DNA Differences Observed Between Blood and Organs

Read more of this story at Slashdot.

Town on SF Bay wants to photograph every car (AP)

AP - Visitors should be prepared to have their pictures taken as they enter and leave this picturesque town of million-dollar views and homes along the San Francisco Bay.

Best Home Backup Strategy Now?

Read more of this story at Slashdot.

Amazon to replace cracked Kindle 2s for free

Section: Business News, Gadgets / Other, Household, Lifestyle

Responding to the recent class-action lawsuit over cracking Kindle 2s, Amazon has decided to stop charging customers $200 for repairing the damage.  Amazon was originally charging for the repair because it claimed the Kindle’s warranty didn’t cover the damage.  Now, Amazon will replace for free any customer’s Kindle that has cracked due to the Amazon-branded Kindle cover. 

Thankfully, my own Kindle 2 has not cracked yet, but if it does, at least it’s covered.

Read: [InformationWeek]

Full Story » | Written by Merlyn Akhtar for Gadgetell. | Comment on this Article »

Computerized Election Results With No Election

Read more of this story at Slashdot.

Stay connected: A guide to being online everywhere

Section: Communications, Email / IM, Smartphones, Computers, Wireless, Web, Features, How To, Originals

I’m not sure if there is a phobia for being afraid of not being connected, but I know some people who definitely fit that definition.  In fact, they hate going anywhere that prevents them from checking their email, surfing the web, or talking via IM.  With the right equipment, it is possible to be connected nearly anywhere at any time.  Of course, this probably wouldn’t have been possible a few years ago. 

Your home: standard broadband connection

The most obvious way of being connected to the Internet is through a modem, whether it be dial-up or a broadband connection.  Commonly featured in the household as well as the workplace, a broadband connection allows you to reach fast download speeds on any computer or laptop in order to surf the Internet.  For this to work, you have to have your ethernet cable plugged in (at least at the router); therefore you can’t access this Internet from anywhere in your house or office unless you have Wi-Fi. 

Lose the cords: Wi-Fi

Wi-Fi is another way to access the Internet from your laptop, cell phone, gaming console, or personal media player.  Technically, you don’t have to be plugged in, provided the modem is on and running Wi-Fi.  All you have to do is choose your, hopefully stable and secure network, from a list of available Wi-Fi networks and connect to it.  This will also provide broadband speeds and you can be connected anywhere in your house. 

Stores such as Starbucks offer Wi-Fi.  If you travel abroad, chances are Wi-Fi will also be available but it could cost money just to use it.  Areas in which Wi-Fi connections can be found are called hotspots. 

Now, in case you want to find out where hotspots are located in any area, check out Open WiFi Spots.  All you have to do is enter in a city or zip code and it will find all available hotspots.  It is a pretty neat service that should save you some time and frustration if you use it before traveling to that destination. 

3G Data Cards

Another option when Wi-Fi isn’t available is 3G data cards, which use cell phone networks in order to provide fast Internet access to your laptop.  Most cell phone carriers offer monthly rates for such cards and they plug in directly to your laptop. 

Depending on where you are located, network speeds will vary.  If you plan on using the laptop card in a city, chances are speeds will be a lot faster than dial-up, however, in a rural area, speeds will probably hover near dial-up speeds, which isn’t terrible.  In short, anywhere there is a cell phone signal you will be able to surf the web using your 3G data card. 

Tethering

Another option for accessing the Internet anywhere is similar to 3G data cards.  Essentially, tethering is gathering an Internet connection from a cell phone and using it with a device that doesn’t have an Internet connection.  This can be done via Bluetooth or USB.  Of course, such a process isn’t always the best unless you have a strong data plan.  Also, carriers don’t approve of such use unless they offer actual tethering plans, which would probably cost additional money for the bandwidth usage. 

The bottom line

All in all, staying connected is very important this day in age.  As long as your budget allows, you can be pretty much be connected nearly at any time any where.  For those who are on a strict budget, using a Wi-Fi finder can help find hotspots which can still allow you to stay connected often.

Full Story » | Written by Natesh Sood for Gadgetell. | Comment on this Article »

The BlackBerry Tour gets torn apart, reassembled

I don’t get the fascination with gadget tear downs. I mean, who cares? It’s not like any of us understand what the hell is on the circuit boards. I say as long as the product works, lets leave it intact. But apparently like Internet loves herself some gadget tear downs so here is the BlackBerry Tour dissected while a terrible soundtrack is played in the background.

Why Zynga Is Worried about Playfish

When I wrote my BusinessWeek column on Zynga a while back, every venture capitalist in the Valley told me that Playdom was the company’s biggest competitor.

After all, it competes game-to-game, with similar mob-style and poker games, and was said to be doing the same revenues as Zynga with much higher profitability. (As my column pointed out, Zynga’s revenues are more like double Playdom’s—and since I’ve heard the discrepancy is even greater.)

As you’d expect Zynga’s CEO Mark Pincus pooh-poohed Playdom as any sort of threat. But tellingly, he said the company he was worried about was UK-based Playfish. So, while I was across the pond, I decided to see what the fuss was about and sat down with Playfish’s founder and CEO Kristian Segerstrale. I came away convinced this was one of the hottest companies to watch in the UK. Here are five reasons why.

