Readaloo

The investment arms of the CIA and Google are both backing a company that monitors the web in real time — and says it uses that information to predict the future.

The company is called Recorded Future, and it scours tens of thousands of websites, blogs and Twitter accounts to find the relationships between people, organizations, actions and incidents — both present and still-to-come. In a white paper, the company says its temporal analytics engine “goes beyond search” by “looking at the ‘invisible links’ between documents that talk about the same, or related, entities and events.”

The idea is to figure out for each incident who was involved, where it happened and when it might go down. Recorded Future then plots that chatter, showing online “momentum” for any given event.

“The cool thing is, you can actually predict the curve, in many cases,” says company CEO Christopher Ahlberg, a former Swedish Army Ranger with a PhD in computer science.

Which naturally makes the 16-person Cambridge, Massachusetts, firm attractive to Google Ventures, the search giant’s investment division, and to In-Q-Tel, which handles similar duties for the CIA and the wider intelligence community.

It’s not the very first time Google has done business with America’s spy agencies. Long before it reportedly enlisted the help of the National Security Agency to secure its networks, Google sold equipment to the secret signals-intelligence group. In-Q-Tel backed the mapping firm Keyhole, which was bought by Google in 2004 — and then became the backbone for Google Earth.

This appears to be the first time, however, that the intelligence community and Google have funded the same startup, at the same time. No one is accusing Google of directly collaborating with the CIA. But the investments are bound to be fodder for critics of Google, who already see the search giant as overly cozy with the U.S. government, and worry that the company is starting to forget its “don’t be evil” mantra.

America’s spy services have become increasingly interested in mining “open source intelligence” — information that’s publicly available, but often hidden in the daily avalanche of TV shows, newspaper articles, blog posts, online videos and radio reports.

“Secret information isn’t always the brass ring in our profession,” then CIA-director General Michael Hayden told a conference in 2008. “In fact, there’s a real satisfaction in solving a problem or answering a tough question with information that someone was dumb enough to leave out in the open.”

U.S. spy agencies, through In-Q-Tel, have invested in a number of firms to help them better find that information. Visible Technologies crawls over half a million web 2.0 sites a day, scraping more than a million posts and conversations taking place on blogs, YouTube, Twitter and Amazon. Attensity applies the rules of grammar to the so-called “unstructured text” of the web to make it more easily digestible by government databases. Keyhole (now Google Earth) is a staple of the targeting cells in military-intelligence units.

Recorded Future strips from web pages the people, places and activities they mention. The company examines when and where these events happened (“spatial and temporal analysis”) and the tone of the document (“sentiment analysis”). Then it applies some artificial-intelligence algorithms to tease out connections between the players. Recorded Future maintains an index with more than 100 million events, hosted on Amazon.com servers. The analysis, however, is on the living web.

“We’re right there as it happens,” Ahlberg told Danger Room as he clicked through a demonstration. “We can assemble actual real-time dossiers on people.”

Recorded Future certainly has the potential to spot events and trends early. Take the case of Hezbollah’s long-range missiles. On March 21, Israeli President Shimon Peres leveled the allegation that the terror group had Scud-like weapons. Scouring Hezbollah leader Hassan Nasrallah’s past statements, Recorded Future found corroborating evidence from a month prior that appeared to back up Peres’ accusations.

That’s one of several hypothetical cases Recorded Future runs in its blog devoted to intelligence analysis. But it’s safe to assume that the company already has at least one spy agency’s attention. In-Q-Tel doesn’t make investments in firms without an “end customer” ready to test out that company’s products.

Both Google Ventures and In-Q-Tel made their investments in 2009, shortly after the company was founded. The exact amounts weren’t disclosed, but were under $10 million each. Google’s investment came to light earlier this year online. In-Q-Tel, which often announces its new holdings in press releases, quietly uploaded a brief mention of its investment a few weeks ago.

Both In-Q-Tel and Google Ventures have seats on Recorded Future’s board. Ahlberg says those board members have been “very helpful,” providing business and technology advice, as well as introducing him to potential customers. Both organizations, it’s safe to say, will profit handsomely if Recorded Future is ever sold or taken public. Ahlberg’s last company, the corporate intelligence firm Spotfire, was acquired in 2007 for $195 million in cash.

