Friday, May 13, 2011

Blog for May 12th (Deleted when Blogger went down)

Of course they fixed it! (after initially denying that it existed) How could they sell something that advertisers could get for free?

Facebook Quietly Patches A Massive Security Hole, Millions Potentially Affected [News]

Facebook has confirmed claims made by Symantec over millions of leaked “access tokens”. These tokens enable an application to access personal information and make changes to profiles, essentially giving third parties the “spare key” to your profile information, photographs, wall and messages.

It is not confirmed whether these third parties (mostly advertisers) knew about the security hole, though Facebook has since told Symantec that the flaw has been fixed. Access granted via these keys could have even been used to mine users’ personal data, with evidence that the security flaw could date back to 2007 when Facebook applications were launched.

… Users who are concerned that their access keys have been well and truly leaked should change their passwords immediately to automatically reset the token.

There was no news of the breach on the official Facebook blog, though revised application authentication methods have since been posted on the developers blog, requiring all sites and applications to switch to OAUTH2.0.
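The fix the article recommends to users, changing the password so that the outstanding token is reset, only works if the token store ties every issued token to the credential that was current when it was minted. Below is an added example of one way to build that link; it is not Facebook's code and is not from the quoted article. It uses a constructed in-memory store with a per-user credential generation counter, and all names, scopes and the SHA-256 placeholder hashing are assumptions made for the illustration.

```python
"""Access tokens as "spare keys", and password rotation revoking every
outstanding key. Added illustration: the store, user, scopes and hashing
below are constructed for the example and are not Facebook's design."""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    name: str
    password_hash: str
    # Bumped on every password change. Tokens remember the generation they
    # were minted under and stop validating once the user moves past it.
    credential_generation: int = 0


@dataclass
class TokenRecord:
    user: str
    scopes: frozenset
    generation: int
    expires_at: float


class TokenStore:
    def __init__(self):
        self.users = {}
        # Keyed by SHA-256 of the token, so a copy of this table leaking
        # (as in the incident above) is not itself a set of usable keys.
        self._tokens = {}

    @staticmethod
    def _hash_pw(password):
        # Placeholder only; a production system would use a slow KDF
        # such as bcrypt, scrypt or argon2, not plain SHA-256.
        return hashlib.sha256(password.encode()).hexdigest()

    @staticmethod
    def _hash_token(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def add_user(self, name, password):
        self.users[name] = User(name, self._hash_pw(password))

    def issue_token(self, name, scopes, ttl_seconds=3600, now=None):
        """Mint a random opaque token bound to the user's current generation."""
        user = self.users[name]
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._hash_token(token)] = TokenRecord(
            user=name, scopes=frozenset(scopes),
            generation=user.credential_generation,
            expires_at=now + ttl_seconds)
        return token

    def check(self, token, scope, now=None):
        """True only if the token is known, unexpired, was issued under the
        user's current credential generation, and carries the scope."""
        rec = self._tokens.get(self._hash_token(token))
        if rec is None:
            return False
        now = time.time() if now is None else now
        if now >= rec.expires_at:
            return False
        if rec.generation != self.users[rec.user].credential_generation:
            return False  # minted before a password change: revoked
        return scope in rec.scopes

    def change_password(self, name, old_password, new_password):
        """Rotate the password; bumping the generation revokes all tokens."""
        user = self.users[name]
        if user.password_hash != self._hash_pw(old_password):
            return False
        user.password_hash = self._hash_pw(new_password)
        user.credential_generation += 1
        return True


def demo():
    """Walk through issue, use, password change and re-issue; returns the
    outcome of each check so the behaviour can be inspected."""
    store = TokenStore()
    store.add_user("alice", "correct horse")          # constructed user
    tok = store.issue_token("alice", ["read_profile", "read_photos"], now=1000.0)
    before = store.check(tok, "read_photos", now=1500.0)      # valid
    wrong_scope = store.check(tok, "post_wall", now=1500.0)   # scope not granted
    store.change_password("alice", "correct horse", "battery staple")
    after = store.check(tok, "read_photos", now=1500.0)       # revoked by rotation
    new_tok = store.issue_token("alice", ["read_profile"], now=2000.0)
    return {
        "before": before,
        "wrong_scope": wrong_scope,
        "after": after,
        "new_token": store.check(new_tok, "read_profile", now=2500.0),
        "expired": store.check(new_tok, "read_profile", now=6000.0),
    }


if __name__ == "__main__":
    print(demo())
```

The generation counter is the part that makes the password change meaningful: without it, rotating the password leaves every previously issued token valid until it expires, which is exactly the situation a user cannot see. Storing only a hash of each token means an exposed token table is not directly replayable.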

Even while the “victim” remains ignorant, banks and credit unions are taking action.

(update) Michaels Stores finds tampered PIN pads in 20 states

May 11, 2011 by admin

As noted yesterday by Brian Krebs, the Michaels Store breach appears to be significantly larger than what was originally reported on May 4. NBC in Chicago reports:

The Irving, Texas-based company reports it removed 7,200 PIN pads from stores as a precautionary measure. Of those removed, less than 90 devices (or 1 percent of the total devices) were identified as being compromised.

“The company has commenced replacing these PIN pads in all US stores,” Michaels said in an official statement, “and expects the replacement to be completed within the next 15 days.”

The list of 20 states with PIN pad tampering includes Illinois, Georgia, North Carolina, Ohio, Virginia, New Mexico, Iowa, Delaware, Colorado, Pennsylvania, Rhode Island, Utah, New Jersey, Nevada and Washington.

Gregory Karp of the Chicago Tribune adds:

Illinois was hit the hardest, with PIN pads compromised in 14 Michaels stores, all in the Chicago region. They are Bloomingdale, Burbank, Chicago Ridge, Downers Grove, Glenview, Gurnee, McHenry, Mount Prospect, Naperville, Niles, Norridge, Skokie, Vernon Hills and Willowbrook.

The fraud attack has led many banks to proactively freeze bank accounts of customers they think may be vulnerable. [Overreaction? Bob] For example, Marquette Bank, with 24 branches in the Chicago region, said 1,900, or 3 percent, of its customers were identified as potential victims, meaning they made a PIN-based debit card transaction at Michaels over the past six months.

“We were able to identify fraud early, before Michaels went public with their data breach, so we were able to avoid large losses,” said bank spokesman Jeff McDonald. The bank posted warnings on its Web page and on social media site Twitter, while it also called customers, sent letters and began proactively replacing debit cards of some customers. “Unfortunately, we have become experts in addressing these issues quickly with minimal customer inconvenience after dealing with past retail store breaches,” he said.

Credit Union 1 recently posted a warning on its website: “Due to an enormous surge in fraudulent ‘Pin based’ ATM transactions in California throughout the financial industry, Credit Union 1 has shut down the availability of ‘Pin based’ ATM transactions in California only. Effective immediately, when a ‘Pin based’ transaction occurs in California, your Credit Union 1 Visa Debit card will be ‘flagged’ and will not be able to be used again.”

A list of stores known to be affected is included in Michaels Stores’ official statement on pages 2 and 3.

This whole incident is reminiscent of the breaches involving Hancock Fabrics and ALDI.

For my Ethical Hackers.

Search Contrarian Blekko’s Next Move: Limiting Its User Data Retention To 48 Hours

Search engine Blekko, ever eager to differentiate itself and make headlines with its countless product development advances, is announcing today that it will reduce its data retention period to 48 hours, retaining far less user personal information (like IP addresses) than the dominant players in the space.

For comparison, competitors Google and Yahoo are currently at 18 months of user data retention and Bing is at six months, which is the European standard. In fact, Yahoo recently extended its data retention policy from 90 days to 18 months because it needed it to “compete” with Google in offering personalized recommendations.

Crazy IS a defense...

NY’s highest court rules HIPAA trumps Kendra’s law

By Dissent, May 11, 2011

Alison Frankel of Reuters reports:

U.S. privacy laws bar release of a mental health patient’s records as part of an effort to compel outpatient treatment unless the disclosure is authorized by the patient or a court, the New York Court of Appeals ruled on Tuesday.

It was the first time a state’s highest court had ruled on the scope of the Health Insurance Portability and Accountability (HIPAA) Act’s privacy provisions in an involuntary mental health treatment proceeding, said the patient’s lawyers, Scott M. Wells and Dennis Feld of the New York Mental Hygiene Legal Services.

The ruling was In the Matter of Miguel M. The New York City Department of Health and Mental Hygiene sought in 2007 to compel Miguel M. to receive mental health treatment under Kendra’s Law, a 1999 New York statute that permits public officials to demand outpatient treatment orders for mental health patients who have been hospitalized after failing to comply with treatment plans.

At the Supreme Court hearing on Miguel M.’s treatment order, counsel for the city asked to introduce into evidence records of the patient’s two recent hospitalizations for schizoaffective disorder. Although the city conceded that the records had been obtained without the patient’s consent or a court order, it argued that the disclosure was permissible under Kendra’s Law.

Miguel M.’s counsel opposed the introduction of his hospital records, citing HIPAA’s privacy strictures. After briefing on the question, the trial court admitted the records, finding that HIPAA permits the disclosure under a provision authorizing public health officials to collect information in order to prevent disease or injury or to conduct a public health investigation or intervention. An intermediate appellate court upheld the ruling.

But in Tuesday’s decision, the Court of Appeals found that neither of those exceptions to HIPAA’s presumption of privacy applies in this case.

Read more on Reuters.

I’m really pleased to see this decision.

“No conflict here. This is not the unethical behavior you are looking for. Move along.”

FCC Commissioner Leaves To Become Lobbyist

"Meredith Attwell Baker, one of the FCC Commissioners, is leaving the FCC to become a lobbyist for Comcast-NBC, just four months after approving their merger deal. She refused to put any significant conditions on the merger, saying that the deal would 'bring exciting benefits to consumers that outweigh potential harms.' Comcast has released an official statement saying that, 'Meredith's executive branch and business experience along with her exceptional relationships in Washington bring Comcast and NBCUniversal the perfect combination of skills.'"

What does Facebook gain from this? Did they think it would allow them to say, “everyone does it?”

Facebook Busted in Clumsy Smear on Google

May 12, 2011 by Dissent

Dan Lyons reports:

For the past few days, a mystery has been unfolding in Silicon Valley. Somebody, it seems, hired Burson-Marsteller, a top public-relations firm, to pitch anti-Google stories to newspapers, urging them to investigate claims that Google was invading people’s privacy. Burson even offered to help an influential blogger write a Google-bashing op-ed, which it promised it could place in outlets like The Washington Post, Politico, and The Huffington Post.

The plot backfired when the blogger turned down Burson’s offer and posted the emails that Burson had sent him. It got worse when USA Today broke a story accusing Burson of spreading a “whisper campaign” about Google “on behalf of an unnamed client.”

But who was the mysterious unnamed client? While fingers pointed at Apple and Microsoft, The Daily Beast discovered that it’s a company nobody suspected—Facebook.

Confronted with evidence, a Facebook spokesman last night confirmed that Facebook hired Burson, citing two reasons: First, because it believes Google is doing some things in social networking that raise privacy concerns; second, and perhaps more important, because Facebook resents Google’s attempts to use Facebook data in its own social-networking service.

Read more in The Daily Beast.

I'm sure there is a law against acting like a teenager... Right?

Teen arrested after allegedly ranking girls on Facebook

The Chicago Tribune reports that the boy was arrested Monday and charged with disorderly conduct after he allegedly published on Facebook his rankings of female classmates.

There are those who find much of Facebook disorderly. However, the Chicago Sun-Times reported last month that the young gentleman had allegedly posted a comprehensive list, ranking 50 of his female classmates. It apparently included some rather predictable criteria.

There was allegedly a subjective bio of each girl, coupled with separate ratings for their faces and bodies and references to race, ethnicity, and alleged sexual behavior. There was also an indicator of whether their "stock" might be in the ascendancy or not. The vocabulary was not exemplary.

This, some might imagine, is precisely the content of conversations boys have with boys about girls. However, in this case, it was public, on Facebook, and accompanied by fliers that contained full details of the list.

Moreover, the Sun-Times reported that there exists a cell phone video in which the accused is seen at school addressing a crowd and proclaiming the philosophy: "Women are the future, unless we stop them now."

Fortunately, half a billion dollars is chicken feed...

May 11, 2011

Google Announces First Quarter 2011 Results and $500M Set Aside for DOJ Investigation

Google Announces First Quarter 2011 Results: "In May 2011, in connection with a potential resolution of an investigation by the United States Department of Justice into the use of Google advertising by certain advertisers, we accrued $500 million for the three month period ended March 31, 2011. Although we cannot predict the ultimate outcome of this matter, we believe it will not have a material adverse effect on our business, consolidated financial position, results of operations, or cash flows. As a result, we have updated the affected financial data in this release, as noted, as well as the accompanying financial tables."

'cause I know people who love 'em.

40 Insightful (Yet Deadly Creative) Infographics

You are unlikely to win a T-shirt, but the list is useful.

[HELP NEEDED] Tell Us Your Top 10 Websites & Get A T-Shirt!

For my starving students...

Free Windows utility lowers your printing costs

Tired of burning through pricey ink and toner cartridges? PretonSaver Home promises to cut these consumable costs by up to 70 percent. Best of all, it's free.

For my programming students. Handles: Basic, C/C++, C#, CSS, HTML/XML, Java, Javascript, Perl, Python, Ruby and others.

Syntaclet: Makes Code Pretty & Easy To Read

As a developer you might find yourself browsing program codes on websites. Often sites do not neatly present these codes. SyntacLet is here to help you better understand those codes and display them in a friendlier manner.

SyntacLet is a browser bookmarklet that presents codes on websites in a neater manner.

… The language of the code is automatically detected.

Also read related articles: Top 10 Professional Sample Code Websites For Programmers and How To Change Default Webpage Source Editor Of Browsers.

The future of personal computing?

Google Posts Chromebook Product Page With Specs, FAQ, And Notifications

Just a few short moments after Google officially announced the Chromebook at its I/O event, the search giant also posted the Chromebook product page, offering up some juicy details about what we can expect to see on these Chrome OS Notebooks for their June 15 arrival.

According to features listed on the product page, the Chromebooks are definitely catering to the demands of consumers, while simultaneously differentiating themselves from other tablets on the market. The core idea behind the Chromebook is pretty simple: this device is virtually a barebones computer with Chrome OS running on top, rather than a traditional notebook.

The product page offers up a number of features, as well as basic specs for both versions of the Chromebook, manufactured by Samsung and Acer respectively. You’ll also find a support tab on the product page, which includes a guided tour, a FAQs page, and a help center. You can also sign up for notifications on the Chromebook under the highlighted “Notify Me” tab.

We’re pretty excited about the Chromebooks, so if this sounds as great to you as it does to us, check out Matt’s full coverage of the Chromebook announcement at Google I/O, or visit the Chromebook product page.