Domain: pastebin.com
Stories and comments across the archive that link to pastebin.com.
Stories · 45
-
Hacker Says They Compromised ProtonMail; ProtonMail Calls BS (bleepingcomputer.com)
A hacker going by the name AmFearLiathMor is claiming to have hacked ProtonMail and stolen "significant" amounts of data. They have posted a ransom demand to an anonymous Pastebin but it reads like a prank, as it states that the alleged hackers have access to underwater drone activity and treaty violations in Antarctica. Lawrence Abrams writes via BleepingComputer: According to the message, a hacker going by the name AmFearLiathMor makes quite a few interesting claims such as hacking ProtonMail's services and stealing users' email, that ProtonMail is sending their users' decrypted data to American servers, and that ProtonMail is abusing the lack of Subresource Integrity (SRI) use to purposely and maliciously steal their users' passwords. After reading the Pastebin message (archive.is link), which is shown in its entirety below minus some alleged keys, and seeing the amount of claims, the first thing that came to mind was a corporate version of the sextortion scams that have been running rampant lately. As I kept reading it, though, it just felt like a joke. ProtonMail posted on Twitter that this is a hoax and that there is no evidence that anything it states is true. The encrypted email service provided a statement to BleepingComputer: "We believe this extortion attempt is a hoax, and we have seen zero evidence to suggest otherwise. Not a single claim made is true and many of the claims are unsound from a technical standpoint. We are aware of a small number of ProtonMail accounts that have been compromised as a result of those individual users falling for phishing attempts. However, there is zero evidence of a breach of our infrastructure." -
Ex-Valve Writer Reveals What Might Have Been Half-Life 2: Episode 3's Story (eurogamer.net)
New submitter stikves shares a report from Eurogamer: Ex-Valve writer Marc Laidlaw, who worked on Half-Life, Half-Life 2 and its episodic expansions, has published a summary of the series' next chapter on his blog. Titled, "Epistle 3," it details Gordon Freeman's next adventure. Except, likely for copyright issues, the whole story has been genderswapped. So Laidlaw's tale speaks of Gertrude Fremont, Alex instead of Alyx, Elly instead of Eli, and so on. Naturally, Laidlaw's blog is currently down due to traffic, although you can read a backup of the page on Archive.org, or on Pastebin, where the names have been corrected. -
Backdoor Could Allow Company To Shut Down 70% of All Bitcoin Mining Operations (bleepingcomputer.com)
An anonymous reader writes: "An anonymous security researcher has published details on a vulnerability named "Antbleed," which the author claims is a remote backdoor affecting Bitcoin mining equipment sold by Bitmain, the largest vendor of crypto-currency mining hardware on the market," reports Bleeping Computer. The backdoor code works by reporting mining equipment details to Bitmain servers, who can reply by instructing the customer's equipment to shut down. Supposedly introduced as a crude DRM to control illegal equipment, the company forgot to tell anyone about it, and even ignored a user who reported it last fall. One of the Bitcoin Core developers claims that if such a command were ever sent, it could potentially brick the customer's device for good. Bitmain is today's most popular seller of Bitcoin mining hardware, and its products account for 70% of the entire Bitcoin mining market. If someone hijacks the domain where this backdoor reports, he could be in the position to shut down Bitcoin mining operations all over the world, which are nothing more than the computations that verify Bitcoin transactions, effectively shutting down the entire Bitcoin ecosystem. Fortunately, there's a way to mitigate the backdoor's actions using local hosts files. -
Hackers Unlock NES Classic, Upload New Games Via USB Cable (arstechnica.com)
Just because Nintendo doesn't officially let their tiny replica NES receive new games doesn't mean hackers won't find a way to add their own. This week, hackers in Japan and Russia figured out soft-mod solutions to adding new games to the NES Classic, meaning you don't need to grab a screwdriver or a soldering iron to mod your own console. Ars Technica reports: According to the whiz kids at Reddit's NESClassicMods community, the solution won't work until you've created a save file in Super Mario Bros' first slot. (Chances are, you've already done this just by playing the game, since creating game saves is so easy with this system.) Once you've done that, connect your NES Classic Edition to a computer via a micro-USB cable, then boot the NES in "FEL" mode. This is done by holding down the system's reset button while pushing down the power button from a powered-off state. While you're booting, you should also run a "sunxi-FEL" interface on your computer. (An open-source version of compatible "USBBoot" software can be found here.) The rest of the steps land firmly in "operate at your own risk" territory, as they require copying your NES Classic's internal data to your computer, then modifying and adding files via an application made by hackers. Doing so, by the way, includes the dubious step of supplying your own ROM files, which you may have either dumped from your own cartridges or downloaded from other Internet users. One tool linked from that Reddit community, however, comes with two open-source NES ROMs that are in the legal free-and-clear to upload to your hardware. Once you've added your own game files, which should also include custom JPGs that will appear in the NES Classic's "box art" GUI, you'll have to repack the hardware's kernel, then fully flash the hardware yourself. Do all of those steps correctly, and you'll see every single game you've added appear in the slick, default interface. -
