thought the creepiest things to happen to social networking was when old guys, claiming to be eighteen-years-old started roaming social networks like MySpace and FaceBook looking to hook up with fifteen-year-olds.But now there’sa whole different kind of creepiness.以为creepiest事情，以社会网络时，老家伙，自称为18年来岁开始漫游社会网络像MySpace和Facebook展望钩，与15年- olds.but现在有一个完全不同的种creepiness 。 And this one includes old guys in white lab coats roaming through FaceBook profiles.这其中包括老家伙白色实验室外套漫游通过Facebook的个人档案。 A bunch of scholars at Harvard University and University of California have decided to turn the vastly popular FaceBook into a一群学者在哈佛大学和加州大学已决定把大大流行脸谱成 giant mouse maze巨鼠迷宫 . 。

If you’re a constant visitor of the site then you’ve probably added those quirky applications that let you throw your friend out window, bake them a cake, head butt – or make up your own little creative action.如果你是一个常数游客的网站，然后你大概也补充说，这些奇特的应用程序，让你丢你的朋友出窗口，烘烤他们一个蛋糕，头部对接-或者弥补自己的小创意行动。

Researchers have begun studying one class of students at a particular college, where applications like ‘Hot or Not’, ‘Pirates vs. Ninjas’, and cute little digital pets have become tools in determining certain aspects of social interactions online.研究人员已经开始研究一类学生在某一特定学院，申请像'热或不' ， '海盗主场迎战忍者' ，和可爱的小宠物的数字化已成为工具，在确定某些方面的社会互动在线。

The story in the New York Times didn’t specify if the class being studied knew that these creeps – I mean – scholars had informed them that they were looking at every little program they added, picture they posted, and whether or not they liked the movie Fight Club or not.故事在纽约时报没有指明如果阶级正在研究，知道这些讨厌的家伙-我的意思是-学者曾通知他们，他们正在寻找在每一个小节目，他们说，图片，他们张贴，不管他们是否喜欢电影搏击俱乐部与否。

Now, I understand that if you want to get a juicy perspective on youth culture – Facebook would be a good place to start.现在，我明白，如果你想获得多汁的角度对青年文化-脸谱会是一个良好的开端。 But there’s something about social science freaks digging through my profile and trying to find meaning in the fact that I just dropkicked my friend that makes me a little uncomfortable.但也有一些社会科学的怪胎挖通过我的个人档案，并试图寻找意义，而事实上，我只是dropkicked我的朋友，这让我有点不舒服。

Most of the time, I think social networking profiles are just a plastic exterior that doesn’t necessarily represent us as an individual.大部分的时间，我认为社交网络概况仅是一个塑料外，这并不一定代表我们作为一个个人。 It’s more like an external attachment, like a external hard drive.它更象一个外部依恋，就像一个外接式硬碟。 It isn’t really apart of us but it can be – but it’s temporary and changes without us having to change along with it.这是不是真的，除了我们，但可以-但它的暂时性变化，没有我们不必随着人事变动而变动。 Trying to draw together some conclusion and hidden meaning in stuff like this can only end with misinterpretations.企图拉拢在一起的一些结论和隐藏的意义，像是这只能落得与曲解。
—Eming Piansay -鄂piansay

Alexi Mostrous and Dominic Kennedy 阿列克谢mostrous和星英豪

Security breaches that are allowing the financial details of tens of thousands of Britons to be sold on the internet are to be investigated by the country’s information watchdog.安全违规行为是允许的财务细节成千上万的英国人予以出售，在互联网上，以调查该国的信息看门狗。

Without paying a single penny, The Times downloaded banking information belonging to 32 people, including a High Court deputy judge and a managing director.而不付出一分钱，我们的时代下载的银行资料属于32人，其中包括一名高等法院暂委法官及董事总经理。 The private account numbers, PINs and security codes were offered as tasters by illegal hacking sites in the hope that purchases would follow.私人帐户号码，销与安全守则等，作为味觉敏感的，由非法黑客网站中，希望购买会跟随。

Richard Thomas, the Information Commissioner, will begin an investigation into the security breach today and Scotland Yard is also investigating.理查德托马斯，资讯专员，将开始调查到安全缺口今天和苏格兰场也正在调查。 Experts said that the findings suggested that more personal data than ever before was going astray.专家指出，这一调查结果表明，更多的个人资料，比以往任何时候都被误入歧途。 The Times found: More than 100 websites trafficking British bank details A fraudster offering to sell 30,000 British credit card numbers for less than £1 each A British “e-passport” for sale, although the Government insists that they are unhackable.纽约时报： 100多个网站贩卖英国银行详情欺诈者提供销售30000名英国人的信用卡号码，不到1英镑每一名英国的"电子护照"出售，虽然政府坚持认为，他们是unhackable 。

The discovery comes as public alarm is growing about the dangers of identity theft.发现正值公众恐慌的是，越来越多有关危险的身份被盗用。 HM Revenue & Customs has yet to retrieve two lost CDs containing the banking details of 25 million Britons, which ministers admitted had vanished in the post a fortnight ago.国税局与海关尚未取出两个失去光碟载有银行资料25万英国人，部长们承认，都已经消失，在后两个星期前。 At current underworld prices, these could fetch more than £100 million if they fell into the hands of hackers.按照目前的黑社会性质的价格，这些毒品市值超过1亿英镑，如果他们落入手中的黑客。

The News of the World disclosed yesterday that it had been handed two discs mislaid by the Department for Work and Pensions containing the national insurance numbers of 18,000 claimants.世界新闻报昨天透露，它已转交两个光碟mislaid由惩教署为就业和养老金含有国家保险号码18000索赔。