1. Not “The UK Zynga.” Playfish is very much running its own race in this market, and this may be a case where distance from the Valley is actually healthy. It doesn’t try to compete on specific games with Playdom, SGN, and Zynga. For instance, it doesn’t have a mob game, the most popular genre right now, and it doesn’t have a poker game, Zynga’s top earner. “That’s such short term thinking,” Segerstrale said. “Something is wrong if your route to success is copying competitors’ games.”

2. Platform Development Doesn’t Have to Mean Half-Ass Development. Playfish is not about building a game in a week or so and throwing it up on Facebook. Playfish spends six months to a year designing a game, and they’ve only produced seven of them. While everyone else talks up how quickly and cheaply you can build a game on social networks, Playfish still employs the same artistic discipline of a console game with a Wii-like look and feel. The plus with platforms like Facebook and the iPhone isn’t speed to market for Playfish, it’s easier distribution and greater social engagement.

3. Traction. The painstaking design process appears to be a hit. Every one of Playfish’s games has been a top ten hit on Facebook. Across all platforms, those seven games have yielded 100 million installs and 30 million monthly uniques, says Segerstrale. Playfish pays “practically nothing” for customer acquisition and makes money through virtual goods, ads and premium versions of games.

Playfish is profitable and hasn’t spent a dime of its recent $17 million funding round. That’s gotta be some top line given Playfish has 200 employees across several offices. In fact, TechCrunch Europe’s Mike Butcher speculated that Playfish could be the $1 million-dollar-a-month Facebook app maker, back in September 2008. It certainly puts the company in an enviable position given the paucity of venture funds in the UK.

4. Proximity to the Valley Insiders via Investors. While Playfish enjoys distance from the one-ups-man-ship or developer poaching of SGN, Playdom and Zynga, it’s connected into the Valley where it counts. One of its main investors is Accel—also one of the main backers of Facebook. Yes, that matters. (See Sequoia Capital-backed Google’s purchase of Sequoia Capital-backed YouTube.)

5. Segerstrale Knows Games. This is the fuzziest one, but also probably the most important. As a CEO, Segerstrale comes to this industry from a different point of view than Pincus. Pincus has said he was never really much of a gamer—Segerstrale on the other hand has loved games since he was three years old playing Pong with his older brother. He always got a visceral rush from playing, especially with other people. So he’s spent much of his career working towards two goals: Decoding what makes a game “fun” and deconstructing the concept of a “gamer” so games are just something everyone plays.

His first attempt was at mobile, thinking that with phones in every pocket, everyone would essentially have a game console. Indeed, the company he cofounded, Glu Mobile, went on to a successful IPO. But gaming was still a niche activity on phones.  There were too many barriers set up by the telcos and it wasn’t as easy for people to find and download games. Facebook turned out to be a much greater platform for this kind of democratization of gaming because users could market games to one another.

Segerstrale’s macro theory is that we’re in the first shift of a move from physical games and goods to digital ones, and from games as a product to games as a service. It’s a theory that seems right-on to me. For one thing, we already saw it with the transition from enterprise software to software as a service. For another, sales of console games are down 20% year-over-year according to NPD, while comScore says social gaming is up 20% year-over-year. It’s nice to see a CEO who can articulate not only a product vision, but a clear industry vision.

All the positives above aside, I’m still not convinced that Segerstrale will succeed in his mission to democratize games. I still mainly use Facebook as a way to connect with friends, not to build virtual restaurants and I don’t necessarily see that changing. In fact, Facebook has so de-emphasized apps in its new all-feed iteration, I spent nearly an hour trying to find a listing of games, before someone finally told me it was on the throw-away bottom bar of the profile page. And by emphasizing the social stickiness of a game, there’s a chicken-and-egg risk that the games are boring for people who don’t have enough friends already playing.

But these are execution risks and every promising startup has them. When it comes to business model, financing, vision and product, Playfish is certainly a formidable competitor to Zynga. With hundreds of millions in real dollars already swarming around social gaming, this will be fun space to watch.

Crunch Network: CrunchGear drool over the sexiest new gadgets and hardware.

Spain’s First Seafloor Lab Opens

So Hot Right Now: Top 10 Gadgetell posts for the week of July 12, 2009

Section:

Haven’t caught all of the Gadgetell news this week?  Here’s your chance to catch up on this week’s top 10 articles!

