Blancer.com Tutorials and projects

This iPad security breach story from last week continues to spin way out of control, and in our opinion fingers are being pointed in the wrong direction. The FBI is investigating the incident, and a few hours ago AT&T finally communicated with customers to tell them about the breach (I’ve reprinted the AT&T email below).

Here’s what happened: Goatse Security discovered a rather stupid vulnerability on the AT&T site that returned a customer email if a valid serial number for the iPAD SIm card was entered. An invalid number returned nothing, a valid number returned a customer email address. Goatse created a script and quickly downloaded 114,000 customer emails. They then turned all that over to Gawker, after, they say, AT&T was notified and the vulnerability was closed. Gawker published some of the data with the emails removed. Says Goatse: “All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word.”

AT&T is characterizing the incident as “unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service.”

We don’t see much hacking here, and we don’t see anything really malicious. AT&T was effectively publishing the information on the open Internet, and if there’s an FBI investigation, it should be focused on them, not Goatse. The fact is that Goatse was performing a public service by discovering and publishing the vulnerability – they made the Internet slightly safer by doing so. I agree completely with their blog post responding to the AT&T letter. Unless additional facts come out suggesting that Goatse has used the information inappropriately, such as selling it, or has otherwise done some bad act hasn’t yet been alleged, they are completely in the right here.

In fact, companies like AT&T should offer people a reward for discovering vulnerabilities like this, although they’d probably ask that the information be given to them privately after discovered. But by shaming AT&T publicly other companies may take security marginally more seriously, which is good for users. And AT&T customers need to know that AT&T is so careless about security.

Se we’re doing something we’ve never done before – awarding Goatse a Crunchie award for public service – a beautiful 14 inch tall custom designed gorilla statue celebrating technology. Until now we’ve only given these awards at our annual Crunchies award ceremony.

Here’s the AT&T email:

June 13, 2010

Dear Valued AT&T Customer,

Recently there was an issue that affected some of our customers with AT&T 3G service for iPad resulting in the release of their customer email addresses. I am writing to let you know that no other information was exposed and the matter has been resolved. We apologize for the incident and any inconvenience it may have caused. Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence.

Here’s some additional detail:

On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service. The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the email address associated with the ICC-ID already populated on the log-in screen.

The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity.

As soon as we became aware of this situation, we took swift action to prevent any further unauthorized exposure of customer email addresses. Within hours, AT&T disabled the mechanism that automatically populated the email address. Now, the authentication page log-in screen requires the user to enter both their email address and their password.

I want to assure you that the email address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your email, and any other personal information were never at risk. The hackers never had access to AT&T communications or data networks, or your iPad. AT&T 3G service for other mobile devices was not affected.

While the attack was limited to email address and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email. You can learn more about phishing by visiting the AT&T website.

AT&T takes your privacy seriously and does not tolerate unauthorized access to its customers’ information or company websites. We will cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law.

AT&T acted quickly to protect your information – and we promise to keep working around the clock to keep your information safe. Thank you very much for your understanding, and for being an AT&T customer.

Sincerely,

Dorothy Attwood
Senior Vice President, Public Policy and Chief Privacy Officer for AT&T

As we all know by now, comments on the Internet are a fascinating thing. My favorite involve the word “fanboy.” Generally speaking, it means you write (stories, tweets, whatever) about a certain topic with a positive angle. It’s meant to be derogatory, but the truth is that it’s so overused that it’s almost completely meaningless. But for the sake of this post, I’ll play ball. I have a confession to make: I’m a fanboy.

Now, I didn’t say specifically what I’m a fanboy of, because there have been too many titles bestowed upon me over the years. At various points over just the past few months, I’ve been an Apple fanboy, a Google fanboy, a Twitter fanboy, a Facebook fanboy, a Foursquare fanboy, a Gowalla fanboy, and yes, even a Microsoft fanboy. Never mind that most of companies compete with one another, so it would be hard to be a true fanboy of multiple ones without misrepresenting your fanboydom of a few of the others. We’ll just say I’m a fanboy and leave it at that. And that leaves me wondering: why wouldn’t you want to be a fanboy?

To me, the diluted version of the term means that you’re passionate about a certain technology. And isn’t that why any of us do what we do? Sure, you’ll throw the term “objective journalism” at me, but what does that really mean? Is any journalism truly objective? Every human being has an opinion one way or another about everything. Objective journalism is simply the practice of suppressing that opinion. For certain news fields, like politics, I see the value in that (at times). For technology, I’m not sure that I do.

If I’m reading about a new technology, I want to know what the author actually thinks. Take a new tech product for example, I want to know if an author thinks it’s any good or not. Or a new startup — same thing. Or some move a big technology company is making. It’s all the same. If I wanted a completely objective take on the story, I’d read the press release or the spec sheet. Actually, no I wouldn’t. Those are usually more full of bullshit than even the most biased reporting (wait, my laptop is supposed to have 12 hours of battery life on a single charge — it says so right there).

Others will say that the term fanboy doesn’t just mean you love something — it’s that you love something and are unfair against its competitors because of that love. That’s the only way I can explain the angry comments when I write posts with the headlines “An iPhone lover’s take on…” “Your bias is obvious!” the commenters will shout. Well yes, I put it in the title. How observant.

But that’s the funny thing about being a fanboy — you can be a fanboy of anything. You can switch your alliances at a moments notice. There is nothing tying you to the love of a certain product. As I’ve written numerous times before, in the 1990s I would have been called a Microsoft fanboy — I loved Microsoft products and hated Apple ones. Today, I’m called an Apple fanboy. Times change. And they’ll change again.

