like the Electronic Frontier Foundation and Students for Free Culture. On the other were governments and corporations that argued that some information must be kept private for security or commercial reasons.

After his death, Mr. Swartz has come to symbolize a different debate over how aggressively governments should pursue criminal cases against people like Mr. Swartz who believe in “freeing” information.

In a statement, his family said in part: “Aaron’s death is not simply a personal tragedy. It is the product of a criminal justice system rife with intimidation and prosecutorial overreach. Decisions made by officials in the Massachusetts U.S. attorney’s office and at M.I.T. contributed to his death.”

On Sunday evening, M.I.T.’s president, L. Rafael Reif, said he had appointed a prominent professor, Hal Abelson, to “lead a thorough analysis of M.I.T.’s involvement from the time that we first perceived unusual activity on our network in fall 2010 up to the present.” He promised to disclose the report, adding, “It pains me to think that M.I.T. played any role in a series of events that have ended in tragedy.”

M.I.T.’s Web site was inaccessible at times on Sunday. Officials there did not provide a cause, but hackers claimed responsibility.

While Mr. Swartz viewed his making copies of academic papers as an unadulterated good, spreading knowledge, the prosecutor compared Mr. Swartz’s actions to using a crowbar to break in and steal someone’s money under the mattress. On Sunday, she declined to comment on Mr. Swartz’s death out of respect for his family’s privacy.

The question of how to treat online crimes is still a vexing one, many years into the existence of the Internet.

Prosecutors have great discretion on what to charge under the Computer Fraud and Abuse Act, the law cited in Mr. Swartz’s case, and how to value the loss. “The question in any given case is whether the prosecutor asked for too much, and properly balanced the harm caused in a particular case with the defendant’s true culpability,” said Marc Zwillinger, a former federal cybercrimes prosecutor.

The belief that information is power and should be shared freely — which Mr. Swartz described in a treatise in 2008 — is under considerable legal assault. The immediate reaction among those sympathetic to Mr. Swartz has been anger and a vow to soldier on. Young people interviewed on Sunday spoke of the government’s power to intimidate.

“Using certain people as poster children for deterring others from doing that same action, ultimately it won’t work,” Jennifer Baek, a third-year student at New York Law School, said by telephone, referring to Pfc. Bradley Manning, who has been charged with multiple counts in the leaking of confidential documents, and Mr. Swartz. Ms. Baek, a member of the board of Students for Free Culture, said the comments on blogs and discussion boards she had visited since Mr. Swartz’s death showed that “people aren’t afraid to say this is what the injustice was.”

The ingredients for trouble perhaps lay in Mr. Swartz’s personal and direct approach to solving problems. As one mentor, Cory Doctorow of the popular Web site Boing Boing, wrote in tribute, he was highly impressionable and sought after and was forgiven by those he worked with and worked for.

A permanent “kid genius,” Mr. Swartz had often put his skills to the task of making information more accessible. At 14 he was a co-creator of RSS, a tool that allows online content to be distribute, and then made a tidy sum as one of the creators of the social-news site Reddit, now part of Condé Nast.

But even before, and certainly after, he crusaded for open access to data. His projects include a range of influential efforts like the Internet Archive, Creative Commons, Wikipedia and the Recap collection of legal documents.

He also began more traditional projects for subjects he took an interest in. At 19, he volunteered to upload the archive of a defunct magazine he loved, Lingua Franca. In 2005, he called up the writer Rick Perlstein to offer to create a Web page for him after reading a book of his he liked.

“I smelled a hustle, asking him how much it would cost, and he said, no, he wanted to do it for free,” Mr. Perlstein wrote in The Nation over the weekend. “I thought: ‘What a loser this guy must be. Someone with nothing better to do.’ ” Mr. Perlstein writes that he ended up becoming friends, and he sent chapters of his next book, “Nixonland,” to Mr. Swartz before he showed them to anyone else.

Mr. Swartz outlined his views in the manifesto: “It’s called stealing or piracy, as if sharing a wealth of knowledge were the moral equivalent of plundering a ship and murdering its crew. But sharing isn’t immoral — it’s a moral imperative. Only those blinded by greed would refuse to let a friend make a copy.”

And he said the stakes were clear: “We need to take information, wherever it is stored, make our copies and share them with the world. We need to take stuff that’s out of copyright and add it to the archive. We need to buy secret databases and put them on the Web. We need to download scientific journals and upload them to file sharing networks.”

Still, even many of his allies concede that Mr. Swartz’s passion for free information may have taken him too far in the Jstor downloads. According to the government’s indictment, in September 2010 Mr. Swartz broke into a computer-wiring closet on the M.I.T. campus; when retrieving a computer he connected, he hid his face behind a bicycle helmet, peeking out through the ventilation holes. At the time, he was a student at nearby Harvard.

Some would say that perhaps a punishment for trespassing would have been warranted, but the idea that he could have seen serious prison time was infuriating. Lawrence Lessig, the Harvard Law professor who founded Creative Commons to advocate greater sharing of creative material online, called the prosecution’s case absurd and said that boxing in Mr. Swartz with an aggressive case and little ability to mount a defense “made it make sense to this brilliant but troubled boy to end it.”