Last year The Times discovered internet chatrooms where the hacked credit card details of 400 British people were being sold every day.去年这个时候，发现网上聊天的地方，披荆斩棘，信用卡详细资料的400名英国人被出售的每一天。

A spokesman for Mr Thomas said: “We will be looking at the evidence you have provided and investigating the circumstances.先生的一位发言人托马斯说： "我们会研究证据，你们提供的情况和调查情况而定。 This looks serious and is a matter of genuine concern.这很严肃，是一个真正的关注。

“We can take action against UK-based organisations that flout the Data Protection Act. "我们可以采取行动对付总部设在英国的机构蔑视个人资料保护法。 If some of these websites are not UK-based we will work with our counterparts in the relevant country.”如果有人对这些网站的内容是不是英国为基地，我们将与我们的对口单位，在有关国家" 。

Mr Thomas will address the Commons Justice Committee tomorrow on the addional powers that he says are needed to prevent breaches of data protection.汤明善将处理的商品，司法委员会明天就addional权力，他说，是必要的，以防止违反数据保护。 He believes that reckless failure to protect information should result in prosecution and that his staff should have powers to raid government and business premises.他认为，鲁莽失败，以保护资料的结果，应该起诉，并认为他的工作人员应该有权力去搜查，政府及商业楼宇。

Hacking sites act as online bazaars for stolen personal information.黑客网站作为线上市集，为被盗的个人信息。 They are well run, hierarchical groups structured like businesses.他们都清楚而言，分层群体结构一样的业务。 Some even have review sections where buyers can recommend a particular fraudster.有的甚至已审查路段买家可以推荐某一特定的交易资料。

Geraldine Hernon, 30, of St Ives, Cambridgeshire, was shocked to hear that her credit card number, expiry date and security number were online with her address, telephone number and e-mail address. geraldine hernon ， 30岁，圣艾夫斯，剑桥，吃惊地听到她的信用卡号码，到期日和安全号码的人在网上与她的地址，电话号码和电子邮件地址。 She said: “I can’t believe it.她说： "我不能相信这一点。 I will have to change my whole account.我会改变我的整个帐户。 It is terrifying that people have the information.这是可怕的人有这些资料。 It is personal information.这是个人信息。 I feel really scared.”我感到很害怕" 。

The bank details of Robert Seabrook, QC, a deputy judge and former chairman of the Bar Council, were also freely available.该银行的细节罗伯特seabrook御用大律师，暂委法官及前大律师公会主席的理事会，也可以免费获得。 He, too, described the breach as terrifying.他也形容违反作为可怕的。 “I am profoundly concerned,” he said. "我深为关切， "他说。 “One reads about the anxieties of data in the public domain but it is disconcerting to hear something so personal being available. "读到忧虑的数据在公共领域，但令人不安的是听到这么个人推向市场。 If you can get this sort of thing for free who knows what is below the water line?”如果你能得到这样的事，自由，谁知道什么是低于水线" ？

Neil Munroe, the director of the credit reference agency Equifax and an expert on internet fraud, said that the depth of information obtained by The Times was greater than he had ever seen.尼尔munroe ，总的信贷资料服务机构Equifax和专家，在互联网上诈骗，表示深度所掌握的资料，有时大于他所见过的。 “The detail you have got is very disturbing,” he said. "细节，你必须是非常令人不安的， "他说。 “Normally we only see credit card numbers coming up but you have got e-mails, addresses, security and PINs. "通常我们看到的只是信用卡号码来了，但你有电子邮件，地址，安全和别针。 Everything.一切。 It is very scary.”这是非常可怕的" 。

Senior police officers are concerned that current methods of dealing with large-scale data protection breaches are unworkable.高级警务人员担心，目前的方法处理大型数据保护有违规行为也是行不通的。 Detective Chief Inspector Charlie McMurdie, of the Metropolitan Police e-crime unit, said: “At the moment people report internet crimes to a local police station but no one locally has the resources to investigate properly.”刑事侦缉总督察查理mcmurdie ，首都警察电子犯罪的单位，说： "在这一刻人们报告互联网犯罪问题提升到当地派出所，但没有人在当地有资源妥当调查" 。

Since April customers have been told to report card crimes to their banks rather than to the police. 4月以来，客户已经接到通知，报告卡犯罪的，以银行，而不是向警方报案。 Mr McMurdie, backed by the main banks, has asked the Home Office for £1.3 million to fund a central e-crime unit.问mcmurdie ，之后由主要银行，已要求民政厅£ 130万元，以资助一个中央电子罪案组。

Stolen identities 被盗身份

Criminals use three main methods to extract personal information 犯罪分子所使用的三种主要方法提取个人信息

- Viruses contained in e-mails that install malicious software to collect information such as login names, bank account details and credit card numbers. -病毒包含在电子邮件安装恶意软件，以收集信息，如登录名，银行帐户资料和信用卡号码等。 Make sure you use up-to-date antivirus software确定您使用及时更新的反病毒软件

- Handheld credit card readers are used to “skim” cards and copy data that is then used to clone another one. -手持信用卡读者是用来"脱脂"的贺卡和拷贝数据，然后用来克隆另一个课程。 Check your accounts regulary for unusual transactions检查你的帐户regulary为异常交易

- Bin raiders go through rubbish bins to find discarded bank statements and utility bills. -斌袭击者经过垃圾箱里寻找被丢弃的银行对账单和公用事业法案。 Make sure that all personal documents are shredded before you throw them out确保所有个人证件是辗碎后，你再丢出来

In October, two security experts at hacker conference ToorCon9 in San Diego hacked into their hotel’s corporate network using a Cisco VoIP phone 在10月，两名安全专家黑客会议toorcon9在圣迭戈侵入了他们酒店的企业网络采用思科VoIP电话

