For one thing, it’s just dumb. It makes it easier for anyone to make a guess and take your account for a spin. Or perhaps, as was the most recent case, you’ll get cracked by a big scary hacker attack.

That’s what’s up with a slew of blogs on Friday evening, as one or more hackers used a “botnet” — basically a creepy name for a network of automated programs — to try to access WordPress-hosted sites by attacking the lowest common denominator: Sites that use “admin” as the login name, paired with a list of the most commonly used passwords.

The brunt of the attack began last week, according to Sean Valant of HostGator, an online hosting service for Web sites. After dying off for a bit, the attack picked back up again Thursday morning, and has received some attention from Web hosts and security companies around the net.

Some, like Web security services company CloudFlare, are ringing the alarm bells (while simultaneously promoting the company’s own security services ). Which is fair, I guess. If you’re someone potentially at risk and unaware, CloudFlare could be helping you out by sounding the alert.

But I’d say it’s simpler than downloading extra protections or signing up for CloudFlare’s security plan: Just don’t use absurdly stupid usernames and passwords. Hackers go after the low-hanging fruit, which is most often found in the novice Web users who don’t take the time to switch from their default log-in information.

“Here’s what I would recommend: If you still use ‘admin’ as a username on your blog, change it; use a strong password; if you’re on WP.com, turn on two-factor authentication; and of course make sure you’re up-to-date on the latest version of WordPress,” Matt Mullenweg, founding developer of WordPress and Automattic, wrote on his blog. “Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem.”

Completely basic password security is as simple as that. So please, do us all a favor and change your log-in data if it’s something easily guessed. It’ll save you — and everyone else — a huge headache.

Twitter just published a statement today that it “unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised.”

Read the rest of this post on the original site »

Google Inc. earlier this year refused to unlock an alleged pimp’s cellphone powered by its Android software — even after the Federal Bureau of Investigation obtained a search warrant.

Read the rest of this post on the original site »

Shutterstock/Péter Gudella

The breach of Yahoo’s servers was supposedly the work of a group of hackers that called itself the D33D Company, saying in a post that the action was meant to wake up Yahoo’s computer security team and not for malicious purposes.

As data breaches go, the number of accounts compromised wasn’t that large. Earlier this summer, LinkedIn suffered a breach that compromised the passwords of some six million of its customers.

In LinkedIn’s case, the passwords were stored in a marginally scrambled state — not strongly encrypted as they should have been, but in a mixed-up state, using an old, easy-to-break hashing technique known as MD5.

In the case of Yahoo, the passwords are said to have been stored in raw plaintext, which anyone with even the slightest bit of training in IT security knows is a no-no. If that is indeed how these passwords were stored, then Yahoo has some explaining to do.

The attack itself seems to have been carried out using a favorite old hacker technique known as an SQL injection. Basically, a Web application sitting on top of a database is tricked into serving up information because it hasn’t been told not to answer queries for it.

In this case, according to Kyle Adams, chief security architect for Mykonos Software, a unit of Juniper Networks, the attack was a variant of SQL injection known as a Union Based attack, in which the database hands over hundreds of passwords in a single go. Since it only takes a small number of requests to yield a lot of information, they’re hard to detect.

Yahoo is in damage-control mode. It said in a statement that it “takes security very seriously,” and pointed out that fewer than 5 percent of the Yahoo accounts involved had valid passwords. If that’s the case, then there’s a good chance that many of the passwords its database handed over are expired. Also, there’s no mention of the email addresses and passwords being stored in plaintext, but I doubt there will be. Here’s Yahoo’s full statement:

“At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company users names and passwords was compromised yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to all affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.”

As you can imagine, security research companies are running fast and furiously to analyze the attack and the data that’s been published so far. I got one interesting file from the people at Rapid7, with whom I talk from time to time. Large numbers are usually an abstraction. If someone says a half-million accounts have been compromised, you can imagine the scale, but it’s harder to get your head around how many people’s accounts may actually be involved.

Rapid7′s researchers put together a file with the number of domains seen in email addresses of the compromised accounts: There are 35,000 of them. Below is a list of the top 100 or so which had at least 100 addresses appear in the list. The number to the left is the number of accounts from the given domain. For context: If what Yahoo says is true and only 5 percent of the Yahoo accounts on this list were paired with still-current passwords, then that works out to 6,878 Yahoo accounts compromised. If that rate remains consistent across the entire list, then we’re talking a total of about 23,000 accounts.

