A 25-year-old UK man has been charged with five counts of illegal hacking for repeatedly penetrating the security defenses of Facebook.
Glenn Steven Mangham of York was accused of engaging in a hacking spree against Facebook earlier this year. From April 27 to May 9, he allegedly targeted at least three different services used by the social network. According toThe Telegraph, the services included a Facebook “puzzle server,” a “mailman” server and a restricted part of a “Facebook Phabricator server.”
Mangham appeared briefly in Westminster magistrates’ court on Wednesday and was released on bail. Judge Nicholas Evans ordered the defendant not to use the internet and to surrender his iPhone and any other devices capable of accessing the net while the case is pending.
Details of the alleged security breach were sketchy. The Telegraph said Mangham “repeatedly hacked into a Facebook ‘puzzle server’ using software he had downloaded.” The report went on to say Mangham “allegedly knew that doing so could disrupt its operation.” The mailman server he allegedly targeted may have been used to to run internal and external email distribution lists.
Mangham is accused of having “a special software script to hack into the Phabricator server.” The Facebook Phabricator is a collection of open-source applications for the site.
Users’ personal data wasn’t compromised in the hacks, a Facebook spokesman said. Mangham is scheduled to reappear in court next month for a committal hearing. ®
Interview Wars over creators’ rights are pretty old – much older than copyright law. In one of the first “copyfights”, in 561AD, about 3,000 people died, writes Robert Levine in his new book Free Ride. St Colmcille and St Finnian clashed over the right to make copies of the Bible, with the King castigating Colmcille for his “fancy new ideas about people’s property”.
Levine’s book is a story of the digital copyright wars …
“I tried to write in an analytical way about something people get very emotional about. I don’t really believe the entertainment industry is good and the technology industry is bad; I just don’t see it as a morality issue. Businesses are in business to make money,” Levine says.
The book details the calamitous decisions made by the music business, particularly in its suing of end users for infringement. “In a few years,” he writes, “the major labels managed to destroy the cultural cachet they had spent decades building.”
The book also follows in detail Google’s “war on copyright” and the academics and activists who benefit from it. It comprehensively demolishes the arguments put by Lawrence Lessig, who helped create the cyberlaw industry. This is a book with masses of solid, meticulously researched detail.
I caught up with Levine in Berlin.
Q: What do you see as the culture industries’ biggest mistakes? You focus a lot on music …
Levine: The music industry made a lot of mistakes. They could have launched an iTunes store. And suing individuals was a mistake. I don’t think there’s anything wrong with companies suing companies: Napster, or Grokster for example. But suing people created publicity so bad that it made it very hard to get a legislative solution. It was a complete disaster.
But you have to remember that there’s a lot of things that aren’t legally or financially practical for an incumbent to do. You have a game theory-type problem: the establishment player has a lot to lose and has to play by the rules. A startup doesn’t have to.
‘The culture business is one that generates jobs that are pretty good, and doesn’t create a lot of pollution, compared to BP’
People say they should have worked with Napster. But the labels would have been trading quarters for dimes, and they didn’t even know those dimes would be worth 10 cents. It assumes Napster would have worked out as a business.
I also think labels should have cut CD prices faster. But did you know Universal Music cut CD prices 25 per cent in 2002, and sold 13 per cent more CDs. You lose money that way; we’ve seen that again and again. We’ve seen iTunes raise the price of the best-selling songs from 99 cents to £1.20 and make more money. People aren’t price-sensitive as much as they’re convenience-sensitive. They want it when they want it.
The record companies should have done something like Hulu. I gather there were antitrust issues. Hulu does a good job, and it also helps TV companies control things a little bit. Hulu also makes money. The labels together could have done something pretty well.
Q: And DRM?
Levine: A lot of people say DRM was huge problem. But when EMI eliminated it, it didn’t create a huge boost in sales. People hate DRM in that it won’t let them do what they want, but very few people are against it on principle. I haven’t seen any evidence that people care. Sales don’t respond to DRM policy.
People want something easy to use and iTunes is easy to use. Convenience is what iTunes delivers.
It’s all about markets
Q: Your argument is really to get money flowing to the creators online.
Levine: We’ve had a market for IP for at least 300 years. I think it works pretty well. If you compare the cultural output of countries with a market for IP and those without, it’s clear that a market gives you better IP on an economic level, and possibly on a cultural level too.
If you look at West Germany, they produced Herzog, Fassbinder, Can, Neu! and Krautrock. In East Germany they produced, well, maybe some good TV shows, but not ones they could export.
