After those national headlines, Capitol Hill is finally listening. Representatives Eliot Engel (D., N.Y.) and Jan Schakowsky (D., Ill.) introduced “The Social Networking Online Protection Act” to the House on Friday, a bill that would prohibit employers from asking candidates for their social networking passwords.

“No one would feel comfortable going to a public place and giving out their username and passwords to total strangers,” Rep. Engel said in a statement provided to The Hill. “They should not be required to do so at work, at school, or while trying to obtain work or an education.”

If the bill were to pass, employers or school and university admittance boards could be fined up to $10,000 for a violation.

The issue first exploded after the AP pointed to statistician Justin Bassett’s account of the questionable practice last month, spurring lawmakers such as Senators Charles Schumer (D., N.Y.) and Richard Blumenthal (D., Conn.) to call on the Justice Department for an investigation.

But public concern waned after AP reporter Manuel Valdes admitted his evidence was mostly anecdotal and the practice “doesn’t seem to be widespread.”

Even if the hubbub was a bunch of sound and fury, the bill still has a long road to go before hitting President Barack Obama’s desk. There are still rounds of committee hearings, getting it through the floor of the House and the Senate and getting the two sides of the legislature to agree on a final version before sending it to the White House.

And none of those are easy feats.

Facebook isn’t commenting on this bill in particular, but it’s safe to assume the company will support its passage.

Soon after the AP published its initial story, Facebook made it a Terms of Service violation for anyone to share or solicit Facebook passwords. And when Maryland became the first state to pass a similar bill earlier this month, Facebook commended the legislature on the move, although Governor Martin O’Malley hasn’t signed it quite yet.

There’s no telling the exact timeline — so to speak — on moving the bill through Congress, but my guess is it won’t be speedy.

So here’s a plea: if you have anything to do with security in a distro, and think that my kids (replace “my kids” with “sales people on the road” if you think your main customers are businesses) need to have the root password to access some wireless network, or to be able to print out a paper, or to change the date-and-time settings, please just kill yourself now. The world will be a better place.

– Linus Torvalds’s rant on Google+ about his negative experience with openSUSE on his MacBook Air, after his daughter was was asked for a root password in order to print from the machine

Using seven passwords stolen from top Nortel executives, including the chief executive, the hackers — who appeared to be working in China — penetrated Nortel’s computers at least as far back as 2000 and over the years downloaded technical papers, research-and-development reports, business plans, employee emails and other documents, according to Brian Shields, a former 19-year Nortel veteran who led an internal investigation.

Read the rest of this post on the original site »

One example is the annual tech prediction by analyst Mark Anderson, which I wrote about last week. Another is IBM’s recurring “Five in Five” series, wherein Big Blue looks at the unfolding technology landscape and predicts what innovations are still just this side of “gee whiz” today, but will be commonplace within five years.

Think back to what we were doing in 2006, and how far things have come in that short period of time in terms of consumer and enterprise technology. The iPhone existed only as an Apple prototype. Facebook had just opened itself up to the population at large, beyond just college and university students. Twitter was just getting started. And a tablet was a not-terribly-popular PC design.

As you’ll see, some of these five predictions aren’t exactly mind-blowing, especially if you pay attention to general technology trends. Over the past decade, you’ve probably already heard predictions saying that computer passwords will go away and be replaced by biometrics of some kind, whether in the form of fingerprints or voice authorization or some part of your eyeball. Also: Junk mail I actually want? That one I’ll believe when I see it. However, I really like the “think to call” idea, which sounds like a super speed-dial.

Anyhow, here are IBM’s predictions for stuff we’ll see by 2016, and a video explaining them in a little more detail:

You will make your own energy: Anything that moves has the potential to create energy. Your running shoes, your bicycle and even the water flowing through your pipes can create energy. Advances in renewable energy technology will allow individuals and scientists to collect this energy and use it to help power our homes, offices and cities.

You will not need a password: Your biological makeup is the key to your individual identity, and soon, it will become the key to safeguarding it. Each person’s unique biometric data such as facial definitions, retinol scans and voice files will be composited through software to build your DNA-unique online password. You will be able to log into your mobile phone or have access to an ATM machine by simply speaking your name or looking into a camera.

Mind reading is no longer science fiction: Scientists are researching how to link your brain to your devices, such as a computer or a smartphone, so you just need to think about calling someone and it happens. Scientists have designed headsets with advanced sensors to read electrical brain activity that can recognize facial expressions, excitement and concentration levels, and thoughts of a person without them physically doing anything.

The digital divide will cease to exist: In five years, the gap between information haves and have-nots will narrow considerably due to advances in mobile technology. Growing communities will be able to use mobile technology to provide access to essential information and better serve people with new solutions such as mobile commerce and remote healthcare.

Junk mail will become priority mail: Think about how often we’re flooded with advertisements we consider to be irrelevant or unwanted — it doesn’t have to be that way anymore. In five years, unsolicited advertisements may feel so personalized and relevant it may seem spam is dead. Systems will be able to filter and find only the data that’s important and relevant to you and will bring you the information without you having to ask for it.

It’s been more than 30 years since my favorite American bard, John Prine, sang that lyric, and it came to mind as I sat down today to meet with Brian David Johnson, who is, to my recollection, the first person I’ve ever known to carry the job title “futurist.” And yes, it sounds a little specious, until you find out he works as a futurist for the chipmaker Intel, which certainly has a long-term strategic interest in anticipating the demands of the future well before they happen.

Johnson was a guest today on The Wall Street Journal’s “Digits” program, which I co-hosted with the Journal’s affable Simon Constable. Johnson is in New York to speak at Comic Con about Intel’s Tomorrow Project, which aims to ask honestly what computing may be like 15 or 20 years from now — and the implications for our daily lives.

Think back to 1996 and you probably had some idea of what 2011 would be like. But did you really? You may have had a cellphone, but would you have imagined how much of your daily life would be punctuated by its use, beyond making phone calls? If you were to zap back in time and have a conversation with the 1996 you about life in 2011, you’d probably have to rely on science fiction to get the point across. “You know the communicator and tricorder from ‘Star Trek’? Yeah, we basically have those. We call them smartphones, and they’re kind of a big deal,” the 2011 you might say. “And they’re also the talking computers from ‘Star Trek.’ And you won’t believe who makes them.”

Science fiction makes it possible, Johnson says, to have a conversation about the future, by giving us the metaphors we need to figure out what we want and don’t want to happen. Hence “The Tomorrow Project Anthology,” a collection of short stories set in the future, imagining plausible situations emerging from science fact of today. One volume of the anthology was published earlier this year, and a new one is out now.

What happens, on some hypothetical day in the future, when passwords are easily and readily hackable and all our personal information is more or less available for all the world to see and take and use? That’s what the writer Cory Doctorow asks in his story, “The Knights of the Rainbow Table,” which appears in the new volume.

So these are some of the things that Simon and I talked about with Johnson in today’s closing segment on “Digits,” which you can see below. Enjoy.

*Lyrics from “Living in the Future,” by John Prine, from the 1980 album “Storm Windows.”

Yes, System Administrator Appreciation Day exists and has since about 2002. Naturally, the folks in Google’s Enterprise division, the people who bring you Google Apps, have something to say about it.

Google Apps, you see, are all about making the lives of sysadmins easier or more productive so they can focus on more important things than the mundane task of resetting passwords. It also frees them to come up with silly dances in response to the occasional Google April Fool’s prank. If I were a sysadmin, I’d rather have the cake, but that’s just me.

Anyway, to all you system administrators out there: Happy System Administrators Appreciation Day!

(Image from Wikipedia.)

Google, which has blamed China for a previous attack on the company’s computer networks, said its security and abuse detection systems recently discovered that users of its popular Gmail service had fallen for what are called “phishing scams.” Such exploits trick users into sharing their passwords, and that the campaign “appears to originate from Jinan, China” and targeted specific individuals.

Read the rest of this post on the original site »

Sony says that the credit card data associated with the accounts was encrypted, though there are anecdotal reports of credit card fraud occurring coincidental with the timing of the breach.

On top of that, regulators in places as varied as Connecticut and the U.K. and Ireland are demanding information, often the first step in investigations that lead to lawsuits. The office of Ireland’s data protection commissioner (cool title) says it wants a full report on the incident by the end of the week. The U.K.’s Information Commissioner’s Office is investigating. Perhaps Sony’s one lucky draw in all this, as Parmy Olson of Forbes notes, is that it won’t have to face the full fury of the European Union because authority for data privacy issues are reserved to individual member countries.

Meanwhile, the attorneys general of several U.S. states are starting to rumble, starting with Connecticut’s George Jepson, who said he is launching an investigation, while his counterparts in Missouri and Iowa are making the kind of public statements that are often a precursor to investigations of their own. A few lawmakers in Congress are tsk-ing disapprovingly too, mulling hearings and new legislation. Below is an appearance on CNBC by Sen. Richard Blumenthal, D-Conn., suggesting that the Department of Justice should launch its own investigation.

Thanks, Senator. However, my guess is that if the systems compromised are in the U.S.–and given the number of PlayStation Network customers there are in the U.S., how can they not be?–then one branch of Justice is already likely involved: The FBI. Hasn’t Sony already disclosed that it’s working with law enforcement? This isn’t exactly the sort of thing for which you call a local police agency.

The company will soon give all users the option to use Facebook entirely over HTTPS, and recommends they do so if they use public Internet access points. It will also show members social captchas for authentication–where they must identify a few of their Facebook friends’ faces–whenever suspicious activity is detected on an account.

Facebook warned in a blog post that using HTTPS will slow down the site and isn’t compatible with all features, including some externally developed Facebook applications. It will roll out HTTPS access “slowly over the next few weeks” via its settings page, the company said.

Facebook still faces other ongoing security problems, such as spam, virus messages and wall posts. CTO Bret Taylor said yesterday the company had cut platform spam by 95 percent in 2010, but I believe he was referring to notifications and posts from applications, especially social games. Meanwhile, Facebook CEO Mark Zuckerberg’s public fan page was apparently hacked into yesterday and has since been taken down.

Please see the disclosure about Facebook in my ethics statement.

Gawker was told about the flaw in the method it used to store user passwords to its commenting system more than two years before it was hacked, the Guardian’s Charles Arthur reports.

A Gawker user posted a message on Get Satisfaction and received a promise to “improve it,” though no such improvement ever took place.

Well, we know how that turned out. A hacker group called Gnosis gained entry not only to the commenting system, but also to pretty much everything the Gawker team used to run its collection of sites.

Gawker was hacked. Gawker founder Nick Denton apologized. But the damage wasn’t limited to Gawker and its users.

Soon Twitter and LinkedIn were dealing with hacking attacks on their sites. Then Yahoo and World of Warcraft developer Blizzard forced users to change their passwords. And finally the collateral damage reached all the way to the New York Times.

We also learned that many of the people whose passwords were disclosed used simple ones. Topping the list: “123456.” And we all learned a little about the dangers of using the same password everywhere.

No comment yet from Denton, although I’ll certainly update if I hear back from him.

And in case you didn’t pay enough attention to all this, and why it’s not a good idea to share passwords across multiple sites, here’s a great cartoon from XKCD that illustrates the dangers:

I have had a little disagreement with my IT guy. He says that when taking my laptop out in public, I should never type anything with passwords or confidential information. He says that someone can pick up my information. I say that I can’t believe that everyone in public is totally exposed. There must be some way to protect yourself while on a public network. Who is right?

A:

There’s no single correct answer. It’s true that thieves in public places can and do steal passwords and other sensitive information transferred over public Wi-Fi hotspots. But it’s also true that methods like Virtual Private Networks can mitigate this problem, and that most public hotspots are, just by the odds, unlikely to harbor these thieves at any one time. However, my advice is to avoid doing any sensitive tasks, like banking or stock trading, while using public hotspots. And, if you’re doing anything confidential on your company or home network remotely, use a VPN, which is like a secure tunnel through the internet.

Q:

I recently purchased a new iMac and am considering installing anti-virus/spyware/malware programs on it. Reader forums in MacWorld magazine say it’s not needed. A local newspaper computer columnist says he’s had Macs since the early ’80s and has never run an AV program and has had no problems. Other online computer advisers say Macs are always vulnerable and advise to run AV programs. Any recommendations here?

A:

No computer is inherently invulnerable to malicious software, and that includes the Macintosh. However, nearly every malicious program known is meant to run on Windows and simply won’t operate on the Mac operating system. The handful of Mac viruses and other malware that have been discovered are either proofs of concept, or have spread to very few users and done little or no damage. Most Mac users I’ve known don’t run third-party security software and haven’t had malware problems. So I don’t routinely recommend Mac security software.

There are two caveats, however. If you are running Windows on your Mac, you should install Windows security software, to run while Windows is in use. Also, Mac users are just as vulnerable as Windows users are to online scams, or to insecure public networks. So, even though you may never get a virus, you still have to be careful about doing sensitive Internet tasks via public hotspots or careless behavior like clicking on links sent you by unknown email senders.

Q:

My car has an audio jack that integrates any input into the sound system. I know that Kindle has a text-to-speech feature. Would I be able to use that feature via the audio jack in the car?

