SD TIMES BLOG
 
jhildebrand

I read an alarming guest editorial at the Wall Street Journal's Web site the other day. The article, “The U.N. Threat to Internet Freedom,” was written by Robert M. McDowell, a commissioner of the Federal Communications Commission.*

The article is quite a piece of work. McDowell believes the United Nations' International Telecommunication Union (ITU), under pressure from Russia and China, is poised to wrest control of the Internet away from existing technical advisory groups such as the Internet Assigned Numbers Authority (IANA), the Internet Engineering Task Force (IETF), and the Internet Society (ISOC). McDowell warns that the future of the Internet will no longer be in the hands of level-playing-field technologists, but under the control of national governments.

Among other things, McDowell predicts that the ITU is preparing to renegotiate a 1988 treaty and seize the power to, in his words:

  • Allow foreign phone companies to charge fees for "international" Internet traffic, perhaps even on a "per-click" basis for certain Web destinations, with the goal of generating revenue for state-owned phone companies and government treasuries;

  • Impose unprecedented economic regulations such as mandates for rates, terms and conditions for currently unregulated traffic-swapping agreements known as "peering";

  • Establish for the first time ITU dominion over important functions of multi-stakeholder Internet governance entities such as the Internet Corporation for Assigned Names and Numbers, the nonprofit entity that coordinates the .com and .org Web addresses of the world;

  • Subsume under intergovernmental control many functions of the Internet Engineering Task Force, the Internet Society and other multi-stakeholder groups that establish the engineering and technical standards that allow the Internet to work;

  • Regulate international mobile roaming rates and practices.

It all sounds very dire. McDowell's article has sparked a ruckus at reddit, techdirt, and other technology-oriented online forums.

I agree with McDowell that a government takeover of Internet management would likely be disastrous. The Internet has grown and prospered largely because the technologists who administer it and plot its future are not beholden to national interests.

But I'm not going to ring the alarm bells just yet. As The Register points out, the ITU's publicly posted agenda doesn't include any of the issues that worry McDowell. The ITU lacks the resources to take over the Internet. An Internet takeover is contrary to the ITU's mission. And the ITU doesn't have the authority to execute the takeover McDowell fears.

Blogger Jerry Brito has additional doubts about McDowell's dire predictions:

Assuming every other country agrees to centralize control of the Internet, wouldn’t true control require the U.S. handing over the root to the UN? Why would we ever do that? And what does it mean to “Subsume under intergovernmental control many functions of the Internet Engineering Task Force, the Internet Society and other multi-stakeholder groups that establish the engineering and technical standards that allow the Internet to work”? These are volunteer-run non-profits. How can they be “subsumed” by the ITU? Why would they submit?

And even if they are subsumed, all the power they now employ is merely putting out technical recommendations. It is the voluntary adhesion to these recommendations by the thousands of networks that make up the Internet which makes them powerful. How would you mandate compliance with new standards from a centralized global body? Would nations have to make it illegal to belong to a rebel IETF putting out recs to compete with the ITU? I’m having a hard time envisioning how you “repeal and replace” such a large, distributed, and successful bottom-up process.

The ITU is meeting at the World Conference on International Telecommunications in Geneva this week. If they agree to formulate an Internet regulatory plan, as McDowell fears, the plan could pass into law at the ITU's 2012 World Conference On International Telecommunications, slated for December in Dubai. The 1988 regulations governing the relationship between the UN and the Internet – the International Telecommunication Regulations – will be subject to renewal and renegotiation in Dubai.

A more comprehensive overview of what is at stake is available in The 2012 World Conference On International Telecommunications: Another Brewing Storm Over Potential UN Regulation Of The Internet, an article written by two attorneys at Washington-based law firm/lobbying enterprise Wiley Rein. I presume that the lawyers are speaking on behalf of an industry client. A history of Wiley Rein's lobbying efforts is available at OpenSecrets.org. It's not clear – to me, at least – who the firm's client might be in the current issue.

Is independent governance of the Internet really vulnerable to government takeover? I think it is. We've seen U.S. law-enforcement agencies take an increasingly aggressive stance regarding use of the Internet as a crime-detection and suspect-tracking tool (the news is full of more and more disturbing reports), and countries throughout the world are looking to censor or control the Internet for their own purposes. Governments are not doing enough to protect us from corporate interests, and they are doing too much to morph the 'net into a tool for monitoring and controlling citizens.

Still, despite the real threats, I think McDowell is overreacting in this case. If other countries are (understandably) eager to reduce the U.S. government's control over the Internet, that may not be such a bad thing. The Internet is a global resource, and global participation in governance bodies is something to be desired, not feared.

Web recommendation: AT&T Bell Labs is rightly legendary in the programming world – indeed, in many technical fields. I enjoyed these observations about how and why Bell Labs was able to make such breakthroughs, an analysis by Jon Gertner of The New York Times. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He walks everywhere these days.

* The FCC is by law a five-commissioner body, but it's currently down to three members. President Obama has nominated a pair of attorneys, Jessica Rosenworcel and Ajit Pai, to fill the empty seats, but political wrangling is preventing their timely confirmation.

Currently rated 1.7 by 40 people

Share this link: http://www.sdtimes.com/blog/1969

Tags:

politics | government | General | web | intellectual property

jhildebrand

Lots of news from Apple

by J.D. Hildebrand 02/18/2012 07:10 PM EST

Apple is regaining a place of central importance in the technology world that it hasn't held since the 1970s.

For decades, it was easy to dismiss Apple as a niche vendor of overpriced boutique systems – nice systems, but not mainstream, and certainly not viable targets for most development projects. But that view is obsolete. Apple's dominance of mobile platforms, and its ability to leverage that dominance across the laptop and desktop markets, make the company a formidable force in our field. And, increasingly, a magnet for development efforts.

Here's what's new at Apple:

2011 iOS sales surpass 28 years of cumulative Mac sales. A Finnish market analyst named Horace Dediu, who blogs at asymco.com, plucked some statistics from a presentation made by Apple CEO Tim Cook at a Goldman Sachs conference in San Francisco last week. The really interesting conclusion is that Apple sold more iOS-based devices in 2011 than it sold Macintosh computers, ever. It's an astonishing accomplishment, and I think it's something developers should be thinking carefully about. You can read the transcript of Cook's presentation here and Dediu's short analysis – which includes a killer chart – here.

iOS apps are quietly acquiring and storing user data. Apple is the latest company to get stung by this sort of problem. It turns out that a bunch of the most popular apps in Apple's App Store upload user data – including the user's entire contact list – to the software vendors' servers. The vendors hang on to this information indefinitely. The public outcry has been intense, and members of Congress are questioning Apple about the apps. This kind of bad behavior is already prohibited by Apple policy. iOS apps are supposed to notify users that their data will be uploaded and ask for permission. But vendors have not always observed the policy. Apple says it will address this issue, but no one really knows what that means. It could issue a statement to the development community, it could police the App Store more strictly, or it could modify APIs to require that permissions are acquired (and that data is encrypted before transmission). There's a pretty good article about this at Ars Technica.

OS X Mountain Lion will include iOS features. Apple is readying the next version of its OS X operating system for the Mac. Like all recent releases, it is based on the NeXTSTEP OS Apple acquired when it bought Steve Jobs's NeXT Computer and restored Jobs to Apple's top job. But the new version of the OS will apparently include a bundle of programs ported from iOS, including Messages, Notes, Reminders, Game Center, Notification Center, Share Sheets, OS-wide Twitter integration, and AirPlay Mirroring. Many of the apps will allow syncing between OS X and iOS devices. Registered Mac developers can download Mountain Lion now.

Mountain Lion's Gatekeeper feature generates controversy. Apple has built a controversial feature into the new version of OS X. Gatekeeper is a “security feature” that, in its default configuration, prevents users from installing apps unless the apps come from Apple's App Store or a certified OS X developer. Users who wish to install other applications – those written by members of the IT department, say – must override Gatekeeper's default settings. It's one more way Apple is trying to isolate and maintain control over its users.

New iPad(s) to be introduced in early March. Rumor-mongers – including the Wall Street Journal – are predicting that Apple will introduce at least one new iPad in the coming weeks. The consensus is that the iPad 3 will have LTE support for 4G connectivity. Apple may also introduce a lower-priced version of the iPad with an eight-inch screen, perhaps to steal sales away from Amazon's Kindle Fire.

A labor rights activist group will audit Apple's manufacturing facilities in China. As you know from my previous posts, Apple is receiving lots of criticism for low pay, bad working conditions, and terrible living standards at the Chinese companies that manufacture, assemble, and package its hardware. (The same companies also work for other high-tech firms, but Apple has taken the brunt of the criticism because its connections with the Chinese firms have been widely publicized.) The most widely known of the Chinese companies is called Foxconn. Apple responded to the criticism by asking the Fair Labor Association to conduct an audit of its Chinese partners. Meanwhile, Foxconn has raised its workers' hourly wages, which were already high by Chinese standards. The Fair Labor Association's CEO has conducted a preliminary visit to Foxconn, and told reporters, “We're finding tons of issues.”

New CEO changes Apple culture in at least one tangible way. Under Steve Jobs, Apple was notoriously stingy when it came to charitable giving. Tim Cook appears to be changing that. One of the new CEO's first actions was to establish a matching program for employees' charitable donations, under which Apple will match employees' donations dollar-for-dollar up to $10,000 per year. In a recent companywide address, Cook detailed corporate level giving, including $50 to Stanford's hospitals and another $50 million to Project RED.

There's plenty more news. Apple has posted a new getting started guide for iOS on its Web site for developers, the iOS Developer Library. And every day brings more news regarding patent lawsuits, both those directed toward Apple and those initiated by Apple and directed toward others. The iPad is legally banned in some Asian locales because judges have ruled that the name infringes on a Hong Kong company's trademark, but it appears that Apple jumped through all the right hoops when it acquired the trademark a few years ago. And much much more.

Keep hacking.

Web recommendation: Long before the Agile Manifesto was written, Mark Twain was advocating Agile principles – or so say the troublemakers at Agile Scout, a site that mixes occasional humor with serious news about Agile development. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He has been studying the field of business intelligence and has come to think this technology has real promise.

Currently rated 1.9 by 37 people

Share this link: http://www.sdtimes.com/blog/1963

Tags:

apple | government | mobile development | software development | retail

jhildebrand

Facebook claims hacker cred

by J.D. Hildebrand 02/02/2012 08:26 AM EST

The terms “hacker” and “social network” don't really go together. Social networks are gathering places for n00bs and kids. Real hackers don't use services like Facebook – they build them. Heck, real hackers are probably too cool even to build them. They'd rather implement obscure networking protocols or write compilers for multicore processors or build robotic systems.

That's what I've always thought, anyway. But according to Facebook founder and CEO Mark Zuckerberg, hacking is a core value at Facebook, not just among the coders, but as a way of seeing the world.

Zuckerberg's statement appears on page 69 of Facebook's Securities and Exchange Commission S-1 form, which the company filed yesterday as a matter of law as the first step in its initial public offering, the process whereby a privately held company issues stock for sale to the public. The S-1 statement is full of boilerplate legalese, but it offers interesting glimpses into Facebook's history, finances, business model, and future plans. The document includes a letter to shareholders from Zuckerberg. Such letters are often included in S-1 filings, but they are not required.

It is in the shareholders' letter that Zuckerberg claims that Facebook operates according to a set of principles he calls “the Hacker Way.” The idealistic statement includes a few elements of the Agile Manifesto mixed with a description of Facebook's internal tech process:

As part of building a strong company, we work hard at making Facebook the best place for great people to have a big impact on the world and learn from other great people. We have cultivated a unique culture and management approach that we call the Hacker Way.

The word “hacker” has an unfairly negative connotation from being portrayed in the media as people who break into computers. In reality, hacking just means building something quickly or testing the boundaries of what can be done. Like most things, it can be used for good or bad, but the vast majority of hackers I’ve met tend to be idealistic people who want to have a positive impact on the world.

The Hacker Way is an approach to building that involves continuous improvement and iteration. Hackers believe that something can always be better, and that nothing is ever complete. They just have to go fix it — often in the face of people who say it’s impossible or are content with the status quo.

Hackers try to build the best services over the long term by quickly releasing and learning from smaller iterations rather than trying to get everything right all at once. To support this, we have built a testing framework that at any given time can try out thousands of versions of Facebook. We have the words “Done is better than perfect” painted on our walls to remind ourselves to always keep shipping.

Hacking is also an inherently hands-on and active discipline. Instead of debating for days whether a new idea is possible or what the best way to build something is, hackers would rather just prototype something and see what works. There’s a hacker mantra that you’ll hear a lot around Facebook offices: “Code wins arguments.”

Hacker culture is also extremely open and meritocratic. Hackers believe that the best idea and implementation should always win — not the person who is best at lobbying for an idea or the person who manages the most people.

To encourage this approach, every few months we have a hackathon, where everyone builds prototypes for new ideas they have. At the end, the whole team gets together and looks at everything that has been built. Many of our most successful products came out of hackathons, including Timeline, chat, video, our mobile development framework and some of our most important infrastructure like the HipHop compiler.

To make sure all our engineers share this approach, we require all new engineers — even managers whose primary job will not be to write code — to go through a program called Bootcamp where they learn our codebase, our tools and our approach. There are a lot of folks in the industry who manage engineers and don’t want to code themselves, but the type of hands-on people we’re looking for are willing and able to go through Bootcamp.

Not bad, huh? Zuckerberg's letter hasn't convinced me that Facebook is as cool a social network as – oh, reddit, for example. Nor that it would be a great place for programmers to work (though I have read that it is). Still, I give Zuckerberg credit for his letter. He didn't have to say all of that.

You can read the whole S-1 statement here. Take a look. I found it pretty interesting.

Web recommendation: David Letterman just celebrated his 30th anniversary as a late-night talk-show host. I don't watch him anymore, but I remember when he burst onto the scene, replacing old-style comedians with an engaging, self-deprecating, thoroughly distinct voice. Letterman's ironic comedy and laid-back style have become the template for a new generation of hosts. The Huffington Post has collected a series of memorable moments from Letterman's 30 years on late-night TV. I watched them this morning and marveled anew at the comic's genius. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He made a passable turkey soup for lunch today.

Currently rated 1.8 by 28 people

Share this link: http://www.sdtimes.com/blog/1956

Tags:

government | Facebook | social media

jhildebrand

We all know that high-tech firms do their best to retain valuable employees. Salaries and stock options are just the beginning. There are also awards programs, aid for ongoing education, and many more perks. Some of the industry's biggest companies have the most creative retention programs—for example, Google's laid-back Googleplex workplace is specifically designed to help the company attract and keep the programming cream of the crop.

Given the competition over scarce superprogrammer resources, you would expect high-tech companies to raid each other's cubicle farms like crazy. But according to documents recently made public by the U.S. Department of Justice, that is not the case. In fact, just the opposite has occurred. It appears that top execs at Google, Apple, Pixar, Adobe, Intel, Intuit, and Lucasfilm made gentlemen's agreements not to recruit each other's employees.

According to the documents, the six companies not only agreed not to “poach” employees from each other, but they also agreed not to give employees offers if they applied voluntarily. The companies even agreed to notify each other when employees tried to switch jobs. The agreements were apparently made at the companies' very highest executive levels. For example, the court papers include an e-mail message from Adobe CEO Bruce Chizen to Apple's Steve Jobs titled “Recruitment of Apple Employees.”

The problem with these agreements is that they can be illegal—especially if they are made for the purpose of preventing bidding wars for talent, hindering employees' efforts to negotiate for higher salaries, and artificially keeping compensation low.

The Department of Justice examined the documents in 2010 and negotiated a settlement with the companies. The six companies did not have to admit wrongdoing, but they had to promise to end their illegal hiring practices.

Now a group of employees has launched a class-action suit against the companies. The plaintiffs are seeking compensation for salaried employees who worked for the six companies during a four-year period during the late 2000s. If the suit is successful (or if a settlement is negotiated), a lot of tech workers could receive a lot of money.

The case will be heard starting next week by Judge Lucy H. Koh in United States District Court in San Jose, California.

Web recommendation: This page made me laugh out loud. And the more I poked around the site, the more impressed I was at the resources that were gathered there. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He is finishing this blog early so he can go for a short walk before the sun sets.

Currently rated 4.0 by 4 people

Share this link: http://www.sdtimes.com/blog/1949

Tags:

government | People | google

jhildebrand

I have written several times about proposed legislation that would give copyright holders and law-enforcement agents unprecedented powers to censor the Internet. Although both the House and Senate versions of the legislation continue to grind their way through the adoption process, they have encountered setbacks that seem to ensure that the final versions, if approved, will no longer incorporate their most damaging provisions.

Most news reports, including mine, have referred to the legislation as SOPA, the Stop Online Piracy Act. In fact, the House and Senate versions of the bill have different names. SOPA is the name of the House's version, authored by Lamar Smith of Texas. The Senate version is called the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act – the PROTECT IP Act, or PIPA for short.

Both bills are essentially the same. It is common for proposed legislation to make its way through the House and Senate separately. Once both houses of Congress have passed the legislation, it goes to a committee that sands and polishes the language until it has created a single bill that reflects the wishes of both chambers. That bill then gets a final vote, as a formality, in the House and Senate. It's a complicated process.

In the past few days, both the House and Senate versions of the bill have experienced setbacks.

The Senate version of the bill – PIPA – was written by Sen. Patrick Leahy, a Democrat from Vermont. In response to public outcry and expert testimony before the Senate, Leahy now says the DNS-blocking provision of the bill requires “further study” and should not be implemented when and if the bill is passed. Leahy posted a statement on his Web site.

In the House, SOPA author Lamar Smith, a Republican from Texas and chairman of the Judiciary Committee, has taken a further step. He has rewritten the bill to strike the DNS-blocking provision entirely. Like Leahy, he posted a statement on his official Web site.

Both versions of the bill retain other controversial provisions. For example, search engines will be instructed to block links to sites accused of direct and indirect copyright infringement – including, it appears, links to copyrighted material hosted on other sites. Suspected infringers will also lose access to payment services such as PayPal. U.S. companies will be prohibited from advertising on sites suspected of infringement.

Note that in all cases I said “suspected” of infringement. The penalties go into effect without the benefit of due process. First the site is booted off the Internet. Then, perhaps, if the site operator has sufficient cash to protest the move, a trial begins.

A further blow to the proposed legislation has come in the form of a statement from the Obama administration. In response to a petition at the recently created We the People Web site, the President's technical advisors have composed a statement against the current versions of SOPA and PIPA. “Any effort to combat online piracy must guard against the risk of online censorship of lawful activity and must not inhibit innovation by our dynamic businesses large and small,” the statement says.

Despite these developments, a January 18 protest will apparently go ahead as planned. On that day, a large number of Web sites will “go dark,” pulling themselves off the Internet temporarily to dramatize what they see as the legislation's censorship of the Internet. Reddit, Wikipedia, the Cheezburger Network, Destructoid, Red 5 Studios, Major League Gaming, Mozilla, Tucows, the Free Software Foundation, and many other sites are participating in the blackout.

The tide appears to have turned against this poorly conceived legislation, but even with the DNS-blocking language removed, the bills go too far. Here's hoping the legislators' waffling on the legislation's most onerous provisions proves too little, too late, and the blackout puts a stake through SOPA's heart.

Web recommendation: The hacker collective Anonymous is agitating against SOPA too – no surprise there. Have you ever watched one of their videos? I just did today, on YouTube. It's here. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He spends far too long reading blogs and news on the Web every day.

Currently rated 5.0 by 3 people

Share this link: http://www.sdtimes.com/blog/1942

Tags:

government | web | intellectual property

jhildebrand

As far as I am concerned, security concerns dominated the high-tech world in 2011. The past year has seen the first documented attacks on American utilities, a probable act of cyber-war against an Iranian nuclear-processing target, fearless (and effective) attacks by the hacker collective known as Anonymous, and the emergence of cellular phones as malware targets.

There is no reason to believe these concerns will be any less urgent in 2012.

As snow falls over much of the U.S. and partiers around the globe prepare to celebrate New Year's Eve, security stories continue to dominate the headlines.

  • Under the headline “A cyber-remedy for poison,” the Economist took a break from its in-depth coverage of political and economic policy to bring its stodgy readers up-to-speed on the vulnerability of DNS servers to “poison” redirection. The Economist's article is basically a sales pitch for OpenDNS and its DNSCrypt privacy tool.
  • Another general-interest news organization, the Huffington Post, has published a report about the vulnerability of train systems to DDoS attacks. “Hackers could shut down train lines with DDoS attack: expert” is an in-depth evaluation of the vulnerability of train control systems that are increasingly interconnected via the Internet. The report is a bit breathless, but it brings a serious vulnerability to the attention of HuffPo readers.
  • Reuters has published a summary of research to be published by Karsten Nohl, head of Germany's Security Research Labs. “GSM phones vulnerable to hijack scams: researcher” is a preview of findings that Nohl will present at an upcoming hacking convention in Berlin. Nohl says virtually any of the world's billions of GSM phones could be subverted by hackers and instructed to send text messages or make calls to expensive premium services.
  • Identity Finder LLC has released details of its analysis of the recent Anonymous attack on Strategic Forecasting Inc., commonly known as Stratfor. The summary shows that activist hackers raided Stratfor's servers and emerged with more than 50,000 unique credit-card numbers, 86,000 e-mail addresses, 27,000 phone numbers, 44,000 passwords, and more. Hackers behind the break-in claim to have downloaded 2.7 million e-mail messages. The hackers have already used stolen credit-card numbers to make donations to charity.

Best wishes for a happy – and secure – 2012.

Web recommendation: Hey, this is fun: Odd technology job interview questions revealed. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He thinks most cheesecake is too sweet – it ought to be creamy and rich, but not sweet. A thin layer of sour cream on top is a good sign.

Currently rated 1.8 by 31 people

Share this link: http://www.sdtimes.com/blog/1931

Tags:

security | malware | government | General

jhildebrand

In an earlier post, I suggested that the Stuxnet worm (some experts are pointedly calling it a trojan – I think both terms apply) could be considered the opening salvo in an as-yet undeclared cyber-war. Go ahead, accuse me of being melodramatic. Although no one is unambiguously taking credit for Stuxnet, the current consensus is that the malware was indeed an attack upon one nation by another.

In subsequent posts I have detailed the escalating vulnerability of civilian populations worldwide as intelligence and connectivity are added to elements of the critical infrastructure, including manufacturing, transportation, utilities, communications, and municipal services. The computerish components that automate services and coordinate communication are not well protected, to put it mildly. Many of the embedded systems used in industrial automation employ manufacturers' default passwords that are listed in documentation available for download over the Internet. Some default passwords are burned into ROM chips.

In the face of all this vulnerability, an unsettling idea has emerged. Since we probably can't make our intelligent networks invulnerable, maybe we should proactively launch the first attacks ourselves.

That, at least, is the suggestion of Herbert Lin, chief scientist at the Computer Science and Telecommunications Board at the U.S. National Research Council. In a presentation at a recent MIT/Harvard conference co-sponsored by the Council on Foreign Relations, Lin noted that experts are unable to build effective defenses against cyber-attack. The MIT Technology Review quotes Lin as saying, “Since you don't know how to do good defense, you can't prevent offensive dominance. And you can't do good deterrence because effective retaliation is hard. So if you want to take advantage of cyberspace, you will do offensive operations for nondefensive purposes.”

“We can't just defend,” agreed General Keith B. Alexander, head of the National Security Agency and the U.S. Cyber Command. Speaking at the U.S. Strategic Command's Cyber and Space Symposium last month, he said the U.S. must have the ability to attack other countries electronically. Such attacks might be launched in retaliation for state-sponsored cyber-espionage (it is widely believed that such spying has been conducted by Russia, China, and other governments) or for other reasons.

According to a November 2011 report to Congress, the Department of Defense “maintains, and is further developing, the ability to respond militarily in cyberspace.”

Earlier in 2011, Congress debated a bill that would give the President the power to shut off the Internet in the face of war and other national emergencies. The “kill switch” provision was removed from the bill after the Obama administration assured legislators that the War Powers Resolution already authorized such steps. Air Force General Robert Kehler, who heads the U.S. Strategic Command, told reporters, “I do not believe we need new explicit authorities to conduct offensive [cyber-war] operations of any kind.”

The authority to launch offensive cyber-war strikes is explicitly given to the President and the Pentagon in the fine print of the Defense Department's 2012 funding bill, which says, “Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace.” The bill continues, “[I]n certain instances, the most effective way to deal with threats and protect U.S. and coalition forces is to undertake offensive military cyber activities, including where the role of the United States Government is not apparent or to be acknowledged.”

Is it just me, or does all of this seem more than a little scary?

Web recommendation: I read a lot of government documents while preparing today's report, which was not much fun. The good parts are often buried deep in the fine print. That's the case with today's Web pick too. The page – it's here – is a National Transportation Safety Board analysis of a 2010 schoolbus crash in Gray Summit, Missouri. Investigators examined all the evidence and tried to identify the factors contributing to the crash. At the very end, the NTSB makes recommendations, including this one: “To the 50 states and the District of Columbia: (1) Ban the nonemergency use of portable electronic devices (other than those designed to support the driving task) for all drivers.” That's right, the NTSB is urging the states to outlaw the use of cell-phones, including hands-free devices, at all times. I actually think it's a pretty good suggestion, but I find it odd how the proposal is buried at the bottom of the page. It's a crazy world. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He thinks this is shaping up to be a pretty good weekend.


Share this link: http://www.sdtimes.com/blog/1922

Tags:

security | government

jhildebrand

Insecure

by J.D. Hildebrand 12/03/2011 03:40 PM EST

It's no longer enough to create working code. We must now put serious energy and deliberate thought into securing our code, the data it works on, and the users who rely on it. I'm convinced that we are headed toward a series of crises – in fact, the crises have already begun. And as near as I can tell, there's no solution in sight.

There's more malware out there than ever before. Viruses, worms, trojans, rootkits, back doors, intrusions, spyware, botnets, cross-site scripting, proxies, SMTP threats, SQL injection, header splitting, keystroke loggers, screen loggers, e-mail redirectors, IM redirectors, session hijackers, ransomware, transaction generators, dialers, denial-of-service attacks, DNS poisoning, SEO abuse, phishing, pharming, data-mining, man-in-the-middle attacks, pump-and-dump stock scams, social engineering exploits, riskware, pornware, identity theft, social-media character assassination...the list goes on and on. Most of this has been with us for years, of course, growing at a predictable (if alarming) rate. All indications are that the rate of infection has grown dramatically in recent months, and it is about to explode.

Part of the story is that hackers are becoming more sophisticated in their attack methods. There's real money to be made in hijacking user data, and the money has attracted a new breed of for-profit hackers. A quick search of the Internet will convince you that it's simple to download all the software components you need to breach most security systems. The software toolkits are powerful, effective, and widely shared. Globe-spanning hacker syndicates are at work 24 hours a day, devising and sharing techniques for breaking through defenses. It's big business.

At the same time, the number of vulnerable platforms with sufficient installation numbers to attract hackers has grown rapidly. Yes, most attacks are still targeted at Windows PCs and Web servers. But recent months have given us dramatic evidence that new platforms are vulnerable. Smart phones, SCADA installations, embedded systems, utility grids, and smart cities are all coming under attack. Portable systems fall into the wrong hands easily and frequently. Revisions to Windows, iOS, Linux, HTML, Java, Office, and Android promise to fall to new generations of malware. A recent report from Columbia University researchers demonstrates that Web-accessible laser printers can be instructed to make paper smoulder, and perhaps catch fire. Hackers can use your phone to track your location or take photographs under remote control. If your e-mail isn't being intercepted, read, and revised, it's because you haven't been targeted, not because hackers are incapable. If you've got the money, you can install a monitor to intercept data flowing through the fiber-optic cables that route Internet traffic across the ocean floor, SSL or no SSL.

Service providers are collecting terabytes of user data, often without disclosing the fact. Providers know what Web sites we visit, what we buy, where we take our mobile phones, when we read and answer e-mail, what we're reading on our tablets, which files we download to our e-readers, and all the details of our banking relationships. Even if they don't intend abuse, the data is now subject to external attack. It's not enough to secure the systems under our control – our service providers' systems must be secure too.

And it's not just hackers we have to worry about. Government and law-enforcement agencies are increasing their power to access data, shut down Web sites, shutter businesses, and track users without the benefit of trial – or even, in many cases, the minimal protection of a subpoena. Congress is debating legislation that would extend much of this power to corporations.

We haven't even talked about cloud computing. IT shops are increasingly called upon to secure data that isn't stored on-site. Data-transfer channels are vulnerable to eavesdropping. Cloud service providers are vulnerable to attack. Providers may store information on servers in a country whose laws are not strict enough to provide base-level protection. Authentication systems and backup programs may not be sufficient to keep data secure.

As if all of this weren't enough, it is clear that skirmishes have already begun in a new generation of international cyberwar. State-sponsored and state-developed malware has targeted users, corporations, industries, and utility grids across international borders. Nations, including the United States, have gathered tremendous resources to blow through conventional firewalls, encryption routines, and user authentication systems with ease. Except for the Stuxnet trojan that apparently set back Iran's nuclear program a few months or years, most of these attacks have been small-scale efforts so far – proof-of-concept demonstrations, little more. When the real cyber-shooting starts, we will all sit in the crossfire.

My research has convinced me that the security technology we are currently employing to protect ourselves is laughably impotent in the face of current threats – much less the new threats that will arrive over the next 12 to 18 months.

This year saw the death of Robert Morris, a cryptographer and computer scientist who contributed to Unix and did research at AT&T Bell Labs for 26 years before joining the National Security Agency's Computer Security Center as chief scientist – essentially, cryptographer-in-chief of the United States. Morris had three simple rules for computer security: “Do not own a computer; do not power it on; and do not use it.”

Morris's tongue-in-cheek advice seems grimly relevant today.

Web recommendation: Ah, the Internet. What did we ever do before we had such an accommodating home for rants and flame wars? I admit it: I can't resist reading the occasional over-the-top Web post and scrolling through the outraged comments that follow. My new favorite is “Why I’ve finally had it with my Linux server and I’m moving back to Windows” over at ZDNet (right around the corner from us, in Web terms). I don't want to start a flame war here, so I'll simply say that I can relate to what blogger David Gewirtz has to say. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He believes the system he used for writing this column is virus-free. But hey, what are the odds?


Share this link: http://www.sdtimes.com/blog/1910

Tags:

security | malware | government | cloud | cloud computing | embedded systems | email

jhildebrand

Last week I wrote about the risk of malware to industrial systems that control critical infrastructure such as gas and oil pipelines, chemical plants, and water and sewage treatment facilities. These sites are increasingly subject to computer control, and therefore potential targets for worms and trojans that could wreak major damage. The security technology that protects industrial computers is very primitive compared to the monitors and barriers that are available to users of home PCs. I shared my conviction that the risk is “imminent and dire.”

I've continued researching this issue, and uncovered a vulnerability that I hadn't previously considered. We are even more vulnerable than I initially thought.

It turns out that electrical utilities throughout the country – all over the world – are in a mad rush to replace the electromechanical meters that have recorded home and business electricity usage for decades with new “smart” meters.

Smart meters make a lot of sense. They allow utilities to read customers' usage figures without the need to send a technician door-to-door to read meters. They alert utilities to power outages and energy theft. Utilities see them as hubs that coordinate the activities of energy-consuming appliances, scheduling them to run at off-peak hours when electricity is plentiful and inexpensive. Smart meters allow utilities to cut off electrical power without an on-site visit. Innovative pricing plans could be set up, in which customers pay a low flat fee for baseline consumption plus a premium price for overages, for example. Overall electrical savings of up to 10 percent have been reported. Studies demonstrate that the cost of upgrading to smart meters is quickly recouped in increased efficiency.

The problem is that smart meters enable two-way communications between customers and utilities over pipelines that are at present minimally encrypted at best. In the U.S., most utilities are standardizing on wireless links based on the ZigBee spec. However, other sections of the wireless spectrum are also in use. In Maine, customers found that smart meters interfered with the use of wireless routers, cordless phones, electric garage doors, and answering machines.

Application code for smart meters is written as if it will be run in a secure sandbox. Monitor and control messages are relayed without authentication. Researchers have demonstrated that they can take over smart meters and inject malware that propagates from customer to customer. They can then turn power on or off, reveal power usage, or uncover sensitive system-configuration settings.
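To make the weakness concrete from the defender's side, here is an added example (not code from the column, and not any utility's or meter vendor's firmware) contrasting a meter that obeys any well-formed control frame with one that demands a per-meter HMAC tag and a strictly increasing sequence number. The frame layout, the command codes and the class names are assumptions made for the illustration; the point is that a tag check over the whole header stops forged and tampered frames, and the counter stops a captured frame from being replayed.

```python
"""Authenticated, replay-resistant control frames for a field device.

Added example, not code from the column or from any meter vendor. It assumes
a hypothetical frame layout:

    meter_id (8 bytes) | seq (4-byte big-endian) | cmd (1 byte) | tag (32 bytes)

where tag = HMAC-SHA256(shared_key, meter_id || seq || cmd).
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct(">8sIB")   # meter_id, sequence number, command byte
TAG_LEN = 32                      # HMAC-SHA256 digest length

# Hypothetical command codes for the example.
CMD_READ = 0x01
CMD_DISCONNECT = 0x02
CMD_RECONNECT = 0x03


def build_message(key: bytes, meter_id: bytes, seq: int, cmd: int) -> bytes:
    """Head-end side: serialise the header and append its authentication tag."""
    header = HEADER.pack(meter_id, seq, cmd)
    tag = hmac.new(key, header, hashlib.sha256).digest()
    return header + tag


class UnauthenticatedMeter:
    """The weak design the column describes: every well-formed frame is obeyed."""

    def accept(self, msg: bytes):
        _, _, cmd = HEADER.unpack(msg[:HEADER.size])
        return cmd


class AuthenticatedMeter:
    """Hardened design: per-meter key, constant-time tag check, monotonic counter."""

    def __init__(self, meter_id: bytes, key: bytes):
        self.meter_id = meter_id
        self.key = key
        self.last_seq = 0   # highest sequence number accepted so far

    def accept(self, msg: bytes):
        """Return the command if the frame is genuine and fresh, else None."""
        if len(msg) != HEADER.size + TAG_LEN:
            return None                       # malformed length
        header, tag = msg[:HEADER.size], msg[HEADER.size:]
        meter_id, seq, cmd = HEADER.unpack(header)
        if meter_id != self.meter_id:
            return None                       # addressed to another meter
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                       # forged or tampered frame
        if seq <= self.last_seq:
            return None                       # replayed or stale frame
        self.last_seq = seq
        return cmd


def demo() -> dict:
    """Run the contrast on constructed frames and report what each meter did."""
    key = b"\x11" * 32                        # constructed shared key
    meter = AuthenticatedMeter(b"METER001", key)
    genuine = build_message(key, b"METER001", 1, CMD_DISCONNECT)
    forged = build_message(b"\x22" * 32, b"METER001", 2, CMD_DISCONNECT)
    return {
        "weak_obeys_forged": UnauthenticatedMeter().accept(forged),
        "hardened_genuine": meter.accept(genuine),
        "hardened_replay": meter.accept(genuine),
        "hardened_forged": meter.accept(forged),
    }


if __name__ == "__main__":
    print(demo())
```

A real deployment would also need a per-meter key provisioned at manufacture or over a secured channel, and a way to resynchronise the counter after a reset; the example deliberately keeps only the two checks the paragraph is missing.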

It would be a simple matter for a determined but relatively unskilled hacker to exploit these vulnerabilities to turn off the power to hundreds of thousands of customers at once – perhaps during the coldest days of winter, when the need for electricity to control and fuel heating systems is vital. The stakes are much higher than a virus infection on a home PC.

Less dramatic but still troubling is the potential for privacy loss. Utilities will no longer take once-a-month snapshots of electrical usage. They'll be updated on a minute-by-minute basis. Researchers have demonstrated that different devices within the home generate recognizable signatures in detailed usage records. Electric companies, which have previously had minimal reason to maintain data-security policies, will be in possession of terabytes of potentially sensitive information. In an October 2010 report, the U.S. Department of Energy declared that smart meters “could significantly increase the amount of potentially available information about personal energy consumption…whether their (customers’) homes are equipped with alarm systems, whether they own expensive electronic equipment such as plasma TVs, and whether they use certain types of medical equipment.”

Smart meters are being installed by the millions, both in the U.S. and around the world. The U.S. has invested about $8 billion in the transition so far. Utilities are eager to install the meters, in part because peculiar aspects of their regulation agreements specify that the amount they charge customers is related to the amount they spend on infrastructure improvements. (Don't get me started.)

In August, California's Public Utilities Commission drafted regulations that required its three largest utilities to implement baseline security measures in smart meters. But this legislation is lacking elsewhere.

I would worry even if security guidelines were universally implemented. Electric meters may get periodic firmware updates, but the basic hardware is replaced only after 15 or 20 years of use. History teaches us that encryption methods and other security measures that seem sufficient according to today's standards will be laughably inadequate in years to come.

The good news, I suppose, is that all of this technology deployment means more employment for software developers. Including, I predict, those with a solid background in implementing data-security measures.

Web recommendation: Programming blogs are a dime a dozen. Most start strong with a couple of long-overdue, comprehensive rants, then subside into irregular griping. Jeff Atwood's Coding Horror is an exception. Jeff shares enough personal detail to surface as a real human being, and his technical articles are well-written and interesting. Very good stuff. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He is slowly warming (no pun intended) to the Serbian notion of heating with wood.


Share this link: http://www.sdtimes.com/blog/1903

Tags:

security | government | embedded systems

jhildebrand

The microprocessor has done much more than fuel IT installations, PCs and laptops, smartphones and tablets. It's also allowed designers to build intelligence into a wide range of brute-force hardware devices. Modern refrigerators, automobiles, and home thermostats routinely have more MIPS and RAM than my first PC. Microprocessors allow utilities, manufacturers, and municipalities to control networks of smart machines. Factories, power-generation stations, water infrastructures, streetlights, hospitals, airports, and urban-transit networks are all increasingly monitored and controlled by dedicated computer systems. And those systems rely on the Internet for the flow of information and control.

This is all part of a vision that is sometimes called “the Internet of things.” The idea is that we can embed and distribute a little bit of intelligence into each of the myriad objects that surround us. Intelligent systems will prevent supermarkets from running out of popular items, or from ordering too much fresh produce, resulting in spoilage.

The good news is that computers can make processes and networks run more efficiently. They can help us save materials and energy. And of course, where there are microprocessors, there are employment opportunities for programmers.

But there's a downside, too. This year has seen the first major outbreaks of malware against the Internet of things. For example, the Stuxnet trojan was apparently an attack against Iran's nuclear program. It infected the computers that controlled five uranium enrichment plants, damaging their centrifuges by causing them to spin out of control. Hackers have published security holes in widely used supervisory control and data acquisition (SCADA) systems from Siemens. The U.S. Department of Homeland Security reports that the hacker group Anonymous has shown interest in hacking industrial systems that control critical infrastructure such as gas and oil pipelines, chemical plants, and water and sewage treatment facilities.

Many things must change before we can address this vulnerability in essential infrastructure. Most importantly, those responsible for running industrial and government installations must acknowledge that the threat against them is real. Until now, they have believed themselves to be safe because they run custom hardware, their systems are not well-known to the general public, and they are not connected to the Internet in the same way offices, individuals, and IT departments are. But none of this constitutes real protection. Real progress toward securing these installations will not be made until we acknowledge our vulnerability.

The potential for hackers to disrupt essential services – and even cause loss of life – is imminent and dire.

Web recommendation: It's not just nuclear waste recycling stations that face the threat of malware. Research shows that smartphones are starting to show up on the radar screens of the hacker community – and not in a good way. The researchers at Juniper Networks have completed a report showing a 472 percent increase in malware infection on the Android platform since July 2011. The figures are a little misleading – the infection rate for phones is much lower than for Windows PCs, even after a half-year of explosive growth. But it's certain that smart phones in general – and Android devices in particular – are now subject to infectious malware. Juniper summarizes its report here. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He thinks marrying sauces to the right kind of pasta is a subtle and demanding artistic specialty.


Share this link: http://www.sdtimes.com/blog/1902

Tags:

malware | government | embedded systems