E.J. Hilbert, a former cybercrimes investigator for the Federal Bureau of Investigation, said that the broader issues around such activist transgressions raise many complex questions that are subject to “a lot of discretion from prosecutors.” He added that the United States Attorney’s Office for the District of Massachusetts has long been renowned for a particularly aggressive pursuit of cybercrimes.

Jstor, for its part, declined to pursue the case and posted a note over the weekend describing Mr. Swartz as “a truly gifted person who made important contributions to the development of the Internet and the Web from which we all benefit.”

Michael McCarthy, a 30-year-old animator from Providence who was also at the M.I.T. vigil, said Mr. Swartz was let down by the university. “If places like M.I.T. aren’t safe for people to be a little miscreant in their quest for truth and understanding, then we’re in a lot of trouble,” he said.

It’s unclear how much the impending case contributed to Mr. Swartz’s decision to take his own life. Years back, he wrote about his struggle with depression in his blog, Raw Thoughts.

The last post he wrote on that blog, in November, was a detailed analysis of the final installment of the “Batman” series.

Having warned his readers that he was about to reveal the conclusion of the movies, he ended the post by writing: “Thus Master Wayne is left without solutions. Out of options, it’s no wonder the series ends with his staged suicide.”


Jess Bidgood and Ravi Somaiya contributed reporting.

    A Data Crusader, a Defendant and Now, a Cause, NYT, 13.1.2013,






Internet Activist, a Creator of RSS,

Is Dead at 26, Apparently a Suicide


January 12, 2013
The New York Times


Aaron Swartz, a wizardly programmer who as a teenager helped develop code that delivered ever-changing Web content to users and who later became a steadfast crusader to make that information freely available, was found dead on Friday in his New York apartment.

An uncle, Michael Wolf, said that Mr. Swartz, 26, had apparently hanged himself, and that a friend of Mr. Swartz’s had discovered the body.

At 14, Mr. Swartz helped create RSS, the nearly ubiquitous tool that allows users to subscribe to online information. He later became an Internet folk hero, pushing to make many Web files free and open to the public. But in July 2011, he was indicted on federal charges of gaining illegal access to JSTOR, a subscription-only service for distributing scientific and literary journals, and downloading 4.8 million articles and documents, nearly the entire library.

Charges in the case, including wire fraud and computer fraud, were pending at the time of Mr. Swartz’s death, carrying potential penalties of up to 35 years in prison and $1 million in fines.

“Aaron built surprising new things that changed the flow of information around the world,” said Susan Crawford, a professor at the Cardozo School of Law in New York who served in the Obama administration as a technology adviser. She called Mr. Swartz “a complicated prodigy” and said “graybeards approached him with awe.”

Mr. Wolf said he would remember his nephew, who had written in the past about battling depression and suicidal thoughts, as a young man who “looked at the world, and had a certain logic in his brain, and the world didn’t necessarily fit in with that logic, and that was sometimes difficult.”

The Tech, a newspaper of the Massachusetts Institute of Technology, reported Mr. Swartz’s death early Saturday.

Mr. Swartz led an often itinerant life that included dropping out of Stanford, forming companies and organizations, and becoming a fellow at Harvard University’s Edmond J. Safra Center for Ethics.

He formed a company that merged with Reddit, the popular news and information site. He also co-founded Demand Progress, a group that promotes online campaigns on social justice issues — including a successful effort, with other groups, to oppose a Hollywood-backed Internet piracy bill.

But he also found trouble when he took part in efforts to release information to the public that he felt should be freely available. In 2008, he took on PACER, or Public Access to Court Electronic Records, the repository for federal judicial documents.

The database charges 10 cents a page for documents; activists like Carl Malamud, the founder of public.resource.org, have long argued that such documents should be free because they are produced at public expense. Joining Mr. Malamud’s efforts to make the documents public by posting legally obtained files to the Internet for free access, Mr. Swartz wrote an elegant little program to download 20 million pages of documents from free library accounts, or roughly 20 percent of the enormous database.

The government shut down the free library program, and Mr. Malamud feared that legal trouble might follow even though he felt they had violated no laws. As he recalled in a newspaper account, “I immediately saw the potential for overreaction by the courts.” He recalled telling Mr. Swartz: “You need to talk to a lawyer. I need to talk to a lawyer.”

Mr. Swartz recalled in a 2009 interview, “I had this vision of the feds crashing down the door, taking everything away.” He said he locked the deadbolt on his door, lay down on the bed for a while and then called his mother.

The federal government investigated but did not prosecute.

In 2011, however, Mr. Swartz went beyond that, according to a federal indictment. In an effort to provide free public access to JSTOR, he broke into computer networks at M.I.T. by means that included gaining entry to a utility closet on campus and leaving a laptop that signed into the university network under a false account, federal officials said.

Mr. Swartz turned over his hard drives with 4.8 million documents, and JSTOR declined to pursue the case. But Carmen M. Ortiz, a United States attorney, pressed on, saying that “stealing is stealing, whether you use a computer command or a crowbar, and whether you take documents, data or dollars.”

