Yahoo to ignore Microsoft's 'Do Not Track' signal from IE10

Yahoo plans to ignore “Do Not Track” privacy requests sent by Microsoft’s Internet Explorer (IE10) browser, calling its ally’s unilateral decision “signal abuse” and pointing to a possible rift between the search partners.

One Do Not Track (DNT) expert, however, didn’t think Yahoo’s decision, announced last week, would affect its deal with Microsoft.

“I don’t think this is especially significant,” said Justin Brookman, director of consumer privacy at the Center for Democracy and Technology. “Yahoo! is just the biggest individual company to draw this line in the sand. I doubt this will affect their search relationship.” Brookman has been heavily involved in the DNT standard-setting effort.

Dan Olds, an analyst with the Gabriel Consulting Group, agreed. “This won’t rise to the level where it will affect the Yahoo-Microsoft relationship. Companies this large are able to compartmentalize.”

IE10, which launched Oct. 26 alongside Windows 8 and will be released as a preview for Windows 7 by mid-November, is the only browser that has switched on Do Not Track (DNT) by default.

In reality, some argue, IE10 does not actually switch DNT on: In August, Microsoft backed away a step, and promised that during Windows 8 setup, customers will be notified of the impending setting and given a chance to turn it off.

Do Not Track (DNT) signals whether a user wants online advertisers and websites to track his or her movements. Four of the five major browsers—Firefox, IE, Opera and Safari—can now send a DNT signal, while Chrome will include the option by the end of this year. All but IE, however, initially leave it in the “off” position and require users to manually turn on the signal.

Like others—primarily advertisers, but also some browser makers such as Firefox’s Mozilla—Yahoo criticized the on-by-default setting in IE10.

“In principle, we support DNT,” Yahoo said in an unattributed entry on its policy blog Friday. “[But] Microsoft unilaterally decided to turn on DNT in Internet Explorer 10 by default, rather than at users’ direction. It basically means that the DNT signal from IE10 doesn’t express user intent. We will not recognize IE10’s default DNT signal on Yahoo! properties at this time.”

Online advertisers have balked at the idea that browsers can turn on DNT without asking users, essentially hoping that the under-consideration standard will not be widely adopted if the signal must be manually switched on.

Yahoo alluded to that on its blog, saying, “In our view, [IE10’s on-by-default] degrades the experience for the majority of users and makes it hard to deliver on our value proposition to them.”

“Value proposition” clearly refers to the trade-offs—users must accept the targeted ads as the price for receiving free software, services and content—that advertisers say make the Internet what it is. As far as advertisers are concerned, tracking is required to provide targeted ads.

A group composed of advertisers, browser makers, privacy advocates and others have not finalized a DNT standard, even after months of intensive work. The Worldwide Web Consortium (W3C) standards-setting group has, however, preliminarily ruled that browser makers cannot set the DNT signal for users, essentially letting each website decide whether it will acknowledge or ignore IE10’s.

Advertisers recently turned up the rhetoric about DNT. Earlier this month, the Association of National Advertisers (ANA), an industry lobbying group, said Microsoft’s decision would “harm consumers, hurt competition, and undermine American innovation,” and called the on-by-default setting “unacceptable.”

Privacy advocates countered, saying that the ANA’s demands were “bizarre.”

Yahoo’s decision to ignore IE10’s DNT signal is notable because the California company is allied with Microsoft in search. In 2010, the two firms signed a 10-year agreement whereby Yahoo’s search results are fueled by Microsoft’s Bing search engine.

One privacy advocate tied Yahoo’s announcement to the Friday launch of Windows 8. “Hunch: Yahoo walked back its Do Not Track commitment today because of the Win8/IE10 launch,” said Jonathan Mayer on Twitter.

Mayer is a graduate student in computer science and law at Stanford University, and one of two researchers at the school who created the HTTP header implementation that signals a user’s DNT preference.

Microsoft debuted IE10 on Oct. 26 as part of Windows 8. A version of the browser for themuch more popular Windows 7 will reach beta—Microsoft calls that a “preview”—in mid-November. IE10 on Windows 7 will also have the DNT option enabled by default.

“At least Yahoo is honest about why it’s ignoring IE10 Do Not Track,” noted Mayer, also on Twitter, as he quoted the company’s claim that the privacy feature, if turned on, “makes it hard to deliver on our value proposition.”