Over 1,800 MongoDB Databases Held For Ransom By Mysterious Attacker (bleepingcomputer.com)
An anonymous reader writes: "An attacker going by the name of Harak1r1 is hijacking unprotected MongoDB databases, stealing and replacing their content, and asking for a 0.2 Bitcoin ($200) ransom to return the data," reports Bleeping Computer. According to John Matherly, Shodan founder, over 1,800 MongoDB databases have had their content replaced with a table called WARNING that contains the ransom note. Spotted by security researcher Victor Gevers, these databases are MongoDB instances that feature no administrator password and are exposed to external connections from the internet. Database owners in China have been hit, while Bleeping Computer and MacKeeper have confirmed other infections, one of which hit a prominent U.S. healthcare organization and blocked access to over 200,000 user records. These attacks are somewhat similar to attacks on Redis servers in 2016, when an unknown attacker had hijacked and installed the Fairware ransomware on hundreds of Linux servers running Redis DB. The two series of attacks don't appear to be related. -
VR Devs Pull Support For Oculus Rift Until Palmer Luckey Steps Down (vice.com)
After it was revealed that Oculus founder Palmer Luckey backed a pro-Trump political organization called Nimble America that is dedicated to "shitposting" and spreading inflammatory memes about Hillary Clinton, several developers of the Oculus Rift virtual-reality headset have announced that they will stop supporting the headset until its founder steps down. One of the biggest developers for Oculus Rift, Insomniac Games, told Motherboard, "Insomniac Games condemns all forms of hate speech. While everyone has a right to express his or her political opinion, the behavior and sentiments reported do not reflect the values of our company. We are also confident that his behavior and sentiment does not reflect the values of the many Oculus employees we work with on a daily basis." Fez and Superhypercube developer Polytron also said in a statement, "In a political climate as fragile and horrifying as this one, we cannot tacitly endorse these actions by supporting Luckey or his platform." Motherboard reports: Motherboard has reached out to several other, more well-known VR developers who work with Oculus including Fantastic Contraption makers Northway Games and Job Simulator makers Owlchemy Labs. Northway Games couldn't be reached immediately for comment but tweeted the following: "What. The. Fuck. [accompanied with a link to the news via Kotaku]" and "Definitely using every fibre of my 'professionalism' to not tweet some tweets right now." Owlchemy Labs, which is currently developing for Job Simulator for the Oculus Touch controls, declined to comment either way. E McNeill, who has developed a couple of games for Oculus Rift and GearVR, suggested that like-minded VR developers raise money for Hillary Clinton's campaign to counter the money Luckey has raised for Trump. [E McNeill tweeted: "Idle Q: Would any Oculus devs join me in a donation drive for Hillary? We could aim to beat Nimble America's $11k. I'd start with $1k myself."] "This backlash is nonsense," said James Green, co-founder of VR developer Carbon Games. "I absolutely support him doing whatever he wants politically if it's legal. To take any other position is against American values." -
Hacker's Account of How He Took Down Hacking Team's Servers (softpedia.com)
An anonymous reader writes: FinFisher, the hacker that broke into Italian firm Hacking Team, has published a step-by-step account of how he carried out the attacks, what tools he used, and what he learned from scouting HackingTeam's network. Published on PasteBin, the attack's timeline reveals he entered their network through a zero-day exploit in an (unnamed) embedded device, accessed a MongoDB database that had no password, discovered backups in the database, found a BES admin password in the backups, and eventually got admin access to the Windows Domain Server. From here, it was easy to reach into their email server and steal all the company's emails, and later access Git repos and steal the source code of their surveillance software. -
Anonymous Doxes Trump, But Leaked Info Underwhelms
Mic.com reports that the "total war" declared by Anonymous against presidential candidate Donald Trump has resulted in a grandly presented leak of some personal information. Items alleged to be personal information about Trump have been posted to PasteBin; these include a social security number purported to be his, contact information for some Trump business associates (including his agent and his lawyer's office), and some information about his family relationships. As Tech Insider points out, though, the YouTube video announcing the dump seems to overstate its significance, in that none of the information leaked is new or earth-shattering -- most of it could be quickly gleaned from a Google search or a visit to Wikipedia. -
Comcast Typo Penalizes Wrong Customer For Data Usage (arstechnica.com)
