chain

The leaking of Facebook continues. Following our stories yesterday about their new Photos mobile app and "Project Spartan" (a new mobile app platform), Nick Bilton of The New York Times reports that Facebook will soon release an iPad app. Yes, finally. We had also heard in recent weeks that despite Facebook's seemingly anti-iPad stance, such an app does exist internally, and has for some time. But we hadn't been able to find anyone who had actually seen it. Well, until right now. We can now confirm the app's existence with someone who has actually seen it. "It looks pretty slick. Photos are fullscreen & really nice UI," says a person who has played with the app. I've long complained about Facebook's lack of an iPad app. While their regular site works pretty well on the iPad, even Facebook CTO Bret Taylor recognized the need for a UI more custom-tailored for big touch screens. More importantly, third-party Facebook apps have been flying off the virtual shelves since day one of the iPad (including a few that have tricked people into thinking they were official apps). Facebook needed to get on top of this situation, to ensure that they own their own brand on the device, not some third party. And now they are. We have not heard a specific date the app will be released, but NYT says that it will hit the App Store in the "coming weeks". One interesting tidbit we did hear was that the app has been done for some time, but that Facebook may have been holding it back as a bit of leverage over Apple. Those two companies have been in the news a bunch recently following Apple's inclusion of Twitter in iOS 5, despite talking about a similar deal with Facebook previously. And then there was our story yesterday about Project Spartan. We heard (and have seen) indications that Facebook was targeting mobile Safari with the mobile platform. HTML5-based apps as well as Facebook Credits are the key parts of the plan. Since our story, Facebook PR has gone on the offensive, trying to spin this to other journalists as not being a move against Apple, but rather a way to "complement" their devices (while at the same time declining to admit the project even exists — heh). That's a bunch of horseshit, and they know it. But honestly, does anyone expect them to say anything else? It's not like they're going to declare war on Apple (or anyone else) publicly. You don't announce to someone that you're going to punch them in the face before you punch them in the face. That would be madness. (Madness?! This. Is. Sparta[n]!) Again, developers actually working on this new platform say it's very clear that Project Spartan is step one in an attempt to gain control over the mobile space. That means getting on the devices currently controlled by Apple and Google, and doing so without fear of restrictions (hence, HTML5). And it means disrupting the current mobile distribution channels (App Store, Android Market, etc) which are controlled by the gatekeepers. Facebook has to do this because they do not have their own devices. At least not yet. Source: thecrunch

Notorious hackivist group Lulzsec has brought down Australian domain registrar and web hosts Distribute.IT and publicly published a list of 62,000 international email addresses and passwords. The data files appear to be cobbled together from a variety of sources, but the Australian email details include a number from Australian universities and government departments including AusAID, the Victorian Department of Childhood and Early Education and several local councils in NSW and Victoria. The Australian policy authority and industry self-regulatory body for the .au domain space, auDA, would not comment on the matter. The latest hack attack from LulzSec follows on from its CIA security violation yesterday. Distribute.IT remains offline (at press time) after being initially attacked on Saturday. The immobilised company described the attack as "despicable" and is working with authorities providing usable information to locate the source. "The extent of the attack is quite broad and recovery efforts have been underway since the Network was locked down Saturday evening (11/6/11). This attack was a deliberate aim at the Company and our clients," the company said in a blog post. The company is still attempting to restore services and has ceased providing any customer phone support due to the volume of service queries. It remains unclear how many customer details were compromised but initial estimates run into the thousands. The latest update from DistributeIT stated that "engineers have confirmed that routing issues affecting some VDS clients have now been resolved and normal services returned to affected customers. Work is continuing on the recovery of the remaining shared servers, but we are still unable to provide any accurate indication of time for resolution on these." Meanwhile Lulzsec claims it hit 2000 downloads of their latest data heist before it was taken down Source: theregister

Google has downplayed concerns that refinements to its search technology could leave surfers more exposed to search engine manipulation attacks. Google Inside Search aims to speed up web searches by pre-loading content from remote sites. The so-called Instant Pages technology only works with Google Chrome. Miscreants often manipulate search engine results so that links to scareware portals and the like appear prominently in search results for newsworthy terms. These search engine poisoning tactics rely on establishing link farms after hacking into portions of popular websites, using search engines' "sponsored" links to reference malicious sites and injecting HTML code, among other tricks. Scareware affiliates normally rely on potential victims to click on links to malicious sites among search results before they are whisked away towards dangerous domains. However, the Instant Pages technology might remove this requirement, pre-fetching content from malicious websites and "creating a possibility that a user can be exploited by simply searching, without even clicking on a link," warns Dan Hubbard of Websense Security Labs. Google maintains that is being careful to minimise the possibility of harmful content getting pre-fetched. "We've thought hard about this issue, and we don't believe there is any additional risk to users," a Google spokesman explained. "Sites marked as potentially harmful by our Safe Browsing technology will not be pre-rendered, nor will sites that Chrome detects as suspicious. We also exclude sites with SSL certificate issues and those that try to download files or display popup alerts." Google added that search engine poisoning to promote scareware sites and the like is an industry-wide problem. Source: theregister