Rapid7 also shared with me the most common passwords seen in the file taken in the breach. The most common among them? 123456. Yes. Really. The list of passwords, including the number of each found in the list, is after the list of domains.

137,559 yahoo.com
106,873 gmail.com
55,148 hotmail.com
25,521 aol.com
8,536 comcast.net
6,395 msn.com
5,193 sbcglobal.net
4,313 live.com
3,029 verizon.net
2,847 bellsouth.net
2,260 cox.net
2,133 yahoo.co.in
2,077 ymail.com
2,028 hotmail.co.uk
1,943 earthlink.net
1,828 yahoo.co.uk
1,611 aim.com
1,436 charter.net
1,372 att.net
1,146 mac.com
1,131 rediffmail.com
1,124 googlemail.com
1,053 rocketmail.com
928 juno.com
853 optonline.net
810 yahoo.ca
572 peoplepc.com
546 mail.com
536 excite.com
453 netzero.com
433 netzero.net
419 embarqmail.com
400 yahoo.co.id
367 live.co.uk
344 insightbb.com
342 shaw.ca
339 windstream.net
336 inbox.com
336 btinternet.com
322 tampabay.rr.com
321 lycos.com
316 mchsi.com
313 yahoo.com.au
307 netscape.net
302 roadrunner.com
299 gmx.com
298 myway.com
287 yahoo.fr
273 rogers.com
273 cfl.rr.com
268 me.com
255 yahoo.com.ph
252 associatedcontent.com
251 frontiernet.net
245 sympatico.ca
243 adelphia.net
236 centurytel.net
217 live.ca
206 email.com
202 163.com
201 suddenlink.net
200 cableone.net
180 hughes.net
177 abv.bg
176 mindspring.com
174 yahoo.com.sg
173 yahoo.in
169 bigpond.com
168 ntlworld.com
168 ac.com
161 us.army.mil
161 nc.rr.com
160 mail.ru
154 tmail.com
152 yahoo.com.my
152 in.com
149 usa.com
146 telus.net
144 yahoo.cn
140 tds.net
139 prodigy.net
134 q.com
130 netscape.com
128 optusnet.com.au
126 qq.com
126 126.com
125 cs.com
124 yahoo.com.cn
123 rock.com
122 wi.rr.com
119 alltel.net
114 fuse.net
114 carolina.rr.com
112 wowway.com
110 rochester.rr.com
110 pacbell.net
109 tx.rr.com
109 austin.rr.com
108 triad.rr.com
107 wmconnect.com
103 ptd.net
101 msu.edu
100 woh.rr.com
99 nyu.edu

123456␣ 1667
password – 780
welcome - 437
ninja - 333
abc123 – 250
123456789 - 222
12345678 - 208
sunshine – 205
princess – 202
qwerty – 172
writer – 164
monkey – 162
freedom – 161
111111 – 160
michael – 160
iloveyou – 140
password1 – 139
shadow – 134
baseball – 133
tigger – 132
1a1a1a1b – 131
success – 126
blackhatworld – 121
jordan – 111
whatever – 110
michelle – 109
dragon – 107
superman – 106
purple – 106
1234567 - 106
ashley – 103
123123 – 101
associated – 101
babygirl – 100
ginger – 100
maggie – 99
0 – 98
computer – 98
trustno1 – 95
cookie – 93
football – 93
blessed – 92
jasmine – 92
samantha – 91
pepper – 90
charlie – 90
nicole – 88
justin – 88
654321 – 88

LinkedIn said in a blog post over the weekend that it had received no reports that member accounts were breached as a result of the stolen passwords.

Read the rest of this post on the original site »

Shutterstock/Péter Gudella

Passwords are having a very bad week. First came word that more than 6 million passwords belonging to LinkedIn users were compromised in an attack. Today, the social music service Last.fm confirmed its password files have been compromised. Dating site eHarmony suffered another breach of its password files.

There aren’t many technical details about how the breaches were carried out. LinkedIn has confirmed the breach but has offered no details on what happened.

The fundamental problem is simple: Passwords have to be stored somewhere in order for them to be useful. They’re usually stored in a scrambled form using a mathematical function called a “hash” to make them difficult obtain. One hash algorithm that has been in use for almost two decades is called MD5, and you can see it in action here. When I type in the phrase “the rain in spain falls mainly on the plain,” I get back the string of text: 262aac1a988ef3be5b01d1a565cc5acb.