A:

Without having tested your car’s input jack, I assume the answer is yes. The Kindle has a standard headphone jack.

However, note that the text-to-speech feature works only on certain books, not all of them. Publishers have the right to allow or disallow it for any book.

Also, even if it’s enabled, it isn’t the same as an audio book, which is usually read by a trained narrator or by the author. Instead, it’s a computer doing the reading.

You can find Mossberg’s Mailbox and my other columns at the All Things Digital website, http://walt.allthingsd.com.

One particular highly accessible kind of flash mob, in which local singing groups perform Handel’s “Hallelujah” chorus at shopping malls, has been replicated all over the U.S. and Canada in the last month or so.

Quickly: Flash mobs are traditionally secretly orchestrated performances that play out in public places while bringing a little bit of magic to unsuspecting people in the right place at the right time. If you’ve ever seen those videos of a person breaking into song or dance in a public place, then being joined by hordes of interlopers who somehow know the full routine, you’ve seen a flash mob. (There are also less choreographed variations, like public pillow fights.)

Since flash mobs seem so fun, organic and full of life, they’ve of course been co-opted by marketers who mimic the style right down to camera shots of the surprised and confused onlookers capturing videos of the moment with their own camera phones. But they’ve also recently been adopted by wholesome community groups wanting to spread a little holiday joy. And in many cases, both the performers and the audience know about the event in advance (element of surprise be damned).

One flash mob performance of “Hallelujah” in a Canadian shopping mall, posted on YouTube on Nov. 17, has been seen more than 25 million times. YouTube’s Trends blog recently called it “by far, the most popular video of the season.”

YouTube’s Kevin Allocca also highlighted some 20 other flash mob performances, also of “Hallelujah” and mostly in shopping malls, from Orlando, Cleveland, Chattanooga, Juneau and Winnipeg. Allocca says the meme may actually have been kicked off by the Opera Company of Philadelphia performing “Hallelujah” in a Macy’s as part of the Knight Foundation’s Random Acts of Culture. That video was posted Nov. 1 and has more than six million views.

It’s gotten so bad that on Monday night a mall near Sacramento had to be evacuated after crowds overwhelmed it and the fire department feared for its structural integrity. A planned flash mob by the Sacramento Choral Society and Orchestra and other local congregations had been endorsed by the mall and promoted for weeks, drawing thousands to watch and sing along with their printed-out sheet music.

Would-be flash mobbers broke into impromptu singalongs as they were escorted out of the building and into the parking lot (with their video cameras recording all the while, of course). So apparently spontaneity isn’t dead yet.

Within two days, sites like LinkedIn and later Blizzard Entertainment and Yahoo had advised their users to change their passwords.

The latest company caught up in all this is the New York Times. A little more than an hour ago, the Times sent an email to customers (see below) whose email addresses appeared in a searchable database of compromised Gawker commenting accounts, warning them that if they used the same password on nytimes.com as they did on Gawker, it would be a good idea to change it. There is no evidence of any funny business on the Times’ Web site.

Incidentally, in case you missed it, Gawker’s technology head, Thomas Plunkett, circulated a memo detailing what happened at Gawker and what it plans to do in response to the incident. One thing it will do is offer disposable commenting accounts that users can ditch easily, and for which storing an email address won’t be required.

Here is the email from the Times:

NYTimes.com Wed, Dec 22, 2010 at 5:15 PM
Reply-To: nytdirect@nytimes.com

In case you missed our recent article “Gawker Sites Hacked and Passwords Compromised”
http://nyti.ms/hjNvlY we are writing to inform you that databases belonging to Gawker Media were compromised and hackers obtained more than one million user names, e-mail addresses and passwords.

While there is no evidence of suspicious activity on NYTimes.com we wanted you to know that
the e-mail address you registered with NYTimes.com matches an e-mail address that was on
the list of Gawker e-mail addresses and passwords that were published online.

If you use the same password for NYTimes.com as you did for Gawker, we strongly recommend you change your password. Changing your NYTimes.com password can be accomplished by visiting the Member Center page: http://www.nytimes.com/membercenter. After logging in to your account, click on the ‘change’ button associated with the password field which can be found under the Account Summary heading.

Here’s a Gadgetwise post with tips on developing a good password (in brief: do not make it a real word, keep it long and mix in an unusual combination of letters and numbers).
http://nyti.ms/gGR3kz

Please contact Customer Support at 1-800-698-4637 or e-mail customercare@nytimes.com with any questions.

Have a safe and happy holiday season.