Founded in 1995, JSTOR, or Journal Storage, is nonprofit, but institutions can pay tens of thousands of dollars for a subscription that bundles scholarly publications online. JSTOR says it needs the money to collect and to distribute the material and, in some cases, subsidize institutions that cannot afford it. On Wednesday, JSTOR announced that it would open its archives for 1,200 journals to free reading by the public on a limited basis.

Mr. Malamud said that while he did not approve of Mr. Swartz’s actions at M.I.T., “access to knowledge and access to justice have become all about access to money, and Aaron tried to change that. That should never have been considered a criminal activity.”

Mr. Swartz did not talk much about his impending trial, Quinn Norton, a close friend, said on Saturday, but when he did, it was clear that “it pushed him to exhaustion. It pushed him beyond.”

Recent years had been hard for Mr. Swartz, Ms. Norton said, and she characterized him “in turns tough and delicate.” He had “struggled with chronic, painful illness as well as depression,” she said, without specifying the illness, but he was still hopeful “at least about the world.”

Cory Doctorow, a science fiction author and online activist, posted a tribute to Mr. Swartz on BoingBoing.net, a blog he co-edits. In an e-mail, he called Mr. Swartz “uncompromising, principled, smart, flawed, loving, caring, and brilliant.”

“The world was a better place with him in it,” he said.

Mr. Swartz, he noted, had a habit of turning on those closest to him: “Aaron held the world, his friends, and his mentors to an impossibly high standard — the same standard he set for himself.” Mr. Doctorow added, however, “It’s a testament to his friendship that no one ever seemed to hold it against him (except, maybe, himself).”

In a talk in 2007, Mr. Swartz described having had suicidal thoughts during a low period in his career. He also wrote about his struggle with depression, distinguishing it from sadness.

“Go outside and get some fresh air or cuddle with a loved one and you don’t feel any better, only more upset at being unable to feel the joy that everyone else seems to feel. Everything gets colored by the sadness.”

When the condition gets worse, he wrote, “you feel as if streaks of pain are running through your head, you thrash your body, you search for some escape but find none. And this is one of the more moderate forms.”


Ravi Somaiya contributed reporting.



This article has been revised to reflect the following correction:

Correction: January 12, 2013

An earlier version of this article incorrectly identified the police who arrested Mr. Swartz, and when they did so. The police were from Cambridge, Mass., not the Massachusetts Institute of Technology campus force, and the arrest occurred two years before Mr. Swartz’s suicide, but not two years to the day.

    Internet Activist, a Creator of RSS, Is Dead at 26, Apparently a Suicide, NYT, 12.1.2013,






After Immigration Arrests,

Online Outcry, and Release


January 11, 2013
The New York Times


PHOENIX — Immigration agents arrested the mother and brother of a prominent activist during a raid at her home here late Thursday, unleashing a vigorous response on social media and focusing new attention on one of the most controversial aspects of the Obama administration’s policies on deportation.

The agents knocked on Erika Andiola’s door shortly after 9 p.m., asking for her mother, Maria Arreola.

Ms. Arreola had been stopped by the police in nearby Mesa last year and detained for driving without a license. Her fingerprints were sent to federal immigration officials as part of a controversial program called Secure Communities, which the Obama administration has been trying to expand nationwide.

That routine check revealed that Ms. Arreola had been returned to Mexico in 1998 after she was caught trying to illegally cross the border into Arizona with Erika and two of her siblings in tow. As a result, she was placed on a priority list for deportation.

After being seized on Thursday, she could have been sent back to Mexico in a matter of hours, but Obama administration officials moved quickly to undo the arrests. Officials had been pressured by the robust response from advocates — through phone calls, e-mails and online petitions, but primarily on Twitter, where they mobilized support for Ms. Andiola, a well-known advocate for young illegal immigrants, under the hashtag #WeAreAndiola.

The reaction offered the Obama administration a taste of what it might expect when it gets into the thick of the debate over an immigration overhaul, which Congress is expected to tackle this year. President Obama has already been under harsh criticism for the number of illegal immigrants deported since he took office — roughly 400,000 each year, a record unmatched since the 1950s.

Ms. Andiola, 25, posted a tearful video on YouTube shortly after her mother and brother were handcuffed and driven away. “I need everybody to stop pretending that nothing is wrong,” she said in the video, “stop pretending that we’re all just living normal lives, because we’re not. This could happen to any of us anytime.”

She is the co-founder of the Arizona Dream Act Coalition, one of the groups pushing for a reprieve for immigrants brought illegally to the United States as children, as she was. She has been arrested while camped in front of Senator John McCain’s office here, protested outside the United States Capitol, and appeared on the cover of Time magazine in June under the headline, “We are Americans — just not legally.”

In November, Ms. Andiola got a work permit under a program begun by the Obama administration last year that gives certain young illegal immigrants temporary reprieve from deportation. She graduated from Arizona State University in 2009.

On Friday afternoon, her mother returned home from a detention center in Florence, 70 miles southeast of Phoenix and usually the last stop for certain illegal immigrants before they are deported. Her brother, Heriberto Andiola Arreola, 36, who had been kept in Phoenix, was let go earlier, at 6 a.m.