Or if you look at Nigeria and Brazil, they’re countries that in the 1960s and 1970s had great pop music that changed the world. In Brazil, you had Tropicalia, Gilberto Gil and Os Mutantes; people still buy those records today. in Nigeria, you had Fela Kuti, who is still as iconic as he ever was. This generated money sent back to Brazil and Nigeria. Now people are still making the music but not a lot of money is going back. And those countries could use the money. The culture business is one that generates jobs that are pretty good, and doesn’t create a lot of pollution, compared to BP.
If the culture business disappears, then culture is not going to disappear. I use the example of The Beatles without George Martin: they would have continued to be great songwriters, and we’d have the songs, but they wouldn’t have made great albums.
You can’t have an economy without a market. You can’t have a market without property rights, and you can’t have property rights without a means of enforcing those rights. Copyright has some aspects of property, and one of these is you can’t sell something if somebody else is giving it away.
eBay-style outsourcing site PeoplePerHour says a rival firm faked emails which claimed to be offering the company’s customer database for sale.
The company initially feared that a disgruntled ex-contractor had swiped customer records and was offering them for sale to rival companies. The rivals declined the offer and tipped off PeoplePerHour.
Company founder Xenios Thrasyvoulou said: “We have now looked extensively into the matter, including getting the headers of the initial email that was sent to our competitors informing them that they have a database and contacting this supposed fraudster in India. We also got access to the email account via Google as we filed a fraud complaint with them.”
He said the email headers showed that the email could not have been sent from India where the contractor is supposedly based. Additionally the fake mails used an actual contractor’s name, but added a digit at the end.
Thrasyvoulou said: “So: all the evidence shows that someone (probably an envious competitor) got the name of a former contractor (which is very easy to get from places like LinkedIn etc), created a Gmail account in their name with a slightly different suffix and sent this out to competitors and the press. Its a lame attempt to hurt us.”
The company is confident no customer data was compromised.
The site is one of several offering “bid for a contractor” services to small businesses but we had no idea competition in this market was so cut-throat. ®
The Metropolitan police have arrested another man as part of its ongoing investigation into alleged phone-hacking at axed Sunday tabloid News of the World.
“On Thursday, 18 August, officers from Operation Weeting arrested a man [H], aged 38, on suspicion of conspiring to unlawfully intercept voicemails contrary to section 1(1) Criminal Law Act 1977,” said Scotland Yard in a brief statement this morning.
The unnamed man was cuffed by appointment at a London police station, where he remains in custody.
This arrest brings the total number of people allegedly associated with the NotW phone-hacking scandal to 13.
A Guardian report suggest that James Desborough, who joined the tabloid as a showbiz reporter in 2005 before being promoted to Hollywood editor in 2009, is the man currently being quizzed by police. ®
In case you ever wondered just what kind of preparation Afghan police recruits get in order to prepare them to face the Taliban, rest assured they’re offered the very latest in high-tech training technology.
For proof, check out the fourth snap in this slideshow from FOCUS online. Regular readers will note the same scrupulous attention to detail lavished on our own Playmobil reconstructions, including plastic trees, real sand and a lovingly-crafted building.
It’d be too easy to laugh at this initiative by German coppers to enlighten their Afghan counterparts as to just how you hold up the traffic while your colleague suspiciously eyes what appears to be a partially buried Smart Car, but the scene is notable for the conspicuous absence of Lego Taliban (pictured), meaning that in the world of Playmobil at least, the forces of justice always prevail. ®
Bootnote
Thanks to Matthias Toth for the tip-off.
Related stories
All of our own illuminating Playmobil set-ups can be found here.
A computer user who alleged that an advertising network breached US privacy laws did not prove she had suffered sufficient damages for those charges to be further examined, a US court has ruled.
Sonal Bose claimed that Interclick’s use of Flash cookies and “history sniffing” code “invaded her privacy, misappropriated personal information and interfered with the operation of her computer”, according to a district court in New York.
Cookies are small text files that websites store on internet users’ computers. The files record users’ activity on the site. Flash cookies are files stored by websites that use Adobe Flash media, such as in adverts or video clips. Flash cookies can also back up the data that is stored in a regular cookie. When you delete cookies using your browser controls, your Flash cookies are not affected. A website that served a cookie to you that you deleted may recognise you on your next visit if it backed up its now-deleted cookie data to a Flash cookie.
Advertising networks use cookies to track user behaviour on websites in order to target adverts to individuals based on that behaviour.