The New York Times Company
620 Eighth Avenue
New York, NY 10018

However, we’re starting to get more information about how the McDonald’s incident appears connected to hacking incidents at other sites. Chicago Business is reporting that the company responsible for McDonald’s email marketing is Silverpop Systems, and that it had been operating under a subcontract from Chicago-based Arc Worldwide.

So who else is a customer of Silverpop? Yesterday I received an email from someone who’s a customer of deviantArt, a social network where artists share their creations. DeviantArt has a base of 13 million users. Got an account there? You’d better change any passwords that overlap with other sites. The site advised customers that their accounts were compromised, and blamed Silverpop.

It could extend much further yet. Silverpop has more than 100 clients, and not all of them are publicly disclosed, though here are a few, found on its client quotes page and its case studies page: Stamps.com, Pitney Bowes/Mapinfo, Encyclopedia Britannica, Santander Consumer Finance and watchmaker Fossil. There’s no word how any of those other companies are affected, if at all.

Silverpop CEO Bill Nussey said in a blog message to customers that the FBI is investigating the incident, and that only a small percentage of Silverpop customers have been affected. He also said that Silverpop was “among several technology providers targeted as part of a broader cyber attack.” Stacy Kirk, a Silverpop spokeswoman, wouldn’t say anything beyond what’s in Nussey’s message.

I’m beginning to wonder if there’s some indirect connection between what happened to Silverpop and what happened to Gawker. I’m speculating here, but it’s no stretch of the imagination that numbering among deviantArt’s 13 million users are some of the 1.5 million people whose accounts were compromised in the Gawkergate affair. And the FBI is investigating both. Thomas Plunkett, Gawker’s technology chief, told me by email that there’s no evidence of a connection. Then again, as Business Insider tells it, he hasn’t yet had his meeting with the FBI.

Maybe I’m looking for connections that aren’t really there, but it’s really not hard to see how the breach at Gawker could turn out be the start of a domino effect that’s much larger than anyone has yet realized. There certainly is a lot of grumbling about changing passwords today.

If you know more more about any of this, get in touch!

Below is the email to deviantArt users.

From: deviantART.com (address deleted)
Date: Mon, Dec 13, 2010 at 5:54 AM
Subject: RE: Email Notice

Silverpop Systems, Inc., a leading marketing company that sends email messages for its clients, told us that information was taken from its servers. This was probably part of a sweep by spammers. As a result, email addresses belonging to deviantART members were copied. Corresponding usernames and birth date may also have been removed.

We can assure you that nothing occurred on our systems with respect to this incident and no access was gained to private information on deviantART’s servers.

As a member of deviantART, you certainly have a right to know when an incident of this kind occurs. Unfortunately spammers are an unavoidable part of living on the Web.

The likely result of this event might be an increase in spam to your email. Experts have told us that there is an increase in email scams out there on the Internet and you should be cautious. Only click links or download attachments from people you know, particularly if they ask for personal information, and be sure that your email service provider has adequate spam filters.

Because we value the information that members give us, we have decided not to rely on the services of Silverpop in the future and their servers will no longer hold any data from us.

Yahoo spokeswoman Dana Lengkeek just emailed a statement saying that some Yahoo users were required to reset their passwords. “As part of our ongoing security measures we issued a password reset to some users. Yahoo! does this periodically to ensure the security of users.” She didn’t specify whether or not this was in direct response to the Gawker incident, but it’s not hard to conclude that it was, given the timing. I’ll update if Yahoo says anything further.

I have a Yahoo account and was required to change my password today, and yes, I also had a Gawker commenting account, so at this point it’s safe to say they certainly seem connected.

Meanwhile, Blizzard Entertainment (developer of World of Warcraft and provider of the Battle.net gaming service) was abundantly clear about the connection in an email to its customers. “We’ve recently been informed that several Gawker Media websites have been compromised…To help minimize the effects of this compromise and help keep your Battle.net account safe and secure, we’ve reset your account password,” it said.

Other Web incidents–perhaps connected to Gawkergate, perhaps not–have occurred during the past few days as well. For instance, McDonald’s disclosed that a database containing email address and birthdates of people who had signed up to receive promotions was compromised. It notified those customers on Monday. Again, it’s not clear what connection, if any, there may be to the Gawker incident, but the timing certainly makes it seem possible. I’ve asked McDonald’s for a comment and will update if I get one.