Google Ventures did not return requests to comment for this article. In-Q-Tel Chief of Staff Lisbeth Poulos e-mailed a one-line statement: “We are pleased that Recorded Future is now part of IQT’s portfolio of innovative startup companies who support the mission of the U.S. Intelligence Community.”

Just because Google and In-Q-Tel have both invested in Recorded Future doesn’t mean Google is suddenly in bed with the government. Of course, to Google’s critics — including conservative legal groups, and Republican congressmen — the Obama Administration and the Mountain View, California, company slipped between the sheets a long time ago.

Google CEO Eric Schmidt hosted a town hall at company headquarters in the early days of Obama’s presidential campaign. Senior White House officials like economic chief Larry Summers give speeches at the New America Foundation, the left-of-center think tank chaired by Schmidt. Former Google public policy chief Andrew McLaughlin is now the White House’s deputy CTO, and was publicly (if mildly) reprimanded by the administration for continuing to hash out issues with his former colleagues.

In some corners, the scrutiny of the company’s political ties have dovetailed with concerns about how Google collects and uses its enormous storehouse of search data, e-mail, maps and online documents. Google, as we all know, keeps a titanic amount of information about every aspect of our online lives. Customers largely have trusted the company so far, because of the quality of their products, and because of Google’s pledges not to misuse the information still ring true to many.

But unease has been growing. Thirty seven state Attorneys General are demanding answers from the company after Google hoovered up 600 gigabytes of data from open Wi-Fi networks as it snapped pictures for its Street View project. (The company swears the incident was an accident.)

“Assurances from the likes of Google that the company can be trusted to respect consumers’ privacy because its corporate motto is ‘don’t be evil’ have been shown by recent events such as the ‘Wi-Spy’ debacle to be unwarranted,” long-time corporate gadfly John M. Simpson told a Congressional hearing in a prepared statement. Any business dealings with the CIA’s investment arm are unlikely to make critics like him more comfortable.

But Steven Aftergood, a critical observer of the intelligence community from his perch at the Federation of American Scientists, isn’t worried about the Recorded Future deal. Yet.

“To me, whether this is troublesome or not depends on the degree of transparency involved. If everything is aboveboard — from contracts to deliverables — I don’t see a problem with it,” he told Danger Room by e-mail. “But if there are blank spots in the record, then they will be filled with public skepticism or worse, both here and abroad, and not without reason.”

As Pentagon leaders go, Defense Secretary Robert Gates and Joint Chiefs of Staff Chairman Adm. Mike Mullen are fairly mild-mannered — prone to quiet, careful assessments, not table-pounding bluster. But they could barely contain their anger on Thursday at WikiLeaks for publishing tens of thousands of secret documents about the Afghanistan war. Mullen, the chairman of the Joint Chiefs of Staff, went so far as to say that the transparency activists “might already have on their hands the blood of some young soldier” or an Afghan partner during a Pentagon press briefing, his voice elevating slightly.

Neither Mullen nor Gates considered the documents WikiLeaks obtained to have strategic value or even particular utility to understanding the war. But that didn’t diminish their anger at WikiLeaks’s huge disclosure on Sunday, which they described as having consequences on the battlefield and beyond. The consequences of the leak are “potentially severe and dangerous for our troops, our allies and our Afghan partners,” said Gates, a former CIA director with a famous penchant for secrecy. “Tactics, techniques and procedures will become known to our adversaries.” An internal department investigation into who leaked is already underway, aided by the FBI.

Ever since the first Gulf War, there’s been an effort to broaden and flatten access to information within the military in order to foster an ethic of small-unit initiative. Beyond the inquiry’s narrow question of who leaked, Gates said that the “massive breach” will force department leaders to reconsider whether that information needs to be stovepiped again.

“We want those soldiers at a forward operating base to have all the information necessary, not just for their own security, but to accomplish their mission,” Gates said. “Should we change the way we approach that or do we continue to take the risk” of more exposures? (So long, SIPRNET access?) Gates added that he couldn’t confirm whether there have been new leaks waiting to come to light since WikiLeaks obtained its tranche of documents, some thousands of which it has yet to release.

Then there’s the consequence to America’s partners, particularly Afghans who put their lives at risk working with U.S. troops and whose identities are now exposed in the WikiLeaks documents. Gates said there was a “moral obligation” for the United States to “take some responsibility for their security,” but didn’t elaborate what measures the military might take. “Will people whose lives are on the line trust us to keep their identities secret?” Gates asked. “Will other governments trust us to keep their documents secret?”

