Maximum PC readers don't need to be reminded why encrypting their wireless networks is important, but a recent slip-up by the Google Street View team drives the point home. In a posting released on the European Public Policy Blog, Google was forced to admit that in addition to collecting SSID and MAC address information about passing networks, payload information was also collected and archived. In Google's defense, the only information acquired was data being transmitted over open Wi-Fi, but the admission only serves to fuel fears, particularly in Europe, that the Street View cars are up to no good.
So how exactly did this happen? In a follow-up post Google explained that "in 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data," Google's Senior VP, Engineering & Research Alan Eustace wrote. "A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google's Street View cars, they included that code in their software--although the project leaders did not want, and had no intention of using, payload data."
Google is consulting with a third party to help confirm what was collected and ensure it is properly deleted. You could argue that anyone operating an open hotspot deserves what they get, but at the same time it is important for Google to show the world it has at least a passing respect for our privacy, given the sheer volume of personal information it seems to be privy to.
In the wake of Google's Wi-Fi privacy incident, the company has let it be known that it plans to roll out encrypted search. Google's Marissa Mayer briefly discussed the feature at Google's annual stockholder meeting. This is in keeping with the trend at Google, which recently set the defaults in Gmail to use the HTTPS encrypted protocol.
Mayer didn't go into specifics about how the feature would work, but everyone was encouraged to pay attention to the Google I/O conference next week. Whatever form it takes, we hope that it will be easy to enable. We don't see Google making the setting the default, but anything can happen at I/O. If encrypted search is made available to you, will you use it?
There are a lot of reasons to distrust Facebook's Instant Personalization service, and the list grew by one more today. The issue is an exploit that takes advantage of Yelp's participation in the Instant Personalization feature of Facebook. The attack allows a shady character to get access to all of a user's Facebook data if the user visits Yelp while participating in the Instant Personalization program.
The exploit took advantage of Yelp's association with Facebook by way of cross-site scripting to inject malicious code. In the past, this wouldn't have affected Facebook data, but Yelp is one of Facebook's Instant Personalization partners. This means Yelp has access to user data as soon as a user visits the site. The scary thing here is that the exploit would work even if you had never been to Yelp.
Facebook claims to have taken care of this security hole, but this event leaves us even more unsettled than before. It seems we can't go a day without learning of another Facebook security issue. We shudder to think what would happen if Instant Personalization were available for more than three sites.
Maybe with all the constant redesigns and swapping of features, the occasional bug is to be expected. But a bug uncovered by TechCrunch Europe today turned out to be a gaping security hole. The bug allowed users to view the live chat logs of any of their friends on the site.
The trick relied on Facebook's profile preview feature in the security settings. When changing security settings, users can preview their profile to see what information is available to the outside world. There is also a box on the preview where a specific user can be entered so you can see how your profile looks to that person. Just by typing in the name of a friend, a user could pull up that friend's chat log. Yes, a privacy feature actually created an exploit.
TechCrunch alerted Facebook, which then pushed out an update to fix the error. In a statement, Facebook said the bug was accessed "by manipulating the “preview my profile” feature." We prefer to think of it as using the feature, but that's just semantics. We'll hand it to Facebook: they did fix it quickly, but it shouldn't have happened in the first place.
Specifically, the correspondence encourages Facebook to exercise caution in the use of the new universal 'Like' button. The Senators are concerned that its use as a marketing tool could endanger personal information. Facebook responded immediately, saying, "We've developed powerful tools to give our users control over what information they want to share, when they want to share it and with whom."
Facebook has a sordid history of forcing users to opt out of major privacy changes, so it may be a good thing someone in the government is taking notice. Older and less tech-savvy individuals often have trouble interpreting Facebook's "powerful tools" for modifying privacy settings. Do you think someone needs to keep Facebook in line, or do you still have trust in them?
If you're a privacy nut--or even someone who's the least bit concerned about the kind of information that Google might be collecting from you--then it's in your best interest to do everything possible to shield your browsing activities from The Man. Whoever "The Man" might be, that is. Anyway, this is relatively easy to do if you're keen with the technique of running proxies, blocking cookies, and stripping all other identifying characteristics out of your Web traffic. It's nevertheless quite a bit of work to undertake if you're even a semi-frequent Web browser.
The Firefox add-on GoogleSharing aims to simplify the process of rendering yourself invisible to the big G, and it kicks into effect every time you fire up your browser to begin a new surfing session.
Google has come under heavy flak in recent times for what appears to be dwindling regard for people's privacy. It truly became conspicuous on the radar of privacy watchdogs with its Street View technology. A couple of months ago, it again caused a furore by choosing to launch Buzz, a social networking extension for its Gmail service, as an “opt-out” service.
The letter, dated April 19, is also signed by Stoddart's counterparts in France, Germany, Israel, Italy, Ireland, Netherlands, New Zealand, Spain and the United Kingdom. The missive points to both Buzz and Street View as instances when Google launched a product “with such significant privacy issues.”
Stoddart has called on Google to ensure that its services honor fundamental privacy principles. The company has also been asked to outline ways in which it plans to ensure such conformity.
A 9-year-old student attending a Fairfax County Public School in Falls Church, Virginia, created quite the scare for his school district. Faculty thought the district was the victim of a hacker attack after someone had been changing teacher passwords on the school district's Blackboard system.
Local police were called in to investigate and traced the incident to the home of a 9-year-old student. The kid didn't actually hack the system, but had simply swiped a teacher's password from a desk.
"This was a case where an individual...got hold of a teacher's password, and the passwords had administrative rights," said Paul Regnier, a school board spokesman.
The rebellious student used the administrative account to change enrollment lists and alter other teachers' passwords. Much to the student's chagrin, however, he wasn't able to alter grades or access other machines on the school's system.
"Nothing bad happened this time, but we have to make sure that...it doesn't happen again," said Regnier.
Not writing down high-level passwords and putting them in an unlocked desk might be a start.
Caller ID spoofing will soon become a thing of the past, or at least a lot less prominent. You can thank the U.S. Congress, which last week passed the "Truth in Caller ID Act of 2010."
There isn't much to the short bill, which gets straight to the point.
"It shall be unlawful for any person within the United States, in connection with any real time voice communications service, regardless of the technology or network utilized, to cause any caller ID service to transmit misleading or inaccurate caller ID information, with the intent to defraud or deceive," the bill reads.
Under the new bill, you would still be allowed to block your phone number from showing up on other people's phones, and law enforcement would be exempt from the restrictions. VoIP calls, however, would not be exempt and were actually the focus of the bill, according to the Congressional Research Service summary.
The US Department of Justice has dropped its case attempting to force Yahoo to hand over private email without a warrant. The DOJ filed a two-page brief with the court canceling its request for access to Yahoo subscribers' email. The action taken by the DOJ ruffled a lot of feathers, including those of the EFF and Google, who filed their displeasure with the court just recently.
The nature of the crimes being investigated was never disclosed, and that likely had something to do with the government's eventual decision to pull out, though the media attention in the last week probably helped as well. The EFF is claiming that the Justice Department dropped the case mainly because it did not want to fight the civil liberties group in court.
Yahoo isn't offering much background, but seems positive, saying, "We are pleased with the decision and we continue to be committed to protecting the privacy of users." This decision does not rule out the possibility the government could make another attempt to access email without a warrant in the future, but these accounts are likely safe. How does this make you feel about the privacy of email?