Facebook recently conducted a poll which showed up on the homepage newsfeed, and asked Facebook members just how exactly did they think Facebook’s “friend finder” worked when it prompted them for their email address & password in order to get a list of contacts. The numbers pretty much speak for themselves, here’s what they looked like near the end of the campaign:

Now ignore the dark blue bar: it’s a red herring and doesn’t contain any interesting info. The real juicy bit is the “Yes” option, and its 20% response.

20% of Facebook’s 80 Million active users (give or take) believe that the passwords for their email addresses are being stored when they use the Friend Finder…. and that doesn’t bother them in the least. That’s sixteen million people who don’t give a damn about their privacy, the contents of their email, or who has control of their entire online personas.

This is a subject that’s been chewed half to death already countless times by people far more in the know than myself; Jeff Atwood’s excellent article on the topic covers the dangers of sites asking for users’ email addresses & passwords, and – far more importantly – presents several more secure alternatives for web application developers looking to expand their social networks.

To put things in perspective, take a look at this downright horrifying tale on ReadWriteWeb about software that prompted users for their email addresses & passwords, then proceeded to save them for malicious use… then realize that 16 million Facebook users out there don’t care if this happens to them. Think about all the private, sensitive, confidential information available on your email account and just how truly terrible it would be for that info to fall in the wrong hands.

Of course all this begs the question: who’s to blame for this bout of end-user stupidity (for lack of a more politically-correct term)? Is it naïveté/trust in the goodwill of others that gets users to give out such sensitive data to people (Facebook has 500 employees!) they don’t know from Adam? Or is it that they just don’t get how dangerous it can be (see the ReadWriteWeb article for proof)? Or is it, maybe, that they’ve simply gotten accustomed to being asked for their email address and corresponding password by “trusted” sites they love to visit, too caught up in the “gather as many friends as you can” game to give a second thought to identity theft and fraud?

Personally, I can recall a time when most “normal people” I know would refuse flat-out to share such sensitive data with a site (phishing, tech support, etc. obviously excluded); but in the wake of “Web 2.0” it’s become so normal to ask for email addresses and passwords that no one ever gives it a second thought.

And it’s not just Facebook. To be totally frank, even if Facebook were to store end users’ passwords in their database, the access to that info would probably be very highly guarded… but when every new social network on the block is suddenly doing the same thing – you can get a good picture of just how easy it would be to steal users’ passwords.

MQ’s 3 Steps for World Domination

1. Send out an email purporting to be from “the hottest new social network around” informing the recipient that their “friends” want them to join: “Click here to show Peter you’re a real friend!”
2. Get the user to register a new account – make the procedure as pain-free and simple as possible… and right then and there on the registration page ask for the user’s email address and password so as to “make it easy to tell all your friends you care and get popular really fast…”
3. Profit.

As soon as it’s OK for one person to do it, it’ll be OK for everyone to… and then we’ll be in too deep to do anything about it.

So why does Facebook – after polling their end users and seeing just how dire the situation is – continue to use the same flawed mechanism of harvesting email addresses… especially when better, safer alternatives exist?

It would seem that between the way Gmail saves and retrieves sessions, existing sessions are authenticated, and views are cached there are one or more loopholes that allow data from a different account (that has nothing to do with yours) to be served instead of the correct data.

I don’t know why, but here’s the how:

• Firefox 3 opened to Gmail on Ubuntu.
• Session accidentally reset with ctrl+alt+bkspc
• Upon reboot & restarting of Firefox, Firefox requested the URIs that were previously open before the crash, partially loading data from local cache and the rest dynamically from the web (because of the AJAX portions of the Gmail interface).