Their swift releases underline the power of the youth-immigrant movement and their social media activism, which was critical in spreading Ms. Andiola’s story overnight.

In a statement, Barbara Gonzalez, a spokeswoman for Immigration and Customs Enforcement, said a preliminary review of the case revealed that it contains some of the elements outlined in the agency’s “prosecutorial discretion policy” and would “merit an exercise of discretion.” Advocates have long argued that the policy has done little to keep families from being broken apart by deportations.

Ms. Andiola said in an interview that she told her mother to go to her room before opening the door Thursday night; she suspected the men standing outside worked for immigration. By the time the men came in, her brother, who was outside talking to a neighbor, was already in handcuffs, she said.

“Where’s Maria?” the men asked her, she recalled.

Ms. Arreola walked out of the room and, in Spanish, the men asked her to accompany them outside, where they placed her under arrest.

Though she and her son are free, their future is uncertain, as they could be arrested again while their cases are under review or deported should the eventual ruling go against them, said Marielena Hincapié, executive director of the National Immigration Law Center, one of the groups helping the family.

Stories like this, Ms. Hincapié went on, “happen every day, in every state,” outside of the media spotlight. What made it different this time is that Ms. Andiola had connections and wasted no time mobilizing them. There are others, she said, whom “you never hear about.”


Julia Preston contributed reporting from New York.

    After Immigration Arrests, Online Outcry, and Release, NYT, 11.1.2013,






Bank Hacking Was the Work of Iranians,

Officials Say


January 8, 2013
The New York Times


SAN FRANCISCO — The attackers hit one American bank after the next. As in so many previous attacks, dozens of online banking sites slowed, hiccupped or ground to a halt before recovering several minutes later.

But there was something disturbingly different about the wave of online attacks on American banks in recent weeks. Security researchers say that instead of exploiting individual computers, the attackers engineered networks of computers in data centers, transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas.

The skill required to carry out attacks on this scale has convinced United States government officials and security researchers that they are the work of Iran, most likely in retaliation for economic sanctions and online attacks by the United States.

“There is no doubt within the U.S. government that Iran is behind these attacks,” said James A. Lewis, a former official in the State and Commerce Departments and a computer security expert at the Center for Strategic and International Studies in Washington.

Mr. Lewis said the amount of traffic flooding American banking sites was “multiple times” the amount that Russia directed at Estonia in a monthlong online assault in 2007 that nearly crippled the Baltic nation.

American officials have not offered any technical evidence to back up their claims, but computer security experts say the recent attacks showed a level of sophistication far beyond that of amateur hackers. Also, the hackers chose to pursue disruption, not money: another earmark of state-sponsored attacks, the experts said.

“The scale, the scope and the effectiveness of these attacks have been unprecedented,” said Carl Herberger, vice president of security solutions at Radware, a security firm that has been investigating the attacks on behalf of banks and cloud service providers. “There have never been this many financial institutions under this much duress.”

Since September, intruders have caused major disruptions to the online banking sites of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC.

They employed DDoS attacks, or distributed denial of service attacks, named because hackers deny customers service by directing large volumes of traffic to a site until it collapses. No bank accounts were breached and no customers’ money was taken.

By using data centers, the attackers are simply keeping up with the times. Companies and consumers are increasingly conducting their business over large-scale “clouds” of hundreds, even thousands, of networked computer servers.

These clouds are run by Amazon and Google, but also by many smaller players who commonly rent them to other companies. It appears the hackers remotely hijacked some of these clouds and used the computing power to take down American banking sites.

“There’s a sense now that attackers are crafting their own private clouds,” either by creating networks of individual machines or by stealing resources wholesale from poorly maintained corporate clouds, said John Kindervag, an analyst at Forrester Research.

How, exactly, attackers are hijacking data centers is still a mystery. Making matters more complex, they have simultaneously introduced another weapon: encrypted DDoS attacks.

Banks encrypt customers’ online transactions for security, but the encryption process consumes system resources. By flooding banking sites with encryption requests, attackers can further slow or cripple sites with fewer requests.

A hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters has claimed in online posts that it was responsible for the attacks.

The group said it attacked the banks in retaliation for an anti-Islam video that mocked the Prophet Muhammad, and pledged to continue its campaign until the video was scrubbed from the Internet. It called the campaign Operation Ababil, a reference to a story in the Koran in which Allah sends swallows to defeat an army of elephants dispatched by the king of Yemen to attack Mecca in A.D. 571.

But American intelligence officials say the group is actually a cover for Iran. They claim Iran is waging the attacks in retaliation for Western economic sanctions and for a series of cyberattacks on its own systems. In the last three years, three sophisticated computer viruses — called Flame, Duqu and Stuxnet — have hit computers in Iran. The New York Times reported last year that the United States, together with Israel, was responsible for Stuxnet, the virus used to destroy centrifuges in an Iranian nuclear facility in 2010.

“It’s a bit of a grudge match,” said Mr. Lewis of the Center for Strategic and International Studies.

