2 of her puppies...they are so pretty and tiny!
Tuesday, June 22, 2010
Wednesday, March 31, 2010
Social media, geolocation and privacy, oh my!
Nicole L. Black highlights how our net activities are carefully monitored and
meticulously tracked by some of the biggest players, including Google, Amazon,
Apple, Microsoft and Facebook.
Our individual online footprints, from the Web sites we visit, the items we purchase, the people with whom we communicate, to the locations where we access the Internet, are extremely valuable commodities that are increasingly sought after.
Tuesday, March 30, 2010
Please rob me!
When you leave the large cardboard box for your new HDTV at the curb for the garbage men, you are also letting thieves know your house is worth robbing.
When you tell the world you are going somewhere using Twitter or Facebook, you are advertising your home has been left empty.
While new technology such as Google Latitude http://www.google.com/intl/en_us/latitude/intro.html makes it easier to hook up with friends, you may want to think about the potential issues that may arise in giving up your location.
Learn about "Locational Privacy" http://www.eff.org/wp/locational-privacy
Identity 'at risk' on Facebook - Apps steal data
The popular social networking site allows users to add a variety of applications to their profile.
But a malicious program, masquerading as a harmless application, could potentially harvest personal data.
Facebook says users should exercise caution when adding applications. Any programs which violate their terms will be removed, the network said.
When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.
So, to become a victim, you don't have to add the malicious app, you just have to be a friend of someone who has.
The only way to be completely protected from applications skimming information about you and your friends is to erase all the applications on your profile and opt to not use any applications in the future.
http://news.bbc.co.uk/2/hi/programmes/click_online/7375772.stm
Sunday, March 28, 2010
Is your PC doing a hacker's dirty work?
Check out the site for a short video
http://news.bbc.co.uk/2/hi/programmes/click_online/7938503.stm
Sunday, March 21, 2010
Feds consider going undercover on social networks
by Declan McCullagh
The next friend request you receive might come from the FBI.
The Obama administration has considered sending federal police undercover on social-networking sites, including Facebook, MySpace, and Twitter.
A confidential U.S. Department of Justice presentation (PDF) on social-networking sites made public Tuesday said online undercover work can help agents "communicate with suspects," "gain access to nonpublic info," and "map social relationships."
Federal police agencies organized under the Justice Department include the FBI, the U.S. Marshals, the Drug Enforcement Administration, and the Bureau of Alcohol, Tobacco, Firearms, and Explosives.
The 33-page presentation noted that Twitter has a "stated policy of producing data only in response to legal process," while saying Facebook is "often cooperative with emergency requests."
By contrast, an IRS document about social-networking sites was more cautious about Internet undercover work. It says agents are allowed to conduct Internet searches for taxpayers and review information from public Web sites--but that they are not allowed to "misrepresent your identify (sic) or obtain information from a Web site using a fictitious identity to register."
That advice appears to apply to routine investigations. In some cases, as CNET reported in late 2008, Congress has authorized undercover IRS agents to run businesses for an extended sting operation, to open their own personal bank accounts with U.S. tax dollars, and so on.
For years, FBI agents have gone undercover on the Web for child porn sting operations. One technique that the bureau has used involves logging in to a discussion forum, posting hyperlinks that purport to be illegal videos of minors having sex, and then raiding the homes of anyone willing to click on them.
One possible hurdle that the lawyers at the Justice Department noted in their presentation, which was given by John Lynch and Jenny Ellickson, both attorneys in the department's Computer Crime and Intellectual Property Section, is the possibility of violating a Web site's terms of service, if an agent lies about his identity.
This is called prosecutors being too clever by half: in the Lori Drew case, the Justice Department claimed (PDF) that violating MySpace terms of service was a criminal offense.
The problem today? Many Web sites require that subscribers use their real name. Facebook's terms of service require users to agree not to "create an account for anyone other than yourself without permission." At Twitter, "impersonation is against the terms of service." Even some newspapers such as the Los Angeles Times say "using a name other than your own legal name in association with the submission of user content is prohibited."
A federal judge eventually ruled (PDF) that a strict interpretation of criminal law would be unreasonable, but it remains an unsettled legal question.
"The good example set by the IRS is in stark contrast to the U.S. Marshals and the Bureau of Alcohol, Tobacco, Firearms and Explosives," wrote Marcia Hofmann, an attorney at the Electronic Frontier Foundation, which obtained the documents through the Freedom of Information Act and released them this week. "Neither organization found any documents on social-networking sites in response to EFF's request, suggesting they do not have any written policies or restrictions upon the use of these Web sites."
Update 4:45 p.m. PDT: Andrew Noyes, a spokesman for Facebook, sent me this statement: "Facebook regularly works with law enforcement agencies when they are investigating criminal activity. We have developed materials to help officials understand Facebook and the proper ways to request information from Facebook to aid investigations. We scrutinize every single law enforcement request; require a detailed description of why the request is being made; and if it is deemed appropriate, share only the minimum amount of information. We strive to respect the balance between law enforcement's need for information and the privacy rights of our users, and as a responsible company we adhere to the letter of the law." It doesn't quite answer what I asked, which was: "How many law enforcement requests do you folks receive a year, and for what types of stored data do you require a search warrant? Also, under what circumstances do you disclose user data without a valid subpoena or search warrant?"
Monday, March 15, 2010
From my Instructor - John Pyrik
Leaving aside (for the time being) the type of analysis done by investigators when they try to fill in the missing pieces of a puzzle, let's focus on analysis as it relates to assessing the reliability of information.
In other words, how do we determine truth from fiction?
This is a daily issue for any investigator dealing with complainants, suspects, and informants. Over time, an experienced investigator develops a heavy-duty "BS detector". Mine, for example, was first developed in the murky world of intelligence and further refined by years dealing with smooth-talking con artists in the securities industry.
The problem most investigators have though is that their "BS detectors" work best when they are interviewing someone, not necessarily when they are reading something. In short, it is usually easier for an experienced investigator to tell someone is lying in person than in print.
For me, I learned the "BS detectors" from my fellow classmates in BCIT over the years. =D
Sunday, March 14, 2010
Quote of the day from CM
Friday, March 12, 2010
National Do Not Call List
Register here so they will not call again....I hope
Google Goggles
Now you can use pictures to search the web....from your cellphone!!!
http://www.google.com/mobile/goggles/#landmark
Quote of the day from CM
Thursday, March 11, 2010
Quote of the day from CM
Monday, March 8, 2010
No more facebook stalkings !! -- 2
http://www.schneier.com/blog/archives/2010/03/de-anonymizing.html
March 8, 2010
De-Anonymizing Social Network Users
Interesting paper: "A Practical Attack to De-Anonymize Social Network Users."
Abstract. Social networking sites such as Facebook, LinkedIn, and Xing have been reporting exponential growth rates. These sites have millions of registered users, and they are interesting from a security and privacy point of view because they store large amounts of sensitive personal user data.
In this paper, we introduce a novel de-anonymization attack that exploits group membership information that is available on social networking sites. More precisely, we show that information about the group memberships of a user (i.e., the groups of a social network to which a user belongs) is often sufficient to uniquely identify this user, or, at least, to significantly reduce the set of possible candidates. To determine the group membership of a user, we leverage well-known web browser history stealing attacks. Thus, whenever a social network user visits a malicious website, this website can launch our de-anonymization attack and learn the identity of its visitors.
The implications of our attack are manifold, since it requires a low effort and has the potential to affect millions of social networking users. We perform both a theoretical analysis and empirical measurements to demonstrate the feasibility of our attack against Xing, a medium-sized social network with more than eight million members that is mainly used for business relationships. Our analysis suggests that about 42% of the users that use groups can be uniquely identified, while for 90%, we can reduce the candidate set to less than 2,912 persons. Furthermore, we explored other, larger social networks and performed experiments that suggest that users of Facebook and LinkedIn are equally vulnerable (although attacks would require more resources on the side of the attacker). An analysis of an additional five social networks indicates that they are also prone to our attack.
No more facebook stalkings !! -- 1
Researchers develop proof-of-concept that exploits social networking patterns to 'deanonymize' online users
Feb 23, 2010 | 05:32 PM
By Kelly Jackson Higgins
DarkReading
A group of researchers have discovered a simple way to reveal the identity of a user based on his interactions with social networks.
The 'deanonymization' attack uses social network groups as well as some traditional browser history-stealing tactics to narrow down and find the user behind the browser. The researchers were able to deanonymize more than half of the users in their initial test using their attack method, which entailed their joining and crawling groups within social networks, such as Germany's Xing business social network and Facebook, using a fake profile. They then matched pilfered browsing histories with social-network group members to "fingerprint" and identify them.
"Without using the group info, an attack that only uses history stealing is infeasible in a real-world scenario. So, in fact, it is the combination of history-stealing and group information that is novel," says Gilbert Wondracek, a post-doctoral researcher with the International Secure Systems Lab of the Vienna University of Technology in Austria, who co-developed the proof-of-concept.
Criminals could use this for phishing and targeted attacks. The attack requires only that the victim visit a malicious Website that contains the attack code -- there's no malicious link, per se. "We could put the attack code on a Website that contains a political, dating, religious, [or other] forum. If someone posts anonymously to this Website, there is a chance that we could find out the social network profile for this person," Wondracek says. "Since social network profiles contain a wealth of info and, per definition, the friends of this person, blackmailing is also an option."
Wondracek says he and fellow researcher Thorsten Holz had wondered how the well-known history-stealing technique could be used to unmask online users via their social networking profiles. History stealing allowed them to peek at a user's URL browsing history to see if he had visited specific social network groups -- sports-related or other groups that friend or fan organizations, for instance -- that the researchers had joined.
"We can now perform an intersection and find out that there are just a few people in the whole social network that belong to exactly these ... groups. The group fingerprint is rather unique among all users," Wondracek says.
Then the attacker uses history-stealing once again to check for links that are similar to each member of the groups.
The researchers say that while their PoC was for Xing, it can work with any other social network. They crawled 7,000 public groups in Xing and found around 1.8 million users belong to at least one group. "These users are vulnerable to our attack," Holz blogged recently.
Volunteers from Xing can participate in the experiment via the researchers' demo Website here. The more regularly a Xing user participates in groups on the social network, the more likely he will be deanonymized by the PoC.
There is no fix for this attack, but workarounds include turning off browsing history or using private-browsing mode. Wondracek says the only protection social networks could provide is to change the way their Web applications use hyperlinks to move information from one point of their site to another in "keep state." Xing has implemented this as part of its response to the attack research, he says.
"I was -- and am still -- quite surprised that, a, getting the group data was so easy, and, b, almost all social networks use URLs that leak private information," Wondracek says. "The attitude behind this is pretty scary from our maybe naive point of view."
The researchers will present their paper (PDF) on their preliminary results on the attack in May at the 31st IEEE Symposium on Security & Privacy.
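The group-fingerprint idea described above (intersecting a user's public group memberships until only a few candidates remain) is easiest to understand as a privacy risk measurement, which is also how a site operator would decide whether exposing membership information is acceptable. The following is an added example, not code from the researchers, from Xing or from any social network. It uses a constructed ten-user membership table and hypothetical function names, computes the candidate-set size for every user, and shows how those sets grow when fewer memberships are observable to an outside party, which is the mitigation Wondracek describes (stop leaking membership through URLs).

```python
"""Candidate-set analysis for group-membership fingerprints (added example).

A user's "fingerprint" is the set of group memberships an outside observer can
learn. Every user with the same observable fingerprint is indistinguishable
from this user, so the size of that set is the user's anonymity. A size of 1
means the user is uniquely identified by memberships alone.
"""
from collections import Counter

# Constructed sample data: user -> set of public groups the user belongs to.
# Group names are placeholders, not real Xing/Facebook/LinkedIn groups.
MEMBERSHIPS = {
    "alice": {"g1", "g2", "g3"},
    "bob":   {"g1", "g2"},
    "carol": {"g1", "g2"},
    "dave":  {"g2", "g4"},
    "erin":  {"g1", "g2", "g3"},   # identical to alice: neither is unique
    "frank": {"g4"},
    "grace": {"g3"},
    "heidi": {"g1", "g2", "g3", "g4"},
    "ivan":  set(),                # uses no groups at all
    "judy":  set(),
}


def candidate_set_sizes(memberships, observable_groups=None):
    """Return {user: number of users sharing that user's observable fingerprint}.

    observable_groups limits which memberships an observer can detect (None
    means every membership is visible). A user whose observable fingerprint
    is empty is indistinguishable from everyone, so the candidate set is the
    whole population.
    """
    population = len(memberships)
    fingerprints = {}
    for user, groups in memberships.items():
        visible = frozenset(groups)
        if observable_groups is not None:
            visible &= frozenset(observable_groups)
        fingerprints[user] = visible

    # How many users carry each distinct non-empty fingerprint.
    counts = Counter(fp for fp in fingerprints.values() if fp)
    return {
        user: (counts[fp] if fp else population)
        for user, fp in fingerprints.items()
    }


def risk_summary(sizes, threshold):
    """Summarise candidate-set sizes the way the paper reports its results:
    fraction uniquely identified and fraction whose candidate set is at most
    `threshold` users. Fractions are over all users in `sizes`."""
    n = len(sizes)
    unique = sum(1 for s in sizes.values() if s == 1)
    within = sum(1 for s in sizes.values() if s <= threshold)
    return {
        "users": n,
        "unique_fraction": unique / n,
        "fraction_within_threshold": within / n,
    }


def exposure_comparison(memberships, still_exposed_groups, threshold=2):
    """Compare risk with every membership observable versus only the groups in
    `still_exposed_groups` observable (i.e. after the site stops leaking the
    others). Returns (before, after) summaries."""
    before = risk_summary(candidate_set_sizes(memberships), threshold)
    after = risk_summary(
        candidate_set_sizes(memberships, still_exposed_groups), threshold
    )
    return before, after


if __name__ == "__main__":
    sizes = candidate_set_sizes(MEMBERSHIPS)
    for user, size in sorted(sizes.items()):
        print(f"{user:6s} candidate set size = {size}")
    before, after = exposure_comparison(MEMBERSHIPS, {"g1", "g2"})
    print("all groups observable:", before)
    print("only g1/g2 observable:", after)
```

Run as a script it prints each user's candidate-set size and the two summaries. With every membership observable, four of the ten constructed users are uniquely identified; once only two of the four groups are observable, a single user remains unique and most users fall into a five-person candidate set. The same calculation on real membership data is what tells a site how much anonymity its URL structure is giving away.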
Quote of the day from CM
Canadian paper money going plastic!!!
http://www.680news.com/news/national/article/32514--canadian-paper-money-going-plastic
By: Jaime Pulfer
It'll last longer, be harder to copy and be better for you.
The federal finance minister has announced our paper money is going to be replaced with polymer bills.
The bills will feel different but, they'll last up to three times longer.
Next year our cotton paper bills will be replaced with a synthetic polymer.
Several countries including Australia have already started using the plastic money.
It costs more to print but overall the hardiness of the bills will reduce the cost because we won't have to print as many.
It also means our currency will be less grubby.
The smooth surface will carry around less dirt.
It won't absorb sweat and other liquids and will be more germ-resistant.
The money will also be waterproof, so leaving that $20-bill in the pocket of your jeans and putting them through the wash won't be as devastating.
The Bank of Canada said new bills will contain more elaborate security features, including clear windows, making them harder to counterfeit.
Sunday, March 7, 2010
Saturday, March 6, 2010
Quote of the day from CM
Friday, March 5, 2010
Quote of the day from CM
Thursday, March 4, 2010
Quote of the day from CM
Windows XP users: Don't press F1
If you're browsing the web today and see a notice that you should press the F1 key (the traditional button used to get "help" in any application), don't do it.
Microsoft is warning of a brand new exploit that can cause computers running Windows XP and using the Internet Explorer web browser to become infected with malware at the push of a button: Specifically, the F1 button.
The flaw is part of the way Visual Basic and Windows Help are implemented within IE, the upshot being that a clever hacker can code a dialog box that will allow the running of any code the hacker wants. Traditionally this means installing any kind of malware or virus on the victim's PC that a hacker desires.
The good news is that this exploit isn't extremely dangerous because it does require user interaction to install itself. Unlike some recent exploits, merely visiting an infected website won't cause harm to your computer: You actually have to "push a button" to be affected.
The bad news is that the F1 button has always been seen as harmless, more so than simply clicking "OK" on the average prompt you might see. When dismissed, the prompt can also be coded to pop up repeatedly, so getting rid of it might not be simple.
Microsoft is advising users that, until a patch can be written and released, users are advised not to press the F1 key while web browsing. No matter how many pop-ups and alerts a user receives, as long as F1 is not pressed this attack will not succeed.
Microsoft has not announced a timeline for the fix, but its next patch release is due on March 9. Hang tight, but don't ask for "help."
Another M$ pos.....
Saturday, February 27, 2010
Leaked Microsoft intelligence document: Here's what Microsoft will reveal to police about you
Original post @ http://blogs.computerworld.com/15655/leaked_microsoft_intelligence_document_heres_what_microsoft_will_reveal_to_police_about_you
I've got my hands on a copy of the leaked, confidential Microsoft "Global Criminal Compliance Handbook," which details for police and intelligence services exactly what information Microsoft collects about users of its online services, and how they can be accessed. What is gathered and available about you is quite comprehensive, including your emails, detailed information about when you sign in and use the services, credit card information, and so on.
The handbook was first leaked by the whistleblowing site Cryptome. Microsoft asked that the document be removed from the site, under the Digital Millennium Copyright Act. The site was instead shut down, and as I write this, it is in the process of being restored.
The handbook is available at the Wikileaks site. That's where I got it, after unsuccessfully trying to get it via BitTorrent networks. In a statement, Microsoft said that it is no longer trying to have the document removed, so it may soon be available elsewhere.
Related:
Microsoft retreats from demand that killed whistleblower site
The report, published in March 2008, is labeled "U.S. Domestic Version," which makes one wonder whether there's also a version available for U.S. agencies that operate primarily overseas and for foreign governments. But I don't know whether such a document exists. Also, the document may have been superseded by a later one, although I don't know that, either.
The handbook details exactly how police and intelligence agencies can get the information, including where to serve legal process, and how to make emergency requests for the information. It notes, for example:
Microsoft Online Services will respond to emergency requests outside of normal business hours if the emergency involves "the danger of death or physical injury to any person…" as permitted in 18 U.S.C. § 2702(b)(8) and (c)(4). Emergencies are limited to situations like kidnapping, murder threats, bomb threats, terrorism threats, etc. If you have an emergency request, please call the law enforcement hotline at (425) 722-1299.
The report describes what information is available from Microsoft Online services for police and intelligence services, including:
E-mail Services
Authentication Service: Windows Live ID
Instant Messaging: Windows Live Messenger
Social Networking Services: Windows Live Spaces & MSN Groups
Custom Domains: Windows Live Admin Center & Office Live Small Business
Online File Storage: Office Live Workspace & Windows Live SkyDrive
Gaming: Xbox Live
What's available is the actual content of your communications --- for example, copies of your emails --- as well as other information, such as your connection history and associated data that you provided to Microsoft during the registration process. The document spells out, in exacting detail, what is available for law enforcement and intelligence agencies. For example, here's an excerpt that details what emails are available from people who are MSN Premium subscribers:
Stored E-mail Records for MSN Premium Customers:
Microsoft's systems only store the e-mails a user has elected to maintain in the account. Therefore, the only e-mails provided in response to legal process seeking stored e-mail content will be the e-mails stored in the "Folders on MSN" section of a user's account.
Be aware that users may also store e-mail content on their computer's hard drive. Microsoft will not be able to disclose e-mail content stored on a user's computer --- only e-mail content stored on Microsoft's e-mail servers.
The document also gives advice and tips to law enforcement and intelligence agencies about how to understand the information that Microsoft provides. Several pages, for example, are devoted to helping agencies understand how to interpret information about Windows Live ID log-ins, showing, for example, when people log in and out, IP address history, and so on.
Interestingly, the document contains just about no information about Windows Live SkyDrive, which is Microsoft's free online file storage service. The document only has a single-sentence description of the service, along with a screenshot. I assume that the files on the service can be gotten by police and intelligence agencies, but there are no details about that, so for me, at least, it's an open question.
Quite a bit of information is available about XBox Live users. Here's what the document says can be gotten by police and intelligence officials:
What records are retained and for how long?
Both registration and IP connection history records are retained for the life of the gamertag account. Because the volume of IP connection history records may be large, when possible please ask for the specific date range of records you are specifically interested in receiving. A full listing of retained records is below:
* Credit card number
* First/last name with zip code
* Serial number but only if box has been registered online. "Console ID" is better.
* Service request number from Xbox Hotline (e.g. SR 103xx-xx-xx)
* E-mail account (e.g. @msn.com, @hotmail.com or any other Windows Live ID account name)
* IP history for the lifetime of the gamertag (only one gamertag at a time)
If your investigation involves a stolen Xbox console, if the console serial number or Xbox LIVE user gamertag is provided and the console has been connected to the Internet, IP connection records may be available.
Especially noteworthy is the final section of the document, which spells out in detail what information Microsoft is required by law to provide to police and intelligence agencies. Here, for example, is a small section:
Information that may be disclosed with a subpoena. Basic subscriber information includes name, address, length of service (start date), screen names, other email accounts, IP address/IP logs/Usage logs, billing information, content (other than e-mail, such as in Windows Live Spaces and MSN Groups) and e-mail content more than 180 days old as long as the governmental entity follows the customer notification provisions in ECPA (see 18 U.S.C. §§ 2703(b), 2705.)
The document goes on to explain that a court order is required for the rest of a customer's profile. It also spells out when search warrants are required.
None of this should be a surprise. All companies, not just Microsoft, comply with laws that require them to turn over information to police and intelligence agencies. So Microsoft is not to blame. But it's certainly eye-opening to see what they turn over, and how they do it.
For more details, check out Gregg Keizer's story on Computerworld.
Microsoft, by the way, has released a statement about the affair. Here's what the company has to say:
"Like all service providers, Microsoft must respond to lawful requests from law enforcement agencies to provide information related to criminal investigations. We take our responsibility to protect our customers' privacy very seriously, so have specific guidelines that we use when responding to law enforcement requests. In this case, we did not ask that this site be taken down, only that Microsoft copyrighted content be removed. We are requesting to have the site restored and are no longer seeking the document's removal."
Saturday, February 13, 2010
Monday, February 8, 2010
10 Ways to use Facebook Professionally
Your profile is like your desktop at work. Only put on it what you would want your co-workers to see.
Socialize with a purpose. Re-establish connections with former co-workers, classmates, but add friends selectively.
Edit your news feed preferences so that you are only alerted when it matters. Do you really care if a friend adds a new picture? More important is when they add a new contact.
Edit your profile and security settings. Be selective showing what to whom. The default settings probably show more information than you would like.
Create interest by incorporating a feed from your blog.
Join Groups related to your business interests. Ask respected contacts which groups they like.
Stay focused. It's easy to waste time on Facebook so set limits.
Help others when you can so that they'll help you when you need it.
Use the My Questions app. It is a great way to tap into your contacts' collective knowledge.
Look for events. Good online relationships can be made better by face-to-face networking or meetings.
My way?
Only use Facebook for spying or don't use at all.
Why post anything to the public?
Thursday, February 4, 2010
Twitter, Facebook use rising among gang members
Interesting read....take a look~~~
By Thomas Watkins
Associated Press
LOS ANGELES — When a gang member was released from jail soon after his arrest for selling methamphetamine, friends and associates assumed he had cut a deal with authorities and become a police informant.
They sent a warning on Twitter that went like this: We have a snitch in our midst. Unbeknownst to them, that tweet and the traffic it generated were being closely followed by investigators, who had been tracking the San Francisco Bay Area gang for months. Officials sat back and watched as others joined the conversation and left behind incriminating information.
Law enforcement officials say gangs are making greater use of Twitter and Facebook, where they sometimes post information that helps agents identify gang associates and learn more about their organizations.
"You find out about people you never would have known about before," said Dean Johnston with the California Bureau of Narcotics Enforcement, which helps police investigate gangs. "You build this little tree of people."
In the case involving the suspected informant, tweets alerted investigators to three other gang members who were ultimately arrested on drug charges. Tech-savvy gangsters have long been at home in chatrooms and on Web sites like MySpace, but they appear to be gravitating toward Twitter and Facebook, where they can make threats, boast about crimes, share intelligence on rivals and network with people across the country.
Saturday, January 23, 2010
Real-Time Search: 5 Alternatives to Google
Want breaking news? These five databases/services do their best at providing real-time access to various info sources.
Unlike traditional search engines, real-time search sites index updates from social communities such as Twitter, Delicious, Flickr and YouTube, providing you with a peek into the hot discussion topics on the Web.
Many people have turned to real-time search sites to follow events (think Captain Sully landing on the Hudson River or the aftermath of the earthquake in Haiti); these results can often point you to blogs and other new sources of information that traditional search engines may have overlooked.
1. Collecta - When you enter a search and click "Now!" Collecta gives you a streaming list of real-time posts: everything from comments from readers on news sites to recent tweets and Wordpress blog entries. You also have the option to narrow your search to just blog posts and articles; comments on blog posts; updates from Twitter and microblogging sites Jaiku and Identica; photos from Flickr, TwitPic and yFrog; and videos from YouTube and Ustream.
2. Leapfish lets you search two ways: via real-time search and a more conventional search. The results page will give you top news results, a Wikipedia page (if there is one assigned to the topic), top Web results (you can choose whether Leapfish uses Google, Yahoo or Bing as the search engine), video results, Twitter results, a section for blog results and images, top posts from Digg and a shopping section (where you can view top hits from Amazon or eBay). Leapfish also lets you filter results by Web-only, real time, videos, images, news, blogs and shopping.
3. OneRiot - Sort search results by "Pulse" and you'll find the most "socially valued" content related to your search, ranked by how many times it's been shared on various social sites.
4. Scoopler aggregates and organizes content in real time by indexing updates from news sources and social sites such as Twitter, Flickr, Digg, Delicious and more.
5. Thoora identifies what's attracting the most buzz by indexing the blogosphere to determine which mainstream news stories attract the most interest.
Source: http://www.computerworld.com/s/article/9147099/Real_Time_Search_5_Alternatives_to_Google_Bing