An industry standard graphics engine recently added to Mozilla's Firefox browser allows attackers to surreptitiously steal any image displayed on a Windows or Mac computer just by visiting a booby-trapped website, security researchers have warned. The vulnerability, reported Thursday by UK-based Context Information Security, is unique to Mozilla's implementation of the 3D-accelleration API known as WebGL, but researchers with the firm said it's related to serious design flaws in the cross-platform technology. The report comes five weeks after Context first warned of data-theft and denial-of-service threats in WebGL, which is also built into Google Chrome and developer versions of Opera and Apple's Safari. Apple on Thursday announced that iPhones and iPads will offer limited support for the technology when iOS 5 is released later this year. The report, coincidentally or otherwise, came the same day researchers from Microsoft's Security Research Center published a brief analysis titled "WebGL Considered Harmful" that concurred that it suffers from a variety of weaknesses that will be hard to fix. "The security of WebGL as a whole depends on lower levels of the system, including OEM drivers, upholding security guarantees they never really need[ed] to worry about before," the Microsoft critique stated. "Attacks that may have previously resulted only in local elevation of privilege may now result in remote compromise. While it may be possible to mitigate these risks to some extent, the large attack surface exposed by WebGL remains a concern." Microsoft products that implemented WebGL would have a tough time passing the company's rigorous Security Development Lifecycle, the analysis added. Microsoft has instead relied on a home-grown technology known as Direct3D to make graphics faster in its applications. A Context representative said Microsoft didn't commission the Context report. A Microsoft spokeswoman declined to say if Microsoft provided any support. Exposing GPU memory to world+dog The Context researchers have developed a proof-of-concept exploit that allows an attacker to steal images displayed on computers that do nothing more than use a current version of Firefox on a WebGL-enabled machine to browse a site with a malicious payload. The attack works by "spraying" memory in the computer's graphics card to collect data that's already been processed. "The vulnerability we discovered enables any graphics image that has been displayed on the system to be stolen by an attacker by reading unitialised data from graphics memory," the Context report stated. "This is not limited to WebGL content but includes other web pages, a user's desktop and other applications." A video included with the report shows images from an encrypted session on LinkedIn.com being stolen from a computer running Apple's OS X. The exploit also works against PCs running Microsoft Windows. A spokeswoman for Mozilla said the vulnerability will be fixed with the introduction of Firefox 5, due next week. A statement issued by representatives of Khronos, the firm that acts as the gatekeeper for the WebGL standard, said that the threat "is due to a bug in Firefox's WebGL implementation, and cannot be generalized across other browsers' WebGL implementations." The Context report raised other concerns about the security and stability of WebGL, including the failure of both Firefox and Chrome to pass a suite of conformance tests that prove their implementations adhere to official specifications. "Between disparate platforms the browser must be exposing some aspect of the underlying graphics implementation to the web page for problems to arise, even if it is something trivial such as incorrect return values," the report concluded. The Context researchers also found problems in a previously-released extension designed to mitigate the effects of vulnerabilities that make it easy for websites to completely crash machines that have WebGL enabled. So far, only graphics cards made by NVidia support the GL_ARB_robustness extension, and even then it doesn't work on machines running Windows XP, the Context researchers claimed. Mozilla has responded with a forthcoming GL_ARB_robustness_2 extension, further calling into question the effectiveness of the current extension, they added. The Khronos spokesman's statement said: "All browser vendors are still working toward passing the WebGL conformance suite. Only once they have successfully done so can they claim support of Canvas.getContext("webgl") instead of Canvas.getContext("experimental-webgl")." The statement continued: "Browser vendors are still in the process of supporting the GL_ARB_robustness extension, so it is expected that the previously reported denial-of-service issues are still present. It is expected that the reported denial-of-service issues will be solved with the integration of this extension." Still in its adolescence A Google spokesman said that Chrome doesn't run WebGL on some system configurations when lower level stack issues are identified and that many parts of WebGL, including the GPU process, run in separate processes that are sandboxed in the browser to help prevent the kinds of attacks described by Context. Context researchers recommend users disable WebGL in both Firefox and Chrome, while the US Computer Emergency Readiness Team has suggested administrators review the Context findings and "update their systems as necessary to help mitigate the risks." The two reports from Context, and the responses from Khronos, strongly suggest that WebGL is still in its adolescence and will require a more work among browser makers and hardware manufacturers for it to become mature. Disabling WebGL is probably an overreaction. Then again, at this early stage, users who turn it off probably aren't missing much. For those who decide to forgo the benefits of WebGL, Context's report provides step-by-step instructions for turning off the graphics-acceleration interface in both Firefox and Chrome. Source: theregister

A survey from Microsoft reveals just how widespread the fake tech support call scam is becoming. The crooks cold-call people at home and claim to be calling from Microsoft or a well-known security firm and offering "free security checks". The software giant surveyed 7,000 computer users in the UK, Ireland, US and Canada and found an average of 16 per cent of people had received such calls. In Ireland this rose to a staggering 26 per cent. More than a fifth of those who received such a call, or 3 per cent of the total surveyed, were tricked into following the crooks instructions which ranged from allowing remote access of their machines, downloading dodgy code or in some cases giving credit card information in order to make purchases. Microsoft said if someone claiming to be from Windows or Microsoft Tech Support calls you: "Do not purchase any software or services. Ask if there is a fee or subscription associated with the 'service'. If there is, hang up." Redmond said 79 per cent of those tricked suffered financial loss – the average loss was $875 (£542). Losses ranged from just $82 (£51) in Ireland to a whopping $1,560 (£967) in Canada. Microsoft warned that while the gangs were currently targeting English-speaking countries it was just a matter of time before they go after other countries. The company advised anyone who had already fallen for such a scam to change their passwords, scan their machines for malware and contact their bank and credit card providers. More on Microsoft scams HERE

Adobe has rolled out updates for its widely used Reader PDF viewer and Flash animation programs that fix flaws, some that hackers have been exploiting to hijack end user computers. The emergency patch for Flash was the second time in nine days that Adobe has rushed out a fix for a serious bug in the program. The vulnerability allows attackers to remotely execute malicious code on machines that run the software, and there are reports it's being actively exploited, Adobe said. The targeted vulnerability resides in Flash versions for Windows, Macintosh, Linux, Solaris and the Android mobile operating system. Tuesday's fix is available for all platforms except for Android. A separate update for Reader fixes at least 13 bugs. Adobe rated 11 of them "critical," a designation typically reserved for vulnerabilities that can be exploited with little or no interaction required by the user to install malware. The flaws involved memory corruption, buffer and heap overflows, DLL load hijacking and other bugs. Flash and Reader are among the most commonly targeted apps by criminals pushing malware. Users are better off using an alternative PDF reader such as Foxit. While the application has its share of security vulnerabilities, its smaller market share means it's mostly ignored by attackers. The patches added to the strain many IT admins were already shouldering from Tuesday's monster patch batch from Microsoft. Adobe has more about the Flash and Reader patches http://www.adobe.com/support/security/bulletins/apsb11-18.html http://www.adobe.com/support/security/bulletins/apsb11-16.html Source: theregister

