
A month ago, Jason Calacanis went on a rant about why everyone should boycott comScore. He felt they were using sketchy tactics to bully people into their pay-to-play model for measuring web analytics. He also noted that their free competitors like Quantcast, Google, and Compete would soon eat their lunch. Both Quantcast and Google (Analytics) offer direct counting of pageviews (but even these methods can be abused). But you may wonder how exactly Compete gets its numbers? It appears that some sketchy tactics are (or at least were) employed as well.

We were recently pointed to this post from last month by Ben Edelman, a Harvard privacy advocate. In it, he details the data the Upromise toolbar collects and sends out. This toolbar is used by college students looking for savings on various items across the web, and can be quite useful. But until a few weeks ago, it appears they were also sending web browsing (and more personal) data to Compete without anyone’s knowledge. Writes Edelman:

As shown in the “host:” header of each of the preceding communications, transmissions flow to the consumerinput.com domain. Whois reports that this domain is registered to Boston, MA traffic-monitoring service Compete, Inc. Compete’s site promises clients access to “detailed behavioral data,” and Compete says more than 2 million U.S. Internet users “have given [Compete] permission to analyze the web pages they visit.”

He continues:

Upromise’s installation sequence does not obtain users’ permission for this detailed and intrusive tracking. Quite the contrary: Numerous Upromise screens discuss privacy, and they all fail to mention the detailed information Upromise actually transmits. The Upromise toolbar installation page touts the toolbar’s purported benefits at length, but mentions no privacy implications whatsoever. If a user clicks the prominent button to begin the toolbar installation, the next screen presents a 1,354-word license agreement that fills 22 on-screen pages and offers no mechanism to enlarge, maximize, print, save, or search the lengthy text. But even if a user did read the license, the user would receive no notice of detailed tracking. Meanwhile, the lower on-screen box describes a “Personalized Offers” feature, which is labeled as causing “information about [a user's] online activity [to be] collected and used to provide college savings opportunities.” But that screen nowhere admits collecting users’ email addresses or credit card numbers. Nor would a user rightly expect that “information about … online activity” means a full log of every search and every page-view across the entire web.

Shortly after Edelman’s post (and a follow-up PCMag.com post), Upromise changed their privacy policy to alert their users that this data is being sent out. But the company declined to state how long the issue had been going on. Privacy implications aside, it’s interesting that this is one of the ways Compete was gathering data. And it would be good to know where else they get it from. On their site, they only vaguely note that they have “developed a unique methodology created by experts in the fields of mathematics, statistics and the data sciences to aggregate, transform, enhance and normalize data in order to estimate U.S. Internet traffic.” They also claim to have over two million members — but apparently, at least some of them (such as the Upromise toolbar users) don’t know they’re members.

I’ve sent a message to Compete asking them what other means (other toolbars, etc.) they use to gather their data. In light of this Upromise fiasco, it seems wise that they should disclose that kind of information. I’ll update if and when I hear back.

Even though the iPad is still more than a month away from shipping, iSuppli conducted a preliminary itemized parts breakdown. The results aren’t that surprising: Apple’s making a boatload on these things. iSuppli concluded that the $499 16GB/no-3G model costs only $229 to manufacture, with the $829 64GB/3G model costing only $117 more to make even though it carries a $329 premium. Nice, eh?

These numbers can be broken down even further, showing Apple’s insane margins. The 3G module only costs $24.50, but Apple charges $129 more for the option. The NAND memory chips are really the only difference between all three options, but their real costs of $29 for 16GB, $59 for 32GB, and $119 for 64GB are nowhere near proportionate to the iPad’s prices.

All this data shows that Apple’s abandoning its long-held K.I.S.S. strategy. So what if Apple got back on the keeping-it-simple bandwagon, only offered the high-end 64GB 3G iPad and still sold it for $499? After all, the company would still be making at least $153 on each iPad sold. Would that turn around the iPad’s outlook?

Read the rest of this story at CrunchGear…

Early this morning, Twitter began alerting certain users to reset their passwords because of a possible phishing attack. They later elaborated on it a bit, but it still wasn’t clear exactly what was going on. Now they’ve felt the need to fully go into exactly what went down — and it’s fairly interesting.

On their Twitter Status blog (interesting that it’s not the main Twitter blog), Del Harvey, Twitter’s Director of “Trust and Safety,” has a post detailing the attack. Apparently, Twitter figured out that some torrent sites have been created over a number of years by some individual who then sells them to others looking to get into the business. The problem is that this person seems to have included a backdoor in these sites so that they could access them later when the site became popular. And because people often use the same login and password across the web, a bunch of Twitter accounts were then compromised with this data. To make matters worse, it seems that there were also other exploits on these sites that allowed other hackers to gain access to data.

Harvey doesn’t name any of the torrent sites involved (and says they likely won’t even be able to figure out all of them), but notes that if you’re a torrent site user, you should probably change your Twitter password immediately. Harvey titles his post “reason 4,132 for changing your password” — but really it should be “reason 4,132 for not using the same login/password on all sites.” Here’s the main nugget:

The takeaway from this is that people are continuing to use the same email address and password (or a variant) on multiple sites. Through our discussions with affected users, we’ve discovered a high correlation between folks who have used third party forums and download sites and folks who were on our list of possibly affected accounts.

[photo: flickr/Daquella manera]

So Sprint just published an official fact sheet for a U301 USB modem with support for both WiMAX and EV-DO — it’s not accompanied by any press release or product page on Sprint’s online store, but we can only assume this means that a release is around the corner. Of course, the dual-mode capability alone doesn’t set it apart — the carrier’s existing U300 model already handles those duties with aplomb — but what seemingly sets the U301 apart is its support for Mac OS. We’d just as soon they’d release drivers for the U300, but failing that, alright, fine, we’ll take a new modem. If we’re sustaining over 3Mbps down, we’ll take a lot of carrier and manufacturer abuse, actually.

Sprint puts out fact sheet for dual-mode U301 WiMAX modem, release imminent? originally appeared on Engadget on Sat, 19 Dec 2009 04:24:00 EST.

A Facebook developer named Yvo Schapp has uncovered a massive security flaw present on both Facebook and MySpace that would give hackers the ability to steal all of your account data, including your photos, personal messages, and basically everything else you’ve ever put on the social networks, without you ever realizing it. Schapp stumbled upon the exploit and contacted both Facebook and MySpace. According to his blog, MySpace has since fixed the bug, and while his blog indicates that Facebook is still working on it, we’ve confirmed that they’ve fixed it as well (we’re waiting on a statement from MySpace).

So what exactly could the exploit do? From Schapp’s blog:

You don’t need much time to think of all the ways this could be exploited. All that has to happen is an active session, or an “auto login” cookie, and a URL which hosts an exploiting Flash file. For example, when accessed, an automatic “post update” could be made that would lure friends of the user to access the exploit URL, and the exploit would spread virally. A more invasive and hidden exploit could harvest all the users’ personal photos, data and messages to a central server without any trace, and there is no reason why this wouldn’t be happening already with both Facebook and MySpace data.

In other words, if you’ve ever checked that ‘remember me’ button on Facebook or MySpace’s login screen and have at any point viewed a Flash app taking advantage of the exploit, it’s possible that all of your data was compromised. You wouldn’t even necessarily have to open anything — in Facebook’s case, if one of the infected items showed up in your News Feed, you could have your data stolen without ever knowing it. Yeah, that’s pretty damn scary.

For what it’s worth, Facebook gave us this statement:

The security of our users is a top priority for Facebook and we worked with the researcher who identified the issue to fix it. We have not received any reports that it was ever exploited.

Of course, Schapp pretty clearly writes that there’s no way for a user to tell if their data was harvested, so for all we know it could have been used by multiple developers for months or longer (Facebook is currently investigating how long the bug may have existed). Granted, Schapp could be the first developer to ever stumble across the exploit. But the potential of this bug is so huge — allowing a developer to mine all of the data for any user who accessed their app — that less honest developers may well have used the hack for their own benefit. Facebook has previously said that there are a whopping 300,000 developers building on its platform. And we’ve seen time and time again that some of those developers are not opposed to Black Hat tactics. MySpace has seen its own share of problems.

This is obviously bad news for both social networks, but Facebook in particular has long been heralded as the safer of the two, with its extensive privacy settings and authentic identities. Yet the site has repeatedly seen glitches in its security. Today’s bug is by far the worst vulnerability in recent memory.

The security vulnerability works by taking advantage of an oversight in a crossdomain.xml configuration file, which Flash applets use to determine whether an application has permission to access data on that domain. The crossdomain.xml files at Facebook and MySpace were allowing any applet from any other domain to access data and the API. Combined with browsers keeping a record of your logged-in session if you have checked ‘remember me’, the vulnerability means that an invisible Flash applet on any website you visit would be able to read out all your data and send it away somewhere else. For more on cross-domain requests and security, there is a write-up explaining all the details. If you’re interested in the nature of the exploit itself, head over to Schapp’s blog for a full description of how he stumbled on it.

Image by Lisanne!
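To make the crossdomain.xml mistake concrete, here is an added example (not from Schapp’s post and not either site’s actual file): a constructed permissive policy of the kind described above next to a hardened one, plus a small Python audit that flags the settings that let a Flash applet on an unrelated site read an authenticated user’s data. The domain names and policy contents are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the pattern the post describes. A wildcard domain lets
# a .swf served from ANY origin make requests that ride the victim's cookies
# and read the responses; secure="false" additionally lets plain-HTTP applets
# read HTTPS data.
PERMISSIVE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

# Constructed hardened policy: only the site's own hosts, HTTPS applets only,
# and no other policy files honored elsewhere on the host.
HARDENED_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="static.example.com" secure="true"/>
</cross-domain-policy>"""


def audit_crossdomain(xml_text):
    """Return (severity, message) findings for one crossdomain.xml body."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("high", "root element is not <cross-domain-policy>")]

    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append(("medium", "site-control honors policy files anywhere on the host"))

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        secure = rule.get("secure", "true").lower()  # Flash defaults to true
        if domain == "*":
            findings.append(("critical", 'domain="*" lets any site read authenticated responses'))
        elif domain.startswith("*."):
            findings.append(("low", f"wildcard rule {domain}: every subdomain is trusted"))
        if secure == "false":
            findings.append(("medium", f'secure="false" on {domain}: HTTP applets may read HTTPS data'))

    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*":
            findings.append(("high", "any origin may send custom request headers"))
    return findings


def is_permissive(xml_text):
    """True when the policy grants read access to applets from any domain."""
    return any(sev == "critical" for sev, _ in audit_crossdomain(xml_text))
```

Run against a live site’s /crossdomain.xml, the same audit is a quick check that a fix like Facebook’s and MySpace’s actually removed the wildcard rather than merely narrowing it to a still-broad pattern.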