Researchers at Radware who investigated the attacks for several banks found that the traffic was coming from data centers around the world. They discovered that various cloud services and public Web hosting services had been infected with a particularly sophisticated form of malware, called Itsoknoproblembro, that was designed to evade detection by antivirus programs. The malware has existed for years, but the banking attacks were the first time it used data centers to attack external victims.

Botnets, or networks of individual infected slave computers, can typically be traced back to a command and control center, but security experts say Itsoknoproblembro was engineered to make it very difficult to tie it to one party. Security researchers have come up with a new name for servers infected with Itsoknoproblembro: they call them “bRobots.”

In an amateur botnet, the command and control center can be easily identified, but Mr. Herberger said it had been nearly impossible to do so in this case, suggesting to him that “the campaign may be state-sponsored versus amateur malware.”

Attackers used the infected servers to fire traffic simultaneously at each banking site until it slowed or collapsed.

By infecting data centers instead of computers, the hackers obtained the computing power to mount enormous denial of service attacks. One of the banks had 40 gigabits of Internet capacity, Mr. Herberger said, a huge amount when you consider that a midsize business may only have one gigabit. But some banks were hit with a sustained flood of traffic that peaked at 70 gigabits.

Mr. Herberger declined to say which cloud service providers had been compromised, citing nondisclosure agreements with Radware’s clients, but he said that each new bank attack provided evidence that more data centers had been infected and exploited.

The attackers said last week that they had no intention of halting their campaign. “Officials of American banks must expect our massive attacks,” they wrote. “From now on, none of the U.S. banks will be safe.”

    Bank Hacking Was the Work of Iranians, Officials Say, NYT, 8.1.2013,






Their Apps Track You. Will Congress Track Them?


January 5, 2013
The New York Times



THERE are three things that matter in consumer data collection: location, location, location.

E-ZPasses clock the routes we drive. Metro passes register the subway stations we enter. A.T.M.’s record where and when we get cash. Not to mention the credit and debit card transactions that map our trajectories in comprehensive detail — the stores, restaurants and gas stations we frequent; the hotels and health clubs we patronize.

Each of these represents a kind of knowing trade, a conscious consumer submission to surveillance for the sake of convenience.

But now legislators, regulators, advocacy groups and marketers are squaring off over newer technology: smartphones and mobile apps that can continuously record and share people’s precise movements. At issue is whether consumers are unwittingly acquiescing to pervasive tracking just for the sake of having mobile amenities like calendar, game or weather apps.

For Senator Al Franken, the Minnesota Democrat, the potential hazard is that by compiling location patterns over time, companies could create an intimate portrait of a person’s familial and professional associations, political and religious beliefs, even health status. To give consumers some say in the surveillance, Mr. Franken has been working on a locational privacy protection bill that would require entities like app developers to obtain explicit one-time consent from users before recording the locations of their mobile devices. It would prohibit stalking apps — programs that allow one person to track another person’s whereabouts surreptitiously.

The bill, approved last month by the Senate Judiciary Committee, would also require mobile services to disclose the names of the advertising networks or other third parties with which they share consumers’ locations.

“Someone who has this information doesn’t just know where you live,” Mr. Franken said during the Judiciary Committee meeting. “They know the roads you take to work, where you drop your kids off at school, the church you attend and the doctors that you visit.”

Yet many marketers say they need to know consumers’ precise locations so they can show relevant mobile ads or coupons at the very moment a person is in or near a store. Informing such users about each and every ad network or analytics company that tracks their locations could hinder that hyperlocal marketing, they say, because it could require a new consent notice to appear every time someone opened an app.

“Consumers would revolt if this was the case, and applications could be rendered useless,” said Senator Charles Grassley, the Iowa Republican, who promulgated industry arguments during the committee meeting. “Worse yet, free applications that rely on advertising could be pushed by the consent requirement to become fee-based.”

Mr. Franken’s bill may seem intended simply to protect consumer privacy. But the underlying issue is the future of consumer data property rights — the question of who actually owns the information generated by a person who uses a digital device and whether using that property without explicit authorization constitutes trespassing.

In common law, a property intrusion is known as “trespass to chattels.” The Supreme Court invoked the legal concept last January in United States v. Jones, in which it ruled that the government had violated the Fourth Amendment — which protects people against unreasonable search and seizure — by placing a GPS tracking device on a suspect’s car for 28 days without getting a warrant.

Some advocacy groups view location tracking by mobile apps and ad networks as a parallel, warrantless commercial intrusion. To these groups, Mr. Franken’s bill suggests that consumers may eventually gain some rights over their own digital footprints.

“People don’t think about how they broadcast their locations all the time when they carry their phones. The law is just starting to catch up and think about how to treat this,” says Marcia Hofmann, a senior staff lawyer at the Electronic Frontier Foundation, a digital rights group based in San Francisco. “In an ideal world, users would be able to share the information they want and not share the information they don’t want and have more control over how it is used.”

Even some marketers agree.