As of yesterday, Twitter is the new owner of the domain name re-tweet.com (placeholder webpage) although it doesn't yet own retweet.com (currently used for some shady video monetization platform). Hat tip goes to Fusible, which thinks Twitter might be plotting to 'take on' Tweetmeme, a conclusion I believe is misguided. Re-tweet.com was sold through a Flippa auction a few months ago, ultimately selling for only $150. According to Fusible, Twitter gained ownership of the domain from an individual named David Quinlan on June 13, 2011. Twitter has long been trying to obtain a U.S. trademark for 'retweet' (which is a way for users to easily spread other people's public messages on Twitter) but has so far been unsuccessful. In August 2010, the company launched the Tweet button, which enables publishers to place 'tweet this' buttons on their websites. I've contacted Twitter to see if they have any product plans with the re-tweet.com domain name, but I highly doubt it. I'll update as soon as I hear back. As suspected

Ever since RockMelt launched its social browser, it's been known unofficially as the Facebook browser. Facebook chat, status updates and sharing are all built right into the browser. Now Facebook and RockMelt are officially working together in a product partnership, and the first fruits of that collaboration can be seen in the latest release available today, RockMelt 3. RockMelt is still an independent browser with only a few hundred thousand active users. Facebook made no investment in RockMelt, nor is it going to help promote or distribute the browser, at least initially. Its product teams, however, are working closely with RockMelt to make sure that its Facebook features shine. "The partnership is based on a shared belief that social should join navigation and search as fundamental capabilities of the browser," says RockMelt CEO Eric Vishria. There are several new features in RockMelt 3. To start with, RockMelt 3 adds Moves your Facebook buddy list from the left edge to the right edge of the browser. The buddy list is now scrollable, and it can be expanded to view not just pictures of your friends' faces, but their full names. The second new feature is that Facebook notifications, messages, and friend requests—what Facebook engineers internally call "the jewels"—are now visible at the top of RockMelt right in the chrome itself. You can visually see when you have a new notification, friend request, or message, and pop down a window to read more. RockMelt is now integrated with Facebook's unified messaging system. So if a contact is online, a chat window pops open. If he or she is not, it reverts to Facebook messages. RockMelt also knows when you are on Facebook.com, and strips away the redundant features from the site which are part of the browser. So the notification counters at the top pf Facebook disappear because they are now a feature of RockMelt. And when you are on Facebook.com, and a friend wants to chat, RockMelt's version of Facebook chat opens up instead of two chat windows duplicating each other, which is what happened before. So far, RockMelt has not taken off as much as its initial launch hype would have suggested. Since it opened up its beta to the public in March, it's seen modest growth, but high user engagement. A Facebook endorsement could help its cause. So did Marc Andreessen, who is both a Facebook and RockMelt board member, have anything to do with this partnership? Not initially. "Someone on Zuck's staff was an alpha user—one of our first 100 users—he showed it to Zuck and that is what got the partnership going," Vishria tells me. Certainly, it is not too difficult to imagine why Facebook would be interested in supporting the development of a social browser. Source:

The making of hacking tools and computer viruses should be a criminal act across Europe, EU ministers have said. The EU's Council of Ministers has backed the extension of criminal sanctions to tool—makers in response to European Commission plans to update EU laws tackling attacks against computer systems. Responding to European Commission plans to create a new anti-hacker Directive, the Council has said that the making of hacking tools should be criminalised, adding this to the list of currently criminal practices. "The following new elements [should include] penalisation of the production and making available of tools (eg, malicious software designed to create 'botnets' or unrightfully obtained computer passwords) for committing the offences [of attacks against computer systems]," the Council of Ministers said in a statement (pages 18-19 of 38-page/176KB PDF). "The term botnet indicates a network of computers that have been infected by malicious software (computer virus)," the Council statement said. "Such network of compromised computers ('zombies' may be activated to perform specific actions such as attacks against information systems (cyberattacks). These 'zombies' can be controlled

UK credit reference and credit recovery agency creditsafe.co.uk took its site offline on Tuesday, as a precaution, following a hacking attack. The site remains offline at the time of writing on Wednesday afternoon. Miscreants planted malicious code on Creditsafe Limited's1 website. This code had the effect of redirecting surfers to a hacker controlled website that attempted to drop malware onto the PCs of surfers, likely using unlatched browser exploits or similar methods Hackers often plant malicious code on legitimate sites as part of so-called drive-by download attacks. In the case of Creditsafe, the attack spawned concerns that its email and internal systems might also have been compromised. The possibility that customers' personally identifiable information was also exposed was quickly discounted. Following a review, creditsafe concluded that its internal systems were also safe. In an updated statement on its site, Creditsafe said it planned to restore its website to normal as soon as possible. A representative of the firm told El Reg that it hoped to restore the site either later on Wednesday afternoon or on Thursday. The initial attack itself remains under investigation, and it's not clear what kind of malware was been punted via the assault. Creditsafe promises to update the status of its site via its Twitter feed. Although Creditsafe's action disrupted its business it was wise to take its website offline while it established the scope of the breach against its systems. Consumers, in general, are more sensitive to the leak of personal information following high-profile breaches involving Sony, marketing outfit Epsilon and others over recent weeks. Oddly these incidents seem to have more of an effect than hacks that exposed credit card details and resulted in fraud to customers of TJX and Heartland in previous years. Firms in the financial service sector, in particular, need to be especially risk-averse, assuming the worst for the sake of their customers - as well as their own longer-term reputations. 1 Creditsafe Limited should not be confused with Creditsafe Business Solutions Limited, a separate firm unaffected by the security flap affecting its near-namesake. Source: theregister