The problem with hash codes is that with the increase in computing power, it’s increasingly easy to take that long string of letters and numbers and convert it back into text. If you like, you can cut and paste the string above and plug it into this free MD5 hash-cracking site and see what I mean (make sure you don’t include the period). You should get the original text as your result.

As hash algorithms go, MD5 is pretty old. It dates to about 1995, and as such has been declared “no longer safe” by its creator. Other stronger hash algorithms have emerged. One called SHA-1, created by the National Security Agency, takes my phrase from the MD5 example and turns back this longer, presumably harder to break string: 9a73724fb8bcb23447453be5a02c48bad5be02bf. No such luck. The Hash Cracker site makes equally short work of it.

The problem is that processing power has reached a point where it’s a lot easier to crack hash algorithms. Getting the actual plain text password out of the hash string is basically a complex math problem. And as we’ve seen, ever more powerful computers are able to make ever shorter work out of cracking them.

So what’s the answer? One approach I’ve thought about and actually put into practice with some of the sites that I use is two-factor authentication. Google has made this an option on its Google Apps service, and I’ve enabled it there and also on my personal Gmail account.

Two factor authentication works like this: You have a password — one that should be long and complicated and hard to guess, but also somehow easy to remember. Then once you’ve entered it correctly, you get prompted to enter a second code, maybe a string of four to six numbers. Where do these numbers come from?

They’re generated every 30 seconds or so on a smart phone. I have Google’s Authenticator App running on my iPhone and, every thirty seconds, it generates new numbers for each Google account I have. I enter that number before it expires and get access to my account. And while it adds a step and thus a tad of inconvenience, only I will have that number. I can also allow the number to be good for 30 days for each computer that I use, and so limit the number of times I have to jump through that hoop.

Two-factor authentication isn’t perfect. RSA Security — which makes its own widely used two-factor security system — was attacked last year, and the target appeared to be the algorithm it uses to generate those numbers. If an algorithm is compromised it can allow the entire system to be broken.

With so many of us carrying smartphones, which are essentially handheld-computers, there’s almost no excuse for not kicking up the security of popular Web sites by a notch or two. If most popular Web sites that use any kind of sensitive information (LinkedIn and Facebook, I’m looking at you) were to implement two-factor as an option — not a requirement — there would be at least two very easy and positive results. First, it would make the work of compromising a Web account all the more difficult. Even if your initial password is “password” you would still need a second set of impossible-to-guess, always-changing numbers to get access.

Finally, it would put some responsibility for security in the hands of users. And that’s a good thing, too.

It seems likely that LinkedIn has suffered a breach of millions of user passwords, but the company says it hasn’t been able to confirm that’s the case — even some eight hours after it first came to light.

Following widespread reports today that 6.5 million unique passwords had been published online by a Russian hacker, LinkedIn is now adding its official voice to the chorus of people telling users to change their passwords. While it has so many eyes watching its blog and Twitter account for updates, the company just now told users to choose strong, unique passwords and to change them regularly.

The passwords were originally posted two days ago, but news of their ties to LinkedIn looks to have first come out about eight hours ago in a Norwegian paper.

There are two main indicators that the passwords are from LinkedIn: First, thousands of them contain the word “Link” or “LinkedIn”; second, many people — including security researchers — have tweeted or blogged that they have found their own unique LinkedIn passwords in the batch.

The data dump also included about 1.5 million passwords that similarly indicate they may be from eHarmony.

It is reportedly likely that the list was focused on particularly strong passwords that the hacker wanted help with cracking.

The LinkedIn passwords were guarded only with simple “unsalted” hashing called SHA-1, which security experts say is a weak defense.

News of the likely password breach came after concern yesterday about LinkedIn’s new iPhone app feature that sends calendar information to its servers. That’s a less-serious concern, as the opt-in feature is explicitly about matching calendar items with LinkedIn profile data. However, LinkedIn made some modifications today to address user concerns.

After those national headlines, Capitol Hill is finally listening. Representatives Eliot Engel (D., N.Y.) and Jan Schakowsky (D., Ill.) introduced “The Social Networking Online Protection Act” to the House on Friday, a bill that would prohibit employers from asking candidates for their social networking passwords.

“No one would feel comfortable going to a public place and giving out their username and passwords to total strangers,” Rep. Engel said in a statement provided to The Hill. “They should not be required to do so at work, at school, or while trying to obtain work or an education.”

If the bill were to pass, employers or school and university admittance boards could be fined up to $10,000 for a violation.

