Internet

Those using Safari on Mac OS X are still vulnerable to "man-in-the-middle" attacks using fraudulent security certificates that hackers generated from Dutch certificate authority DigiNotar. The problem lies in the way Mac OS X handles a new type of certificate called Extended Validation, or EV certificates. Fortunately, however, there is a relatively easy fix.

DigiNotar had been hacked earlier this week in order to generate hundreds of fake security certificates for numerous websites, including Google, Yahoo, and others. An Iranian hacker appears to have used the certificates for google.com to spy on Iraninan Gmail users' conversations.

Microsoft and Google revoked trust in certificates issued by DigiNotar, and Mozilla issued patches for Firefox and Thunderbird to no longer trust certificates from the company. These changes meant that Chrome, Internet Explorer, and Firefox users would no longer accept secure HTTPS connections from sites using DigiNotar issued certs.

Apple has yet to provide a patch for its Safari browser or Mac OS X, so users were told to use the Keychain to mark any certs issued by DigitNotar as "Never trust." Unfortunately, according to developer Ryan Sleevi, Mac OS X will still accept newer Extended Validation certs—used to help prevent phishing attacks—even from authorities that are marked as untrusted.

"When Apple thinks you're looking at an EV Cert, they check things differently," Sleevi told Computerworld. "They override some of your settings and completely disregard them."

Security experts, including WhiteHat Security CTO Jeremiah Grossman, consider the flaw "troubling." Since Apple tends to not release any information about browser insecurity until it releases the relevant patches, users could potentially be exposed to further exploits in the meantime.

There is still a relatively simple fix to the problem until Apple issues a patch to Mac OS X, however. Using Keychain Access, users can simply delete any DigiNotar certs from the Keychain instead of marking them "untrusted." Since the authority has already revoked all the fraudulent certs, they will no longer validate when Safari or other Mac OS X programs encounter them again.

Read the comments on this post

Unredacted versions of more than 250,000 US government cables have been released online after a breach of WikiLeaks' archive servers, which WikiLeaks blames on the "gross negligence or malice" of a journalist from The Guardian. As such, the full versions of the documents are now floating around on the Internet, complete with the names of informants, sources, and the like. WikiLeaks says it has initiated legal action against the UK newspaper.

WikiLeaks, famous for its massive leaks of secret government and corporate documents, has made a habit of redacting some of the sensitive information that could hurt individuals named in its documents, but has simultaneously saved uncensored versions of the documents to its "Cablegate library"—a massive archive of files to which only selected parties have been given access, such as publications that WikiLeaks likes to work closely with when it releases new documents. One of those parties is—was—The Guardian, or more specifically, Guardian editor in chief Alan Rusbridger, who allegedly signed a confidentiality agreement with WikiLeaks promising to keep the unredacted documents secure.

Facebook is planning to announce a music platform at its f8 conference on September 22, according to an anonymous source speaking to CNBC. The platform is rumored to be less of a retail outlet à la iTunes than a setting for streaming services like Pandora or Spotify to engage customers.

Whispers of a Facebook music service have made the rounds before, and many companies have since attempted to enter the market without much success, including Best Buy and RIM. In the meantime, dedicated services like Rdio, Grooveshark, and Spotify have flourished, though few have managed to duplicate the straightforward-sales success of iTunes.

CNBC speculates that Facebook will offer a platform for third-party services to deliver music to their customers, rather than trying to directly compete with them. Facebook's swath of 750 million users and heavy use of advertising could provide a promising new way for these services to reach new customers, and hold current ones more tightly in their grasp.

Mark Zuckerberg has indicated before that he considers the volume of content users are sharing to be a more important metric than the total number of users. Current Facebook users are able to share their music interests on a limited basis through services like Last.fm; after September 22, that type of sharing may stand to get a big boost.

Read the comments on this post

The act of geotagging photos has come a long way since online photo services began reading EXIF data and sticking it on a map for location-based viewing. Concerns over the clash between tech and personal privacy—especially over the last year—have flourished in the media, forcing users to begin thinking more seriously about who can see what. Because of this shift, popular photo sharing service Flickr has made changes to its privacy settings—users can now specify who can see the geotags on specific photos based on where the photos were taken.

Previously, Flickr users were limited to turning geotags on or off for their photos, and separately limiting those photos to be visible to certain groups of contacts—two functions that happened to work together, but mostly functioned independently from each other. For example, a user might leave geotags off for most of her public photos, but upload certain photos from the club down the street with geotags on. But because she doesn’t want any creepers figuring out the exact address of where she spends most Saturday nights, she might limit those club photos so they’re only visible to friends. Such a solution is imperfect and can be quite tedious to employ; settings that should be changed might get overlooked, or geotags might show up on photos they shouldn’t.