• Microsoft Office comes to Linux - MS begrudgingly bends
  “Your cheap little Linux netbook just got a boost in credibility, or will get a boost when Microsoft drops the web app version of Office 2010 next year.  To date, Linux netbooks or anything else running the OS had to rely on…” MORE »
• Get your free Microsoft Office 2010 web apps
  ” Above: Microsoft Excel, the web app Did you think Microsoft forgot all that stuff they said about clouds and their products?  Nope.  After the flurry of activity surrounding Office 2010 this morning, here comes the web…” MORE »
• Vacationers, watch out with Wi-Fi
  ” Ah, summer.  Time to relax, go visit friends, vacation.  No worries, right?  Well, there may be a small one if you like to use public Wi-Fi on your travels. The latest trend for the in hacker is what has become known as…” MORE »
• Gadgetell introduces a new show: InterrupTech
  ”  Download: iPod version (mp4)  | Audio version (mp3)   Welcome to the pilot episode of Gadgetell’s InterrupTech.  Here’s how this works: every Monday we get you caught up on the most…” MORE »
• Facebook fighting lawsuit by Power.com
  ”  Facebook says it will fight a lawsuit filed against it by Power.com.  The lawsuit, filed in response to Facebook’s lawsuit against it last year, is an attempt to compel the social networking giant to drop the charges and restore access to Power.com…” MORE »
• GM hoping to rebuild company with eBay auction sales
  ”  After declaring bankruptcy, the new General Motors Corporation is looking for ways to rebuild their company. A new program being launched by GM is a sales agenda that will include making the entire…” MORE »
• Companies wary of upgrading to Windows 7
  ”  When Microsoft released Windows Vista, despite all the hype a lot of people decided to wait out the release to decide whether they should upgrade.  We all know that after reports started coming in on how much…” MORE »
• Official Google Voice apps coming for Android and BlackBerry, but not for the iPhone or Pre
  “Despite Google Voice still not being open for anyone to sign up without first having been invited, the smartphones apps are beginning to roll out.  In an announcement that came via the official Google Voice Twitter account, we now know that we can expect to see an…” MORE »
• Auction site Swoopo turns away from dark side
  “You’ve seen the advertisements, “Win this iPod touch for $4.19” or “the hammer fell on this MacBook for just $15.23.”  These temptingly good offers are brought to you by Swoopo, an auction site of sorts that has been shown a lot of hate by our commenters.   MORE »
• LexisNexis suffers mafia related data breach
  “LexisNexis has sent a warning to over 13,000 people after discovering a possible data breach.  The information broker says that a Florida man facing charges in a mafia racketeering conspiracy may have accessed some databases that used to be…” MORE »

Full Story » | Written by NEWS for Gadgetell. | Comment on this Article »

Toshiba Bows Out Of Fight Against Blu-ray

New Firefox Vulnerability Revealed

Read more of this story at Slashdot.

Kathe Koja's BUDDHA BOY audiobook: bravery, bullying, complicity and opting-out

As the story goes on, Justin has to come to grips with his complicity in the savage and cruel bullying that Jinsen is faced with, the complicity of the bystander who does nothing, even as his friend Jinsen shows him an entirely new way to deal with bullies: to simply refuse to join the narrative they're recruiting you for. This strategy is not without its consequences, but it is also so shocking and new that it forces Justin to reexamine his life from top to bottom, from his academic passions to his spirituality.

As with Kissing the Bee, the Full Cast Audio adaptation of Buddha Boy is skillfully acted and edited, bringing out nuances in the story with a cast of talented actors, including some very gifted young people in the principle roles. The story twists and turns, and never quite goes where you think it will -- and like all of Koja's YA novels, it contains an elegant and simple emotional truth at its core that will have you vowing to be a better person by the time it's done.

Buddha Boy (CD)

Buddha Boy (paperback)

Shark Attack Victims Fight For The Predator’s Safety

When Sysadmins Ruled the Earth full-cast audio drama

When Sysadmins Ruled the Earth

MP3 Link

Teenager with Asperger's hoaxes UK aviation industry with fake airline

Tait, who said he was in his twenties, even flew to Jersey to attend a 1½-hour long meeting with the director of its airport. Their talks were considered promising enough for a further meeting to be arranged, which was due to be held next week.

Other air industry bosses found themselves dealing by telephone or e-mail with Tait's fellow executives, David Rich and Anita Dash, who proposed to launch a cut-price Channel Islands-based airline servicing most of Europe...

"Some of the things he said were the sort of things that were indicative that there might have been some substance to his claims," said Coupar. "If they were real then there would have been opportunities for us to expand our business and that's not the sort of thing we are going to ignore."

Tait also made approaches, with varying levels of success, to other airlines, including Titan Airways and Aer Arann.

When he made contact with Jersey airport, his patter was convincing enough to effect a 90-minute face-to-face meeting with Julian Green, the airport's director, who said last night: "Jersey airport can confirm it has had discussions with Adam Tait over recent weeks about an ambitious network of services between Jersey, the UK and Europe.

Verizon’s iPhone a dream of legislators?

Section: Communications, Cellular Providers, Smartphones, Mobile

In light of a federal inquiry into mobile carriers and exclusive deals like the one AT&T has for the iPhone, Verizon has jumped the gun and announced they will not sign onto any exclusives longer than six months.  The move comes as the federal authorities look to help smaller carriers survive as they’ve been locked out of the latest and greatest phones.  Verizon is the first to stem any appearance of wrong doing.

From GigaOM:

Verizon said today it will offer smaller carriers access to any cell phone model it uses — even those exclusive to Verizon.  Carriers who have fewer than 500,000 subscribers will have access to phones after only six months, according to a letter sent by Verizon to Rick Boucher, the chairman of the Subcommittee on Communications, Technology and the Internet in the House.

The question quickly becomes, does the government have any business regulating phone exclusives and if so, what are the ramifications?

