Jeff Ventura - surprisingly has never been called 'Ace' before.
Filed under

security

 

Online banking: avoid MS Windows

An investigative series I've been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud.

The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online.

That speaks volumes.

Filed under // finance, microsoft, security, technology

Microsoft .NET Framework Assistant update secretly installs Firefox extension

Community backlash is building against a routine .NET Framework update for Microsoft Windows that quietly installs a browser add-on for users who surf the Web with Mozilla’s popular Firefox browser.  From WaPo’s Brian Krebs:

I'm here to report a small side effect from installing this service pack that I was not aware of until just a few days ago: Apparently, the .NET update automatically installs its own Firefox add-on that is difficult -- if not dangerous -- to remove, once installed.

Annoyances.org, which lists various aspects of Windows that are, well, annoying, says "this update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC." I'm not sure I'd put things in quite such dire terms, but I'm fairly confident that a decent number of Firefox for Windows users are rabidly anti-Internet Explorer, and would take umbrage at the very notion of Redmond monkeying with the browser in any way.

Big deal, you say? I can just uninstall the add-on via Firefox's handy Add-ons interface, right? Not so fast. The trouble is, Microsoft has disabled the "uninstall" button on the extension. What's more, Microsoft tells us that the only way to get rid of this thing is to modify the Windows registry, an exercise that -- if done imprecisely -- can cause Windows systems to fail to boot up.

The Firefox extension is delivered through an update to Microsoft .NET Framework.  Once installed, it seems to be difficult to remove depending on your Firefox browser version and other factors, as the in-browser Uninstall button is disabled.  Manual removal instructions – which aren’t for novice users, as they involve some registry hacks – are here.

On my browser, Firefox 3.0.10, the add-on is present and uninstallable via the browser, although I can kill the extension through Add/Remove Programs.  Other reports suggest that there is a 1.1 version of this .NET Framework Assistant that allows the add-on to be removed directly within Firefox.

Questionable design decisions here.  Microsoft wants people to update their systems automatically, which requires implicit trust.  When an OS vendor starts shipping unpublished modifications to competing browser platforms, it’s a great way for users not to trust your updates.

If the functionality is important, then publish what you’re doing and explain why – provide notice and set context.  Don’t assume you have the rights to do what you want to a user’s applications, regardless of your intent.  As an OS vendor, this sort of thing isn’t tolerated well.  A simple Google search gives you the zeitgeist opinion of the situation, and it’s not what I would want to see.

(Crossposted from Unfiltered)

Filed under // firefox, microsoft, security

Be Careful: Fake IRS Spam in the Wild

I just had a pretty scary piece of spam show up in my inbox. It appears to be from the IRS, implicates my employer, and comes immediately on the heels of the US tax season. All in all, very well socially-engineered.

Long story short, it's spam, but you need to be careful. There's more where it came from. More details here.

Filed under // security, technology

Fun: Domain Name Spam

I found an interesting spam email in my inbox this morning that's basically a personalized approach that hints at a risk to an online trademark (domain name) due to a foreign application being made for the trademark name in country-specific versions (.asia, .biz, .cc, .cn, .com.cn, .hk, etc.).  It looks valid enough to hook a reader at first glance, and only when some research is done do you discover what it's all about.

This approach is obviously personalized to the owner/manager of a commercial Internet brand and hints at risk to our online trademark (miproconsulting) due to a foreign application being made for our trademark name in country-specific flavors (.asia, .biz, .cc, .cn, .com.cn, .hk, etc.).  Being the nice foreign domain registrar they are, the sender of this message, SK Holdings, is asking us if we want to do business with them and secure all of the miproconsulting variants listed below so that we can protect our Internet brand from this foreign applicant.

This is pretexting: it takes a known fact or truism about an individual or business and uses that piece of information to get someone to divulge information or carry out some other action.  In this case, the spammer wants the victim to purchase the extended domain names before the foreign applicant does, thereby allowing the victim to protect his Internet trademark.  Not exactly the most aboveboard way to do business, but it is clever.  I'll grant them that.

