<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TNL.net &#187; Security</title>
	<atom:link href="http://www.tnl.net/blog/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.tnl.net/blog</link>
	<description>Turning Data into Knowledge</description>
	<lastBuildDate>Wed, 08 Feb 2012 20:15:55 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
<cloud domain='www.tnl.net' port='80' path='/blog/?rsscloud=notify' registerProcedure='' protocol='http-post' />
		<item>
		<title>Wikileaks tests internet freedom</title>
		<link>http://www.tnl.net/blog/2010/12/04/wikileaks-tests-internet-freedom/</link>
		<comments>http://www.tnl.net/blog/2010/12/04/wikileaks-tests-internet-freedom/#comments</comments>
		<pubDate>Sun, 05 Dec 2010 02:01:52 +0000</pubDate>
		<dc:creator>Tristan Louis</dc:creator>
				<category><![CDATA[Media]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Amazon.com]]></category>
		<category><![CDATA[OpenDNS]]></category>
		<category><![CDATA[Paypal]]></category>
		<category><![CDATA[Plame affair]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Whistleblowing]]></category>
		<category><![CDATA[Wikileaks]]></category>
		<category><![CDATA[amazon]]></category>

		<guid isPermaLink="false">http://www.tnl.net/blog/?p=2144</guid>
		<description><![CDATA[If Wikileaks doesn't make you uncomfortable, you probably don't understand what's at stake.<p><p><i><a href="http://tnl.net/who" rel="author" title="Who is Tristan Louis?">Tristan Louis</a> is the founder and CEO of <a href="http://www.keepskor.com" title="Keepskor">Keepskor</a> and  writes the influential <a href="http://www.tnl.net/" title="tnl.net">tnl.net</a> weblog, where this was initially posted under the title <a href="http://www.tnl.net/blog/2010/12/04/wikileaks-tests-internet-freedom/">Wikileaks tests internet freedom</a>. You can follow him on twitter <a href="https://twitter.com/TNLNYC">here</a> or receive his weekly newsletter by subscribing <a href="http://eepurl.com/gb6zD">here</a>.</i></p>
</p>
]]></description>
			<content:encoded><![CDATA[<p>Wikileaks bugs me because I don’t know whether to condemn or praise what it has done with the recent release of diplomatic communications.</p>
<h2>Getting some context</h2>
<p>To recap, Wikileaks, a Swedish organization led by Julian Assange, an Australian citizen, got its hands on roughly 250,000 pages of communications between American diplomats and other governments. The materials were acquired in the same illegal fashion as things like the Pentagon papers, information about Watergate, or Valerie Plame’s ties to the CIA, but the reaction could not have been more different.</p>
<p>In the case of <a href="http://en.wikipedia.org/wiki/Pentagon_Papers">the Pentagon papers</a>, the US government went through the traditional legal channels to try to stop publication and lost. In the case of <a href="http://en.wikipedia.org/wiki/Watergate_scandal">Watergate</a>, Deep Throat, the government informant who spilled the beans on the inner workings of the White House, was left untouched. And in the <a href="http://en.wikipedia.org/wiki/Plame_affair">Plame affair</a>, the only indicted person found his sentence commuted by the President.</p>
<h2>A strong reaction</h2>
<p>However, in the case of Wikileaks, <a href="http://en.wikipedia.org/wiki/Julian_Assange">Julian Assange</a>, an Australian citizen, has been called a US <a href="http://www.thefreedictionary.com/traitor">traitor</a> despite the fact that he’s not a US citizen. He’s also <a href="http://www.examiner.com/us-headlines-in-national/julian-assange-interpol-warrant-issued-for-sex-without-condom-not-rape">landed on an Interpol list</a> over an allegation that he did not use a condom during sex, a violation of Swedish law.</p>
<p>Meanwhile, <a href="http://aws.amazon.com/message/65348/">Amazon booted Wikileaks off</a> its hosting services, <a href="https://www.thepaypalblog.com/2010/12/paypal-statement-regarding-wikileaks/">Paypal stopped providing donation services to Wikileaks</a>, and <a href="http://www.everydns.com/news">EveryDNS stopped providing web addressing services for wikileaks.org</a>. Effectively, there seems to have been a concerted effort to keep Wikileaks offline by any means necessary. At the current time, the site has moved to a new address in Switzerland: <a href="http://wikileaks.ch/">wikileaks.ch</a></p>
<h2>Examining the reaction</h2>
<p>To be honest, I haven’t read any of the Wikileaks papers. In fact, I wasn’t paying much attention to them even as the cables were released. I thought the leak was interesting but since it was based on documents that were old and not classified top secret, I figured that it probably was mostly gossip (as someone who travelled a fair amount, I ended up spending a fair amount of time around diplomatic folks and it seems that this type of gossip was always in the background).</p>
<p>And, based on most of the reporting, it turned out that yes, indeed, it was mostly gossip about powerful people. There were a few revelations about some of the cross-country negotiations (e.g. Saudi pushing the US to bomb Iran) but, for the most part, nothing there that anyone in diplomatic circles would not be aware of.</p>
<p>What was there, though, was the fact that such gossip exists and thus, it kind of pierced the appearance that diplomacy is based on complex assessments and studies. It destroyed the myth of the diplomat as someone who puts their own opinion aside and bases their decisions on facts. And that, to most of the people in diplomatic circles, was quite embarrassing.</p>
<p>In and of itself, that wasn’t enough to warrant my interest though. What changed my view, and the reason I decided to devote this week’s entry to Wikileaks, is the fact that the internet industry, traditionally a space where <a href="http://en.wikipedia.org/wiki/Libertarianism">libertarianism</a> seems to flourish, seemed to act differently this time.</p>
<h2>Out of step with past reactions</h2>
<p>While many digerati have come out in the defense of <a href="http://en.wikipedia.org/wiki/Operation_Sundevil">hackers</a>, <a href="http://en.wikipedia.org/wiki/Grokster">copyright pirates</a>, and other free speech edge cases, the online reaction now seemed to be moving the other way. <a href="http://www.eff.org/helpout">Amazon, for example, has been a supporter of the EFF</a> in the past.</p>
<p>Meanwhile, David Ulevitch, the founder of DynDNS, was profiled by the New York Times in 2007 and the following was an interesting take-away from <a href="http://www.nytimes.com/2007/07/09/business/media/09startup.html?_r=1">the article</a>:</p>
<blockquote><p>Mr. Ulevitch shies away from the idea that OpenDNS is part of the computer security market, which so far has grown to billions of dollars in revenue while doing little to stem the tide of malware that now pervades the Internet.</p>
<p>“I don’t want to be seen as a security company,” he said. “They live off the bad guys.”</p></blockquote>