ShaunC writes: Soon after Comcast implemented its data caps in Tennessee, one customer began getting calls warning that he was approaching his monthly usage limit. The company's data cap meter was ticking up rapidly, even attributing 120GB of use — almost half of the monthly cap — to a period of time when he was out of the country. After months of back and forth and troubleshooting by the customer, Comcast finally admitted that a typo in a MAC address was causing another customer's usage to appear on his account. With data caps like Comcast's carrying a real financial cost in terms of overage fees, how can we trust providers to accurately track customers' bandwidth usage? -
Anonymous Declares War Over Charlie Hebdo Attack
mpicpp writes with news that hackers claiming to represent Anonymous have declared war on terrorists. They pledged to take down websites and social media accounts being used by jihadists as retaliation for the Charlie Hebdo attack. They said, "It is clear that some people do not want, in a free world, this inviolable and sacred right to express in any way one's opinions. Anonymous will never leave this right violated by obscurantism and mysticism. We will fight always and everywhere the enemies of freedom of speech. ... Freedom of speech and opinion is a non-negotiable thing, to tackle it is to attack democracy. Expect a massive frontal reaction from us because the struggle for the defense of those freedoms is the foundation of our movement." -
TrueCrypt Author Claims That Forking Is Impossible
An anonymous reader writes: On a request from Matthew Green to fork the TrueCrypt code, the author answers that this is impossible. He says that this might not be a good idea, because the code needs a rewrite, but he allows the existing code to be used as a reference. "I am sorry, but I think what you're asking for here is impossible. I don't feel that forking TrueCrypt would be a good idea; a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of TrueCrypt's current codebase. I have no problem with the source code being used as reference." -
AT&T Hacker 'weev' Demands One Bitcoin For Each Hour He Spent In Jail
Daniel_Stuckey (2647775) writes "The notorious troll and hacker known as Andrew 'weev' Auernheimer spent 13 months in jail for exposing an AT&T security flaw. He was recently released when a federal court overturned the conviction on grounds of improper venue. Now, Auernheimer has penned an open letter to the Department of Justice in which he demands reparations for acts of 'fraud' and 'violence' carried out against him over the past three years. Those reparations must be paid in Bitcoin, he says — 28,296, to be exact. At current market value, that comes out to $13.7 million. The bombastic letter is titled 'Open letter to federal scum,' and was allegedly bcc'd to 'a few hundred journalists.' In it, 28-year-old Auernheimer writes that he calculated the sum owed to him based on his market value:" A gem: "Know that all this wealth will be directed towards a good and charitable cause. I am building a series of memorial groves for the greatest patriots of our generation: Timothy McVeigh, Andrew Stack, and Marvin Heemeyer. You see, in the 'Special Housing Unit,' which is Bureau of Prisons codespeak for 'solitary confinement' and 'torture,' I had enough time to think about the current state of federal government." -
TN Man Indicted For Romney Blackmail Attempt: Wanted $1M In Bitcoins
OakDragon writes "A Franklin, Tennessee man has been indicted for his attempt to blackmail Mitt Romney. Michael Mancil Brown allegedly claimed his intent to release some of Romney's pre-2010 tax documents unless one million dollars was converted to Bitcoins and deposited into an account which he specified. Demand letters were sent to Republican and Democratic Party offices in Tennessee, and Pricewaterhouse Coopers (whom he claimed to have stolen the documents from). Pricewaterhouse Coopers denies that he ever obtained such documents. Brown was also attempting to "sell" the documents to others (presumably the Democrats or other interested parties) for the same amount. And yes, he was apparently well aware of the Dr. Evil reference." -
Microsoft Reputation Manager's Guide To Xbox One
symbolset writes "In the wake of a disastrous E3 product reveal Microsoft has purportedly distributed a confidential internal 100-point 'FAQ' for the Xbox One that reads like it's from the Ministry of Truth. It was of course immediately leaked on pastebin. Kotaku has the story and an amusing online poll. In the discussion below make sure to line up the FAQ entries with the AC comments for extra 'Informative' moderation." -
Integer Overflow Bug Leads To Diablo III Gold Duping