(crossposted at clusterflock)

Filed under // internet, security, technology

Security v. Privacy

Bruce Schneier pens another fantastic essay that sums up post-9/11 politics as, essentially, security versus privacy.  Most notable for me is the following, as I've always felt that the "measures" the TSA takes to "ensure security" are, quite bluntly, almost entirely worthless (unless they're aiming to diminish personal privacy, in which case they succeed spectacularly):

Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and -- possibly -- sky marshals. Everything else -- all the security measures that affect privacy -- is just security theater and a waste of effort.

By the same token, many of the anti-privacy "security" measures we're seeing -- national ID cards, warrantless eavesdropping, massive data mining and so on -- do little to improve, and in some cases harm, security. And government claims of their success are either wrong, or against fake threats.

The debate isn't security versus privacy. It's liberty versus control.

Like everything else that comes about as a result of a jarring catalyst or intense politics, the urge to overcorrect and overthink in the spirit of covering all the bases cannot be repressed.  And here, especially with regard to security measures, that's proven to be true.

If you are someone who believes that your trek to a mountaintop is at hand to avoid the advent of an Orwellian worldstate, well, your ship has come in:

In order for cyberspace to be policed, internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer or Web search. "Google has records that could help in a cyber-investigation," he said. Giorgio warned me, "We have a saying in this business: 'Privacy and security are a zero-sum game.'"

That's Director of National Intelligence Michael McConnell talking about the police state he envisions without using the words police state.

If all this doesn't scare the living bejeezus out of you, nothing will.

As Schneier notes in closing, perhaps this famous quote attributed to Benjamin Franklin sums all of this up best, especially with respect to how it relates to liberty (which is getting lost in the whirlwind):

"Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety."

[Thanks to DF for the tip]

Filed under // internet, security, technology

The Difference Between Security and Privacy

Since these two terms are often tossed about interchangeably, I found this a perfect illustration of the subtle -- but critical -- difference between the two.

[Via A Clever Cookie]

Filed under // security

Sears.com and Kmart.com Install Spyware

Monumental stupidity:

Visiting Sears.com (and Kmart.com) a few weeks ago, I was offered a chance to join My SHC Community, for free, but what I received was, from a privacy perspective, very costly. Sears.com is distributing spyware that tracks all your Internet usage - including banking logins, email, and all other forms of Internet usage - all in the name of "community participation." Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer. In other words, if you have installed Sears software ("the proxy") on your system, all data transmitted to and from your system will be intercepted. This extreme level of user tracking is done with little and inconspicuous notice about the true nature of the software. In fact, while registering to join the "community," very little mention is made of software or tracking. Furthermore, after the software is installed, there is no indication on the desktop that the proxy exists on the system, so users are tracked silently. An interesting note, the spyware Sears distributes is "genetically" related to software CA Anti-Spyware has detected for a few years by the name of MarketScore (and other aliases) and distributed by other websites.

From a marketing perspective, this is a horrible move, and not even the old cliche "bad press is better than no press" can save it. There's no honesty or authenticity here whatsoever. Why do this? What's the sales pitch that convinces Sears and Kmart brass that this is a good idea? Are the execs really that clueless when it comes to web culture? Do they not understand the social nature of the web? Do they not grok that the web is a conversation? Unreal. It's telling that Sears and Kmart think they can fool the community by hiding behind jargon-filled EULAs. Nothing screams "detached from reality" louder than this. How many examples do we need of a watchful community busting a corporation dead in its tracks? Shameful. Sears and Kmart deserve all the heat they take for this. Then again, both companies are trainwrecks (Kmart more so than Sears), so I suppose I should quit acting all surprised. If either of these were my companies, and assuming I had no prior knowledge, the executive responsible for making a decision to pursue something like this would expire immediately.