Reporters challenged Mullen’s comment about WikiLeaks having blood on its hands, but the usually soft-spoken chairman didn’t back away. While he said he didn’t know that anyone has died because of the leaks, Mullen said that people who don’t handle battlefield reports of the sort that WikiLeaks published “can’t appreciate, in my opinion, how this information is networked together…. The potential threat is there to risk the lives of soldiers, sailors, airmen, marines,” as well as U.S. foreign allies in Afghanistan, “as well as Afghan citizens. And there’s no doubt in my mind about that.”

Also available: rating information from the same business review sites that appear in Google Maps search results. So show me the best-rated coffee shop within a mile of me that's described as dog-friendly in user reviews. That would be awesome.

How it Might Be Used

When Google first began discussing the Places API in April, we discussed as an example a pizza restaurant that edited its delivery area on Google and then made that information available to apps that pinged the API for information.

Those kinds of examples are less likely to be implemented at first, since the first developers being allowed access to the API are people building check-in apps. But the possibilities beyond checking in are many and diverse.

Just as Google Maps made it easy for any developer to add a map and display location, the Places API could make it easy for any developer to search up to date information about any location for their application. At least that's what seems to be possible. The Terms of Service favoring search and prohibiting caching may prove frustratingly prohibitive.

That data may be free, but it will come at the expense of integrating with Google's Adsense platform. "Note that in order to be issued credentials for this service," the API documentation reads, "you must provide a valid Adsense publisher id that matches the Google account with which you are currently logged in." That's pretty smart of Google and maybe a little nefarious, but someone's got to pay the bills.

Why is Location so Hot?

Why is location becoming such a hot commodity? From one perspective, the proliferation of smartphones and the development of easy-to-use, compelling applications like Foursquare and MyTown are making it easier than ever for consumers to publish and leverage information about their location. Consumers want to do that for a variety of reasons, from recording their travel history to letting family know where they are to bragging about the hip places they hang out.

For developers, location data is a whole new world to pivot on when looking at feeds of user activity data. Our online activity has to date gone on in the placeless ether. Applications could offer features, highlight content or make recommendations based on things like our interests and social connections - but now any of that and more can be sorted by location. That's a very potent column to add to any spreadsheet, too. We're just beginning to see what all the recombinations of these types of data can look like.

It's an exciting new location-based world, and much of it may be powered by the Google Places API.

About 80% of U.S. households have come to do their banking over the Internet, banking consultancy Novantas says. Many consumers believe online banking is every bit as safe as branch banking. But that's clearly not the case, banking and tech security specialists say.

Cyberattacks against individual online accounts have become so sophisticated and pervasive that the American Bankers Association (ABA) is now asking consumers to "partner" with banks to keep cyberrobbers in check.

The banking industry wants consumers to monitor their online accounts for unauthorized transactions on a "continuous, almost daily, basis," says Doug Johnson, the ABA's vice president of risk-management policy. That's because PCs and smartphones have become "the online bank branch for a lot of individuals," he says. "The customer needs to really recognize that security is most effective when they work in partnership with their financial institution."

This shifting burden has come about because of developments that the banking industry did not anticipate a decade ago, when it began promoting personal computers as convenient venues for consumer banking. Ambitious online attacks soon followed. Banks have spent heavily to shore up cyberdefenses, and they've kept a policy of reimbursing individual online account holders who can verify that they've been ripped off, Johnson says.

Even so, cyberrobbery has evolved into a multifaceted, multibillion-dollar global industry that shows little sign of cooling. Last year, the number of malicious software programs designed to pilfer online bank accounts — referred to as banking Trojans — rose to 65,098 in December, up from 4,295 at the start of 2009, according to Panda Security, a Madrid-based antivirus software supplier.

Writers of malicious software code are prolific, always focusing on new ways to get past the latest defenses erected by banks and antivirus companies, says Panda Security researcher Sean-Paul Correll.

A 2009 ABA survey of 170 U.S. banks revealed that 85% of big banks are incurring losses stemming from cyberattacks on consumer online accounts. Banks responding to the survey rated the "threat level" of online attacks at 2.58 on a scale of zero to five; that's up from a 1.84 rating in 2007.