One is Scout Advertising, a location-based mobile ad service that promises to help advertisers pinpoint the whereabouts of potential customers within 100 meters. The service, previously known as ThinkNear and recently acquired by Telenav, a personalized navigation service, works by determining a person’s location; figuring out whether that place is a home or a store, a health club or a sports stadium; analyzing weather and other local conditions; and then showing a mobile ad tailored to the situation.

Eli Portnoy, general manager of Scout Advertising, calls the technique “situational targeting.” He says Crunch, the fitness center chain, used the service to show mobile ads to people within three miles of a Crunch gym on rainy mornings. The ad said: “Seven-day pass. Run on a treadmill, not in the rain.”

When a person clicks on one of these ads, Mr. Portnoy says, a browser-based map pops up with turn-by-turn directions to the nearest location. Through GPS tracking, Scout Advertising can tell when someone starts driving and whether that person arrives at the site.

Despite the tracking, Mr. Portnoy describes his company’s mobile ads as protective of privacy because the service works only with sites or apps that obtain consent to use people’s locations. Scout Advertising, he adds, does not compile data on individuals’ whereabouts over time.

Still, he says, if Congress were to enact Mr. Franken’s location privacy bill as written, it “would be a little challenging” for the industry to carry out, because of the number and variety of companies involved in mobile marketing.

“We are in favor of more privacy,” Mr. Portnoy says, “but it has to be done within the nuances of how mobile advertising works so it can scale.”

A SPOKESMAN for Mr. Franken said the senator planned to reintroduce the bill in the new Congress. It is one of several continuing government efforts to develop some baseline consumer data rights.

“New technology may provide increased convenience or security at the expense of privacy and many people may find the trade-off worthwhile,” Justice Samuel Alito wrote last year in his opinion in the Jones case. “On the other hand,” he added, “concern about new intrusions on privacy may spur the enactment of legislation to protect against these intrusions.”

    Their Apps Track You. Will Congress Track Them?, NYT, 5.1.2013,






Google Wins an Antitrust Battle


January 4, 2013
The New York Times


Google scored a big victory last week when the Federal Trade Commission concluded that the company was not manipulating search results in ways that harmed consumers. But the agency’s finding does not completely settle the question of whether the company, which is used for more than 70 percent of all Internet searches in the United States, has abused its dominance. The European Commission and attorneys general in Texas, New York and other states who are also investigating Google could come to very different conclusions about that question.

While reaching a settlement with Google on a handful of relatively modest issues, the F.T.C. has left unresolved the legitimate fears that Internet companies like Expedia and Yelp have about how Google uses its power to push into online businesses like travel bookings and restaurant reviews while pushing aside rivals.

Even if that does not immediately leave users worse off, Google’s critics rightly argue that it could eventually result in fewer choices for consumers if worthy Internet services fail because Google actively makes it difficult for people to find them. Competitors of Google, including Microsoft, have argued that Google often displays search results to highlight its own products, like Google Maps, Google Flights and Google Shopping. They say that by doing so it is acting as Microsoft did in the 1990s when it forced PC makers to pre-install its Internet Explorer software with the Windows operating system at the expense of rivals like Netscape.

But the F.T.C. did not buy that argument and concluded that Google had not harmed competition in the marketplace, even if it may have hurt individual rivals.

Although Google dominates Internet search today, Web users have many options. And the company’s continued dominance is far from assured when it comes to the fast-growing world of smartphones and tablets, where many users download apps without relying on Google. But the company clearly stepped over the line with the practices it has agreed to change.

Google will now be required to make it easier for competitors to license certain patents that it had previously agreed to provide. It will also change policies that make it hard for businesses to manage their advertising campaigns on Google and other search engines, and it will give Web sites the ability to opt out of having their content used to bolster its specialized services like Google Local.

Fifteen years ago, few people predicted that Microsoft’s commanding position would be undercut so drastically by the rise of Google, Apple and others. History, however, is not necessarily prologue to the future. Antitrust regulators must remain watchful that Google does not abuse its dominant position in ways that unfairly limit consumer choices and competition.

    Google Wins an Antitrust Battle, NYT, 4.1.2013,






Is Google Like Gas or Like Steel?


January 4, 2013
The New York Times


AFTER a two-year investigation, the Federal Trade Commission concluded this week that Google’s search practices did not violate antitrust law. Those who wanted to see an epic battle like the one the government fought with Microsoft in the 1990s were sorely disappointed. But the analogy to the browser war of the Web’s early days was never the right one. It failed to capture the dangers free speech would have faced if regulators had agreed with Google’s critics.

The theories that many critics advanced — that search must be “neutral” because it is akin to a public utility, or that computer-generated search results are not speech and therefore not protected under the First Amendment — would have undermined free press principles across the Internet. That the F.T.C. decision permits Google to continue to use its judgment in analyzing search requests and presenting pertinent results is a victory for online expression and is consistent with First Amendment law since the 1940s.

Seven decades ago, a lawsuit against The Associated Press applied antitrust rules to the media and was resolved in a way that ultimately protected First Amendment interests. This case was always a better parallel than Microsoft to the F.T.C. investigation of Google. Like Google today, The A.P. had extraordinary influence. Then as now there were questions about whether something more than common antitrust law should govern companies that play such an important role in the delivery of information to the public.