<p>Then, there was also the case of Paypal, which was initially founded with a libertarian ethos and the goal of creating an alternate currency not dominated by any government. A <a href="http://reason.com/archives/2005/08/01/who-killed-paypal">2005 Reason magazine article</a> lamented some of the departures from that ethos and reminded people of the history:</p>
<blockquote><p>Thiel and Levchin had hoped PayPal would grow to become an extra-governmental system of currency, something reminiscent of the world described in Neal Stephenson’s novel <em>Cryptonomicon</em>, in which programmers use encryption to create an offshore data haven free from government control.</p></blockquote>
<p>But all of those point to a pre-existing situation that would explain why all those organizations would support Wikileaks over the last 4 years (<a href="http://en.wikipedia.org/wiki/WikiLeaks">according to Wikipedia, it was founded in 2006</a>). It also would explain why all those organizations supported Wikileaks when it published the <a href="http://www.wired.com/politics/onlinerights/news/2007/11/gitmo">Standard Operating Procedures for Guantanamo Bay in 2007</a>, a set of documents it clearly didn’t own. And the same crowd also seemed OK with <a href="http://en.wikipedia.org/wiki/Sarah_Palin_email_hack">Wikileaks distributing screenshots from Sarah Palin’s email mailbox</a> in 2008. When, in 2009, <a href="http://en.wikipedia.org/wiki/Climatic_Research_Unit_email_controversy">thousands of emails related to climate research were distributed</a> again through Wikileaks, there didn’t seem to be an issue with hosting them. And <a href="http://www.wired.com/threatlevel/2009/11/wikileaks-pages/">when 500,000 private text messages sent and received during the 9/11 disaster</a> were released through Wikileaks, there wasn’t much controversy.</p>
<p>In fact, all those documents were released BEFORE <a href="http://www.readwriteweb.com/cloud/2010/11/wikileaks-moves-to-amazon.php">wikileaks even joined Amazon</a> as a host and wikileaks moved that content to the Amazon cloud because it was looking for a more hack-proof host provider (at the time, though, they did not move the <a href="http://en.wikipedia.org/wiki/Iraq_War_documents_leak">illegally acquired Iraq war documents</a> they were distributing to Amazon).</p>
<p>So the fact that Wikileaks is a host of documents that it didn’t own is hardly news. It is, really, at the core of its existence and mission. The trove of data it had was moved to Amazon and it made news in tech circles that it was moving that way. Yet Amazon didn’t do a thing about it until this week, when they finally gave Wikileaks the boot, saying:</p>
<blockquote><p>AWS does not pre-screen its customers, but it does have terms of service that must be followed. WikiLeaks was not following them. There were several parts they were violating. For example, our terms of service state that “you represent and warrant that you own or otherwise control all of the rights to the content… that use of the content you supply does not violate this policy and will not cause injury to any person or entity.”</p></blockquote>
<p>Under Amazon’s own terms, the documents that wikileaks was posting when it first came to Amazon could be construed as “causing injury to person and entity.” Leaks inherently do so and it has been a tenet of good journalism that leaks can cause injuries. I am sure that some of the documentaries <a href="http://www.zdnet.com/blog/btl/netflix-migrating-more-infrastructure-to-amazon-web-services/34178">Netflix is distributing over the Amazon platform</a> do cause injury to a person or entity (as journalism, good documentary making can reveal truths that can be injurious to certain parties) and yet I am not seeing Amazon asking Netflix to move off its cloud.</p>
<p>So the question for anyone with cloud-based offerings now is what to do. <strong>If you are a publisher of any content, do you run servers in the cloud and augment them with your own infrastructure so content that may be deemed too hot to handle can be moved to servers other than the cloud ones?</strong></p>
<h2>A perspective from the courts</h2>
<p>Wikileaks, to a large extent, is a case that has been 13 years in the making. In 1997, with ACLU vs. Reno, the United States Supreme Court established the broadest right to free speech on the internet, by including the following text in its decision:</p>
<blockquote><p>As a matter of constitutional tradition, in the absence of evidence to the contrary, we presume that governmental regulation of the content of speech is more likely to interfere with the free exchange of ideas than to encourage it. The interest in encouraging freedom of expression in a democratic society outweighs any theoretical but unproven benefit of censorship.</p></blockquote>
<p>Opponents of wikileaks ought to consider those words. In that decision, the court basically extended first amendment support to content on the internet. For the unaware, the first amendment to the US constitution reads as follows (the emphasis is mine):</p>
<blockquote><p><strong>Congress shall make no law</strong> respecting an establishment of religion, or prohibiting the free exercise thereof; or <strong>abridging the freedom of speech, or of the press</strong>; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.</p></blockquote>
<p>But in the brave new world of cloud computing and the modern internet, it doesn’t seem to be abuse by the government that we have to fear but rather abuse by private entities, who seem to set the bar at a much higher level. And that seems to be a very worrisome trend.</p>
<h2>The news challenge</h2>
<p>Good journalism sometimes puts entities and individuals at risk in order to ensure that our society as a whole is aware of what is being done in our name. However, it often makes us squirm because it exposes things that are often disagreeable. But often, the only way to correct mistakes by our government is to air them in public. In the august words of Louis Brandeis, “<a href="http://www.law.louisville.edu/library/collections/brandeis/node/196">Sunlight is said to be the best of disinfectants; electric light the most efficient policeman</a>”. In a way, Wikileaks is walking in Brandeis’s footsteps and revealing to us all that there are no secrets, only information you don’t yet have and, in the process, it is forcing all of us to think hard about what we want journalism to look like in the 21st century.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tnl.net/blog/2010/12/04/wikileaks-tests-internet-freedom/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fighting Hacking 2.0</title>
		<link>http://www.tnl.net/blog/2010/08/07/fighting-hacking-2-0/</link>
		<comments>http://www.tnl.net/blog/2010/08/07/fighting-hacking-2-0/#comments</comments>
		<pubDate>Sat, 07 Aug 2010 20:03:34 +0000</pubDate>
		<dc:creator>Tristan Louis</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Fred Wilson]]></category>
		<category><![CDATA[Roger Ehrenberg]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[human nature]]></category>
		<category><![CDATA[software stack]]></category>

		<guid isPermaLink="false">http://www.tnl.net/blog/?p=1956</guid>
		<description><![CDATA[People, not algorithms, are the best way to fight hacking. Here's Why.