Updated Prolific hacker pranksters LulzSec took out sci-fi game EVE Online on Tuesday as part of a run of attacks apparently perpetrated purely for the lulz. A DDoS attack left EVE Online offline for around five hours as part of an operation called Titanic Takeover Tuesday. CCP Games, the firm behind the popular multiplayer game, said that it took both EVE Online and its own website offline as a precaution, fearing that the DDoS attacks could act as a smokescreen for deeper penetrating assaults. CCP Games said this drastic action was warranted though we doubt many gamers would agree, especially since it seems to more severe attack actually happened so the gaming firm had effectively thrown in the towel without attempting to stand up to LulzSec's assault. A range of other targets including Escapist magazine's website as well as online games Minecraft and League of Legends were also attacked by LulzSec. LulzSec invited fans of its hijinks to suggest targets, much like DJs would invite record requests. It's difficult to see any pattern behind the latest string of assaults. LulzSec has appeared from nowhere to become the most notorious hacking group on the planet with attacks on FBI affiliates, Sony, the US Senate, a popular porn site and a string of gaming firms. Previous attacks have highlighted security weakness involving Bethesda and Nintendo. Neither of these attacks actually affected gamers directly, unlike the latest assault on EVE Online. Last month we reported how EVE Online had become a battlefield for botnets. Rival groups from eastern Europe are using botnets to DDoS opponents before taking over their territories, sometimes for the purpose of farming virtual currencies. Our gut feeling is that the LulzSec DDoS is nothing to do with this, not least because its sensibilities are rooted in riffs of Americana and its members' main (native) language is English. The group maintains an anarchic Twitter feed memorably described by Boing Boing as "like watching a rabid elephant on PCP wearing a top hat rampage through a crowded market with explosive banana diarrhoea". Nobody quite knows who LulzSec is but one plausible theory, advanced by security author and FT journalist Joseph Menn among others, is that the group is composed of a breakaway faction of Anonymous who want to reconnect with the anarchic spirt of 4chan that spawned Anonymous in the first place. Some have praised LulzSec for its gonzo-security antics, saying it graphically highlighted security problems that experts have warned about for years but have often been ignored. It's unlikely that law enforcement agents would take anything like as charitable a view on its activities. The longer LulzSec continues, and the more brazen its activities become, the more likely it is that a member will become careless, get complacent and get caught, or its members will get bored and desert. These seem like the two most plausible endgames of this cavalcade of hacking antics Source: theregister

Games developer Codemasters has taken its website offline and advised users to change their passwords in the aftermath of a hack attack last week. Unknown attackers made off with a treasure trove of personal information following an attack on Codemaster' website last Friday (3 June). Hackers got access to the Codemasters CodeM database, EStore, and code redemption pages. Details lost included members' names, usernames, screen names, email addresses, dates of birth, encrypted passwords, newsletter preferences, biographies entered by users, details of last site activity, IP addresses and Xbox Live Gamertags. In addition, telephone numbers, encrypted passwords and order histories were accessed and compromised from the Codemasters electronic store. Payment card details are handled and stored by an external payment provider, and are not affected by the breach. Although payment details ought to be safe users are exposed to severe risk if cases where they also use their Codemasters password/login name with other (perhaps more sensitive) accounts, such as webmail or e-banking. These passwords need to be changed quickly. In addition, users should be wary of the possibility of receiving phishing emails that use data from the Codemasters heist to give them extra plausibility. Codemasters said its website "will remain offline for the foreseeable future" as a result of the hack with traffic re-directed to the Codemasters Facebook page instead. "A new website will launch later in the year," it adds. The gaming outfit sent out warning emails to its customers on Friday, which is the first many had heard of the problem. Several readers (too numerous to mention individually) forwarded these emails. We've asked Codemasters for comment on the hack but are yet to hear back at the time of going to press. It seems remarkable that a firm that depended at least in no small part on web sales would take its site offline indefinitely. This is a question we'd hope to explore as and when we hear back from Codemasters. Codemasters has employed controversial law firm Davenport Lyons to chase file sharers for damages over the alleged uploading of copies of its games onto file sharing networks. It's unclear whether or not this motivated this months assault but the loose confederation between file sharers and hackers does make it a possibility. Source:

Updated Spanish national police have arrested three suspected members of the infamous Anonymous hacking crew. The arrests in Barcelona, Alicante and Almeria involve suspects who allegedly had the ability to direct operations for Anonymous, the loosely affiliated hacking crew. Spanish police claim to have disrupted a key cell of the organisation. A server hosted in the Spanish city of Gijon was seized as part of these raids. Investigators reckon the group is responsible for masterminding attacks on the Spain's Central Electoral Board (la Junta Electoral Central) last month as well as Sony's PlayStation Store. The group was also involved in attacks against government websites in Egypt, Algeria and Libya. Spanish police have already published, via Twitter, screensots from IRC logs that appear to show discussion of plans to attack the Spanish electoral board as well as Spanish police websites. The logs don't say but we guess the attacks are a response to proposed legislation to make filesharing illegal in Spain. None of the suspects have been named, standard practice at this stage of a police investigation in Spain. A division of the national police handling this case shares responsibility for the investigation of cybercrime cases with El Grupo de Delitos Telem

Facebook Tattoo Woman is a Hoax So that crazy lady who let a tattoo artist ink 152 of her Facebook friends on her arm isn't so crazy after all because the entire thing was just an advertising stunt. Youtube user Susyj87 uploaded a video of herself getting a sleeve tattoo of her 152 Facebook friends. The video, called "My Social Tattoo" has received almost 1.5 million views since it was uploaded May 30. DutchNews reports that the whole thing was just a hoax -- Susyj87 didn't get a real tattoo, she was inked with a transfer. Rotterdam tattoo artist Dex Moelker reportedly admitted that the tattoo was a "tryout tattoo, a transfer, that washes off in a couple of days." The "tattoo" only took a couple of hours to apply, not 30 hours as the video claimed. Apparently the stunt was for a local Dutch firm that specializes in making gifts out of Facebook profile pictures. All I can say is, I'm relieved -- now Susyj87 won't have to run back to the tattoo artist every time one of her Facebook friends decides to change their profile picture. http://www.youtube.com/watch?v=ApOWWb7Mqdo&feature=player_embedded