The issue first exploded after the AP pointed to statistician Justin Bassett’s account of the questionable practice last month, spurring lawmakers such as Senators Charles Schumer (D., N.Y.) and Richard Blumenthal (D., Conn.) to call on the Justice Department for an investigation.

But public concern waned after AP reporter Manuel Valdes admitted his evidence was mostly anecdotal and the practice “doesn’t seem to be widespread.”

Even if the hubbub was a bunch of sound and fury, the bill still has a long road to go before hitting President Barack Obama’s desk. There are still rounds of committee hearings, getting it through the floor of the House and the Senate and getting the two sides of the legislature to agree on a final version before sending it to the White House.

And none of those are easy feats.

Facebook isn’t commenting on this bill in particular, but it’s safe to assume the company will support its passage.

Soon after the AP published its initial story, Facebook made it a Terms of Service violation for anyone to share or solicit Facebook passwords. And when Maryland became the first state to pass a similar bill earlier this month, Facebook commended the legislature on the move, although Governor Martin O’Malley hasn’t signed it quite yet.

There’s no telling the exact timeline — so to speak — on moving the bill through Congress, but my guess is it won’t be speedy.

So here’s a plea: if you have anything to do with security in a distro, and think that my kids (replace “my kids” with “sales people on the road” if you think your main customers are businesses) need to have the root password to access some wireless network, or to be able to print out a paper, or to change the date-and-time settings, please just kill yourself now. The world will be a better place.

– Linus Torvalds’s rant on Google+ about his negative experience with openSUSE on his MacBook Air, after his daughter was was asked for a root password in order to print from the machine

Using seven passwords stolen from top Nortel executives, including the chief executive, the hackers — who appeared to be working in China — penetrated Nortel’s computers at least as far back as 2000 and over the years downloaded technical papers, research-and-development reports, business plans, employee emails and other documents, according to Brian Shields, a former 19-year Nortel veteran who led an internal investigation.

Read the rest of this post on the original site »

One example is the annual tech prediction by analyst Mark Anderson, which I wrote about last week. Another is IBM’s recurring “Five in Five” series, wherein Big Blue looks at the unfolding technology landscape and predicts what innovations are still just this side of “gee whiz” today, but will be commonplace within five years.

Think back to what we were doing in 2006, and how far things have come in that short period of time in terms of consumer and enterprise technology. The iPhone existed only as an Apple prototype. Facebook had just opened itself up to the population at large, beyond just college and university students. Twitter was just getting started. And a tablet was a not-terribly-popular PC design.

As you’ll see, some of these five predictions aren’t exactly mind-blowing, especially if you pay attention to general technology trends. Over the past decade, you’ve probably already heard predictions saying that computer passwords will go away and be replaced by biometrics of some kind, whether in the form of fingerprints or voice authorization or some part of your eyeball. Also: Junk mail I actually want? That one I’ll believe when I see it. However, I really like the “think to call” idea, which sounds like a super speed-dial.

Anyhow, here are IBM’s predictions for stuff we’ll see by 2016, and a video explaining them in a little more detail:

You will make your own energy: Anything that moves has the potential to create energy. Your running shoes, your bicycle and even the water flowing through your pipes can create energy. Advances in renewable energy technology will allow individuals and scientists to collect this energy and use it to help power our homes, offices and cities.

You will not need a password: Your biological makeup is the key to your individual identity, and soon, it will become the key to safeguarding it. Each person’s unique biometric data such as facial definitions, retinol scans and voice files will be composited through software to build your DNA-unique online password. You will be able to log into your mobile phone or have access to an ATM machine by simply speaking your name or looking into a camera.

Mind reading is no longer science fiction: Scientists are researching how to link your brain to your devices, such as a computer or a smartphone, so you just need to think about calling someone and it happens. Scientists have designed headsets with advanced sensors to read electrical brain activity that can recognize facial expressions, excitement and concentration levels, and thoughts of a person without them physically doing anything.

The digital divide will cease to exist: In five years, the gap between information haves and have-nots will narrow considerably due to advances in mobile technology. Growing communities will be able to use mobile technology to provide access to essential information and better serve people with new solutions such as mobile commerce and remote healthcare.

Junk mail will become priority mail: Think about how often we’re flooded with advertisements we consider to be irrelevant or unwanted — it doesn’t have to be that way anymore. In five years, unsolicited advertisements may feel so personalized and relevant it may seem spam is dead. Systems will be able to filter and find only the data that’s important and relevant to you and will bring you the information without you having to ask for it.

