Original URL: https://www.theregister.co.uk/2012/01/01/reg_review_of_2011_part_two/

2011 Reg roundup: Hacking hacks, spying apps and an end to Einstein?

Smartphones, privacy and a year of tears

By Gavin Clarke

Posted in Business, 1st January 2012 10:02 GMT

Part Two As mobile sales and connections continued to soar and break records, just how much your phone knows about you and who can see that information were big subjects in 2011.

The long-smouldering issue in the UK of newspaper journos paying private investigators to break into mobile voicemail inboxes in search of scoops finally exploded.

The idea of PIs working for News International hacking into voicemails of people in the public eye had already been investigated. In 2011, however, it was the story that the News of the World had hacked into the voicemail of a murdered schoolgirl, Milly Dowler, that caused a storm. Other claims followed: that the voicemails of relatives of deceased British soldiers, and victims of the 7/7 London bomb attacks, had also been heard. Suddenly it was no longer the rich and famous who were victims. Now it was ordinary people.

Rupert and James Murdoch

The Murdochs appeared before a Parliamentary committee

PM David Cameron launched an inquiry headed by Lord Justice Leveson into phone hacking and the subject of police bribery by the media - a televised affair that has seen and heard from alleged hacking victims who came forward to tell their stories. Cameron's director of communications Andy Coulson, who had also served as a NotW editor, was also forced to resign and was arrested. He's now suing NotW's publisher, News International.

With advertisers abandoning the aforementioned Sunday tabloid and the political climate turning hostile, News International chief Rupert Murdoch switched to damage-limitation mode. He closed the NotW on 10 July after 168 years, and after standing by former NotW editor Rebekah Brooks, he later accepted her resignation as NI chief executive. It wasn't enough.

Rupert and son James, head of his dad's UK business and therefore in charge of the NotW, were summoned before a Parliamentary committee on media affairs to give evidence on the hacking claims. There, both men denied they had any knowledge of the practice of phone hacking inside NotW, a remarkable claim given James had signed off hundreds of thousands of pounds in settlements related to hacking and given Rupert's famously fastidious involvement in the paper's running. When a News International lawyer challenged James' account, Murdoch junior was called back to Parliament for a heated showdown with committee members, but he stood by his claims of knowing nothing.

The fallout hit Rupert's business plans, too, as he binned his plot to buy the remainder of satellite broadcaster BSkyB.

The relationship of Murdoch and News International to power was also laid bare: a former senior investigator for the independent Information Commissioner – who'd followed up on possible breaches of the Data Protection Act and who came across 17,000 requests for confidential information from journalists in notebooks owned by a private investigator – told Leveson he was told to lay off because the press was "too big" to take on.

Ironically, Scotland Yard officers later reported, in December, that the voicemails deleted on Dowler's phone – the catalyst for the entire firestorm – were found to have been deleted not by intrusive NotW journos, but by the voicemail system itself, which automatically canned messages after a period of 72 hours.

Voicemails weren't the only weak point on smartphone privacy; the subject of your phone spying on you also became a hot topic.

An Android app developer published what he said was conclusive proof that 141 million smartphones were secretly monitoring the key presses, geographic locations, and received messages of users with a piece of software from Silicon Valley company Carrier IQ.

Who's that inside my phone?

Carrier IQ's code was confirmed to exist on devices from Apple, AT&T, Sprint, HTC, and Samsung. Verizon, Nokia and Research in Motion denied reports saying they use it.

Trevor Eckhart, the Android app developer who initially uncovered the presence of the spying app, posted his evidence to YouTube. Meanwhile, Carrier IQ vice-president of marketing Andrew Coward rejected claims that the software posed a privacy problem because it doesn't capture key presses and doesn't report back in real-time.

It seemed Carrier IQ was intended for diagnostics, hence the reporting aspect. Coward told The Reg that data is dumped out of a phone's internal memory almost as quickly as it goes in.

In a world where a single researcher can quickly broadcast his results via YouTube, the handset makers, carriers and the software company are left looking like they have something to hide.

Only in cases of a phone crash or a dropped call is information transferred to servers under the control of the cellular carrier so engineers can troubleshoot the problem. Not that this stopped Washington's politicians from jumping in: while the story was breaking, US senator Al Franken called on Carrier IQ to explain why its diagnostic software isn't a massive violation of US wiretap laws.