Nerval's Lobster writes "Online economies come with their own issues. Case in point is the Auction House for Diablo III, a massively multiplayer game in which players can pay for items in either in-game gold or real-world dollars. Thanks to a bug in the game's latest patch, players could generate massive amounts of virtual gold with little effort, which threatened to throw the in-game economy seriously out of whack. Diablo series publisher Blizzard took corrective steps, but the bug has already attracted a fair share of buzz on gaming and tech-news forums. 'We're still in the process of auditing Auction House and gold trade transactions,' read Blizzard's note on the Battle.net forums. 'We realize this is an inconvenience for many of our players, and we sincerely apologize for the interruption of the service. We hope to have everything back up as soon as possible.' Blizzard was unable to offer an ETA for when the Auction House would come back. 'We'll continue to provide updates in this thread as they become available.' Diablo's gold issue brings up (however tangentially) some broader issues with virtual currencies, namely the bugs and workarounds that can throw an entire micro-economy out of whack. But then again, 'real world' markets have their own software-related problems: witness Wall Street's periodic 'flash crashes' (caused, many believe, by the rise of ultra-high-speed computer trading)." It seems likely the gold duping was due to a simple integer overflow bug. A late change added to the patch allowed users to sell gold on the Real Money Auction House in stacks of 10 million rather than stacks of 1 million. On the RMAH, there exists both a cap ($250) and a floor ($0.25) for the value of auctions. With stacks of 1 million and a floor of $0.25, a seller could only enter 1 billion gold (1,000 stacks) while staying under the $250 cap. When the gold stack size increased, the value of gold dropped significantly. At $0.39 per 10 million, a user could enter values of up to 6.4 billion gold at a time. Unfortunately, the RMAH wasn't designed to handle gold numbers above 2^31, or 2,147,483,648 gold. Creating the auction wouldn't remove enough gold, but canceling it would return the full amount. -
Finnish Anti-Piracy Site Pirates Thepiratebay Content
An anonymous reader writes "Finnish copyright lobby TTVK Ry (which earlier ordered the artist promotion site The Promo Bay to be censored as 'thepiratebay subpage' before later admitting that it's legal, and also got the police to confiscate a 9-year-old's Winnie-the-Pooh laptop on suspicion of having illegally downloaded a single album) launched an anti-piracy website: http://piraattilahti.fi./. The site closely resembles The Pirate Bay, and if you take a closer look, you'll notice that CSS has been directly copied from thepiratebay.se, complete with the original site name in comments (http://piraattilahti.fi/css/css.css, pastebin mirror). Of course, one interesting question is: how on Earth did they manage to pirate The Pirate Bay content, considering that they managed to get court orders for major ISPs to censor access to The Pirate Bay?" -
New York Pistol Permit Owner List Leaked
An anonymous reader writes "On Friday, The Journal News caved under pressure of gun advocates and shut down the interactive maps which contained the names and addresses of licensed gun owners in upstate New York. The maps are still visible on the site, however they are simply static images. The Journal News published the interactive maps on December 23 which caused significant backlash. In a similar move, Gawker published the names of licensed gun owners in New York City without addresses. New York state Senator Greg Ball (Republican) called the removal of the data a 'huge win.' On Saturday, an anonymous user leaked the raw data used to build The Journal News maps." -
Nvidia Display Driver Service Attack Escalates Privileges On Windows Machines
L3sPau1 writes "A zero-day exploit has been found in the Nvidia Display Driver Service on Windows machines. An attacker with local access can use the exploit to gain root privileges on a Windows machine. Windows domains with relaxed firewall rules or file sharing enabled can also pull off the exploit, which was posted to Pastebin by researcher Peter Winter-Smith." -
Nokia Abruptly Closes Application Store In China For N9
jppiiroinen writes "It seems that Nokia is slowly killing existing applications for their Linux based N9 mobile phone which are available through their store. As a developer who has published paid (and free) apps, it appears after their final blow of killing the support for paid applications in China, where the main revenue came from, there is not any means to make money, and no reason to maintain apps anymore. What this means also for the end-users: no premium apps, like Angry Birds. There was no heads-up or anything, just a single email without any means to make a complaint. Nokia, So Long, and Thanks for All the Fish." Also being discussed at Maemo.org. -
GhostShell Hackers Release Data From Exploiting NASA, FBI, ESA
An anonymous reader writes "The Register is reporting that the hacking collective GhostShell has announced it has [dumped] around 1.6 million account details purloined from government, military, and industry. The [hacking] group said in a statement: 'we have prepared a juicy release of 1.6 million accounts/records from fields such as aerospace, nanotechnology, banking, law, education, government, military, all kinds of wacky companies & corporations working for the department of defense, airlines and more.'" -
WikiLeaks Losing Support From Anonymous
Hugh Pickens writes "The Guardian reports that members of computer hacker collective Anonymous have distanced themselves from WikiLeaks, claiming the whistleblowers' site has become too focused on the personal tribulations of its founder, Julian Assange. A statement linked from the Anonymous Twitter account, AnonymousIRC, described WikiLeaks as 'the one man Julian Assange show,' and complained that the website implemented a paywall seeking donations from users who wanted access to millions of leaked documents. 'The idea behind WikiLeaks was to provide the public with information that would otherwise be kept secret by industries and governments. Information we strongly believe the public has a right to know,' said the statement on behalf of Anonymous. The dispute could starve WikiLeaks of potentially newsworthy leaks in the future, as some of Wikileaks' recent disclosures – including the Stratfor emails – are alleged to have come from Anonymous." -