For two different perspectives, I questioned our Editor, Iyaz.  His take:
“With the deals running out in 6 months, think of it this way—the carriers have less leverage and the phone manufacturer has more incentive to make a lot of money by having the next great phone on every carrier (Palm Pre?)

If the iPhone wasn’t exclusive on AT&T, so many people would have the Vz version.  AT&T couldn’t lean on the iPhone and would have to pump up its network.”

So in short, Iyaz sees a beautiful utopia filled with iPhones on every network where users are thrilled to have the phone of their choosing on the network of their choosing.  It might be interesting to note, Iyaz did a bit more than dabble in legal studies.

For the polar opposite, here are my views:
I’d argue that without AT&T to back the iPhone for 2 years, Apple wouldn’t have made the phone in the first place.  If others follow suit in light of federal scrutiny we’ll see a the incentive for OEMS to develop game changing phones diminish.  With no big cash cow, why bother?  Cell carriers pay more for handsets to be exclusive.  There is higher incentive for phone makers to make an exclusive model and the best way to sell an exclusive model is to make it better than everyone else.

This could be just what Android needed.  Hee hee, Google benefiting from federal scrutiny.  With less incentive to put R&D dollars into a product where revenue will be limited as no carrier is going to risk pimping it as it will get released in just 6 months time, we’ll see lots less innovative phones.

One new line of thought is emerging: this is purely a marketing move by Verizon as a way to shake the iPhone free from AT&T’s grasp.  Verizon was so quick to jump at this (do they really care about an exclusive with the Bold?) that it seems a bit more than just fear of regulation.  This looks to be a jump at getting the iPhone on their network, something that many users (both Verizon and AT&T customers would love to see happen).  It is a long shot that this would help get the iPhone on Verizon but it looks like their hopes for the start of that road.

Source: [GigaOm]

Full Story » | Written by JG Mason for Gadgetell. | Comment on this Article »

Earthquake Invisibility Cloak

Read more of this story at Slashdot.

Free Apps roundup for July 17th, 2009

FROM APPLETELL - Based on recent sales figures, chances are high that you now have an iPhone 3GS (and are also out of money as a result). But don’t worry, I have your back. It’s Friday again, and here comes my list of great free apps.
MORE »

Full Story » | Written by NEWS for Gadgetell. | Comment on this Article »

The Apollo program: One massive rocket designed by young engineers

There has been a good deal of focus on the Moon lately. First, the LRO sent back high-res photos of the surface, which was followed by the 40th anniversary of Apollo 11 and the release of restored video footage from the Moon. Then the LRO produced the first photos of the equipment left behind from the Apollo missions and Walter Cronkite, the trusted voice who informed America about the events, passed away.

The LA Times is keeping the buzz alive with a fantastic article about the construction of the Saturn V rocket that shot the astronauts to the Moon.

“What set us apart was our ability to build a very big rocket to get us to the moon,” said Roger Launius, the Smithsonian Institution’s space historian, reflecting on the U.S.’ race with the then-Soviet Union to reach the moon first. “The Russians were never able to do that.”

If you think about it, that’s about as accurate as it gets. Our engineers who were backed by a massive budget, out-developed the Soviets with the Saturn V rocket. Well done, boys. Well done.

How to set up a Google Voice account outside the US

Section: Communications, Web, Web Apps, Google, Features, How To

Google Voice is beginning to open up a little more each day.  Of course, at this time, you still need an invitation.  But that aside, for this purpose of this post we are going to assume that you are lucky enough to have been invited.  Given that, aside from people still wanting an invitation, the biggest complaint I am seeing is that Google Voice is limited to those in the US.

When attempting to set up Google Voice from a location outside the US, users are greeted with a message that (in part) reads;

“Google Voice is not available in your country.”

Which does not help those that are outside the US, because while many prefer to have a local number, there are some benefits to having a US based number—even when you are outside the US.  Well, let me tell you a little secret.  Despite the service not officially being available, it is possible to set up your Google Voice account outside the US, that is as long as you do not mind a little trickery.

In pretty much one simple step, here is what you need to do;

• Find a Proxy site that is located on US servers, and while we cannot give you an exact Proxy to use, you may want to click this link, or this link and begin a quick search.
• After you have found your US-based Proxy site, all you need to do is then begin the regular Google Voice setup process.

Of course, if you have a trusted friend in the US, you could also ask nicely and have them do the setup for you.

Now for the fine print, if you choose to go this route only to have Google shut your Voice account down, I, along with Gadgetell, take no responsibility.  Additionally, I, along with Gadgetell take no responsibility for any calls that may not be properly routed should you try and forward your Google Voice number to a non-US number.  That said, if you do go this route, make sure you enjoy your Google Voice setup.

