
I missed this when it made the press last week. It turns out that Google’s Street View has a privacy implication that helped the Dutch police make a bust.

From Metro.co.uk:

Dutch police have arrested twin brothers on suspicion of robbery after their alleged victim spotted a picture of them following him on Google’s Street View map application, a spokesman said on Friday.

Paul Eidanus, a police spokesman in the town of Groningen, said he believed the case was the first time Street View images had been used in a Dutch criminal investigation.

‘For us, it is unique,’ he said.

Hmm, so will more criminals use masks? Um, no.

For the full article, read on.

Article Link

(Image used under CC from dunechaser’s Flickr feed)


It seems that Amazon has had some interesting goings on recently, and by interesting I of course mean interesting.

I started to write this article last night but the Easter dinner/dessert food coma won the battle, and I’m glad it did. As it turns out, what was going to be an article solely about censorship in a major online community has transformed into a perfect security article overnight :) .

I suppose a brief recap is in order. Long story short, this past Friday some homosexual-themed romance novels started disappearing from the site’s sales rankings. Amazon first claimed that they were “excluding adult material from appearing in some searches and best seller lists.” Well, it just so turns out that these lists and searches are generated using user sales ranks.

Step two in this story is of course a Twitter explosion of hash-tag anger, which is self-explanatory: #amazonfail. Step three? You guessed it, an announcement from Amazon PR that claimed a glitch in the system. First I’ve heard of a homophobic glitch, but I entertained the idea as plausible.

Well, that’s where the news stopped on my radar last night, until a very interesting turn of events this morning. A hacker known as Weev stepped forward claiming responsibility for the #amazonfail, stating that he had exploited an Amazon product rating vulnerability. Apparently after a product is flagged as inappropriate enough times it is stripped from the sales rankings lists auto-magically. With some help from some Nigerian friends who registered Amazon accounts and flagged books for him, Weev systematically picked off whichever books he pleased. (What’s with hackers stepping forward lately??)

In case you’re interested, here is the hacker’s “confession” that he posted on his LiveJournal:

Hay dude. Amazon removed its customer-based reporting of adult books yesterday. I guess my game is up! Here’s a nice piece I like to call “how to cause moral outrage from the entire Internet in ten lines of code”.

I really hate reputation systems based on user input. This started a while back on Craigslist, when I was trying to score chicks to do heroin with. My listings like “looking to get tarred and pleasured” and “Searching for a heroine to do the paronym of this sentence’s lexical subject” kept getting flagged. The audacity of the San Francisco gay community disgusted me. They would flag my ads down but searching craigslist for “pnp” or “tina” reveals tons of hairy dudes searching for other hairy dudes to do meth with. So I decided to get them back, and cause a few hundred thousand queers some outrage.

I’m logged into Amazon at the time and see it has a “report as inappropriate” feature at the bottom of a page. I do a quick test on a few sets of gay books. I see that I can get them removed from search rankings with an insignificant number of votes.

I do this for a while, but never really get off my ass to scale it until recently.

So I script some quick bash.
#!/bin/bash
count=1
while true; do
links -dump 'http://www.amazon.com/s/qid=0/?ie=ASCII&rs=1000&keywords=Gay_and_Lesbian&rh=n%3A!1000%2Ci%3Astripbooks%2Ck%3AHomosexuality&page='`echo $count`|grep \/dp\/ >> /tmp/amazon
((count++))
done

There’s some quick code to grab all the Gay and Lesbian metadata-tagged books on amazon. Then I pull out all the IDs of the given books from those URLs:

cat /tmp/amazon |sed s/.*dp\\/// |sed s/\\/ref.*//

and I have a neat little list of the internal product ID of every fag book on Amazon.

Now from here it was a matter of getting a lot of people to vote for the books. The thing about the adult reporting function of Amazon was that it was vulnerable to something called “Cross-site request forgery”. This means if I referred someone to the URL of the successful complaint, it would register as a complaint if they were logged in. So now it is a numbers game.

I know some people who run some extremely high traffic (Alexa top 1000) websites. I show them my idea, and we all agree that it is pretty funny. They put an invisible iframe in their websites to refer people to the complaint URLs, which caused huge numbers of visitors to report gay and lesbian items as inappropriate without their knowledge.

I also hired third worlders to register accounts for me en masse. If you ever need a service like that, you can find them in a post like this advertising in the comments:

http://ha.ckers.org/blog/20070427/solving-captchas-for-cash/

Then they would log into the accounts, save the cookies in a cookie file and send it to me.

Then I used the cookie files like so to automated-report all the books:

for i in `cat /tmp/amazon |sed s/.*dp\\/// |sed s/\\/ref.*//`; do lynx -cookie_file=/home/avex/cookie1 http://www.amazon.com/ri/product-listing/`echo $i`/;done

The combination of these two actions resulted in a mass delisting of queer books from the rankings at Amazon.

I guess my game is up, but 300+ hits on google news for amazon gay and outrage across the blogosphere ain’t so bad.

Not sure if this is actually true but it certainly is interesting.
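As an added illustration (not part of the original post and not Amazon’s code), here is a modelled “report as inappropriate” handler in the vulnerable shape the confession describes, where any logged-in GET of the complaint URL counts, beside a hardened version that only accepts a POST carrying a session-bound CSRF token from a same-site Origin. The endpoint path, session store, server secret, site origin and product ID are constructed assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed fixtures: session cookie -> user, a hypothetical server secret, our own origin
SESSIONS = {"sess-alice": "alice"}
SERVER_SECRET = b"constructed-server-secret"
SITE_ORIGIN = "https://shop.example"


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    # Token is bound to the session, so one user's token is useless in another user's browser
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def report_vulnerable(req: Request, reports: dict) -> int:
    """Vulnerable shape: any authenticated GET of the URL is a complaint.
    A hidden <iframe src=...> on a third-party page fires it with the victim's cookie."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401
    product = req.path.strip("/").rsplit("/", 1)[-1]
    reports.setdefault(product, set()).add(user)
    return 200


def report_hardened(req: Request, reports: dict) -> int:
    """Hardened shape: the complaint is a POST carrying a session-bound token,
    and the browser-set Origin header must be our own site."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401
    if req.method != "POST":                       # no state change on GET
        return 405
    if req.headers.get("Origin") != SITE_ORIGIN:   # cross-site requests carry a foreign Origin
        return 403
    expected = csrf_token(req.cookies["session"])
    if not hmac.compare_digest(req.form.get("csrf", ""), expected):
        return 403                                 # a forged page cannot read the token
    reports.setdefault(req.form.get("product", ""), set()).add(user)
    return 200
```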

UPDATE: Some conflicting responses. Amazon has come up with some stats to back the aforementioned glitch.

Here’s a statement from Amazon spokesman Drew Herdener:

This is an embarrassing and ham-fisted cataloging error for a company that prides itself on offering complete selection.

It has been misreported that the issue was limited to Gay & Lesbian themed titles – in fact, it impacted 57,310 books in a number of broad categories such as Health, Mind & Body, Reproductive & Sexual Medicine, and Erotica. This problem impacted books not just in the United States but globally. It affected not just sales rank but also had the effect of removing the books from Amazon’s main product search.

Many books have now been fixed and we’re in the process of fixing the remainder as quickly as possible, and we intend to implement new measures to make this kind of accident less likely to occur in the future.



The EFF has launched a new online search tool that allows people to search its treasure trove of documents garnered through Freedom of Information Act requests.

From EFF:

EFF’s document collection — obtained through requests and litigation under the Freedom of Information Act (FOIA) — casts light on several controversial government initiatives, including the FBI’s Investigative Data Warehouse and DCS 3000 surveillance program, and the Department of Homeland Security’s Automated Targeting System and ADVISE data-mining project. The documents also provide details on Justice Department collection of communications routing data, Pentagon monitoring of soldiers’ blogs, mismatches in the Terrorist Screening Center’s watchlist, and FBI misuse of its national security letter subpoena authority.

The new search capability enables visitors to EFF’s website to conduct keyword searches across the universe of government documents obtained by EFF, maximizing the value of the material.

Here is a screen cap of the search interface. Strangely, that search term only returned 4 hits.

[Screenshot: EFF document search interface]

I gave it a whirl with limited results. Must have been my search queries.

Article Link

Ah, the growing pains of a new product. Imagine that, it labeled Google as a malicious site.

:)

From eWeek:

A company says Yahoo’s new feature incorrectly flagged its Web site and was slow to respond.

The beta version of Yahoo’s SearchScan security feature has come under fire for false positives and other mistakes.

SearchScan is the result of a partnership between McAfee and Yahoo to improve the security of Web searches. The feature, powered by McAfee’s SiteAdvisor, alerts users when sites contain spam, spyware, adware or other malicious software that could damage a PC.

However, since the beta was unveiled May 6, there have been some cases of false positives. A URL mix-up by Yahoo seemed to label Google.com as a malicious site. In another case, AnyCoupons, a Web site operated by 77Blue, was classified as a spammer. Though both issues have been resolved, the latter left a bad taste in the mouth of 77Blue CEO David Lewis, who complained that Yahoo and McAfee were slow to fix the problem.

Could have been worse. Could have been anti-competitive behaviour.

heh.

Article Link

After numerous attempts by folks to get Google to remove their faces from Street View, Google is now blurring faces. A quick and easy way to obscure people’s identity. Especially helpful if you’re, say, a prominent musician leaving a German brothel.

Sting leaving German brothel

Nah, that wouldn’t have helped him. Damn you Roxanne.

:)

From CNET:

The technology uses a computer algorithm to scour Google’s image database for faces, then blurs them, said John Hanke, director of Google Earth and Google Maps, in an interview at the Where 2.0 conference here.

Google has begun testing the technology in Manhattan, the company announced on its LatLong blog. Ultimately, though, Hanke expects it to be used more broadly.

Dealing with privacy–both legal requirements and social norms–is hard but necessary, Hanke said.

“It’s a legitimate issue,” he said. He likened the issues some have with Street View to the ones that took place when Google introduced aerial views to Google Maps. It took time for the public, regulators, and Google to get comfortable with the feature, but, “It needs that debate. We see that and try to let it play out.”

So, is this an improvement? What do you think?

Article Link

OK, so the date has ended. Microsoft didn’t get to second base. Yahoo was jilted for being too high maintenance and their stock dropped 15% today. So, what now for Yahoo?

From Internet News:

“With Microsoft’s withdrawal, we’ll be better able to focus our energy on growing our industry leadership and maximizing value for stockholders,” Yang said.

The problem that Yahoo (NASDAQ:YHOO) now faces is the same one it’s had since Microsoft first announced its bid, only two dollars worse: How to find an alternative to selling outright that will bring equivalent value to the $33 per share price Microsoft had offered before talks broke down over the weekend.

Yahoo has already been the target of at least seven shareholder lawsuits charging that its board breached its fiduciary duty to investors in its response to the initial bid. Now that it has walked away from a higher bid, and its stock fell 15 percent to close at $24.37 today, more shareholders will likely bring a new wave of lawsuits, according to IDC analyst Karsten Weide.

Read on.

Article Link

From USA Today:

For 40 years, U.S. presidents have begun each day with a top-secret, personal briefing on security threats and global affairs obtained largely from covert spy missions, clandestine satellite surveillance and other highly classified intelligence sources.

Now, however, the President’s Daily Brief and other crucial intelligence reports often rely less on secrets from risky espionage missions than on material that’s available to just about anyone.

Intelligence officers have gleaned insights on Iran’s nuclear capabilities from photos on the Internet. They’ve scooped up documents, including a terrorist training manual, at international conferences and public forums. They’ve found information in foreign university libraries and newscasts.

Such material is known as “open-source intelligence” or, in the acronym-laden parlance of the 16 federal agencies that make up the U.S. intelligence community, OSINT. The explosion of information available via the Internet and other public sources has pushed the collection and analysis of that material to the top of the official priority list in the spy world, intelligence officials say.

Open source intel. My personal favourite spymaster tool.

Article Link



Well, the cDc (Cult of the Dead Cow) has resurfaced. Not that they ever went anywhere; it has just been a while since Tod, Laird and company have been in the mainstream news. They first gained notoriety with the release of the back door application “Back Orifice”. Just this past week they released “Goolag”, a tool to make Google hacking even easier than it already was.

From GCN:

Goolag Scan runs with Windows, has a good graphical interface along with a library of about 1,500 carefully crafted searches that can reveal sensitive information about or from queried Web sites. The tool is neutral; it can be used for penetration-testing by administrators and application owners to identify weaknesses or by hackers to find vulnerabilities to exploit.

“Tools like this scanner are a wake-up call for application owners,” Shulman said. “And that is a good thing. The issue of data leakage into search engines is a big issue.”

The Cult of the Dead Cow has said much of its research in this area has been against government servers where it has been able to turn up sensitive information that has been unwittingly exposed.

“With a lot of script kiddies having this tool, I think the government can expect a rough period of headlines,” Shulman said.

From the cDc press release:

“It’s no big secret that the Web is the platform,” said cDc spokesmodel Oxblood Ruffin. “And this platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for web site owners to patch up their online properties. We’ve seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a large web site, I’d be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious.”

Article Link
cDc Press Release


Well, that didn’t take the spammers long at all. No shock there. On the heels of the Bhutto tragedy, Websense has issued an alert for malicious sites trying to infect computers. They are using the attack as a lure for less than cautious web surfers.

From Websense:

Websense Security Labs has discovered malicious Web sites attempting to capitalize on the breaking news of the assassination of Benazir Bhutto. These sites attempt to infect users seeking more information about the event. This activity is similar to past news events, where attackers used malicious sites containing information about the event to infect visitors.

In this case, the first infected site found by Websense Security Labs was the second result in a Google search using a generic and simple keyword. Therefore, the site is likely to receive large amounts of traffic. Clicking on the link in the search results did not trigger a warning from Google that the site may be malicious.

Article Link


Google took a positive step this week and wiped clean the search results of malware sites that had been gumming up the results. Sadly, as with anything on the internet that has to do with malware and spammers… wait five minutes. They’ll be back.

From Computer World:

“They look gone to us,” said Alex Eckelberry, the CEO of Sunbelt Software Distribution Inc., the company that broke the news Monday of a massive, coordinated campaign by attackers to spread malware through search results on Google, Yahoo, Microsoft Live Search and other sites.

“Google did confirm yesterday with us that they were working the case, and they are good about nailing this stuff,” Eckelberry added in an e-mail late Wednesday afternoon. Sunbelt had notified Google of its findings on Monday.

Earlier today, Sunbelt malware researcher Adam Thomas said his spot searches on Google the night before had come up sans malware URLs. “They appeared to be zapped,” Thomas had said.

Ironically, Google itself refused to confirm or deny that it had cleansed its index of the more than 40,000 malware hosting sites, or even that they had existed.

LA LA LA we can’t see them so, they weren’t really there.


Article Link