Anonymous Leaks 1M Apple Device UDIDs
Orome1 writes "A file containing a million and one record sets containing Apple Unique Device Identifiers (UDIDs) and some other general information about the devices has been made available online by Anonymous hackers following an alleged breach of an FBI computer. 'During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java,' the hackers claim." Update: 09/04 13:44 GMT by T : A piece at SlashCloud points out that if the leak is genuine, this raises some sticky questions about privacy and security; in particular: "[H]ow did the agency obtain said information, and to what purpose? Why did all that personal data reside on the laptop of one special agent?" -
Shamoon Malware Linked To Saudi Aramco Attack
angry tapir writes "A timer found in the Shamoon cyber-sabotage malware discovered last week matches the exact time and date when a hacktivist group claims to have disabled thousands of computers from the network of Saudi Aramco, the national oil company of Saudi Arabia. 'We penetrated a system of Aramco company by using the hacked systems in several countries and then sent a malicious virus to destroy thirty thousand computers networked in this company,' a group called the 'Cutting Sword of Justice' said in a Pastebin post on Aug. 15. 'The destruction operations began on Wednesday, Aug 15, 2012 at 11:08 AM (Local time in Saudi Arabia) and will be completed within a few hours.' That same day, Saudi Aramco confirmed that some sectors of its computer network were affected by a computer virus that infected workstations used by its employees." -
Anonymous Claims To Have Hacked Sony PSN Again
hypnosec writes "Anonymous has claimed a new attack on Sony's PlayStation Network, and this time around it seems they have information from nearly 10 million user accounts. As a proof of the hack they dumped more than 3000 credentials online in the form of a pastebin post. The notorious hacktivist group is claiming that the entire set of hacked credentials contains over 10 million PSN accounts and that the file is of around 50GB." Update: 08/16 13:12 GMT by S : Sony has denied this claim. -
Yahoo! Closes Security Hole That Led To Breach
An anonymous reader writes "Yahoo! has patched the security hole that allowed hackers to access some 450,000 email addresses and passwords associated with Yahoo! Contributor Network and ultimately publish them last week. In the meantime, the group responsible for the hack of the official forum site of technology company NVIDIA has also dumped some 800 user records taken during the breach." -
Mozilla Downshifting Development of Thunderbird E-Mail Client
An anonymous reader writes "Mozilla will be announcing next week that they will effectively be taking away resources from Thunderbird's development. Mozilla believes it's better for the developers behind the open-source e-mail client to work on other projects, i.e. Firefox OS. They claim they will not be outright stopping Thunderbird." You can also read the letter at pastebin. -
Anonymous Claims To Have Defaced Hundreds of Chinese Government Sites
Hkibtimes writes, quoting the International Business Times: "The Anonymous hacking collective has landed in China, home of some of the most tightly controlled Internet access in the world, and defaced hundreds of government websites in what appears to be a massive online operation against Beijing. Anonymous listed its intended institutional targets on Pastebin and has now attacked them." -
RDP Proof-of-Concept Exploit Triggers Blue Screen of Death
mask.of.sanity writes "A working proof of concept has been developed for a dangerous vulnerability in Microsoft's Remote Desktop Protocol (RDP). The hole stands out because many organizations use RDP to work from home or access cloud computing services. Only days after a patch was released, a bounty was offered for devising an exploit, and later a working proof of concept emerged. Chinese researchers were the first to reveal it, and security professionals have found it causes a blue screen of death in Microsoft Windows XP and Windows Server 2003 machines. Many organizations won't apply the patch and many suspect researchers are only days away from weaponizing the code." -
WikiLeaks Begins Releasing Stratfor Internal Emails
owenferguson writes "WikiLeaks has begun leaking a cache of over 5 million internal emails from the Texas-headquartered 'global intelligence' company Stratfor. The emails date from between July 2004 and late December 2011. They reveal the inner workings of a company that fronts as an intelligence publisher, but provides confidential intelligence services to large corporations, such as Bhopal's Dow Chemical Co., Lockheed Martin, Northrop Grumman, Raytheon and government agencies, including the U.S. Department of Homeland Security, the U.S. Marines and the U.S. Defense Intelligence Agency. The associated news release can be found on pastebin." -
Cops Set Up Extortion Sting On Symantec's Source Code Thieves
