From: vogelke+unix@pobox.com (Karl Vogel)
To: freebsd-questions@freebsd.org
Subject: Re: Shopping cart other than OSCommerce? [LONG]
Date: Wed, 8 Dec 2010 16:13:25 -0500 (EST)
Organization: Array Infotech
In-reply-to: <001901cb968f$9bef44b0$d3cdce10$@shaw.ca> (dalescott@shaw.ca)
Message-Id: <20101208211326.0C364BFAA@kev.msw.wpafb.af.mil>

>> On Tue, 7 Dec 2010 21:23:04 -0700,
>> "Dale Scott" said:

D> I'll interpret that as saying a large percentage of the PHP apps vying
D> for your attention are crap, but buyer beware. Just be careful, have a
D> healthy level of scepticism, and keep your eyes open.

   Yup.

D> I don't know anything about Facebook other than it's PHP-based, but I'm
D> sure we'd hear about it being hacked on a regular basis if it was.

http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=216403016
Microsoft and Facebook Team Up to Put the Kibosh on Koobface
Mon, 6 Apr 2009

Microsoft and Facebook are working together to protect users from the
Koobface worm. Koobface spreads through Facebook and MySpace social
networking sites and infects users who run vulnerable versions of
Windows. It steals login information so it can hijack accounts and spam
users' contact lists. The spam usually contains a link to what is billed
as a video, but users who click the link are told they must download a
program to watch the clip. If users agree to the download, their
machines become infected with malware. Microsoft has added Koobface to
its Malicious Software Removal Tool (MSRT), which removed nearly 200,000
instances of Koobface from more than 133,000 computers in two weeks.

------------

http://www.theregister.co.uk/2009/05/15/facebook_phishing_scam/
http://technology.timesonline.co.uk/tol/news/tech_and_web/article6294169.ece
Another Phishing Attack Targets Facebook Users
Fri, 15 May 2009

Users of the social networking site Facebook have been subjected to
another phishing attack.
The attackers gained access to the social networking site by using
legitimate user accounts and then directing the contacts of the
compromised accounts to websites containing malicious software. The
attackers ostensibly gained access to the initial accounts by exploiting
easy-to-guess passwords.

------------

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1356896,00.html
IT Managers Feel Pressured to Relax Security Policies
Wed, 20 May 2009

According to a recent survey of 1,300 IT managers, 86 percent said they
were being pressured by company executives, marketing departments, and
sales departments to relax web security policies to allow access to
web-based platforms such as Google Apps. Nearly half of respondents said
some employees bypass security policies to access services like Twitter
and Facebook. More than half of the respondents noted that they lacked
the means to detect embedded malicious code and prevent URL redirect
attacks.

------------

http://www.theregister.co.uk/2009/08/07/twitter_attack_theory/
Attack on Twitter and Facebook Was a "JoeJob"
6-10 Aug 2009

The denial-of-service attacks that hobbled Twitter and Facebook last
week were not conducted through botnets, but instead were the result of
a spam campaign aimed at taking out accounts that belong to a
pro-Republic of Georgia blogger.

------------

http://www.scmagazineus.com/Facebook-to-modify-privacy-practices-after-investigation/article/147556/
http://technology.timesonline.co.uk/tol/news/tech_and_web/article6812783.ece
Facebook Will Strengthen Privacy Practices
27-28 Aug 2009

In response to an investigation launched by Canada's Office of the
Privacy Commissioner, Facebook has agreed to give users more control
about the information they share with third-party applications. The
applications will be required to get permission from users for every
category of personal information they want to access.
In addition, users will have the option to deactivate or even to delete
their accounts. If users delete their accounts, all information
belonging to that user will be deleted from Facebook servers.

------------

http://www.computerworld.com/s/article/9138780/Facebook_Captchas_broken_?source=rss_security
Spammers Break Facebook CAPTCHA
Thu, 1 Oct 2009

Malware purveyors have managed to break the Facebook CAPTCHA (completely
automated public Turing test to tell computers and humans apart),
allowing them to automate the creation of Facebook pages. The malicious
pages are being used to send links to malicious websites that promote
scareware. The pages all have the same photograph, but have different
user names. Facebook is taking steps to identify the rogue pages and
disable them.

------------

http://www.wired.com/epicenter/2010/01/facebook-email/
Rogue Marketers Can Mine Your Info on Facebook
Ryan Singel
Tue, 5 Jan 2010

A marketer can take a list of 1,000 e-mail addresses, either legally or
illegally collected -- and upload those to Facebook through a dummy
account -- which then lets the user see all the profiles created using
those addresses. Given Facebook's ubiquity and most people's reliance on
a single e-mail address, the harvest could be quite rich.