"Every single bank I've talked to in the last six months, big and small, has seen these attacks," says Avivah Litan, banking security analyst at research firm Gartner. "It's an arms race. There are solutions — until the next kind of attack comes along. And if you're caught in the middle, you're screwed."

Successful robbers are patient

Janis Stuart, a retired San Diego personal trainer, barely dodged one recent cutting-edge attack. Returning from an out-of-town trip in April, Stuart booted up her desktop PC and began checking e-mail. She found a notice from her community bank advising her that all future e-mails would be sent to a new e-mail address, as per her online instructions. Stuart never requested such a change.

"My immediate reaction was that they had confused accounts, and this was a big mistake," she recalls. Stuart drove down to the branch office. A clerk informed her that $5,836.66 was about to be transferred from her savings account to a woman Stuart had never heard of, in the form of a bill-payment check. Payment was stopped.

Stuart says bank officials advised her that she most likely had a computer infection that allowed an attacker to gain access to her account, change the e-mail address and set the bill payment in motion. The bank authorized the transfer because the thief knew the answers to Stuart's "secret questions" — such as her mother's maiden name and the city of her birth — and because a similar bill-payment check had been sent from Stuart's account to the same woman 12 months earlier. That initial check was never cashed, Stuart says.

It was a ruse that allowed the attacker to remain undetected while establishing the woman as an approved recipient of bill-payment checks from Stuart. After waiting a year, the attacker triggered the second payment. "It was a fluke that I caught it in time before the money disappeared," says Stuart. "I was very upset." Stuart says she "felt the bank was somehow responsible" for enabling an intruder access to her account.

Stuart's experience illustrates a prerequisite for accomplished cyberrobbers: patience. The cyberunderground has advanced to the point where very powerful hacking tools and tutorials are readily available for free, and a highly efficient and organized support infrastructure has been established to help thieves. Taking full advantage of such tools takes time.

Chasing thieves' technology

Instead of holding up a bank branch at gunpoint, modern-day cyberrobbers do their homework.

"To maximize their effectiveness and streamline their ability to move money quickly, criminals take the time to learn your online banking platform and do account reconnaissance," says Terry Austin, CEO of Guardian Analytics, which supplies fraud-detection systems.

First, they acquire valid account log-ons, often by purchasing them from specialist data thieves. Next, they quietly access accounts, making note of high cash balances and access to credit lines. They also familiarize themselves with the bank's protocols for authorizing the creation of new online accounts and approving cash transfers.

They look for coding security holes — and invariably find them in the Web browser, the tool banks rely on to run programs that serve as a virtual bank teller. But Internet Explorer, Firefox, Opera, Google Chrome and Apple Safari are designed to let users navigate the entire Internet; they weren't meant to execute secure financial transactions. Cyberrobbers craft banking Trojans that inject software code into the Web browser, letting the attacker take control of online banking sessions, alter what the account holder sees and make stealthy transactions.

"With the exception of some rare cases, the current online banking systems are at least one full generation behind the current techniques employed by cybercrooks," says Costin Raiu, Kaspersky Lab research director.

Cyberrobbers also take great care in setting up "drop" accounts — online accounts they control, usually at the same bank as victims — poised to receive cash transfers. They typically recruit "money mules," accomplices who execute the final, riskiest step of withdrawing cash from drop accounts and forwarding proceeds to the ring leaders.

Mules are recruited through work-at-home advertisements on employment websites and, increasingly, on popular social networks. Typical pitches promise high earnings for minimal work involving accepting deposits and handling cash transfers. Kaspersky Lab researcher Dmitry Bestuzhev recently tracked down one Facebook-based mule recruiter who had 224,000 friends. "Who knows how many of them accepted the offer to be a money mule?" Bestuzhev says.

In one caper recently investigated by SecureWorks, the attacker embedded a banking Trojan in the victim's Web browser by getting the person to click on a corrupted Web link in an instant message. The Trojan watched for when the victim next accessed his online bank account and sent a copy of the user name and password to the attacker. It also automatically injected a spoofed bank form into the legitimate banking Web pages.

The bank form asked for the last four digits of the user's debit card number, ostensibly to complete a security update. The victim complied and filled out the form. The attacker now had a key piece of information necessary to execute large cash transfers.

On a Wednesday shortly before noon, the attacker logged on and began a series of transactions. He changed the e-mail address associated with the account, so notices of any questionable transfers wouldn't reach the account holder. He next accessed a credit card line of credit and transferred the maximum loan amount into checking.