Interclick used Flash cookies to “respawn” cookies Bose had deleted, and used “history sniffing” code to determine content that Bose had viewed online. Both techniques helped Interclick serve Bose with targeted ads, she claimed, according to the ruling. Bose claimed Interclick’s activity violated the US Computer Fraud and Abuse Act (CFAA), the ruling said.
Under the CFAA a person is prohibited from causing damage by intentionally accessing a protected computer without consent. Unless a damages claim for violations of the CFAA exceeds $5,000 in a period of a year no action for damages can be taken against the company under the terms of the Act, the Act provides.
The CFAA states that only claims for “economic damages” can be made. The judge ruled that Interclick’s collection of Bose’s personal information did not raise an economic “injury” that was worth more than the $5,000 threshold. Bose had argued that Interclick had obtained information about her online activity without her permission as she had taken steps to delete cookies and protect her privacy.
“Even if Bose took steps to prevent the data collection, her injury is still insufficient to meet the statutory threshold,” the judge said in the ruling.
Bose also claimed that Interclick had “impaired the functioning and diminished the value” of her computer. The judge ruled that Bose had failed to “make any specific allegation as to the cost of repairing or investigation the alleged damage” and ruled that, as a result, Bose had failed to meet the damages threshold for that charge to be further investigated by the courts.
Bose’s third claim, that Interclick caused interference with the operation of her computer, was unsubstantiated and therefore failed to meet the damages threshold for pursuing the charge, the judge ruled.
“Even if a flash cookie may reach up to 100 kilobytes in size and may occupy space on Bose’s hard drive, Bose fails to demonstrate that the flash cookie caused damage, a slowdown, or a shutdown of her computer,” the judge said. “Thus, Bose’s claim of interruption of service is insufficient to meet the … threshold,” the judge said.
Bose’s case was part of a so-called “class action” against Interclick. Class action lawsuits are common in the US, where lawyers will earn large fees for organising many similarly affected people into bringing proceedings against organisations.
Bose had argued that her damages claims should be “aggregated” with other members of the class action, but the judge said that they could not.
“[Bose] here has failed to allege facts that would allow this Court to conclude that damages meet the … threshold, even when aggregated across the putative class,” the judge said.
A police officer working on Scotland Yard’s investigation into alleged phone-hacking at the now-defunct Sunday tabloid the News of the World was arrested by cops from the anti-corruption unit of the Metropolitan police late last week.
The Met said that on Thursday 18 August they cuffed “a serving MPS officer from Operation Weeting on suspicion of misconduct in a public office relating to unauthorised disclosure of information as a result of a proactive operation”.
They didn’t release the name of the officer, who was described as a 51-year-old male detective constable, and Scotland Yard only confirmed he had been arrested after releasing the man on bail until 29 September, pending further inquiries.
The officer was suspended from his job on Friday (19 August).
“I made it very clear when I took on this investigation the need for operational and information security. It is hugely disappointing that this may not have been adhered to,” said Deputy Assistant Commissioner Sue Akers, who is in charge of Operation Weeting.
“The MPS takes the unauthorised disclosure of information extremely seriously and has acted swiftly in making this arrest,” she added.
Meanwhile, a 35-year-old man was released on Friday, after being in police custody on suspicion of conspiring to unlawfully intercept voicemails.
He was bailed to return at a yet-to-be-determined date in October.
Reports suggested that former NotW features writer Dan Evans was the man arrested then bailed by police on Friday.
James Desborough, who joined the Sunday tabloid as a showbiz reporter in 2005 before being promoted to Hollywood editor in 2009, was arrested last Thursday as part of the Operation Weeting probe. ®
Microsoft has deleted code on its MSN website that secretly logged visitors’ browsing histories across multiple web properties, even when the users deleted browser cookies to elude tracking.
Microsoft announced the move in a tersely worded blog post published on Thursday. That’s the same day that a researcher revealed that MSN and three other Microsoft websites hosted JavaScript that uniquely identified users in the event they deleted tracking cookies from their hard drives. The code was copyrighted in 2007, indicating the practice may have been in place for more than four years.
To survive the cookie purges that many users perform to preserve their privacy, the JavaScript was stashed in a browser’s cache folder and contained two separate means to uniquely identify visitors. First, it included the MUID, or machine unique identifier, contained in the tracking cookie, along with instructions to recreate the file in the event it was no longer found in the browser’s cookie folder. The script also included the MUID in what’s known as an ETag that was also stored in the cache.
“We don’t really know what they were doing with this information, but it’s not obvious what this explanation would be,” said Jonathan Mayer, a graduate student in Stanford University’s computer science department, whose research brought the practice to light.
