Scoble, Identity Thief [Scrape / Hack Facebook]
If you’ve been reading any tech news today, you probably heard that Robert Scoble was banned from Facebook for hacking it with an automated scraper to get his Facebook friends into Plaxo. Later today, Facebook reinstated his account after warning him to “refrain from running these types of scripts again.”
What was Scoble after? Your names, email addresses, and birthdays: information he is allowed to access inside Facebook, but which many of his 5,000 so-called friends might not want hauled outside and stored with another company. Buzzmachine is right when they label him an identity thief. What he says:
I want Facebook to protect my email address. I don’t want Scoble downloading it and giving it over to Plaxo, a brand and company I will never, never trust and would never choose to do business with or hand data to on my own. So much of the reaction to this little incident gets it backwards; there has been much talk about how we should be able to get our data out of Facebook and that’s fine but we also need to protect our data from others making use of it without our permission and that’s what this is about in the end.

There’s a reason that I have set my privacy to avoid these things–in addition to defriending everyone I don’t actually know and trust. I don’t want people knowing where I live (as I’ve received death threats, prank calls, and various harassments that are more trouble to sort out than just avoid). I don’t want them knowing my email, phone number, or birthday. And I certainly would get pissed off to see someone harvesting them en masse. As I wrote in Cornell violates mass student privacy, “Taken one-by-one, this kind of directory information is completely useless and publicly available. But when taken in aggregate form, the contact information is a secret.”
So, in mass-downloading his Facebook friends’ information, Scoble violated the Terms of Service, the implicit trust relationships he had with his Facebook friends, their privacy, and their identities. Now he claims that the information will be removed after their tests are finished, but at this point it’s too late. The cat (our identities) is out of the bag.
p.s., Techcrunch agrees as well…
Unlock New OOB 1.1.2 Apple iPhone
If you bought an iPhone this Christmas hoping for some unlocking love, chances are you were disappointed. The new iPhones have a 4.6 bootloader which hasn’t yet been hacked. Specifically, they come in the following versions:
- Firmware: 1.1.2
- Bootloader: 4.6_M3S2
- Modem: 04.02.13_G
For now, all OOTB iPhones with this configuration (or newer, we know 1.1.3 is coming soon) cannot be unlocked. They expect a new 1.1.3 firmware to come out in January that will contain enough information to allow them to unlock new 1.1.2 iPhones, but you never know. For now, your options are limited to:
- Buying an actually unlocked iPhone from Germany or France and paying the high unlock cost via iTunes
- Buying a Turbosim or Stealthsim card for about $100, which should be resistant to further software updates.
Good luck to everyone who bought an iPhone this Christmas and doesn’t have AT&T service. You’ll need that, and a large bucket of patience.
Update: Now that the 1.1.3 firmware is out, a method for flashing the bootloader to 3.9 has emerged. Looks complicated and risky; an official release should be out soon.
Update: There’s now a software unlock, and it’s easy. Just do:
- Set “autolock” in settings to never: Settings, General, Auto-Lock
- Add this installer location: iphone.sleepers.net/repobeta.xml
- Install the “Geohots Gunlock Script” unlock script package from BigBoss’ Experimental/Beta Repo
- Install BSD Subsystem + Term vt100
- On 1.1.2 or 1.1.3, go to settings, and set AIRPLANE mode to ON
- Open termvt100 and type:
cd /usr/bin
geounlock
And, that’s it! Only for 4.6 Bootloader (BL) iPhones on 1.1.2 or 1.1.3, and not from the iPhone dev team, who aren’t as elite as they wanna be.
Denial of Service Attack (DOS), Grrr….
Today I had the pleasure of a random guy in Mexico recursively downloading as much of my site as he could, which sent my CPU load to 2.0, a level that Dreamhost would find acceptable but which I personally freak out about. The r-dns and IP of this guy are:
dsl-189-171-15-59.prod-infinitum.com.mx
189.171.15.59
He started at 04/Nov/2007:12:04:36 and ended (by iptables ban) at 04/Nov/2007:20:17:03. In those 8 hours and thirteen minutes, he made over 250,000 requests. That’s an extra 8.5 requests per second from a single IP, which is clearly unacceptable behavior:
[root@fc624389 ~]# cat access_log | grep 189.171.15.59 | wc -l
251923
If you don’t believe me, the next biggest offender over the last 24 hours made only 4,400 requests:
[root@fc624389 ~]# cat access_log | cut -d' ' -f1 | sort -n | uniq -c | sort -nr | more
251923 189.171.15.59
4403 66.249.73.116
2012 76.88.78.239
1646 70.141.105.233
The user agent of this guy doesn’t tell *me* anything about him, but maybe one of you readers has an idea?
189.171.15.59 - - [04/Nov/2007:12:04:38 -0500] "GET /wp-content/themes/greenmarinee/images/links_bullet.gif HTTP/1.1" 200 467 "http://celebrity-photos.elliottback.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
Another thing that bugs me is he requested each URL about 7 times. WTF? Do you really need to spider my site as fast as you can seven times?
[root@fc624389 ~]# cat access_log | grep 189.171.15.59 | cut -d' ' -f11 | sort | uniq | wc -l
35414
I am thinking of either writing a very evil script that confuses non-Google/MSN/Live/Ask/Yahoo bots by writing an infinite number of invisible links into my websites, or installing some kind of mod_throttle into my Apache. It looks like mod_limitipconn might help here, too.
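The per-IP analysis in this post (total requests, how many distinct URLs were fetched, and the sustained request rate) is easy to script against the raw access_log instead of chaining grep/cut/sort by hand. The Python below is an added example and not the post's own code: it parses Apache combined-format lines like the one quoted above, computes per-IP request totals, unique-URL counts, a requests-per-second figure over each IP's first-to-last timestamp, and a repeat ratio (requests divided by unique URLs), then flags IPs over a threshold. The log lines it runs on are constructed for the example (the abusive IP is the one from the post; 203.0.113.5 is a made-up well-behaved client), and the thresholds are assumed values, not ones the post recommends.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format, the same shape as the access_log line quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The line quoted in the post, used here to check the parser against a real entry.
QUOTED_LINE = ('189.171.15.59 - - [04/Nov/2007:12:04:38 -0500] '
               '"GET /wp-content/themes/greenmarinee/images/links_bullet.gif HTTP/1.1" 200 467 '
               '"http://celebrity-photos.elliottback.com/" '
               '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC 3.0; '
               '.NET CLR 1.0.3705; .NET CLR 1.1.4322)"')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def make_line(ip, ts, url, ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"):
    # Constructed sample line (same format as the post's entry; referer is a placeholder).
    return f'{ip} - - [{ts}] "GET {url} HTTP/1.1" 200 467 "http://example.com/" "{ua}"'


def build_sample_log():
    """Constructed log: one client hammering three URLs ten times each in ten seconds,
    plus one ordinary visitor fetching three pages over the same ten seconds."""
    lines = []
    for sec in range(36, 46):
        for url in ("/", "/about/", "/feed/"):
            lines.append(make_line("189.171.15.59", f"04/Nov/2007:12:04:{sec:02d} -0500", url))
    for sec, url in ((36, "/"), (40, "/about/"), (45, "/contact/")):
        lines.append(make_line("203.0.113.5", f"04/Nov/2007:12:04:{sec:02d} -0500", url))
    return lines


SAMPLE_LOG = build_sample_log()


def per_ip_stats(lines):
    """Per-IP request count, unique URL count, sustained req/s and repeat ratio."""
    counts = defaultdict(int)
    urls = defaultdict(set)
    first, last = {}, {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole report
        ip = rec["ip"]
        counts[ip] += 1
        urls[ip].add(rec["url"])
        first[ip] = min(first.get(ip, rec["ts"]), rec["ts"])
        last[ip] = max(last.get(ip, rec["ts"]), rec["ts"])
    stats = {}
    for ip, n in counts.items():
        # Inclusive window in seconds: a burst entirely within one second counts as 1 s.
        window = (last[ip] - first[ip]).total_seconds() + 1
        stats[ip] = {
            "requests": n,
            "unique_urls": len(urls[ip]),
            "req_per_sec": n / window,
            "repeat_ratio": n / len(urls[ip]),
        }
    return stats


def flag_offenders(lines, max_req_per_sec=2.0, max_repeat_ratio=3.0):
    """IPs whose sustained rate or re-fetch ratio exceeds the (assumed) thresholds, busiest first."""
    stats = per_ip_stats(lines)
    flagged = [ip for ip, s in stats.items()
               if s["req_per_sec"] > max_req_per_sec or s["repeat_ratio"] > max_repeat_ratio]
    return sorted(flagged, key=lambda ip: stats[ip]["requests"], reverse=True)


if __name__ == "__main__":
    for ip, s in sorted(per_ip_stats(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["requests"]):
        print(f'{ip:16} {s["requests"]:6d} req  {s["unique_urls"]:4d} urls  '
              f'{s["req_per_sec"]:5.2f} req/s  x{s["repeat_ratio"]:.1f} repeats')
    print("flagged:", flag_offenders(SAMPLE_LOG))
```

On a real access_log, feed `open("access_log")` to `flag_offenders` instead of `SAMPLE_LOG`; the repeat ratio is what separates a crawler re-fetching every URL seven times from a legitimate search bot that walks the site once.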
Cheap Cellphone Jammer
I find this Personal Cell Phone Signal Blocker Device interesting. Not only does it retail for about $50, it offers portable jamming of all cellular signals (GSM, CDMA, DCS, PHS, 3G). All the iPhone toting Apple neophytes within a 2 to 40 foot radius will be unable to operate their shiny devices for three hours until your 1500mAh battery dies.

They note that “certain countries” like the USA forbid you from owning one:
Important Note: Usage and purchase of this item may not be allowed in certain countries. It is your responsibility to check for your local regulations. DX is not responsible for customs confiscations. If you are not sure whether your country allows importing this product, do not use EMS express shipping to avoid problems.
According to Wikipedia, this is because of the Communications Act of 1934. However, if you’re interested in this sort of thing you should read the Phrack piece on building a GPS jammer or the How Stuff Works article on jammers for a more basic overview.
Skype Storm Worm is not a Worm. It’s a Virus!
I’m going to lay down the law here on the Storm Worm’s latest incarnation, w32/Ramex.A or W32/Skipi.A or W32.Pykspa.D. Although the official Skype blog refers to it as either “the worm” or “a virus”, their copy makes it clear that the Skype Storm Worm cannot spread without manual user action:
Skype has learned that a computer virus called “w32/Ramex.A” is affecting users of Skype for Windows. Users whose computers are infected with this virus will send a chat message to other Skype users asking them to click on a web link that can infect the computer of the person who receives the message.
Dwight Silverman gives a good overview about what exactly it does to convince a user to open the evil .scr file and infect themselves. After all, who wouldn’t click “NFL Season Is Here!”? That said, a computer worm is actually a lot more serious:
A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention.
If this were a worm, all of Skype’s 10,000,000 users would have been infected in minutes, doubling or tripling the size of the “Storm Worm” botnet. So, you idiot bloggers, before you write something that scary, make sure you use the right terminology. I saw the headlines this morning at work and had a heart attack, and then read the story and cooled off. But, it’s probably not good for my blood pressure o_O.
