Well, this hacker has quite the sense of humor.
Reports started spreading this weekend that iPhone users in Australia had been falling victim to "ikee," a worm that replaces default wallpaper with a picture of Rick Astley, the British pop singer whose song "Never Gonna Give You Up" has gained eternal infamy thanks to the mainstreaming of the "Rickrolling" prank craze. The photo is accompanied by the message "ikee is never gonna give you up," and it's apparently quite difficult to remove. According to security firm Sophos, this is the first worm detected that targets the iPhone.
The vulnerability is pretty specific: the phones must be jailbroken in order to be affected, and it appears to spread by searching an infected phone's contacts to find other jailbroken-phone users who have installed the Unix software SSH (secure shell) but haven't yet changed their passwords from Apple's default root password, "alpine."
Sophos says that it has not heard of any occurrences of the worm outside Australia, and that while it doesn't appear to do anything worse than irritate and embarrass affected users, it highlights the vulnerabilities that jailbroken phones face.
Facebook head of communications Elliot Schrage posted a company blog entry on Thursday inviting members to review proposed updates to the social network's privacy policy, and much of it deals with what happens to the content of accounts that members have opted to delete.
"Specifically, we've included sections that further explain the privacy setting you can choose to make your content viewable by everyone, the difference between deactivating and deleting your account, and the process of memorializing an account once we've received a report that the account holder is deceased," Schrage wrote. Earlier this week, Facebook detailed the process of "memorializing" an account, which leaves the profile intact to current friends but hides potentially sensitive information.
Now, in the proposed new policy, which members are invited to review and comment on until November 5, Facebook explains to users that they can "deactivate" their account, which hides it but keeps information stored for potential reactivation, or alternately choose to delete it for good.
"Even after you remove information from your profile or delete your account, copies of that information may remain viewable elsewhere to the extent it has been shared with others, it was otherwise distributed pursuant to your privacy settings, or it was copied or stored by other users," the new wording explains. It's referring to content like posts and comments on other members' profile 'walls.' "However, your name will no longer be associated with that information on Facebook."
It's been a long and twisted road for Facebook's privacy regulations. The new policy was put into place after a complaint from the Canadian Privacy Commission called into question what would happen to member profile data if a user deactivated an account.
That fiasco followed outrage over changes to Facebook's terms of service that implied Facebook claimed an "irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license" to member content even if the account had been deleted. One privacy advocacy group readied a federal complaint, and Facebook backed off and returned to its old terms of service.
In July, Facebook cleaned up its user privacy controls as it prepared to open up more of its profile content to public access and search engines.
But the Canadian Privacy Commission had also taken issue with how much Facebook profile information could potentially be shared with third-party developers or advertisers. Facebook made additional modifications to its user privacy controls in August in response to concerns about the developer platform, and in Thursday's post about the new privacy policy Schrage highlighted that the social network does not intend to share personal data with advertisers.
"The information we provide to advertisers is 'anonymized,' meaning that it can't be traced back to you as an individual in any way," Schrage's post explained.
[Image: I'm not an employee of MySpace, but I was able to join its Facebook network. (Credit: Facebook)]
I do not work for MySpace. But my Facebook profile now says I do, thanks to what appears to be a sneaky little flaw in MySpace's recently launched e-mail client.
Professional networks on Facebook are intended to be limited to employees, and require a corporate e-mail address to which Facebook sends a confirmation e-mail to verify accuracy. But when MySpace launched MySpace Mail this summer, it made e-mail addresses with the myspace.com domain--which is also used internally for corporate e-mail--available to any members of the News Corp.-owned social network.
A reader tipped off CNET News to the hack, which requires a little bit of HTML know-how. We're not going to give detailed instructions out of the interest of MySpace employees' own security--and it looks like Facebook has put a fix in place, because when a CNET colleague used a MySpace Mail address to register around 2:40 p.m. PT on Wednesday, he was informed that the address was invalid.
[Image: See what happens? (Credit: Facebook)]
In vague terms, it looks like MySpace was aware of the fact that members might try to register for its network on Facebook, because the confirmation link to Facebook does not work in MySpace Mail, nor does copy-pasting it. Basically, it's mangled somehow. But, the tipster explained, the real link is still in the page's HTML source. And indeed, I was able to join MySpace's network on Facebook.