Privacy also became easy fodder in a low-scoring battle between tech's big names: Microsoft and Google.

Researchers this year discovered that Apple's iPhone and iPad were constantly tracking users' physical location and storing the data in unencrypted files that could be read by anyone with physical access to the device. Elsewhere, it was found Google's Android can store your Wi-Fi router's precise location and broadcast it for the world to see. Hacker Samy Kamkar said Google was compiling a publicly accessible database of router locations in its goal to build a service like Skyhook, which pinpoints the exact location of internet users who use its sites.

Apple and Google weren't alone, however. It emerged that Windows Phone 7 builds from Dell, HTC, LG, Nokia and Samsung were transmitting info to Microsoft that included unique device IDs, details about nearby Wi-Fi networks and the phone's GPS-derived exact latitude and longitude.

Caught out, Microsoft sent a lofty letter to members of the US Congress in May saying it would stop identifying specific mobile devices that use its location-tracking services. Andy Lees, then president of Microsoft's mobile communications business, wrote: "The location-based feature of a mobile operating system should function as a tool for the user and the applications he or she elects to use, and not as a means to generate a database of sensitive information that can enable a party to surreptitiously 'track' a user."

Google also contacted The Reg to say it's not accurate to say the company collects a "unique identifier" from every phone that informs the company of its location.

Clearly this was a touchy subject. It reminded us of the furore in the 1990s and more recently when Windows was caught "reporting" back to Redmond. In the event, it was information useful for improving security, producing software fixes and ruining software pirates' afternoons - but the fact that Microsoft hadn't been upfront poisoned the atmosphere as the company was entering a browser anti-trust bubble.

Carrier IQ, phone makers and network providers are also now suffering from the same lack of trust because we're now in a world where a single researcher can quickly broadcast his or her results via YouTube. What other hidden code could be lurking inside our smartphones and watching what we are doing?

Diagnostics is one thing, but knowing where you are and what you're doing happen to be two vital pieces of data. The ability to access this information would be a huge boon to those making and selling phones and related mobile services. Social networks such as Facebook and Foursquare rely on being able to monetise such data. Google and Microsoft want to refine context-sensitive ads around it. This means the issue of data privacy and smartphones is an onion that has plenty of layers left to peel.

Neutrinos, Phobos-Grunt and Neil Armstrong's embarrassment

Space and science saw earthly breakthroughs and extraterrestrial setbacks.

Nearly two years ago, the largest and most powerful particle accelerator on the planet, the Large Hadron Collider, went live. LHC's mission has been to track down the Higgs boson: its existence could help explain why some particles have mass, helping explain the fabric of the universe.

Prof Brian Cox by Brian Lee

Cox: time-traveling neutrinos taking scientists back to basics

As the year wound down, boffins reckoned they were getting closer to pinning down the elusive boson but the LHC threw up one particular result that had atom-smashers scratching their domes and time-travel fans hunting eBay for DeLoreans.

Physicists working for CERN in September fired a beam of 15,000 neutrinos from Geneva, LHC's HQ, to Gran Sasso in Italy – only to find the particles completed the 730km journey 60 nanoseconds faster than light would have.

Translated: the neutrinos had traveled faster than light, but Albert Einstein in 1905 had said no object could be accelerated to the speed of light. His assertion underpins the theory of space-time and of relativity and it cements our understanding of cause and effect, of past and present – of time travel.

Backwards and forwards, forwards and back

If the neutrino result stands, it means a re-writing of the basic geometry used by physicists to keep past and future in their places.

CERN's boffins have been working to understand the neutrino results but have been bumping their heads: the team that ran the original tests re-ran their experiment in November and confirmed the results. However, a group on the Gran Sasso side of the experiment refuted the results. Other scientists, according to rock-star physicist Brian Cox, are going back to basics to ask whether something fundamental has been missed, such as the effect of the Earth's gravitational field on the readings.

While scientists grappled with their understanding of how the universe works, rocket men in the US and Russia struggled in their attempts to get back into space. Neil Armstrong, the first man to walk on the moon, told a US Congressional hearing in September that his country's space programme is "embarrassing and unacceptable".

According to Armstrong, America is losing its lead over other countries as - since the space shuttle was retired earlier this year - Americans now have no direct access to low-Earth orbit or the International Space Station. The space shuttle, the vehicle the US had been using to reach the ISS, flew its last mission in July. Atlantis landed on 21 July, marking three decades and more than 130 flights for the fleet.