Skype appears to be down, or at the very least it is for a whole lot of users throughout Europe who are tweeting in a ton of different languages about their inability to connect. Many blame Microsoft, and even founder Bill Gates for the downtime, which is sort of strange because the multi-billion dollar acquisition of Skype hasn't even closed yet. Anyway, let's pray that this isn't a repeat of the Great Skype Outage of December 2010, when the apocalypse appeared nigher than ever. Funnily enough, a bug in the Microsoft Windows client was to blame for that one. If you're affected by the downtime, you'd be well advised to monitor Skype Heartbeat (although it claims things are all working normal at the time of publication) and @Skype. I'll be one of those watching closely, because it's down for me too. Damn you, Microsoft! Update: around 7 AM Eastern time, the Skype team tweeted that "a small number" of users may be having trouble connecting indeed, and that it's investigating the cause. Companies always say only a small subset of users experience problems when they occur. I have no clue why they insist on pointing that out like it makes a difference. Update 2: and a Heartbeat blog post for good measure, saying the same. Update 3: Skype slowly crawling back up for me (7:40 AM Eastern time) Update 4: Skype now says a configuration problem caused the glitch (8:15 AM Eastern time). The company adds that now that is has identified the cause of the problem, they have begun to address it. The client should reconnect automatically as soon as it's able to do so. Update 5: Skype now says the situation is improving. Well good. Update 6: Skype says: "Today's problems have stabilised, and recovery is ongoing. Skype should return to normal soon." (12:20 PM Eastern Time) Source:

As you may be aware, nearly two months ago Microsoft and federal law enforcement agents cracked down on the infamous Rustock botnet, which was responsible for a lot of the spam you hopefully never receive. This morning, the Redmond software giant posted a status update on its company blog, positing that Rustock is still "dead and decaying". Microsoft also surprised with the announcement that it is placing quarter-page advertisements in two mainstream Russian newspapers "to make a good faith effort to contact the owners of the IP address and domain names that were shut down when Rustock was taken offline". As promised. Microsoft says it has taken several technical countermeasures to prevent the bot's self-defense mechanisms from reanimating it, and that these efforts have been successful. The company says the number of infected IP addresses decline as more and more people update their software or get malware removed from their computers. Nevertheless, some reports claim the takedown hasn't actually made a dent in spam. The company adds that its Digital Crimes Unit continues to follow this case, and that based on evidence gathered, the perpetrators likely operated or are operating out of Russia. Microsoft will now run ads in the Delovoy Petersburg and The Moscow News to notify the owners of the IP address and domain names that were shut down of the takedown as well as the date, time and location of hearings where they will have an opportunity to make their case. This in addition to setting up this website. The company says it realizes that the people associated with the IPs and domains will probably not come forward in response to a court summons, although they say they still hope the defendants in this case will present themselves. That won't happen, of course, so Microsoft also says it intends to pursue this case, including possibly within the Russian judicial system. Source:

Angst! Raised Eyebrows! Distinct feelings of discomfort! So go the reactions to a feature on Facebook that uses facial recognition technology to help users tag their photos. It has people so upset, in fact, that it's just sparked a probe from European Union privacy regulators. The uproar revolves around a feature that's been around since December, so the technology itself isn't particularly new. But regulators are only getting upset about it now after a Sophos report pointed out that Facebook has recently turned the setting on by default, apparently continuing the social network's habit of encroaching on user privacy without asking for permission. Except this time, the complaints seem to be about issues that aren't new — and humans are still very much involved in deciding who gets tagged. First, let's run through exactly what the feature does. When you upload photos to Facebook, you're prompted to tag your friends in those photos — your friends will then be notified about the photos they're tagged in, and depending on their privacy settings other people may be able to see them as well. This feature is relatively ancient in Facebook terms, and is actually one of the key reasons why the site got popular on college campuses (and later, with everyone else) in the first place. Facebook easily has more photos than all of the other photo hosting sites combined, and as of last December people were creating 100 million tags per day. But while tagging is hugely popular, it's also a pain. For a long time you had to do every single tag manually — click a face, type in the person's name, repeat for each face, and click onwards to the next photo, where you get to do it all again. It's tiresome. Which is where Facebook's facial recognition comes in. The first feature that incorporated this technology made it easier to tag the same person in multiple photos. Say, for example, you were at a friend's birthday party and the same eight people showed up in each photo. Using facial recognition, Facebook can ask you to identify each of those friends once, and then automatically tag them throughout the rest of the photo album. The more advanced facial recognition feature, which launched in December, goes one step further: instead of initially asking you to identify each of your friends' faces, it looks at your Facebook friends to see if any of them seems like a likely match. You then confirm those suggested tags (each possible match shows a thumbnail that you can 'X' out), and have to do a lot less clicking. That's it. We're not talking about a sinister site-wide facial recognition feature that will let your boss find incriminating photos of you taken at a bachelor party. It just makes tagging less tedious. And no, it is not fully automated. Which brings us back to the privacy issue. Here's a quote from Gerard Lommel, a Luxembourg member of the Article 29 Data Protection Working Party, taken from the Bloomberg article on the EU probe. "Tags of people on pictures should only happen based on people's prior consent and it can't be activated by default," said Lommel. Such automatic tagging "can bear a lot of risks for users" and the group of European data protection officials will "clarify to Facebook that this can't happen like this." Now, Lommel has a point: if you are tagged in a photo on Facebook, you do not get to approve that tag before it shows up in your 'Tagged Photos' album or in friends' News Feeds — you have to detag photos after the fact. But this is how Facebook Photos have always worked (in fact, it's how all of their features work, which is why you can be tagged in groups you've never heard of, or at places you'd rather not be tagged in). And, as Facebook always points out, if you're worried about it, you can hide tagged photos from other users using the site's privacy options. In other words, it isn't a new issue, and it isn't related to facial recognition at all. Your friends have always been able to tag you in photos without your prior consent. Sure, these features make it easier to do so, but presumably they're not going to suddenly start tagging you in incriminating photos just because it takes fewer clicks. To reiterate: the EU may conclude that Facebook users should be able to pre-approve their tags, and I don't necessarily think that would be a bad thing (I'm sick of tag spam, for one). But conflating this with the spookiness of facial recognition seems like a mistake — we should save that outcry for when companies really do start doing creepy things with the technology. Source: TechCrunch