By 由 Linda Leung Framingham 琳达Framingham的梁

Cisco confirmed it is possible to eavesdrop on remote conversations using Cisco VoIP phones. 思科证实，是有可能以监听远程交谈使用思科VoIP电话。 In its 在其 security response 安全响应 , Cisco says: “an attacker with valid Extension Mobility authentication credentials could cause a Cisco Unified IP Phone configured to use the Extension Mobility feature to transmit or receive a Real-Time Transport Protocol (RTP) audio stream.” 思科说： "攻击者持有有效延长移动认证证书可能导致思科统一IP电话配置使用分机移动功能来发送或接收实时传输协议（ RTP ）的音频流" 。

Cisco adds that Extension Mobility authentication credentials are not tied to individual IP phones and that “any Extension Mobility account configured on an IP phone’s Cisco Unified Communications Manager/CallManager (CUCM) server can be used to perform an eavesdropping attack.” 思科公司也表示，分机移动性认证证书，是不是绑个人IP电话，并说： "任何分机移动帐户配置一个IP电话的思科统一通信经理/ CallManager的（ cucm ）服务器，可以用来执行一个监听攻击" 。

The 该 technique was described 技术被称为 by Telindus researcher Joffrey Czarny at HACK.LU 2007 in Luxembourg in October. 由telindus研究员joffrey czarny hack.lu于2007年在卢森堡举行，在十月。

Cisco has published some workarounds to this problem in its 思科公司已经发布了一些变通方法，以这个问题，把它 security response 安全响应 . 。

Also in October, two security experts at hacker conference ToorCon9 in San Diego hacked into their hotel’s corporate network using a Cisco VoIP phone. 同样在10月，两名安全专家，在黑客大会toorcon9在圣迭戈侵入了他们酒店的企业网络采用思科VoIP电话。

The hackers, John Kindervag and Jason Ostrom said they were able to access the hotel’s financial and corporate network and recorded other phone calls, according to a 黑客，约翰kindervag和Jason ostrom说，他们能够方便地联络酒店的财务及企业管网和其他记录的电话，据一位 blog on Wired.com 博客对wired.com . 。

The hackers used penetration tests propounded by a tool called VoIP Hopper, which mimics the Cisco data packets sent at three minute intervals and then trades a new Ethernet interface, getting the PC — which the hackers switched in place of the hotel phone — into the network running the VoIP, according to the 该黑客使用贯入试验所提出的工具，所谓的VoIP漏斗，其中模仿思科的数据包进行发送，在3分钟的间隔，然后行业的一个新的以太网接口，让电脑-其中黑客开关代替了酒店电话-进入网络运行网络电话，根据我的 blog post 博客职位 . 。

The Avaya configuration is superior to Cisco, according to the hackers, because you have to send requests beyond a sniffer. 该Avaya的配置优于思科公司，据该黑客，因为你要发送请求超越嗅探器。 Although it can be breached the same way, by replacing the phone with a PC. 虽然它可以被破坏同样的方式，代之以电话与PC机。

Many users resented Facebook grabbing and sharing data许多用户反感脸谱攫取和共享数据

Facebook members have forced the social networking site to change the way a controversial ad system worked. More than 50,000 Facebook users signed a petition calling on the company to alter or abandon its Beacon advertising technology. Facebook的成员，迫使社交网站方式的转变，一个有争议的广告系统的运作情况。五万多Facebook的用户签署了一份请愿书，要求该公司必须改变或放弃灯塔广告技术。

When Facebook users shopped online, Beacon told friends and businesses what they looked at or bought.当Facebook的用户在网上购物，灯塔，告诉朋友和生意，他们看到或买。

Many considered the data sharing to be an intrusion that exposed them to more scrutiny than was comfortable.许多人认为数据共享是一个入侵充分暴露了他们更多的审议，较舒适。

Privacy please 隐私权请参阅

In response to the demands, Facebook’s 55 million members will have more control over whether data about what they do online is used for Beacon.针对这一要求， Facebook的5500万会员，将有更多的控制数据是否对他们在线上做些什么，是用于灯塔。

Before the changes, Beacon was an “opt out” system and many complained that they missed the chance to avoid using it when it was introduced in early November.之前的变化，灯塔，是一种"选择退出"的制度和许多抱怨说，他们错过了机会，以避免用它当它在11月初。

Now Beacon will be an “opt in” system that only tracks data if explicit permission is granted to Facebook to do so.现在的灯塔，将是一个"选择"的制度，只有轨道数据，如果明确准予以脸谱这样做。

More than 40 websites, including Fandango.com, Overstock.com and Blockbuster, signed up to use Beacon software on their webpages and report what Facebook users did when they visited. 40多个网站，包括fandango.com ， overstock.com和Blockbuster公司签署了使用灯塔软件对网页内容和报告有什么Facebook的用户，当他们访问了。

Beacon embarrassed many doing Christmas shopping online灯塔尴尬，许多做圣诞节网上购物

Activist site MoveOn was at the forefront of protests against Beacon and set up the petition to gather signatures on 20 November.活动家网站moveon是站在最前列的抗议，灯塔，并于同年成立请愿收集签名，于11月20日。

“It also says a lot about the ability of internet users to band together to make a difference,” said Adam Green, a spokesman for MoveOn. "它也说了很多关于能力的互联网用户以波段通力合作，使差说： "亚当绿色，发言人moveon 。

Facebook apologised for its actions via a letter on its website. Facebook的道歉，为自己的行动通过一个信在其网站上。

“We’re sorry if we spoiled some of your holiday gift-giving plans,” read the letter. "我们很抱歉，如果我们宠坏了你的一些节日送礼计划" ，宣读了这封信。 “We are really trying to provide you with new meaningful ways, like Beacon, to help you connect and share information with your friends.” "我们真的想向你提供新的有意义的方式，像灯塔，以帮助您连接和共享信息与您的朋友" 。