To reach the ISS, or even to go further, the US now relies on one of two taxi services. One is the Russian space program - a project that, under its previous branding of the Soviet Union, America had raced to beat. Armstrong's first footsteps on the moon were the pinnacle achievement of the East-West space race. The US also relies on the rockets of the private sector, such as the United Launch Alliance's Evolved Expendable Launch Vehicle (EELV) Atlas V 541 that in November put NASA's Mars Science Laboratory (MSL) into orbit and en route for Mars.

On board the Atlas V 541 was the nuclear-powered Curiosity rover due to reach the Red Planet next August and described as being as big as a Mini Cooper. This will be NASA's third Martian rover, joining Spirit and Opportunity. These completed their primary missions in 2004 but Spirit only ceased communications in 2010 while Opportunity is still examining craters. Popular Mechanics magazine just awarded them lifetime achievement awards.

Given this rich heritage and the surrender of the American government's space independence, it was not surprising that one of those pioneers from the early days, a man who's seen how small and blue Earth is from the outside, should go to Washington to knock heads together.

"For a country that has invested so much for so long to achieve a leadership position in space exploration and exploitation, this condition is viewed by many as lamentably embarrassing and unacceptable," Armstrong said.

He pointed out that NASA is caught in the crossfire between the Obama administration and Congress - "a fractious process that satisfies neither".

Space shuttle Atlantis. Pic NASA

Atlantis' last landing ended the US government's space independence

Not that Russians were exactly knocking space exploration out of the atmosphere. On November 8 Russia finally successfully launched its first planetary probe since 1996. Called Phobos-Grunt, it lifted off from the Baikonur Cosmodrome in Kazakhstan aboard a two-stage Zenit-2SB41.1.

The mission was simple: travel to Mars, orbit the uninviting planet, land on the Martian moon Phobos, gather samples, lift off and arrive back on Earth in 2014. Coming along for the ride was a Chinese satellite Yinghuo-1 to study magnetic and gravity fields, ionosphere and the surface of Mars.

Failing Grunt

One day into the mission, however, Phobos-Grunt was stuck in orbit around the Earth as both engines had failed to fire, and the Russian space command, Roscosmos, lost contact with its probe. Only after weeks of trying were Roscosmos and the European Space Agency able to achieve intermittent contact. The probe spent November and December in a slowly decreasing orbit, and by mid December it was clear the many attempts to re-start Phobos-Grunt had been fruitless: Roscosmos said it expected the dud Martian probe to re-enter the Earth's atmosphere and that the bits that didn't burn up would crash somewhere between January 6 and January 19, although it couldn't give an exact date or place.

Over to you, China.

You can read The Reg's detailed review of the year in space here.

Nokia's burning platforms and AT&T's burned fingers

Change often comes slowly and in predictable ways in telecoms.

For AT&T, the largest wireless carrier in the US with 95.5 million subscribers, change meant one thing and one thing only during 2011: getting even bigger. AT&T decided to realise this goal through the tried-and-tested method of corporate acquisition, and its target was America's fourth-largest carrier, T-Mobile USA and its 23 million subscribers. The deal, announced in March, would make AT&T's position as America's largest wireless carrier unassailable. The price-tag: $39bn.

AT&T glossed over the benefits to itself and instead talked up the positives for everybody else. The pros: merging the companies' GSM networks would boost US national security by strengthening and expanding critical infrastructure, there would be "significant customer, share owner and public benefits", thousands of jobs would be created, and the deal would somehow answer the call of the Federal Communications Commission (FCC) and President Obama to connect "every part of America to the digital age". According to Bloomberg, AT&T went all out to lobby for the deal. AT&T wooed Democratic-leaning labor unions and drew letters of support filed with the FCC from groups representing cattle ranchers, songwriters, balloonists, governors and technology companies.

In reality, the deal would mean a major act of market consolidation in the US wireless market. It would eliminate one of the top-five suppliers and put AT&T in a commanding number-one spot in a nation where there already exists limited choice of wireless provider in local markets.

