Archive - Privacy RSS Feed

Reason 3,423 Why I Don’t Use Social Networks

Hello, my name is Dan and I do not use “social networks”. I don’t have a MySpace, don’t use Facebook, don’t have an Orkut, etc. The reason being, one of these days something you posted many years ago will bite you in the ass.

Yes, you know who you are. Remember the picture you posted online of you smoking pot and getting frisky with an inflatable chair? Yeah, that’s not gonna go over so well with the new employers. Regardless of whether you post information on social sites as “private” or “friends only”, information WILL leak out; the only question is when. It’s “Dan’s law of suckness” (™ and ® UNEASYsilence :P ).

Normally it’s a friend who thinks it’s cute to download a picture off your profile and email it to another friend, but now the networks themselves are doing the leaks for you. Previously MySpace had a bug where anyone (via a special URL) could see anybody’s private pictures. Now it’s Facebook’s turn!

A security lapse made it possible for unwelcome strangers to peruse personal photos posted on Facebook Inc.’s popular online hangout, circumventing a recent upgrade to the Web site’s privacy controls.
The Associated Press verified the loophole Monday after receiving a tip from a Byron Ng, a Vancouver, Canada computer technician. Ng began looking for security weaknesses last week after Facebook unveiled more ways for 67 million members to restrict access to their personal profiles.
But the added protections weren’t enough to prevent Ng from pulling up the most recent pictures posted by Facebook members and their friends, even if the privacy settings were set to restrict the audience to a select few.
After being alerted Monday afternoon, Facebook spokeswoman Brandee Barker said the Palo Alto-based company fixed the bug within an hour.

Next time you want to post evidence of your drunken debauchery or say something really crazy and radical – you may want to give that a second thought now.


G-Archiver Steals Your Gmail Password

The nifty Gmail backup utility seems to have (possibly maliciously) collected the Gmail logins of the program’s users.

This was discovered when a developer named Dustin Brooks took a look at the code using a decompiler. He discovered a Gmail account name and password embedded in the source code. Brooks logged in and found over 1,700 emails, all with user account information — with his own at the top. According to a story in InformationWeek, he deleted the emails, changed the account password, and notified Google.

The developer of G-Archiver says the code to collect users’ Gmail logins was debug code that should have been stripped out of the shipping version, and that a patch will be available shortly.

Sneaky what some programmers are capable of.


And So It Begins: Congress Doesn’t Extend Warrantless Wiretaps and Telcom Immunity

In an interesting turn of events, the House did not approve (or even hold a vote on) the FISA surveillance law, allowing it to expire.

The House broke for a week’s recess Thursday without renewing terrorist surveillance authority demanded by President Bush, leading him to warn of risky intelligence gaps while Democrats accused him of reckless fear mongering.

The refusal of Speaker Nancy Pelosi, Democrat of California, to schedule a vote on a surveillance measure approved Tuesday by the Senate touched off an intense partisan conflict over the national security questions that have colored federal elections since 2002 and are likely to play a significant role again in November. [...]

The main sticking point is a provision in the Senate bill that provides legal immunity for telecommunications companies that, at the Bush administration’s request, cooperated in providing private data after the Sept. 11, 2001, attacks. Many House Democrats oppose that immunity.

Surveillance efforts will not cease when the law lapses. Administration intelligence officials said agencies would be able to continue eavesdropping on targets that have already been approved for a year after the initial authorization. But they said any new targets would have to go through the more burdensome standards in place before last August, which would require that they establish probable cause that an international target is connected to a terrorist group.

Intelligence officials also told reporters Thursday that they were worried that telecommunications companies would be less willing to cooperate in future wiretapping unless they were given immunity.

I find it hysterical that the law is providing immunity to phone companies for doing something the US refuses to acknowledge that they did. Meanwhile, the telecom companies have admitted that they broke the law assisting the government with warrantless wiretapping. Get ready for some really interesting weeks of the House and White House playing chicken.


Uh Oh. Google Search Bar Hijacking Server Error Pages!

Seems that users who install the latest version of the Google search bar are finding that Google is hijacking servers’ 404 error pages.

Google grabs the 404 error code returned to the web browser in certain situations and instead of displaying the 404 error page of the website you are on, it creates a custom 404 error page – made by Google. The “new” 404 error page ‘conveniently’ includes a Google search box and if used by a visitor will drive the visitor away from your website. Even worse – the search box is pre-populated with data from the initial URL query on your website. Imagine a situation where some kind of sensitive data is sent to Google that way. Even normal data would make it to Google that way and we all know what Google does with data. For me as a webmaster this is a major intrusion into my own intellectual property.

As the wild west of the internet keeps evolving, these problems will keep popping up. Hopefully Google will reverse its decision to hijack error pages, just as Verisign abandoned Sitefinder (well, with a little pressure).


Useful Free Tool: Use OpenDNS to Block Ads


Tired of online ads like I am? I have Firefox’s Adblock Plus and Safari AdBlock installed on my computer, but it becomes rather annoying to keep installing these applications on my multiple machines, as well as every time I format them. To make ad blocking simpler, I opted to use OpenDNS to block ads at the DNS level.

To make this hack work you must configure your router to use OpenDNS’s servers (trust me, you will want to do this anyway – their servers are FAST!) by following the OpenDNS tutorials. Secondly, you must sign up for a free OpenDNS account so you can set up network filters.


Once that is done, navigate to the Domain Blocking feature under the Filtering category. Once you click on that, add the following domains to the filter:

ad.doubleclick.net
adlog.com.com
adservices.google.com
googleadservices.com
googlesyndication.com
pagead2.googlesyndication.com
servedby.advertising.com
view.atdmt.com
mm.chitika.net
ctxt.tribalfusion.com
intellitxt.com

These few domains are responsible for the vast majority of the ads on the internet. For a more comprehensive list, you may want to check out all the domains listed in this directory.

No, OpenDNS is not as good as dedicated ad-blocking applications, but for a simple network-wide fix this seems to do the trick, and I hope in the future OpenDNS offers a true Adblock feature.
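The following is an added example, not code from the original post or from OpenDNS: it simulates what a DNS-level domain filter does with the list above. It assumes the filter matches whole labels as a suffix (so the entry for googlesyndication.com also covers pagead2.googlesyndication.com), and it contrasts that with a hosts-file rendering, which matches exact names only. The sample lookups are constructed.

```python
"""Added example (not from the original post): simulate a DNS-level domain
blocklist like the OpenDNS filter built above.

Assumption: a DNS-level filter matches whole labels as a suffix, so an entry
for googlesyndication.com also answers for pagead2.googlesyndication.com but
not for notgooglesyndication.com. A hosts file, by contrast, matches only the
exact name, which is why per-host blocking needs a much longer list.
"""

# The eleven domains from the post.
BLOCKED_DOMAINS = [
    "ad.doubleclick.net",
    "adlog.com.com",
    "adservices.google.com",
    "googleadservices.com",
    "googlesyndication.com",
    "pagead2.googlesyndication.com",
    "servedby.advertising.com",
    "view.atdmt.com",
    "mm.chitika.net",
    "ctxt.tribalfusion.com",
    "intellitxt.com",
]


def normalize(name):
    """Compare names the way a resolver does: case-insensitive, no trailing dot."""
    return name.strip().lower().rstrip(".")


def is_blocked(hostname, blocklist=BLOCKED_DOMAINS):
    """True if hostname equals a list entry or sits under one as a subdomain."""
    host = normalize(hostname)
    for entry in blocklist:
        entry = normalize(entry)
        if host == entry or host.endswith("." + entry):
            return True
    return False


def minimal_blocklist(blocklist):
    """Drop entries already covered by a shorter (parent) entry."""
    entries = sorted({normalize(e) for e in blocklist}, key=lambda e: e.count("."))
    kept = []
    for entry in entries:
        if not any(entry == k or entry.endswith("." + k) for k in kept):
            kept.append(entry)
    return kept


def to_dnsmasq(blocklist, sink="0.0.0.0"):
    """Render a suffix-matching config for dnsmasq (address=/domain/sink)."""
    return "".join(f"address=/{e}/{sink}\n" for e in minimal_blocklist(blocklist))


def to_hosts_file(blocklist, sink="0.0.0.0"):
    """Render /etc/hosts lines; note these match exact names only."""
    return "".join(f"{sink} {normalize(e)}\n" for e in blocklist)


if __name__ == "__main__":
    # Constructed sample lookups, as a resolver would see them.
    for name in ["pagead2.googlesyndication.com", "www.example.com", "notgooglesyndication.com"]:
        print(f"{name:32} blocked={is_blocked(name)}")
    print(to_dnsmasq(BLOCKED_DOMAINS))
```

The `minimal_blocklist` pass is the part worth noticing: with suffix matching, pagead2.googlesyndication.com is redundant once googlesyndication.com is listed, whereas a hosts file needs every hostname spelled out, which is the practical reason a resolver-level filter is easier to maintain across several machines.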

RapidShare To Be Shutdown?

Germany-based RapidShare seems to have a bit of legal trouble on its hands. German music companies have taken RapidShare to court and have secured an order for it to stop its users from downloading infringing music tracks from its servers, or be shut down.

Last week we reported on rumors that Rapidshare had, or was about to be, shut down, rumors that now look likely to resurface. The company, one of the world’s largest ‘one-click’ file hosting services, has lost a copyright infringement case against German performing rights outfit, GEMA. Representing a claimed 60,000 members and more than 1 million rights owners worldwide, GEMA has taken an aggressive stance in pursuing legal action against Rapidshare, trying to force it to be accountable for the infringing actions of its users.

For its part, Rapidshare has always insisted that it cannot be held responsible for these actions, such as when users upload copyright works (in this case, music) to their servers for subsequent downloading by others.

On 23 January 2008, the district court in Düsseldorf (Landgericht) disagreed with this assertion after GEMA succeeded in convincing the court that Rapidshare should take responsibility for infringements carried out within its service.

GEMA are trying to imply that as a result of the decision, Rapidshare will be forced to take preventative action to stop GEMA works from even getting onto their servers, rather than a DMCA-style after-the-fact removal. GEMA says that if Rapidshare are forced to filter they will likely end up with a service that’s not worth operating, so they may decide to shut it down completely.


The Day The Internet Died – AT&T Considering Mandatory Content Filtering

At CES, in a not-so-smoke-filled room, AT&T and other ISPs are considering filtering copyrighted content at the network level. Yup, that’s right. Your ISP’s routers will filter content for you.

At a small panel discussion about digital piracy here at NBC’s booth on the Consumer Electronics Show floor, representatives from NBC, Microsoft, several digital filtering companies and telecom giant AT&T said the time was right to start filtering for copyrighted content at the network level.

Network-level filtering means your Internet service provider – Comcast, AT&T, EarthLink, or whoever you send that monthly check to – could soon start sniffing your digital packets, looking for material that infringes on someone’s copyright.

“What we are already doing to address piracy hasn’t been working. There’s no secret there,” said James Cicconi, senior vice president, external & legal affairs for AT&T.

This is OUTRAGEOUS. ISPs are protected by safe harbor provisions that shield them from their users’ activities. Why would they want to burden themselves with the responsibility to filter content? How will they know what is legitimate and what is not? Whatever happened to net neutrality? What happened to users’ privacy? Is anybody as angered by this as I am?


Adobe Formally Speaks About 192.168.112.2o7.net and Spying Concerns

Seems that I set the internet ablaze when I raised the issue of Adobe applications that call home. During the firestorm, I was able to talk to MANY individuals at Adobe – specifically John Nack – who stood on the firing line fiercely defending the company that employs him.

He writes:

The welcome screen (screenshot) that’s available in some Adobe CS3 applications (Flash, Fireworks, Dreamweaver, Illustrator, and InDesign) is designed to show fresh, relevant news and information. For that reason it loads a Flash SWF file that’s hosted on Adobe.com, just as a Web browser would do. When the SWF gets loaded, it pings the Omniture server to record the event. As noted previously, no personal information is uploaded in that exchange. [...]

Q.: Why does Adobe use a server whose name is so suspicious-looking?
A.: I’m afraid the answer is that we don’t really know. The fact is that this SWF tracking code already existed on the Macromedia side at the time the companies merged, and it was adopted without change by a number of products for CS3. The people who wrote the code originally did not document why they used that server name, and we can’t find anyone who remembers. I’m sorry we aren’t able to provide a more solid, definitive explanation.

Q.: Follow-on: Given that you can’t give a good reason why Adobe is using a server whose name is so suspicious, are you going to change the name?
A.: Absolutely. We are working with Omniture on this right now, and will make this change as soon as we can. (I don’t know how long this will take, but will post here when I do.)

Longer-term (in future releases), we’ll do a better job of explaining what the apps are doing on the network and why. I think we can enable some really amazing user experiences by bringing the desktop & online worlds closer together, and that most people will want to participate in those. The key thing is that they be given the choice, and that they be made aware of what’s going on.

Kudos, John. You did a VERY good job of explaining why Adobe apps connect to the Internet. From this lesson Adobe will hopefully learn to carefully scrutinize WHO they do business with and to give users CHOICE regarding how their applications interact with the internet. They will now hopefully better disclose what is ticking in their super secret source code.

After getting to know John I can say that he is profoundly concerned about this issue and will be working hard to achieve all the goals he promised – he has the power to do it.

ALL programmers take note, we are watching! You are on notice! All we ask is that you clearly disclose WHAT information you collect and what you do with it.


Beware the Fake FireFox Authorization Window


These crafty hackers just won’t quit, will they? The latest ploy hackers are trying is to deceive a user into thinking they are logging into a secure website, giving up their login credentials.

Mozilla Firefox displays an authentication dialog whenever the visited web server returns a 401 status code and the “WWW-Authenticate” header. In order to specify basic authentication, the “WWW-Authenticate” header should have the value [Basic realm="XXX"] (without the brackets). The Realm value, which in this case is XXX, will be displayed in the authentication dialog window.
While Firefox does not display the characters in the “WWW-Authenticate” header Realm value after the last double-quotes (“), it fails to sanitize single-quotes (‘) and spaces. This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted web site.

You just have to be sooooo aware on the internet these days, because it is getting harder and harder to tell what is legitimate and what is fake.
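As an added example from the defending side (not code from the original post or from the quoted advisory), here is a small parser for the Basic challenge described above, plus a check that flags the realm traits the advisory names (single quotes and runs of spaces) and a sanitizer a server or proxy could apply before the value reaches a browser. The 64-character display budget and the sample challenges are assumptions of this example, not values from the page.

```python
"""Added example (not from the original post or the quoted advisory): parse the
realm out of an HTTP Basic "WWW-Authenticate" challenge, flag realm values
with the traits the advisory describes (single quotes, runs of spaces), and
sanitize a realm before a server or proxy emits it.
"""
import re

# Basic realm="<quoted-string>", with backslash escapes allowed inside the quotes.
_BASIC_RE = re.compile(
    r'^\s*Basic\s+realm\s*=\s*"((?:[^"\\]|\\.)*)"\s*(.*)$', re.IGNORECASE | re.DOTALL
)
# Legitimate trailing auth-params, e.g. ', charset="UTF-8"'.
_PARAMS_RE = re.compile(r'^(?:\s*,\s*[\w-]+\s*=\s*(?:"(?:[^"\\]|\\.)*"|[^\s,"]+))*\s*$')

MAX_REALM_LEN = 64  # assumed display budget for a login prompt


def parse_basic_realm(header_value):
    """Return (realm, text_after_closing_quote) or None if not a quoted Basic challenge."""
    match = _BASIC_RE.match(header_value)
    if match is None:
        return None
    realm = re.sub(r"\\(.)", r"\1", match.group(1))  # undo backslash escapes
    return realm, match.group(2)


def realm_warnings(header_value):
    """List the reasons a realm value might be trying to mislead the user."""
    parsed = parse_basic_realm(header_value)
    if parsed is None:
        return ["no quoted Basic realm found"]
    realm, trailing = parsed
    warnings = []
    if "'" in realm:
        warnings.append("single quote in realm")
    if re.search(r"\s{2,}", realm):
        warnings.append("run of whitespace in realm")
    if re.search(r"[\x00-\x1f\x7f]", realm):
        warnings.append("control character in realm")
    if len(realm) > MAX_REALM_LEN:
        warnings.append("realm longer than %d characters" % MAX_REALM_LEN)
    if trailing and not _PARAMS_RE.match(trailing):
        warnings.append("extra text after the closing quote")
    return warnings


def sanitize_realm(realm):
    """Normalize a realm before emitting it: drop quotes, collapse whitespace, cap length."""
    cleaned = realm.replace('"', "").replace("'", "")
    cleaned = re.sub(r"[\s\x00-\x1f\x7f]+", " ", cleaned).strip()
    return cleaned[:MAX_REALM_LEN]


# Constructed sample challenges, not captured from any real site.
SAMPLE_CHALLENGES = [
    'Basic realm="Staging wiki"',
    'Basic realm="Mail server", charset="UTF-8"',
    "Basic realm=\"intranet'            suspicious realm\"",
    'Digest realm="api", nonce="abc"',
]

if __name__ == "__main__":
    for challenge in SAMPLE_CHALLENGES:
        print(challenge, "->", realm_warnings(challenge) or "ok")
```

Run it and the third constructed challenge is the one that trips both checks; `sanitize_realm` is the server-side counterpart, so that a realm assembled from user-controlled text (a project name, say) cannot carry quotes or padding into the browser's prompt.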


Lies, Lies and Adobe Spies


Yes, I am a tin foil hat guy. The sky is falling, the NSA is listening and Adobe is watching how many times you open your programs. Okay, the first two can’t be PROVEN but I can show you that Adobe is spying on users application habits.

When you launch a CS3 application, the application pings out to what looks like an IP address – an internal IP address: 192.168.112.2O7.

That makes sense, right? Adobe wants to be sure you aren’t running multiple copies of their programs…. Wait something is wrong here.

The first clue something is fishy is that I don’t use a 192.168.xxx.xxx numbering scheme on my network. Secondly, if you look at the address Little Snitch is displaying, the last “numbers” of the IP address (2O7) look funny. Also, IP addresses don’t end in any .com/.net/.org suffix.

Turns out that 192.168.112.2O7.net is owned by Omniture, a huge behavioral analytics firm. Hmmmmmm, anybody curious why Adobe is doing this? Anybody care to sniff packets? I sense an invasion of privacy here!
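The three clues above (labels that imitate a private address, a letter O where a digit belongs, a .net suffix on what looks like an IP) can be turned into an automatic check. The following is an added example, not code from the original post or from Little Snitch: it flags outbound hostnames whose leading labels read like a dotted-quad address. The confusable-letter table and the sample names are constructed for the example, and it resolves nothing, so it runs offline.

```python
"""Added example (not from the original post): flag outbound hostnames whose
leading labels imitate a dotted-quad IP address, the trick behind
192.168.112.2o7.net. This is the kind of check a firewall prompt or proxy log
review could apply; it does not resolve anything and works offline.
"""
import ipaddress
import re

# Letters that read as digits in a small font: the "2O7" in the prompt is
# really two-capital-O-seven, not 207. Constructed table, not exhaustive.
_CONFUSABLE = str.maketrans({"o": "0", "O": "0", "l": "1", "I": "1"})
_QUAD_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _labels(hostname):
    return hostname.strip().rstrip(".").split(".")


def looks_like_ipv4(hostname):
    """Return the IPv4 address the first four labels imitate, or None.

    Requires at least one further label: "1.2.3.4" itself is a real address,
    "1.2.3.4.example.net" is a hostname wearing an address as a disguise.
    """
    labels = _labels(hostname)
    if len(labels) < 5:
        return None
    quad = ".".join(labels[:4]).translate(_CONFUSABLE)
    if not _QUAD_RE.fullmatch(quad):
        return None
    try:
        ipaddress.IPv4Address(quad)  # rejects octets above 255
    except ValueError:
        return None
    return quad


def check_hostname(hostname):
    """Return human-readable warnings for a name seen in an outbound-connection prompt."""
    quad = looks_like_ipv4(hostname)
    if quad is None:
        return []
    labels = _labels(hostname)
    raw, parent = ".".join(labels[:4]), ".".join(labels[4:])
    warnings = []
    if raw != quad:
        warnings.append(f"labels {raw!r} use letters that read as digits ({quad})")
    scope = "private" if ipaddress.IPv4Address(quad).is_private else "public"
    warnings.append(f"imitates {scope} address {quad} but is a hostname under {parent!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample names, as a Little Snitch-style prompt might show them.
    for name in ["192.168.112.2o7.net", "www.adobe.com", "10.0.0.5.example.org"]:
        print(name, "->", check_hostname(name) or "nothing unusual")
```

Plain numeric prefixes such as 10.0.0.5.example.org are reported too, with only the "imitates a private address" warning, since a name that mimics an address under someone else's domain is worth a second look whether or not it also leans on look-alike letters.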