It’s been more than 30 years since my favorite American bard, John Prine, sang that lyric, and it came to mind as I sat down today to meet with Brian David Johnson, who is, to my recollection, the first person I’ve ever known to carry the job title “futurist.” And yes, it sounds a little specious, until you find out he works as a futurist for the chipmaker Intel, which certainly has a long-term strategic interest in anticipating the demands of the future well before they happen.

Johnson was a guest today on The Wall Street Journal’s “Digits” program, which I co-hosted with the Journal’s affable Simon Constable. Johnson is in New York to speak at Comic Con about Intel’s Tomorrow Project, which aims to ask honestly what computing may be like 15 or 20 years from now — and the implications for our daily lives.

Think back to 1996 and you probably had some idea of what 2011 would be like. But did you really? You may have had a cellphone, but would you have imagined how much of your daily life would be punctuated by its use, beyond making phone calls? If you were to zap back in time and have a conversation with the 1996 you about life in 2011, you’d probably have to rely on science fiction to get the point across. “You know the communicator and tricorder from ‘Star Trek’? Yeah, we basically have those. We call them smartphones, and they’re kind of a big deal,” the 2011 you might say. “And they’re also the talking computers from ‘Star Trek.’ And you won’t believe who makes them.”

Science fiction makes it possible, Johnson says, to have a conversation about the future, by giving us the metaphors we need to figure out what we want and don’t want to happen. Hence “The Tomorrow Project Anthology,” a collection of short stories set in the future, imagining plausible situations emerging from science fact of today. One volume of the anthology was published earlier this year, and a new one is out now.

What happens, on some hypothetical day in the future, when passwords are easily and readily hackable and all our personal information is more or less available for all the world to see and take and use? That’s what the writer Cory Doctorow asks in his story, “The Knights of the Rainbow Table,” which appears in the new volume.

So these are some of the things that Simon and I talked about with Johnson in today’s closing segment on “Digits,” which you can see below. Enjoy.

*Lyrics from “Living in the Future,” by John Prine, from the 1980 album “Storm Windows.”

Yes, System Administrator Appreciation Day exists and has since about 2002. Naturally, the folks in Google’s Enterprise division, the people who bring you Google Apps, have something to say about it.

Google Apps, you see, are all about making the lives of sysadmins easier or more productive so they can focus on more important things than the mundane task of resetting passwords. It also frees them to come up with silly dances in response to the occasional Google April Fool’s prank. If I were a sysadmin, I’d rather have the cake, but that’s just me.

Anyway, to all you system administrators out there: Happy System Administrators Appreciation Day!

(Image from Wikipedia.)

Google, which has blamed China for a previous attack on the company’s computer networks, said its security and abuse detection systems recently discovered that users of its popular Gmail service had fallen for what are called “phishing scams.” Such exploits trick users into sharing their passwords, and that the campaign “appears to originate from Jinan, China” and targeted specific individuals.

Read the rest of this post on the original site »

Sony says that the credit card data associated with the accounts was encrypted, though there are anecdotal reports of credit card fraud occurring coincidental with the timing of the breach.

On top of that, regulators in places as varied as Connecticut and the U.K. and Ireland are demanding information, often the first step in investigations that lead to lawsuits. The office of Ireland’s data protection commissioner (cool title) says it wants a full report on the incident by the end of the week. The U.K.’s Information Commissioner’s Office is investigating. Perhaps Sony’s one lucky draw in all this, as Parmy Olson of Forbes notes, is that it won’t have to face the full fury of the European Union because authority for data privacy issues are reserved to individual member countries.

Meanwhile, the attorneys general of several U.S. states are starting to rumble, starting with Connecticut’s George Jepson, who said he is launching an investigation, while his counterparts in Missouri and Iowa are making the kind of public statements that are often a precursor to investigations of their own. A few lawmakers in Congress are tsk-ing disapprovingly too, mulling hearings and new legislation. Below is an appearance on CNBC by Sen. Richard Blumenthal, D-Conn., suggesting that the Department of Justice should launch its own investigation.

Thanks, Senator. However, my guess is that if the systems compromised are in the U.S.–and given the number of PlayStation Network customers there are in the U.S., how can they not be?–then one branch of Justice is already likely involved: The FBI. Hasn’t Sony already disclosed that it’s working with law enforcement? This isn’t exactly the sort of thing for which you call a local police agency.

The company will soon give all users the option to use Facebook entirely over HTTPS, and recommends they do so if they use public Internet access points. It will also show members social captchas for authentication–where they must identify a few of their Facebook friends’ faces–whenever suspicious activity is detected on an account.