]]></description>
			<content:encoded><![CDATA[<p>For the past few weeks, I’ve been working, for a project I’ll be able to shed more light on towards the end of the year, on trying to figure out complex algorithms to fight hacking of a certain type of software. This has brought me to think more about hacking, its history, and its potential future.</p>
<p>Along the way, I’ve started to think about why systems are hackable, why they are hacked, and what the next generation of applications may do (or decide not to do) to deal with the fact that software will always be hackable.</p>
<p>And, as the title obviously says, I’ve come to the conclusion that people, not algorithms, are the best way to fight hacking.</p>
<p>Here’s why.</p>
<h2>The stack</h2>
<p>A long time ago, as a tween and teenager, I got involved in some hacking activities. The goal was to break the security on games that were, in and of themselves, not that interesting. The challenge of undoing the security became more of a game than the challenge of completing the game itself. Either I or a friend would buy the program tape (in those days, <a href="http://en.wikipedia.org/wiki/ZX_Spectrum_software">software came on audio tapes</a>), and then we’d load it on top of specialized software that would give us access to the core machine language code (granted, we’re not talking very advanced technology here as digital watches probably have processors that are more complex than the ones we were dealing with).</p>
<p>A favorite trick was to read through the binary code and find the place where you could make the program jump from one call before the security to one that was after. And often, it came down to finding an exploit in the chip’s code and using that against the piece of software.</p>
<p>I’m relating this anecdote because today’s world, while a lot more complex, has left us with hackers dealing with similar issues. Programs nowadays rely on a stack of other programs that weren’t written by the same people. Just think of a web site or web service: in order for any page or service call to be served, programmers will leverage their own code and code written for databases, for web servers, for software authoring (PHP, Java, C, .net, etc…), for networking, for operating systems, and for computer chips. Each of those presents multiple potential vectors of attack and there is no way one can patch all of them 100% (this insight came to me as I was discussing processing speed issues with a networking expert who was railing that the problem in terms of optimization often comes down to the languages in which web apps are written).</p>
<p>In the best scenario, a programmer may consider the potential attack vectors and mitigate them, but such decisions generally come at a cost that can include an impact on performance and stability. So the programmer might then decide to monitor the problem and be alerted if it happens but not do anything beyond that. Another way to deal with it is to move the potential hacker to something that “looks” like it’s been hacked but is, in fact, an observation area (systems that implement such measures are called <a href="http://en.wikipedia.org/wiki/Honeypot_(computing)">honeypots</a>).</p>
<h2>Human Nature</h2>
<p>Over time, as one reads a lot of code, one thing becomes clear: there are many ways to solve problems using computing software and there is no definite right way for everything. Each piece of code written by people ends up reflecting some element of their personality. In the early 90s, I knew a programmer who could almost always tell you who had written a particular part of an open source project by just looking at the code: it was an impressive party trick and the most amazing part was that he was almost always right. Part of the reason for his success was that he had worked with a lot of the contributors and knew their personalities and code-writing styles (yes, there is such a thing as a code-writing style, just as there is a prose-writing style).</p>
<p>Since we can safely assume that computer code reflects human nature, we can easily tie that to its potential impact on hacking. For the purpose of this, I will posit that there are no perfect humans: All of us make mistakes at some point or another in our lives. So it then becomes natural to understand that hackers who have a <a href="http://softwarecreation.org/2008/five-big-personality-traits-of-a-programmer-do-they-matter/">strong understanding of the personalities behind certain programs</a> can more easily find things that make the software written by those people reveal its deepest secrets.</p>
<p>On a basic level, this can take the form of <a href="http://en.wikipedia.org/wiki/Social_engineering_(security)">social engineering</a>, where a hacker just asks someone with access for the information on how to access the system by posing as someone to whom you ought to give the information. Surprisingly, this is still one of the most prevalent ways in which security gets compromised: people leave their password on post-it notes by their computer, or click on links they’re not supposed to, or give away information they ought not to. The net-net is that systems get compromised through simple means and most of those successes are based on the fact that we, as a species, tend to be mostly nice people who want to help others.</p>
<h2>Hacking 2.0</h2>
<p>The last few years have seen the rise of a new software class called social software where the interactions between human beings are a part of the software core. As a category, this has been grouped under the term web 2.0, a shorthand to explain the intersection of people and programs.</p>
<p>As <a href="http://www.avc.com/a_vc/2010/07/comment-spam-and-false-positives.html">Fred Wilson points out</a>:</p>
<blockquote><p>Every successful social media system I have ever been involved with has to tackle the problem of spam. It is one of signs that you are successful. When the spammers start targeting you, it is a sign you have arrived.</p></blockquote>
<p>In the last few days, we’ve also seen <a href="http://blogs.alternet.org/oleoleolson/2010/08/05/massive-censorship-of-digg-uncovered/">a report of hacking happening on Digg, where conservative people allegedly tried to censor stories they did not agree with</a>.</p>
<p>And so I would expand Fred’s point (which I would call Wilson’s Law) to include all types of attempts to <a href="http://en.wikipedia.org/wiki/Gaming_the_system">game the system</a>. The corollary to this is that every startup that wants to be successful has to think about how to deal with the problem of spam in particular but also with other bad actors.</p>
<p>Roger Ehrenberg once reported on <a href="http://informationarbitrage.com/post/698395584/ci-foo-day-2" class="broken_link">an interesting discussion at CIFOO camp on the subject</a>:</p>
<blockquote><p>The group pretty much determined that the “gaming the system function” is like a hump, with small sites and large sites less impacted by bad actors than those in between. Why? Because sheer numbers make large sites with large amounts of comments like Amazon hard to taint, while small, niche sites aren’t often the focus of bad actors. Those in the middle, however, are clearly vulnerable.</p></blockquote>
<p>So the bad actors in this case are the hackers and the behaviors highlighted in each of these cases are examples of what I would call Hacking 2.0, a new field where hackers now work on finding exploits to make the social platforms act in ways other than the platforms’ administrators intend.</p>
<h2>Motivation</h2>
<p>The motivations of bad actors are many: for some, as it was for me as a kid, it’s more about the thrill of figuring out the way to the backdoor. For others, the motivation may be economic or ideological. Unfortunately, legal regimes are currently set up to deal with both sides as one and the same, with the goal of most legislation being around punishment more than education.</p>