Full Story » | Written by Robert Nelson for Gadgetell. | Comment on this Article »

Hot gaming news for the week of 7-12-2009

Section:

No need to scour the interwebs for hot gaming news, Gamertell‘s already done that for you!  Here’s a look at this week’s top stories…

• Gamertell Review: Mountain Dew World of Warcraft Game Fuel
• PlayStation Store Update: Own the skies with Battlefield 1943 (July 12 to July 18, 2009)
• Club Nintendo announces its Elite status freebies
• What If: Game companies rebranded in the style of SyFy channel
• Edios accused of attempting to control Batman: Arkham Asylum review scores

Full Story » | Written by NEWS for Gadgetell. | Comment on this Article »

Verizon slashes BlackBerry Storm pricing, now just $99.99 on contract

Section: Communications, Cellphones, Cellular Providers, Smartphones, Mobile

Still considering the purchase of a BlackBerry Storm 9530?  If so, the time may have just arrived because Verizon has recently lowered the price down to $99.99.  The new lowered price comes after a $100 instant online discount and requires you to also agree to the standard two year agreement.  That and, it should be pointed out that, this could also be nothing more than an additional sign that the BlackBerry Storm 2 is coming sooner than later.  Maybe that price drop is to clear out inventory of the not-so-hot Storm.  Of course, if you are not the type to need the latest and greatest, a $99 BlackBerry Storm 9530 could be a nice choice.

Product [Verizon Wireless]

Full Story » | Written by Robert Nelson for Gadgetell. | Comment on this Article »

Saudi phone operator Mobily's profits up 49% (AFP)

AFP - Mobily, Saudi Arabia's second mobile phone network operator, said on Sunday that net profit jumped 49 percent to 1.155 billion riyals (308.7 million dollars) in the first half from a year earlier.

The Twitter Effect For Movie Studios

The Anatomy Of The Twitter Attack

The Twitter document leak fiasco started with a simple story that personal accounts of Twitter employees were hacked. Twitter CEO Evan Williams commented on that story, saying that Twitter itself was mostly unaffected. No personal accounts were compromised, and “most of the sensitive information was personal rather than company-related,” he said. The individual behind the attacks, known as Hacker Croll, wasn’t happy with that response. Lots of Twitter corporate information was compromised, and he wanted the world to know about it. So he sent us all of the documents that he obtained, some 310 of them, and the story developed from there.

This post isn’t about the confidential information taken from Twitter. It’s about exactly how Hacker Croll was able to get such deep access to Twitter in the first place.

It’s clear that Twitter was completely unaware of how deeply they were affected as a company - when Williams said that most of the information wasn’t company related he believed it. It wasn’t until later that he realized just how much and what kind of information was taken. It included things like financial projections and executive meeting notes that contained highly confidential information.

We’ve already said a lot about all of this and the related “server password = password” story that was discovered by another individual last week. But we’ve got two more stories to tell. The first, this post, is exactly how the hacks took place, based on information gathered from hours of conversations with Hacker Croll. The second is what was happening behind he scenes with Twitter as the story unfolded. We’ll post that later this week.

When the story first broke the true scope of what had taken place and how it occurred was not understood. Various bloggers speculated about the cause of the attack - with some placing the blame on Google while others blaming the rising trend of hosting documents in the cloud.

We immediately informed Twitter of the information we had in our possession (and forwarded it to them), and at the same time reached out to the attacker. With some convincing, the attacker responsible for the intrusion at Twitter began a dialog with us. I spent days communicating with the attacker in an effort to gain insight into how the attack took place, what the true scope of it was and how we could learn from it.

We’ve waited to post exactly what happened until Twitter had time to close all of these security holes.

Some Background

In the security industry there is a generally accepted philosophy that no system or network is completely secure - a competent attacker with enough time, patience and resources will eventually find a way into a target. Some of the more famous information security breaches have relied on nothing more than elementary issues exploited by an attacker with enough time and patience at hand to see their goal through. A classic example is the case of Gary McKinnon, a self-confessed “bumbling computer nerd” who while usually drunk and high on cannabis would spend days randomly dialing or attempting to login to government servers using default passwords. His efforts led to the compromise of almost 100 servers within a number of government departments. After McKinnon spent a number of years trawling through servers looking for evidence of alien life (long story), somebody within the government finally wised up to his activities which lead to not only the arrest and attempted extradition of McKinnon from the United Kingdom, but a massive re-evaluation of the security methods employed to protect government information.

A more recent example is the case of Kendall Myers, who after being recruited to work for the Cuban government by an anonymous stranger they met while on holiday in that country, set out to obtain a high ranking position within the State Department specifically to obtain access to US government secrets. Kendall dedicated his entire life to obtaining state secrets, and up until he was recently caught by the FBI had successfully passed on secret information and internal documents to the Cuban government for 30 years. He relied only on his memory, his education credentials and sheer dedication.

The Twitter Attack: How The Ecosystem Failed

Like other successful attacks, Hacker Croll used the same combination of patience, sheer determination and somewhat elementary methods to gain access to a frightening number of accounts and services related to Twitter and Twitter employees. The list of services affected either directly, or indirectly, are some of the most popular web applications and services in use today - Gmail, Google Apps, GoDaddy, MobileMe, AT&T, Amazon, Hotmail, Paypal and iTunes . Taken individually, most of these services have reasonable security precautions against intrusion. But there are huge weaknesses when they are looked at together, as an ecosystem. Like dominoes, once one fell (Gmail was the first to go), the others all tumbled as well. The end result was chaos, and raises important questions about how private corporate and personal information is managed and secured in a time when the trend is towards more data, applications and entire user identities being hosted on the web and ‘in the cloud’.

