“A researcher from a Dutch university is warning that Facebook’s ‘Like This’ button is watching your every move. Arnold Roosendaal, who is a doctoral candidate at the Tilburg University for Law, Technology and Society, warns that Facebook is tracking and tracing everyone, whether they use the social networking site or not. Roosendaal says that Facebook’s tentacles reach way beyond the confines of its own web sites and subscriber base because more and more third party sites are using the ‘Like This’ button and Facebook Connect.”
Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. ‘While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,’ Cannon wrote. ‘It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.’
Here’s a good assessment of the problem:
So let’s say you bought a Windows box. Maybe you got it from HP. Maybe you got it from Dell. Maybe from Sony.
Who do you expect to provide you with a patch when someone discovers a new Windows vulnerability? Microsoft, right? If it’s really serious it’ll probably pop up in the next Patch Tuesday. If it’s hyper-serious then it might come out three or four days after the vuln was announced.
That’s not the way it works in the Android world, annoyingly enough. Imagine if the version of Windows loaded onto that HP machine was a special HP version, full of HP customizations like a proprietary HP window manager and a proprietary HP web browser. MS can’t give you any patches because the HP customizations are a fork of MS’s source [code]; when MS does bugfixes, someone at HP has to take a diff of the new MS tree, merge it with the HP tree, and run it all through QA. Oh, and the store you bought it from? Some of them have their own variant source trees too, so the same machine bought from Best Buy rather than direct from HP has its own fork of the OS.
Now multiply this by a different fork for every damn model they sell. Oh, and because they only have so much money, HP/Dell/Sony/Best Buy/whoever typically only bother merging in the OS updates for computers they made in the last year. If you’re lucky.
— Peganthyrus @ Slashdot
[T]wo US companies, Kindsight Inc. and Phorm Inc., are pitching deep packet inspection services as a way for Internet service providers to claim a share of the lucrative online ad market [Shunned Profiling Technology on the Verge of Comeback]. Kindsight and Phorm say they protect people’s privacy with steps that include obtaining their consent. They also say they don’t use the full power of the technology, and refrain from reading email and analyzing sensitive online activities. Use of deep packet inspection this way would nonetheless give advertisers the ability to show ads to people based on extremely detailed profiles of their Internet activity. To persuade Internet users to opt in to be profiled, Kindsight will offer a free security service, while Phorm promises to provide customized web content such as news articles tailored to users’ interests. Both would share ad revenue with the ISPs. Kindsight says its technology is sensitive enough to detect whether a particular person is online for work, or for fun, and can target ads accordingly.
A series of critical breakthroughs – massively increased bandwidth, the demand for rich media, cloud computing, the advent of wireless connectivity and the rise of mobile devices – has created the foundations for the next generation of rich internet-based apps.
Each of the big three computing companies – Microsoft, Apple and Google – has its own radically different vision to promote, as does the world’s biggest creative software company, Adobe.
The stage is set for an enormous battle between these computing titans, and the value of the prize is incalculable: what price can you put on a company that holds the keys to the internet?
— Tom Arah @ PC Pro
Ben Strong writes:
I decided a couple of weeks ago that I wanted to build an app, most likely a web app. Being a premature optimizer by nature, my first order of business (after deciding I need to learn to draw) was to find the absolute fastest way to serve up a web page. The Google home page is the fastest-loading page I know of, so I thought a good place to start would be to figure out how they do it and then replicate their strategy.
The full story of my search is below, but the short version is that to match Google’s page load times you have to cheat on the TCP slow-start algorithm. It appears that stretching the parameters a little bit is fairly common, but Google and Microsoft push it a lot further than most. This may well be common knowledge in web development circles, but it was news to me.
“Software developer and blogger Ben Strong did a little exploring to find out how Google achieves its admirably fast load times. What he discovered is that Google, and to a much greater extent Microsoft, are cheating on the ‘slow-start’ requirement of RFC-3390. His research indicates that discussion of this practice on the Net is at an early, and somewhat theoretical, stage. Strong concludes with this question: ‘What should I do in my app (and what should you do in yours)? Join the arms race or sit on the sidelines and let Google have all the page-load glory?'”
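To see why stretching the initial window matters, here is an added example, not Ben Strong’s code and not taken from any of the servers he measured: a deliberately idealised Python model of TCP slow start. It takes the initial congestion window RFC 3390 allows (min(4·MSS, max(2·MSS, 4380 bytes)), three segments for a 1460-byte MSS) and compares it with a stretched initial window of ten segments, counting how many round trips each needs to deliver a response of a given size. The model assumes no loss, no delayed ACKs, a window that doubles every RTT and a response that is fully ready at time zero; the page sizes and the value 10 are illustrative choices, not measurements.

```python
# Added example (not Ben Strong's code): a simplified model of TCP slow start
# used to show why a larger initial congestion window (initcwnd) cuts the
# number of round trips needed to deliver a small web page.
# Assumptions: no packet loss, no delayed ACKs, cwnd doubles every RTT, and
# the whole response is ready to send at time zero.

MSS = 1460  # typical IPv4 MSS in bytes: 1500-byte MTU minus 40 bytes of IP+TCP headers


def rfc3390_initial_window(mss):
    """Initial congestion window in bytes permitted by RFC 3390:
    min(4*MSS, max(2*MSS, 4380 bytes))."""
    return min(4 * mss, max(2 * mss, 4380))


def rfc3390_initial_segments(mss):
    """The RFC 3390 initial window expressed in whole segments."""
    return rfc3390_initial_window(mss) // mss


def rtts_to_deliver(size_bytes, init_segments, mss=MSS):
    """Round trips needed to push size_bytes through an idealised slow start
    that begins at init_segments and doubles each RTT. Returns 0 for an empty
    response. The RTT carrying the last byte counts; the final ACK does not."""
    segments_needed = -(-size_bytes // mss)  # ceiling division
    cwnd = init_segments
    sent = 0
    rtts = 0
    while sent < segments_needed:
        sent += cwnd
        cwnd *= 2
        rtts += 1
    return rtts


def compare(size_bytes, stretched_init=10, mss=MSS):
    """Return (RTTs with the RFC 3390 initcwnd, RTTs with a stretched initcwnd)."""
    standard = rtts_to_deliver(size_bytes, rfc3390_initial_segments(mss), mss)
    stretched = rtts_to_deliver(size_bytes, stretched_init, mss)
    return standard, stretched


if __name__ == "__main__":
    for kb in (10, 30, 60, 120):
        std, big = compare(kb * 1024)
        print(f"{kb:>4} KB response: {std} RTTs at RFC 3390 initcwnd, {big} at initcwnd=10")
```

The saving is one or two round trips per response, which on a 100 ms path is the difference Strong was measuring. The same model also shows the cost side of the arms race: a server that starts with ten segments puts ten full packets onto a path it knows nothing about yet, so a congested link sees the burst before the first ACK can signal trouble.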
HTTPS Everywhere Gets Firesheep Protection
The Electronic Frontier Foundation today said it rolled out a version of HTTPS Everywhere that offers protection against ‘Firesheep’ and other tools that seek to exploit webpage security flaws. Hitting the streets in October, Firesheep caused a storm of controversy over its tactics, ethics and Web security in general. Firesheep sniffs unencrypted cookies sent across open WiFi networks for unsuspecting visitors to Web sites such as Facebook and Twitter, and lets the user take on those visitors’ log-in credentials.
HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites.
Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site.
The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.
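To make that rewriting step concrete, here is an added example in Python, not the extension’s own code and not a ruleset it ships: it parses a constructed ruleset written in the XML ruleset format HTTPS Everywhere uses (target, exclusion and rule elements) and applies it the way the extension does, turning a matching http:// URL into its https:// form before any request leaves the browser. The hostnames and patterns are invented for the example, and the matching semantics are simplified to exact host targets with the first matching rule winning.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset in the HTTPS Everywhere XML ruleset format (assumption:
# <target>, <exclusion> and <rule> elements used as below). The hosts and
# patterns are invented for this example, not a shipped ruleset.
RULESET_XML = r"""
<ruleset name="Example Site">
  <target host="example.com" />
  <target host="www.example.com" />
  <target host="cdn.example.com" />
  <target host="legacy.example.com" />
  <exclusion pattern="^http://legacy\.example\.com/" />
  <rule from="^http://(www\.)?example\.com/" to="https://www.example.com/" />
  <rule from="^http://([^/:@]+)\.example\.com/" to="https://$1.example.com/" />
</ruleset>
"""


class Ruleset:
    """Minimal rewrite engine: the hosts a ruleset covers, the URLs it must
    leave alone, and its ordered http -> https regex rewrites."""

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text.strip())
        self.name = root.get("name")
        self.targets = {t.get("host").lower() for t in root.iter("target")}
        self.exclusions = [re.compile(e.get("pattern")) for e in root.iter("exclusion")]
        self.rules = []
        for r in root.iter("rule"):
            # ruleset 'to' strings use JavaScript-style $1 backreferences;
            # Python's re.sub wants \1, so translate them once at load time
            to = re.sub(r"\$(\d+)", r"\\\1", r.get("to"))
            self.rules.append((re.compile(r.get("from")), to))

    def rewrite(self, url):
        """Return the HTTPS form of url if this ruleset covers it, else url unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname not in self.targets:
            return url  # already encrypted, or a host this ruleset does not cover
        if any(p.search(url) for p in self.exclusions):
            return url  # part of the site known not to work over HTTPS
        for pattern, to in self.rules:
            if pattern.search(url):
                return pattern.sub(to, url, count=1)
        return url


def secure_all(ruleset, urls):
    """Rewrite a batch of URLs, e.g. every link found on a page."""
    return [ruleset.rewrite(u) for u in urls]


if __name__ == "__main__":
    rs = Ruleset(RULESET_XML)
    for u in ["http://example.com/login", "http://cdn.example.com/app.js",
              "http://legacy.example.com/old", "http://other.example.org/"]:
        print(f"{u:32} -> {rs.rewrite(u)}")
```

The Firesheep-relevant point is where the rewrite happens: the URL is changed before the request is issued, so the session cookie for a covered host is only ever sent inside the TLS connection and never crosses the open WiFi in the clear. The exclusion list is the pragmatic part of the design, since a single path that breaks over HTTPS is exactly the kind of link that sends users “back to the unencrypted site” as described above.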
Three California men have pleaded guilty to charges they built a network of CAPTCHA-solving computers that flooded online ticket vendors and snatched up the very best seats for Bruce Springsteen concerts, Broadway productions and even TV tapings of Dancing with the Stars.
The men ran a company called Wiseguy Tickets, and for years they had an inside track on some of the best seats in the house at many events. They scored about 1.5 million tickets after hiring Bulgarian programmers to build “a nationwide network of computers that impersonated individual visitors” on websites such as Ticketmaster, MLB.com and LiveNation, the U.S. Department of Justice (DoJ) said Thursday in a press release.
… Their scheme was remarkably successful. When Bruce Springsteen and the E Street Band played Giants Stadium in July 2008, nearly half of the 440 general admission floor tickets were snatched up by the Wiseguy Tickets network.
The network would “flood vendors’ computers at the exact moment that event tickets went on sale,” the DoJ said. With computerized CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart)-solving, the bots were able to complete transactions faster than any human, giving them an edge in snatching up tickets for the Major League Baseball playoffs, the Rose Bowl and many concerts.
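From the vendor’s side, the two behaviours the DoJ describes are also the signals a detection rule would key on. Here is an added example in Python, not part of the article and not the code of any ticket vendor: it runs over a constructed checkout log and flags CAPTCHA challenges answered faster than a person plausibly could, counts the checkouts that land in the first second after an on-sale time, and groups the fast sessions by /24 to show when they come from one block of addresses. The log format, field names, thresholds, timestamps and addresses are all invented for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed checkout log (invented format and values; documentation-range IPs).
# One line per completed checkout: submit time, session id, seconds between the
# CAPTCHA being shown and answered, and the client address.
LOG_LINES = """\
2010-11-20T10:00:00.120 sess=a1 captcha_secs=0.9 ip=203.0.113.10
2010-11-20T10:00:00.131 sess=a2 captcha_secs=1.1 ip=203.0.113.11
2010-11-20T10:00:00.140 sess=a3 captcha_secs=0.8 ip=203.0.113.12
2010-11-20T10:00:00.152 sess=a4 captcha_secs=1.0 ip=203.0.113.13
2010-11-20T10:00:00.160 sess=a5 captcha_secs=0.7 ip=203.0.113.14
2010-11-20T10:00:07.900 sess=h1 captcha_secs=11.4 ip=198.51.100.7
2010-11-20T10:00:15.300 sess=h2 captcha_secs=14.2 ip=198.51.100.8
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) captcha_secs=(?P<secs>\d+(?:\.\d+)?) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are dropped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "sess": m["sess"],
            "secs": float(m["secs"]),
            "ip": m["ip"],
        })
    return events


def fast_solves(events, min_human_secs=3.0):
    """Sessions whose CAPTCHA was answered below a floor a person is unlikely to beat.
    The 3-second floor is an invented threshold; derive it from real solve-time data."""
    return sorted(e["sess"] for e in events if e["secs"] < min_human_secs)


def onsale_burst(events, onsale_iso, window_secs=1.0):
    """Number of checkouts completed inside the first window after tickets go on sale."""
    onsale = datetime.fromisoformat(onsale_iso)
    return sum(1 for e in events if 0 <= (e["ts"] - onsale).total_seconds() < window_secs)


def fast_solve_subnets(events, min_human_secs=3.0, min_sessions=3):
    """/24 blocks that produced at least min_sessions suspiciously fast sessions,
    which is how a farm of machines impersonating individual visitors tends to show up."""
    counts = Counter(
        ".".join(e["ip"].split(".")[:3]) + ".0/24"
        for e in events if e["secs"] < min_human_secs
    )
    return {net: n for net, n in counts.items() if n >= min_sessions}


if __name__ == "__main__":
    ev = parse_log(LOG_LINES)
    print("fast solves:", fast_solves(ev))
    print("checkouts in first second:", onsale_burst(ev, "2010-11-20T10:00:00"))
    print("subnets with clustered fast solves:", fast_solve_subnets(ev))
```

None of the three signals is conclusive alone: a quick typist can beat a generous floor, and a popular on-sale produces a legitimate spike. Their combination, many sub-second solves completing in the same second from a handful of adjacent addresses, is what separates a bot farm from a crowd, and the per-subnet grouping is the view that survives the bots being spread across many sessions.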