Facebook warned in a blog post that using HTTPS will slow down the site and isn’t compatible with all features, including some externally developed Facebook applications. It will roll out HTTPS access “slowly over the next few weeks” via its settings page, the company said.

Facebook still faces other ongoing security problems, such as spam, virus messages and wall posts. CTO Bret Taylor said yesterday the company had cut platform spam by 95 percent in 2010, but I believe he was referring to notifications and posts from applications, especially social games. Meanwhile, Facebook CEO Mark Zuckerberg’s public fan page was apparently hacked into yesterday and has since been taken down.

Please see the disclosure about Facebook in my ethics statement.

Gawker was told about the flaw in the method it used to store user passwords to its commenting system more than two years before it was hacked, the Guardian’s Charles Arthur reports.

A Gawker user posted a message on Get Satisfaction and received a promise to “improve it,” though no such improvement ever took place.

Well, we know how that turned out. A hacker group called Gnosis gained entry not only to the commenting system, but also to pretty much everything the Gawker team used to run its collection of sites.

Gawker was hacked. Gawker founder Nick Denton apologized. But the damage wasn’t limited to Gawker and its users.

Soon Twitter and LinkedIn were dealing with hacking attacks on their sites. Then Yahoo and World of Warcraft developer Blizzard forced users to change their passwords. And finally the collateral damage reached all the way to the New York Times.

We also learned that many of the people whose passwords were disclosed used simple ones. Topping the list: “123456.” And we all learned a little about the dangers of using the same password everywhere.

No comment yet from Denton, although I’ll certainly update if I hear back from him.

And in case you didn’t pay enough attention to all this, and why it’s not a good idea to share passwords across multiple sites, here’s a great cartoon from XKCD that illustrates the dangers:

I have had a little disagreement with my IT guy. He says that when taking my laptop out in public, I should never type anything with passwords or confidential information. He says that someone can pick up my information. I say that I can’t believe that everyone in public is totally exposed. There must be some way to protect yourself while on a public network. Who is right?

A:

There’s no single correct answer. It’s true that thieves in public places can and do steal passwords and other sensitive information transferred over public Wi-Fi hotspots. But it’s also true that methods like Virtual Private Networks can mitigate this problem, and that most public hotspots are, just by the odds, unlikely to harbor these thieves at any one time. However, my advice is to avoid doing any sensitive tasks, like banking or stock trading, while using public hotspots. And, if you’re doing anything confidential on your company or home network remotely, use a VPN, which is like a secure tunnel through the internet.

Q:

I recently purchased a new iMac and am considering installing anti-virus/spyware/malware programs on it. Reader forums in MacWorld magazine say it’s not needed. A local newspaper computer columnist says he’s had Macs since the early ’80s and has never run an AV program and has had no problems. Other online computer advisers say Macs are always vulnerable and advise to run AV programs. Any recommendations here?

A:

No computer is inherently invulnerable to malicious software, and that includes the Macintosh. However, nearly every malicious program known is meant to run on Windows and simply won’t operate on the Mac operating system. The handful of Mac viruses and other malware that have been discovered are either proofs of concept, or have spread to very few users and done little or no damage. Most Mac users I’ve known don’t run third-party security software and haven’t had malware problems. So I don’t routinely recommend Mac security software.

There are two caveats, however. If you are running Windows on your Mac, you should install Windows security software, to run while Windows is in use. Also, Mac users are just as vulnerable as Windows users are to online scams, or to insecure public networks. So, even though you may never get a virus, you still have to be careful about doing sensitive Internet tasks via public hotspots or careless behavior like clicking on links sent you by unknown email senders.

Q:

My car has an audio jack that integrates any input into the sound system. I know that Kindle has a text-to-speech feature. Would I be able to use that feature via the audio jack in the car?

A:

Without having tested your car’s input jack, I assume the answer is yes. The Kindle has a standard headphone jack.

However, note that the text-to-speech feature works only on certain books, not all of them. Publishers have the right to allow or disallow it for any book.

Also, even if it’s enabled, it isn’t the same as an audio book, which is usually read by a trained narrator or by the author. Instead, it’s a computer doing the reading.

You can find Mossberg’s Mailbox and my other columns at the All Things Digital website, http://walt.allthingsd.com.

One particular highly accessible kind of flash mob, in which local singing groups perform Handel’s “Hallelujah” chorus at shopping malls, has been replicated all over the U.S. and Canada in the last month or so.