“Hacker Croll” is a Frenchman in his early 20’s. He currently resides in a European country and first discovered his interest in web security over two years ago. Currently in between jobs, he has made use of the additional time he now has, along with his acquired skillset, to break into both corporate and personal accounts across the web. His knowledge of web security has been attained through a combination of materials available to the public and from within a tight-knit group of fellow crackers who exchange details of new, and sometimes unknown, techniques and vulnerabilities. Despite the significance and impact a successful attack has, the cracker claims that his primary motivation is a combination of curiosity, exploration and an interest in web security. There is almost a voyeuristic tendency amongst these individuals, as they revel in the thought of gaining privileged access to information about the inner lives of individuals and corporations. The “high” of access and gaining unauthorized knowledge must be big enough to carry a cracker’s motivation through the long hours, days and months of effort it may take to hit the next pot of gold.

For Hacker Croll, his first port of call in setting out to gain access to a target network is to make use of public search engines and public information to build a profile of a company or individual. In the case of the Twitter attacks, this public information allowed him to create a rich catalog of data that included a list of employee names, their associated email addresses and their roles within the company. Information like birth dates, names of pets and other seemingly innocent pieces of data were also found and logged. This dragnet across the millions of pages on the web picked up both work and personal information on each of the names that were discovered. Public information on the web has no concept of, or ability to, distinguish between the work and personal details of a person’s identity - so from the perspective of a cracker on a research mission, having both the business and personal aspects of a target’s digital life intertwined only serves to provide additional potential entry points.

With his target mapped out, Hacker Croll knew that he likely only needed a single entry point in any one of the business or personal accounts in his list in order to penetrate the network and then spread into other accounts and other parts of the business. This is because the web was designed at a time where there was implicit trust between its participants - requiring no central or formal identification mechanism. In order to keep private data private, modern web applications have built out their own systems and policies that require a user to register and then manage their identities separately with each app. The identifier that most applications use is an email address, and it is this common factor that creates a de facto trust relationship between a user’s applications. The second factor is a password: a random string that only the user knows, is unique to each application, and in theory should take even a computer months or years to figure out if it started guessing. These two elements would work well enough for most cases, were it not for what is often the single weakest factor: human habit.

Look at the front page of almost any web application and you will see hints at just how hopeless and helpless we are in managing our digital lives: “forgot my password”, “forgot my username”, “keep me logged in”, “do not keep me logged in”, “forgot my name”, “who am i?”. Features that were designed and built as a compromise since we are often unable to remember and recall a single four-digit PIN number, let alone a unique password for every application we ever sign up for. Each new service that a user signs up for creates a management overhead that collapses quickly into a common dirty habit of using simple passwords, everywhere. At that point, the security of that user’s entire online identity is only as strong as the weakest application they use - which often is to say, very weak.

Now going back to Hacker Croll and his list of Twitter employees and other information. Twitter just happens to be one of a number of a new breed of companies where almost the entire business exists online. Each of these employees, as part of their work, share data with other employees - be it through a feature of a particular application or simply through email. As these users become interwoven, it adds a whole new attack vector whereby the weak point in the chain is no longer just the weakest application - it is the weakest application used by the weakest user. For an attacker such as Hacker Croll looking to exploit the combination of bad user habit, poorly implemented features and users mixing their personal and business data - his chances of success just got exponentially greater. Companies that are heavily web based rely largely on users being able to manage themselves - the odds are not only stacked against Twitter, they are stacked against most companies adopting this model.

Unfortunately for Twitter, Hacker Croll found such a weak point. An employee who has online habits that are probably no different than those of 98% of other web users. It began with the personal Gmail account of this employee. As with most other web applications, the personal edition of Gmail has a password recovery feature that presents a user with a number of challenges to prove their identity so that their password can be reset. It likely wasn’t the first account from a Twitter employee that Hacker Croll had attempted to access - but in the case of this particular account he discovered a kink in the armor that gave him the big first step. On requesting to recover the password, Gmail informed him that an email had been sent to the user’s secondary email account. In an effort to balance usability with security, Gmail offered a hint as to which account the email to reset the password was being sent to, in case the user required a gentle reminder. In this case the obfuscated pointer to the location of the secondary email account was ******@h******.com. The natural best guess was that the secondary email account was hosted at hotmail.com.

At Hotmail, Hacker Croll again attempted the password recovery procedure - making an educated guess of what the username would be based on what he already knew. This is the point where the chain of trust broke down, as the attacker discovered that the account specified as a secondary for Gmail, and hosted at Hotmail was no longer active. This is due to a policy at Hotmail where old and dormant accounts are removed and recycled. He registered the account, re-requested the password recovery feature at Gmail and within a few moments had access to the personal Gmail account of a Twitter employee. The first domino had fallen.

Well designed web applications will never just give a user their password if they forget it, they will force the user to pick a new one. Hacker Croll had access to the account, but with a password he had specified. To not alert the account owner that their account had been compromised, he had to somehow find out what the old Gmail password was and to set it back. He now had a bevy of information at his fingertips, a complete mailbox and control of an email account. It wasn’t long before he found an email that would have looked something like this:

To: Lazy User
From: Super Duper Web Service
Subject: Thank you for signing up to Super Duper Web Service

Dear Lazy User,

Thank you for signing up to Super Duper Web Service. For the benefit of our support department (and anybody else who is reading this), please find your account information below:

username: LazyUser
password: funsticks

To reset your password please follow the link to.. ahh forget it, nobody does this anyway.