As always, my only requirement for being a fanboy of a product is that it has to (in my mind) be the best. Right now, in some cases those are Apple products. In some other cases, those are Google products. In some other cases, it’s Twitter. Etc…

Angry commenters seem to want to believe that you can’t actually just like a product. There has to be some ulterior motive. Either you’re paid off, or you’re just blind. Or both. It’s simply an easier (non) argument to make than having an actual discourse.

Make no mistake, those people are fanboys too — but worse. They feel the subject of their adulation is under attack, so they become rabid. But I’ll repeat that I think overall this is a good thing. Balance and all that.

In closing, let me state again for the record that I’m fine with the fanboy label. Apple fanboy, Google fanboy, Twitter fanboy, etc — those are all appropriate and welcomed. But it may be easier (and less contradictory) to just say that I’m a fanboy of good products. And I always will be.

[photo: flickr/terryjohnston]

I get the feeling that we have just participated in a dare — or the indulgence of a delusion. What else could explain the utterly insane spectacle that just took place in Galen Center here in LA? We were promised an experience. I experienced something, all right. Not something I’m in a hurry to experience again, I’m afraid.

Those of you who weren’t present for this indecipherable boondoggle are probably wondering what the fuss is all about. The fact is there’s no fuss at all; the Project Natal Experience was a complete non-event — and I’d have said that even if the device, name, and launch titles didn’t all leak a couple hours before the show. But the fact also is that this was just too weird not to share. In detail. Do you like to read? Good.

Continue reading…

(Psssst. I’m leaving …)

Yelp co-founder and CTO Russel Simmons, pictured here (left) with fellow co-founder and chief exec Jeremy Stoppelman, is leaving the company. Simmons will be transitioning to an advisor role and take some time off to travel, we’ve confirmed with the company.

Stoppelman and Simmons were both early software engineering employees at PayPal and went on to brainstorm new Internet startup ideas at a business incubator not long after the company was acquired by eBay.

Out came Yelp, which first started as an email recommendation service, was transformed to become a local business review site for the San Francisco area in October 2004 and has now grown into an international network that receives some 31 million unique visitors per month.

Six years later, Simmons is now transitioning to an advisor role at Yelp, we’re told.

Stoppelman says Simmons remains a “significant” shareholder in the company and will continue to provide support and advice as needed. No word on replacement yet.

As for what’s next for Simmons: first, some “much deserved time off to travel” and then probably yet another startup, likely as a founding member.

Yelp has raised $56 million in venture capital to date, from investors like ex-PayPal exec Max Levchin, Bessemer Venture Partners, Benchmark Capital and DAG Ventures. Elevation Partners earlier this year said it would be investing up to $100 million in the Internet company – so far it has injected 1/4 of that.

Late last year, we heard from reliable sources that Yelp was in acquisition talks with Google regarding a whispered $550+ million buy-out agreement. Later, we learned that Stoppelman walked away from the all-but-signed deal to move forward with the company on its own.

(Picture via Fast Company, photograph by Dan Escobar)

This story fascinates me on so many levels. Here are the basic facts: Zynga has been moving its games off of the Tagged social network and encouraging users to migrate to Facebook. Earlier this month Zynga gave out a special code to Mafia Wars users on Tagged that would give them $120 worth of currency on Facebook when they completed the migration. But Zynga didn’t cap the number of people that could use the code, and the form for entering it didn’t give users much of idea what it was for anyway. So word spread, and tens of thousands of users entered the code and grabbed the loot. Somewhere around 100,000 people used the code.

When Zynga realized what was happening they shut down the code. But then they went one step further and rolled back the accounts for every user who entered it at least 24 hours, removing the free currency but also deleting any actions the users took to move their accounts forward during that period. Users complained on the Zynga forum but those complaints were deleted. Zynga also posted the notice below on their forum and then later deleted that too.

When Zynga continued to ignore users they started emailing us instead. Emails thousands of words long came in containing the kind of bitter passion that you usually only see when we say something mildly critical about the iPhone. Some users are saying that they are going to do a credit card charge back on money they’ve previously spent on Zynga games. Others say they’re leaving to try one of the many competitors. Etc.

What really seemed to make the users angry is the tone Zynga used in communicating with them:

Your account was determined to have attempted to use an unauthorized redemption code that would result in $120 worth of Reward Points.
As a result of this action, your account has been reverted to its status as of 5am PST on Tuesday June 8th.

and

Attention:

Our records indicate you have redeemed Rewards Points using an exploit. Please note that future use of exploits may result in disciplinary actions, up to and including the permanent banning of your account.

We will keep your account active at this point, but have rolled back your account to 06/08/2010, the date prior to the redemption of these unauthorized Reward Points.

If you have any questions, please email [email protected]. We will respond to your inquiry in 72 hours.

Thank you,
The Mafia Wars Team

Remember that this is just fake money to buy fake stuff on Mafia Wars that costs Zynga nothing to create. The code was created by Zynga and distributed without any technical restrictions on its use (meaning anyone could use it).

In other words, Zynga screwed up. But it didn’t really cost them anything since it’s all virtual goods. It seems like the smart thing to do would be to simply turn the code off and move on with their lives. But instead the Zynga team really seemed to think that they had been wronged by their users, and took proactive steps to punish and frustrate them. Instead of seeing passionate users engaging with the game, Zynga saw people trying to take advantage of them and responded by going on the attack. Terrible move. These are your customers, not your enemies.

Another observation: Zynga users are more passionate about this stuff than I thought, and while I don’t understand that it does help me understand that the science and psychology behind these games is very real. They are addictive money extraction machines.

Here’s Zynga’s official statement on this: “Last week we uncovered a technical issue with a Mafia Wars redemption code during the migration process of two of our networks. In order to protect the integrity of the game and level the playing field for the rest of the community, we rolled back those involved users to a previous save. Less than half a percent of Mafia Wars players were affected.”