What Twitter's homepage looked like before it went down on Thursday night.
(Credit: CC u07ch/Flickr)
Twitter stumbled again overnight on Thursday. But this time, it wasn't the work of the "fail whale," the cuddly cartoon personification of the site's excessive technical baggage. Rather, the site was replaced with a foreboding message from "Iranian Cyber Army" before crashing entirely, indicating that it had been the victim of a malicious attack that targeted its internal servers.
Co-founder Biz Stone posted a brief clarification on the issue late on Thursday night. "Twitter's DNS records were temporarily compromised tonight but have now been fixed," he explained. "As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we've investigated more fully."
At the risk of sounding like an evening-news anchor calling attention to exactly how dangerous your treadmill is or how many diseases you can get from the ball pit at Chuck E. Cheese, I think it's time to explore the question: Is it safe to use Twitter?
For one, Twitter's track record with security has been shaky at best. A security flaw this spring exposed the data of a number of employees and allowed a hacker to pilfer some internal documents. Several high-profile accounts, like those of Britney Spears, Ashton Kutcher, and CNN anchor Rick Sanchez, have been targeted individually. Twitter has been the victim of phishing attacks. Other hackers have proved that Twitter accounts can be set up specifically to corral botnets of infected PCs. And in perhaps the biggest incident of all, a politically motivated denial-of-service attack in August that targeted multiple social-media sites managed to cripple Twitter entirely.
Think of it this way: if Facebook, a far bigger and more mainstream site that's had concerns about user privacy splashed all over the news recently, saw its homepage replaced with a nefarious political message, there would probably be a fresh round of calls for CEO Mark Zuckerberg's resignation. Twitter's heavy users are, for better or for worse, accustomed to sporadic downtime and glitches. They're also less likely to ever visit the Twitter.com homepage, considering the service has so many points of entry--text message, as well as third-party apps for mobile, Web, and desktop. Users have become accustomed to logging into third-party applications with their Twitter credentials.
That, perhaps, makes the overnight hack a bigger concern. Even though it's unlikely that user accounts were compromised in this DNS redirect, it's yet another sign that Twitter's security operations have time and again proven weak enough that the service doesn't exactly seem watertight.
A political message, or just plain obnoxious?
On the other hand, we still don't know much about this attack and it may have been less sophisticated than some may fear. One, nobody's exactly sure yet who the hackers were. "Of course, just because a message saying 'This site has been hacked by Iranian Cyber Army' has been posted on a Web page does not necessarily mean that hackers from Iran are responsible for the defacement," Sophos security consultant Graham Cluley wrote on his blog Friday.
Additionally, Cluley said, the aim seems to have been to either get a political message through or to simply be obnoxious. "Fortunately there is no indication at this point that the page was carrying malicious code, and this attack appears to have had political motivations rather than being designed to steal confidential information from users," he wrote.
"It really looks like it was people were redirected to a 'hactivism' site," weighed in fellow Sophos analyst Beth Jones via e-mail. "There was no malicious code on the site claiming to be the 'Iranian Cyber Army' either. It looks like they just hacked the registrar to redirect traffic. So it's quite probable that none of Twitter's own servers were touched."
Another reassurance is the fact that Twitter simply doesn't have the kind of sensitive data that a Facebook or Google does. While it does have millions of mobile phone numbers stored to power its text-message app, not to mention archived private "direct messages" between users, Twitter does not index a whole lot more that isn't otherwise public. Facebook, for example, has many members' credit card numbers on hand (if they've ever used its "gift shop" feature), not to mention extensive personal data in profiles like addresses, birthdays, and family connections. Members who are still concerned about the security of their Twitter accounts can take the obvious step of changing their Twitter passwords to something that they don't use on their e-mail, Facebook accounts, or elsewhere--just in case.
Beth Jones says she has confidence in Twitter. "I wouldn't say their security is second-rate by any means," Jones said via e-mail. "As it stands, they weren't actually compromised, but I can see from a user point of view the questions and concerns. At Sophos we see a new site compromised every 3.6 seconds. That's easily close to 24,000 sites a day, and of those, the vast majority are legitimate sites that get hacked."
That doesn't mean that Twitter shouldn't start making it more clear that it takes security seriously. If the company, which is now beta-testing a "Contributors" feature that may pave the way to paid corporate accounts, begins storing financial information, we can only hope that their security operations are turned up a few notches. Or, ideally, an order of magnitude.