He then emptied the account of more than $20,000, via a series of transfers into a drop account. To execute the transfers, the thief had to answer this question: "What are the last four digits of your debit card account number?" It took four days for the bank to reimburse the victim.

Such attacks are likely to continue to be commonplace, says Joe Stewart, senior threat researcher at SecureWorks. "Cybercriminals can steal credentials for thousands of accounts at a time with very little effort," he says. "They have access to more accounts than they could possibly ever use, and most of those are personal accounts."

Consumer distrust increases

To slow down cyberrobberies, banks increasingly are asking "knowledge-based authentication" questions at key junctures of online banking sessions, says Johnson, the bankers association risk expert. Such questions, derived from data amassed by the big three credit bureaus, Experian, Equifax and TransUnion and by data aggregators LexisNexis and Axiom, ask about obscure personal details such as the name of one's mortgage holder or father-in-law, a previous address, even the color of one's car.

"The questions are going to get more difficult over time," Johnson says. "The threat is real, and (banks) are providing the tools to help customers protect themselves."

Citibank and Bank of America rank third and seventh among the top 10 most frequently attacked banks in the world, according to Kaspersky Lab. Each uses a variety of security systems and relies on consumers to help protect their online accounts.

"It is paramount that our customers know how to protect themselves," says Bank of America spokeswoman Tara Burke. "We recommend that customers always protect their passwords, ensure the bank has up-to-date contact information and review their accounts on a regular basis."

Litan, the Gartner banking security analyst, says banks need to move away from technologies that rely on common Web browsers, which is where banking Trojans thrive. Handheld optical readers, a more advanced technology, are available from Gemalto and Cronto. These devices must be used to take a picture of a visual cryptogram — a secure image produced by the bank — as part of authorizing any cash transfers.

Mandatory use of a verification device that operates separately from the browser would enable banks to ensure "secure transactions no matter what is on the customer's PC," says Paul Beverly, executive vice president at Gemalto.

But Litan says banks are a long way from even thinking about widely distributing such devices to consumers. "They don't want to get into the business" of providing hardware to customers, she says.

Banking and security experts say the only thing that will change the banking industry's current approach is widespread consumer backlash. Stuart's reaction to her brush with a near robbery could be a harbinger. The experience prompted her to get offline and revert to branch banking.

"It's inconvenient not to be able to check my account whenever I feel like it. I have to go by the bank and ask for printouts," says Stuart. "But at this point, I distrust the system of online banking."

Musician Kanye West performs onstage during the 2010 BET Awards held at the Shrine Auditorium on June 27, 2010 in Los Angeles, California.

Kanye West doesn't like his new rug. The rapper appears to be redecorating his house — buying gold-encrusted goblets, coveting 19th century artwork, and turning his home "real Kingish," as he puts it. But the rugs are all wrong. "I specifically ordered Persian rugs with cherub imagery!!!" He wrote on Twitter on July 28. "What do I have to do to get a simple Persian rug with cherub imagery uuuuugh."

Oh, Kanye. We've missed you.

Hip-hop's most ridiculous rapper has been relatively quiet in recent months — ever since that 2009 MTV Music Video Awards outburst about Beyonce's "Single Ladies" video being better than Taylor Swift's (which, by the way, it was) and someone on his PR team told him to shut it until the backlash died down. Well, time's up. Kanye has a new album out in September — formerly called Good Ass Job, it's currently without a name — and the promotional firestorm is kicking into gear. Kanye has already performed at the BET Awards and appeared at the khaki-clad offices of Facebook and Twitter. Then, on July 28, he opened a Twitter account. And here's what we discovered: Kanye is funny.

His blog, Kanyeuniversecity.com, has made us laugh for years, but it was sometimes hard to tell if we were laughing with Kanye or at him. The all-caps rants — such as the January 2009 post that began with the phrase, YOOOO WHY WON'T YOU LET ME BE GREAT!!! and ended with the request that we all "LOOK HOW FRESH MY SUIT IS" — seemed to be accidentally hilarious. And when fans complained that he showed up two hours late for a 2008 Bonaroo performance, Kanye didn't apologize, he blogged an obscenity-laced rant and called everyone at Bonaroo "squid brains." Basically, Kanye seemed like a diva. But on Twitter, he's different. He's more sarcastic, even tongue-in-cheek. Maybe we've had Kanye all wrong.

