Exclusive: Google's latest Buzz privacy changes enable possible new exploit
Today, Google Gmail customers are seeing a promised round of software changes whose purpose is to make Google Buzz users more aware of their privacy options, and to give them a more obvious way to back out of Buzz. These changes come a mere nine days after the social networking product's rollout as an element of Gmail, although some have already claimed personal damage, and have already begun legal action.
Before we went to that extreme, Betanews tested the Buzz changes on accounts where Buzz was already set up. There we noticed the promised Buzz tab has been added to Gmail settings, where as we expected, the user is given the option to withdraw the lists of other Buzz users she's following from her public Google profile. This is effectively a copy of the option from Buzz setup that Google only made prominent after its first round of changes at this time last week.
Google adjusts Buzz setup for privacy, makes 'public' choice more obvious
Already sensing that too many potential users were attributing the "evil" moniker to Google (in the absence of actual evil in the world), the company yesterday made adjustments to its Google Buzz sign-up procedure. In Betanews tests, we found Google's altered dialog box is much more descriptive about the repercussions of setting up a public profile. It uncovers a critical choice about what you share with others publicly, that had been buried beneath an Edit link, by copying it up front where everyone can see it.
The danger involved with a new user setting up Buzz without being mindful of its default consequences, is that her public profile can be automatically filled with the names and profile links of Gmail contacts she communicates with most. Betanews tests this morning indicate that changes Google has made to Buzz setup appear to reduce that danger somewhat:
Does Google Buzz offer better privacy than Facebook?
With Google already the center of controversy worldwide over how it uses the information it gleans from its search users, red flags were almost certain to be sent up over Google Buzz, announced Tuesday. It's the company's new social platform for sharing bits of Twitter-like communication, and it's built rather cleverly on its existing Gmail platform.
The red flags concern how Google leverages Gmail to create a pre-established social network for Buzz users. Unlike a fresh, new social network that asks incoming users to build their lists of followers from scratch, Buzz starts out by collecting a list of folks who appear to be doing the most communicating with the incoming user via Gmail.
Windows XP WGA validation 'spyware' case dismissed
On Monday, a US District Court in Seattle dismissed with prejudice a class action case originally brought by Los Angeles native Brian Johnson in the summer of 2006. Johnson's claim at the time was that, when Windows XP used Microsoft's Windows Genuine Advantage (WGA) feature to validate his rights to use a newly purchased XP, Microsoft not only employed software not covered by the end-user license agreement, but used it to transmit his personal information to Microsoft against his wishes.
His allegation was that XP violated California's and Washington state's statutes regarding spyware -- separate software that transmits personally identifiable data back to a source.
No solution yet for SSL/TLS security hole besides turning renegotiation off
A defect in the protocol that secures monetary exchanges and other private transactions throughout the Web, discovered by wireless security engineers last August, continues to go unfixed as vendors work towards a solution. It can only be described as miraculous that a working exploit hasn't yet been detected for a security hole that hid in plain sight ever since Transport Layer Security was developed.
The problem was inadvertently made public last November. In short, it has to do with the transition Web sites make between the older Secure Sockets Layer protocol and the augmented TLS. During the transition process, the Web sites leave one protocol, but have to remind each other what they were transitioning from and to -- like asking one another, "What were we talking about again?" The question and answer get sent in the clear, making it easy for a man-in-the-middle to spoof the site with the answer.
Proposed settlement in Facebook Beacon case draws fire from advocacy groups
Just over two years ago now, Facebook began deploying a behavioral tracking service it called Beacon, which automatically enabled the tracking of Facebook users' behavior, but shared that data with advertising partners. It wasn't an "opt-in" service by anyone's definition, and after Facebook took down most of the service, customers filed a class-action suit against the social network.
In a proposed settlement last September, Facebook is opting to use its own money -- some $9.5 million -- to establish a fund for the creation of a foundation to help make Web users more aware of their privacy rights, and how they can improve their online safety. It's what the law calls a cy près settlement, named for an old French phrase that literally means, "the next best thing."
Canada's privacy office puts Facebook back in the hot seat
One of the principal factors behind Facebook's revision of its privacy policies has been said to be a formal complaint filed by the office of Canada's Privacy Commissioner last July. That complaint alleged that the leading social network failed to properly disclose to its users the extent to which it could use personally identifiable information, including sharing that information with partners and advertisers. The following month, Facebook agreed to implement changes.
Those changes led to last December's overhaul of the Facebook privacy system, which many now consider to be more of a giveaway than ever before. With the guise of clear and straightforward explanation, users are now being asked to accept default settings that expressly give Facebook permission to share personal information with partners, and are even told that in the absence of such permission, there are ways in which it could be shared anyway.
China is the victim of an Internet smear campaign, alleges its government
In its latest and broadest-ranging official statement since a major policy conference last week at the US State Department, aligning American foreign policy with "Internet freedom" and directing skepticism against China, the Chinese government said this morning it had absolutely nothing to do with any cyber-attack on anyone's Internet assets. China was careful not to mention Google by name, which might have been interpreted as an acknowledgment that such an attack happened.