This post was expanded at 6:23 a.m. PT with comment from Sophos' Beth Jones.
The saga continues: Electronic Arts, which handles digital versions of the board game Scrabble for North American parent company Hasbro, has claimed that malicious hackers were responsible for the disappearance of its Facebook application on Tuesday.
The game had crashed on the same day that the creators of Scrabulous, a popular imitation game, blocked access to North American visitors after a legal complaint from Hasbro. With the real Scrabble inaccessible, irritated fans assumed that there was a server problem--the game is in beta, after all--and filled the application's discussion wall with angry comments.
But the real problem, EA has said, is that a hack downed Scrabble. When, according to the Los Angeles Times, the game was still inaccessible at 4 p.m. PT, the company released a statement.
"EA's Scrabble Facebook game experienced a malicious attack this morning, resulting in the disabling of Scrabble on Facebook," the statement read. "We're working with our partners to resolve this issue and have Scrabble back online and ready to play as soon as possible."
It sounds like the old "blame the hackers" excuse, but if you just look at the Scrabble application wall, it's pretty clear that there are a few people who are angry enough at Hasbro and EA to want to sabotage the game.
Whatever the case, the hack was a good one: on Wednesday morning, the game was still inaccessible.
The top headlines at a given time on Wednesday morning at OurSignal. Yeah, a bit short on relevant news.
(Credit: OurSignal)
On Wednesday morning, I read about a new site called OurSignal, which mashes up the top headlines from Digg, Reddit, Delicious, and HackerNews, promising to show a more diverse array of what the Web's recommending. Kind of like OriginalSignal for social news.
Unfortunately, when I loaded up OurSignal, staring me in the face was "Goatse In Spore," a reference to an extremely crude graphical Web meme (don't Google it, please). Not exactly the kind of top headline I was looking for.
The concept is kind of cool: "warm" colors mean a story is gaining momentum, and "cool" colors mean it's fading. Bigger boxes mean more votes on a story across the Web. And it refreshes every 15 minutes, which isn't that impressive in the real-time culture of Summize, but is still quick enough to provide a fresh take on the news.
That's the problem: news. Social-news sites, for better or for worse, have become known for being places to find the most popular Top 10 lists and funny videos in addition to the news, and OurSignal is no exception. So if you're looking to find the goofiest Digg and Reddit headlines in one place, this is a nice resource; but if you're actually looking for the news, you might be out of luck. Putting a handful of social-news sites together unfortunately doesn't do much to help the content.
I'll stick to Google News for now, thanks.
Files that have been uploaded to hosting sites tend to have a short shelf life, but there are few that manage to keep them around indefinitely. In many cases, users will simply forget about a previously uploaded file, or have no more use for it. FilesTube helps give these orphaned files a second life: it is a search engine that monitors files that have recently been uploaded to a handful of file-sharing sites and makes them easily searchable. While the files aren't in any way hosted on FilesTube, the service acts as a middleman to point you to where you can download them.
In addition to links that have been slurped up from FilesTube's search spiders, users can submit their own links. It supports seven popular upload and sharing services, and if users have shared something on their own server, they can simply drop in the direct URL and FilesTube does the rest.
Similar efforts to FilesTube have been constructed using larger search engines and their support of advanced operators. A few that have made the rounds earlier this year were SearchHacker and G2P; both make use of Google and are fully capable of pulling in a variety of file formats based on user-specified search queries.
[via eHub]
Note: We're not down with piracy. These sites may contain illegally shared files, so use your head.
McAfee announced plans on Tuesday to acquire ScanAlert in a deal worth approximately $51 million in cash.
And what is McAfee looking to get for its money? For starters, it'll snap up ScanAlert's Hacker Safe Web site security certification service, bolster its own SiteAdvisor security-rating system, and become the keeper of ScanAlert's proverbial "good housekeeping" seal for sites seeking to reassure customers that they are conducting safe online transactions.
The acquisition, expected to close in the first quarter, calls for integrating ScanAlert's e-commerce security certification service into McAfee's SiteAdvisor system. McAfee last year acquired SiteAdvisor, which informs users about the safety of their returned search results, estimating the likelihood that a site could potentially infect their computer with spyware, spam, or a browser attack.