The result:

• Gmail loaded up the email account of a user I’d never contacted before, never heard of, and never knew existed.
• I could see the front page of this user’s inbox, including the people he’d recently contacted, the brief summary of all messages, the total number of messages in the inbox, the number of unread messages in other folders, the dates of all correspondences, and a number of contacts (again, none that I have had contact with) in the sidebar.
• The number of remaining Gmail invites, the amount of space used, and other status values also reflected this mysterious individual’s account.
• I couldn’t browse deeper than the main page of the inbox. Emails couldn’t be opened, nothing past the first 50 correspondences could be seen, and I couldn’t switch to another folder.
• Attempts to do any of the above resulted in Gmail’s “Oops… the system encountered a problem (#102) – Retrying in XXs… <Retry Now>”

Parts of the Gmail interface contained values pertaining to my own account (for instance, the online status indicator) while others referred to this other individual’s account instead.

It’s very bizarre. I don’t know if it can be readily reproduced, but I’d imagine if you forced an exit of Firefox 3 and kept on firing it back up at some point or another you’d see similar behavior. Of course, a deeper analysis of what data Firefox 3 requests from Gmail’s servers verses what’s served from the local session cache may yield further information that could possibly be used to actively take advantage of this data leak.

It seems that Firefox requests a cached session complete with cookies and all from the Gmail URI, which in turn loads the Gmail javascript files that are responsible for retrieving the data associated with a particular email account via AJAX. At this point, either the session key is associated with another account and so Gmail retrieves the information assumming the session to be properly authenticated or else the expired session somehow causes Gmail to get data from elsewhere…

Screenshots of this behavior:

Gmail displaying the other user’s information:

Searching for this user in my own account yields no results:

As we’ve previously mentioned, NeoSmart Technologies is a big proponent of Full Disclosure. We’ve contacted the security department at Google and will post their reply if/when it’s available. We’ve also taken what we feel are the appropriate steps in this case with regards to the screenshots above in terms of what’s been made visible and what’s been blanked out for privacy concerns.

Update

The Google Security Team sent a reply to our inquiry. According to them, this behavior might be caused by broken ISP proxying, pending further investigation. This post will be further updated as soon as new information becomes available.

Update

Google has confirmed that was the result of an ISP caching/proxing problem, and that it’s been known to happen. It seems some ISPs are over zealous in their caching attempts (probably to save some money) – and you can add Cyberia to that list. Much thanks to Chris Evans of the Google Security Team for his feedback on the issue and prompt responses – that’s the way security is supposed to be handled!

• A cell-phone-wielding shopper enters the shopping plaza.
• Path Intelligence monitors mounted throughout the plaza detect that a new mobile phone is in the vicinity and log its IMEI code.
• As the shopper moves around the mall, his or her movements are continuously triangulated by the multiple Path Intelligence units, allowing movements to be mapped and saved for later analysis.

The good news: it’s totally private, there isn’t any (automated) way to map a particular record in the Path Intelligence logs to an actual person. The resulting logs can be analyzed for shopping patterns (where people go after visiting a certain store, peak hours of traffic, most popular regions, etc.) later on, providing valuable intelligence and allowing for improvements.

The bad news: The Path Intelligence logs — in-conjunction with other monitoring techniques such as cashier timestamps, credit card log, video surveillance, etc. — can result in the identification of the persons associated with logged behavior in the system; posing a real and tangible privacy/Big Brother concern.

The weird news: Everything in the above scenario can be directly mapped to an exact counterpart in the current web-tracking solutions in use:

• Shopper -> Visitor to a site
• Mall/Shopping Plaza -> Website
• IMEI code -> IP Address (unique, but not personally identifying on its own)
• Path Intelligence -> One of the many web-statistics companies

Everything from the tracking techniques used to the information gathered to the way its analyzed and used is directly taken from the way cyber traffic has been logged and analyzed for years. After all, why not?

Web monitoring solutions have proven to be reliable metrics for understanding the userbase of any given site; and more importantly, the number one tool to improving conversion rates and increasing the visits-to-sales ratio. If there are technologies that have proven invaluable to boosting the online commerce economy, it makes sense for people to attempt to apply these same methods to everyday life in the real world as well.

It’s somewhat of an epiphany to consider the amount of information available in cyberspace and how easy it is to obtain and analyze when compared to the physical world we live in. The quantity, quality, and pervasiveness of the data available to online far exceeds anything in the real world, and the use that it can be put to are truly amazing – and scary when extended to our normal lives.