Industry commentator Om Malik said Facebook users had to be certain to opt out completely from Beacon otherwise Facebook would still collect data from partner sites - even if that data was not shared more widely.业界评论员关于马利克说， Facebook的用户以一定的退出完全由Beacon否则脸谱仍会搜集资料，由合伙人遗址-即使该数据没有得到更广泛的交流。

The changes to Beacon may not be the last that Facebook has to make to the technology.该改变的灯塔，可能不会是最后一次说，脸谱已使该技术。

Two rights groups, the Electronic Privacy Information Center and the Center for Digital Democracy, are believed to be compiling a complaint to the US Federal Trade Commission about it.两个人权团体，电子隐私信息中心和研究中心数位化民主，相信都是被编译投诉，向美国联邦贸易委员会的有关情况。

http://news.bbc.co.uk/1/hi/technology/7120916.stm

Governments are using the Internet to spy and launch cyberattacks that target critical systems, according to McAfee’s cybersecurity report

By Jon Brodkin

Governments and allied groups worldwide are using the Internet to spy and launch cyberattacks on their enemies, targeting critical systems including electricity, air traffic control, financial markets, and government computer networks, according to McAfee’s annual report examining global cybersecurity.

This year, China has been accused of launching attacks against the United States, India, Germany and Australia, but the Chinese are not alone: 120 countries including the United States are said to be launching Web espionage operations, according to McAfee’s Virtual Criminology Report , issued today and developed with input from NATO, the FBI , the United Kingdom’s Serious Organized Crime Agency , and various groups and universities.

“Cyber assaults have become more sophisticated in their nature, designed to specifically slip under the radar of government cyber defenses,” McAfee states. “Attacks have progressed from initial curiosity probes to well-funded and well-organized operations for political, military, economic and technical espionage.”

One attack against Estonia , allegedly carried out by Russia, disrupted government, news and bank servers for several weeks in April, McAfee notes. In the United States, a Pentagon computer network allegedly was hacked by China-based perpetrators in June, the McAfee report states.

The Internet is simply a great tool for gathering intelligence, both for world powers like the United States and China and small countries with limited resources, says David Marcus, security research and communications manager at McAfee Avert Labs.
He doesn’t think cyberattacks will replace conventional warfare, but says they are becoming an important augmentation, with countries using technology to spread disinformation and disrupt communications. He also predicts it will be common for governments to license cybercriminals to attack enemies in a sort of privatized model. “We’re already starting to see that with state-sponsored malware,” he says. “I only think you’re going to start seeing more than that because it’s easier to attack government X’s database than it is to nuke their troops.”

McAfee said its research also found an increasing threat to banking and other online services, and “the emergence of a complex and sophisticated market for malware .” Malware today is more complex than ever before, capable of acting as if it were genetically modified. “These ’super-strength’ threats are more resilient, are modified over and over again like recombinant DNA,” McAfee writes. “Nuwar [ Storm Worm ] was the first example, and experts say there will be more examples in 2008.”

VoIP is a new target of cybercriminals, and such social-networking applications as MySpace and Facebook are sure to be exploited more often, going forward, McAfee says. NATO insiders say many governments are unaware of the Web espionage threats and have left themselves open to cyberattack.

One aspect that might be overlooked is the economy that distributes the tools of cybercrime. Software flaws are sold for as much as $75,000, and criminals can buy Software flaws are sold for as much as $75000, and criminals can buy custom-written Trojans designed to steal credit card data. Additionally, McAfee says an “underground economy already includes specialized auction sites, product advertising and even support services, but now competition is so fierce that ‘customer service’ has become a specific selling point.”

Network World is an InfoWorld affiliate.

By Louise Story and Brad Stone
The New York Times

Faced with its second mass protest by members in its short life span, Facebook, the enormously popular social networking Web site, is reining in some aspects of a controversial new advertising program.

Within the last 10 days, more than 50,000 Facebook members have signed a petition objecting to the new program, which sends messages to users’ friends about what they are buying on Web sites like Travelocity.com, TheKnot.com and Fandango. Within the last 10 days, more than 50000 Facebook members have signed a petition objecting to the new program, which sends messages to users’ friends about what they are buying on Web sites like Travelocity.com, TheKnot.com and Fandango. The members want to be able to opt out of the program completely with one click, but Facebook won’t let them.

Late yesterday the company made an important change, saying that it would not send messages about users’ Internet activities without getting explicit approval each time.

MoveOn.org Civic Action, the political group that set up the online petition, said the move was a positive one.

”Before, if you ignored their warning, they assumed they had your permission” to share information, said Adam Green, a spokesman for the group. “If Facebook were to implement a policy whereby no private purchases on other Web sites were displayed publicly on Facebook without a user’s explicit permission, that would be a step in the right direction.”

Facebook, which is run by Mark Zuckerberg, 23, who created it while an undergraduate at Harvard, has built a highly successful service that is free to its more than 50 million active members. But now the company is trying to figure out how to translate this popularity into profit. Like so many Internet ventures, it is counting heavily on advertising revenue.

The system Facebook introduced this month, called Beacon, is viewed as an important test of online tracking, a popular advertising tactic that usually takes place behind the scenes, where consumers do not notice it. Companies like Google, AOL and Microsoft routinely track where people are going online and send them ads based on the sites they have visited and the searches they have conducted.

But Facebook is taking a far more transparent and personal approach, sending news alerts to users’ friends about the goods and services they buy and view online.

Charlene Li, an analyst at Forrester Research, said she was surprised to find that her purchase of a table on Overstock.com was added to her News Feed, a Facebook feature that broadcasts users’ activities to their friends on the site. She says she did not see an opt-out box.