Regards,

Super Duper Web Service

Bad human habit #1: Using the same passwords everywhere. We are all guilty of it. Search your own inbox for a password of your own. Hacker Croll reset the password of the Gmail account to the password he found associated with some random web service the user had subscribed to and that sent a confirmation with the password in clear text (and he found the same password more than once). He then waited, to check that the user was still able to access their account. Not too long later there was obvious activity in the email account from the account owner - incoming email read, replies sent and new messages drafted. The account owner never would have noticed that a complete stranger was lurking in the background. The second domino falls.

From here it was easy.

Hacker Croll now sifts through the new set of information he has access to - using the emails from this user’s personal Gmail account to further fill in his information map of his target. He extends his access out to all the other services he finds that this user has signed up for. In some instances, the password is again the same - that led Croll into this user’s work email account, hosted on Google Apps for Domains. It turns out that this employee (and in fact most/all Twitter employees and everyone else) used the same password for their Google Apps email (the Twitter email account) as he did with his personal Gmail account. With other sites, where the original password may not work - he takes advantage of a feature many sites have implemented to help users recover passwords: the notorious “secret question”.

Fork the story here for a moment because there is a real issue here with the “secret question” (from here on abbreviated more appropriately as just “secret ?”). For some strange reason, some sites refer to the “secret ?” as an additional layer of security - when it is often the complete opposite. In the story of Hacker Croll and Twitter, the internal documents that we now all know about were only a few steps away from the first account he gained access to. In addition to that, this attacker, and certainly others just like him, have been able to demonstrate that some of the biggest and most popular applications on the web contain fundamental weaknesses that alone might seem harmless, but in combination with other factors can cause an attacker to completely tear through the accounts of users, even those who maintain good password policy.

This is not the first time that the issue of “secret ?” being used in password recovery systems has been raised. Last September, US Republican Vice Presidential candidate and former governor of Alaska, Sarah Palin, had screenshots of her personal Yahoo mail account published to Wikileaks. A hacker or group known only as ‘Anonymous’ claimed credit for the hack, which was carried out by the attacker making an educated guess in response to the security question used to recover passwords. In early 2005, celebrity Paris Hilton suffered a similar incident when her T-Mobile sidekick account was broken into, and the details of her call log, messages (some with private pictures of Hilton) and contact list were leaked to the media. The culprit, again, was “secret ?”.

Giving the user an option to guess the name of a pet in lieu of actually knowing a password is just dramatically shortening the odds for the attacker. The service is essentially telling the attacker: “we understand that guessing passwords is hard, so let us help you narrow it down from potentially millions of combinations to around a dozen, or even better, if you know how to Google, just one”. The problem is not the concept of having an additional authorization token, such as mothers maiden name, that can be used to authenticate in addition to a password, the problem arises when it is relied on alone, when the answer is stored in the clear in account settings, and when users end up using the same question and answer combination on all of their accounts.

From this point, with a single personal account as a starting point, the intrusion spread like a virus - infecting a number of accounts on a number of different services both inside and outside of Twitter. Once Hacker Croll had access to the employee’s Twitter email account hosted by Google, he was able to download attachments to email that included lots of sensitive information, including more passwords and usernames. He quickly took over the accounts of at least three senior execs, including Evan Williams and Biz Stone. Perusing their email attachments led to lots more sensitive data being downloaded.

He then spidered out and accessed AT&T for phone logs, Amazon for purchasing history, MobileMe for more personal emails and iTunes for full credit card information (iTunes has a security hole that shows credit card information in clear text - we’ve notified Apple but have not heard back, so we won’t publish the still-open exploit now).

Basically, when he was done, Hacker Croll had enough personal and work information on key Twitter executives to make their lives a living hell.

Just to summarize the attack:

1. HC accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account, he simply registered it, clicked the link and reset the password. Gmail was then owned.
2. HC then read emails to guess what the original Gmail password was successfully and reset the password so the Twitter employee would not notice the account had changed.
3. HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.
4. HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.
5. HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. HC now also had control of Twitter’s domain names at GoDaddy.
6. Even at this point, Twitter had absolutely no idea they had been compromised.

What could have happened next is that Hacker Croll could have used or sold this information for profit. He didn’t do that, and says he never intended to. All he wanted to do, he says, was to highlight the weaknesses in Twitter’s data security policies and get them and other startups to consider more robust security measures.

He also says he’s sorry for causing Twitter so much trouble. We asked Hacker Croll if he had any message he wants to deliver to Twitter, and he sent me the following:

Je tiens à présenter toutes mes excuses au personnel de Twitter. Je trouve que cette société a beaucoup d’avenir devant elle.