Imagine for an instance the typical data available to a website owner enlisted with one or more of the web statistics services and just how useful such knowledge would be in the real world:

• Referrals. Who came from where, how people came across your store, and what they’re most interested in.
• Popularity Ranking. Know what stores in each mall are the most popular, down to the last customer. Find out exactly what sections of each store get the most attention (then compare it with sections are currently getting the most sales and try to maximize sales in those departments).
• Shopper Characteristics. As the Times article explains, the IMEI number can be traced back to the country the shopper comes from. In high-tourist areas (think New York, Las Vegas, London, Chicago, etc.) this kind of intelligence can provide great insight…

Basically, the real world is starting catch up with the online one (not the other way around, folks!), and there’s a lot it has to learn and a lot it has to benefit.

A Texan family is now suing Virgin Mobile for using a photo of their daughter, Alison Chang, in an ad campaign – the catch is, it was released by the photographer on Flickr under the Creative Commons Attribution license, and that’s where Virgin Mobile got the photo from. The problem is, the girl featured in the photo had no idea her photo was being used – or that it was released under the Creative Commons license.

As the case currently stands, the Changs are suing consumers of open source works and not the original party responsible for the release of the work as an open source material without a proper media consent form.

It gets more complicated than that. Appearances in the media need a media consent form, but posting a photo online technically doesn’t. At least, not yet — is this another issue at stake? So in this case, a photographer posts a photo online, fully within their rights and releases the photo itself as an open source work. Then the open source work (and not the actual person) is used in a media appearance – what’s the ruling then? Why is the family suing Virgin Mobile and not the photographer? Do they (and their lawyer) fully understand the concept of open source and creative commons licensing? Do end-users of open source material have a legal obligation to ensure that the material they use was cleanly and wholly legally released as open source in the first place? Just how far does one have to go?

Still not confusing enough for you? Well, Virgin Mobile added insult to injury, captioning the photo in their advertisements with what amounts to – more or less – an insult to Alison Chang. Is the question of whether the subject of an open source’d photograph can be used against one’s self a legal or a moral issue? Does releasing a photo to the public under a lax license let it be used by anyone for any purpose, even when “hurting” the original producer/subject?

This is quite the legal tangle, and we’re betting it’ll be settled out of court – but even if it is, it’s certain to come up later in one court case or another. We’re not lawyers, but this is clearly a case that poses quite the risk to open source, attempting to redefine just how “open” it really is. Here’s a re-cap of the issues at stake:

• Are “consumers” of open source legally liable for using “dirty” open source’d code? Do they have a legal requirement to verify its validity before using it?
• Will legal consent forms be required for simply posting photos online? What about “personal” sites like Flickr, MySpace, and Facebook?
• Just how global is an open source copyright? In this case, Virgin Mobile Australia is charged with breaking a US copyright.
• Previous court cases have ruled that bloggers are journalists in their own right. Does the freedom of press protect online photo-journalism, too? ((In this case, we’re referring to the original “blog post” on Flickr by the photographer, and not the subsequent use by Virgin Mobile))

It’s unlikely that all of these issues will actually appear in a court of law, but it certainly is possible. The first and second are very likely to appear, and have far-reaching effects; whereas the latter two are stretching it a bit, but anything is likely when money is involved. Creative Commons has an optional “country” setting that determines, in the case of a legal dispute, which country’s laws and jurisdictions shall apply. We have no details at the moment which setting was specified, but the default is USA, and that’s where the photographer and subject both resided. The Creative Commons license is recognized by law in both the United States and Australia.

Should it actually be ruled that Virgin Mobile is guilty as charged, a huge online panic in the open source community will likely ensue. At the moment, most big open source projects perform a cursory check on any code/content submitted for possible legal violations (and, let’s be honest, for plausible deniability more than anything else). But in some cases (read: Wikipdia) it’s almost impossible to practically do so, thanks to the enormous volume of content being constantly contributed and the difficutly of vigorously checking it for legal trespasses. What happens when you can no longer simply trust the EULA that ships with a particularly code library? Or when the content you grab off of Wikipedia (technically licensed under the GFDL) isn’t as open source as it claims to be? And most importantly, that using such “dirty” materials makes you, in the eyes of the law, guilty of content/idea theft?

