Maybe with all the constant redesigns and swapping of features, the occasional bug is to be expected. But a bug uncovered by TechCrunch Europe today turned out to be a gaping security hole. The bug allowed users to view the live chat logs of any of their friends on the site.
The trick relied on Facebook's profile preview feature in the security settings. When changing security, users can preview their profile to see what information is available to the outside world. There is also a box on the preview where a specific user can be entered so you can see how your profile looks to that person. By just typing in the name of a friend, their chat log can be pulled up. Yes, a privacy feature actually created an exploit.
TechCrunch alerted Facebook, who then pushed out an update to fix the error. In a statement, Facebook said the bug was accessed "by manipulating the 'preview my profile' feature." We prefer to think of it as using the feature, but that's just semantics. We'll hand it to Facebook: they did fix it quickly, but it shouldn't have happened in the first place.
Hit the jump for TechCrunch's video of the exploit in action.
Specifically, the correspondence encourages Facebook to exercise caution in the use of the new universal 'Like' button. The Senators are concerned that its use as a marketing tool could endanger personal information. Facebook responded immediately, saying, "We've developed powerful tools to give our users control over what information they want to share, when they want to share it and with whom."
Facebook has a sordid history of forcing users to opt out of major privacy changes, so it may be a good thing someone in the government is taking notice. Older and less tech-savvy individuals often have trouble interpreting Facebook's "powerful tools" for modifying privacy settings. Do you think someone needs to keep Facebook in line, or do you still have trust in them?
If you're a privacy nut--or even someone who's the least bit concerned about the kind of information that Google might be collecting from you--then it's in your best interest to do everything possible to shield your browsing activities from The Man. Whoever "The Man" might be, that is. Anyway, this is relatively easy to do if you're comfortable running proxies, blocking cookies, and stripping all other identifying characteristics out of your Web traffic. It's nevertheless quite a bit of work to undertake if you're even a semi-frequent Web browser.
The Firefox add-on GoogleSharing aims to simplify the process of rendering yourself invisible to the big G, and it kicks into effect every time you fire up your browser to begin a new surfing session. Click the jump to see how it works!
Google has come under heavy flak in recent times for what appears to be dwindling regard for people's privacy. It truly became conspicuous on the radar of privacy watchdogs with its Street View technology. A couple of months ago, it again caused a furore by choosing to launch Buzz, a social networking extension for its Gmail service, as an “opt-out” service.
The letter, dated April 19, is also signed by Stoddart's counterparts in France, Germany, Israel, Italy, Ireland, Netherlands, New Zealand, Spain and the United Kingdom. The missive points to both Buzz and Street View as instances when Google launched a product “with such significant privacy issues.”
Stoddart has called on Google to ensure that its services honor fundamental privacy principles. The company has also been asked to outline ways in which it plans to ensure such conformity.
A 9-year-old student attending a Fairfax County Public School in Falls Church, Virginia, created quite the scare for his school district. Faculty thought the district was the victim of a hacker attack after someone had been changing teacher passwords on the school district's Blackboard system.
Local police were called in to investigate and traced the incident to the home of a 9-year-old student. The kid didn't actually hack the system; he had simply swiped a teacher's password from a desk.
"This was a case where an individual...got hold of a teacher's password, and the passwords had administrative rights," said Paul Regnier, a school board spokesman.
The rebellious student used the administrative account to change enrollment lists and alter other teachers' passwords. Much to the student's chagrin, however, he wasn't able to alter grades or access other machines on the school's system.
"Nothing bad happened this time, but we have to make sure that...it doesn't happen again," said Regnier.
Not writing down high-level passwords and putting them in an unlocked desk might be a start.
Caller ID spoofing will soon become a thing of the past, or at least a lot less prominent. You can thank the U.S. Congress, who last week passed the "Truth in Caller ID Act of 2010."
There isn't much to the short bill, which gets straight to the point.
"It shall be unlawful for any person within the United States, in connection with any real time voice communications service, regardless of the technology or network utilized, to cause any caller ID service to transmit misleading or inaccurate caller ID information, with the intent to defraud or deceive," the bill reads.