<p>Maybe more hacking convictions ought to end up with a punishment that would include not just prison but also an agreement that the convicted person would help enforcement officials better understand the motivations and approaches such a person has (I’m thinking here of the way the government ended up getting <a href="http://en.wikipedia.org/wiki/Frank_Abagnale">Frank Abagnale</a> to help improve security in the financial system).</p>
<h2>Dealing with hacking 2.0</h2>
<p>The challenge in those cases is that the hacking is no longer the work of a lone individual but the work of a collective so the question is how one can fight this.</p>
<p>Once again, looking to Roger’s note, it seems that the larger the site, the less the potential for such hacking to happen. This is because the larger the site, the larger the size of the collective needed to have any impact.</p>
<p>What else can you do if your site is not sizable?</p>
<p>For starters, you can create automated triggers that alert you when something looks outside of the norm (a group swarms on a story to upvote or downvote it; a set of comments moves in one direction or another; a large amount of activity is triggered) but that only goes so far, and the number of false positives you have to deal with might make it unworkable.</p>
<p>Another way to handle this is to appeal to the community itself. Upvotes and downvotes can be countered by community members, for example, forcing a restoration of equilibrium. Or members can be given rights to report suspicious behavior.</p>
<p>Ultimately, if you take the long view, the only way to deal with this problem is going to have to involve humans. Algorithms fail and hackers will always find a way around them but communities can find ways to hold on together and fight back.</p>
<p>On a final note, let me recount the story of an internet service provider I once was involved with. Most unix systems have a set of super users often called <strong>root</strong>. Root access generally allows whoever has it to get a system to do their bidding. In the 90s, such access was given based on being an employee of the company that owned the server. The ISP I dealt with at the time had a different view: anyone could get root based on three conditions:</p>
<ol>
<li>No one would give them access. The person who wanted root access to the system would have to find a security hole that hadn’t been closed yet on this system.</li>
<li>Once someone had hacked their way in, he/she would do a check and see who else on the system had root access and send the list, along with an explanation of the way they had managed to get into the system and how they would fix it (close the door behind them) if they were administering the system.</li>
<li>They would fix the hole within a week of exploiting it and they would research holes exploited by people who were not supposed to be on the system in the first place (i.e. they hadn’t reported how they got in) and fix those.</li>
</ol>
<p>That ISP ended up with a few people who got through and an increasingly complex set of systems to hack. It also became a mini think tank on security, and discovered that, over time, fewer and fewer people got in, even though the number of attempts kept increasing. Yes, the system was hacked, but the sophistication of the hackers who got in increased with each subsequent successful attempt.</p>
<p>The secret this ISP had discovered long before web 2.0 is that relying on the good of people, and even the good of white hat hackers, is generally a sound policy and the best way to deal with hacking. And such good is something that no algorithm will ever be able to deliver.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tnl.net/blog/2010/08/07/fighting-hacking-2-0/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>New Virus Evolves</title>
		<link>http://www.tnl.net/blog/2001/03/07/new-virus-evolves/</link>
		<comments>http://www.tnl.net/blog/2001/03/07/new-virus-evolves/#comments</comments>
		<pubDate>Wed, 07 Mar 2001 09:00:00 +0000</pubDate>
		<dc:creator>Tristan Louis</dc:creator>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[Europe]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[United States]]></category>
		<category><![CDATA[instant messaging]]></category>

		<guid isPermaLink="false">http://tnl.net/blog/2001/03/07/new-virus-evolves/</guid>
		<description><![CDATA[A new worm called Hybris has been spreading across computers in Europe, the United States and South America. While it currently carries a non-destructive payload, some Anti Virus developers are worried that its plug-in architecture could turn it into a much more dangerous virus, opening backdoors in computer systems and escalating the war between virus [...]
]]></description>
			<content:encoded><![CDATA[<p>A new worm called Hybris has been spreading across computers in Europe, the United States and South America.</p>
<p>While it currently carries a non-destructive payload, some Anti Virus developers are worried that its plug-in architecture could turn it into a much more dangerous virus, opening backdoors in computer systems and escalating the war between virus makers and anti-virus developers.</p>
<p>First discovered in South America by <a title="Kaspersky Labs" href="http://usa.kaspersky.com/">Kaspersky Labs</a>, a Russian anti-virus developer, the worm has spread through email to Europe and the United States at an increasing pace.</p>
<p>“Hybris is one of the more common viruses we’re seeing right now,” said Brian Kinj, a member of the technical staff at the <a title="CERT" href="http://www.cert.org/"><acronym title="Computer Emergency Response Team">CERT</acronym> coordination center</a>.</p>
<p>Because it carries a non-destructive payload, the anti-virus community has been split over the threat level the virus represents. In the United States, the Joint Task Force Computer Network Defense, a division of the <acronym title="United States">US</acronym> Department of Defense, has upgraded the virus to a high-risk status. Meanwhile, European virus tracker Peter Kruse, of virus112.com, has announced on Usenet that his company was upgrading the virus threat to a medium risk status, due to the recent spread of the virus in Europe.</p>
<p>Companies like <a title="Symantec" href="http://www.symantec.com/index.jsp">Symantec</a> and <a title="Sophos" href="http://www.sophos.com">Sophos</a>, however, have given the virus a low risk status since it is carrying a non-destructive payload. <a title="McAfee" href="http://www.mcafee.com/us/">McAfee</a>, on the other hand has upgraded the virus to a medium risk status based on “its prevalence and commonality.”</p>
<p>In its original version, the virus was spreading as an email attachment but recent reports indicate that it can also propagate itself using <acronym title="I Seek You">ICQ</acronym>, an instant messaging platform used by over 30 million people. It infects WSOCK32.DLL so it can control the internet connection and intercept email addresses of incoming messages using a method similar to that of the MTX virus. Once it has obtained an address, the virus automatically sends itself to the next computer.</p>
<p>The virus can also modify the Winsock <acronym title="Dynamic Link Library">DLL</acronym> if it has been write-protected. In this case, the virus makes a copy of wsock32.dll, infects the copy and then writes the name of the infected copy in WININIT.INI, thereby replacing wsock32 with an infected version the next time the system is rebooted. The virus also makes a copy of itself with a random name and creates an entry in the RunOnce Windows registry key, ensuring that it can recopy itself if erased.</p>