This does have security implications, because many Facebook members limit some of their profile data to people who went to their schools or work for the same company--Facebook first launched corporate networks in the spring of 2005. Many may display their cell phone numbers, photo albums, or home addresses only to college alumni or co-workers.
It's an issue for Facebook as well because the massive social site does have an obligation to make sure that its restricted networks don't lie fallow. If there's a change in corporate e-mail structure at a company with a Facebook network, particularly a big one, that can mean something big with regard to potentially thousands of Facebook members' security.
A MySpace representative told CNET News that the company was looking into the matter and would be able to comment soon.
This post was updated at 2:44 p.m. PT on Wednesday to note that the problem appears to have been corrected by Facebook.
No, it's not just you.
Facebook confirmed on Monday afternoon that there have been sitewide problems that saw log-in credentials turned down, status messages eaten up, and other various unpleasant occurrences over the course of the past few days. But the social network, which recently surpassed 300 million active users worldwide, hasn't yet disclosed the source of the problem.
"Some users are experiencing errors across a number of site features," a statement e-mailed to CNET News read. "This includes content occasionally disappearing, difficulty logging in or viewing profiles, and error messages when posting content. We are working to resolve these issues as soon as possible."
Outages at major social media sites have drawn particular attention since a massive distributed denial-of-service attack last month threw Facebook into flux and took down Twitter altogether.
It's finally over for Beacon, the ill-fated advertising program that the social network initially launched with splashy Madison Avenue fanfare nearly two years ago.
The social network has settled a year-old class action lawsuit that targeted the social network's alleged failure to provide adequate information and privacy controls to users with regard to Beacon, which shared users' activity on third-party partner sites in Facebook news feeds.
One of the terms of the settlement? Any last vestiges of Beacon, which failed to gain traction amid a barrage of negative press stemming largely from advocacy groups like MoveOn.org, will be shut down completely.
Also as part of the settlement, which is still pending approval from a judge, a $9.5 million "settlement fund" has been established to set up an independent foundation to "fund projects and initiatives that promote the cause of online privacy, safety, and security," according to a release. Up to a third of that fund, however, can potentially be recovered by the plaintiffs' lawyers.
"We look forward to the creation of the foundation and its work to educate Internet users on how best to control their privacy; engage in safe social-networking practices; and, generally, enjoy themselves more online by having knowledge that gives them a greater sense of control," a statement from Facebook representative Barry Schnitt read. "We fully expect the foundation to team with other leading online-safety and privacy experts and organizations that have been working diligently in these fields."
The suit was filed in August 2008 on behalf of 20 plaintiffs, most of whom were Texas residents. Named as defendants were Facebook, along with current and former Beacon participants Blockbuster, Fandango (owned by Comcast), Overstock.com, STA Travel, Zappos, Hotwire (owned by InterActiveCorp), and GameFly. Another, earlier Beacon-related lawsuit had been filed against Blockbuster several months earlier, claiming that its participation in the advertising program violated the Video Privacy Protection Act of 1987. Facebook was not named as a defendant in that suit.
Shortly after the negative buzz about Beacon started, Facebook began tweaking and modifying the program to allow more user control over the feature. But it was too late: advocacy groups claimed that it still wasn't enough, some existing partners pulled out, and others were likely deterred from participating because of the unsavory implications. Surprisingly, a "small number of customers" were still using it; Facebook will work to transition them out of it.
Facebook's experiments in social-media advertising turned instead to "engagement ads," which have come under some scrutiny themselves, and the "fan pages" that it encourages brands, organizations, and celebrities to create.
The irony behind Friday's news is that the thinking behind Beacon ultimately evolved into the phenomenally successful Facebook Connect, the universal log-in standard that, among other things, shares third-party activity on members' Facebook profiles.
The privacy controls on Connect are clearer and more extensive, but perhaps more crucial to Facebook Connect's success has been the fact that it's been marketed as a utility for ordinary members rather than an advertising tool for paying clients. It's free for third-party sites to implement, and with only a few exceptions, sites working with Facebook Connect code it in through the social network's application programming interface, or API, rather than ink a formal partnership.