Also on Friday, Microsoft’s head counsel, Brad Smith, blogged about DNT. Because his comments were based on an Oct. 23 keynote speech at an international conference of data protection and privacy officials, he did not address Yahoo’s move.

In the blog post, Smith defended Microsoft’s decision on IE10 and DNT, citing a survey the company commissioned that said 75% percent of U.S. and European consumers wanted DNT switched on by default.

(Smith’s Oct. 23 keynote presentation can be found on the Microsoft website ( download PDF).

Smith also urged all browser makers to “clearly communicate to consumers whether the DNT signal is turned on or off, and make it easy for them to change the setting,” a reference to Windows 8’s notice during setup.

Olds saw Yahoo’s statement as giving it an out, noting that the explicit reason it gave was due to the lack of a clear and comprehensive standard, and that the company used the phrase “at this time” in its statement.

He predicted that Yahoo would get more attention, virtually all negative, for ignoring IE10’s DNT preference than it had when it announced last March that it would support the standard.

And there will be more tussling, not less, over DNT as time goes by, both Brookman and Olds forecast.

“The most interesting question in all this is how Microsoft responds to companies that reject their DNT instructions,” said Brookman. “They can’t just sit back and let their users’ privacy settings be ignored—they would lose credibility with their customer base.”

“This topic is not going to go away,” Olds prognosticated. “As tracking becomes even more sophisticated, it will be a much bigger issue as advertisers use big data along with other information they’ve gleaned on you. It’s going to really start crossing the creepy threshold.”

Brookman sees the possibility of a full-fledged war between browser vendors and online advertisers if Microsoft responds by, for instance, blocking ads from domains that don’t honor its IE10 signal.

“DNT was really designed to prevent this sort of user-browser-advertiser war … but I know most of the browser makers are getting increasingly skeptical about how ad networks are going to honor the signal,” said Brookman. “Escalated warfare may be inevitable.”

Microsoft did not respond to a request for comment on Yahoo’s announcement.

Source: pcworld.com

Read More

Tumblr takes a tumble, stumbles back to life

Tumblr is back online after an hours-long outage Friday morning.

Just a week following its last outage, Tumblr on its Twitter account said it was “experiencing network problems” due to an issue with one of the site’s uplink providers.

According to service monitoring site Down Right Now, the outage began shortly after 8 a.m. EDT on Friday.

hortly after 2 p.m. EDT, Tumblr tweeted that the site was back online and a “full postmortem regarding today’s service interruption will follow.” No explanation has yet been posted.

The Internet is having a rough week. Amazon Web Services Monday experienced an outage that took down Netflix, Pinterest, Reddit, Airbnb, and Flipboard, among others hosted on the service.

Dropbox and Google App Engine were down for some but operational for others on Friday morning, and some users reported issues with YouTube as well. Even Apple had issues this week with its iMessage service. iOS users reported a Thursday afternoon outage, though Apple didn’t confirm or clarify the reasons behind the glitch.

Internet Traffic Report documented significant packet loss and a steep dip in Web traffic across North America on Friday morning, though it’s unclear what caused the anomalies, and it seems things are back to normal.

The outages have thus far been unrelated. Tumblr’s outage last week was due to issues with its Dashboard, while Amazon Web Services had server trouble at its Virginia data center.

Why do outages freak some users?

The response to these outages, some of which last for less than an hour, may say more about the always-on nature of the Internet than about the sites themselves. Tumblr users took to Twitter to mourn the site’s absence in either snarky (“I can’t post my new ‘tumblr-is-down’ gif because tumblr is down”) or plaintive (“tumblr is still down why am I breathing”) tones.

The pitfalls of living in a constantly connected culture have been well documented. Speaking in a March TED talk, Professor Sherry Turkle of the Massachusetts Institute of Technology said people turn to social networking platforms to feel connected and understood.

“That feeling that ‘no one is listening to me’ makes us want to spend time with machines that seem to care about us,” said Turkle, who studies the way technology is changing the way humans interact with each other.

When Tumblr and Pinterest are unavailable, when iMessages stop working for a few hours, stream of connections are severed, even if only briefly.

Source: pcworld.com

Read More

Google, Microsoft and Yahoo fix serious email weakness

Use of weak DKIM signing keys could allow spoofed email messages to look legitimate, US-CERT warned

Google, Microsoft and Yahoo have remedied a cryptographic weakness in their email systems that could allow an attacker to create a spoofed message that passes a mathematical security verification.