Back then, the Justice Department alleged that A.P. bylaws allowed its member papers to impede local competitors by denying them access to The A.P.’s expansive news network. A trial court agreed but applied a theory far broader than routine antitrust law. It held that news was not an “ordinary” product like “steel” governed solely by antitrust, but rather something more “vital” because it was “clothed with a public interest.”

In other words, the trial court wanted to treat the mass media like a public utility, which carried considerable consequences. For example, while it would be illegal under antitrust law for a large steel company to conspire with competitors to fix prices, that company has no obligation to sell to every carmaker that wants steel. A public utility, on the other hand, has to serve everyone in the marketplace equally. Applying that standard to The A.P. would have opened the door to far broader regulation and could, in theory, have meant something as absurd as requiring newspapers to cover every press release or publish every letter to the editor.

When the case reached the Supreme Court in 1945, the modern understanding of the First Amendment, with its insistence on an independent news media, had yet to take shape. So it was with great significance that — even though The A.P. lost its appeal and had to allow more access to its services — the court steered entirely clear of the public-utility model. It looked instead to standard antitrust law in finding The A.P.’s conduct to be a classic restraint on trade.

The court went further in setting down a marker that to this day restrains government regulation of the media. Justice Hugo L. Black, who would become a leading champion of the First Amendment, wrote that nothing in the ruling could “compel A.P. or its members to permit publication of anything which their ‘reason’ tells them should not be published.”

This began a historic run in which the court transformed the media into an institution with the autonomy to serve as a check on government power. The First Amendment as we know it would look very different if public utility obligations had been forced onto the press that day.

If The A.P. was concerned about a regulator in every newsroom, Google was concerned about a regulator in every algorithm.

Advocates of aggressive action against Google saw the computer algorithms behind search as a utility that should be heavily regulated like the gas or electricity that flows into our homes. But search engines need to make choices about what results are most relevant to a query, just as a news editor must decide which stories deserve to be on the front page. Requiring “search neutrality” would have placed the government in the business of policing the speech of the Internet’s information providers. To quote Justice Black, it would have made search engines publish those results “which their ‘reason’ tells them should not be published.”

Others argued that the F.T.C. did not need to be guided by First Amendment concerns at all because search results are created by computers, not by human beings. Yet computers “speak” in many ways today. Lawmakers could have used F.T.C. precedent against Google to regulate the content of Amazon’s book recommendations, the locations on Bing’s maps, the news stories that trend on Facebook and Twitter, and many other online expressions of social and political importance.

The F.T.C. resisted these harmful theories, and as a result speakers all over the Internet won. But that doesn’t mean Google is exempt from regulation. The First Amendment is not a grant of immunity for any business, and antitrust scrutiny does not end where editorial judgment begins. But the A.P. case shows that antitrust laws can be enforced while protecting the right of a free press to print what it chooses and nothing more.

This makes regulation of the media difficult. But regulating speech should not be easy, like regulating a public utility, but hard, as the F.T.C. has correctly found.


Bruce D. Brown is the executive director

of the Reporters Committee for Freedom of the Press

and a lecturer at the University of Virginia Law School.

Alan B. Davidson is a visiting scholar at M.I.T.’s Technology and Policy Program

and a former director of public policy for the Americas at Google.

    Is Google Like Gas or Like Steel?, NYT, 4.1.2013,






Google Pushed Hard Behind the Scenes

to Convince Regulators


January 3, 2013
The New York Times


SAN FRANCISCO — For 19 months, Google pressed its case with antitrust regulators investigating the company. Working relentlessly behind the scenes, executives made frequent flights to Washington, laying out their legal arguments and shrewdly applying lessons learned from Microsoft’s bruising antitrust battle in the 1990s.

After regulators had pored over nine million documents, listened to complaints from disgruntled competitors and took sworn testimony from Google executives, the government concluded that the law was on Google’s side. At the end of the day, they said, consumers had been largely unharmed.

That is why one of the biggest antitrust investigations of an American company in years ended with a slap on the wrist Thursday, when the Federal Trade Commission closed its investigation of Google’s search practices without bringing a complaint. Google voluntarily made two minor concessions.

“The way they managed to escape it is through a barrage of not only political officials but also academics aligned against doing very much in this particular case,” said Herbert Hovenkamp, a professor of antitrust law at the University of Iowa who has worked as a paid adviser to Google in the past. “The first sign of a bad antitrust case is lack of consumer harm, and there just was not any consumer harm emerging in this very long investigation.”

The F.T.C. had put serious effort into its investigation of Google. Jon Leibowitz, the agency’s chairman, has long advocated for the commission to flex its muscle as an enforcer of antitrust laws, and the commission had hired high-powered consultants, including Beth A. Wilkinson, an experienced litigator, and Richard J. Gilbert, a well-known economist.

Still, Mr. Leibowitz said during a news conference announcing the result of the inquiry, the evidence showed that Google “doesn’t violate American antitrust laws.”

“The conclusion is clear: Google’s services are good for users and good for competition,” David Drummond, Google’s chief legal officer, wrote in a company blog post.