<p>Its originality, however, lies in its plug-in architecture. Using this new model, the virus can connect either to the <a title="Usenet group on google" href="http://groups.google.com/groups/dir?hl=en&#038;lr=&#038;safe=off&#038;q=alt.comp.virus">alt.comp.virus Usenet newsgroup</a> or to a series of web sites and download new updates, in a way similar to trojan horse programs. By upgrading this component, the author is able to completely change the appearance of the worm in unpredictable ways in an attempt to defeat anti-virus products detecting it. Not only is the virus payload updatable, but so are the methods for updating, since they are also upgradeable components. To date, all the plug-ins included in the virus have been using a very strong encryption algorithm.</p>
<p>One of the components of the virus searches the <acronym title="Personal Computer">PC</acronym> for <acronym title="Compressed File">.ZIP</acronym> and <acronym title="Roshal Archive (compressed file format)">.RAR</acronym> archive files. When it finds one, it searches inside it for a <acronym title="Executable (File Name Extension)">.EXE</acronym> file, which it renames to .EX$, and then adds a copy of itself to the archive using the original filename.</p>
<p>Another component takes the infected files on your system and uploads them to the alt.comp.virus newsgroup. That component also grabs email addresses from newsgroups the user is subscribed to and sends itself to those email addresses. Over the past few weeks, this seems to have increasingly become the way by which the virus is propagating.</p>
<p>The only existing danger is a payload component, which on the 24th of September of any year, or at 1 minute to the hour on any day in the year 2001, displays a large animated spiral in the middle of the screen which is difficult to close. Because most of the plug-ins are non-destructive, anti-virus companies see Hybris as a low to medium risk virus.</p>
<p><q>Given its ability to become malicious, it’s up there but there are more malicious viruses out there,</q> said Jeremy Pacquette, vulnerability analyst for <a href="http://www.securityfocus.com">securityfocus.com</a>. <q>However, writing code like this is probably more challenging than writing code to stop it.</q></p>
<p><q>As medium risks go this is on the higher end of the spectrum,</q> said Patrick Nolan, virus researcher for McAfee.</p>
<p><q>It illustrates that virus writers are not lazy, that a few of them have taken it upon themselves certain skills in order to enhance the cat and mouse games they’re playing with virus software.</q></p>
<p>Apart from the standard practice of updating your virus file on a daily or weekly basis, Pacquette also recommends that IT managers educate their users about <q>safe ex</q>, the practice of being careful about who you communicate with and not opening plug-ins coming from unfamiliar sources. Kinj added that <q>system administrators should consider installing a centralized email filtering system to protect their users.</q> Nolan adds that <q>people who share their hard drive either through a cable modem, a <acronym title="Digital Subscriber Line">DSL</acronym> line or a direct connection to the Internet should password protect that share</q> to ensure that it doesn’t get accessed by the virus writers.</p>
<p>Kaspersky warns that the replacement of certain components could turn it from harmless to hazardous. <q>What we have here is perhaps the most complex and refined malicious code in the history of virus writing,</q> said Eugene Kaspersky, Head of Kaspersky Labs’ Anti-Virus Research Center, in a statement on the company’s site. <q>It is defined by an extremely complex style of programming and all the plugins are encrypted with very strong RSA 128-bit crypto-algorithm key. The components themselves give the virus writer the possibility to modify his creation “in real time,” and in fact allow him to control infected computers worldwide.</q></p>
<p><q>Those plugins are possibly encrypted with a PGP key or similar scheme used by virus writers,</q> adds Nolan.</p>
<p><q>The architecture of the plug-in approach is interesting and it makes it achievable for a programmer to turn it into a dangerous virus,</q> said Pacquette. <q>New threats like this are going to promote changes in the work to fight viruses. These kinds of threats are an evolutionary pressure on <acronym title="Anti Virus">AV</acronym> technology.</q></p>
<p>However, Kinj said that <q>once a virus has been discovered and analyzed, those sources are disabled and that limits the impact of the virus.</q> Nolan adds that <q>the plug-ins can’t work without the base executable and we now know how to stop the base executable file.</q></p>
<p>On the other hand, the morphing nature of the virus could spawn several new versions. Already, older anti-virus products can’t recognize Hybris because it evades <acronym title="Cyclic Redundancy Check">CRC</acronym> checks. <q>When you’re dealing with something that changes, you can’t use CRC checks but our algorithms go beyond that and can identify threats like Hybris based on other factors,</q> said Nolan.</p>
<p>According to warnings on the web sites of several anti-virus developers, the infected message reads:</p>
<blockquote><p>Today, Snowhite was turning 18.</p>
<p>The 7 Dwarfs always where very educated and polite with<br />
Snowhite. When they go out work at mornign, they promissed<br />
a *huge* surprise.</p>
<p>Snowhite was anxious.</p>
<p>Suddlently, the door open, and the Seven Dwarfs enter…</p></blockquote>
<p>and has been spotted as coming from the address <code>hahaha@sexyfun.net</code>. New variants are also sending emails with no subject and no user name but including attachments carrying Hybris.</p>
<p>The virus only attacks Windows-based systems and most anti-virus packages have released a patch to their software to deal with it. Pami Katcho, spokesperson for <a title="Microsoft" href="http://www.microsoft.com/en/us/default.aspx">Microsoft</a>, said that <q>Microsoft is not currently planning to release a fix,</q> but that <q>users should download the latest virus definitions from their AV vendor.</q></p>
<p>Sources in both the virus and anti-virus community have confirmed that the virus has emerged from Brazil. <q>It’s a cousin of Babylonia, which was touted as the first of its kind in 1999, and it looks like it was written by the same author,</q> said Nolan.</p>
<p>As to whether Hybris is the beginning of a new trend, there is some disagreement. <q>It’s more a proof of concept than anything,</q> says Nolan. <q>It’s phase 2 of the existing technology and has the potential to really be something else. System administrators should not be overly concerned about it right now. I doubt there will be a phase 3 because the writer has proven his point.</q> But in virus writing circles, Hybris is providing a roadmap. <q>This is a great tool to learn new ways to propagate a payload,</q> said a virus writer who prefers to be unidentified. <q>New variants of this will come out and I think that within 6 months, Hybris and its kids could be the most widespread trojans making the rounds.</q></p>
]]></content:encoded>
			<wfw:commentRss>http://www.tnl.net/blog/2001/03/07/new-virus-evolves/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>AIM Not Secure</title>
		<link>http://www.tnl.net/blog/2001/02/23/aim-not-secure/</link>
		<comments>http://www.tnl.net/blog/2001/02/23/aim-not-secure/#comments</comments>
		<pubDate>Fri, 23 Feb 2001 09:00:00 +0000</pubDate>
		<dc:creator>Tristan Louis</dc:creator>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[AOL]]></category>
		<category><![CDATA[B2B]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Oracle]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Yahoo]]></category>
		<category><![CDATA[instant messaging]]></category>

		<guid isPermaLink="false">http://tnl.net/blog/2001/02/23/aim-not-secure/</guid>
		<description><![CDATA[In the past few years, AIM has become a communication tool used by both individuals and corporations to facilitate discussions of issues ranging from what movie to see on the weekend to arcane details in contractual corporate negotiations. But buyer beware as hackers have found ways to exploit the AIM client and server to leave [...]
