Archive for the ‘Glitches and Bugs’ Category

White Hat Uses Foursquare Privacy Hole to Capture 875K Check-Ins

If you have checked in with Foursquare in San Francisco in the last three weeks, Jesper Andersen probably knows where and when — even if you’ve set your check-ins to be published to friends only.

Andersen, a coder who recently built a service called Avoidr that helps you avoid social network “friends” you don’t really like, figured out that Foursquare had a privacy leak because of how it published user check-ins on web pages for each location.

On pages like the one for San Francisco’s Ferry Building, Foursquare shows a random grid of 50 pictures of the users who most recently checked in at that location — no matter what their privacy settings. When a new check-in occurs, the site includes that person’s photo somewhere in the grid. So Andersen built a custom scraper that loaded the Foursquare web page for each location in San Francisco, looked for the differences and logged the changes.

Even though he was using an old computer running through the slow but anonymous Tor network, Andersen estimates he logged about 70 percent of all check-ins in San Francisco over the last three weeks.

That amounts to 875,000 check-ins.

Foursquare is one of the most popular of a growing number of services that let people quickly report to friends, family or the entire world where they are — and is part of a growing trend of making public more information that used to be private. Foursquare’s popularity is tied to its game-like ecosystem, where users can win “badges” for certain actions or become the “mayor” of locations by checking in there more than any other users.

Andersen reported the privacy breach to Foursquare two Sundays ago — and the company admitted the bug existed. They asked for a week or so to fix the bug, and now, according to an e-mail sent to Andersen, the company is modifying its privacy settings to let users opt out of being listed on locations’ web pages. The site previously allowed users to opt out of being listed in the “Who’s here now” function, but until Tuesday that button didn’t apply to the listing of “Who’s checked in there.”

“I’m trying to be white-hat,” Andersen said. “It definitely felt icky at times.”

Andersen confirmed the validity of his script’s findings by checking the results with people he knew. And even though his groups of friends “live in a data mining culture,” the findings didn’t sit well with all of them.

“Some were grossed out by it, and a couple of people stopped using Foursquare,” Andersen said. “One had a stalker and got creeped out by it.”

Foursquare declined to respond to two e-mail requests for comment, but in an e-mail to Andersen, Foursquare programmer Jon Hoffman thanked Andersen for bringing the issue to the company’s attention.

“The privacy leak on the venue page was something that was overlooked when we added privacy-protection features to the ‘who’s here now’ section of the venue page on the mobile clients (the data that’s exposed via the API),” Hoffman wrote Tuesday morning. “There already is a privacy toggle on the /settings page to control privacy for that feature, but it did not extend to the ‘who’s been here’ section of the venue page on the website. We’ve recently locked down the ‘who’s been here’ section so that it respects the ‘Who’s here’ privacy toggle.”

While Jesper praised the company for its speed in handling the privacy leak report, he’s less enthusiastic about the solution.

“It’s not clear that users will really understand that,” Jesper said, referring to the new check box. “I certainly haven’t seen a drop-off in check-in collections.”

By default, Foursquare users are included in both the lists of who is currently at a location and who has visited it, and the company did not tell its users Tuesday of the privacy leak or the changes.
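The bug Hoffman describes is a classic one: the privacy check was applied on one code path (the mobile “who’s here now” API) but not on another that rendered the same data (the website’s “who’s been here” grid). The following is an added illustration, not Foursquare’s code; the `User`, `Checkin` and `render_*` names, the sample check-ins and the three-hour “here now” window are all assumptions for the example.

```python
"""Added example (not Foursquare's code): the venue-page privacy gap.

The mobile API path honoured the user's privacy toggle, but the website's
"who's been here" grid was built from the raw check-in list. The fix routes
every venue-page section through one authorization function.
"""
from dataclasses import dataclass

GRID_SIZE = 50  # the venue page shows the 50 most recent check-in photos


@dataclass(frozen=True)
class User:
    name: str
    photo: str
    hide_from_venue_lists: bool = False  # the /settings privacy toggle


@dataclass(frozen=True)
class Checkin:
    user: User
    venue: str
    ts: int  # constructed timestamp, seconds


def visible_checkins(checkins, venue):
    """Single authorization point: drop check-ins by users who opted out."""
    return [c for c in checkins
            if c.venue == venue and not c.user.hide_from_venue_lists]


def whos_here_now_api(checkins, venue, now, window=3 * 3600):
    """Mobile API section: already filtered by the toggle before the fix."""
    return [c.user.name for c in visible_checkins(checkins, venue)
            if now - c.ts <= window]


def render_been_here_vulnerable(checkins, venue):
    """Website grid before the fix: filtered by venue only, toggle ignored."""
    recent = sorted((c for c in checkins if c.venue == venue),
                    key=lambda c: c.ts, reverse=True)[:GRID_SIZE]
    return [c.user.photo for c in recent]  # real page shuffles positions


def render_been_here_fixed(checkins, venue):
    """Website grid after the fix: same authorization point as the API."""
    recent = sorted(visible_checkins(checkins, venue),
                    key=lambda c: c.ts, reverse=True)[:GRID_SIZE]
    return [c.user.photo for c in recent]


def leaked_users(checkins, venue):
    """Audit helper: opted-out users whose photo the vulnerable grid shows."""
    shown = set(render_been_here_vulnerable(checkins, venue))
    return sorted({c.user.name for c in checkins
                   if c.venue == venue and c.user.hide_from_venue_lists
                   and c.user.photo in shown})


# Constructed sample data: alice has opted out, bob has not.
ALICE = User("alice", "alice.jpg", hide_from_venue_lists=True)
BOB = User("bob", "bob.jpg")
SAMPLE = [Checkin(ALICE, "ferry-building", 1000),
          Checkin(BOB, "ferry-building", 1100),
          Checkin(BOB, "other-venue", 1200)]
```

Running `leaked_users(SAMPLE, "ferry-building")` against the vulnerable renderer is the kind of check that would have caught the gap before the website shipped a second, unfiltered view of the same data.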


Malware Threatens to Sue BitTorrent Downloaders


A new malware scam is trying to dupe BitTorrent users into coughing up serious cash for illegally downloading copyrighted material.

The code displays a box with the message “Warning! Piracy detected!” and opens a web page purportedly run by a Swiss company “committed to promoting the cultural and economic benefits of copyright.”

The fake company, the ICCP Foundation, also claims to be backed by the Recording Industry Association of America, the Motion Picture Association of America and others. “It appears to scan the user’s hard drive for .torrent files and displays these as ‘evidence’ of an earlier infringement,” wrote TorrentFreak, which first disclosed the malware.


Victims are warned of possible imprisonment and fines, and given the option of “settling” the “case” for a one-time payment of $400, by credit card.

The scam seems intended to capitalize on the recent news that an independent filmmakers association is targeting thousands of BitTorrent users in federal lawsuits, with the aim of reaching quick settlements.


Computer ‘Glitch’ Grounds Air Traffic

The Federal Aviation Administration blames an unspecified computer glitch for commercial flights being canceled or temporarily delayed Thursday.

The glitch was related to a key FAA flight-processing system, according to ABC News. The problems were first reported at Hartsfield-Jackson Atlanta International Airport.

The FAA system that was affected is said to be in Atlanta and is called the National Airspace Data Interchange Network, or NADIN.

The system electronically transmits pilot flight plans to air traffic controllers, providing them with information about the route and altitude a flight will take. Without the system, pilots were required to record their flight plans manually, causing delays.

Air traffic controllers are also spacing out departing flights by 20 miles instead of the normal 8 miles, which left New York airports operating at about 50 percent of their usual capacity, other news outlets reported.

The problematic computer system generates flight plans primarily for flights on the East Coast, and the FAA said that due to the glitch, flight plans were being processed through another system in Salt Lake City instead.

UPDATE: The FAA said the problem was fixed by 10 a.m. EST. The Associated Press has reported that in addition to the system for processing flight plans, the FAA systems that provide information on weather and wind speeds at airports also malfunctioned.

Woman Loses Job Due to Error in FBI Criminal Database


A Maryland woman lost her accounting job after a background check performed through the FBI’s criminal database indicated, erroneously, that she was unsuitable for the job, according to the Baltimore Sun.

Eschol Amelia “Amy” Studnitz had been working for Corporate Mailing Services since August 2008 as a senior accountant.

Last July, after CMS won a contract to handle mail for the Social Security Administration, the administration performed a routine background check on Studnitz and other CMS employees, who needed a low-level security clearance to work on the contract. The SSA subsequently sent CMS a letter stating that the background check showed Studnitz was “unsuitable” to work on the contract. The SSA letter didn’t say what the background check had uncovered.

Rather than simply keep her off the contract, CMS decided to fire Studnitz. The company gave her just a few minutes to leave its offices.

Studnitz maintained that she had no criminal history and, indeed, the only court record the Baltimore Sun was able to uncover on her was a civil case related to a $11,676 judgment that a nursing home had been awarded in 2005. Studnitz told the paper this actually involved a suit against her late father’s estate.

About two weeks later, the Social Security Administration sent a letter to CMS backing her claim of innocence. The letter said Studnitz had passed a pre-screening check and could work on the SSA contract pending a final determination. It made no mention of the previous letter that claimed she was unsuitable.

That should have settled the matter. But instead of reinstating her in her job, CMS told her to re-apply for her position. After she did so, the company wrote back saying it was reorganizing the department and would get back to her. The company finally sent her a letter last week saying it had no intention of restoring her job.

The company claimed it had uncovered some problems that would be “detrimental” to her performing her job successfully. The company said she had failed to process some invoices or bill customers at new rates after they’d been raised. Studnitz has disputed the claims.

Studnitz has since learned that an unspecified error in the FBI’s National Criminal Information Center database was the cause of the SSA’s initial determination that she was “unsuitable.” The NCIC database is a repository for criminal records and information on fugitives, stolen property and missing persons. Information is fed to the database from local, state, and federal law-enforcement agencies around the country. Canada uses the database to refuse border entry to anyone with a criminal record.

Studnitz is now considering a lawsuit. Since losing her job, she has not been able to find a new position anywhere. She has fallen behind on her mortgage payments and recently received a shut-off notice from her local utility company.

Photo of NCIC database servers courtesy FBI


‘Known Software Bug’ Disrupts Brain-Tumor Zapping


The maker of a life-saving radiation therapy device has patched a software bug that could cause the system’s emergency stop button to fail to stop, following an incident at a Cleveland hospital in which medical staff had to physically pull a patient from the maw of the machine.


The bug affected the Gamma Knife, a device resembling a CT scan machine that focuses radiation on a patient’s brain tumor while leaving surrounding tissue untouched. A patient lies down on a motorized couch that glides into a chamber, where 201 emitters focus radiation on the treatment area from different angles. The patient wears a specialized helmet screwed onto his skull to ensure that his head doesn’t move and expose the wrong part of the brain to the machine’s pinpoint tumor-zapping beams.

Courtesy NRC

Positioning is vital in the procedure, so when the couch moved out of position during a treatment at a university hospital in Cleveland last December, staffers hit the “emergency stop” button, expecting the couch to pull the patient out of the Gamma Knife, and the radiation shields at the mouth of the machine to automatically close. Instead, according to a report eventually filed with the Nuclear Regulatory Agency, nothing happened.

“Staff had to manually pull out the couch from the Gamma Knife and manually close the doors to the Gamma Knife to shield the source,” reads the report, which states that neither the patient nor the workers were harmed. “Radiation exposure to all individuals involved with the incident was minimal.”

When the hospital called the company that makes the Gamma Knife, it learned that there was a “known software bug problem” affecting the unit’s couch sensors. Known, anyway, to the company, Stockholm-based Elekta AB.


Minnesota Court Orders Release of DUI ‘Breathalyzer’ Source Code

Drunken-driving convicts in Minnesota are intoxicated over a recent state high court ruling allowing defense experts to examine the source code of breath-testing machines.

The legal brouhaha concerns the court’s position that drunk drivers have the right to examine the evidence against them. But the company that supplies the state with breath-testing machines, CMI of Kentucky, isn’t forking over the code and is declaring it a trade secret — threatening thousands of DUI convictions.

Princeton computer science whiz Ed Felten and others point out the conundrum.

“The problem is illustrated nicely by a contradiction in the arguments that CMI and the state are making. On the one hand, they argue that the machine’s source code contains valuable trade secrets — I’ll call them the ’secret sauce’ — and that CMI’s business would be substantially harmed if its competitors learned about the secret sauce,” Felten writes on the Freedom to Tinker blog. “On the other hand, they argue that there is no need to examine the source code because it operates straightforwardly, just reading values from some sensors and doing simple calculations to derive a blood alcohol estimate.”

The state and CMI are involved in a separate legal flap about whether the maker of the Intoxilyzer 5000EN should turn over the code to the state.

Still, internet security guru Eric Rescorla points out another problem: that an examination of the source code may not help determine whether the machines are reliable.

“Stepping up a level, it’s not clear what our policy should be about how to treat evidence from software-based systems; all software contains bugs of one kind or another (and we haven’t even gotten to security vulnerabilities yet). If that’s going to mean that all software-based systems are useless for evidentiary purposes, the world is going to get odd pretty fast,” he writes on Educated Guesswork.

What’s more, an analysis of the source code of the Draeger Alcotest used in New Jersey found frightening software errors as well. But that state’s high court last year ruled against challenges questioning the machines’ veracity.

“Despite the clear errors in the machine,” Evan Levow, a New Jersey drunken-driving defense attorney said in a telephone interview, “the Supreme Court in New Jersey found the Alcotest to be reliable.”

Undersea Cables Likely Down for Another Week


The four undersea cables that were severed in the Middle East last week are under repair and could take up to a week before they’re fixed, according to a BBC report.

Three of the cables are presumed to have been damaged by a ship’s anchor or a trawling net; the fourth cable to Malta may have been damaged by an earthquake.

The SMW3, SMW4 and FLAG cables were all damaged within 40 minutes of each other last Friday, and the fourth cable, the Seabone owned by GO, went down several hours before.

A robot is searching for the severed ends in an undersea trench, and once they’re found they’ll be brought up to a ship and repaired — an operation that involves soldering thousands of tiny fibers through a microscope and then testing each one to make sure it’s working.


Undersea Cables Cut; 14 Countries Lose Web — Updated


Reports from the Mediterranean indicate that two of the undersea cables severed and repaired earlier this year have been cut again, disrupting internet access and phone service between the Middle East, Europe, and parts of Asia. An additional third cable is down in the same region.

The cuts are causing traffic to be re-routed through the United States and elsewhere.

Egypt’s communications ministry tells the Associated Press that the outage has almost completely killed internet services throughout Egypt.

A second report indicates that the three cables that are out include the SEA-ME-WE 4 cable (also known as SMW4), which went out at 7:28 a.m. local time Friday morning; SEA-ME-WE 3, which went down at 7:33 a.m.; and the FLAG EA cable, which went out at 8:06 a.m. The cables were cut in the region where they run under the sea between Egypt and Italy. They carry an estimated 90 percent of all data traffic between Europe and the Middle East. SMW 3 and SMW 4 are owned by groups of phone companies; FLAG is owned by Reliance Globalcom.

The SMW 4 and FLAG cables were among five undersea cables damaged earlier this year in January and February in the Mediterranean, launching a flurry of conspiracy theories before investigations revealed that at least one of the cuts was caused by a ship’s anchor. When those cables went down, SMW 3 was used to re-route traffic. But this time, SMW 3 is reportedly involved in the outage as well.

A France Telecom report listed 14 countries affected by the current problem. The Maldives are 100 percent down, followed by India, which has 82 percent disruption. Qatar, Djibouti and the United Arab Emirates were the next most widely affected areas with about 70 percent service interrupted. Disruptions for Saudi Arabia, Egypt and Pakistan range from 51 percent to 55 percent.

UPDATE: As reader Julian Borg Barthet notes in the comments section, a fourth undersea cable went out Thursday evening in the same region. The cable, the Seabone, is operated by GO and runs between Malta and Sicily. According to the Times of Malta, GO transferred traffic to a second cable operated by Vodafone. It was the second time in four months that the Seabone cable had failed.


VeriSign and ICANN Square Off Over the DNS Root

The internet has a huge security problem that’s temporarily fixed with bent paperclips and some gaffer’s tape. Without concerted effort, hackers could easily spoil what little confidence remains in the internet.

In fact, cyber-criminals are already exploiting the Domain Name System hack uncovered by security researcher Dan Kaminsky this summer, essentially setting up fake banking websites that users reach by typing in their bank’s real domain name. (That’s according to research by Georgia Tech’s David Dagon and Internet Systems Consortium’s Paul Vixie.)

That’s why the U.S. government finally put out a call Thursday for comments on whether the net as a whole should adopt new security protocols called DNSSEC, and asking who should have the privilege of controlling the master keys.

Two longstanding net infrastructure rivals, ICANN and VeriSign, each want the job.

Internet experts are siding overwhelmingly with ICANN, arguing that the crucial responsibility of making sure users can trust the technical equivalent of the internet’s phone book belongs in the hands of the net’s main oversight body.


McCain Uses Walter Reed Middle School, Not Army Hospital, as Backdrop

John McCain accepts the Republican party’s nomination to be its presidential candidate at the Xcel Energy Center in St. Paul, Minnesota. Projected behind him on the 51.6 by 30 foot video wall is the Walter Reed Middle High School in North Hollywood. Was it meant to be the Walter Reed Army Medical Center in Washington, DC, which takes care of injured veterans?
Photo: Associated Press/Ron Edmonds

In the run-up to the 2008 Democratic National Convention, Barack Obama was mocked mercilessly by John McCain’s campaign staff for the grandiose stage set-up where he was scheduled to accept his party’s presidential nomination.

Now it’s the Democratic bloggers’ turn.

Some watching McCain’s nomination acceptance speech Thursday night wondered whether he was asking to be mocked when the screen turned green behind him as he spoke.

McCain became the butt of jokes online and on The Colbert Report this June after delivering a speech in Louisiana where the stage backdrop was a nauseating green. That spawned Stephen Colbert’s “Green Screen Challenge” to make McCain’s presentation more exciting. Some of the rather entertaining results can be seen below.

This time around, the green that television viewers saw behind McCain was actually the lawn of the Walter Reed Middle High School in North Hollywood, the name of which can be seen faintly in this picture.

While the giant Hibino video screen was probably meant to give all the delegates within the stadium a sense of context for the proceedings, for many it turned out to be a giant distraction for television viewers.

As some posters on this audio visual experts’ forum note, the stage designers probably should have thought more about how the background screen would affect television viewers’ experience of the speeches during close-up shots since they’re the prime audience.

And as for the use of Walter Reed Middle High School’s image in the background? Neither the McCain campaign nor the convention organizers could be reached at the time of this posting. Bloggers suspect that the image that was meant to have been projected was the Walter Reed Army Medical Center in Washington, DC, which would have made more sense since McCain spent a good deal of time talking about his injuries in Vietnam.

The high school’s principal Donna Tobin declined to comment about the use of the school’s image, but issued this statement, suggesting that she wasn’t happy about it, on the school’s blog:

“It has been brought to the school’s attention that a picture of the front of our school, Walter Reed Middle School, was used as a backdrop at the Republican National Convention. Permission to use the front of our school for the Republican National Convention was not given by our school nor is the use of our school’s picture an endorsement of any political party or view.”

Nevertheless, it’s probably the McCain campaign that’s having the last laugh.

Green screen or no, television audience measurement firm Nielsen says that the final night of the Republican National Convention drew 500,000 more viewers than Obama’s spectacularly-staged nomination speech did: More than 38.9 million people watched McCain’s speech while 38.4 million viewers watched Obama on the final night of the Democratic National Convention.

Update: Josh Marshall has an update here.