Steve Ballmer and Stephen Elop

Burning bright: Nokia's Elop and Microsoft's Ballmer sealed a deal

The US government wasn't buying AT&T's pitch. The US Department of Justice, the office that's taken on IBM and Microsoft over the years, filed an antitrust lawsuit to block the deal, saying that tens of millions of US consumers would face higher prices, fewer choices and lower quality products for mobile wireless services. The DoJ pointed out that AT&T and T-Mobile compete head-to-head in 97 of the country's top 100 regional wireless markets.

In November, the FCC took the unusual step of requesting an administrative hearing - the last such hearing came in 2002 with the attempted merger of EchoStar and DirecTV. Both companies threw in the towel. FCC staffers said the AT&T deal would be anti-competitive and not in the public interest and they took issue with the claimed creation of new jobs saying that it would instead lead to "massive" layoffs. Next, the FCC published a damning 143-page staff report that took down all the reasons offered to justify the deal.

Eight months after it was announced, the merger was looking dead in the water. With the combined forces of the US government against it, AT&T and T-Mobile's parent company Deutsche Telekom withdrew their application for the acquisition from the FCC. Also, plans to dump certain assets in order to obtain regulatory clearance had gone cold.

For Nokia, the once mighty handset manufacturer bleeding market share to the iPhone and Android, a more radical pace of change was embraced. Five months after naming former Microsoft president Stephen Elop as CEO, and breaking with the tradition of a Finn running the company, Nokia's US-born chief said that his former employer's smart-phone operating system would be the platform of choice for all Nokia smart phones. It was a huge decision.

For 15 years, Nokia had defined itself as being the anti-Microsoft - going with open source. It was knee deep in Symbian, Meego and Qt.

Nokia first helped create Symbian and then became so invested in Symbian on its handsets that it bought out the partners to create the Symbian Foundation. It also released the Symbian code under an Eclipse Public License to help encourage developer adoption of the code and, therefore, drive application development for its phones. Nokia also bought the Qt cross-platform application and UI framework, and it joined Intel in backing Meego to deliver a Linux distro for use in mobile computing. Now everything old, and open source, was dead.

Elop heralded the Windows move in his February "burning platforms" memo. "Nokia, our platform is burning," he told employees in a metaphor-heavy piece of writing. The first phones were planned - and delivered - for late 2011: the Lumia.

Elop had bet Microsoft and Windows Phone could help Nokia in a number of ways: cut R&D costs and bring online applications for Nokia phones that had been built for Windows Phone and that would attract customers to Nokia handsets. He'd also bet Nokia could siphon off some of the business going to Android and the iPhone by offering something that looked like Android and the iPhone. There's the added unknown of what positive impact a merger of Windows Phone and Windows 8 core might have - this is expected with the Apollo edition of Windows Phone due in 2012. Elop's move, meanwhile, was a huge shot in the arm to Microsoft: finally, at long last, a handset manufacturer had dedicated itself to making nothing but smart phones running Windows Phone.

Would it work for Nokia? By the end of the year things weren't looking promising. IDC found people in Nokia's native Finland were abandoning the company's phones. OK, so Finland isn't exactly a huge market in the global sense but it had been a loyal home market. Europeans, meanwhile, were lukewarm to the new Nokia phones. The Lumia 800, meanwhile, was barely shifting - making up less than one per cent of devices sold in November.

And if Elop had bought into the idea Windows Phone would restart the fortunes of Microsoft on smart phones, and thereby the fortunes of Nokia, he must have been having second thoughts by September. That was when Steve Ballmer let slip sales of Windows Phone devices were behind targets. By November, Gartner reckoned Microsoft's share of the world-wide smart-phone market had - in a booming market - crashed.

Still, there's always plan B: wait for the kids to finally grow bored of Apple's iPhone and fall in love with Nokia.

Anonymous, Lulzsec and the attack of the hacktivists

Hacktivism - people launching attacks and stealing data for purportedly political ends - arguably hit a high-water mark in 2011. It was accompanied by the rise of street protest movement Occupy, and allowed itself to become associated with Robin Hood-types disgruntled with bankers and the excesses of the capitalist system. Hackers often justified their own actions on anti-establishment grounds or as a quest for revenge against perceived injustice.

It was the year when Anonymous, a reasonably long-running and loosely grouped bunch, was joined by Lulzsec, a smaller but even more anarchic group.

Their preferred weapon of choice, the Distributed Denial of Service (DDoS), was allied to hacking into insecure databases and mail spools before releasing their contents onto the net, to the embarrassment of victims.