]]></description>
			<content:encoded><![CDATA[<p>In the past few years, <a title="AOL IM" href="http://www.aim.com/"><acronym title="America OnLine Instant Messenger">AIM</acronym></a> has become a communication tool used by both individuals and corporations to facilitate discussions of issues ranging from what movie to see on the weekend to arcane details in contractual corporate negotiations. But buyer beware: hackers have found ways to exploit the AIM client and server, leaving such communication open to prying eyes and causing all sorts of mischief.</p>
<p>The AIM client allows any user on the Internet to create a “buddy list” and carry on text-based chat with other people on their buddy list. With 27 million <acronym title="America OnLine">AOL</acronym> users and 21 million registered AIM users, America Online has become the leading provider of instant messaging software, dwarfing its competitors in terms of user base. According to <a title="Media Metrix" href="http://www.mediametrix.com">MediaMetrix</a>, <a title="Yahoo Messenger" href="http://messenger.yahoo.com/">Yahoo Messenger</a> is the second most popular instant messaging client, with 10.6 million users, followed by <a title="MSN Messenger" href="http://windowslive.com/desktop/messenger">Microsoft’s <acronym title="MicroSoft Network">MSN</acronym> Messenger</a>, with 10.3 million registered users.</p>
<p>AOL has aggressively promoted its AIM messaging platform as a corporate tool, cutting deals with Novell and Lotus to incorporate it in their offerings. However, its focus on security issues has not been as strong as its marketing. <q>In the past AOL has covered up security breaches instead of being forthcoming about them,</q> said Dave Cassel, editor of the <a title="AOL Watch" href="http://www.aolwatch.org/listsub.htm">AOL Watch Newsletter</a>, an email mailing list sent out to 50,000 subscribers.</p>
<p>Two areas in which AIM security has already been compromised are password theft and buffer overflow, a way for hackers to remotely crash a computer system by sending a certain set of characters to an AIM client. Furthering the problem is the fact that the client does not need to be running at the time in order to be exploited. Simply installing it on a machine is enough to expose it to the buffer overflow problem.</p>
<p><q>In January 2000, hackers were coming to the press with that problem because they wanted the buffer overflow security hole closed,</q> said Cassel. <q>But AOL didn’t respond so the hackers thought that negative press would spur AOL into action. After I wrote an article about it, AOL said they would close the hole but in December 2000, the hole could still be exploited.</q></p>
<p>In December, <a title="@stake" href="http://www.symantec.com/specprog/atstake/index.html">@Stake</a>, an Internet security consulting firm, issued <a title="@stake advisory" href="http://www.symantec.com/specprog/atstake/index.html">a security advisory about the buffer overflow problem</a>. In it, the company described how a hacker could use the AIM client to shut down a computer or execute local commands on the victim’s desktop.</p>
<p><q>The issue was fixed,</q> said Nicholas Graham, a spokesperson for AOL. <q>We encourage our users to upgrade but it’s not an issue at this point.</q></p>
<p>Weld Pond, manager of research and development for @Stake, added that while the December issue was not exactly the same one as the January one, it did fall into the same class of problems. <q>What that illuminates is the fact that they are not using secure policies,</q> he said. <q>It’s sort of like finding out that one of your windows has no lock and not going around to check the other windows.</q></p>
<p><q>We answer instances of security on a case by case basis,</q> defends Graham. <q>Our latest client is the most secure one to date and we intend to continue providing a more robust and more secure client as time goes on.</q></p>
<p><q>Buffer overflow and the hijacking of AIM screen names have been problems since AIM was introduced a few years back,</q> said an active AOL hacker who preferred to remain anonymous. <q>Product integrity and security have never been a specialty of AOL and this is very obvious from the numerous exploits I and others have found in the service in the past three years.</q></p>
<p>While AOL has issued a new version of its client correcting the problem, the security risks posed by the AIM client should remain a concern among system administrators. <q>The funny thing is that upgrading to the most recent version of AIM solves nothing,</q> said the hacker. <q>Most of the exploits are what we call server side hacks, which means the software client has nothing to do with the hack at all. The buffer overflow hack was the only major hack so far that involved the actual client software.</q></p>
<p><q>Some of my buddies used the hijacked AIM accounts to carry on fake conversations with the friends of the person who originally owned it.  The conversations resulted in my buddies tricking the real owner’s friends into providing personal information and even credit card information. People have no reason to believe that accounts have been hacked unless the real owner notifies them.</q></p>
<p>This was the problem that Habeeb Dihu, a senior principal at <a title="Diamond Cluster International" href="http://www.diamondconsultants.com/redirect/" class="broken_link">Diamond Cluster</a>, an ebusiness consulting firm, encountered when a hacker kidnapped his instant messenger <acronym title="identification">ID</acronym>. <q>I was working on the Covisint deal,</q> he said, referring to the <acronym title="business to business">B2B</acronym> exchange developed by General Motors, Chrysler, Ford, Oracle, and Commerce One.</p>
<blockquote><p>Because we have consultants working at several clients, the way we keep in touch with each other is through instant messaging. Somewhere in the middle of the Covisint deal, my AIM screen ID got hacked. Someone masqueraded as me and started to talk to my coworkers. I took care of it by alerting all my co-workers but AOL was very unresponsive in terms of tech support. I was completely ignored by the support people there and was finally contacted by the head of press relations for AOL after I talked to the press. Relative to how much AIM is used in the corporate world, the security behind this thing is abysmal.</p></blockquote>
<p>Following the incident, the company instituted a review of different instant messaging solutions and standardized on Yahoo’s Instant Messenger. <q>Despite the fact that you could have some ID theft issue behind Yahoo, no one has managed to hack into the Yahoo user database to the extent of the problems with MSN and AOL,</q> he added. <q>We looked at Yahoo’s corporate solution but the cost of corporate Yahoo was prohibitive compared to the free products available out there,</q> he said, adding that his company has been involved in the development of <a title="Jabber" href="http://www.cisco.com/web/about/ac49/ac0/ac1/ac258/JabberInc.html">Jabber</a>, another IM client. <q>Our hope is that Jabber will increase security and we’ll be able to migrate there but it’s not quite there yet in terms of robust user interface for non-technical people.</q></p>
<p><q>Instant Messaging is used as much if not more than email these days in the corporate world. The lack of security and lack of completeness in the solution is pretty alarming from my perspective. The only messaging solution that hasn’t been hacked is Yahoo’s and it’s only a matter of time before it happens.</q></p>
<p><q>If you just want to talk to people in your company, you’re better off using some other piece of software that wouldn’t be under as much scrutiny from hackers,</q> said Cassel.</p>
<blockquote><p>Using a third party to do your corporate communication that has no legal standing is a dangerous thing, said Pond. Unlike the phone, it’s unregulated and insecure. When you are using AOL IM, you’re sending your communication in the clear over the Internet to AOL’s server and back, whether you are talking to someone in a remote location or in the office next door. People think of it as the phone but they shouldn’t. AOL has full control of communication for corporations who use AIM for communication.</p>
<p>We’re moving to a world where there are more and more clients that people are running on their machines, out of the control of the <acronym title="Information Technology">IT</acronym> department. Companies should set security policies at the corporate level and work on an approval process for those clients.</p>
<p>However, there’s no one size fits all solution. Different environments can put the expense out there to create more secure environments. Thinking you can sort of read about a security problem and know what the best solution is without taking the environment into consideration is not possible.</p></blockquote>
<p><q>There are far better products out there such as MSN Messenger and Yahoo Messenger,</q> said the hacker. <q>But these products haven’t taken off in popularity due to AOL’s huge market share. These other products are far more secure and reliable than the AIM service. Any hacker will tell you this.</q></p>
<p>Network managers can solve the issue by either blocking connections to the AOL IM servers or installing different clients on their users’ desktops. <q>Groove is doing a similar kind of tool but it’s an encrypted chat in a peer to peer environment, which ends up being more secure,</q> said Pond.</p>
<p><q>If you have to use it, spend as little time as possible on it,</q> adds Cassel. <q>When I’m through with my messaging conversation, I close out the software in both my window and my tray. Yes, I can’t be messaged but I also can’t be hacked. I just keep my email window open and then people can reach me that way. Your email client is definitely more secure than IM.</q></p>
]]></content:encoded>
			<wfw:commentRss>http://www.tnl.net/blog/2001/02/23/aim-not-secure/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Fear and Loathing in Los Angeles</title>
		<link>http://www.tnl.net/blog/2000/08/21/fear-and-loathing-in-los-angeles/</link>
		<comments>http://www.tnl.net/blog/2000/08/21/fear-and-loathing-in-los-angeles/#comments</comments>
		<pubDate>Mon, 21 Aug 2000 08:00:00 +0000</pubDate>
		<dc:creator>Tristan Louis</dc:creator>
				<category><![CDATA[Media]]></category>
		<category><![CDATA[AOL]]></category>
		<category><![CDATA[Content]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Video]]></category>

		<guid isPermaLink="false">http://tnl.net/blog/2000/08/21/fear-and-loathing-in-los-angeles/</guid>
		<description><![CDATA[Over the past few months, the controversy over Napster has continued to grow, increasing fear among the music industry that it is becoming an endangered species. However, this issue is not about music but about movies. Yes, L.A. is starting to feel that it now has to open war on a second front as [...]