ScanAlert issues a Hacker Safe certification to Web sites that have undergone its scanning service for vulnerabilities and have demonstrated that those vulnerabilities have been fixed. The sites also need to undergo daily scans by ScanAlert in order to maintain their Hacker Safe stamp of approval.
The Hacker Safe certification will be visible through SiteAdvisor once the acquisition is completed and the technologies are integrated.
Security fears have resulted in consumers delaying their online-shopping decisions and transactions by more than half a day, according to ScanAlert's own research.
Those concerns are nothing new. Two years ago, a fourth of online shoppers reduced their purchases, as fear over identity theft soared, according to a report by RSA Security.
E-commerce site operators, as a result, have been particularly interested in trying various techniques to boost the security of their sites.
As part of the McAfee deal, ScanAlert may see its overall acquisition price jump by another $24 million, should it hit certain performance targets.
The company has 8,000 customers, who represent more than 75,000 Web sites. Those customers include Toshiba, Warner Bros., and the American Red Cross.
Editor's note: This story was updated at 9:59 a.m. PDT.
Steve Jobs made it official Wednesday morning: third-party applications are coming to the iPhone.
Apple's CEO posted another of his open letters to the world Wednesday on Apple's Hot News section of its Web site, confirming reports that a software development kit (SDK) for the iPhone will be released to developers next year. It's coming in February, rather than January as reported, but application developers and iPhone owners will probably be able to wait the extra month.
"We are excited about creating a vibrant third party developer community around the iPhone and enabling hundreds of new applications for our users," Jobs wrote. "It will take until February to release an SDK because we're trying to do two diametrically opposed things at once--provide an advanced and open platform to developers while at the same time protect iPhone users from viruses, malware, privacy attacks, etc."
It always made sense for Apple to go down this road, since it was never going to win a hacking war and users clearly want third-party applications on their iPhones and iPod Touches, which will also be opened up by the SDK, Jobs confirmed. I actually thought it would take a little longer for Apple to open its precious iPhone up to developers, but the company probably has become more satisfied in recent months with the stability of the OS X operating system. Apple has always said that the iPhone runs Mac OS X at its core, but in practical terms it's really a new operating system that Apple has put together for the iPhone with common DNA from Mac OS.
Jobs implied that the first iPhone SDK would be a step past what Nokia is doing with its developers. Nokia has a huge developer community that creates applications for both Java and Symbian-based phones, and Jobs said those
"While this makes such a phone less than 'totally open,' we believe it is a step in the right direction," he wrote, hinting that Apple would somehow make it possible for almost any developer to add trusted applications to the iPhone using the SDK.
We'll have to see how Apple decides to strike a balance between openness and security, but it's good to see the company acknowledge that there are more options for keeping the iPhone secure than just
What do you get when you mash up the latest, greatest Google feature with an unconference full of hackers?
I'm tempted to say pure magic, but instead I'll say you get Hacking Google Street View, the report from WhereCamp that I found on my favorite blog, Waxy.org, Monday.
Google's Street View feature lets people see street-level images from several U.S. cities
(Credit: Google)
So what is it? It's hackers playing with the Street View APIs, figuring out ways to do things like mash up Grand Theft Auto with the hot new mapping phenomenon.
"Greg Sadetsky cracked Street View a couple hours after the announcement at Where 2.0," the Brain Off post reported. "It was pretty easy and comprehensible...almost as if the Google engineers wanted it hacked. I'm sure they did."
Nothing specific came out of the late-night geekery, but knowing what people with good ideas can come up with, especially when enabled as they usually are when it comes to Google Maps projects, I'm sure that within days, we'll be seeing some very cool things spreading across the Intertubes.
(Credit: CNET Networks)
Flash guru Michael Battle has created a 3D version of Digg. You can zoom around all the popular stories on Digg's technology page using your mouse and scroll wheel. It's not exactly the most useful interface, but it's a ton of fun and it's very slick. If you get lost, just refresh your browser. There's also a complete list of advanced navigation instructions here.
Seeing Web sites in 3D reminded me of the 1995 movie Hackers, where a young Jesse Bradford hacks into a complex computer network by flying around a magical city of what can only be Microsoft Excel spreadsheets (clip here).
[via Digg]