In another incident, drugstore chain Walgreens disclosed on Friday that a database of email address belonging to its customers had been breached. Given the timing–the Gawker incident happened over the weekend–it’s probably not connected, though it’s hard to be sure, as the folks at Anonymous Gnosis, the group that attacked the Gawker sites, say they’ve had access to the database for about a month. I’ve asked a Walgreens spokesman for a comment, and as with all the other cases above will update if I hear back.

This comes on top of other related forced password changes at Twitter and LinkedIn, as my colleague Peter Kafka reported earlier today.

Meanwhile, our friends at Digits have a fascinating graphic on the Top 50 passwords used on Gawker. Topping the list: “123456,” “password” and “12345678.” The two lessons in all this? Make your passwords complex, and don’t use the same password for multiple sites.

On Sunday night, hackers posted online a trove of data from Gawker Media’s servers, including the usernames, email addresses and passwords of more than one million registered users. The passwords were originally encrypted, but 188,279 of them were decoded and made public as part of the hack. Using that dataset, we found the 50 most-popular Gawker Media passwords.

How do Gawker Media users express themselves when no one is watching? While many of their passwords are common phrases like “qwerty,” others appear distinctive to the Gawker community. Where else would “f—you,” “blahblah” and “whatever” rank among the most popular passwords? And why, oh why, is “monkey” in the top 10?

Read the rest of this post on the original site

The hole stems from the app’s failure to confirm the authenticity of PayPal’s website when communicating over the Internet–a basic lapse that the security researcher who found the flaw said would allow someone to intercept passwords from unsuspecting users.

PayPal spokeswoman Amanda Pires said the eBay Inc. unit verified the vulnerability Tuesday night and has fixed the problem after being notified by The Wall Street Journal. PayPal sent the fixed version of the app to Apple Inc.’s App Store. “To my knowledge it has not affected anybody,” Ms. Pires said. “We’ve never had an issue with our app until now.”

A hacker would need skill and luck to make use of the vulnerability, which only affects users of the iPhone app connecting over unsecured Wi-Fi networks. It doesn’t affect the company’s Android app or users of the PayPal.com website.

Read the rest of this post on the original site

Google earlier this year said that the camera-equipped cars it uses to mark the location of wireless networks and take pictures for its Street View service had for years inadvertently collected data from publicly accessible wireless networks. Google initially said that no significant personal data was collected, but last month admitted that emails and passwords had also been copied.

On Wednesday, U.K. Information Commissioner Christopher Graham, the regulator in charge of data protection, issued a statement saying that, as a result of the “significant breach” of law, his office would audit Google’s data-protection practices in the U.K. and ask the Mountain View, Calif., company to sign an official commitment affirming that such breaches wouldn’t occur again. The U.K. regulator had earlier found that Google didn’t collect meaningful personal details.

Read the rest of this post on the original site

“Google’s alarming admission last week–confirming it collected entire emails and passwords–only heightened our concerns about how and why this data was collected,” Blumenthal said, adding that he’d rather not “rely on Google’s explanations and assurances…to confirm the facts about how this happened and how consumers will be protected going forward.”

A wise move, I think, particularly given the way Google’s narrative for this particular cock-up has evolved over the past few months, from an outright denial in April to a backpedaling, embarrassing admission in May and finally an apology in October.

In April, an outright denial:

Writing in Google’s European Public Policy blog, Peter Fleischer, the company’s global privacy counsel, denies there was a privacy issue with Google’s Wi-Fi data collection practices. “Google does not store or collect payload data,” he says.

Google product manager Raphael Leiteritz reiterates this assertion in the company’s Submission to Data Protection Authorities that same day. “All data payload from data frames are discarded, so Google never collects the content of any communications,” he writes.

In an interview with the New York Times a few days later, Google spokesman Kay Oberbeck dismisses the privacy concerns of German officials, saying: “What we are doing is totally legal and is being done by other companies around the world….We did not mention the WLAN project during our discussions with data protection officials because it is not related to Street View.”

In May, an embarrassing admission…

Writing in Google’s official blog two weeks later, Google SVP Alan Eustace reveals that the company actually had been collecting payload data. “It’s now clear that we have been mistakenly collecting samples of payload data from open (i.e., non-password-protected) Wi-Fi networks,” he explains. “So how did this happen? Quite simply, it was a mistake.” Then there was this from Peter Barron, Google’s director of communications for Northern and Central Europe: “We didn’t want to collect this data in the first place and we would like to destroy it as soon as possible.”