”Beacon crosses the line to being Big Brother,” she said, “It’sa very, very thin line.”

Facebook executives say the people who are complaining are a marginal minority. With time, Facebook says, users will accept Beacon, which Facebook views as an extension of the type of book and movie recommendations that members routinely volunteer on their profile pages. The Beacon notices are “based on getting into the conversations that are already happening between people,” Mr. Zuckerberg said when he introduced Beacon in New York on Nov. 6.

”Whenever we innovate and create great new experiences and new features, if they are not well understood at the outset, one thing we need to do is give people an opportunity to interact with them,” said Chamath Palihapitiya, a vice president at Facebook. “After a while, they fall in love with them.”

Mr. Palihapitiya was referring to Facebook’s controversial introduction of the News Feed feature last year. More than 700,000 people protested that feature, and Mr. Zuckerberg publicly apologized for aspects of it. More than 700000 people protested that feature, and Mr. Zuckerberg publicly apologized for aspects of it. However, Facebook did not remove the feature, and eventually users came to like it, Mr. Palihapitiya said. He said Facebook would not add a universal opt-out to Beacon, as many members have requested.

MoveOn.org started the anti-Beacon petition on Nov. 20, and as of last night more than 50,000 Facebook users had signed it. MoveOn.org started the anti-Beacon petition on Nov. 20, and as of last night more than 50000 Facebook users had signed it. Other groups fighting Beacon have about 10,000 members in total. Other groups fighting Beacon have about 10000 members in total. Facebook, they say, should not be following them around the Web, especially without their permission.

The complaints may seem paradoxical, given that the so-called Facebook generation is known for its willingness to divulge personal details on the Internet. But even some high school and college-age users of the site, who freely write about their love lives and drunken escapades, are protesting.

”We know we don’t have a right to privacy, but there still should be a certain morality here, a certain level of what is private in our lives,” said Tricia Bushnell, a 25-year-old in Los Angeles, who has used Facebook since her college days at Bucknell. ”We know we don’t have a right to privacy, but there still should be a certain morality here, a certain level of what is private in our lives,” said Tricia Bushnell, a 25-year-old in Los Angeles, who has used Facebook since her college days at Bucknell. “Just because I belong to Facebook, do I now have to be careful about everything else I do on the Internet?”

Two privacy groups said this week that they were preparing to file privacy complaints about the system with the Federal Trade Commission. Among online merchants, Overstock.com has decided to stop running Facebook’s Beacon program on its site until it becomes an opt-in program. And as the MoveOn.org campaign has grown over the past week, some ad executives have poked fun at Facebook users.

”Isn’t this community getting a little hypocritical?” said Chad Stoller, director of emerging platforms at Organic, a digital advertising agency. “Now, all of a sudden, they don’t want to share something?”

Facebook users each get a home page where they can volunteer information like their age, hometown, college and religion. People can post photos and write messages on their pages and on their friends’ pages.

Under Beacon, when Facebook members purchase movie tickets on Fandango.com, for example, Facebook sends a notice about what movie they are seeing in the News Feed on all of their friends’ pages. If a user saves a recipe on Epicurious.com or rates travel venues on NYTimes.com, friends are also notified. There is an opt-out box that appears for a few seconds, but users complain that it is hard to find. Mr. Palihapitiya said Facebook is making the boxes larger and holding them on the Web pages longer.

Mr. Green of MoveOn.org said that his group would be tracking the effects of the latest changes before deciding if it would still push for a universal opt-out.

The whole purpose of Beacon is to allow advertisers to run ads next to these purchase messages. A message about someone’s purchase on Travelocity might run alongside an airline or hotel ad, for example. Mr. Zuckerberg has heralded the new ads as being like a “recommendation from a trusted friend.”

But Facebook users say they do not want to endorse products.

”Just because I use a Web site, doesn’t mean I want to tell my friends about it,” said Annie Kadala, a 23-year old student at the University of North Carolina at Chapel Hill. “Maybe I used that Web site because it was cheaper.”

Ms. Kadala found out about Beacon on Thanksgiving day when her News Feed told her that her sister had purchased the Harry Potter “Scene It?” game.

”I said, ‘Susan, did you buy me this game for Christmas?’” Ms. Kadala recalled. “I don’t want to know what people are getting me for Christmas.”

Feeling Betrayed, Facebook Users Force Site to Honor Their Privacy
By Ellen Nakashima
The Washington Post

Friday 30 November 2007

Sean Lane’s purchase was supposed to be a surprise for his wife. Then it appeared as a news headline - “Sean Lane bought 14k White Gold 1/5 ct Diamond Eternity Flower Ring from overstock.com” - last week on the social networking Web site Facebook.

Without Lane’s knowledge, the headline was visible to everyone in his online network, including 500 classmates from Columbia University and 220 other friends, co-workers and acquaintances.

And his wife.

The wraps came off his Christmas gift thanks to a new advertising feature called Beacon, which shares news of Facebook members’ online purchases with their friends. The idea, according to the company, is to allow merchants to effectively turn millions of Facebook users into a “word-of-mouth promotion” service.

Lane called it “Christmas ruined,” and more than 50,000 other users signed a petition in recent days calling on Facebook to stop broadcasting people’s transactions without their consent. Lane called it “Christmas ruined,” and more than 50000 other users signed a petition in recent days calling on Facebook to stop broadcasting people’s transactions without their consent.