"Accusation that the Chinese government participated in cyber attack, either in an explicit or inexplicit way, is groundless and aims to denigrate China," reads an official China government statement issued through the Xinhua news agency. "We firmly opposed to that [sic]. China's policy on Internet safety is transparent and consistent... China is the biggest victim country of hacking as its Internet has long been facing severe threats of hacker and online virus attacks."
Security report: Web users pick passwords that are way too easy to hack
According to a report on Consumer Password Best Practices culled from an analysis of 32 million passwords exposed in the recent Rockyou.com Web security breach, the three most commonly used passwords among users of the Rockyou social networking site turned out to be 123456, 12345, and 123456789.
Also making in into the top ten, in this order, were the following: Password, iloveyou, princess, rockyou, 1234567, 12345678, and abc123.
Newly released Windows fix addresses both new and old IE browsers
Over the past few days, security engineers have warned that variations of the publicly-released Hydraq exploit are being engineered for later versions of Internet Explorer than the one targeted in the recently discovered wave of attacks against Google and others, IE6. One security researcher on the "good side," Dino Dai Zovi, claimed on Twitter earlier today he has a functional derivative of Hydraq for IE7 and IE8...kind of. To make them work, two of Windows 7's more celebrated security features -- Address Space Load Randomization and Data Execution Prevention -- have to be manually turned off first.
Still, the nearness of such an exploit to reality prompted Microsoft to release its out-of-band security update today, as promised yesterday, for IE6, IE7, and IE8. Separate update packages are currently being deployed through Windows Update, and are available for download now.
Baidu: Register.com helped 'Iranian Cyber Army' commit criminal trespass
Leading China search engine Baidu's lawsuit against US domain registrar and ISP Register.com, filed yesterday, was not at all what analysts, especially in the British press, expected it to be: There's no evidence, including in the context of its many redacted paragraphs, of any sort of "retaliation" whatsoever against Google's new public stance against China in the wake of attacks against it that it claims emanated from China. Although diplomats from both countries may continue to play the Baidu case as another volley in a brewing trade dispute, from Baidu's perspective, that's not what it is at all.
Baidu's grievance is specifically against Register.com, not the country it's in; and it would probably have filed this very lawsuit had the Google attack never happened. The public portions of the initial complaint, released by US District Court in New York this morning, accuse Register.com not only of negligence in allowing its DNS records to be hacked, and Baidu traffic diverted to a Web site purportedly from the "Iranian Cyber Army" (which may not even be Iranian). Baidu goes so far as to say that Register.com "aided and abetted" whoever produces that Web site, whom Baidu refers to as the "Imposter," in the commission of what Baidu describes as trespass upon its property. Evidence of the Imposter's true identity and/or whereabouts may, based on Betanews' reading of the complaint, could very well appear within those redacted paragraphs.
Google: We're ready for a dialogue with China
This afternoon, just hours following Microsoft's stunningly fast response to a critical Internet Explorer vulnerability made stunningly public by Google last week, a Google spokesperson told Betanews today that it expects to engage in a dialogue with the government of China within the next few weeks. The subject will be the status of its business relationship with that country, following Google's allegations that a recent attack on its servers originated in China.
Whether Google will take the next step -- specifically, discussing the substance of these talks with the US government -- is something the company may not yet have considered, judging from the response to our question from Google's spokesperson today.
Out-of-band update for Hydraq exploit from Microsoft Thursday
In an unprecedented response to the news just last week of attacks on Google's servers, and others, from a sophisticated Trojan first catalogued as Hydraq, Microsoft confirmed to Betanews this afternoon that it will be publishing a security fix for the vulnerability tomorrow, January 21, at approximately 10:00 am PST. The company will issue the update with a "Critical" severity rating.
"Microsoft continues to see limited attacks, and to date, the only successful attacks have been against Internet Explorer 6," the company stated this afternoon. "Customers will be apprised of any changes in the threat landscape through the Microsoft Security Response Center blog, and changes to the advisory [issued last week].
Microsoft: Out-of-band fix to IE6 Google/China exploit to come soon
In a display of calm defiance against the notion that reacting publicly to a threat against its customers is a "marketing tactic," a Microsoft spokesperson confirmed to Betanews this afternoon that a fix for the recently uncovered remote code execution vulnerability in Internet Explorer 6 will be made publicly available some time prior to the next round of Patch Tuesday updates. The exact time of the patch's release, as well as the scope of users who should install it, will be revealed tomorrow.
This would limit Microsoft to a four-week response window since last Tuesday, when Google broke its veil of silence to reveal its servers had been attacked by sources apparently emanating from China.
The Google attack: Human rights threat or IE browser exploit?
On Tuesday, Google described an alleged series of attacks on its servers and others' as an apparent effort by an unknown China-based source to gain access to private information about human rights activists in that country. No less than Secretary of State Hillary Clinton acknowledged her staff being briefed by Google on the matter -- this after almost five years of apparent silence toward government officials from Google regarding its business arrangement with the government of China.
But in a blog post today which officially dubbed the alleged attack "Operation Aurora," McAfee CTO George Kurtz, in revealing his company worked with Google in investigating the attack, suggested a completely different motive. Specifically, Kurtz alleged that a new and heretofore unseen malware turned up during his investigation, appeared to be designed to search for a specific type of company intellectual property.
© 1998-2026 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.