If any ruling of this sort were to be passed with an actual verdict on the open source angle, it would instantly destroy the entire spirit of open source. No one would be able to trust any open source project or the other, destroying one of the most important benefits of using an open source license the first place: being able to instantly convey the rights a consumer has or doesn’t by simply telling them it’s “GPL” or “BSD” or whatever. You’d need something tantamount to a chain of custody for each and every modification/copy, telling people exactly where each bit of code or content came from and what grounds you had to use it, and no project would be safe without a lawyer of its own. In a word, it’d be the death of open source… In the United States, that is; because the rest of the world (for the most part) is blissfully immune to many of the issues outlined in this post.

Not only does the United States system of copyrights and software patents have to be rewritten to prevent ridiculous things like this taking a toll on the entire open source industry, but also a legally-recognized free software “Bill of Rights” needs to be drafted to ensure that lawsuits like this one don’t jeopardize everything that the online community has been working on for decades. Just like the current Bill of Rights defines basic freedoms for US Citizens that no law can overrule (the Patriot Act excluded because GWB says so), free software needs a similar document to set down its (proverbial) foot and ensure that open source lives on – freely, as it was meant to be.

It’s important to note that the Creative Commons license that the photo was released under was not marked as non-commercial, and that Virgin Mobile fully complied with the letter of the Creative Commons license, by properly citing the Flickr page the photo was grabbed from at the bottom of their advertisement. As far as Virgin Mobile is concerned, they didn’t really do anything wrong. It is no wonder most magazines still insist on getting explicit legal permission before including anything in their issues, even if the EULA/copyright is clearly indicated on the site/source!
This might just be a case of a family trying to get rich quick; and if it is, it’s quite unfortunate that the entire spirit of open source has to be put on trial for a couple of bucks and a 16-year-old emotional teenager’s injured self image. If it’s not, it’s still a damn shame.

Earlier today, Slashdot featured a story on EarthLink’s “random” dropping of email messages. We just concluded a test of our own, and we find the results may not be as random as they seem. In fact, the results point directly to a big spider of sorts, sitting in the middle of all the tubes and picking what goes through and what doesn’t.

According to EarthLink themselves, “EarthLink’s mail system has been so overloaded that some users have been missing up to 90 percent of their incoming e-mail.” But what they don’t mention is, it isn’t random. As a matter of fact, our tests lead us to believe that EarthLink is indeed prioritizing not only message delivery time but also whether the messages ever get there or not.

We sent out 20 email messages from a EarthLink account, and discovered that 100% of them reached an @Gmail.com email, 30% reached a no-name domain, and 100% of them reached an @Yahoo.com email. This could of course be a coincidence, but at a time like this, we don’t think so.

When a system is under load, generally speaking it (attempts to) deliver messages in the order they were received, and they either go through or they don’t. What makes EarthLink’s results a bit more interesting is, the messages that went through and those that didn’t have absolutely nothing to do with the physical network routes:

EarthLink’s mail servers are hosted in New York; Gmail’s are hosted in Mountain View, CA; Yahoo’s servers are in Redwood City, CA; and our no-name servers are in Chicago. Technically speaking, packets sent from New York should arrive in Chicago before they do all the way on the other end of the continent. But of course, our no-name server isn’t on any high-politics list, nor is it loaded with money.

If “dumb” networks existed, then the packets would have most certainly made it to our server before they reached Gmail’s or Yahoo’s all the way in California. Unless, of course, net-neutrality is no longer just a concept or idea for the future, but something applicable in the here-and-now. If the big names in computing are prioritizing one-another’s networks to such an extent, we’re in trouble.