And offering Facebook users the chance to register and log in to external sites without separate usernames and passwords gives Facebook Connect's marketing a slant of user convenience--and security, as some Web users may be more comfortable hitting a "Connect with Facebook" button than registering for an account with a new Web service.
"We learned a great deal from the Beacon experience," the statement from Facebook's Schnitt read. "For one, it underscored how critical it is to provide extensive user control over how information is shared. We also learned how to effectively communicate changes that we make to the user experience. The introduction of Facebook Connect--a product that gives users significant control over how they extend their Facebook identity on the Web and share experiences back to friends on Facebook--is an example of this."
The Northern California chapter of the American Civil Liberties Union has put out a campaign designed to raise awareness of the privacy implications of Facebook's developer platform. It's focusing specifically on the popular "quiz" applications, like "Which Cocktail Best Suits Your Personality?" and "Which Wes Anderson Movie Character Are You?" These are largely one-time-use apps that many a Facebook user clicks on and tries out with little concern.
According to the ACLU chapter, "millions of people on Facebook who use third-party applications on the site, including the popular quizzes, do not realize the extent to which developers of quizzes and other applications have access to personal information. Facebook's default privacy settings allow nearly unfettered access to a user's profile information, including religion, sexual orientation, political affiliation, photos, events, notes, wall posts, and groups." For the promotion, it's put together a quiz about how much you know about Facebook-based quizzes.
Side note: Creating a Facebook quiz app to draw attention to the pitfalls of Facebook quiz apps is very meta.
"It's time for Facebook to upgrade its privacy controls so that quizzes can only see what people want them to see," Chris Conley, technology and civil liberties fellow at the ACLU of Northern California, said in a release. "Users need stronger protections than Facebook currently provides."
So are the ACLU-NC's claims legitimate? The most damning one asserts that "regardless of whether a user's Facebook profile is 'private,' by taking a quiz the user allows its developer to gain access to the user's profile information...by Facebook default, every time one of a user's friends takes a quiz, the quiz has access to that user's profile information." That could have particularly alarming security implications if an app turns out to be malicious.
Facebook does not deny this, but notes that "sensitive" information like contact details are not available to third-party apps, and that Facebook has settings for users to tweak exactly how much their friends' apps can see.
Last month, the company modified its privacy settings to make them more user-friendly.
The ACLU chapter recommends that Facebook make it an opt-in, rather than opt-out process for apps to access a user's friends' data and require that apps list the specific profile data fields that they will be accessing.
"We generally agree with (the ACLU's) recommendations and have already made public announcements about relevant changes that are under way," Facebook spokesman Barry Schnitt said in an e-mail. "Specifically, we recently disabled hundreds of applications, including quiz applications, that were inconsistent with Facebook Platform policies...We've also had productive discussions with the Canadian Privacy Commissioner about improving user data controls on Platform. We'd be glad to also have productive discussions with the ACLU and generally catch them up, if they want to give us a call."
The office of the Canadian Privacy Commissioner, which has taken issue with Facebook's privacy policies, is holding a press conference on Thursday to address the subject, and Facebook plans to hold a conference call with reporters in response.
A Twitter account can be used as the command center for harnessing a "botnet" of virus-infected computers, security firms Arbor Networks and Symantec reported. In a blog post Friday, Symantec analyst Peter Coogan wrote that researchers found an account, @upd4t3, which was tweeting out links to download a piece of malware called Downloader.Sninfs. The account has since been suspended by Twitter.
Downloader.Sninfs, also known as Infostealer.Bancos, is a Trojan that uses the guise of a Brazilian banking site to collect passwords and related personal information from infected computers.
Security on Twitter is front and center right now, as the microblogging site was completely downed by a distributed denial-of-service attack last week that was targeting a Georgian political blogger. While other services like Facebook and the Google-owned Blogger were also hit by the attack, Twitter was the only one to suffer a full-out, hours-long outage, and it called into question just how secure the service really is.
But in this case, the Twittering botnet doesn't necessarily highlight a vulnerability that would be unique to Twitter.