Guerillapps, a social game maker, debuted a cool new Facebook game at Disrupt NYC that is adding a new spin to green games. What's more, from what I can tell, Trash Tycoon is the first "upcycling" game to hit the Facebook platform. But what is this "upcycling", you ask? Upcycling is the process of converting waste materials into new products of better quality and higher environmental value, so when gamers play Trash Tycoon, they take on the role of recycling entrepreneurs responsible for doing just that. Gamers become the stewards of their city, a la Sim City, fighting litter and trash wherever it rears its ugly head. Players earn game money and points by collecting trash and upcycling it to create new products out of trash, just like its sponsor TerraCycle does in the real, green world. Guerillapps, which recently received a $500K in seed funding from Rhodium, will be keeping Trash Tycoon in private beta until later this month, but TechCrunch readers can get an early taste of the game here. One of the many cool parts about Trash Tycoon is that it's trying to separate its game from the traditional Facebook social game model by adding synchronous play, offering realtime multiplayer, so that users can communicate and collaborate in realtime during play, banding together with friends to attack their city's trash heaps. Trash Tycoon is also putting an interesting spin on its revenue model, offering seamless inclusion for green brands right in the gameplay. This may sound slightly off-putting, after all, who wants to play a game with brand logos stamped on every object? But Trash Tycoon's brand integration isn't offensive: The energy items players need to collect may be branded products, as will the factories players build to recycle waste. But these brand tie-ins have real world justification. The piece of gum you collect might be Wrigley's, and so on. "We integrate the same real world dynamics of TerraCycle brands in the game in attempt to avoid things like banners, or in-your-face branded items, for example", said Guerillapps Co-founder and CEO Raviv Turner. And the great thing about Trash Tycoon's brand integration is that it's enabled by TerraCycle's business model. Just as TerraCycle works with major partners to run packaging reclamation programs, which pay schools and other community groups to collect the sponsors' packaging to later be upcycled into items that bear the sponsor's brand, this process is mirrored in Trash Tycoon. The company is also able to leverage the existing user bases of its partners, like the 24 million at TerraCycle, which significantly helps write off user acquisition cost. It's a ready-made user base. For Guerillapps, it's not just about offering a game-ified product or game-ified approach to green behavior and upcycling, it's about creating a playable social game that incorporates reality into the virtual world. Waste Management built a Facebook game to teach users how to use its interactive recycling kiosks last year, but the game still hasn't taken off (only 6,400 montly active users), and Guerillapps hopes that by incorporating brands and real world concepts like recycling and upcycling organically into the game, as opposed to a game-ified, education-entertainment gameplay experience, the player will learn but do so with greater enjoyment. To build a more playable game, Guerillapps brought on two veteran game designers Greg Costikyan and Naomi Clark (who has consulted and developed concepts for clients and publishers including PBS, Disney, Fisher Price, Wizards of the Coast, Electronic Arts, Nintendo, Major League Baseball), who are both responsible for Trash Tycoon's addictive design and gameplay. The veteran designers goes towards alleviating any concern that this is just another Facebook game ported from another medium or whipped off in 24 hours. Trash Tycoon has partnered with Treehugger.com and also donates 10 percent of revenues from its virtual currency to CarbonFund.org and plans to later introduce a "Play to Offset" icon, so that if you, say, order an Amtrak train ticket, or buy a flight ticket online, CarbonFund partners will present the "Play to Offset" icon so users can go play Trash Tycoon and offset their carbon footprint, instead of just paying with a credit card. Turner says that that Guerillapps next steps involve taking the Trash Tycoon model to other verticals, like energy, health care, parenting, and more. The company isn't looking to be the next CityVille, he says, the team wants to design games around affinity groups, which offer a more active and social (and socially active) community of users looking to learn and have fun while doing it. The startup is also currently in the process of raising its second round. Source: TechCrunch

Microsoft researchers have rubbished figures from cyber-crime surveys, deeming them subject to the types of distortions that have long bedevilled sex surveys. It's well enough established that men claim to have more female sexual partners in sex surveys than women claim male partners, a discrepancy that can't be explained by sampling error alone. All it takes is for a few self-styled Don Juans to hopelessly distort the figures. Similarly, refusal rate and small sample sizes in cybercrime surveys mean that cybercrime surveys tend to get dominated by a minority of responses, normally those who have or think they have lost a great deal as a result of hacking or malware attack, and are vocal about it. Unverified self-reported numbers that come from such people are used as the basis for calculating losses that are based on, at best, guesstimates. "Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population," Miscosoft researchers Dinei Florencio and Cormac Herley argue in the paper Sex, Lies and Cybercrime Surveys. "Cyber-crime, like sexual behavior, defies large-scale direct observa- tion and the estimates we have of it are derived almost exclusively from surveys," they add. It's only human nature to want to get a handle on the size of any economic or social problem, hence the understandable hunger for figures on cybercrime losses. While you can go some way towards gauging the spread of a virus or the volume of fraudulent phishing emails, it's fraught with difficulties to try on map such raw figures to actual losses. This idea is seldom challenged but often overlooked by security industry firms who commission surveys of questionable methodology to talk up cybercrime losses in the hope of hoping to sell more kit, essentially by putting the frighteners up potential customers. Some customers at least are wise to such ploys, and disregard it as simply part of the rough and tumble of the security marketing game. The problem with cybercrime figures comes when they are presented as methodically researched before being used to lobby either senior corporate executives or politicians for extra security spending and the like. Using these estimates to drive policy decisions, when they are unreliable in the first place, is almost certainly going to to steer decisions towards a misguided outcome. Florencio and Herley note that the sketchy practices that persist in security surveys are among those security-conscious coders are taught to avoid. "'You should never trust user input' says one standard text on writing secure code," they write. "It is ironic then that our cyber-crime survey estimates rely almost exclusively on unverified user input. A practice that is regarded as unacceptable in writing code is ubiquitous in forming the estimates that drive policy." The paper (pdf), prepared for the Workshop on the Economics of Information Security, alleges that cyber-crime loss estimates are more often than not largely derived from the unverified self-reported answers of one or two people. The researchers (correctly) state that others have reached the same dim view of cybercrime guesstimates before starkly concluding: "Cyber-crime surveys