Tennessee, the first to implement such a system in March of 2005, has the highest rate of meth abuse. Jennifer Johnson of the PR Dept. at the Tennessee’s regional version of the FBI makes a case for an internet registry that lists meth – and meth only – makers:

“Unlike other drugs where it is really [only] harmful to you and your family, meth is hazardous to all around you. […] That’s why we don’t foresee a heroin or cocaine registry.”

What Johnson is referring to are the “meth factories” required in the production of amphetamines. Unlike other drugs and illegal substances, “cooking” meth results in highly-dangerous toxic waste, that can affect entire communities and is relatively expensive to clean. However, given that Meth Makers’ Registry lists only contain the location of the meth lab in question and the name of those involved in its production, its viability as a measure of public safety and its preference over the creation of other drug registries becomes questionable.

Since the Meth Registry only contains the ex-location of meth labs, and doesn’t contain actual address of offenders, its unlikely that it would be of any use since its impossible for the same location – once compromised – to be used again for the same purpose. Given that it doesn’t list users of meth, but only those involved in the production and sale of amphethetamines, might it not be more useful to create a registry of more-commonly abused (and more dangerous) drugs like cocaine and heroine.

If the point of the National Online Meth Registry is to protect the public and provide information vital to the safety of individuals and the community at large, perhaps the efforts of the FBI would be best implemented in a registry that lists the actual & registered physical addresses of those convicted in the creation and distribution of meth and/or other more lethal substances.

In a time where tapping of phone lines and monitoring of any and all email has become the daily norm in the United States, its not the privacy issues that would inhibit the creation of such a registry ((Such was the case when the sex offenders list was first proposed and later implemented)) but rather its purpose and usefulness to the society as a whole.

Are we the only ones that how that every single MP3/Audio player to date has been successfully stripped of its firmware, souped-up, then published as a how-to on the web? But all that is besides the point: there is no evidence right now that indicates the need for anything as drastic.

First, let’s get one thing clear here: It’s not in Microsoft’s favor to have DRM. Any of it. Microsoft isn’t the author of the media nor does it own RIAA; Microsoft’s concerns are almost assuredly focused solely on maximizing profit and keeping their users happy. That’s the way the business world works. So the only reason DRM is in the Zune in the first place is just because it has to be there: legal reasons, politics, etc.

What that tells us is that Microsoft won’t be going out of its way to make your media-playing experience comparable to a week in the slammer (sorry Michael!). It means that wherever possible, the best-case-scenario is most likely. And it means that whatever DRM is implemented in the Zune, it can’t possibly be so bad as to make this product a big no-no. That’s not Microsoft, Michael Robertson, or us speaking: it’s pure business.

That said, there is undeniably something going on with the wi-fi. No one is really sure right now which media is subject to 3 days/3 plays rule – but that rule is definitely there, and not many like it. But before you scream, think about this: you can’t even share songs on an iPod. i Pods don’t have wi-fi, and until they do, you can’t really compare the two. It’s not a nice rule, we don’t like it any more than you do, but that’s life.

The best you can hope for is that it doesn’t apply to non-Microsoft-downloaded media files, and more importantly, that next-generation Zunes will be able to download songs and media off the net.

But Zune’s DRM isn’t Viral. Never has been, and if the laws of business don’t suddenly change, never will. We’re not to sure who came up with this BS, but it has no sources, and it’s been officially debunked anyhow. Just remember, Microsoft has never pushed the boundaries of DRM, and were against Blu-Ray for that very reason.

What matters in the end is hardware quality, style, price, and us. Just use some common sense, don’t believe every rumor you hear, and remember: worst comes to worst, in a week or less Zune will be running Linux as some hackers celebrate and prepare to release it to the public.

When a person, group, or company discovers a security flaw in a product or service, they have a range of means to communicate this flaw to the outside world. On one side of the scale, most companies explicitly ask that such discoveries be treated with the utmost confidence and not spoken of until they have released a patch. Then you have Full Disclosure wherein the finders reveal any and all associated information, exploits, fixes, and workarounds. At the the very other end are the self-beneficiaries that attempt to sell or else use the exploits for their own self-aggrandizement.