------------

http://www.theregister.co.uk/2010/01/11/facebook_charging_rumour_malfeasance/
http://www.snopes.com/computer/internet/fbcharge.asp
Facebook Group Page Has Links to Malware-Laced Sites
Mon, 11 Jan 2010

Miscreants intent on spreading malware appear to be preying on people's
unfounded fears that Facebook plans to begin charging users for its
services. A Facebook group that appears to offer a place for people to
protest the rumored fees has been shown to contain malware. The group
pages themselves appear to be clean, but link to suspicious sites.
Snopes.com has posted a warning about the deceptive groups and
associated pages.
------------

http://www.pcworld.com/businesscenter/article/191847/facebook_users_targeted_in_massive_spam_run.html
http://news.cnet.com/8301-27080_3-20000682-245.html
Spammers Go After Facebook Users
Thu, 18 Mar 2010

Spammers have been targeting Facebook members with data-stealing
malware. The malicious messages appear to come from legitimate senders,
but the return address is spoofed. The messages tell recipients that
their Facebook passwords have been reset and that they need to download
an attachment that contains the new password. Although many users may
know by now that websites would not reset passwords and email the new
ones, because Facebook's user base is so large, the attackers appear to
be hoping that at least some will fall for the ruse.

------------

http://www.eff.org/deeplinks/2010/04/facebook-further-reduces-control-over-personal-information
Facebook Further Reduces Your Control Over Personal Information
Kurt Opsahl
Mon, 19 Apr 2010

Today, Facebook removed its users' ability to control who can see their
own interests and personal information. Certain parts of users'
profiles, "including your current city, hometown, education and work,
and likes and interests" will now be transformed into "connections,"
meaning that they will be shared publicly. If you don't want these parts
of your profile to be made public, your only option is to delete them.

------------

http://blogs.zdnet.com/security/?p=6304
1.5 million Facebook accounts offered for sale
Dancho Danchev
Sat, 24 Apr 2010

VeriSign's iDefense Intelligence Operations Team has spotted an
underground market ad offering 1.5 million Facebook accounts for sale.
The pricing method is based on the number of contacts per compromised
account, presumably with the idea to allow easier spreading of related
malicious content across Facebook.
------------

http://www.eff.org/deeplinks/2010/05/facebook-should-follow
Facebook Should Follow Its Own Principles
Kurt Opsahl
Thu, 13 May 2010

If you decide to leave by deactivating your account, information is
saved in case you decide to reactivate later. Even if you delete your
Facebook account, you have to wait 14 days and even then Messages and
Wall posts remain. The Facebook Principles are much clearer: Users have
the right to "take [their data] with them anywhere they want, including
removing it from the Facebook Service." Facebook is not living up to its
promises.

------------

http://arstechnica.com/web/news/2010/10/facebook-may-be-making-strides.ars
"Deleted" Facebook photos actually aren't
Ars Technica staff
Tue, 12 Oct 2010

We wrote a piece more than a year ago examining whether photos really
disappear from social network servers when you delete them, and found
that Facebook was one of the worst offenders when it came to leaving
"deleted" photos online. We decided to revisit the issue recently when
readers continued to point out that our deleted photos from that article
were still online more than 16 months later.

------------

http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html
http://www.theregister.co.uk/2010/10/18/facebook_apps_privacy_breach
http://www.bbc.co.uk/newsbeat/11565948
http://www.net-security.org/secworld.php?id=10005
Facebook Faces Another Privacy Breach
Mon, 18 Oct 2010

The privacy of many users on Facebook has been compromised by a number
of popular applications, or apps, used on the social networking site. An
investigation by the Wall Street Journal identified a number of apps
that access Facebook members' personal details, even if their privacy
settings were set to the most restrictive allowed within the social
network.
According to the report, up to 25 advertising and data gathering firms
were exploiting the issue to enable them to access the name of the
persons using certain apps, and in some cases the names of those
persons' friends. One company, Rapleaf, was also found to have combined
the user data accessed in Facebook with its own database of internet
users. Rapleaf admitted that some of this information was also
transmitted to other third parties, but claimed that this transmission
was accidental. Facebook has responded by saying it will implement a
solution to prevent this type of access to user data.

------------

http://blogs.sfweekly.com/thesnitch/2010/10/zynga_facebook_lawsuit.php
http://business.financialpost.com/2010/10/22/13072/
http://www.computerworld.com/s/article/9192862/Rapleaf_says_it_has_fixed_privacy_issue_with_Facebook?taxonomyId=203
Facebook to Employ Encryption to Protect User IDs
Mon, 25 Oct 2010

Facebook says it will use encryption and other data protection measures
following reports that users' data were being shared with third parties.
Facebook policy forbids application developers from sharing Facebook
User IDs (UIDs) with third parties, but the company said that "some
developers were inadvertently sharing [the data] via the HTTP Referrer
header."

------------

http://www.computerworld.com/s/article/9192923/New_Firefox_add_on_hijacks_Facebook_Twitter_sessions?taxonomyId=17
Firefox Extension Makes it Easy to Steal Cookies
Mon, 25 Oct 2010

At the ToorCon 12 conference in San Diego, researchers presented a
proof-of-concept Firefox extension that is capable of stealing session
cookies from Facebook, Twitter and other accounts on unencrypted Web 2.0
sites on open wireless networks.
------------

http://www.bbc.co.uk/news/technology-11665120
Facebook Bans Developers for Selling User IDs
Mon, 1 Nov 2010

Facebook has banned a number of developers from connecting to the social
network for six months after it learned that they had been selling user
information to data brokers.

-- 
Karl Vogel                      I don't speak for the USAF or my company