]]></description>
			<content:encoded><![CDATA[<p>Over the past few months, the <a title="TNL.net: Napster shut down" href="http://www.tnl.net/blog/2000/07/27/napster-shut-down/">controversy over Napster</a> has continued to grow, increasing fear among the music industry that it is becoming an endangered species. However, this issue is not about music but about movies.</p>
<p>Yes, L.A. is starting to feel that it now has to open war on a second front as its leading industry is starting to get threatened by the Internet. The noise is nowhere near as strong as the one you can hear about music but as bandwidth continues to increase, so does the risk of movies becoming widely exchangeable on the Internet. Napster-like tools Gnutella, Freenet and Scour Exchange are the new contenders to the title. Coupled with a new compression format called DivX (not the failed DVD format but a new codec), this spells disaster for the movie industry. So let’s look at this challenge and see what can be done to face it.</p>
<p>For starters, expect the movie industry to sue. It’s <a title="Wired Article" href="http://www.wired.com/techbiz/media/news/2000/07/37697">already happening</a> and it will end up in failure. Witness the recent case over Napster. Sure, the music industry won the right to eventually shut down Napster but it hasn’t yet managed to shut down <a title="ZDNN's AnchorDesk" href="http://www.zdnet.com/reviews/filter/anchordesk?categoryId=6033">similar services</a>. As a result, lawsuits against distribution of digital media have become the equivalent of a giant game of whack-a-mole: take down one company and a slew of others will pop up.</p>
<p>Actually, the lawsuits are only furthering the problem as they bring increased publicity to the subjects and potential users start flooding the new services in increased numbers. Napster, Gnutella, and Freenet were relatively fringe movements until the Napster trial propelled them to the front page, increasing each of those services’ member base and thus increasing the amount of pirated content available. Confirming the principles of Metcalfe’s Law, the value of those networks increases exponentially for every new user added to the network. Hence, lawsuits are only making matters worse.</p>
<p>The music industry may be trying to avoid the issue but it will not go away. In the case of the movie industry, it gets worse. In the current world, copies of recent movies are relatively difficult to come by in most places. If you are in a city center like New York (where I live), you can get videos of recent releases on the street, taped by people who sneaked into the movie theater with a video camera. Generally, the video and sound quality of those second-hand productions is less than stellar and they are not worth the $5 they retail for.</p>
<p>However, I’ve noticed that a new phenomenon is starting to spring up: people making digital copies of movies with digital video cameras. What surprised me more than anything on this particular matter was that some of the copies I’ve seen are not made off cameras pulled into a movie theater but off actual production reels. I was recently visiting a hacker friend of mine who showed me a complete copy of “The Art of War”, a new movie starring Wesley Snipes which is not going into wide release until… next week! When I asked him how he had acquired it, he told me that it was available for download on IRC a couple of weeks earlier. He then went on to explain to me the nomenclature for some of those files:</p>
<ul>
<li><em>wp</em> usually means workprint, or an exact copy from studio original production reels, as was the case of this movie.</li>
<li>a <em>screener</em> is a movie that was taped in a movie theater with a video camera.</li>
</ul>
<p>Generally, the files are available in a variety of formats but there has been an increase in the use of DivX, a new format that makes fairly compact high quality video files. On average, a 2-hour MPEG-encoded movie takes about 1 Gb of space, while the same movie in ASF will run about 500 Mb. DivX film can offer the same quality as MPEG for about 1/10th of the size (about 100 Mb per movie).</p>
<p>Of course, 100 Mb is not something that you’re going to download with a regular modem but on a cable modem or DSL line, it is something you might consider. After all, if you can get a movie in less than a half-hour for free a few weeks before it is released in the movie theater, it becomes a very tempting prospect.</p>
<p>Coupled with the increasing distribution of <a title="Peer to Peer" href="http://www.zdnet.com/news">P2P</a> tools, this format makes movie pirating the next big Internet trend.</p>
<p>So how should the movie industry deal with this? Here are a few ways to deal with it.</p>
<p>First, continuing the crackdown with lawsuits against companies will not work. How about starting to work with those companies in terms of identifying potential problem areas? If a new film pops up, alert the service immediately instead of suing them.</p>
<p>However, if you are dealing with services like Gnutella and Freenet, you are not dealing with companies. In order to alleviate some of that, spread the wealth: start packaging complete clips of the film in some ad packages and flood the networks with them. In a way, this can become an extended 5–10 minute trailer. DirecTV already does that to some extent with their pay-per-view channels: you get the first 5 minutes of a movie for free but have to pay if you want to continue watching.</p>
<p>The other thing to do is to cater to the fan base: seek out their input. Listen to them and see what they would want. Maybe they do want to see the movies directly off the Internet. Offer that as a potential option. Maybe a high speed website with ticketed access to the site (let’s say $5–10 for a first run movie). That might alleviate part of the user base, which will only watch the movie once anyway.</p>
<p>Then start cutting deals with large ISPs. In the case of <a title="TNL.net: AOL/Time Warner Merger" href="http://www.tnl.net/blog/2000/01/10/aol-time-warner-to-merge/" target="_blank">AOL</a>, it seems that WB could start offering an extra “channel” for an extra fee. Think of it as a premium cable channel. Imagine offering a movie of the month package as part of AOL Extra, a new service that would include high-speed access and offer a new movie on demand every month. Look at experiments like <a title="Intertainer" href="http://www.intertainer.com">Intertainer</a>, which intends to become a premium service for Internet cable subscribers.</p>
<p>But dealing with the problem online only does not solve it completely. Provide incentives to go to the theater, as you have done in the past with DVDs. Back in the 30s and 40s, movie theaters used to offer cartoons (where do you think all those Looney Tunes came from?) and news reels, all of which created the movie experience. Nowadays, going to the movies feels more like going to a place with a very big TV: you end up with the same boring concession stand and the same theater-seats in pretty much every movie theater.</p>
<p>However, if you see pictures of movie premieres back in the pre-war era, you are treated to lavish (and almost outrageous) <a title="Movie Palaces" href="http://xroads.virginia.edu/~CAP/PALACE/home.html">movie houses</a> that were as carefully crafted as regular theaters. Back then, the industry was trying to create an experience. Now, it’s “here’s your ticket, the theater is this way, thanks for coming”: as a movie watcher, you feel like cattle, and the magic is gone.</p>
<p>Some of the bigger theaters are starting to get the idea, though. For example, one theater here in New York had displays of “Titanic” artifacts, when the movie by the same name came out. How about having some props displays go along with a new release? However, those would not be accessible until after you paid your ticket.</p>