“The burden is on Microsoft to explain how it came to be there and how they used it and what they’re going to do to make sure it doesn’t happen again. As we turned over this ETag mechanism, we thought long and hard about how could they be using this legitimately. We couldn’t come up with anything.”
A spokeswoman at Microsoft’s outside PR firm declined to answer any questions about the practice, including whether it’s been discontinued on all Microsoft properties or only on MSN. She said no one inside Microsoft was available to speak about the issue.
The revelation comes as hundreds of sites including Hulu.com, Spotify, and GigaOm were recently observed using similar “cookie respawning” techniques, which are controversial because they resurrect the browsing history of users who take pains to erase them. In addition to the use of cache cookies and ETags, the respawning can also rely on cookies based on Adobe Flash, Microsoft SilverLight, and the HTML5 specification, making it hard for many people to evade.
The practice of issuing so-called supercookies and zombiecookies is the subject of numerous lawsuits. Last week, Microsoft and several other companies were dismissed from a suit alleging cookie respawning abuse because the plaintiff couldn’t quantify the monetary damages she suffered.
According to Mayer, the cookies respawned by the wlHelper.js JavaScript hosted on Microsoft sites allowed Microsoft to sync browsing histories across at least six sites, including bing.com, microsoft.com, msn.com, live.com, xbox.com, and atdmt.com, its ad-serving network.
In Thursday’s 225-word blog post, Microsoft Associate General Counsel Mike Hintze said Microsoft curtailed the practice after Mayer brought it to the company’s attention.
“We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued,” he wrote. “We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft.”
For Mayer, who along with colleagues at the University of California at San Diego, UC Berkeley, and elsewhere have repeatedly documented websites that respawn cookies or sniff browsing history to track users against their wishes, he no longer believes companies when they say they can be trusted to police themselves.
“I really don’t think that’s possible to accept any more,” he said. “The fact of the matter is that we’re seeing, intentionally or not, companies doing things that circumvent privacy choice in a way that suggests they need to have more of a spotlight put on them, possibly by regulators.” ®
The hack of a commercially available insulin pump that diabetics can control wirelessly has attracted the attention of US lawmakers who oversee the safety of the nation’s airwaves.
In a letter drafted earlier this week, US Representatives Anna Eshoo and Edward Markey asked members of the Government Accountability Office to ensure that wireless-enabled medical devices “will not cause harmful interference to other equipment” and are “safe, reliable, and secure.”
The letter comes two weeks after a researcher demonstrated he could remotely tamper with the insulin dosages administered by the machine he relies on to treat his diabetes. The model uses no means of authentication, making it easy for unauthorized parties to connect to it and increase, decrease, or stop the flow of the hormone.
The demonstration at this year’s Black Hat security conference in Las Vegas was the latest to show the vulnerability of a remotely controlled medical device. Pacemakers and other implanted heart devices were shown to be susceptible to serious hack attacks in research released in 2008.
Jerome “Jay” Radcliffe, the researcher at this year’s Black Hat who demonstrated the attack, has refused to identify the manufacturer of the vulnerable insulin pump. A representative of Medtronic, one of several companies that make such devices, has been quoted as saying: “To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.” ®
The Identity and Passport Service (IPS) is to introduce a new online passport application service in early 2012 in an effort to improve its interactions with customers.
In its business plan for 2011-12 (28-page PDF/2.2MB), the IPS says that it will replace its current PASS passport application system with one that will allow customers to apply and pay for their passport online anywhere in the world. For the first time people will also be able to check the status of their application.
“The online application channel will be of particular benefit to customers living overseas, who from 2012 will apply directly to IPS, rather than via the Foreign and Commonwealth Office, for their passport,” the document says.
The IPS will decide the future of the civil registration digitisation and indexing project this year. So far it has digitised about 50 per cent of its birth, death, adoption and marriage records, and it hopes to digitise the remaining records and place its indexes online by the end of the year.
The service will also focus on replacing or extending a number of legacy systems, and upgrade its main passport database “to ensure it remains as secure as possible”. The business plan says these changes will provide the foundation for a wider modernisation of the organisation. As a result of the National Identity Service being scrapped last year, the IPS will look at new technology to replace ageing systems, as well as hosting for its civil registration systems.
The document also reveals plans to share more services in 2011-12, most likely with the Home Office, with which the IPS already shares HR, marketing and some categories of procurement where possible. This will include an increase in the number of shared corporate functions to include finance and the remaining procurement categories.
Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.