Last night, Facebook backed down and announced that the Beacon feature would no longer be active for any transaction unless users click “ok.” Beacon is a core element of Facebook’s attempt to parlay the personal and behavioral information it collects about its members into a more sophisticated advertising business, an effort to turn a user’s preferences into an endorsement with commercial value. Last night, Facebook backed down and announced that the Beacon feature would no longer be active for any transaction unless users click “ok.” Beacon is a core element of Facebook’s attempt to parlay the personal and behavioral information it collects about its members into a more sophisticated advertising business, an effort to turn a user’s preferences into an endorsement with commercial value.

The merging of social networking and online advertising combines two of the most powerful forces on the Internet today, and privacy advocates say it raises issues about the way personal data are disclosed for marketing purposes.

”Sites like Facebook are revolutionizing how we communicate with each other and organize around issues together in a 21st century democracy,” said Adam Green, a spokesman for MoveOn.org, a liberal activist group that has launched the petition drive to pressure Facebook to stop broadcasting members’ purchases and using their names as endorsements without explicit permission. ”Sites like Facebook are revolutionizing how we communicate with each other and organize around issues together in a 21st century democracy,” said Adam Green, a spokesman for MoveOn.org, a liberal activist group that has launched the petition drive to pressure Facebook to stop broadcasting members’ purchases and using their names as endorsements without explicit permission. “The question is: Will corporate advertisers get to write the rules of the Internet or will these new social networks protect our basic rights, like privacy?”

The site, which was started in a Harvard dorm room, has become a Silicon Valley powerhouse, recently valued at $15 billion. It allows its users to share messages, photos and updates on their lives.

Facebook launched Beacon as part of a wider social advertising campaign Nov. 6, with 44 announced partners, including Overstock, Travelocity, the auction site eBay, the movie ticket site Fandango, Blockbuster and the shoe site Zappos. The Beacon feature, free to advertisers, is not restricted to commerce. A person’s high score on an online game might also be posted for friends to see.

Facebook puts a string of code called a cookie on a user’s computer, which tracks the user on Beacon partner sites. In the version that Facebook launched, a person logged into Facebook who bought, say, a movie ticket, was alerted that the Web site was sending a “story” to his profile and had a chance to opt out - both at the merchant’s site and on his own page, Facebook says. In the version that Facebook launched, a person logged into Facebook who bought, say, a movie ticket, was alerted that the Web site was sending a “story” to his profile and had a chance to opt out - both at the merchant’s site and on his own page, Facebook says.

But privacy advocates criticized the opt-out feature - a pop-up box - because it disappeared after a few seconds and said Facebook should allow users to turn off Beacon and include an “opt in” feature for those who wish to receive the service. Last night, Facebook apparently added an “opt in” feature for each transaction, which Green called “a huge step in the right direction,” but still did not include a way to shut off the service permanently.

Beacon is a key part of what Facebook founder and chief executive Mark Zuckerberg, 23, called “a completely new way of advertising online.” Sometimes, ads accompany the news feeds. The ads could contain a person’s photo.

Yesterday Facebook issued an apology on MoveOn’s Facebook page: “We’re sorry if we spoiled some of your holiday gift-giving plans.”

In a news release last night, Facebook said “we appreciate feedback from all Facebook users and made some changes to Beacon in the past day. Users now have more control over stories that get published.”

Marketers can target paid social ads on Facebook according to criteria such as age, gender, political views and taste in movies, Zuckerberg told media and ad executives at the launch, according to Online Media Daily.

”What’s unique about Facebook is it’s really turning over personal profile data to advertisers,” said Jeff Chester, executive director of the Center for Digital Democracy, a privacy advocacy group. “In essence, it’s telling advertisers, we know exactly who your targets are, what their favorite entertainment is, the books they read, the kinds of social networks they have, what their political leanings are.”

Chester’s group, along with the US Public Interest Research Group, has asked the Federal Trade Commission to investigate whether Facebook and MySpace, a rival social networking site that is also targeting members for ads, are using deceptive practices to violate people’s privacy. Chester’s group, along with the US Public Interest Research Group, has asked the Federal Trade Commission to investigate whether Facebook and MySpace, a rival social networking site that is also targeting members for ads, are using deceptive practices to violate people’s privacy 。

MoveOn has created a blog on its Facebook page for people to post comments. The wall contained more than 800 as of yesterday.

They include Tasha Valdez from Michigan, who wrote: “Oh my gosh, my cousin’s entire Christmas shopping list this week was displayed on the [Facebook News] feed. That’s so messed up. This has gotta stop!”

Beacon’s risks go beyond ruining someone’s Christmas, said Mike Rogers, editor and publisher of a gay-oriented Web site, PageOneQ. “We teach young people to be very careful about what they post and all of a sudden comes along an automated system like this. What happens if a kid is on a football team and he buys a ticket to ‘Brokeback Mountain’ [a gay-themed film]?” he said, alluding to the possibility that the youth could be outed and harassed as a result.

For Lane, spoiling his wife’s surprise was bad enough.

Within two hours after he bought the ring on Overstock.com, he received an instant message from his wife, Shannon: Who is this ring for?

What ring, he messaged back, from his laptop at work in Waltham, Mass.

She said that Facebook had just put an item on his page saying he bought a ring. It included a link to Overstock, which noted that the 51 percent discount on the ring.

Lane, 28, a technical project manager at an online printing company, was crestfallen. He had gone to lengths to keep the ring a secret, even telling Shannon he was not going to give her jewelry this year.

Lane complained to Overstock. Company spokesman Judd Bagley said this week that on Nov. 21, Overstock abandoned its Beacon feature until Facebook changes its practice so that users must volunteer if they want to participate.

”I was really disappointed because for me the whole fun of Christmas is the surprise,” said Shannon Lane, 28, who married Sean a year ago in September. “I never want to know what I’m getting.”

———

Staff writer Ylan Mui contributed to this report.

