Simon Willison’s Weblog

Subscribe

Sunday, 23rd August 2009

Facebook Hacked By 4chan, Accounts Compromised. It wasn’t Facebook that got hacked: 4chan members got hold of a list of usernames and passwords from an insecure Christian dating site and started using them to raise complete hell. Yet another demonstration that storing your user’s passwords in the clear is extremely irresponsible, and also a handy reminder that regular users who “don’t have anything worth securing” actually have a great deal to lose if their password gets out.

# 10:02 am / security, passwords, 4chan, facebook, identitytheft

For those who haven't heard the story the details were pulled from a Christian dating site db.singles.org which had a query parameter injection vulnerability. The vulnerability allowed you to navigate to a person's profile by entering the user id and skipping authentication. Once you got there the change password form had the passwords in plain text. Someone wrote a scraper and now the entire database is on Mediafire and contains thousands of email/password combinations.

rossriley on Hacker News

# 10:10 am / security, sql-injection, passwords

Bokode (via) New take on the humble barcode from the MIT Media Lab—Bokodes are 3mm wide but can be read at a distance by a regular digital camera lens using out of focus photography, exploiting the bokeh effect. The way in which the Bokode is read allows both distance and relative angle to the camera to be derived, making it ideal for Augmented Reality systems.

# 10:29 am / augmentedreality, bokode, bokeh, optics, barcodes, mitmedialab

We completely understand the public’s concern about futuristic robots feeding on the human population, but that is not our mission.

Harry Schoell, CEO of Cyclone

# 10:51 am / robots, cyclone, funny, ethics

Exploring OAuth-Protected APIs. One of the downsides of OAuth is that it makes debugging APIs in your browser much harder. Seth Fitzsimmons’ oauth-proxy solves this by running a Twisted-powered proxy on your local machine which OAuth-signs every request going through it using your consumer key, secret and tokens for that API. Using it with a browsers risks exposing your key and token (but not secret) to sites you accidentally browse to—it would be useful if you could pass a whitelist of API domains as a command line option to the proxy.

# 11:06 am / oauth, apis, proxy, sethfitzsimmons, twisted, python

2009 » August

MTWTFSS
     12
3456789
10111213141516
17181920212223
24252627282930
31