According to Twitter, here are some things Kanye West has done in the past two days:

• Flown on a private jet

• Complained that the private jet he flew on was too small.

• Called himself king and then posted a photo of one of Napoleon's thrones

• Drank wine out of a gold goblet

• Bemoaned the lack of cherubs

• Listened to the "William Tell Overture" ("Classical music is tight, yo")

• Listened to Leonard Bernstein. ("[His] flute player is snapping write now!!! Are those Christmas bells?")

• Put fresh flowers in his house

• Explained what it was like to date a model: "I had to learn to like small dogs and cigarettes"

• Asked for decorating advice: "Is the Versace sofa too hood? Might need to cover it in plastic!!!"

• Ordered his salmon cooked medium instead of medium well ("I didn't want to ruin the magic")

• Posted photos of Louis XIV's credenza

• Asked someone to give him this horse

Close to 300,000 people are now following his Twitter account and looking at his pictures of furniture. The number of people Kanye is following? Zero.

It seems that Kanye West is doing a tour of the Silicon Valley’s nerd hubs. After freestyling over at Facebook headquarters in Palo Alto, California, the other day — and subsequently joining Twitter  yesterday — he jammed on over to Twitter Central and treated Biz Stone and Co. to a performance as well.

As pointed out yesterday, Kanye West has an almost embattled relationship with the micoblogging service. Last year, he busted out with the following rant on his blog — which now only yields an “Error 404″ when you try to locate it. Regardless, here it is:

“I DON’T HAVE A F*CKING TWITTER… WHY WOULD I USE TWITTER??? I ONLY BLOG 5 PERCENT OF WHAT I’M UP TO IN THE FIRST PLACE. I’M ACTUALLY SLOW DELIVERING CONTENT BECAUSE I’M TOO BUSY ACTUALLY BUSY BEING CREATIVE MOST OF THE TIME AND IF I’M NOT AND I’M JUST LAYING ON A BEACH I WOULDN’T TELL THE WORLD. EVERYTHING THAT TWITTER OFFERS I NEED LESS OF. THE PEOPLE AT TWITTER KNOW I DON’T HAVE A F*CKING TWITTER SO FOR THEM TO ALLOW SOMEONE TO POSE AS ME AND ACCUMULATE OVER A MILLION NAMES IS IRRESPONSIBLE AND DECEITFUL TO THERE FAITHFUL USERS. REPEAT… THE HEADS OF TWITTER KNEW I DIDN’T HAVE A TWITTER AND THEY HAVE TO KNOW WHICH ACCOUNTS HAVE HIGH ACTIVITY ON THEM. IT’S A F*CKING FARCE AND IT MAKES ME QUESTION WHAT OTHER SO CALLED CELEBRITY TWITTERS ARE ACTUALLY REAL OR FAKE. HEY TWITTER, TAKE THE SO CALLED KANYE WEST TWITTER DOWN NOW …. WHY? … BECAUSE MY CAPS LOCK KEY IS LOUD!!!!!!!!!”

Now it seems that West has full-on embraced the service, even noting once — in the midst of a torrent of tweets — “awwwww man this is addictive I might get in trouble on here!!!!” So much for only blogging “5%” of what he’s up to.

When it was written about his entrance on to Twitter yesterday, West had around 20,000 followers — now he has 228,862.

What do you think of the rapper’s reversal of his previous opinion? Do you think his embracing social media can save his tarnished image? Let us know.

A hacker has discovered a way to force ATMs to disgorge their cash by hijacking the computers inside them. The attacks demonstrated Wednesday targeted standalone ATMs. But they could potentially be used against the ATMs operated by mainstream banks.

Criminals have long known that ATMs aren't tamperproof.

There are many types of attacks in use today, ranging from sophisticated to foolhardy: installing fake card readers to steal card numbers, hiding tiny surveillance cameras to capture PIN codes, covering the dispensing slot to intercept money and even hauling the ATMs away with trucks in hopes of cracking them open later.

Computer hacker Barnaby Jack spent two years tinkering in his Silicon Valley apartment with ATMs he bought online. These were standalone machines, the type seen in front of convenience stores, rather than the ones in bank branches.

His goal was to find ways to take control of ATMs by exploiting weaknesses in the computers that run the machines.