Quickly: Flash mobs are traditionally secretly orchestrated performances that play out in public places while bringing a little bit of magic to unsuspecting people in the right place at the right time. If you’ve ever seen those videos of a person breaking into song or dance in a public place, then being joined by hordes of interlopers who somehow know the full routine, you’ve seen a flash mob. (There are also less choreographed variations, like public pillow fights.)

Since flash mobs seem so fun, organic and full of life, they’ve of course been co-opted by marketers who mimic the style right down to camera shots of the surprised and confused onlookers capturing videos of the moment with their own camera phones. But they’ve also recently been adopted by wholesome community groups wanting to spread a little holiday joy. And in many cases, both the performers and the audience know about the event in advance (element of surprise be damned).

One flash mob performance of “Hallelujah” in a Canadian shopping mall, posted on YouTube on Nov. 17, has been seen more than 25 million times. YouTube’s Trends blog recently called it “by far, the most popular video of the season.”

YouTube’s Kevin Allocca also highlighted some 20 other flash mob performances, also of “Hallelujah” and mostly in shopping malls, from Orlando, Cleveland, Chattanooga, Juneau and Winnipeg. Allocca says the meme may actually have been kicked off by the Opera Company of Philadelphia performing “Hallelujah” in a Macy’s as part of the Knight Foundation’s Random Acts of Culture. That video was posted Nov. 1 and has more than six million views.

It’s gotten so bad that on Monday night a mall near Sacramento had to be evacuated after crowds overwhelmed it and the fire department feared for its structural integrity. A planned flash mob by the Sacramento Choral Society and Orchestra and other local congregations had been endorsed by the mall and promoted for weeks, drawing thousands to watch and sing along with their printed-out sheet music.

Would-be flash mobbers broke into impromptu singalongs as they were escorted out of the building and into the parking lot (with their video cameras recording all the while, of course). So apparently spontaneity isn’t dead yet.

Within two days, sites like LinkedIn and later Blizzard Entertainment and Yahoo had advised their users to change their passwords.

The latest company caught up in all this is the New York Times. A little more than an hour ago, the Times sent an email to customers (see below) whose email addresses appeared in a searchable database of compromised Gawker commenting accounts, warning them that if they used the same password on nytimes.com as they did on Gawker, it would be a good idea to change it. There is no evidence of any funny business on the Times’ Web site.

Incidentally, in case you missed it, Gawker’s technology head, Thomas Plunkett, circulated a memo detailing what happened at Gawker and what it plans to do in response to the incident. One thing it will do is offer disposable commenting accounts that users can ditch easily, and for which storing an email address won’t be required.

Here is the email from the Times:

NYTimes.com Wed, Dec 22, 2010 at 5:15 PM
Reply-To: nytdirect@nytimes.com

In case you missed our recent article “Gawker Sites Hacked and Passwords Compromised”
http://nyti.ms/hjNvlY we are writing to inform you that databases belonging to Gawker Media were compromised and hackers obtained more than one million user names, e-mail addresses and passwords.

While there is no evidence of suspicious activity on NYTimes.com we wanted you to know that
the e-mail address you registered with NYTimes.com matches an e-mail address that was on
the list of Gawker e-mail addresses and passwords that were published online.

If you use the same password for NYTimes.com as you did for Gawker, we strongly recommend you change your password. Changing your NYTimes.com password can be accomplished by visiting the Member Center page: http://www.nytimes.com/membercenter. After logging in to your account, click on the ‘change’ button associated with the password field which can be found under the Account Summary heading.

Here’s a Gadgetwise post with tips on developing a good password (in brief: do not make it a real word, keep it long and mix in an unusual combination of letters and numbers).
http://nyti.ms/gGR3kz

Please contact Customer Support at 1-800-698-4637 or e-mail customercare@nytimes.com with any questions.

Have a safe and happy holiday season.

The New York Times Company
620 Eighth Avenue
New York, NY 10018

However, we’re starting to get more information about how the McDonald’s incident appears connected to hacking incidents at other sites. Chicago Business is reporting that the company responsible for McDonald’s email marketing is Silverpop Systems, and that it had been operating under a subcontract from Chicago-based Arc Worldwide.

So who else is a customer of Silverpop? Yesterday I received an email from someone who’s a customer of deviantArt, a social network where artists share their creations. DeviantArt has a base of 13 million users. Got an account there? You’d better change any passwords that overlap with other sites. The site advised customers that their accounts were compromised, and blamed Silverpop.

