100 million Facebook pages leaked on torrent site

Image: Screen capture of Facebook directory download

A directory containing personal details about more than 100 million Facebook users has surfaced on an Internet file-sharing site.

The most dramatic “data theft” to hit social networks in quite a while isn’t a theft at all.
Facebook users were hit with another frightening reminder on Thursday that not everyone online is their friend, as over 100 million personal profiles and details from the service were scraped from Facebook’s pages and published on the Web.
But Facebook wasn’t hacked. Far from it. And if users had personal details exposed, they have no one but themselves to blame.
A program written by Ron Bowes, a security consultant at Skull Security, scanned all the listings in Facebook’s open-access directory and then compiled a text file that lists the information he uncovered. That data potentially exposes some Facebook users’ birthdays, addresses, phone numbers and more — but only because they chose not to keep those details private.
“All I’ve done is compile public information into a nice format for statistical analysis,” Bowes told the BBC. He explained that he had simply accessed the same information that’s available to search engines like Google, Bing and Yahoo — or the countless white-pages services available online.
But the stunt should make those 100 million Facebook users reconsider what personal information they make available online.
Going public with your birthday and address exposes you to the very real threat of identity theft and fraud — not to mention stalking and other unwelcome advances. Hackers typically troll for such information to open credit cards under aliases, or they use the names they find in other online scams.
And it’s hardly unreasonable to presume that some of the thousands of people who have downloaded Bowes’ file since it hit the Internet have criminal intentions.
Facebook is putting a straight face on the story. Company spokesman Andrew Noyes told FoxNews.com that the “information that people have agreed to make public was collected by a single researcher … no private data is available or has been compromised.”
As Facebook leaves it up to its users to decide how much personal information they want to reveal to the public, people who want to keep some things to themselves are encouraged to take a few specific steps.
To be removed from the open access directory that Bowes scanned, users should select “Privacy Settings” under the “Account” heading on the Facebook screen, then edit the “Public Search” option to uncheck the “Enable public search” box.
Then they should go back to the privacy settings and select “Custom” to specify what information (photos, comments, and so on) they want to share, and with whom.
If your profile was set to be searchable by everyone, chances are you’re in Bowes’ file, and there’s nothing you can do about that now.
Facebook users should also be aware that after they have changed their privacy settings, their old profile pages may still be publicly available because they are often stored (or cached) by search engines.
Ultimately, this latest incident is just another reminder of the basic reality of modern cyber security:
Whatever it is . . . if you wouldn’t put it on a billboard in Times Square, don’t post it on the Web.

The 2.8GB torrent was compiled by hacker Ron Bowes of Skull Security, who created a web crawler program that harvested data on users contained in Facebook’s open access directory, which lists all users who haven’t bothered to change their privacy settings to make their pages unavailable to search engines.

Bowes’ directory contains 171 million entries, relating to more than 100 million individual users – more than one in five of Facebook’s recently trumpeted half billion user base.

The file contains user account names and a URL for each user’s profile page, from which details such as addresses, dates of birth or phone numbers can be accessed. Accessing a user’s page from the list will also enable you to click through to friends’ profiles – even if those friends have made themselves non-searchable.

There’s absolutely nothing illegal about what Bowes has done – the information is, after all, publicly available – but perhaps the existence of a stalker’s online black book might finally persuade less security-minded Facebook users to get their arses in gear.

http://www.skullsecurity.org/Resume-20100621.pdf

http://www.skullsecurity.org/blog/

1024-bit RSA encryption cracked by carefully starving CPU of electricity

Since 1977, RSA public-key encryption has protected privacy and verified authenticity when using computers, gadgets and web browsers around the globe, with only the most brutish of brute force efforts (and 1,500 years of processing time) felling its 768-bit variety earlier this year. Now, three eggheads (or Wolverines, as it were) at the University of Michigan claim they can break it simply by tweaking a device’s power supply. By fluctuating the voltage to the CPU such that it generated a single hardware error per clock cycle, they found that they could cause the server to flip single bits of the private key at a time, allowing them to slowly piece together the password. With a small cluster of 81 Pentium 4 chips and 104 hours of processing time, they were able to successfully hack 1024-bit encryption in OpenSSL on a SPARC-based system, without damaging the computer, leaving a single trace or ending human life as we know it. That’s why they’re presenting a paper at the Design, Automation and Test conference this week in Europe, and that’s why — until RSA hopefully fixes the flaw — you should keep a close eye on your server room’s power supply.
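The usual software-level defence against the fault attack described above is to re-check every signature with the public key before it leaves the signing code, so a computation corrupted by a glitch is discarded rather than handed to an attacker. The following is an added illustration, not code from the article or the Michigan paper; the toy key (p=61, q=53), the raw textbook signing (no padding) and the fault model (one flipped bit in the private exponent) are all constructed here.

```python
# Added example: "verify-after-sign" guard against faulty RSA signatures.
# Toy key and fault model are constructed for illustration only.

# Constructed textbook key: n = 61*53 = 3233, e = 17, d = e^-1 mod phi(n) = 2753.
P, Q = 61, 53
N = P * Q
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_sign_raw(m: int, d: int) -> int:
    # Textbook RSA signature: s = m^d mod n (no padding; toy sizes only).
    return pow(m, d, N)


def rsa_verify(m: int, sig: int) -> bool:
    # Public-key check: s^e mod n must give back the message representative.
    return pow(sig, E, N) == m


def faulty_exponent(d: int, bit: int) -> int:
    # Simulated single-bit corruption of the private exponent, the kind of
    # error a voltage glitch during the exponentiation can induce.
    return d ^ (1 << bit)


def guarded_sign(m: int, fault_bit=None):
    """Sign m, then verify the result before releasing it.

    Returns (signature, None) when the signature verifies, or
    (None, "fault detected") when it does not, so a corrupted signature
    that could leak private-key bits is never emitted.
    """
    d = D if fault_bit is None else faulty_exponent(D, fault_bit)
    sig = rsa_sign_raw(m, d)
    if not rsa_verify(m, sig):
        return None, "fault detected"
    return sig, None


if __name__ == "__main__":
    msg = 2  # constructed message representative, 0 < msg < n
    print("clean run:  ", guarded_sign(msg))
    print("glitched run:", guarded_sign(msg, fault_bit=3))
```

In a real implementation the check costs one public-key operation per signature, which is cheap next to the private-key operation it protects.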

Postgres 9.1 – Release Theme

Following a great deal of discussion, I’m pleased to announce that the PostgreSQL Core team has decided that the major theme for the 9.1 release, due in 2011, will be ‘NoSQL’.

There is a growing trend towards NoSQL databases, with major sites like Twitter and Facebook utilising them extensively. NoSQL databases often include multi-master replication, clustering and failover features that have long been requested in PostgreSQL, but have been extremely difficult to implement with SQL, which has prevented us from advancing Postgres in the way that we’d like.

To address this, the intention is to remove SQL support from Postgres, and replace it with a language called ‘QUEL’. This will provide us with the flexibility we need to implement the features of modern NoSQL databases. With no SQL support there will obviously be some differences in the query syntax that must be used to access your data. For example, the query:
select (e.salary / (e.age - 18)) as comp from employee as e where e.name = "Jones"
would be rewritten as:
range of e is employee retrieve (comp = e.salary / (e.age - 18)) where e.name = "Jones"

Aggregate syntax in QUEL is particularly powerful. For example, the query:
select dept,
avg(salary) as avg_salary,
sum(salary) as tot_salary
from
employees
group by
dept
may be written as:
range of e is employee
retrieve (e.dept,
avg_salary = avg(e.salary by e.dept),
tot_salary = sum(e.salary by e.dept)
)
Note that the grouped column can be specified for each individual aggregate.
We will be producing a comprehensive guide to the QUEL syntax to aid with application migration. We appreciate the difficulty that this change may cause some users, but feel we must embrace the NoSQL philosophy in order to remain “The world’s most advanced Open Source database”.
“There’s no question that, at 21 years old, the SQL standard is past its prime,” said core developer and standards expert Peter Eisentraut. “It’s time for us to switch to something fresher. I personally would have preferred XSLT, but QUEL is almost as good.”
Project committer Heikki Linnakangas added: “By replacing SQL with QUEL not only will we be able to add new features to Postgres that were previously too difficult, but we’ll also increase user loyalty as it’ll be much harder for them to change to a different, SQL-based database. That’ll be pretty cool.”
You may also notice that without SQL, the project name is somewhat misleading. To address that, the project name will be changed to ‘PostgreQUEL’ with the 9.1 release. We expect this will also put an end to the periodic debates on changing the project name.

March 8, 1955: The Mother of All Operating Systems

1955: Computer pioneer Doug Ross demonstrates the Director tape for MIT’s Whirlwind machine. It’s a new idea: a permanent set of instructions on how the computer should operate.

Six years in the making, MIT’s Whirlwind computer was the first digital computer that could display real-time text and graphics on a video terminal, which was then just a large oscilloscope screen. Whirlwind used 4,500 vacuum tubes to process data.

The Whirlwind occupied 3,300 square feet and was the fastest digital computer of its time. It also pioneered a number of new technologies, including magnetic core memory for RAM.

Another one of its contributions was Director, a set of programming instructions on paper tape that is regarded as the predecessor of operating systems in computers. The Director was designed to issue commands to the 4-year-old Whirlwind machine.

The idea was to eliminate the need for manual intervention in reading the tapes for different problems during a computing session.

The Director tape would communicate with the computer through a separate input reader. That means different tapes with various problems to be computed would be recognized and appropriately processed. A Director tape would make a complete run possible by pushing a single button.

Programmers John Frankovich and Frank Helwig wrote the first Director tape program. The software concept was to connect a Flexowriter — a mechanical, heavy-duty tape reader — to a newer, faster photoelectric tape reader.

This allowed the team to feed the spliced-together paper tapes directly to Whirlwind, without having a separate human operator.

Lead programmer Doug Ross finally demonstrated it in 1955.

The Director tape was also probably the first example of a Job Control Language–driven operating system. JCL is a scripting language used on mainframe operating systems to instruct them how to run a batch job or start a subsystem.

The Whirlwind is credited with leading to development of the SAGE, or Semi-Automatic Ground Environment, system used by the U.S. Air Force. It’s also said to have influenced most of the computers of the 1960s.

Source: Wikipedia, MIT Computer Science and Artificial Intelligence Laboratory

Photo: Stephen Dodd, Jay Forrester, Robert Everett and Ramona Ferenz test Whirlwind in 1950.
Courtesy Mitre Corp.

RCA announces WiFi battery

The RCA AirPower series of emergency chargers use surrounding WiFi signals to charge their internal batteries.

The technology behind Nokia’s power-sucking never-charge handset concept could be closer than you think, with manufacturer RCA planning to launch a range of WiFi-powered battery packs.

Yes, you read that the right way round: a WiFi-powered battery pack. Dubbed the AirPower, at first RCA’s gadgets – previewed over on LoopyGadgets – appear to be normal emergency power supplies for your portable gadgets – and that’s pretty much what they are.

Where the technology gets interesting is in the power source which charges the internal battery: rather than relying on being plugged into a USB port or a wall socket, the AirPower – as the name suggests – draws power from thin air in the form of surrounding WiFi signals, which are converted to a current powerful enough to trickle charge the internal battery.

While the technology potentially means never having to plug the device in, the low power of WiFi signals means that it takes a while: RCA claims that the internal battery takes a full six hours of exposure to a strong WiFi signal in order to fully charge.

RCA’s implementation of the energy-harvesting technology comes just a few months after Nokia predicted its own variant – designed for embedding directly into a mobile phone handset – would likely take five years to become a commercially viable product.

Although pricing information has not yet been made available, RCA is hoping to release the product in the US before the end of the year – and hopefully we’ll be seeing a UK launch in the near future, too.

Are you impressed at the thought of an emergency charger which never needs plugging in, or would you need to see the technology in action – and the potential effects it may have on your WiFi signal strength – before getting excited?