…followed by some aggressive damage control and a downplaying of the issue:

Speaking at Google’s annual Zeitgeist Europe forum, Google CEO Eric Schmidt describes the payload data collected as inconsequential and excuses the company for its misstep, saying, “There was no harm, no foul.”

In June, an unsettling hypothesis:

Apologizing for the company’s mistaken collection of user data, a Google New Zealand spokesperson tells the Otago Daily Times that the information the company’s Street View cars intercepted might not have been as inconsequential as Schmidt claimed. “Our in-car WiFi equipment automatically changes channels five times a second,” she says. “That said, it’s possible that the fragments of data we collected could contain entire emails or other content if a user broadcast personal information over an open network at that moment.”

In October, some hard evidence, another embarrassing admission and a change of tack…

A few months pass, and then a Canadian Privacy Commissioner’s investigation reveals “that Google did capture personal information–and, in some cases, highly sensitive personal information such as complete emails.” Interestingly, in its report on the matter, the Canadian Privacy Commissioner’s office notes that while Google “does not intend to resume collection of Wi-Fi data through its Street View cars…[it does intend to] rely on its users’ handsets to collect the information on the location of Wi-Fi networks that it needs for its location-based services database.”

And then the Schmidtstorm:

Appearing on CNN’s “Parker Spitzer,” Google CEO Schmidt cavalierly suggests that folks worried about Google Street View invading their privacy should “just move.” Ironically, he says this on the very day that Google admits those cars captured more than just fragments of personal payload data and says it is “mortified by what happened.”

Schmidt apologizes for his remark the next day:

“As you can see from the unedited interview, my comments were made during a fairly long back and forth on privacy,” he says. “I clearly misspoke. If you are worried about Street View and want your house removed please contact Google and we will remove it.”

And a day later the FTC announces that it has concluded its inquiry into Google Street View, saying the improvements Google has made to its internal privacy practices have alleviated its concerns for consumer safety.

Meanwhile, Blumenthal’s investigation continues.

“It’s still too early to say what will happen as a result of this investigation,” the CNIL said. “However, we can already state that…Google did indeed record e-mail access passwords [and] extracts of the content of e-mail messages.”

Now, recording passwords and extracting them are two entirely different matters, and there’s no evidence of the latter. That said, this is still an unfortunate revelation for Google (GOOG), which has sought to downplay the implications of the breach by portraying it as a mistake and the data collected as inconsequential. Indeed, last month CEO Eric Schmidt excused the company for its misstep, saying, “There was no harm, no foul.”

No harm, perhaps, but there was certainly a foul–particularly since it now appears the data collected may have been protected by privacy laws.

Ironically, such data collection is a non-issue for all who actually heed the universal advice to secure their Wi-Fi networks–advice that comes in the documentation of every router and advice that Google itself gives the customers of Google WiFi. The FAQ for the service states: “In order to make our service easily accessible to a large number of WiFi-enabled devices, Google WiFi is an open-access wireless network, and our signal is not encrypted. However, users can achieve a secure connection by using GoogleWiFiSecure if their device supports WPA, WPA2 or 802.1x protocols (most laptops do)….As with any wireless network, users should take certain precautions to secure their online experience from security violations by third parties or unintentional security breaches.”

Plainly, Google feels its transgression falls into the latter category–not illegal, but an unintentional intrusion. As Google’s director of public policy, Pablo Chavez, wrote in a recent letter to the House Energy and Commerce Committee, “As an initial matter, collection of network information broadcast by WiFi routers (such as SSID and MAC address) is used to improve location-based services and is a lawful, established business practice….We believe it does not violate U.S. law to collect payload data from networks that are configured to be openly accessible (i.e., not secured by encryption and thus accessible by any user’s device). We emphasize that being lawful and being the right thing to do are two different things, and that collecting payload data was a mistake for which we are profoundly sorry.”

The micro-blogging service disclosed in a notice to developers late Tuesday that an unidentified person had been creating so-called “torrent” sites and forums for “a number of years” with the sole purpose of getting users to input user names and passwords the person could use to gain access to Twitter accounts.

The person “waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up,” the notice stated.

Torrent sites are those that allow users to search for files sent through file-sharing service BitTorrent. Twitter didn’t identify any specific sites and forums it believes to be gathering the data.

Read the rest of this post on the original site

“We actually did an evil scale and decided not to serve at all was worse evil.”

– Google CEO Eric Schmidt on the company’s decision to offer a censored version of its search services in China, Jan. 30, 2006

Evidently Google is taking its informal “don’t be evil motto” a bit more seriously these days. The search sovereign threatened late Tuesday to pull out of its operations in China after detecting a “highly sophisticated and targeted attack on [its] corporate infrastructure originating from China.” Targeted in the assault: The Gmail accounts of Chinese human rights activists.