"Although Twitter.com has been used in this instance, there are plenty of alternative sites on the Internet that could also be used as a similar medium of communication," Coogan wrote.
This post was updated at 1:05 p.m. PDT to note that Arbor Networks also reported the Twitter-based botnet.
Twitter's servers were on the fritz again on Tuesday, with members receiving server timeouts and third-party applications unable to access the microblogging service. This appears to have begun around 11:45 a.m. PDT.
Twitter posted an update to its status blog when the servers had been in flux for about 10 minutes: "Responding to site downtime. We're working to recover from a site outage and will update as we learn more."
The service was back up about a half hour later. At 12:17 p.m. PT, Twitter confirmed that it was an attack. "We're back up and analyzing the traffic data to determine the nature of this attack," the company said.
Outages used to be commonplace at Twitter when the small start-up's servers were unable to keep up with the massive amount of data flowing through them. They gradually became less and less frequent. But this one's particularly notable because it happens as Twitter is still reeling from a denial-of-service attack last week that targeted a Georgian activist blogger but ended up knocking Twitter's servers offline for several hours. Other services, like Facebook and LiveJournal, were also affected by the attack.
More updates when we hear them...last updated at 3:57 p.m. PT.
Hackers launched a distributed denial-of-service (DDOS) attack that sporadically downed popular blog network Gawker Media over the weekend and on Monday, the company confirmed in a blog post early Tuesday morning.
When CNET News spoke to Gawker Media representatives on Monday, they were not yet sure what was causing the outages but had not ruled out malicious behavior.
The attacks appear to have been launched at Consumerist, a blog that Gawker sold to Consumer Reports last year but which is still hosted on the same servers. The motivation behind them is not yet clear.
The New York-based Gawker Media has sold or merged a number of its blog titles over the past few years, but it remains the parent company of several extremely high-profile blogs--often with an edgy gossip angle--like Gizmodo, Jezebel, and the eponymous Gawker.com.
DDOS attacks occur when attackers flood a site with traffic from many sources at once, overwhelming it until it can no longer respond; they can knock out entire hosting companies.
Following an investigation, Canada's Privacy Commissioner is concerned that Facebook is only paying lip service to members' privacy, and has called on it to do more.
"It's clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates," commissioner Jennifer Stoddart said in a release Thursday, which explained that the investigation was spurred by a complaint from the Canadian Internet Policy and Public Interest Clinic (CIPPIC).
About 12 million of Facebook's 250 million active users are Canadian.
More specifically, Stoddart expressed concern that while it's easy for members to deactivate their accounts, it's less clear how to actually delete them. Facebook can therefore retain member data from deactivated accounts for an indefinite period of time, which is in violation of a Canadian privacy law; Stoddart's office's investigation recommended that Facebook designate a time period after which that data is permanently deleted.
The report also suggests that Facebook tighten privacy regulations on its developer platform to ensure that third-party developers can't access too much personal information from the users who have installed their applications.
Here's something interesting from the release: "As a result of the investigation, Facebook has announced a new privacy tool for its site, which is aimed at giving users more control over who gets to see each item on their Facebook page."
Facebook launched those new tools in a conference call with reporters early this month. But the social network did not say at the time that there had been any impetus from lawmakers behind it.
"Facebook is pleased that the Canadian Federal Privacy Commissioner has dismissed most of the inaccurate claims brought by CIPPIC, and that we were able to collaboratively resolve other issues raised in the complaint," a statement from Facebook read. "The Commissioner also recognized, as we do, that privacy and user control on the social web is a new area, which requires websites, users and data protection authorities to work together. Without question, Facebook and the Canadian Privacy Commissioner's Office share the common goal of making the Internet more privacy friendly for Canadians and users across the world."
"As part of our continued leadership in developing privacy tools that advance user control over their information, Facebook will soon be introducing a number of new additional privacy features to its service that we believe will keep the site at the forefront of user privacy and address any remaining concerns the Commission may have," the statement continued. "In the meantime, we will also continue our efforts to work with the Canadian Federal Privacy Commissioner to address the outstanding areas highlighted in the report and will continue our efforts to raise awareness of the privacy controls on Facebook."
This post was updated at 11:04 a.m. PDT with comment from Facebook.