Well, it’s time to update your WordPress installation to the latest release (2.3.1) if you haven’t done so yet. Janek Vind has posted a less critical cross-site scripting vulnerability that applies to version <2.3.0.

Input passed to the “posts_columns” parameter in wp-admin/edit-post-rows.php is not properly sanitised before being returned to the user. So this can be exploited to execute arbitrary HTML and script code in a user’s browser session in context.

Janek Vind’s original advisory can be found here and the latest version of WordPress can be found here.

If you want to speed up the upgrade of WordPress I also suggest that you take a look at Wordpress Automatic Upgrade that takes care of the upgrade for you. Wordpress Automatic Upgrade allows a user to automatically upgrade the wordpress installation to the latest one provided by wordpress.org using the 5 steps provided in the wordpress upgrade instructions.

Kim Haverblad

Bookmark to:

The Swedish tax authorities (IRS), Skatteverket, has lately started to look into home pages that they think generate revenue via banner income and now wants to force Swedish ISP:s to release their customers records.

Swedish ISP Bahnhof is one of several companies that received a request from Swedish IRS to release customer records between 2004-2006 and have specific been asked to release following:

• Name
• Address
• Personal code (identity) number
• Date for check-in
• Date for check-out
• Total billing amount
• Server type and IPs
• List of domains hosted
• Host configuration files

To be mentioned is that Swedish IRS is not asking for specific customers records that they believe have participated in any kind of criminal act - they are asking to get what ever they can get and then poke around until they stumble over something of interest.

Bahnhof:s CEO Jon Karlung says in an interview that they have no reason of releasing such information due to that it would be against the Swedish law (the law about electronic communication). Even if they will be fined 80 000 USD for not comply with the request made by the IRS. Jon Karlung also says that they don’t oppose to release specific information about customers if the IRS (or any other authorities for that matter) can show suspicion about ongoing criminal activities. This is not the case here since the IRS want to harvest ISP customer records for what they define as suspicious economical activities.

Swedish IRS spokesperson, Dag Hardyson, is confident that Bahnhof will release the requested information even if this case has to go to county administrative court and says that he has full confidence in the injunction made towards Bahnhof and that the injunction itself is according to the Swedish laws and don’t want to make any comments to Bahnhof:s legal interpretation and says that he has full confidence with their legal department interpretation and recommendations.

All in all it seems that our privacy is more and more compromised on a national and EC level and in the name of fighting terrorist and criminal activities. Don’t get me wrong here; I fully agree that we should fight activities that threaten our community. But it seems that all laws that wouldn’t be passed 10 years ago due to privacy intrusion gets fast tracked and passed.

To wrap it all up, the problem is also that we have two different laws that collide with each other and by that there is a deadlock regarding this entire story until it has been seattled in court. So I’m looking forward to see what happens next.

Kim Haverblad

Bookmark to:

Computer World, IDG and DN today writes that Microsoft has bought 1.6% of the shares in Facebook for the amount of 240 million dollars! I can just congratulate Mark Zuckerberg and Facebook. But, the questions remains if it’s in the best interest of the users to get Microsoft involved in Facebook due to the enormous wealth of information that the users has provided Facebook with - for free - about themselves!

So how many of the estimated 50 million users has actually given it a thought about the information that they have submitted to Facebook and of them how many have actually read the Terms of Use and the Privacy Policy? It can’t be that many of the existing users! Either people are very well aware of what they sign or they don’t care. But they should; since when they signed up at Facebook they give the company exclusive rights to the material submitted and to be used in what ever way that they like!

“You acknowledge and agree that any questions, comments, suggestions, ideas, feedback or other information about the Site or the Service (”Submissions”), provided by you to Company are non-confidential and shall become the sole property of Company. Company shall own exclusive rights, including all intellectual property rights, and shall be entitled to the unrestricted use and dissemination of these Submissions for any purpose, commercial or otherwise, without acknowledgment or compensation to you.”

Even if you as user have the possibility to delete your account, Facebook has following lines in the Privacy Policy to inform you that the user data may exist in backup copies for reasonable time:

“Removed information may persist in backup copies for a reasonable period of time but will not be generally available to members of Facebook.”

My question to above is how short or long is their definition of reasonable period?

The Terms of Use has a few lines about what you as uses can do or not do when it comes to harvest or collect information about other users; it doesn’t really say anything about what Facebook rights to harvest or collect information about their users; so let’s check the Privacy Policy.

Facebooks Privacy Policy clearly states that they harvest and collect information about you as user and as well tries to figure out user patterns.

“When you use Facebook, you may set up your personal profile, form relationships, send messages, perform searches and queries, form groups, set up events, add applications, and transmit information through various channels. We collect this information so that we can provide you the service and offer personalized features.”

They actually say that they in most cases inform they user about prior activities so that you can choose or not to participate; I would say that they in most cases don’t inform you as user about how they plan to use the collected information.

Following next lines should indicate red flag by most people, when talking about aggregating user information that they’ve gathered and that you as user already given Facebook exclusive rights to, but it doesn’t, sadly:

“Facebook may use information in your profile without identifying you as an individual to third parties. We do this for purposes such as aggregating how many people in a network like a band or movie and personalizing advertisements and promotions so that we can provide you Facebook. We believe this benefits you.”

I’m fully aware of the Facebook is a corporation that wants to make money and that they provide a free service; but are people aware of what kind of spin off industry and products that might come out of this huge information that they’ve gathered? Working with business development at Facebook must be one of the greatest jobs around due to the huge potential they have with all the raw data. And I doubt that Facebook will aggregate more than just what kind of bands or movies that you or a group of users likes.

So think twice when you sign up with Facebook or similar community; you might just end up signing over your entire life story to company behind the community and by that ruin your future.

So when you in the future gets questions about activities that you you’ve done in the past and thought that they where harmless at that time. Think twice before answering; what does he or she knows about you that you forgotten?

Kim Haverblad

Bookmark to: