STE WILLIAMS

Data Protection Directive revamp: UK looking sidelined?

Opinion The EU Justice Commissioner Viviane Reding, Vice-President of the European Commission, and the German Federal Minister for Consumer Protection, Ilse Aigner, have come forward with a joint statement claiming that proposals to reform the 1995 Data Protection Directive will be published by the end of January 2012.

It is clear that their promise “to achieve a robust data protection framework for Europe’s internal market that can successfully address the challenges of today’s digital world” is at odds with the UK view that there is little to change.

The joint statement says the following:

Data protection is highly relevant for consumers and businesses regardless of borders. It therefore needs to be addressed at the European level, through high, common European standards with global appeal. The Lisbon Treaty provides Europe with a unique opportunity to modernise and strengthen data protection rules now. We both believe that as a result of this reform process, consumers in Europe should see their data strongly protected, regardless of the EU country they live in and regardless of the country in which companies, which process their personal data, are established

If true, this promises much. The relatively weak data protection regime “enjoyed” by UK citizens following Durant appears to be coming to an end.

We both believe that companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise, they should not be able to do business on our internal market. This also applies to social networks with users in the EU. We have to make sure that they comply with EU law and that EU law is enforced, even if it is based in a third country and even if its data are stored in a ‘cloud’ [my emphasis].

This will not appeal to USA companies selling services into Europe. I expect the USA to argue that the European Union is practising economic protectionism justified in terms of a bogus privacy requirement. Facebook is also on notice to reform its privacy practices.

In modernising the EU’s data protection rules, we believe that consumers must be more empowered than they are today. Users should be in control of their data. This is why in our view, EU law should require that consumers give their explicit consent before their data are used. And consumers generally should have the right to delete their data at any time, especially the data they post on the internet themselves [my emphasis].

Quick memo to marketing department. Please note that “explicit consent” is not an “opt-out” – lots of love, data protection officer! Also the right to delete is almost as impracticable as a right to forget (see references); it is not the way to deal with this issue.

We will work closely together to make sure that the modernisation of the EU’s data protection rules addresses these issues and that the EU’s data privacy principles are turned into a reality for consumers and businesses everywhere in Europe.

Note that the above commentary is limited to business personal data and says nothing about extending a new data protection directive to law enforcement. Reading the runes, I think this means that the new data protection regime could well be split into two: one component upgrading Directive 95/46/EC without the law enforcement elements, and another dealing with just the law enforcement elements.

This in turn increases the prospect of a regulation just to upgrade Directive 95/46/EC, as the contentious law enforcement extension has been separated off for detailed discussion in a further initiative.

Also politically, I sense that the UK is in a weak position as euro-zone ministers are getting fed up with the barracking comments from UK finance ministers to “get your house in order”. I am beginning to wonder whether the Euro-sceptic tone from the UK means that any UK view on European data protection standards will be quietly sidelined.

Indeed, one way that Sarkozy, Merkel et al “can get pay-back” from the UK is to impose Euro-standards of data protection, by regulation, on the UK. After all, it won’t cost them a penny but they know it would sure upset the Brits.

References:

UK government’s position on data protection.

Commission’s view of what is wrong with the UK’s implementation of the Data Protection Act (PDF).

Reding and Aigner’s statement is here.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/16/data_protection_directive_implications/

Facebook filth flood – Fawkes Virus to blame?

The newsfeeds of numerous Facebook users have become flooded with filth – specifically violent and pornographic images – as the result of an attack against the social network over the last day or so.

Objectionable content such as photoshopped images of celebrities such as Justin Bieber in sexual situations, violent pictures and depictions of an abused dog have appeared on the social network. Victims confronted by these images have taken to Twitter to express their outrage, as is the local custom.

Net security firm Sophos was among the first to warn of the apparent outbreak, following first-hand reports of the outrage by readers of its Naked Security blog. The mechanism behind the spread of the offensive content remains unclear, although some form of clickjacking attack is one obvious contender.

The motives behind that attack – much less its perps – also remain anybody’s guess, though one obvious suspect has to be Anonymous. The shock content fits Anonymous’ style, or at least its 4chan roots, and supposed members of the group have been threatening Facebook of late.

A supposed 5 November campaign against Facebook, disavowed by prominent members of Anonymous months ago, came to nothing. We were inclined to write off another threat that surfaced on Friday as probably another hoax (or damp squib) but perhaps we spoke too soon.

A purported member of Anonymous announced its intention to release a “highly sophisticated” worm onto Facebook last week. The so-called Fawkes Virus consists of a “highly sophisticated worm, with advanced network self-replication and remote abilities,” according to the message. It “sends out malicious links and gains access to your account”, something that might fit with the outbreak of filth reported by Sophos.

“If it’s not a hoax, it appears to have the characteristics of 2008’s KoobFace, but unlike its predecessor it should also receive commands from a remote attacker and simulate ‘basic actions on Facebook accounts, such as sending a friend request or a message’,” Razvan Livintz, an analyst at Romanian anti-malware firm BitDefender wrote last Friday.

The supposed activist released a video discussing the malware, whose original creation date matched that of a Trojan, called Bifrose-AAJX, detected by Romanian anti-malware firm BitDefender since 8 July.

Last Friday (11 November), links to download Bifrose-AAJX appeared on Facebook under the guise of a scam purporting to offer a “New Facebook Video Chat with Voice Features”. Users were encouraged to follow a link to download the software, actually a backdoor that logs keystrokes and gets up to all manner of other mischief.

Aside from the timing there’s nothing much to link the Bifrose-AAJX scam with the Fawkes virus, as BitDefender acknowledges. “It doesn’t have the self-replication component Anonymous said it should have. It does connect to a remote server in Egypt instead, which is something the video ‘forgot’ to mention,” Bitdefender staffer George Lucian Petre wrote on Saturday.

So to summarise a somewhat confusing situation: objectionable content is appearing in users’ news feeds on Facebook for reasons unknown. This may or may not be linked to a threatened malware-powered attack against the social network by someone purporting to represent Anonymous.

We’re asking Facebook to comment on the situation and will update this story as and when we hear more. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/15/facebook_filth_outbreak/

‘Devastating’ protocol flaw could paralyze Bitcoin system

Computer scientists say they’ve identified a fundamental flaw in the Bitcoin electronic currency system that could eventually stunt its development unless developers change the way users are rewarded for their participation.

With about 7.5 million Bitcoins in circulation, the highly decentralized system relies on public-key cryptography and a peer-to-peer network to record who is the rightful owner of each individual piece of currency. When Alice wants to pay Bob 50 coins, she signs the transaction with her private key and broadcasts the details to other nodes. Other participants then receive a small fee in return for confirming the payment, which they do by gathering transactions into a block and performing a proof-of-work computation on it: searching for a value that makes the block’s hash fall below a target. The hashes are brute-forced, not inverted.

As the currency matures and the block subsidy that currently mints new Bitcoins for whoever solves a block is phased out, the fees paid for confirming other people’s transactions will be Bitcoin’s sole reward scheme. And therein lies the flaw that could represent a chief stumbling block.

With each participant rewarded only for verifying a proposed transaction, there will be little incentive for participants to broadcast transactions to others. Instead, they will want to keep the deals secret so they don’t have to share the rewards with others.

“The consequences of such behavior may be devastating,” the researchers wrote in a paper (PDF) that they recently submitted to a peer-reviewed conference. “As only a single node in the network works to authorize each transaction, authorization is expected to take a very long time.”

Shahar Dobzinski, one of the paper’s authors, told The Register the security of Bitcoin isn’t likely to suffer as a result of the flaw. The use of private signing keys ensures that each transaction is authorized only by the entity everyone else already agrees is the rightful owner of a given Bitcoin. That helps prevent theft; the shared block chain, in turn, keeps a user from spending a unique coin more than once.

The system also doesn’t consider a transaction to be fully approved until nodes controlling the majority of the network’s CPU power have accepted it, rather than a majority of the nodes themselves. This largely forecloses the likelihood of “Sybil” attacks, in which large numbers of fraudulent identities are used to subvert reputation-based systems.

“This is a different problem,” Dobzinski, who is a computer scientist at Cornell University, said of the flaw his paper identifies. “We’re afraid the majority of the CPUs might not be able to know about the transaction.”

The paper goes on to propose a modified reward scheme that shares a small portion of the verification fee with the participants who forwarded the transaction to other nodes in the network. Attached to each transaction would be a chain of its forwarding nodes. When a participant solves the block containing the transaction, every node in that chain receives a cut. To prevent a further Sybil attack, in which a single participant pads the chain by forwarding the same transaction to himself several times, the paper proposes cancelling the rewards when the number of links in the chain exceeds a certain threshold.

Besides Dobzinski, the researchers included fellow Cornell University computer scientist Sigal Oren and Microsoft researchers Moshe Babaioff and Aviv Zohar. They compared their solution to the winning entry in the 2009 DARPA Network Challenge, in which participants competed to locate 10 red weather balloons that were dispersed across the United States. A team from the Massachusetts Institute of Technology collected the $40,000 prize using a rewards system that created incentives for individuals not involved in the competition to help.

Hunters who found a balloon received $2,000 per discovery, while those who directly recruited a successful hunter received $1,000. A recruiter of a direct recruiter received $500, and so on. The Register‘s coverage of the competition is here.
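The forwarding-chain reward split described above, modelled on the balloon-challenge payout, as an added example (toy code written for this page, not the paper’s or the Bitcoin project’s). Fees are whole units, the authorizer takes half and each forwarder half of the previous recipient’s share, any remainder stays unpaid, and a chain longer than `max_hops` cancels every reward; all of those specifics are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    txid: str
    fee: int                      # verification fee in whole units (assumed)
    chain: Tuple[str, ...] = ()   # ids of the nodes that forwarded it, oldest first


def forward(tx: Transaction, node: str) -> Transaction:
    """A node relays tx to a peer and appends its own id to the forwarding chain."""
    return Transaction(tx.txid, tx.fee, tx.chain + (node,))


def split_fee(tx: Transaction, authorizer: str,
              max_hops: Optional[int] = 4) -> Dict[str, int]:
    """Pay out tx.fee once `authorizer` solves the block containing tx.

    The authorizer takes half the fee; each forwarder, walking back from the
    authorizer, takes half of what the previous recipient took (the 2000 /
    1000 / 500 balloon split).  Integer division leaves a remainder unpaid
    (assumption: it stays with the payer).  A chain longer than max_hops
    cancels every reward, which is the defence the article describes against
    a node that pads the chain by forwarding the transaction to itself.
    """
    payouts: Dict[str, int] = {}
    if max_hops is not None and len(tx.chain) > max_hops:
        return payouts                        # cancelled: nobody is paid
    share = tx.fee // 2
    payouts[authorizer] = share
    for node in reversed(tx.chain):           # nearest forwarder is paid first
        share //= 2
        if share == 0:
            break
        payouts[node] = payouts.get(node, 0) + share
    return payouts


if __name__ == "__main__":
    honest = forward(forward(Transaction("t1", 1000), "A"), "B")
    print("honest chain:", split_fee(honest, "C"))
    # A forwards t2 to itself five times hoping to collect five shares.
    padded = Transaction("t2", 1000, ("A",) * 5)
    print("padded, no limit:", split_fee(padded, "C", max_hops=None))
    print("padded, limit 4: ", split_fee(padded, "C"))
```

With no hop limit the self-forwarding node collects 483 units instead of the 250 a single honest forward would earn; with the limit the padded chain earns nothing. The model only illustrates the cancellation rule the article mentions (a chain padded to exactly the limit is still paid); it is not the paper’s full incentive analysis.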

Nils Schneider, a developer who works on the Bitcoin project, said the transaction propagation problem described in the paper isn’t considered a problem now. In an email to The Register he wrote:

“The paper describes a very interesting theoretical problem but I doubt there will be any need to implement their solutions anytime soon.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/15/bitcoin_flaw/

Windows 8 aims to make security updates less painful

The next version of Microsoft’s Windows operating system will introduce changes that are designed to make automatic updates less disruptive by eliminating popup notifications and reducing the number of times machines must be restarted.

In a blog post published on Monday, Farzana Rahman, a program manager in Microsoft’s Windows Update group, said the forthcoming Windows 8 will consolidate all restarts required in a single month and synchronize them with the regularly scheduled security release on the second Tuesday of each month.

“This means that your PC will only restart when security updates are installed and require a restart,” she wrote. “With this improvement, it does not matter when updates that require restarts are released in a month, since these restarts will wait till the security release.”

Windows 8 will also eliminate popup windows and dialog boxes concerning pending restarts and instead display the notifications on the login screen. The notifications will give users three days to reboot the machine after an update is installed. If the machine hasn’t been shut down or restarted by then and Windows Update doesn’t detect any critical applications running, it will automatically restart the machine.

In the event applications are running in the background or there is potentially unsaved work, users will see a message at login asking them to save their work, along with a warning that the machine will be restarted within 15 minutes.

The Power options on the Windows lock screen will also change to offer the choices “Update and restart” and “Update and shutdown” once an update has been installed.

Rahman said engineers arrived at the changes after analyzing the updating habits of millions of users. In one week, 90 percent of users who need an update have successfully completed the installation, including any restart. About 39 percent of Windows 7 users elect to have updates installed just prior to shutting down their systems, while another 30 percent allow the operating system to restart PCs as needed.

“Allowing restarts to occur without user interaction has helped us to rapidly update a major portion of the Windows ecosystem with critical updates,” she wrote. “On average, within a week of releasing a critical update, 90% of PCs have installed the update.”

The changes are likely to come as good news for users who want fewer interruptions as they use their PCs to watch movies, play games or work. The bad news is that there are no plans for Windows Update to install security patches required by third-party applications.

“The wide variety of delivery mechanisms, installation tools, and overall approaches to updates across the full breadth of applications makes it impossible to push all updates through this mechanism,” Rahman wrote. “As frustrating as this might be, it is also an important part of the ecosystem that we cannot just revisit for the installed base of software.” ®

Follow @dangoodin001 on Twitter.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/16/windows_8_auto_updates/

New anonymity rule on Euro airport body scanners

The European Commission has adopted new rules for the use of body scanners at airports.

From now on, any European Union country that wants to use the controversial technology will have to do so “under strict operational and technical conditions”, the EC said in a statement.

“Security scanners are not a panacea but they do offer a real possibility to reinforce passenger security,” Transport Commissioner Siim Kallas said in the statement.

“It is still for each Member State or airport to decide whether or not to deploy security scanners, but these new rules ensure that where this new technology is used it will be covered by EU-wide standards on detection capability as well as strict safeguards to protect health and fundamental rights.”

Under the new legislation, security scanners can’t store, copy, print or retrieve images and any unauthorised access and use of the image is prohibited: fairly rudimentary stuff. But interestingly, the regulations also stipulate that the person looking at the image should be in a separate location and the image and the person should not be linked in any way (presumably unless they do turn out to be a terrorist).

Passengers must be informed about the conditions under which the body scan is taking place, and they have the right to refuse to do it as long as they accept an alternative method of screening.

“By laying down specific operational conditions and by providing passengers with the possibility of opting out, the legislation safeguards fundamental rights and the principles recognised in particular by the Charter of Fundamental Rights of the European Union,” the EC said.

X-ray doesn’t mark the spot

On the technology side, the main concern for the EU is health and safety. The Commission’s rules state that only security scanners that don’t use X-ray tech are authorised for passenger screening.

“All other technologies, such as that used for mobile phones and others, can be used provided that they comply with EU security standards,” the Commission added.

EU countries including the UK, Finland, Germany and France have already been trialling body scanners, despite the ongoing controversy surrounding the technology. The main concerns are the health and safety ones about being bombarded by X-rays or other radiation and the human rights ones about a camera that essentially takes a nude picture of passengers.

In July, America’s Transportation Security Administration made some concessions to those who objected to being photographed in the nip by rolling out new software that presents a generic human form with any discovered objects superimposed, rather than the person’s actual naked outline. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/15/eu_airport_body_scanner_rules/

Step forward the chief information security officer

What does the modern chief information security officer (Ciso) look like? The role used to be little more than acting as a glorified sysadmin but things have changed.

These days, Cisos must be all-rounders, concentrating not just on technology but on business too.

“In recent years, the role of the Ciso has become more business and risk focused,” says Adrian Davis, principal analyst at the Information Security Forum (ISF).

Cisos have to contend not only with tasks such as project management, but also cost-benefit analysis and stakeholder engagement.

It is difficult to find technology experts who are also astute in these areas, which is why single, well-rounded Cisos are so valuable. The alternative is to team up a business-focused Ciso with technical experts who can fill in the gaps, in the same way that chief executives often need chief operating officers to help bolster their capabilities.

Davis argues that the low cost and easy availability of cloud computing has made the modern Ciso’s job harder. Any employee with a company credit card can now sign up for a cloud-based resource, often without management even knowing about it.

Call a plumber

Signing up for your own online customer relationship management service and uploading a spreadsheet of customer data to an insecure web application is one way that data can leak out from the edges of an organisation, under the Ciso’s nose.

As these risks proliferate, mapping business risk to information technology risk becomes increasingly important and should be considered a foundational skill on the Ciso’s part.

That involves talking to people in different roles. The risks faced by the head of human resources are different to those faced by the accounting department or the chief marketing officer. The Ciso must represent everyone and be able to appreciate all perspectives.

This role also involves understanding and absorbing the needs of the broader employee base.

John Colley, managing director of (ISC)² EMEA, calls for counter-intelligence to avert these unwitting security risks. Not, as he puts it, to slap wrists but rather to break down barriers.

Knowing me, knowing you

In many organisations, one critical security risk occurs when users start circumventing the IT framework to get the job done. Colley suggests focusing on what users need and finding the technology that would help them to achieve their goals.

“The ISF believes there is a need for top management to be more embedded in the business, and trying new things such as simply walking the floor and talking to people,” he says.

Good governance is not always present in information security

Davis says governance is also an important aspect. “When the security function adopts governance, it leads to better engagement with senior executives, helping to foster better understanding, minimise risk and limit reputation damage,” he says.

However, he adds that good governance is not always present in information security.

“Cisos can help their cause by taking a governance approach, allowing them to demonstrate to stakeholders – customers, partners, shareholders and regulators – that corporate data is being protected according to industry best practice,” he says.

Increasingly, Cisos have to exhibit leadership qualities. They must listen and gather intelligence from a broad base of individuals. They must set the direction for a broad security effort and get others aligned behind their vision.

But there is one subtler challenge for the modern Ciso.

Parting of the ways

Inevitably, the business will find itself heading in a different direction. It may wish to roll out a service or product, or expand a particular operation, without being sure of the risks or security consequences. It may want to play down negative results from an internal security audit in case they adversely affect negotiations with a client.

The true challenge for Cisos is fulfilling their mandate in the face of resistance. They must ask the difficult questions and make the unpopular suggestions that will keep the company on the right track.

Do you have the cojones to speak up in the boardroom when the chief executive wants you to say something different? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/15/data_security/

Mystery malware poisons NZ ambulance system

A computer virus infection affecting the New Zealand Ambulance service last week forced dispatchers to resort to manual backup systems, according to local media reports.

Unnamed malware left the communications network supporting the St John Ambulance service hobbled. Mobile data and paging services were worst affected by the problem, suggesting that some sort of bandwidth-hogging worm overloaded the system. Dispatch staff normally send job details to ambulance crews via on-board mobile data terminals. Because of the malware, they had to call ambulance stations or the mobile phones of crews instead.

“Anti-virus software protected the systems but as a result of the virus it impacted on some of the systems services, mainly those related to paging and radio,” Alan Goudge, communications operations manager for the St John Ambulance service, told The Waikato Times. “Back-up systems immediately took over when it was detected and the workload was managed manually.”

The St John Ambulance network handles 90 per cent of the ambulance cover across New Zealand. It is unclear whether any emergency call-outs were affected by the problem or what effect this might have had on response times.

The attack, which hit last Wednesday and was contained within hours, was probably not targeted at the service.

The incident is the latest example of a computer virus affecting the smooth running of a medical service. The Mytob virus affected a string of London hospitals back in 2008. Two years prior to this, a malware infection at the Northwest Hospital and Medical Centre in north Seattle stopped doctors’ pagers from working properly. Computers in the hospital’s intensive care unit were also rendered unavailable as a result of the attack, the most serious of its kind.

Christopher Maxwell, 21, from Vacaville, California, was sentenced to three years’ imprisonment after he was arrested and convicted for releasing the malware that crippled the Seattle hospital’s systems.

Additional commentary on the problem of malware and medical networks can be found in a blog post by Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/15/nz_ambulance_malware_outbreak/

‘Do Not Track’ standard edges towards daylight

An internet standard on online privacy is expected to be published by the middle of next year. In the meantime, the World Wide Web Consortium (W3C) has released a first draft of the so-called “Do Not Track” (DNT) mechanism, with input from the major browser makers.

Google, Mozilla, Apple and Microsoft have been debating with privacy groups and government regulators over what standard should be adopted.

But getting companies to find a consensus on what mechanism should be introduced that allows browser makers, social networks and other online outfits to profit from advertising while satisfying privacy watchdogs has proved, to say the least, problematic.

Add to that the fact that the three biggest browser players on the market today – Mozilla, Microsoft and Google – have all offered their own take on Do Not Track.

As The Register has reported previously, Mozilla added a DNT HTTP header to Firefox, thereby giving surfers a way to signal whether or not they want to be tracked by advertisers online; honouring the signal is left to the receiving site.

Google, meanwhile, released a Chrome extension that lets a user opt-out of tracking cookies from multiple ad networks, including the web’s top 15.

Then there’s Microsoft’s approach. It brought out a method dubbed Tracking Protection Lists, that relies on predefined lists of domains known to track a web surfer’s behavior via advertising technologies.

Such lists are maintained by various third-party companies, and the user is free to choose from among them.
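The two client-side mechanisms above are simple enough to show in code. What follows is an added example written for this page, not Microsoft’s, Mozilla’s or any list publisher’s code: a matcher for a small, constructed tracking-protection list, plus a one-line check of the DNT request header. The list syntax is my simplified reading of the IE9 TPL format (an assumption): `-d host` blocks a third-party host and its subdomains, `+d host` always allows it, `- text` blocks any third-party URL containing `text`, and `#`/`:` lines are comments and metadata. The first-party test uses the last two host labels, which is a stand-in for a proper public-suffix check.

```python
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed sample list, not a published TPL.
SAMPLE_TPL = """\
msFilterList
: Expires=7
# constructed sample for illustration
-d tracker.example.net
-d ads.example.org
+d cdn.example.org
- /beacon.gif
"""

Rule = Tuple[str, str, str]   # (action '+'/'-', kind 'domain'/'substring', pattern)


def parse_tpl(text: str) -> List[Rule]:
    """Parse the simplified TPL syntax described above into rule tuples."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "msFilterList":
            continue
        action, rest = line[0], line[1:].strip()
        if action not in "+-":
            continue                                  # unknown line: ignore
        if rest.startswith("d "):
            rules.append((action, "domain", rest[2:].strip().lower()))
        else:
            rules.append((action, "substring", rest))
    return rules


def registrable_domain(host: str) -> str:
    """Crude first-party test: last two labels (assumption; real code
    would consult the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def host_matches(host: str, pattern: str) -> bool:
    """A domain rule covers the host itself and every subdomain of it."""
    return host == pattern or host.endswith("." + pattern)


def decide(url: str, page_url: str, rules: List[Rule]) -> str:
    """Return 'allow' or 'block' for a sub-resource request made by a page."""
    req_host = (urlsplit(url).hostname or "").lower()
    page_host = (urlsplit(page_url).hostname or "").lower()
    if registrable_domain(req_host) == registrable_domain(page_host):
        return "allow"                 # lists only filter third-party content
    blocked = False
    for action, kind, pattern in rules:
        hit = host_matches(req_host, pattern) if kind == "domain" else pattern in url
        if not hit:
            continue
        if action == "+":
            return "allow"             # an allow rule overrides any block rule
        blocked = True
    return "block" if blocked else "allow"


def dnt_requested(headers: dict) -> bool:
    """Server side of the Mozilla approach: did the request carry 'DNT: 1'?"""
    return any(k.lower() == "dnt" and v.strip() == "1" for k, v in headers.items())


if __name__ == "__main__":
    rules = parse_tpl(SAMPLE_TPL)
    page = "http://news.example.com/story"
    for u in ("http://tracker.example.net/p.js",
              "http://static.cdn.example.org/lib.js",
              "http://img.example.net/beacon.gif"):
        print(decide(u, page, rules), u)
    print("DNT honoured:", dnt_requested({"DNT": "1"}))
```

The contrast the article draws is visible in the two halves: the list decides in the browser, before a request leaves the machine, whereas the DNT header leaves the request intact and relies on the server to check it.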

That method was already submitted to the W3C by Redmond in late 2010, following the release of its browser Internet Explorer 9. In February, the software vendor then rather sneakily added a submission of Mozilla’s Do Not Track browser header to its Tracking Protection proposal to the W3C.

In September, the standards-setting group confirmed that Microsoft and Mozilla’s proposals would provide the basis for the group’s work.

Now, a first draft compliance specification has been published, edited by Google policy wonk Heather West, fellow Googler Sean Harvey and two members of the Center for Democracy and Technology.

Clearly, at this stage all the obvious parties are mucking in. But it’s early days, and ultimately the browser industry is moving towards self-regulation that appeases privacy watchdogs and keeps ad revenues ticking over. The likely outcome, therefore, is that netizens will need to pro-actively switch the Do Not Track button on. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/15/do_not_track_standard_draft_1_w3c/

Hackers port iPhone 4S’ Siri to rival devices

Hackers say they’ve reverse engineered the Siri personal assistant that debuted in last month’s release of the iPhone 4S, a feat that allows them to make it work from virtually any device.

To back up their claim, the hackers – from the mobile-application developer Applidium – released a collection of tools on Monday that they say can be used to build Siri-enabled applications on devices that were never authorized to offer the proprietary Apple feature. The tools, written in the Ruby, C, and Objective-C languages, are the result of painstaking sleuthing into the way Siri communicates with a remote server Apple dedicates to the service.

“Today, we managed to crack open Siri’s protocol,” the Applidium developers wrote in a blog post. “As a result, we are able to use Siri’s recognition engine from any device. Yes, that means anyone could now write an Android app that uses the real Siri! Or use Siri on an iPad!”

The chances of someone using the findings to mass-produce a Siri app for unauthorized devices are slim, since the hack requires a valid iPhone 4S unique identifier to be sent to the server. That means Apple could easily revoke identifiers that are used an abnormally high number of times, or from an abnormally high number of different locations.

But there doesn’t appear to be anything stopping individual iPhone 4S owners from using the hack to expand the number of devices that work with Apple’s proprietary natural-language app.

The Applidium developers reverse engineered Siri by setting up their own HTTPS servers with an SSL, or secure sockets layer, certificate they signed themselves. That allowed them to observe the commands Siri sent to Apple’s server, which is located at guzzoni.apple.com. They eventually found that the body of such requests is little more than a binary plist whose contents can be deciphered using the Mac OS X plutil tool.

Interestingly, Siri sends a huge amount of data to the Apple server, and it uses the Speex audio codec to compress raw audio data before it is transmitted. When Siri operates in speech-to-text mode, Apple’s server attaches a confidence score and time stamp to each recognised word.
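The decoding step described above, once a request body has been captured through a self-signed HTTPS intercept, as an added example written for this page (not Applidium’s tools and not Apple’s format). Python’s `plistlib` reads the same binary plist layout that `plutil` does. The request body here is constructed: its field names are invented stand-ins and the 4000-byte blob merely imitates a compressed audio payload.

```python
import plistlib
from typing import Any, Tuple


def is_binary_plist(data: bytes) -> bool:
    """Binary property lists start with the 8-byte magic 'bplist00'."""
    return data[:8] == b"bplist00"


def decode_body(data: bytes) -> Any:
    """Rough equivalent of `plutil -p` for an intercepted request body."""
    if not is_binary_plist(data):
        raise ValueError("body is not a binary plist (no 'bplist00' magic)")
    return plistlib.loads(data, fmt=plistlib.FMT_BINARY)


def largest_blob(obj: Any, path: str = "") -> Tuple[str, int]:
    """Walk nested dicts/lists and return (path, size) of the largest bytes
    value; in a voice request that is the first place to look for audio."""
    if isinstance(obj, (bytes, bytearray)):
        return (path, len(obj))
    best = ("", -1)
    if isinstance(obj, dict):
        items = obj.items()
    elif isinstance(obj, list):
        items = enumerate(obj)
    else:
        items = []
    for key, value in items:
        found = largest_blob(value, f"{path}/{key}")
        if found[1] > best[1]:
            best = found
    return best


# Constructed stand-in for a captured body.  Field names are invented;
# the zero-filled blob stands in for Speex frames.
CONSTRUCTED_BODY = plistlib.dumps({
    "protocolVersion": "1",
    "deviceId": "00000000-0000-0000-0000-000000000000",
    "packets": [{"kind": "audio", "data": b"\x00" * 4000},
                {"kind": "meta", "data": b"\x01" * 16}],
}, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    body = decode_body(CONSTRUCTED_BODY)
    print("top-level keys:", sorted(body))
    print("largest blob:", largest_blob(body))
```

A capture that fails the magic check is usually XML plist text or a compressed body and needs a different decoder; checking the first eight bytes before calling the parser avoids guessing.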

iPhone fans who are excited by the possibility of this hack are advised to move quickly. Apple has long killed iOS bugs that make jailbreaks possible shortly after they’re discovered, so it wouldn’t be surprising to see the closing of this hole that allows Siri to be ported to rival devices. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/15/siri_hack/