“These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China,” Google’s chief legal officer, David Drummond, wrote in a post to the company blog.

“We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all,” Drummond added. “We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.”

Shut down Google.cn, and potentially our offices in China? Hmm. What’s the Chinese word for “Bing”?

Drummond didn’t directly accuse the Chinese government of orchestrating the incursion, but he certainly seems to be implying there’s a link. And you’d think one would have to exist for Google (GOOG) to threaten pull out of a country that has more Internet users than the total population of the U.S.–even if its efforts to gain market share there haven’t met with the same success as in the rest of the world.

It’s tough to stake your claim in a country where the government favors the local rival and blocks your traffic if you fail to censor. Baidu’s share of the Chinese search market in the third quarter was 77 percent, up from 75.6 percent. Google’s share for the same period? Just 17 percent, down from 19 percent.

So, to some extent, Google can probably threaten to leave China because the country accounts for such a small portion of its revenue. On the other hand, China leads the world in Internet users and presents a hell of a market opportunity–large enough that Google willingly provided a censored version of its services as a prerequisite for doing business there. Or, rather, it used to.

At $395.50 Baidu shares are up more than two percent after hours on the news. Google shares are down 1.6 percent at $581.01.

Drummond’s post in full, below, as well as another on the safety of data on Google by Dave Girouard, President of Google Enterprise:

A new approach to China

Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.

First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users’ computers.

We have already used information gained from this attack to make infrastructure and architectural improvements that enhance security for Google and for our users. In terms of individual users, we would advise people to deploy reputable anti-virus and anti-spyware programs on their computers, to install patches for their operating systems and to update their web browsers. Always be cautious when clicking on links appearing in instant messages and emails, or when asked to share personal information like passwords online. You can read more here about our cyber-security recommendations.

We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech. In the last two decades, China’s economic reform programs and its citizens’ entrepreneurial flair have lifted hundreds of millions of Chinese people out of poverty. Indeed, this great nation is at the heart of much economic progress and development in the world today.

We launched Google.cn in January 2006 in the belief that the benefits of increased access to information for people in China and a more open Internet outweighed our discomfort in agreeing to censor some results. At the time we made clear that “we will carefully monitor conditions in China, including new laws and other restrictions on our services. If we determine that we are unable to achieve the objectives outlined we will not hesitate to reconsider our approach to China.”

These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.

Keeping your data safe

Many corporations and consumers regularly come under cyber attack, and Google is no exception. We recently detected a cyber attack targeting our infrastructure and that of at least 20 other publicly listed companies. This incident was particularly notable for its high degree of sophistication. We believe Google Apps and related customer data were not affected by this incident. Please read more about our public response on the Official Google Blog.

This attack may understandably raise some questions, so we wanted to take this opportunity to share some additional information and assure you that Google is introducing additional security measures to help ensure the safety of your data.

This was not an assault on cloud computing. It was an attack on the technology infrastructure of major corporations in sectors as diverse as finance, technology, media, and chemical. The route the attackers used was malicious software used to infect personal computers. Any computer connected to the Internet can fall victim to such attacks. While some intellectual property on our corporate network was compromised, we believe our customer cloud-based data remains secure.

While any company can be subject to such an attack, those who use our cloud services benefit from our data security capabilities. At Google, we invest massive amounts of time and money in security. Nothing is more important to us. Our response to this attack shows that we are dedicated to protecting the businesses and users who have entrusted us with their sensitive email and document information. We are telling you this because we are committed to transparency, accountability, and maintaining your trust.

As far as I know, no one can steal my identity. Even if my bank account number, my credit card number and all my passwords are stolen, I am fairly confident that I will still be me and the thief will be a different person.

Yes, the criminal will be masquerading as me. But anyone who knows me–my husband, my children, my colleagues, my doorman, my employer–will not be fooled. If “I” was actually stolen, I believe that would be called a kidnapping.

The entities that would be fooled by a masquerader are ones that don’t really know me: my bank, my credit card company, places where I do online or offline shopping. Maybe they should have done a better job figuring out who I was before parting with my money or their goods.

Read the rest of this post on the original site

Other couples, meanwhile, share their passwords or even their accounts and email addresses. “If your bank accounts are common, why not your Twitter and Facebook accounts?” said one man in the article.

Read the rest of this post on the original site