[Via DF]

Filed under // business, security, technology

Spammers Giving Up? Google Thinks So

I can't say that I've noticed much of a spam decrease across my multiple email accounts.  In fact, if anything, certain types of spam are starting to make their way into my Gmail inbox, whereas before I'd see virtually none.  Spam is cyclical, though: spammers try Method A and largely fail.  They go to Method B, which works for a while then is killed as spam filters learn its hook.  Method C might get nowhere, but Method D might have a short half-life.  And so on.

Regardless, Google thinks spammers are waning, as indicated by the number of spam messages that flow through its Gmail clusters:

But a remarkable trend is underfoot, according to Brad Taylor, a staff software engineer at Google: The number of spam attempts -- that is, the number of junk messages sent out by spammers -- is flat, and may even be declining for the first time in years.

Google won't disclose numbers, but the company says that spam attempts, as a percentage of e-mail that's transmitted through its Gmail system, have waned over the last year. That could indicate that some spammers have gotten discouraged and have stopped trying to get through Google’s spam filters.

I don't know if this means spam attempts are down overall, or spam attempts aimed at Google are down.  There's no doubting the efficacy of Google's filters: they're strong, probably the best I've ever seen.  So perhaps Gmail accounts are starting to be considered a low-return target and spammers are focusing elsewhere.  Hard to say.

Regardless, I don't see spam attempts going down anytime soon.  They're an amazingly low-cost way to hook potential customers, especially those who aren't very technologically literate.  It's a numbers game, and with the increasing spam filter logic found in email clients of all types, spammers are looking at a law of diminishing returns unless they increase the volume sufficiently -- and are clever enough in their spam writing -- to keep their return/hit rates high.

I still can't understand one thing, though.  The spam that does make it through to my various inboxes is so borderline nonsensical, so ridiculous in its syntax and semantics, that I can't believe anyone falls for it.  I suppose that's the social engineering angle: prey upon people's ignorance and unfamiliarity with the medium.  Straight away you lose anyone who's halfway clued-in with a computer, but let's be honest: most people aren't reading blogs, talking about Google, fretting over their OS and wondering how to best read their RSS feeds.  And those people, figure spammers, are their prime demographic.

Filed under // internet, security

Bruce Schneier: the war on different.

If you read any one thing today, read Bruce Schneier's absolutely fantastic essay on how the war on terror has devolved down to the public level, creating a treadmill of amateur, untrained people doing amateur, backyard security.  Every time someone sees something suspicious and reports it -- which is what we're encouraging people to do in the name of a raised public security consciousness -- it often solves nothing.  In fact, it winds up creating a chain-reaction of escalations and CYA gyrations that waste hundreds of police/law enforcement hours and cause massive public discord (closed airports, evacuated buildings, etc.).

The problem is that ordinary citizens don't know what a real terrorist threat looks like. They can't tell the difference between a bomb and a tape dispenser, electronic name badge, CD player, bat detector, or a trash sculpture; or the difference between terrorist plotters and imams, musicians, or architects. All they know is that something makes them uneasy, usually based on fear, media hype, or just something being different. Even worse: after someone reports a "terrorist threat," the whole system is biased towards escalation and CYA instead of a more realistic threat assessment. Watch how it happens. Someone sees something, so he says something. The person he says it to -- a policeman, a security guard, a flight attendant -- now faces a choice: ignore or escalate. Even though he may believe that it's a false alarm, it's not in his best interests to dismiss the threat. If he's wrong, it'll cost him his career. But if he escalates, he'll be praised for "doing his job" and the cost will be borne by others. So he escalates. And the person he escalates to also escalates, in a series of CYA decisions. And before we're done, innocent people have been arrested, airports have been evacuated, and hundreds of police hours have been wasted.

Clear-headed, no-BS essays are the reason I subscribe to Schneier's blog.

Filed under // politics, security, society, technology

Black Suburbans in the President's motorcade.

Ever wonder why they're there? What is their purpose in the motorcade anyway? Hopefully not this, which is way too Jack Bauer for me. On the other hand, wow. Just wow. [Thanks to Leo for the link]

Filed under // cars, politics, security