News Of The World Wasn’t ‘Hacking’ Voicemail, It Was Blagging
This is nitpicky, and I certainly don’t mean to take lightly the seriousness of the matter. But I do want to clarify that the News of the World wasn’t technically “hacking” voicemail in its scandal. It was engaged in social engineering.
For those of you who missed the headlines (and for the benefit of posterity): News of the World was (until July 10, 2011) a Sunday tabloid; like most British tabs, it was best known for printing racy pictures of women and sleazy stories.
News of the World hired a private investigator to help it research stories. That contractor gained access to a number of voicemail accounts, including those of a murdered 13-year-old girl, several soldiers killed in the Middle East conflicts, and royal family members.
All the shoes involved here haven’t yet dropped, but as of this writing the scandal has closed the paper after 168 years of publication; threatens to bring down Prime Minister David Cameron; has led to several arrests and may well result in additional restrictions on Great Britain’s press. (Even overwhelmingly reasonable pundits, such as The Economist, are calling for a mucking out of British journalism’s stables.)
The entire affair is loathsome, no question about that, even for the British press, notorious for its “chew people up and spit them out” appetite. It’s also caused other world press outlets to term what News of the World did “phone hacking,” needlessly worrying people who have taken reasonable steps to secure their voicemail that they, too, might be targeted.
So I want to clear things up. If you’ve changed your voicemail password (PIN), you almost certainly can’t be violated in the way News of the World violated its victims.
Automatically Hash Tagging Text With PHP And MySQL
My recent work on the Google Reader to Twitter interface led me to recognize a serious shortcoming of such a basic system: A lack of support for hash tags.
For those unfamiliar with Twitter, hashtags are basically words preceded by a hash mark (#). When a word is “tagged”, it becomes a hyperlink to other content containing that term.
Tagging isn’t unique to Twitter. It’s integral to WordPress, Tumblr and many other blogging platforms; Google uses tags (which they call “labels”) in most of their major applications, including GMail and Google Documents.
The reason is simple: People tend to organize information in terms of categories, so interrelating content by linking items that belong to the same categories to one another makes it easier on us to find and process that information.
So here’s a quick and easy script that lets you take keywords / tags / labels / categories / what have you from a MySQL table, run those terms over a string / subject text, and automatically tag that string with those terms.
(In a later tutorial, I will describe how to add new terms to the database.)
The Lessons We Should All Relearn From HBGary
Ars Technica published a long (by Web standards) story yesterday about the hacking of HBGary by Anonymous. It is absolutely, positively, must-read information for all beginner Web developers, and for that matter, for experienced Web developers, too.
For those unfamiliar with the story, HBGary is an information systems security consultancy. It’s not huge, but it’s been successful getting work with the federal government and several other companies.
But HBGary wanted to get bigger; to exploit the headlines and prove itself worthy of major government and corporate contracts. So HBGary hatched a couple of schemes.
One was to help Bank of America discredit WikiLeaks with a disinformation campaign and character assassinations. The other was to “unmask” the Anonymous hackers who set off several DDoS attacks against Visa, Bank of America, and others perceived as having harmed WikiLeaks.
Unfortunately, HBGary boss Aaron Barr decided to go public with his plans to expose the alleged hackers. So Anonymous decided to attack HBGary, and the rest are our lessons for the day.
Google Search Results Encourage New Wave Of Negative Customer Service
A fascinating article in today’s New York Times examines the case of DecorMyEyes, an online eyeglasses retailer who’s found an interesting exploit in Google’s search rankings.
Noting that Google’s PageRank algorithm doesn’t determine whether a link back to a Web site is positive or negative, store owner Vitaly Borker games that system simply: He fights every customer complaint bitterly, with verbal abuse, counter-complaints, and what some construe as overt threats of violence.
(Update, Dec. 2, 2010: Google has changed its PageRank algorithm to weigh the negativity of comments.)
This aggressive, seemingly destructive behavior is so over-the-top, it leads disgruntled customers to complain everyplace they can online, including at such massive entities as Get Satisfaction.
The long and short: Lots of mentions and links to his Web site, plus lots of mentions of the brands he sells, all in context, often on high-traffic Web sites, means searching for a specific pair of eyeglasses often leads to Borker’s Web site being listed first in a Google search.
Borker effectively preys on the inexperienced online shopper. “If you’re the type of person who reads consumer reviews,” says the Times, “Mr. Borker would rather you shop elsewhere.”
He gets away with it via a combination of apathy and obeying the letter of the law.
His previous hosting company and eBay (where he buys glasses for resale) ignored scores of complaints until the Times inquired about his accounts. Law enforcement’s confusion over Web-based commerce crime (the IC3 included) means police have largely been absent, even in the face of obvious violations of the law.
Borker carefully monitors Visa and MasterCard complaints, making sure he doesn’t go past the monthly complaint limits. After MasterCard closed one of his merchant accounts, he opened another:
“There is no such thing as shutting someone down on the Internet,” he said during our initial telephone interview. “It isn’t possible. If Visa and MasterCard ever shut me down, I’d use the name of a friend of mine. Give him 1 percent.”
Most interesting, Borker sells on Amazon.com’s Marketplace, and doesn’t employ any nastiness there, because Amazon has a very low tolerance for customer complaints, according to the Times.
ASP.NET Crypto Exploit Patch Now Available Through Windows Update
Scott Guthrie announced yesterday that the hotfix for the ASP.NET cryptographic padding oracle exploit is now available on Windows Update / Windows Server Update Services.
Points of note:
- Persistent authentication cookies will need to be reset after applying the patch. In other words, if your site uses Forms Authentication, all your users will need to log in again after you apply this patch.
- You will still be able to persist Forms Authentication sessions across versions of ASP.NET. In other words, if you have multiple applications, running multiple versions of ASP.NET, on a given domain, one Forms Authentication login will work for them all, provided they share the same data store for authentication.
- If you run a web farm, all versions of ASP.NET must be the same in that farm, and the patch needs to be applied to all machines.
All links in this post on delicious: http://www.delicious.com/dougvdotcom/asp-net-crypto-exploit-patch-now-available-through-windows-update