It could extend much further yet. Silverpop has more than 100 clients, and not all of them are publicly disclosed, though here are a few, found on its client quotes page and its case studies page: Stamps.com, Pitney Bowes/Mapinfo, Encyclopedia Britannica, Santander Consumer Finance and watchmaker Fossil. There’s no word how any of those other companies are affected, if at all.

Silverpop CEO Bill Nussey said in a blog message to customers that the FBI is investigating the incident, and that only a small percentage of Silverpop customers have been affected. He also said that Silverpop was “among several technology providers targeted as part of a broader cyber attack.” Stacy Kirk, a Silverpop spokeswoman, wouldn’t say anything beyond what’s in Nussey’s message.

I’m beginning to wonder if there’s some indirect connection between what happened to Silverpop and what happened to Gawker. I’m speculating here, but it’s no stretch of the imagination that numbering among deviantArt’s 13 million users are some of the 1.5 million people whose accounts were compromised in the Gawkergate affair. And the FBI is investigating both. Thomas Plunkett, Gawker’s technology chief, told me by email that there’s no evidence of a connection. Then again, as Business Insider tells it, he hasn’t yet had his meeting with the FBI.

Maybe I’m looking for connections that aren’t really there, but it’s really not hard to see how the breach at Gawker could turn out be the start of a domino effect that’s much larger than anyone has yet realized. There certainly is a lot of grumbling about changing passwords today.

If you know more more about any of this, get in touch!

Below is the email to deviantArt users.

From: deviantART.com (address deleted)
Date: Mon, Dec 13, 2010 at 5:54 AM
Subject: RE: Email Notice

Silverpop Systems, Inc., a leading marketing company that sends email messages for its clients, told us that information was taken from its servers. This was probably part of a sweep by spammers. As a result, email addresses belonging to deviantART members were copied. Corresponding usernames and birth date may also have been removed.

We can assure you that nothing occurred on our systems with respect to this incident and no access was gained to private information on deviantART’s servers.

As a member of deviantART, you certainly have a right to know when an incident of this kind occurs. Unfortunately spammers are an unavoidable part of living on the Web.

The likely result of this event might be an increase in spam to your email. Experts have told us that there is an increase in email scams out there on the Internet and you should be cautious. Only click links or download attachments from people you know, particularly if they ask for personal information, and be sure that your email service provider has adequate spam filters.

Because we value the information that members give us, we have decided not to rely on the services of Silverpop in the future and their servers will no longer hold any data from us.

Yahoo spokeswoman Dana Lengkeek just emailed a statement saying that some Yahoo users were required to reset their passwords. “As part of our ongoing security measures we issued a password reset to some users. Yahoo! does this periodically to ensure the security of users.” She didn’t specify whether or not this was in direct response to the Gawker incident, but it’s not hard to conclude that it was, given the timing. I’ll update if Yahoo says anything further.

I have a Yahoo account and was required to change my password today, and yes, I also had a Gawker commenting account, so at this point it’s safe to say they certainly seem connected.

Meanwhile, Blizzard Entertainment (developer of World of Warcraft and provider of the Battle.net gaming service) was abundantly clear about the connection in an email to its customers. “We’ve recently been informed that several Gawker Media websites have been compromised…To help minimize the effects of this compromise and help keep your Battle.net account safe and secure, we’ve reset your account password,” it said.

Other Web incidents–perhaps connected to Gawkergate, perhaps not–have occurred during the past few days as well. For instance, McDonald’s disclosed that a database containing email address and birthdates of people who had signed up to receive promotions was compromised. It notified those customers on Monday. Again, it’s not clear what connection, if any, there may be to the Gawker incident, but the timing certainly makes it seem possible. I’ve asked McDonald’s for a comment and will update if I get one.

In another incident, drugstore chain Walgreens disclosed on Friday that a database of email address belonging to its customers had been breached. Given the timing–the Gawker incident happened over the weekend–it’s probably not connected, though it’s hard to be sure, as the folks at Anonymous Gnosis, the group that attacked the Gawker sites, say they’ve had access to the database for about a month. I’ve asked a Walgreens spokesman for a comment, and as with all the other cases above will update if I hear back.

This comes on top of other related forced password changes at Twitter and LinkedIn, as my colleague Peter Kafka reported earlier today.

Meanwhile, our friends at Digits have a fascinating graphic on the Top 50 passwords used on Gawker. Topping the list: “123456,” “password” and “12345678.” The two lessons in all this? Make your passwords complex, and don’t use the same password for multiple sites.