Lulzsec burned bright but briefly in hacktivism

By the middle of the year, it seemed every day somebody somewhere was claiming another DDoS, web site re-direct, or data theft on behalf of Anonymous, Lulzsec or both.

Targets included entertainment industry firms for their stance against file sharing, newspaper sites of Rupert Murdoch's News International and his Fox TV station, NATO, banks, websites run by the governments of Egypt and Tunisia during the Arab Spring protests, FBI-affiliated security organisations and different law enforcement operations across the US out of revenge for the arrest of alleged members of Anonymous and Lulzsec.

Sites were knocked offline and gigabytes of personal data - email, credit card details, and social security numbers - lifted. Their actions made headlines, not just for who they attacked but also for the accompanying claims of robbed data. Hacktivists also liked to think they were untouchable: US security firm HB Gary Federal had threatened to reveal the identities of members of Anonymous at a security conference, Security B-Sides, but instead HB Gary Federal found itself hacked, its website defaced, its Twitter feed hijacked and its email spool released.

But just how apocalyptic was this? Many of the claims of data breaches couldn't be substantiated while some attacks seemed rather petty, such as Lulzsec posting a fake story on PBS about rapper Tupac Shakur being alive out of revenge for a PBS documentary on Wikileaks' Julian Assange.

And when it came to dropping the big bomb, the hacktivists kept holding off. Anonymous held back on threats to release caches of classified NATO documents while Lulzsec didn't follow through on a threat to release News International emails that it claimed to have acquired during the redirection attack on The Sun's website.

Curiously, however, arguably the biggest hack story of the year - the breach and take down of Sony's Playstation Network, a vital artery that connects millions of Playstation gamers - was a coup that Anonymous couldn't walk away from fast enough.

The Sony Playstation Network hack saw the details of 77 million gamers compromised and the network offline for 23 days. Just prior to the attack in April, Anonymous had posted a self-important and sanctimonious message warning Sony it would "experience the wrath of Anonymous" for its legal action against PlayStation 3 hacker George Hotz. Yet, Anonymous denied any role in the crippling PlayStation Network hack. Was it Anonymous all along: some member of the group whose actions those in the centre didn't agree with, or was it somebody - as yet - unknown?

The incident pointed to the real problem with Anonymous: it's not a functioning, centralised operation and is instead a chaotic affiliation of splinter cells and individuals with a generalised sense of identity. It is more a group when perceived from the outside.

By summer, the hacktivists also seemed to be on the back foot with arrests in full swing: 21 people cuffed in the US and seven in the UK for their alleged role in the December 2010 DDoS on Paypal, Amazon, MasterCard, Bank of America and Visa over their decision to stop handling the account of Wikileaks.

A pivotal moment came on June 22 when alleged Lulzsec member Ryan Cleary, aged 19, was arrested and charged with five computer crime offences, including allegations of building a botnet and unleashing DDoS attacks, including a cyber-attack on Britain's Serious Organized Crime Agency (Soca).

Five days later, Lulzsec told the world on Twitter it was retiring - barely a month after it had established its presence on Twitter. The group told the AP it wasn't running because it was afraid of law enforcement, just: "The press are getting bored of us, and we're getting bored of us."

Was this the end? Anonymous was still venting as late as October, stealing data and holding it to ransom. The group published a dossier of personal information on the head of Citigroup in retaliation for the arrest of protesters at an Occupy Wall Street demo.

Like the Occupy movement, however, a sustained focus was missing; the attacks seemed opportunistic - relying on the security oversights of their victims and the rather crude hammer of a DDoS to break badly protected systems rather than using some advanced form of hacking. The ideals, such as they were, were random and there was more talk than execution. A planned, idealistic campaign to expose members and associates of the notorious Los Zetas Mexican drug cartel was dropped in November amid some confusion while a rather questionable operation to use stolen credit card details to donate to charities, supposedly defrauding banks in the process, failed to pick up momentum.

2012 will tell whether the attacks resume and become more advanced, or whether the actions of law enforcement have given hacktivists pause for thought. Already, the victims are tooling up. Stung by the attacks, Sony has picked former US Department of Homeland Security exec Philip R Reitinger as senior vice-president and chief information security officer to oversee information security, privacy and internet safety across the entire company. ®