The weakness affects DKIM, or DomainKeys Identified Mail, a security system used by major email senders. DKIM wraps a cryptographic signature around an email that verifies the domain name through which the message was sent, which helps more easily filter out spoofed messages from legitimate ones.

The problem lies with signing keys that are less than 1,024 bits, which can be factored due to increasing computer power. US-CERT said in an advisoryissued Wednesday that signing keys less than 1,024 bits are weak, and that keys up to RSA-768 bits have been factored.

The issue came to light after Florida-based mathematician Zachary Harris was sent an email from a Google recruiter that used only a 512-bit key, according to a report published Wednesday by Wired magazine.

Thinking it might be some clever test by Google, he factored the key, then used it to send a spoofed message from Sergey Brin to Larry Page, Google's founders.

It wasn't a test but in fact a serious problem, one in which emails that could be bogus would be trusted. According to the DKIM standard, email messages that have keys shorter that 1,024 bits are not necessarily rejected.

Harris found the problem wasn't limited to Google, but also Microsoft and Yahoo, all of whom appeared to have fixed the issue as of two days ago, according to US-CERT. Harris told Wired he found either 512-bit or 768-bit keys in use at PayPal, Yahoo, Amazon, eBay, Apple, Dell, LinkedIn, Twitter, SBCGlobal, US Bank, HP, Match.com and HSBC.

Weak signing keys are a boon for cybercriminals. They selectively target people with emails containing malicious links in an attempt to exploit a computer's software and install malware, a style of attack known as spear phishing. If an email contains the correct DKIM signature, it's more likely to end up in a recipient's inbox.

US-CERT also warned of another problem. The DKIM specification allows a sender to flag that it is testing DKIM in messages. Some recipients will "accept DKIM messages in testing mode when the messages should be treated as if they were not DKIM signed," US-CERT said.

Source: computerworld.com

Read More

Popular Android apps leak personal data, study finds

Popular Android apps from the Google Play store are vulnerable to theft of personal details, including emails and bank account logins, according to a new study. As many as 185 million users who downloaded vulnerable applications could be tricked into revealing their personal data, the research indicates.

Researchers at the University of Leibniz and University of Marburg, Germany, tested the top 13,500 popular apps in the Google Play store and identified 41 apps that are prone to SSL certificates attacks. They used a fake Wi-Fi Hotspot and a special attack tool that could spy on the data passing between a smartphone and the website the app is linked to.

In their tests, the researchers were able to capture login credentials for email services, social media sites, online bank accounts, and even corporate networks. They were also able to trick or disable security software on Android and inject malicious code to make apps carry specific commands.

The research paper says: “We have captured credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts, and email accounts. We have successfully manipulated virus signatures downloaded via the automatic update functionality of an anti-virus app to neutralize the protection or even to remove arbitrary apps, including the anti-virus program itself.”

The researchers did not name the vulnerable apps, but they did say that the Facebook app for Android is not prone to the attacks they tested, and it displays meaningful warning messages when a possible attack is taking place. However, they did note that many apps can display abstract warnings during an SSL attack, which could leave users confused. (See also Which Android security tools are worth your time?).

A follow-up survey of 745 people considered whether people are aware when they're browsing over unsecured connections from their phones, leaving them prone to attacks. The results from the non-IT experts showed that almost half thought they were using a secure connection when they were actually not, while 35 percent of IT-educated users also mistook unsecure connections for safe ones.

Source: techhive.com

Read More

Yahoo blocks emails about Wall Street protest

Ready for conspiracy theories? Folks emailing information about the Wall Street protests on Monday using Yahoo discovered their emails failed, and received a message from Yahoo claiming "suspicious activity." Does that sound suspicious?

ThinkProgress.org has perhaps the best coverage, including a YouTube video of users trying to send emails that mention the "OccupyWallSt.org" web site. That seemed to be the magic phrase to get your email blocked.
Yahoo spokespeople claim it was a glitch, a mistake, unintentional, and they don't know how their spam filters became so sensitive. Via Twitter, Yahoo announced the blockage was now fixed, but "there may be residual delays." There will certainly be some residual questions. But remember, censorship requires a government entity squelching speech, not an email provider.

Source: ITWorld.com

Read More