Sparrowvsrevolution writes "Hackers linked with Anonymous leaked another 1.26 gigabytes of Symantec's data Monday night, what they say is the source code of the company's PCAnywhere program. More interestingly, they also posted a long private email conversation that seems to show a Symantec exec offering the hackers $50,000 to not leak the company's data and to publicly state they had lied about obtaining it. Symantec has responded by revealing that in fact, the $50,000 offer had been a ruse, and the 'Symantec exec' was actually a law enforcement agent trying to trace the hackers. It adds that all the information the hackers have released, including a 2006 version of Norton Internet Security, is outdated and poses no threat to the company or its customers. Symantec says the Anonymous hackers began attempting to extort money from the company in mid-January, and it responded by contacting law enforcement, though it won't comment on the results of the fake payoff sting while the investigation is still ongoing." -
Anonymous Hacks Finland
First time accepted submitter spuguli writes with more exploits of Anonymous. "From Helsingin Sanomat: 'A data leak was uncovered in Finland on Saturday, in which personal details ... of around 16,000 people were uploaded onto a file-sharing website.' Anonymous has claimed responsibility for the cracking of several databases." -
Anonymous Hackers Take Down Child Porn Websites
chrb writes "According to Security News Daily, Anonymous has taken down more than 40 darknet-based child porn websites over the last week. Details of some of the hacks have been released via pastebin #OpDarknet, including personal details of some users of a site named 'Lolita City,' and DDoS tools that target Hidden Wiki and Freedom Hosting — alleged to be two of the biggest darknet sites hosting child porn." -
New JBOSS Worm Infecting Unpatched Servers
Trailrunner7 writes "There is a new worm circulating right now that is compromising servers running older versions of the JBoss Application Server and then adding them to a botnet. The worm also attempts to install a remote access tool in order to give the attacker control over the newly infected server. The worm has been circulating for a couple of days at least, and it's not clear right now how many servers have been compromised or what the origins of it are. It apparently exploits an old vulnerability in the JBoss Application Server, which was patched in April 2010, in order to compromise new machines. Once that's accomplished, the worm begins a post-infection routine that includes a number of different steps." -
New Sony PSN ToS: Class Action Waiver Included
rwven writes "Yesterday Sony sent an email to PlayStation Network members regarding a change in the Terms of Service for PSN. When agreeing to this new terms of service, you must waive your rights to a class action suit against Sony. I, for one, will not be agreeing to any such thing. You can view section 15 of the new ToS here (PDF)." -
Anonymous Retaliates, Leaks Texas Police Emails
An anonymous reader sends word that hacking group Anonymous has breached servers and accounts belonging to "dozens" of Texas police departments, leaking emails, documents and personal information. They say the attacks are in retaliation for "the arrests of dozens of alleged Anonymous suspects," and were done in solidarity with "the 'Anonymous 16' PayPal LOIC defendants, accused LulzSec member Jake Davis 'Topiary,' protesters arrested during #OpBart actions, Bradley Manning, Stephen Watt, and other hackers and leakers worldwide." Predictably, some of the leaked emails paint an unflattering picture of internal operations at the police departments. -
Anonymous Breaches Another US Defense Contractor
JohnBert sends this excerpt from an IDG report: "The politically oriented hacking group Anonymous has released 1GB of what it says are private e-mails and documents from an executive of a U.S. defense company that sells unmanned aerial vehicles to police and the U.S. military. The documents were publicized in a post on Pastebin, with links leading to the actual material on another website. The material purportedly belongs to Richard Garcia, a senior vice president at Vanguard who was a U.S. Federal Bureau of Investigation special agent for 25 years. Anonymous took special delight in the breach, as Garcia is director of InfraGard, an organization that liaises between private sector companies and the FBI. A group affiliated with Anonymous called LulzSecurity, or LulzSec, breached and defaced one of InfraGard's websites belonging to its Atlanta chapter in June." -
Hacker Exposes Parts of Florida's Voting Database
Dangerous_Minds writes "Some people feel that elections can be rigged and votes tampered with. One hacker, who goes by the name of Abhaxas, decided to prove that votes aren't secure by exposing parts of the Florida voting database. Said Abhaxas while posting the data, 'Who believes voting isn't tampered with?'"
LulzSec Teams With Anonymous, In Operation AntiSec
c0lo writes "After a brief spat where the notorious Anonymous hacking collective sniped at Lulzsec, the 'upstart' hacking collective, for crowing about low-rent Denial of Service attacks on the CIA and 4chan websites, the two groups have apparently teamed up in operation Anti-Sec. The operation's 'top priority is to steal and leak any classified government information, including email spools and documentation. Prime targets are banks and other high-ranking establishments. If they try to censor our progress, we will obliterate the censor with cannonfire anointed with lizard blood.' We can only predict that the following will be unpredictable: store canned food and flash batteries, change your eBanking password daily."