Under the new bill, you would still be allowed to block your phone number from showing up on other people's phones, and law enforcement would be exempt from the restrictions. VoIP calls, however, would not be exempt and were actually the focus of the bill, according to the Congressional Research Service summary.
The US Department of Justice has dropped its case attempting to force Yahoo to hand over private email without a warrant. The DOJ filed a two-page brief with the court canceling its request for access to Yahoo subscribers' email. The action taken by the DOJ ruffled a lot of feathers, including those of the EFF and Google, who filed their displeasure with the court just recently.
The nature of the crimes being investigated was never disclosed, and that likely had something to do with the government's eventual decision to pull out. The media attention in the last week probably helped as well, though. The EFF is claiming that the Justice Department dropped the case mainly because it did not want to fight the civil liberties group in court.
Yahoo isn't offering much background, but seems positive, saying, "We are pleased with the decision and we continue to be committed to protecting the privacy of users." This decision does not rule out the possibility that the government could make another attempt to access email without a warrant in the future, but these accounts are likely safe. How does this make you feel about the privacy of email?
Big name PC repair shops don't need any more bad publicity, but they're getting it anyway courtesy of a pretty embarrassing SNAFU by CompUSA. Here's what happened.
According to CBS News in Chicago, a woman named Kymberli Mulford entrusted the CompUSA in Hoffman Estates with removing a nasty virus on her system that she believed was causing it to shut down. Around the same time, Karen Davis took her PC in to the same store for repairs. CompUSA purportedly took care of both issues, but they also installed Mulford's files on Davis's PC. Oops!
"It was everything, pictures of her kids, notes, and emails," Davis said. "Even what meds her kids were taking, just very personal stuff."
Davis did the right thing by getting in touch with Mulford to tell her what happened, but now Mulford fears her data could have been loaded onto other machines too.
"All of that information is a gold mine for thieves," said Roger Safian, a computer security expert. "They back up all the data first, then they re-install it after they remove the virus, and that could be how they ended up making this mistake. They re-installed one person's data to the other person's machine."
According to CompUSA, the tech and his supervisor were fired because of the incident.
Have a PC repair horror story of your own? Hit the jump and tell us all about it!
Yes, we actually made an "All Your Base" reference, and trust us, we feel terrible about it. But it was the first thought that came to mind when we caught wind that the Library of Congress had acquired every public tweet ever made. That's right, all your spelling errors -- intentional or otherwise -- and witty 140-character musings are now forever preserved in the oldest federal cultural institution in the United States.
"It is our pleasure to donate access to the entire archive of public tweets to the Library of Congress for preservation and research," Twitter announced on its blog. "It's very exciting that tweets are becoming part of history. It should be noted that there are some specifics regarding this arrangement. Only after a six-month delay can the tweets be used for internal library use for non-commercial research, public display by the library itself, and preservation."
This 'only' includes public Twitter messages and not direct messages or the "tiny percentage of accounts that are protected." According to Twitter, 105 million registered users send out some 55 million tweets a day, "and that number is climbing sharply."
Octavius Durdley, an emergency paramedic with the Bradford County Emergency Services (BCES) in Florida, is going to have a tough time gaining any sympathy for his plight. You see, Durdley was charged last September with possessing and distributing child pornography, but it's how the evidence was obtained that is likely to cause a few outcries in the case.
Durdley-do-wrong committed a big no-no, and we're not talking about the (allegedly) obvious one here. What landed Durdley in hot water was accidentally leaving a USB flash drive plugged into a computer provided by the BCES, a PC that's shared by him and other members of the emergency service.
A supervisor discovered the files and turned Durdley in to authorities. This ultimately led to a search of his house; Durdley claims both the discovery and the search are violations of his Fourth Amendment rights against unreasonable search and seizure. Judge Maurice Paul of the U.S. District Court for the Northern District of Florida didn't agree.
"Durdley's files were exposed to anyone who sat down at the computer station who used the traditional means for opening and viewing files," the judge wrote in a 15-page ruling. Furthermore, the supervisor who discovered the files did so without any "special means or intruding into any area which Durdley could reasonably expect to remain private."
Ignoring the nature of the alleged crime, what are your thoughts on this? Is forgetting to pull your USB key out of a shared PC cause for others to poke around?