YouTube stops account of Egypt anti-torture activist

Cynthia Johnston

CAIRO, Nov 27 (Reuters) - The video-sharing Web site YouTube has suspended the account of a prominent Egyptian anti-torture activist who posted videos of what he said was brutal behaviour by some Egyptian policemen, the activist said.

Wael Abbas said close to 100 images he had sent to YouTube were no longer accessible, including clips depicting purported police brutality, voting irregularities and anti-government demonstrations. YouTube, owned by search engine giant Google Inc <GOOG.O>, did not respond to a written request for comment. A message on Abbas’s YouTube user page, http://youtube.com/user/waelabbas, read: “This account is suspended.”

“They closed it (the account) and they sent me an e-mail saying that it will be suspended because there were lots of complaints about the content, especially the content of torture,” Abbas told Reuters in a telephone interview. Abbas, who won an international journalism award for his work this year, said that of the images he had posted to YouTube, 12 or 13 depicted violence in Egyptian police stations.

Abbas was a key player last year in distributing a clip of an Egyptian bus driver, his hands bound, being sodomised with a stick by a police officer — imagery that sparked an uproar in a country where rights groups say torture is commonplace.

That tape prompted an investigation that led to a rare conviction of two policemen, who were sentenced to three years in prison for torture. Egypt says it opposes torture and prosecutes police against whom it has evidence of misconduct.

YOUTUBE RULES

YouTube regulations state that “graphic or gratuitous violence” is not allowed and warn users not to post such videos. Repeat violators of YouTube guidelines may have their accounts terminated, according to rules posted on the site.

Rights activists said by shutting down Abbas’s account, YouTube was closing a significant portal for information on human rights abuses in Egypt just as Cairo was escalating a crackdown on opposition and independent journalists.

The Internet has emerged in Egypt as a major forum for critics of the Egyptian government.

“The goal is not showing the violence, it is showing police brutality. If his goal was just to focus on violence without any goal, that is a problem. But Wael is showing police brutality in Egypt,” said Gamal Eid, head of the Arabic Network for Human Rights Information.

This year, for the first time, an Egyptian court convicted and jailed a blogger over his Internet writings.

A string of court rulings since September has seen at least 12 Egyptian journalists ordered jailed on charges from defaming President Hosni Mubarak to misquoting the minister of justice.

Elijah Zarwan, a prominent blogger and activist in Egypt, said he thought it was unlikely that YouTube had come under official Egyptian pressure, and was more likely reacting to the graphic nature of the videos.

“I suspect they are doing it not under pressure from the Egyptian government but rather because it made American viewers squeamish,” he said. “But to shut them down because some people might find the truth disturbing is unconscionable.” (Writing by Cynthia Johnston)

By Ralph Lopez

Google has refused to run the following sponsored ad and link paid for by the Northeast Impeachment Coalition and YaliesForImpeachment.org:

Help Impeach Cheney NOW
Nonpartisan, the time is here.
House JC 202-225-3951 Demand ACTION
YaliesForImpeachment.org

Google’s explanation is the following:

“At this time, Google policy does not permit ad text that advocates against an individual, group, or organization. In addition, this policy doe not permit the advertisement of websites that advocate against a group protected by law.”

Protected by law? Since when is the Vice President of the United States protected from free speech? Political speech is protected speech. Cheney is a public figure. Google does run ads “against” the tobacco industry. We believe this is settled law in the print and TV worlds. Any legal beagles out there please weigh in. We’ll be forwarding this to the ACLU and the general media Monday morning. Following is the full text of the email Google sent to our coordinator. An example of political speech Google DOES allow: if you type in keywords “support the president” the following ad comes up:

Elect More Republicans
The Party of Lincoln, Reagan and You. Support the RNC today.
www.gop.com

Also included is a list of impeachment-related advertising which Google allows. What’s the difference between “Impeach Bush” and “Help Impeach Cheney Now?” Our feeling is the line is drawn at political advertising which might actually wake people up, is too effective. Please circulate widely, and in the meantime, use Yahoo for your search engine.

Encrypted E-Mail Company Hushmail Spills to Feds

By Ryan Singel

Hushmail, a longtime provider of encrypted web-based email, markets itself by saying that “not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer.”

But it turns out that statement seems not to apply to individuals targeted by government agencies that are able to convince a Canadian court to serve a court order on the company.

A September court document (.pdf) from a federal prosecution of alleged steroid dealers reveals the Canadian company turned over 12 CDs worth of e-mails from three Hushmail accounts, following a court order obtained through a mutual assistance treaty between the US and Canada. The charging document alleges that many Chinese wholesale steroid chemical providers, underground laboratories and steroid retailers do business over Hushmail.

The court revelation demonstrates a privacy risk in a relatively-new, simple webmail offering by Hushmail , which the company acknowledges is less secure than its signature product.

A subsequent and refreshingly frank e-mail interview with Hushmail’s CTO seems to indicate that government agencies can also order their way into individual accounts on Hushmail’s ultra-secure web-based e-mail service, which relies on a browser-based Java encryption engine. A subsequent and refreshingly frank e-mail interview with Hushmail’s CTO seems to indicate that government agencies can also order their way into individual accounts on Hushmail’s ultra-secure web-based e-mail service, which relies on a browser-based Java encryption engine.

Since its debut in 1999, Hushmail has dominated a unique market niche for highly-secure webmail with its innovative, client-side encryption engine.

Hushmail uses industry-standard cryptographic and encryption protocols ( OpenPGP and AES 256 )  to scramble the contents of messages stored on their servers. They also host the public key needed for other people using encrypted email services to send secure messages to a Hushmail account.

The first time a Hushmail user logs on, his browser downloads a Java applet that takes care of the decryption and encryption of messages on his computer, after the user types in the right passphrase. So messages reach Hushmail’s server already encrypted.  The Java code also decrypts the message on the recipient’s computer, so an unencrypted copy never crosses the internet or hits Hushmails servers.

In this scenario, if a law enforcement agency demands all the e-mails sent to or from an account, Hushmail can only turn over the scrambled messages since it has no way of reversing the encryption.

However, installing Java and loading and running the Java applet can be annoying. So in 2006, Hushmail began offering a service more akin to traditional web mail. Users connect to the service via a SSL (https://) connection and Hushmail runs the Encryption Engine on their side. Users then tell the server-side engine what the right passphrase is and all the messages in the account can then be read as they would in any other web-based email account.

The rub of that option is that Hushmail has — even if only for a brief moment — a copy of your passphrase. As they disclose in the technical comparison of the two options, this means that an attacker with access to Hushmail’s servers can get at the passphrase and thus all of the messages.

In the case of the alleged steroid dealer, the feds seemed to compel Hushmail to exploit this hole, store the suspects’ secret passphrase or decryption key, decrypt their messages and hand them over.

Hushmail CTO Brian Smith declined to talk about any specific law enforcement requests, but described the general vulnerability to THREAT LEVEL in an e-mail interview (You can read the entire e-mail thread here ):

The key point, though, is that in the non-Java configuration, private key and passphrase operations are performed on the server- side.

This requires that users place a higher level of trust in our servers as a trade off for the better usability they get from not having to install Java and load an applet.

This might clarify things a bit when you are considering what actions we might be required to take under a court order. Again, I stress that our requirement in complying with a court order is that we not take actions that would affect users other than those specifically named in the order.

Hushmail’s marketing copy largely glosses over this vulnerability, reassuring users that the non-Java option is secure.

Turning on Java provides an additional layer of security, but is not necessary for secure communication using this system[…]

Java allows you to keep more of the sensitive operations on your local machine, adding an extra level of protection. However, as all communication with the webserver is encrypted, and sensitive data is always encrypted when stored on disk, the non-Java option also provides a very high level of security.

But can the feds force Hushmail to modify the Java applet sent to a particular user, which could then capture and sends the user’s passphrase to Hushmail, then to the government?

Hushmail’s own threat matrix includes this possibility, saying that if an attacker got into Hushmail’s servers, they could compromise an account — but that “evidence of the attack” (presumably the rogue Java applet) could be found on the user’s computer. Hushmail’s own threat matrix includes this possibility, saying that if an attacker got into Hushmail’s servers, they could compromise an account — but that “evidence of the attack” (presumably the rogue Java applet) could be found on the user’ s computer.

Hushmail’s Smith:

[T]he difference being that in Java mode, what the attacker does is potentially detectable by the user (via view source in the browser).

“View source” would not be enough to detect a bugged Java applet, but a user could to examine the applet’s runtime code and  the source code for the Java applet is publicly available for review . 。 But that doesn’t mean a user could easily verify that the applet served up by Hushmail was compiled from the public source code.

Smith concurs and hints that Hushmail’s Java architecture doesn’t technically prohibit the company from being able to turn over unscrambled emails to cops with court orders.

You are right about the fact that view source is not going to reveal anything about the compiled Java code. However, it does reveal the HTML in which the applet is embedded, and whether the applet is actually being used at all. Anyway, I meant that just as an example. The general point is that it is potentially detectable by the end-user, even though it is not practical to perform this operation every time. This means that in Java mode the level of trust the user must place in us is somewhat reduced, although not eliminated.

The extra security given by the Java applet is not particularly relevant, in the practical sense, if an individual account is targeted. (emphasis added) […]

Hushmail won’t protect law violators being chased by patient law enforcement officials, according to Smith.

[Hushmail] is useful for avoiding general Carnivore-type government surveillance, and protecting your data from hackers, but definitely not suitable for protecting your data if you are engaging in illegal activity that could result in a Canadian court order.

That’s also backed up by the fact that all Hushmail users agree to our terms of service, which state that Hushmail is not to be used for illegal activity. However, when using Hushmail, users can be assured that no access to data, including server logs, etc., will be granted without a specific court order.

Smith also says that it only accepts court orders issued by the British Columbia Supreme Court and that non-Canadian cops have to make a formal request to the Canadian government whose Justice Department then applies, with sworn affidavits, for a court order.

We receive many requests for information from law enforcement authorities, including subpoenas, but on being made aware of the requirements, a large percentage of them do not proceed.

To date, we have not challenged a court order in court, as we have made it clear that the court orders that we would accept must follow our guidelines of requiring only actions that can be limited to the specific user accounts named in the court order. That is to say, any sort of requirement for broad data collection would not be acceptable.

I was first tipped to this story via the Cryptography Mailing List, and Kevin, who had been talking with Hushmail about similar matters involving another case, followed up with Smith. We both agree Hushmail deserves credit for its frank and open replies (.pdf). Such candor is hard to come by these days, especially since most ISPs won’t even tell you how long they hold onto your IP address or if they sell your web-surfing habits to the highest bidders.

CBS News

Online auctioneer eBay Inc. spent almost US$2-million lobbying various departments of the federal government in the past year, including an entity rarely named on federal disclosure forms: the Central Intelligence Agency.

According to a database maintained by the Senate’s public records office, eBay is one of eight groups and companies to lobby the spy agency. The company listed the CIA on a form covering its lobbying activities for the first six months of 2007. Hani Durzy, an eBay spokesman, said that listing was an error.

But he said the company did meet with CIA officials in the second half of 2006 to discuss amendments to a 1994 law — the Communications Assistance for Law Enforcement Act — that required Internet phone companies to ensure their equipment can accommodate wiretaps. EBay owns the Internet phone company Skype.