Citigroup has admitted that hackers could have grabbed thousands of account details for its credit card customers. The breach hit Citi Account Online systems and information potentially accessed was limited to names, email addresses and account numbers. Birth dates, PINs and other sensitive information is held elsewhere the bank said. The bank has contacted police and tightened fraud procedures, according to the FT which first publicly revealed that the break-in had taken place. Citibank said about one per cent of its 21m card holders in the US could have had their data compromised. The security hole was found during routine checking in early May. The bank told the paper that only credit card customers were hit, but several customers told the paper they'd had debit card transactions stopped. Citi said it was contacting affected customers but would not confirm whether any had seen dodgy transactions on their cards. We've contacted Citi for more details but have yet to hear back. Citibank said: "During routine monitoring, we recently discovered unauthorized access to Citi's Account Online. A limited number

What difference dose it make who made it, as long as t was updated and looks good. thats what its all about.

I've been testing the new look of the webchat from Buzzen, and have to admit I'm impressed with the results of it, and the look. The developement Team has done a great job with it. They have implemented quite a bit of what the user's are looking for in a webchat. I love the idea of the different color swatches, it will allow anyone or any user to change there own appearance of there webchat. Also the menu Tabs on top are a great added feature as they give the look a better feel to it. I have tested most of the menu Buttons and they all are working except for the friends. that is still being worked on. the downfall right now is that if you want to join another room, it will open a second window, and not stay on the same window as the previous chat. But all of this is being taken care of, as Duke told me that there still working on that. Also the Chat options are terrific as they allow certain things to be ticked on or off, me myself i like the timestamp, that was brilliant to add and the fonts. I would like to see that it would allow acces to our fonts. the emoticon drop down was a nice added touch, and so was the away messages. I have to take my hats off to the Buzzen developers for taking the time to make this the one webchat that people will come to like. Also note that the cam view is in process as thats there next goal to get up and running. Hope you try it and give your feed backs to the developement room!!

Facebook has just filed a motion for expedited discovery in its case against Paul Ceglia, the man who is claiming that he holds a major stake in Facebook based on a contract he allegedly signed with Mark Zuckerberg back in 2003. There was plenty of initial skepticism around the case (who could possibly forget that they owned a major stake in one of the most successful companies of the decade?), but people starting taking it more seriously when Ceglia landed representation from DLA Piper, and a series of potentially legitimate email exchanges surfaced. Now Facebook is striking back, and it's not mincing its words. The document, embedded below, is a concerted attack on Ceglia's character and criminal history. Facebook is asking the court to grant expedited, targeted discovery that would require Ceglia to produce the original contract between Zuckerberg and Ceglia, as well as original copies of their email exchanges. Facebook also wants access to all of Ceglia's computers. Facebook's argument is that with this evidence (or lack thereof), it can prove that Ceglia's claim is fraudulent, which would render a full discovery process unnecessary. To help support its claim that Ceglia's case is fraudulent, Facebook hired private investigative firm Kroll Associates, which dug through Ceglia's past. According to Facebook's filing, Kroll uncovered more of Ceglia's transgressions that allegedly include multiple incidents of land scamming in New York and Florida. According to the filing, Kroll investigators presented the Director of the Polk County (Florida) Land Development Division with some of the documents involved with these land scams, and the Director stated that they had likely been doctored. The filing also details a wood pellet scam, whereby Ceglia would sell wood pellets that he never delivered. The money quote: "The fact that Ceglia has spent the past seven years a a hustler engaged in various land swindles and wood-pellet scams further highlights the fraudulent nature of his claims in this case. If Ceglia were in fact the owner of a substantial stake in Facebook, why would he have resorted to a life of crime?" The filing goes on to detail why the contract with Zuckerberg that Ceglia previously produced is itself a forgery, citing Frank Romano, Professor Emeritus Rochester Institute of Technology, who says there are "significant inconsistencies between page 1 and 2 of the document" ("The Facebook" is only mentioned on page 1), including differences in page width and margins, type face, and spacing. Another quote from Romano: Based on my professional experience and judgment, my opinion is that Page 1 and Page 2 of [the document] were printed at different times on different printers. This strongly indicates that, at least in part, [the document] is forged. Furthermore, all the references to "The Face Book" or "The Page Book" appear on Page 1. Thus, it is my conclusion that Page 1 of [the document] is an amateurish forgery. There is much more beyond that — Facebook also does a point by point breakdown on why the emails between Zuckerberg are also fraudulent. And it says that "Zuckerberg has now declared under oath that he did not sign the contract attached to Ceglia's complaint, and he did not write or receive any of the purported emails quoted in the Amended Complaint." Of course, even if Ceglia were completely telling the truth Facebook would likely try to undermine his character by pointing out his past transgressions. But given the extent of this attack, Zuckerberg's sworn testimony, and Facebook's confidence that the evidence will support its case, Ceglia's lawyers certainly have their work cut out for them. <a title="View Memorandum of Law on Scribd" href="http://www.scribd.com/doc/56943969/Memorandum-of-Law" style="margin: 12px auto 6px auto; font-family: Helvetica,Arial,Sans-serif; font-style: normal; font-variant: normal; font-weight: normal; font-size: 14px; line-height: normal; font-size-adjust: none; font-stretch: normal; -x-system-font: none; display: block; text-decoration: underline;">Memorandum of Law</a><iframe class="scribd_iframe_embed" src="http://www.scribd.com/embeds/56943969/content?start_page=1&view_mode=list&access_key=key-2e3luuic37m0bisyige1" data-auto-height="true" data-aspect-ratio="0.772727272727273" scrolling="no" id="doc_86457" width="100%" height="600" frameborder="0"></iframe><script type="text/javascript">(function() { var scribd = document.createElement("script"); scribd.type = "text/javascript"; scribd.async = true; scribd.src = "http://www.scribd.com/javascripts/embed_code/inject.js"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(scribd, s); })();</script> Source:

