Next time you get a “tumblr/facebook questionnaire” asking you to work out your porn star name or something, remember this…

semperfrosty:

Your mother’s maiden name, the name of your first pet, your birthday and the first street you grew up on are usually the same fields used for password security reset questions

Stay Frosty

Facebook Hacker Gets Eight Months in Jail

anticapitalist:

He should get an award instead.

A 26-year-old named Glenn Mangham was before a British court recently and admitted to hacking into the servers of Facebook from his bedroom in his parents’ home between April and May of 2011. Mangham is a software development student who claimed that the hacking was an attempt to identify vulnerabilities in Facebook and alert the social network to the issues. The hacker claims to have done the same thing with Yahoo in the past.
 
While Mangham says that he was a white hat hacker simply looking to help, prosecutors in the case rejected those claims. According to prosecutor Sandip Patel, “He [Mangham] acted with determination, undoubted ingenuity and it was sophisticated, it was calculating.”
 
Facebook reports that it spent $200,000 dealing with the hack and Facebook says that the hack also led to an investigation by the FBI and British law enforcement officers. Patel went on to say, “He said he wanted a mini project and chose Facebook because of its high-profile internet presence.” Patel also said, “The prosecution does not accept that the defendant’s actions were anything other than malicious.”
 
The prosecution also claims that Mangham was able to steal “invaluable” intellectual property that he downloaded onto an external hard drive. Patel characterizes the hack as the most extensive and grave incident ever brought before British courts.
 
Judge Alastair McCreath told Mangham that his actions were not harmless and had real and serious consequences. Judge McCreath said, “You and others who are tempted to act as you did really must understand how serious this is.” He continued, ”The creation of that risk, the extent of that risk and the cost of putting it right mean at the end of it all I’m afraid a prison sentence is inevitable.”
 
The attack targeted multiple servers and bypassed Facebook security. The hacker gained access to the account of a Facebook employee while the worker was on holiday and obtained the restricted internal data. When Mangham began to fear he would be caught, he attempted to cover his footprints and erase any evidence that he was inside the system. Facebook later discovered the hack during a routine security review.
 
Mangham was sentenced to eight months in prison, was forced to forfeit his computer equipment, and his access to the internet was restricted.

It’s a shame that he got caught. This guy seems like a boss.

Facebook, you are bunch of fucking idiots. You should have hired him.

Notes on the .xxx domain launch
  • So the point of this domain is to make filtering out adult websites on that domain easier. If an adult site isn’t on the domain (hotchixx.com for example) no such filtering is possible.* Note that adult sites are not required to switch over. *ETA it’s possible with your standard website blockers, but that software uses a different strategy to block things.
  • The relevant bit here is that the ICM is partnering with McAfee to do a daily scan for malware on every site in the goddamn domain.
  • THIS IS A REALLY BAD IDEA.
  • Why this is bad: 
  • "After verified as malware free .xxx sites can display the McAfee Trustmark, that includes the scan date, to show that your Website passed a security scan by McAfee to provide a more safe and relaxed experience to your customers.”
  • So what if somebody forgets to check for the Trustmark? Or doesn’t know to check? (I mean, whatever the fuck a Trustmark is, you know? It’s an image on a web page; it’s not going to be that difficult to copy one and put it on your site, scan date and all.) It seems like this is going to foster a very unhelpful false sense of security for users visiting sites on this domain. 
  • Also: McAfee’s security tools are notoriously subpar and slow. It’s going to tie up network bandwidth and make service on this domain drag, and a Trustmark doesn’t mean much when McAfee’s security is so notoriously shitty. 
Check If Your Android Phone Has Carrier IQ, No Rooting Required | Lifehacker

mudwerks:

When we first covered Carrier IQ, the rootkit that can log everything you do on your phone, we detailed how to check and remove Carrier IQ on Android using an app from the developer who discovered the rootkit, but that method required rooting your phone. Voodoo Carrier IQ Detector is a free app available on Android Market that can check for—but not yet remove—the spying software, no root required.

All you have to do is install VooDoo Carrier IQ Detector on your Android device and run it to get the detection score: 0 is best, above zero means Carrier IQ is present and you should seriously consider rooting your phone if you are concerned about the program logging your information or just slowing down your device. (Follow the directions we posted yesterday on your options right now for removal).

VooDoo Carrier IQ doesn’t remove Carrier IQ yet, but it is an easy way to check for it. Developer François Simond has also provided the open source code for the app on Github. And if you’re an iPhone user, you’ll find it easy to turn off Carrier IQ on the iPhone.

[0 for me…yay…]

Here’s a much more user-friendly app than the one I’ve been posting about to detect Carrier IQ. I’m reluctant to encourage inexperienced users to root their phones to remove it - there’s a lot of room for error - but I haven’t heard of another way to turn the app off. I’ll let y’all know if there’s an easier method, but for now, unless you know what you’re doing proceed with caution.

Which companies are on the Carrier IQ bandwagon? -- Engadget

mudwerks:

Apple: 

We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.

AT&T:

In-line with our privacy policy, we solely use CIQ software data to improve wireless network and service performance.

HTC:

Statement 1: HTC, like most manufacturers, has an opt-in error reporting function built in to our devices. If your phone experiences an error, you have the option of ‘Telling HTC’ so we can make improvements to our phones. Details about this are in our privacy policy on each device and in order for data to be collected, you have to opt-in. If you do opt-in, we protect your privacy by de-identifying and encrypting the data. HTC is committed to protecting your privacy and that means a commitment to clear opt-in/opt-out as the standard for collecting any information we need to serve you better.

Statement 2: Carrier IQ is required on devices by a number of U.S carriers so if consumers or media have any questions about the practices relating to, or data collected by, Carrier IQ we’d advise them to contact their carrier. It is important to note that HTC is not a customer or partner of Carrier IQ and does not receive data from the application, the company, or carriers that partner with Carrier IQ. HTC is investigating the option to allow consumers to opt-out of data collection by the Carrier IQ application.

Microsoft:

Since people are asking — Windows Phones don’t have CarrierIQ on them either.

Nokia:

Nokia is aware of inaccurate reports which state that software from Carrier IQ has been found on Nokia devices. Carrier IQ does not ship products for any Nokia devices, so these reports are wrong.

RIM:

RIM does not pre-install the Carrier IQ app on BlackBerry smartphones or authorize its carrier partners to install the Carrier IQ app before sales or distribution… RIM also did not develop or commission the development of the Carrier IQ application, and has no involvement in the testing, promotion, or distribution of the app.

Samsung:

Some Samsung mobile phones do include Carrier IQ, but it’s very important to note that it’s up to the carrier to request that Samsung include that software on devices. One other important point is that Samsung does not receive any consumer user information from the phones that are equipped with Carrier IQ.

Sprint:

Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don’t provide a direct feed of this data to anyone outside of Sprint.

Sprint is well known for our serious commitment to respecting and protecting the privacy and security of each customer’s personally identifiable information and other customer data. A key element of this involves communicating with our customers about our information privacy practices. The Sprint privacy policy makes it clear we collect information that includes how a device is functioning and how it is being used. Carrier IQ is an integral part of the Sprint service. Sprint uses Carrier IQ to help maintain our network performance.

Verizon:

To be 100% clear: Carrier IQ is *not* on Verizon Wireless phones.

HP:

HP does not install nor authorize its partners to embed Carrier IQ on its webOS devices.

Google, which has never shipped CarrierIQ on its Nexus devices:

We do not have an affiliation with CarrierIQ. Android is an open source effort and we do not control how carriers or OEMs customize their devices.

T-Mobile:

T-Mobile utilizes the Carrier IQ diagnostic tool to troubleshoot device and network performance with the goal of enhancing network reliability and our customers’ experience. T-Mobile does not use this diagnostic tool to obtain the content of text, email or voice messages, or the specific destinations of a customer’s internet activity, nor is the tool used for marketing purposes.

Motorola didn’t have an official statement but did mention that Carrier IQ is only pre-loaded as an operator requirement.

Here we go. List of companies whose phones almost certainly have CIQ on them. Again, if you want to find out if your phone has this spyware on it, you can follow these instructions to detect it and disable most of it.

Update#2 on the Carrier IQ app that's logging texts and location

Apparently someone has already written an app to see if the logger is on your phone. Unfortunately there’s a lot of setup involved, but fortunately the person who wrote this app has also written code that can disable some of the spying. SO. Instructions for android phones follow. The spyware is also supposedly on some non-android Nokias and some Blackberrys, but I was unable to dig anything up about removing this app for those phones.

1. Things you need to download from Android market: the barcode scanner app and the ASTRO file manager. You will also need to go to Menu -> Settings -> applications and permit installation of apps from unknown sources (not the Android market).

2. Go to the link above. Scroll down and click on the [Click for QR Code] link that is listed next to the TestApp_v7 link. Scan this code using the barcode scanner app, and when a link is provided, select it and then select “download.”

3. Go to the ASTRO file manager. Click on the file for “downloads”, click on the Logging TestApp file, and select “Install.” Once installation is done, you’ll see an option in the ASTRO file manager to open the app. Click on it.

4. The simplest test you can run is by clicking on the button “CIQ checks”, which looks for the Carrier IQ app. If the file /system/etc/iqprofile.pro exists, your phone has the logging app. I was unable to get some of the other tests to work. This is an app aimed at professionals, not users, so if you want to mess with it go ahead but you may or may not get useful results.

The person who wrote this app does have a licence for sale for $1 on the android market. This will let you use the Logging TestApp to disable the spyware as much as possible. There is no user-friendly free way to disable it, so if you want it turned off that’s your best option.
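If you’d rather not install a third-party APK just to run the “CIQ checks” step, here is the same file check as a small shell script. This is an added example written for this post, not the Logging TestApp or anything from its author: it looks for /system/etc/iqprofile.pro (the file named in step 4) plus a few other file, package and process names that the public Carrier IQ write-ups reported on HTC handsets. Those extra names are an assumption and may not match other makers’ builds, so a clean result from them alone proves less than a hit does. No root is needed, because the files it looks for are world-readable.

```shell
#!/bin/sh
# Added example, not part of the original post: look for Carrier IQ
# indicators without rooting. Run it on the handset with
#   adb push ciq_check.sh /sdcard/ && adb shell sh /sdcard/ciq_check.sh /
# or point it at a directory holding a copy of /system pulled with adb.

# /system/etc/iqprofile.pro is the file the post names. The other paths and
# the package/process names below come from the public Carrier IQ write-ups
# on HTC handsets and are an assumption: other makers may use different names.
CIQ_PATHS="/system/etc/iqprofile.pro
/system/lib/libiq_client.so
/system/lib/libiq_service.so
/system/bin/iqd"

# ciq_count ROOT: print the number of indicator files present under ROOT
# (ROOT is "/" on the phone, or the pulled-image directory on a PC).
ciq_count() {
    root=${1%/}          # "/" becomes "", so "$root$p" is "/system/..."
    n=0
    for p in $CIQ_PATHS; do
        if [ -e "$root$p" ]; then
            echo "found: $root$p" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# ciq_runtime: on the phone, also report the agent package and its daemon.
# pm only exists on Android, so that part is skipped on a PC.
ciq_runtime() {
    if command -v pm >/dev/null 2>&1; then
        pm list packages 2>/dev/null | grep -i carrieriq >&2 || true
    fi
    ps 2>/dev/null | grep -w iqd | grep -v grep >&2 || true
}

# ciq_check ROOT: exit 1 if any indicator file was found, 0 if none.
ciq_check() {
    count=$(ciq_count "$1")
    ciq_runtime
    if [ "$count" -gt 0 ]; then
        echo "Carrier IQ indicators found: $count file(s) under ${1:-/}"
        return 1
    fi
    echo "no Carrier IQ files under ${1:-/}"
    return 0
}

# stand-alone use: sh ciq_check.sh /   (or a pulled /system tree)
if [ $# -gt 0 ]; then
    ciq_check "$1"
fi
```

The exit status is 1 when something was found, so `adb shell sh /sdcard/ciq_check.sh / || echo CIQ` works from a PC too. Finding the files tells you the agent is installed; it does not tell you how much of the logging your carrier actually turned on, which is exactly what the Logging TestApp’s other tests try to answer.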

Let me know if you guys have any trouble with this.

A hidden app on android phones and blackberries has been monitoring users' texts and geographic location

Referring to yesterday’s post on security: see what I mean? You cannot even trust a fresh-off-the-factory-line machine to not have spyware on it. 

Stuff everybody should know about the Internet PSA

cookies: A small piece of data a website asks your browser to store and send back with every later request to that site. Amazon, for instance, hands a fresh browser a random identifier; because the browser returns it on every visit, Amazon can link together the items you looked at even if you never log in. (The same mechanism is what keeps you logged in after you sign in, which is why someone who steals your cookie can act as you.) Ads on a totally unrelated site (like Facebook) can show you those same items because the ad network serving them sets its own “third-party” cookie, which your browser sends back whenever any page embeds that network’s ads. Don’t like it? Clear out your cookies frequently, or set your browser to block third-party cookies. Google the name of your browser and “clear cookies” if you don’t know how to do it.

certificates: Ever clicked a link and got a screen that says “this certificate is not trusted”? This is the browser’s encryption/identity check: a certificate authority vouches that the site you’re talking to as “paypal.com” really is paypal.com and not an interloper that wants your bank data. The warning means the browser couldn’t confirm that: nobody it trusts signed the certificate (anyone can make one claiming to be paypal.com), or the name on it doesn’t match the site you typed, or it has expired. Tread very carefully here - you should NEVER get this warning when visiting a well-known legitimate site, especially not a site for online shopping, and if you do, don’t click through, because the connection may be going to someone else. 

firewall: blocks certain kinds of traffic from reaching the computer or network it protects. For example, telnet is a program that lets someone log in to a computer remotely (over an unencrypted connection, which is its own problem; SSH is the modern replacement). A firewall could block all telnet connections, or block them by default and make exceptions for connections coming from certain trusted addresses, or whatever. If you don’t have one turned on you almost certainly should. Same goes for antivirus protection, but I think that one doesn’t need an explanation.
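The telnet policy just described, as an added example in iptables rules (written for this post; it is not taken from any firewall product). It assumes a Linux host with iptables installed and root to apply the rules; the trusted networks are whatever you pass on the command line, and 203.0.113.0/24 in the usage note is a documentation address, not a real one.

```shell
#!/bin/sh
# Added example, not part of the original post: the telnet policy from the
# paragraph above as iptables rules. Assumptions: a Linux host, iptables
# installed, run as root. Set IPTABLES=echo to print the rules instead of
# applying them (worth doing before touching a live box).

# telnet_policy TRUSTED_CIDR...: drop everything arriving at this host except
# replies to conversations it already has, loopback traffic, and new telnet
# (TCP/23) sessions from the listed networks.
telnet_policy() {
    ipt=${IPTABLES:-iptables}
    # packets that belong to a connection already accepted (or opened from here)
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $ipt -A INPUT -i lo -j ACCEPT
    # the exception: new telnet sessions, but only from trusted sources
    for net in "$@"; do
        $ipt -A INPUT -p tcp --dport 23 -s "$net" -m conntrack --ctstate NEW -j ACCEPT
    done
    # the default: anything else, telnet from everywhere else included, is dropped
    $ipt -A INPUT -j DROP
}

# stand-alone use:  IPTABLES=echo sh telnet_fw.sh 203.0.113.0/24   (review)
#                   sudo sh telnet_fw.sh 203.0.113.0/24             (apply)
if [ $# -gt 0 ]; then
    telnet_policy "$@"
fi
```

Order matters: the final DROP catches whatever the earlier rules didn’t accept, so a telnet attempt from an address outside the trusted list never reaches the telnet daemon at all, while a session you started from the trusted network keeps working because its packets match ESTABLISHED.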

trojan horse: A program that does something other than, or in addition to, what it claims to do. Most commonly attached to things that you can download for free - it could do something like grab your computer’s login info and send it back to the person who wrote the program. This is why I never download tv shows/music illegally and am really careful about things like browser add-ons (which might, say, try to capture your login data for Amazon.com). You should ALWAYS stay away from ActiveX and be very careful with Firefox add-ons or new browser toolbars - better yet, use Chrome and remove the temptation for adding bullshit to your browser entirely. 

(Like, for the month that I ran firefox I remember seeing an add-on for changing the color of your toolbar or whatever - who the fuck does that shit for funsies? Nobody. Be skeptical. Also note that completely legitimate companies have put trojan horses on their products before. So, yeah. Trust no one.)