The first option has its obvious merits: when a security hole has been in existence for __ long, it’s a good idea that the company should get a chance to patch their product and set matters straight before the public finds out; lest wily souls get their hands on it and take advantage innocents around the web. But then what’s to guarantee that this kind of thing doesn’t happen again and again? A couple of months ago there was a similar story with MSN and Yahoo! – they’re warned, but it’s easier to just sit around and wait.

Just last week, “hackers” claimed they’d found critical security flaws in Firefox that allow for complete remote control of users’ PCs from afar. Two days later they backed down and confessed it was a hoax — after creating chaos everywhere. Even if it wasn’t a hoax, their original intent of manipulating this security hole for their own “malicious” (Hacker communication network!) purposes could hardly be considered any better.

No matter who finds a bug or what software/product it’s in, Full Disclosure is the only method that can ensure that the right people know about it without too much hassle. With Full Disclosure,

• The holes get fixed. Isn’t that what it’s all about?
• Such vulnerabilities can’t be abused by morally-challenged people.
• It allows end-users a chance to backup their databases and take preliminary steps to securing their sites.
• It provides the affected companies with a solution. If the exact bug and the associated steps of reproduction, the affected files/code, and the extent of damage are reported there really isn’t anything much left.
• It embarrasses the company into taking immediate action and better care.
• You get the credit you deserve for finding the flaw!

When all that is said and done, nothing is perfect. Full Disclosure most certainly can be used and manipulated by people with malicious intent, and the more popular the application, the more potent Full Disclosure becomes.

But Full Disclosure isn’t a strict way of releasing information, it’s just a guideline of sorts. It doesn’t say you can’t warn the originating company a day before and give them a deadline upon which to act. It doesn’t mean you have to tell everyone immediately, nor does it mean you agree to keep mum for a set amount of time. All it means is that, sooner or later, you tell everyone everything, for the good of the general public.

It’s the law of the jungle. It’s a wild beast that has been thus far never been truly stopped, and you can use it for your own advantage. It’s called fair use, and it’s near impossible to truly define. Simply put, if you see something online and you want to use it in an article or presentation or project, all you have to do is cite your sources, follow that up with a link, and you’re good to go.

We’re not talking about binary data or pay-per-view content or anything like that, that’s a whole ‘nother story, and normally has other user-end agreements and various strings attached. But simple content on a website, a picture hosted for the public to see, information or research from someone you’d like to talk about, or anything that catches your eye; it’s already there for anyone that wants it, all you have to do is just ask.

Fair use is fair. Well, we’re technically biased here, with the majority of this site’s contents being Creative Common’d; but it’s hard to argue otherwise. In the real world, when you write an article or publish a story, you can technically quote pages at a time so long as you cite your sources right along with the quote and mention them in a pretty list at the end. Generally speaking, that’s for educational books and research articles or newspaper/magazine sources, but nothing says you can’t do the same with a novel or short story; after all, they’re both protected by the same laws.

It’s the same thing online. Think about it, if you did contact the author, and waited for him or her to reply, and they said it was OK for you to quote them, what would they ask? They could ask you to name them in your story and at most they could request a link back to them; there really isn’t anything more that they could ask, and money is generally speaking out of the question. So you take the initiative and you do the most they have any right to expect.

But the author could have said no. In that case, the author will in time become aware of your site or story (via the backlinks or just by sheer dumb luck) and they’ll ask you to stop. That’s really all they can ever do in accordance with over 98% of all copyright laws. They ask you to stop, and if you do, that’s it. No court, no fees, no litigation, no lawsuits, no trouble. So take the safe side, cite your sources, contribute to the story, trust your judgement, and always listen to the author if he or she contacts you. It’s that simple.

NeoSmart Technologies in no way, shape, or form endorses copyright violation. NST has published this article in good faith and firmly believes that following these steps is in accord with major copyright laws around the world, and particularly in the United States of America and throughout Europe. Please forward any complaints to legal@neosmart.net.