<p>Other possibilities include giveaways (when “The Matrix” came out, they were giving away comic books that included some extra back story) or contests (if you keep your ticket, you will be entered in a raffle to win a free trip to Hollywood or some of the props from the movie!). The winning ticket would have two codes: the first one would be the number of the ticket. The second one would be a random list of numbers and letters. Once a week, you would publish the winning number on your site. People would check out the website (and see more ads for your movies) and if someone had the winning number, they would have to enter the second key from their ticket to confirm that they have the winning ticket. At that point, they would have to enter some contact info and details on how to claim their prize. You would contact them to verify that they really are holding the ticket.</p>
<p>Cut out the product ads before the movie. I don’t mind seeing movie trailers when I go to the movie theater (after all, they help me form an opinion as to what I want to see next) but do I really want to see ads for cars? Does anyone? They may be a great source of revenue for the movie theater but to be frank with you, the only impression they make on me is that they are wasting my time. Maybe you can replace those 5 minutes of ads with a “making of [include upcoming movie here]” featurette. This won’t cost you much more as you are already creating those segments for DVD and premium cable channels anyway.</p>
<p>Those may seem like silly ideas (but who knows, they may work), but they could become a starting point for new concepts.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tnl.net/blog/2000/08/21/fear-and-loathing-in-los-angeles/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>AOL’s dark little secret</title>
		<link>http://www.tnl.net/blog/2000/03/20/aols-dark-little-secret/</link>
		<comments>http://www.tnl.net/blog/2000/03/20/aols-dark-little-secret/#comments</comments>
		<pubDate>Mon, 20 Mar 2000 09:00:00 +0000</pubDate>
		<dc:creator>Tristan Louis</dc:creator>
				<category><![CDATA[Media]]></category>
		<category><![CDATA[AOL]]></category>
		<category><![CDATA[File sharing]]></category>
		<category><![CDATA[File sharing networks]]></category>
		<category><![CDATA[Gnutella]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Music]]></category>
		<category><![CDATA[Nullsoft]]></category>
		<category><![CDATA[Search]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[web server]]></category>

		<guid isPermaLink="false">http://tnl.net/blog/2000/03/20/aols-dark-little-secret/</guid>
		<description><![CDATA[Deep within AOL's infrastructure sits a new piece of software which could bridge the gap between the internet and the desktop.<p><p><i><a href="http://tnl.net/who" rel="author" title="Who is Tristan Louis?">Tristan Louis</a> is the founder and CEO of <a href="http://www.keepskor.com" title="Keepskor">Keepskor</a> and  writes the influential <a href="http://www.tnl.net/" title="tnl.net">tnl.net</a> weblog, where this was initially posted under the title <a href="http://www.tnl.net/blog/2000/03/20/aols-dark-little-secret/">AOL’s dark little secret</a>. You can follow him on twitter <a href="https://twitter.com/TNLNYC">here</a> or receive his weekly newsletter by subscribing <a href="http://eepurl.com/gb6zD">here</a>.</i></p>
</p>
]]></description>
			<content:encoded><![CDATA[<p>When AOL acquired Nullsoft last year, it probably didn’t expect them to develop software that wouldn’t fit the corporate line. However, last week, all that changed with Nullsoft’s release of Gnutella. With the release of this little piece of software, AOL unwittingly became a Napster competitor. What was surprising about this was not only the fact that AOL was now sitting on both sides in the music copyright battle (<a title="TNL.net: AOL/Time Warner merger" href="http://www.tnl.net/blog/2000/01/10/aol-time-warner-to-merge/" target="_blank">AOL is about to acquire Time-Warner</a>, one of the co-plaintiffs in the RIAA lawsuit against Napster) but also how quickly it reacted.</p>
<p>Unfortunately for them, it wasn’t quickly enough, and tens of thousands of people got their hands on the software and started redistributing it. While it will most certainly be used for stealing copyrighted material, this category of software interested me at first because of the indexing technology that is built into it. One of the great things these programs do is index the files on your system and make them available to everybody else who’s connected to the same server as you are (in Napster’s case) or to the network in general. This could be significant if you were to build a search engine.</p>
<p>Imagine search engine software that would be installed on every web server out there. Not only would it index the pages for the server administrator, but it could also report back to a mainstream search engine. Many studies have now come out about most of the large search engines (Inktomi, <a title="All The Web Search" href="http://www.alltheweb.com">alltheweb</a>, <a title="Google" href="http://www.google.com">Google</a>, etc…) only managing to index a fraction of the web. With a service a la Gnutella, you could have every web site call back the search engine directory to post the changes they had. This could happen throughout the day and might work better than the spider technology currently being used by most search engines.</p>
<p>The other potential use for tools like Gnutella is as a mass corporate cooperation tool. Right now, when you fire off Gnutella, it connects to Gnutellanet, or pretty much anyone who’s using Gnutella at the time. As I just checked on it, there are 700 people connected. There is no central source or server, which means that a tool like Gnutella could be used to share files without having to worry about a central server going down.</p>
<p>For years Sun has been claiming that the network is the computer. With a tool like Gnutella, my hard drive can become a portion of a larger hard drive. I could have a marketing hard drive, a finance hard drive, an HR hard drive, of which only a portion would be sitting on my computer. Compare this to current corporate client-server systems where you have to deliberately save a file to the corporate server as well as to your hard drive if you are traveling… forget to save it to one or the other, and you’ll be stuck without your work or somebody else’s later revision. With a Gnutella-like system, YOU would continually have the most updated versions of the files YOU author, without having to remember to separately save them.</p>
<p>At the same time, however, it seems to be lacking in a couple of critical areas: first of all, Gnutella could do with some sort of an authentication mechanism. That way, I would be able to create profiles and give access to certain files to certain people. For example, I would be able to mark a spreadsheet as accessible to the finance department while I would have a PowerPoint presentation accessible to the marketing folks. The potential is endless.</p>
<p>While <a title="Wired Article on Gnutella" href="http://www.wired.com/science/discoveries/news/2000/03/34978">Gnutella is considered a major threat to the music and movie industry</a>, it is those corporate uses that interest me. I believe that, in the long run, those tools will make their way into corporate America and not just because someone wants to download the latest version of Santana’s new album or Julia Roberts’ new movie.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tnl.net/blog/2000/03/20/aols-dark-little-secret/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