In May 2006, Anthony Chai, a naturalized United States citizen from Thailand, took a flight back to the land of his birth to catch up with relatives and friends. He visited his nieces and nephews and spent some time at the resort town of Hua Hin.

But according to a new lawsuit, when Chai tried to return to California via Bangkok airport, he was stopped by a quintet of security agents. Employed by Thailand's Department of Special Investigation, they informed him that they had a warrant for his arrest for committing an act of lèse majesté—a public statement that supposedly violates the "dignity" of a ruler.

Thailand's version of the law, which was deployed against YouTube in 2007, seems (relatively) narrow at first glance. "Whoever defames, insults or threatens the King, Queen, the Heir-apparent or the Regent, shall be punished with imprisonment of three to fifteen years," it stipulates, and punishes those found guilty of making these insults with long prison sentences. But human rights advocates say it is now used against anyone who utters a statement critical of the government.

Teachers can still engage in private conversations with their students on Facebook and other social networking services, thanks to a MIssouri judge. The judge issued a ruling today that noted that a law prohibiting such practices could have drastic implications for free speech, so he has put it on hold until February.

The law states that teachers would not be allowed to use non-work-related sites to contact current or former students under the age of 18 via private means, such as messages on Facebook or direct messages on Twitter. Under the legislation, public discussion, like wall posts, would be acceptable.

Teachers’ groups initially supported the provision, but the Missouri State Teachers Association has since challenged it, noting it would violate the First Amendment of the US Constitution. The organization said that social networks have become a popular medium for student-teacher interaction.

The law was strictly worded enough that it would technically be illegal for a mother or father who was a teacher to direct-message their own child. However, if the law were to go into effect, the “non-work-related” provision means that teachers could still carry out private conversations, so long as it was through a channel approved by the school.

The Missouri General Assembly does not reconvene until January. When it does, Cole County Circuit Judge Jon Beetem said that a hearing would be held to determine whether the private-messaging law should be permanently blocked.

Read the comments on this post

Google has agreed to forfeit $500 million generated from Canadian pharmacies targeting US customers through its AdWords program, the US Department of Justice announced today. The money represents revenue received by Google from the pharmacies as well as from unlawful sales made by the pharmacies to customers in the US.

Generally, it is illegal for pharmacies "to ship controlled and non-controlled prescription drugs into the United States from Canada," the DOJ states. Google acknowledged this as early as 2003, and yet allowed Canadian pharmacies to entice US customers to buy prescription drugs from their sites via AdWords advertising.

Transactions like these, with rare exception, violate the Federal Food, Drug, and Cosmetic Act because the shipped drugs are not FDA-approved. The problem is compounded by the fact that Canadian pharmacies shipping drugs to the US aren't even subject to Canadian regulations, so the pharmacies can sell drugs from countries other than Canada that meet neither Canada's regulations, nor the FDA's.

Google even provided customer support to the Canadian pharmacies, advising them on how to effectively place their AdWords ads. The company is now taking responsibility for the prescription drug rabbit hole it dug, and will forfeit a total of $500 million to cover both its own and the pharmacies' offenses.

Read the comments on this post

Google+ has begun verifying the accounts of high-profile users and publicly flagging them as such next to the users' names, the company announced today. Now when users visit the page of a celebrity or public figure, there will be checkmark next to the name once it has been verified, and Google hopes to extend the program to many more users.

Google has made waves recently with its policy regarding fake accounts. The company insists that every Google+ profile must bear the real name of the same person operating the account, an approach that Facebook expressed public support for recently. The verifications will only appear on the profiles of public figures, celebrities, and "people who have been added to a large number of circles," said Wen-Ai Yu, a member of the Google+ team, said in an introduction video. But that's just for now, Yu says—"we're working on expanding this to more people in the future."

For those of you trying to figure out whether that's really Lindsay Lohan's Google+ page, the checkmark that appears next to a verified account will roll out the text "verified name" when moused over. Google did not respond immediately to requests for comment on how it verifies profiles, or what the current minimum number of circles is for a profile to require verification.

Still, Google's wording in the introduction suggests a future where users can request account verification for personal reasons, unlike Twitter. The future of the program could also be more sinister: a Google+ where all users must be prepared to back up their identities with some kind of proof, or else cede the service as a social networking ground.

Read the comments on this post