Google Should Be Logging In To Facebook
Frequent Slashdot contributor Bennett Haselton writes "Facebook indirectly accused Google of creating dummy accounts to log in and spider information from their site, and Google denied the charge. But if Google wants to help users discover what strangers can find out about them, then spidering Facebook with dummy accounts is exactly what they should be doing." Read on for the rest of his thoughts.

In the dust-up over the revelation that Facebook had paid a PR firm to plant negative stories about Google indexing Facebook's site, one point was often overlooked: the allegation that Google had been creating dummy Facebook accounts, and using them to log in to Facebook and spider information that was only available to Facebook users. This was denied by Google and never proven, but the denial obscures a more important point. Paradoxically, rather than hurting user privacy, it would have helped to protect user privacy in the long run if Google actually had been logging in to Facebook, spidering the information that was available to members, and making that information available in Google search results.
To review the facts not in dispute: When you create a Facebook profile, Facebook by default makes certain categories of information viewable to other users. Most of your personal information (in particular, your contact information) is viewable to other members that you confirm as your Facebook friends. A narrower set of information — usually including your name and your interests, but not including your contact information — is viewable to other Facebook members who are signed in to Facebook, but who are not in your friends list. (Let's call this the "Facebook stranger" version of your profile.) Finally, since 2007 Facebook has made an even smaller subset of information available in a "public search listing," which can be viewed without being logged in to Facebook or even having an account. Facebook explicitly stated that one reason for creating these public search listings was to make the profiles more easily findable by Google.
Now, the op-ed that Burson-Marsteller was trying to plant in the press strongly suggested that Google was using tactics like creating fake Facebook accounts in order to log into Facebook and scrape the "Facebook stranger" version of people's accounts, and not just the public search listings. (For one thing, the op-ed accused Google of likely "violating the Terms of Service" of Facebook. While scraping the public search listing obviously doesn't violate the TOS, creating dummy accounts to log in to Facebook and spider content automatically certainly does — and that's the only thing Google could do on Facebook beyond spidering the public search listing.) Of this allegation, Wired senior writer Steven Levy wrote:
This information is a lot easier to unearth from inside Facebook, but actually logging into Facebook to purloin information would indeed be troublesome. For one thing, it would violate the terms of service agreement. Is Google doing this? One of the Burson operatives implied that it is. But Google says the company does not go inside Facebook to scrape information, and I find this credible. (If Facebook has logs to prove this serious charge, let's see them.)
But why is this such a scurrilous charge anyway?
When you search for a person's name on Google, you might be looking for information about that person, or you might be doing research on what other people in the world can find about that person (particularly if that person is yourself). If a certain fact about you — for example, the members of your Facebook friends list — is viewable to anyone with a Facebook account as long as they're logged in to Facebook, then anybody in the world can obtain that information about you anyway, by getting their own Facebook account. So it's perfectly legitimate for Google to report that as a fact that anyone can find about you, if you Google your own name. You may not like the fact that Facebook exposes that information about you to anyone with a Facebook account, but it's Facebook, not Google, that makes the information available to anyone. If you Google your own name and Google tells you that some piece of information is available to any Facebook user, Google is doing you a favor.
For that matter, it's not that easy to view your own "stranger Facebook profile" on Facebook, to see for yourself what other users can see about you. You can't just click your own profile while signed in, since that will show you all of your own personal information. You can't sign out and then click your own profile, since that will show you your public search listing (which is shown to non-logged-in users). You would have to, instead, create a second dummy Facebook account (already a violation of Facebook's TOS), which usually requires creating a second email address that you can tie to your second Facebook account, then signing in with your second account and trying to view your "real" one... How many people — even the most privacy-conscious ones who pore over every article about Facebook allegedly exposing their data — have ever tried that experiment? Having the information already spidered by Google would make it much easier.
When would you actually derive some privacy benefit from not having your "Facebook stranger" profile information listed in Google? Really, only if you're being looked up by a particularly lazy stalker who searches your name on Google — but then doesn't even bother signing in to Facebook and searching for your name on Facebook. If they're motivated enough to find you on Facebook and view your "Facebook stranger" profile there, then you've gained nothing by blocking that information from Google.