He showed off his results here at the Black Hat conference, an annual gathering devoted to exposing the latest computer-security vulnerabilities.

His attacks have wide implications because they affect multiple types of ATMs and exploit weaknesses in software and security measures that are used throughout the industry.

His talk was one of the conference's most widely anticipated, as it had been pulled a year ago over concerns that fixes for the ATMs wouldn't be in place in time. He used the extra year to craft more dangerous attacks.

Jack, who works as director of security research for Seattle-based IOActive Inc., showed in a theatrical demonstration two ways he can get ATMs to spit out money:

-- Jack found that the physical keys that came with his machines were the same for all ATMs of that type made by that manufacturer. He figured this out by ordering three ATMs from different manufacturers for a few thousand dollars each. Then he compared the keys he got to pictures of other keys, found on the Internet.

He used his key to unlock a compartment in the ATM that had standard USB slots. He then inserted a program he had written into one of them, commanding the ATM to dump its vaults.

-- Jack also hacked into ATMs by exploiting weaknesses in the way ATM makers communicate with the machines over the Internet. Jack said the problem is that outsiders are permitted to bypass the need for a password. He didn't go into much more detail because he said the goal of his talk "isn't to teach everybody how to hack ATMs. It's to raise the issue and have ATM manufacturers be proactive about implementing fixes."

The remote style of attack is more dangerous because an attacker doesn't need to open up the ATMs.

It allows an attacker to gain full control of the ATMs. Besides ordering it to spit out money, attackers can silently harvest account data from anyone who uses the machines. It also affects more than just the standalone ATMs vulnerable to the physical attack; the method could potentially be used against the kinds of ATMs used by mainstream banks.

Jack said he didn't think he'd be able to break the ATMs when he first started probing them.

"My reaction was, 'this is the game-over vulnerability right here,'" he said of the remote hack. "Every ATM I've looked at, I've been able to find a flaw in. It's a scary thing."

Jack wouldn't identify the ATM makers. He put stickers over the ATM makers' names on the two machines used in his demonstration. But the audience, which burst into applause when he made the machines spit out money, could see from the screen prompts on the ATM that one of the machines was made by Tranax Technologies Inc., based in Hayward, Calif. Tranax did not immediately respond to e-mail messages from The Associated Press.

Triton Systems, of Long Beach, Miss., confirmed that one of its ATMs was used in the demonstration. It said Jack alerted the company to the problems and that Triton now has a software update in place that prevents unauthorized software from running on its ATMs.

Bob Douglas, Triton's vice president of engineering, said customers can buy ATMs with unique keys but generally don't, preferring to have a master key for cost and convenience.

"Imagine if you have an estate of several thousand ATMs and you want to access 20 or so of them in one day," he wrote in an e-mail to the AP. "It would be a logistical nightmare to have all the right keys at just the right place at just the right time."

Other ATM manufacturers contacted by the AP also did not immediately respond to messages.

Jack said the manufacturers whose machines he studied are deploying software fixes for both vulnerabilities, but added that the prevalence of remote-management software broadly opens up ATMs to hacker attacks.

Source: Woopra

How it Works

"Explore the web like never before," declares the StumbleUpon sign up page. And indeed the beauty of StumbleUpon is how easy it makes browsing the Web. It's often called a 'serendipity engine' for its ability to turn up strange and new content.

Here's how StumbleUpon works as a user. You firstly download and install a browser add-on, then select categories that interest you. Now you're ready to explore. Simply click the Stumble button in your browser to be magically transported to an unknown web page. Where you're taken is driven by StumbleUpon's sophisticated recommendation engine, which is fueled by data from its users - who vote on whether they 'like' or 'dislike' web pages across the Web.

What's Popular on StumbleUpon?

It's simple for the users, yet surprisingly difficult for the media industry to get its collective head around. Its randomness and lack of an easily identifiable core audience are two things that make StumbleUpon hard to understand. So what kind of content is popular there?

Much like Digg, another crowd-sourced recommendation engine, the most popular content on StumbleUpon tends to be easily digestable and entertaining. Lists, bizarre things, scientific discoveries, animals, humor, images, and so on. Among the most stumbled content of 2009 were these articles: '99 Things You Should Have Seen On The Internet' (471K Stumbles), 'Life Summarized in 4 Bottles' (439K Stumbles), '14 Rare Color Photos From the FSA-OWI' (341K Stumbles),... you get the idea.