Everyone agrees the internet is full of both the good and the bad, and that you can’t necessarily have one without the other. The only real question is, whose to decide what’s right and what’s not? Who can say whether a country is right or wrong to decide what’s good for its people; what they can or cannot access, and where they get their information from. Generally speaking, every man or woman should decide for themselves; but some countries have made the decisions for their citizens and that’s the world we live in.

Saudi Arabia is such a country. It’s approach may be vastly different from that of China, it may not be making the headlines by requesting that websites tailor their content to suit the Kingdom’s likings, but nevertheless, Saudi Arabia’s firewall is just as powerful and as just as controlling, and all the more dangerous in its subtle and invisible way.

An anonymous NST reader in the Kingdom of Saudi Arabia provided us with the data needed for this report — without it, this story would have been impossible. It runs a lot deeper than we’ll ever be able to research, but what we have certainly was a shocker. First some background though.

Saudi Arabian telecommunications is locked off to a single internet provider: the Saudi Telecom Company (STC), a government-subsidized corporation in charge of all telephone, cellular, internet, and other data exchange mediums that take place in Saudi Arabia. This single-company perfect monopoly is government protected, and emerged as a result of privatization in the Saudi Arabian Ministry of Telex, Mail, and Telephone in 1998. Since then it has been involved in a campaign of complete information control on all in- and out-bound traffic in the Kingdom.

A browser runs on the end-users’ computers obviously, and it may be argued that end users have the right to choose how they want to be able to view web pages, what they see, how they see it, and where they go from there. To that end, Opera (like several other cool browsers) offers an “Author Mode” and “User Mode” CSS display styles: basically a place where users can locally overwrite CSS selectors defined on the website in question. That is, after all, what the web is all about, isn’t it? Information at the fingertips, in an internationally recognized format that can be twisted at will to make things show up the way the user wants them to.

But it’s one thing to give the end-user peace of mind, and quite another to twist and turn the web into something the website owners don’t want it to be. Imagine if you will a browser that is capable of breaking web standards – (no, we’re not talking about IE6) a browser that purposely ignores server redirects, and refuses headers from websites.

But this raises quite a few questions. When a reader visits a site, who’s right is it to decide where the reader should go? In most cases the obvious and honest answer is that it’s the readers’ choice. If they want to visit pages in one order or the other, it’s up to them.

But imagine a browser where when filling out a form that only enables the next button after you fill out some info is automatically enabled because the browser decided that users should choose? What if when you visited a directory and the web server attempted to gently redirect you away from sensitive data, your browser decided it would rather continue on?

Sure, all of these can be fixed (and should be as a matter of fact) server-side. Scripts can be implemented, data checks installed, and encryption used. But it’s an interesting question nevertheless. When you visit a site, whose right is it to be in control of what you see and what you don’t? On one end, the data is there, it’s not hidden nor is it encrypted, just filtered. On the other end is a web host that doesn’t have too much to hide, but would like some semblance of privacy, an expectation that a polite redirect request will be followed.

The web is an interesting place that raises quite a lot of questions, many moral, many technical, and all controversial and none too easy to unanimously decide on. As the web only increases and depth and breadth, these questions will only become more eminent, and answering them will become a necessity, and addressing them will only get harder.

Which brings us back back to where we started: Opera 9 and its redirection policies. With Opera, the first step has been taken and the gears have been put into motion. It’s not exactly lack of redirection, but it’s just as bad. In Opera, the first time you visit a page and are redirected, (for example, http://www.neosmart.net/ redirects to http://neosmart.net/ with a 301) Opera follows the redirect request.

However, the next time you visit the original page, Opera will grab the content from the redirection, but it will not actually redirect the browser itself (i.e. the address bar still displays the original text). In the example given the results are obvious: traffic rankings for sites that employ this sort of redirection will be affected. At the moment, your private data remains private, but in the future, who can tell?

JavaScript can do a lot of things, but that doesn’t mean it should be used that way. But that’s not the problem – not this time. The problem is that people are still insisting on believing that using JavaScript to hide text means that the bad guys won’t ever see it. But that’s just not true.