Notice this argument does not extend to some general principle that webmasters shouldn't be able to tell Google not to index parts of their website. Many websites have specified, using the Robots Exclusion Standard, that they don't want Google indexing certain documents on their site. (The Robots Exclusion Standard allows webmasters to create a file called robots.txt on their website, which tells search engines not to index any files listed in the robots.txt file. It would be technically possible for a search engine to ignore that directive and index the documents anyway, but virtually all search engines do follow it.) In that scenario, even if a document listed in robots.txt contains personal information about someone, there's no argument that "someone could find it anyway by searching, so Google is doing you a favor by listing it," because nobody would be able to find it by searching unless Google lists it. What makes Facebook a special case is that (a) it has its own search function, and (b) more importantly, it's already the place that everybody knows to go looking if they're searching for a person. These two facts mean that people can find you on there without Google's help.
That might sound unfair to Facebook — that simply because they've achieved success, different rules should apply to them, and Google ought to be allowed to violate their TOS by logging in to their system and spidering people's Facebook-stranger information. But it's the only way for Google to display honest answers, if a user comes to Google to ask: What can strangers on the Internet find out about me?
P.S.: I received many useful suggestions in response to a previous article, in which I described an algorithm for crowdsourcing the abuse-complaint-review process on Facebook, and offered a $100 prize split between users who sent in the best criticisms or improvements. So I'm going to do it again in a more free-form approach: I'll offer a $50 prize to be split between readers who email me the best negative comment or counterargument to the argument that I've just made here. Entries have to be submitted by email, although of course you can and should post your thoughts in the comment threads as well. Email bennettSPAMMERS at SUCKpeacefire dot org with "googlebot" in the subject. You can also donate your winnings to a charity of your choice.
LulzSec Hacks the US Senate
jfruhlinger writes "LulzSec might not be as famous as Anonymous — they're really best known for hacking sites they like, to prove a point about security — but they may have just raised their profile significantly, posting what appears to be data taken from an internally facing server at the US Senate. However, the fun-loving group might find that the Senate reacts a lot more harshly to intrusions than, say, PBS did." The group also recently grabbed data from Bethesda Softworks.
Hacker Group LulzSec Challenges FBI
Tiek00n writes "Hacker Group 'LulzSec' has gained some attention recently for their hacks of PBS and Sony. Their most recent target: FBI affiliate Infragard. The group claims, 'It has come to our unfortunate attention that NATO and our good friend Barrack Osama-Llama 24th-century Obama have recently upped the stakes with regard to hacking. They now treat hacking as an act of war. So, we just hacked an FBI affiliated website (Infragard, specifically the Atlanta chapter) and leaked its user base. We also took complete control over the site and defaced it...'"
Lone Iranian Claims Credit For Comodo Hack
nk497 writes "A boastful Iranian hacker has claimed sole responsibility for the Comodo security certificate attack, saying it had nothing to do with his government. The 21-year-old claimed via a note on PasteBin, 'I'm not a group of hacker, I'm single hacker with experience of 1,000 hackers.' While some researchers believed his claims, saying the media had accepted Comodo's claims that the attack was from the Iranian government too easily, others said it was impossible to tell if the hacker was real, or a PR move by Iran."
Last.Fm Founder Criticizes Apple Over Music Subscription Fees
An anonymous reader writes "Apparently not one to mince words, Last.fm founder Richard Jones lambasted Apple for their recently announced App Store subscription rules. 'Apple just ****ed over online music subs for the iPhone,' Jones wrote in IRC earlier this week. Taking things further, Jones angrily theorized that by effectively preventing subscription services like Rhapsody and Spotify from thriving on iTunes, Apple is paving the way for its own music subscription service where it will, surprise surprise, face little to no competition." Jones argues that music service subscriptions don't operate at margins "anywhere near 30%," and that the dramatic loss in revenue will be tough to survive. Another article suggests that Apple's fee structure will highlight the publishing industry's broken business model. Some analysts expect it to raise antitrust concerns, though the wave of Android tablets hitting the market may stifle that sentiment.
HDCP Master Key Revealed
solafide writes "The HDCP Master Key has allegedly been revealed. If true, this information will allow anyone to create their own source or sink keys, essentially making HDCP useless for content protection permanently. No word yet on how it was obtained, but if true, this is a great day for content freedom around the world!"
Decryption Keys For HD-DVD Found, Confirmed
kad77 writes "It appears that, despite skepticism, 'muslix64' was the real deal. Starting from a riddle posted on pastebin.com, members on the doom9 forum identified the Title key for the HD-DVD release 'Serenity.' Volume Unique Keys and Title keys for other discs followed within hours, confirming that software HD-DVD players, like any common program, store important run-time data in memory. Here's a link to the decryption utility and sleuthing info in the original doom9 forum thread. The Fair Use crowd has won Round One; now how will the industry respond?"