How Facebook Can Put Google Out of Business I was surprised to hear former Google CEO Eric Schmidt publicly lament lost opportunities and missed chances to catch Facebook the other day. I used to envy Google and the vast digital empire that Schmidt commanded. Google had one of the most intricate monopolies of all time. It had the most impressive dataset the world had ever seen; the most sophisticated algorithm to make sense of it; an audience of a billion users expressing their interest; and more than a million advertisers bidding furiously to reach those consumers at just the right moment. What’s more, it had captured the ultimate prize: increasing returns to scale. Only Google could spread such huge R&D costs among an even more humongous query volume, all while offering advertisers the chance to reach most of the population with one buy. Google had earned its success. It competed on being smarter. It was. And it won. Google’s business strength was simply taken for granted; so much so that even deep-pocketed competitors like Yahoo and Microsoft stopped trying to outdo Google’s massive scale and core algorithmic know-how. And that’s why I used to think that Google was unstoppable. Until I realized one very important thing: despite the fact that Google goes to great lengths to keep its index fresh by indexing pages that often change every hour, or even every few minutes, and despite its efforts at realtime search (including searching the Twitter firehose), its dominant dataset is dead, while the Web is—each day more so than the last—vibrantly and energetically alive. Indeed, Google’s revered and unparalleled dataset is increasingly dating itself as an ossified relic akin to the Dead Sea Scrolls—outshined by the freshness of the living, breathing organism that is the social Web. Like dusty and determined archaeologists, Google’s massive bots crawl the Web looking for the artifacts of digital civilization. And what they find is fossils—in the form of pages and links: the leave-behinds of writers, contributors, and casual end-users who have deposited traces of themselves in the skinny crevices and dark recesses of the Internet. Google analyzes these remains, and yet it has almost no first-hand knowledge of any of the users who created this content—or those who are searching for it. Enter Facebook. Since its founding in 2004, Facebook has focused on enabling social connections, not on search. And yet, in the process, Facebook has created a platform that knows more than 600 million people, complete with identity, interests, and activities online. The company’s relentless and organic expansion—from an application to an emergent social operating system—has enabled it to know its users, not only on the Facebook.com domain, but also on other sites, as they travel throughout the Internet. While Google has amassed an incredible database consisting of the fossilized linkages between most Web pages on the planet, Facebook possesses an asset that’s far more valuable—the realtime linkages between real people and the Web. What does this mean, and what are the implications here? Well, in a nutshell, Facebook has stored a treasure trove of distinctive data that, if fully utilized, could put Google out of business. Yes, put Google out of business. Here’s why. Facebook’s data allows it to do more than just guess what its customers might be interested in; the company’s data can help it know with greater certainty what its customers are really interested in. And this key difference could potentially give Facebook a tremendous advantage in search when it eventually decides to move in that direction. If Google’s business has been built on choosing which Web pages, out of all those in the universe, are most likely to appeal to any given (but anonymous) query string, think about this: Facebook already knows, for the most part, which pages appeal to whom—specifically and directly. And, even more powerfully, Facebook knows each of our individual and collective behavior patterns well enough to predict what we’ll like even without us expressing our intent. Think of it: Facebook can apply science that is analogous to what Amazon uses to massively increase purchase likelihood by suggesting and responding to every minute interactive cue. Whereas Amazon relies on aggregate behavior, Facebook adds in the intimate patterns of each individual—along with their friends and the behavioral peers they’ve never met all around the world. And each of them is logged in and identified as a real person. When Google was born, its advantage stemmed from its ability to collect and analyze superior data. While other publishers looked myopically at each page on the Web as a standalone realm, Google found that the link relationships between those pages held more valuable relevance data than the pages themselves. All of a sudden, the isolated views of players like AltaVista and Yahoo began to look one-dimensional. And ownership of what is now the $20-billion-plus search advertising market was cemented. In the last several weeks, Google has indicated how important Facebook-like social networks are to its still-vast ambitions. One proof point is the launch of the new +1 product; another is the company’s internal announcement that bonuses will be tied to success on the social Web. It may seem that this is about capturing a new market opportunity. But, trust me, it’s not. In reality, it’s Google’s recognition that Facebook has the same kind of advantage over Google that Google is used to having over its competitors. And Google is smart to be scared. Very smart. But, if the truth be told, it will take far more than +1 to measure up to the whole new human dimension of the Internet. After all, the human organism is home territory for Facebook and utterly foreign turf for Google’s algorithmic machine.

developer has released an app for Android handsets that brings website credential stealing over smartphones into the script kiddie realm. FaceNiff, as the Android app is called, can be used to steal unencrypted cookies on most Wi-Fi networks, giving users a point-and-click interface for stealing sensitive authentication tokens sent over Facebook, Twitter, and other popular websites when users don't bother to use encrypted SSL, or secure sockets layer, connections. The app works even on networks protected by WPA and WPA2 encryption schemes by using a technique known as ARP spoofing to redirect local traffic through the attacker's device. An attacker would have to know the security password, however. To be sure, FaceNiff doesn't do anything that hasn't been done for decades, and based on a YouTube video and comments on an official support forum, the app seems to have its share of quirks. Programs such as SSLSniff, released years ago by Moxie Marlinspike, contain considerably more powerful capabilities even if they lack a smartphone GUI. But by making it possible for ordinary Android users to hijack other people's Web 2.0 accounts, FaceNiff has the potential to be something like the smartphone equivalent of Firesheep, a Firefox browser extension that brought new urgency to the decades-old threat of using unencrypted web connections. FaceNiff lacks some of the automated features of Firesheep, but that could change with a few updates to the Android app. Over the past year or so, Google, Facebook, Twitter, and Microsoft have upgraded a variety of their services to add always-on SSL, which is the only effective way to prevent the theft of authentication tokens. Those protections on several occasions have been found to be far from perfect, but they're a step in the right direction. Source: The Register