For one thing, as we all know, the weapons reach the bad guys first, and it takes a long time for the “good guys” to get them later. Just because GoogleBot and Yahoo! Crawler don’t exactly understand JS-rendered text, doesn’t mean that the spam bots, email harvesters, blog spammers, and more don’t. As a matter of fact, more spam bots come to NeoSmart Technologies with javascript enabled engines than authentic users with JS enabled browsers (stats thanks to SpamKarma 2) – and they’re on your site too.

Just like people insist on writing their emails as ramblings [at] neosmart dot net or one of it’s variations, and it never occurs to them that spambots can harvest these just as well as they can ComputerGuru@NeoSmart.net with or without the mailto: entity defined, it just doesn’t matter. It takes the code masters over at HiveLogic a month or more to write such a complicated algorithm, but it takes spam bot and email harvester authors mere hours to add JS processing to their engines – and all of a sudden everyone is vulnerable.

There really is no good way to prevent an email address from being listed in spam directories and sold in bulk along with thousands of others to spammers around the web – especially not image renders of email addresses, OCR is actually a rather practical method once combined with baesian filters to identify a likely email-in-image target. The best thing one can do is to sign up for a good email service if you use free webmail (don’t use AOL, Hotmail, Walla, WowMail, SpyMac, or most others; use Yahoo!, Live.com, or GMail if you have to), or if you have your own MX server, invest in a quality spam-control engine (don’t use BrightMail or anything else Symantec!). If it’s too late to change whatever it is that you picked or your email address is all over the web such that it doesn’t make a difference, get a decent client-side program instead (reviews to come!).

Remember, you can never beat them completely, just do your best to bat them away. Using disposable email addresses helps, but it’s not the best way since spammers will send messages to random email addresses and bookmark those that don’t bounce back – you really can’t win outright, just keep trying.

However (and this is important!) Hivelogic deserves recognition for their algorithm. I personally used it the month it went public (3 or 4 years ago?), and it was a great idea, the innovation is there, and it definitely worked for a couple of years, but times change and technology swarms and grows, and nothing lasts forever. If you really want security via obsecurity, then this is your award-winning horse that’ll take you quite far, but remember, no one is perfect, and nothing lasts forever.

When a choice has to be made, no excuses or delays accepted, what will they choose? The only clear element is the options themselves: will they choose the industry or the consumer? Will they uphold the basic and unalienable rights of music listeners, video watchers, TiVo Rippers, and software-geeks everywhere; or will they staunchly support the industry that has worked so hard to bring these products to the market, and attempt to help them in their never-dying endeavor for greater riches and more prosperous returns?

Our research team is hard at work. A web-interface is in the make, sources are being carefully checked & verified, one after the other; soon a tentative list of companies on both sides will be out; will you be satisfied with your favorite corporations’ choice, or will one of you have to re-evaluate their priorities before something gives?

I think this is the ultimate proof that Sony has gone too far. ‘They were trying to protect their interests.’ Sure they were (I’m being sarcastic, in case you couldn’t tell) but there are limits. Various conventions throughout history have outlawed the use of WMDs. Weapons of Mass Destruction. Why? I mean, there has to be a reason that the US doesn’t nuke the terrorists, or vice versa; and there is. SALT I & II resulted in strategic WMD reductions for the US and USSR. Sony’s rootkits are practically in violation of the Geneva Convention as well…

I think the UN should step in… Now Japan has WMDs too.. Interesting.. WMDs make things too easy, drive the casualties too high, and overall are a just one big disaster. It takes little to no effort to achieve widespread chaos and destruction, and there is almost no preventive measure. Well, its official. Sony’s rootkit is a WMD. Since its release, it has been used by BMG-Sony for their shady protection schemes, WoW hackers, rumors abound that CS hackers use it as well, and now Virii and Trojan writers.

It is undetectable by any traditional spyware and Antivirus software, making it near impossible to clear your PC out. Rootkits are like cheats in AOE. They make an epic battle between good and evil all the more bloody and cheap. Spawning Cobras that can wreak havoc on Town Centers in minutes is not fun, its cheap, its evil, and its most certainly below the belt.