The main thrust of the investigation was into how Google’s search results had changed since it expanded into new search verticals, like local business listings and comparison shopping. A search for pizza or jeans, for instance, now shows results with photos and maps from Google’s own local business service and its shopping product more prominently than links to other Web sites, which has enraged competing sites.

But while the F.T.C. said that Google’s actions might have hurt individual competitors, over all it found that the search engine helped consumers, as evidenced by Google users’ clicking on the products that Google highlighted and competing search engines’ adopting similar approaches.

Google outlined these kinds of arguments to regulators in many meetings over the last two years, as it has intensified its courtship of Washington, with Google executives at the highest levels, as well as lawyers, lobbyists and engineers appearing in the capital.

One of the arguments they made, according to people briefed on the discussions, was that technology is such a fast-moving industry that regulatory burdens would hinder its evolution. Google makes about 500 changes to its search algorithm each year, so results look different now than they did even six months ago.

The definition of competition in the tech industry is also different and constantly changing, Google argued.

For instance, just recently Amazon and Apple, which used to be in different businesses than Google, have become its competitors. Google’s share of the search market has stayed at about two-thirds even though competing search engines are “just a click away,” as the company repeatedly argued. That would become the company’s mantra to demonstrate that it was not abusing its market power.

To underline these arguments, Google spent $13.1 million on lobbying in the first three quarters in 2012, up from $5.9 million in the same period in 2011. And Google’s lobbyist in chief, Eric E. Schmidt, the company’s executive chairman and former chief executive, has made himself a Washington insider as a close adviser to President Obama.

Then there were the lessons of the Microsoft case.

“Google had the Microsoft case as a template,” said Kevin Werbach, an associate professor at the Wharton School at the University of Pennsylvania. “Google just had to convince the regulators it was sufficiently different from Microsoft.”

One lesson for Google executives was to play nicely with the regulators. Microsoft’s executives were known for their uncooperative demeanors during their tangle with the government. But even Mr. Schmidt, known for speaking candidly, was on his best behavior.

Google, and its lawyers and hired experts, also argued forcefully that this case was different than the one against Microsoft. For one, they pointed out again, the technology world is so different. At the time of the Microsoft inquiry, its software was the main on-ramp to the Internet.

“Search today is not a bottleneck monopoly for anything,” said Tim Bresnahan, an economics professor at Stanford who studies competition in computing and has worked as a paid expert for Google recently and for Microsoft in the past.

“That’s not the same as everyone who wants to do mass market computing has to go through Google, like back then everyone who wanted to do mass market computing had to go through Microsoft,” he added.

Microsoft, leading a chorus of unsatisfied Google competitors, said Thursday that it was disappointed in the F.T.C.’s decision.

In a blog post published Thursday night, Dave Heiner, a Microsoft vice president and deputy general counsel, called the decision a “missed opportunity.” “The F.T.C.’s overall resolution of this matter is weak and — frankly — unusual,” Mr. Heiner wrote. “We are concerned that the F.T.C. may not have obtained adequate relief even on the few subjects that Google has agreed to address.”

Mr. Heiner added that Microsoft remained hopeful that other antitrust agencies, including those in Europe, would take more forceful action against Google.

Harsh criticism of the decision also came from Gary Reback, an experienced Silicon Valley antitrust lawyer who represents a collection of Internet companies that complained to the F.T.C. about Google’s behavior.

“I’ve been doing this almost 40 years, been involved in scores of antitrust investigations,” he said. “I’ve never seen anything so incomplete and lacking and even incompetent as what happened here.”

Richard Feinstein, director of the F.T.C.’s bureau of competition, dismissed Mr. Reback’s comment as “silly.”

“This was a very thorough, very professional investigation performed by very diligent and dedicated staff,” he said.

Regulators had anticipated criticism from Google’s rivals and tried to answer the complaints in their news conference.

“Some believe the commission should have done more in this case, perhaps because they are locked in a hand in hand combat with Google around the world,” Mr. Liebowitz said. But, he said, “We really do follow the facts where they lead.” He added, “The focus of our law is on protecting competition, not competitors.”

Tim Wu, a law professor at Columbia who was a senior adviser to the F.T.C. until last summer, said the outcome of the Google case reflected a change in thinking about antitrust enforcement. “It used to be like the way we dealt with the mob,” said Mr. Wu, who was involved in the agency’s Google inquiry but who emphasized that he was not speaking for the F.T.C.

“I don’t believe it’s the position of antitrust agencies to invent competition where there isn’t any,” he said. “People like Google better than Bing. Microsoft is trying to do everything it can to change that, but people still seem to prefer Google.”

Still, some veterans of the technology industry said that even though the agency did not find an antitrust violation, it still was sending a message to Google that it was not off the hook for good.

“There’s a long track record of government never really going away,” said David Farber, a professor of computer science at Carnegie Mellon University and a former chief technology for the Federal Communications Commission who testified as a government witness in the Microsoft case. “They will come back.”


Claire Cain Miller reported from San Francisco,
and Nick Wingfield from Seattle.

Google Pushed Hard Behind the Scenes to Convince Regulators,




home Up