J’ai fait cela dans un but non lucratif. La sécurité est un domaine qui me passionne depuis de longues années et je voudrais en faire mon métier. Dans mon quotidien, il m’arrive d’aider des gens à se prémunir contre les dangers de l’internet. Je leur apprend les règles de base.. Par exemple : Faire attention où on clique, les fichiers que l’on télécharge et ce que l’on tape au clavier. S’assurer que l’ordinateur est équipé d’une protection efficace contre les virus, attaques extérieures, spam, phishing… Mettre à jour le système d’exploitation, les logiciels fréquemment utilisés… Penser à utiliser des mots de passe sans aucune similitude entre eux. Penser à les changer régulièrement… Ne jamais stocker d’informations confidentielles sur l’ordinateur…

J’espère que mes interventions répétées auront permis de montrer à quel point il peut être facile à une personne mal intentionnée d’accéder à des informations sensibles sans trop de connaissances.

Hacker Croll.

This roughly translates to:

I would like to offer my personal apology to Twitter. I think this company has a great future ahead of it.

I did not do this to profit from the information. Security is an area that fascinated me for many years and I want to do my job. In my everyday life, I help people to guard against the dangers of the Internet. I learned the basic rules .. For example: Be careful where you click the files that you download and what you type on the keyboard. Ensure that the computer is equipped with effective protection against viruses, external attacks, spam, phishing … Upgrading the operating system, software commonly used … Remember to use passwords without any similarity between them. Remember to change them regularly … Never store confidential information on the computer …

I hope that my intervention will be repeated to show how easy it can be for a malicious person to gain access to sensitive information without too much knowledge.

Croll hacker.

What’s the takeaway from all this? Cloud services are convenient and cheap, and can help a company grow more quickly. But security infrastructure is still nascent. And while any single service can be fairly secure, the important thing is that the ecosystem most certainly is not. Combine the fact that so much personal information about individuals is so easily findable on the web with the reality that most people have merged their work and personal identities and you’ve got the seed of a problem. A single Gmail account falls, and soon the security integrity of an entire startup crumbles. So for a start, reset those passwords and don’t use the same passwords for different services. Don’t use password recovery questions that can easily be answered with a simple web search (an easy solution is to answer those questions falsely). And just in general be paranoid about data security. You may be happy you were.

Crunch Network: MobileCrunch Mobile Gadgets and Applications, Delivered Daily.

FasterWeb Wants To Make The Entire Web Up To Ten Times Faster In 2010

As the web matures, it’s also getting more complex. Yet much of it is still fundamentally based on things like HTML which are 30 years old. A new startup, FasterWeb, aims to bring these old technologies up to speed — as it were — making the web faster, by optimizing the old standards for doing new things. And in doing so, it claims that it can increase the performance of any site by 2 to 10 times — something which would obviously be a huge leap forward, if it can deliver.

One VC firm, YL Ventures, believes that it can. And they’ve seen it in action, so we’ll just have to take their word for it, for now. We spoke with Yoav Andrew Leitersdorf, managing parter at YL, and he tells us that the different between the regular web versus a site optimized with FasterWeb, is pretty staggering. And that’s why his firm had no hesitation in pouring an undisclosed amount of money into the Israel-based venture.

So how does FasterWeb claim to work? Leitersdorf wouldn’t go into the details, saying that’s the company’s secret, but he would say that it uses 45 different techniques to optimize the web. He also said that this is done either on the end of the content provider or the ISP. In other words, the end user doesn’t have to do a thing to experience the increase in web speed. And FasterWeb will work across all the major web browsers, starting with Internet Explorer and Firefox immediately, and expanding to the rest, including Opera, Chrome and Safari, when it’s ready for its widespread release next year.

But some sites won’t have to wait until next year to get the speed boost. Over the next several weeks, the first sites optimized with FasterWeb will begin hitting our browsers, Leitersdorf says. He would not say which ones, but notes that some will be known entities in the U.S. and worldwide.

And all of this will work for the mobile web too. “That’s one of the biggest opportunities here,” Leitersdorf says. He went on to note that they’re thinking a lot about mobile ISPs in particular.

Obviously, a two to tenfold increase in speed is a big difference, but Leitersdorf notes that the more complex a page is, the higher the magnitude of optimization will be. This optimization occurs across HTTP, HTML, JavaScript, CSS and images on a page, to achieve the results.

The business model for the project seems sound as well. FasterWeb has a multi-pronged approach depending on the situation of the website or ISP. That means it can either charge a one-time fee, or do a revenue sharing model. “What we found out as a VC fund going into this business is that by selling this to websites, it’s going to increase their revenues. And these sites are willing to spend 20-30% of their increase in revenues on our solution,” Leitersdorf says.

He also notes that in their research, YL only found two companies even come close to doing what these guys are doing. But Leitersdorf declined to name them. Seeing as this is all on the backend, and requires nothing from the consumers, it seems safe to assume this will be significantly better than something like the Google Web Accelerator toolbar.

Naturally, all of this sounds great, but it will be another thing to deliver on a massive scale across much of the web. “We’ve talked to the customers, they’re excited. But FasterWeb wants to make sure they’re ready,” according to Leitersdorf. And that’s why we won’t see wide-scale deployment until next year.

The Israel-based FasterWeb was started by Ofer Gadish, Gil Shai, Ofir Ehrlich and Leonid Fainberg.

Crunch Network: CrunchGear drool over the sexiest new gadgets and hardware.