We queried our community via Twitter to find out their main use cases. Here's a representative sample of the replies (you can see them all via Twitoaster):

@brettmorrison: "I use it to share things I find interesting and I use it to find randomly interesting things when I have a few free moments."

@EssenteeWeb: "So's I can share what I think is cool and find content I otherwise wouldn't have."

@andinarvaez: "I do, on occasion. Whenever I'm online, want to stay online, but just feel like browsing. [...] Even though they're [within] my interests, stumble upon helps me burst my usual browsing patterns & online bubble."

@rjanyk: "boredom... killing time a couple minutes at a time... entertainment. Sadly, almost thrilling not knowing what's coming next"

@MicaR: "Been a Stumbler for yrs. Great to get new ideas flowing when stuck, and, of course, great time waster. I've learned a lot, randomly."

@ezy80: "I find its a good source of 'random relevant' that nothing else provides in quite the same way..."

@lauratellsjokes: "i stumble when i am bored and to learn new things. i love stumbling through photos, art and philosophy."

@estateofflux: "I do, great for entertainment and uncovering hidden gems of content when you've exhausted all your usual sources!"

These and other replies often used words like "random" or "new." Also it seems that people tend to use StumbleUpon when they have a bit of spare time, or are bored.

Let us know in the comments whether you currently use StumbleUpon; and if so, how and why?

Jailbreaking Is "Fair Use" But Voids Warranty?

For those of you unfamiliar with the term, to "jailbreak" a phone is to hack a smartphone in order to gain access to additional features or install unapproved applications. Up until now, however, Apple claimed that jailbreaking an iPhone allowed people to install unapproved apps and should not be permitted. That claim has been rejected, with the Copyright Office saying that jailbreaking is actually fair use.

An Apple spokeswoman told Cult of Mac's Leander Kahney that, aside from possibly degrading the user experience, jailbreaking can void the warranty.

Apple's goal has always been to insure that our customers have a great experience with their iPhone and we know that jailbreaking can severely degrade the experience. As we've said before, the vast majority of customers do not jailbreak their iPhones as this can violate the warranty and can cause the iPhone to become unstable and not work reliably."

Jailbreaking Threatens Apple's Assets

While Apple has a valid point - that jailbreaking the iPhone and installing unverified third-party apps "can cause the iPhone to become unstable and not work reliably" - there is something bigger at stake here. Apple is saying it wants to preserve the quality of the user experience, but it also wants to protect its assets.

Apple and AT&T started offering wifi tethering at $20 per month in June. With a jailbroken iPhone, 10 spare minutes and $10, you can turn your iPhone into wifi hotspot and avoid the monthly fee. There are even other tethering apps that are completely free (though we've found MyWi to be reliable). How about those apps that Apple will only let you run over wifi connections, like FaceTime? Apps for jailbroken iPhones, such as My3G, allow users to run wifi-only apps over 3G. There are even apps to block Apple's new "iAd" advertising on jailbroken phones. It's even feasible that, with jailbreaking officially off the DMCA list of offenses, alternatives to programs like Apple's MobileMe could enter the market at less than the $99 per year pricetag.

In essence, a jailbroken phone is something that Apple can't closely control and it's a threat. Apps that would never make it through the App Store, for any number of reasons, can be installed onto a jailbroken phone. Say "hello" to third-party browsers, porn, bittorrents, direct-downloaded podcasts and TV shows and more.

The reality, so far, is that only a small percentage of iPhone owners have jailbroken their phones, but the flip-flop in legality could change this. As Kahney suggests, maybe "legitimate software companies will publish jailbreaking software, instead of shady rings of underground hackers" and maybe a "healthy market for unofficial and banned apps" will come from all of this.

What About The Warranty?

Oh yes, the warranty. While Apple is quick to say that jailbreaking an iPhone will void the warranty, there's one thing - it's but a simple step to restore your iPhone to its original condition and have that be that. As ReadWriteWeb's Sarah Perez writes in her latest jailbreaking guide, "if you have a jailbroken phone, you can't get support from Apple for any issues you may have. However, jailbreaking isn't permanent. You can revert your phone to its factory settings at any time via iTunes with no one the wiser."

Our suggestion? Go backup all your data and jailbreak that iPhone. There's a million reasons you should, it's not illegal and, if you run into trouble, you can easily restore everything to a clean slate.