Indian jail will use inmates in banking outsourcing unit

From the “What-were-they-thinking?” department

Security guru Bruce Schneier on his “Schneier on Security” blog noticed this one:

Charlapally Central Jail, near the Andhra Pradesh state capital Hyderabad, will set up a public-private partnership with Radiant Info Systems to put 200 inmates to work doing data entry and information processing FOR BANKS!

The unit will have round-the-clock staffing – three shifts of 70 staff each.

The inmates will receive the equivalent of $2.20-3.32 US per day. Normal prison wages are 33 cents per day.

The BBC quoted CN Gopinath Reddy, the state’s director general of prisons: “The idea is to ensure a good future for the educated convicts after they come out of jail. With their experience of working in the BPO [business process outsourcing] in jail, any company will absorb them in future.”

Now the REALLY good news: BBC wrote: “Officials say this is a pilot project and, if it succeeds, it could be extended to other jails in the state.”

Story here: “Outsourcing unit to be set up in Indian jail”

Tom Kelchner

EFF: browser fingerprinting works really well

The Electronic Freedom Foundation has released a white paper that reveals most Web browsers leave enough information about their configurations on Web servers that they are identifiable.

The EFF put up a web site, took data from 470,161 informed participants and found that among browsers with Flash or Java activated, 94.2 percent were identifiable (“unique” in their words.)

“By observing returning visitors, we estimate how rapidly browser fingerprints might change over time. In our sample, fingerprints changed quite rapidly, but even a simple heuristic was usually able to guess when a fingerprint was an “upgraded” version of a previously observed browser’s fingerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%.”

And, if that isn’t scary enough, they said that those using anti-fingerprinting privacy technology will still be identifiable until a lot of people start using the same countermeasures.
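The point about countermeasures can be made concrete by counting how many browsers share each fingerprint (the "anonymity set"). The following is an added example, not code from the EFF or from this blog; the population, attribute names and the "protected" profile are constructed for illustration.

```python
import hashlib
import json
import math
from collections import Counter

# Constructed attribute values; a real fingerprint uses many more attributes.
USER_AGENTS = ["browser-a/3.6", "browser-b/8.0", "browser-c/4.1", "browser-d/10.5"]
SCREENS = ["1280x800", "1366x768", "1920x1080"]
TIMEZONES = ["UTC-8", "UTC-5", "UTC+0", "UTC+1", "UTC+5:30"]

# Hypothetical countermeasure: every protected browser reports the same values.
PROTECTED_PROFILE = {
    "user_agent": "generic-browser",
    "screen": "1000x1000",
    "timezone": "UTC+0",
    "plugins": "",
}


def fingerprint(attrs):
    """Hash the attributes in a canonical order so equal configs match."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_population(protected_users):
    """1000 constructed ordinary browsers plus N browsers on the protected profile."""
    if protected_users < 1:
        raise ValueError("need at least one protected browser to measure")
    browsers = [
        {
            "user_agent": USER_AGENTS[i % 4],
            "screen": SCREENS[i % 3],
            "timezone": TIMEZONES[i % 5],
            "plugins": "flash,java",
        }
        for i in range(1000)
    ]
    browsers.extend(dict(PROTECTED_PROFILE) for _ in range(protected_users))
    return browsers


def anonymity_set_sizes(population):
    """For each browser, how many browsers in the sample share its fingerprint."""
    prints = [fingerprint(b) for b in population]
    counts = Counter(prints)
    return [counts[p] for p in prints]


def surprisal_bits(set_size, total):
    """Identifying information in bits: 0 means indistinguishable from everyone."""
    return math.log2(total / set_size)


def unique_fraction(population):
    """Share of browsers whose fingerprint nobody else in the sample has."""
    sizes = anonymity_set_sizes(population)
    return sum(1 for s in sizes if s == 1) / len(sizes)


def measure(protected_users):
    """Compare an ordinary browser (first) with a protected one (last)."""
    population = build_population(protected_users)
    sizes = anonymity_set_sizes(population)
    total = len(population)
    return {
        "total": total,
        "ordinary_set": sizes[0],
        "ordinary_bits": surprisal_bits(sizes[0], total),
        "protected_set": sizes[-1],
        "protected_bits": surprisal_bits(sizes[-1], total),
        "unique_fraction": unique_fraction(population),
    }


if __name__ == "__main__":
    for adopters in (1, 200):
        r = measure(adopters)
        print(
            f"{adopters:>3} protected: protected set={r['protected_set']}, "
            f"{r['protected_bits']:.2f} bits; ordinary set={r['ordinary_set']}, "
            f"{r['ordinary_bits']:.2f} bits"
        )
```

With a single adopter the protected browser is the only unique one in the sample; with 200 adopters it hides in a larger crowd than any ordinary configuration.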

White paper here: “How Unique Is Your Web Browser?”

Tom Kelchner

Is Facebook affected by the privacy debate?

Short answer: no, it’s just a numbers game.

The debate is continuing over Facebook’s lack of concern for users’ privacy and strangely difficult procedures for managing users’ privacy settings.

Graham Cluley at the UK AV firm Sophos (http://www.sophos.com/blogs/gc/) drew the world’s attention to the fact that the Google Trends page is showing a spike in searches for the string “delete Facebook account.” The spike is still getting steeper.

[Graph: Google Trends searches for “delete Facebook account”]

What it shows is that there are nearly 30 times as many searches as there were at the lowest period represented in early 2009. It doesn’t say what the absolute numbers are, it just shows a huge increase in the RATE. If one person ran the search in 2009, there could be only 30 people checking it this week. It also doesn’t indicate if the Googlers are finding anything useful or actually deleting their Facebook pages.

Diaspora

Meanwhile, the Diaspora group (http://www.joindiaspora.com/), four college students who set out several weeks ago to raise some cash to support themselves while they write “the privacy aware, personally controlled, do-it-all distributed open source social network,” is getting far more pledges of support than just the $10,000 they set out to raise:

[Screenshot: Diaspora pledge page]

Just say “No” to Facebook

A protest site, QuitFacebookDay.com (http://www.quitfacebookday.com/), has meanwhile begun pushing the idea of users leaving Facebook. As of this afternoon, 3,466 people had committed to quit.

[Screenshot: QuitFacebookDay.com]

But, the big number

To put all this in perspective, we have a headline from the AllFaceBook.com blog (which is not connected to Facebook): http://www.allfacebook.com/2010/05/facebook-prepares-to-announce-500-million-users/#more-14403

“Facebook Prepares To Announce 500 Million Users”

Nick O’Neill writes there: “Facebook is working on plans for their 500 million user celebration, projected to take place at some point before the end of June.”

And this:

“Before the end of this year, the company should near the 600 million user mark and surpass $1 billion in annualized revenue.”

With numbers like that, Facebook’s privacy policy can probably be summed up in a couple of sentences — something like: “We don’t care. We’re so big we don’t have to.”

Tom Kelchner

Windows “activation” ransomware

Trojan-Ransom.Win32.Winac.A

Our analyst Adam Thomas found this: a piece of ransomware that locks up Windows until you enter your credit card data.

First it claims you are running a pirated version of Windows and they need your billing details. “…but your credit card will NOT be charged.”

And of course that’s true.

Once you enter your credit card details, it will “activate” your “pirated” OS and make it legitimate:

[Screenshot]

Basically, the Trojan locks your system. The only thing you can do is complete the “activation”. You can choose to “activate windows” or “do it later”. If you choose to do it later, your machine reboots.

If you go through the process of entering your data (including your credit card number), then your system will work again.

Your credit card information is shipped off to a network of fast-flux bots standing by ready to receive it.

VIPRE detects it as Trojan-Ransom.Win32.Winac.A

Thanks Adam

Tom Kelchner

 

Privacy: Facebook, we have a problem

1. Google Trends are showing an increased interest in deleting Facebook accounts.

Google’s “Trends” site shows an interesting graph of people doing searches for “delete Facebook account”
(http://www.google.com/trends?q=delete+facebook+account)

[Graph: Google Trends searches for “delete Facebook account”]

What the graph is showing is that there are ten times as many searches for “delete Facebook Account” recently as there were in 2008. The rate has been rising through 2009 and is rising at a much steeper rate recently.

2. The Diaspora group is attracting a lot more money than they set out to raise

On Tuesday we blogged about the four New York college students who set out to raise $10,000 on the KickStarter site to pay for pizza and Mountain Dew over the summer while they write a “privacy aware, personally controlled, do-it-all distributed open source social network” that they are calling “Diaspora.”

We checked the KickStarter page for Diaspora then and wrote: “As of mid-afternoon today their web site said they’d raised $33,179 from 1027 backers. They had been seeking $10,000 to support themselves over the summer while they finished the project.” http://sunbeltblog.blogspot.com/2010/05/nyu-students-building-open-source.html

Well, that was three days ago. Here is what the KickStarter page says for Diaspora today:

[Screenshot: KickStarter pledge total for Diaspora]

These guys only set out to get $10,000! They’re up to $142,104 and the number is climbing by the minute!

Facebook has 350 million subscribers, so, it’s not like Farmville is going to become a ghost town overnight and there won’t be anybody left to bring in the fall harvest. However, the data above is starting to point to a trend and should be Facebook’s wake-up call about the privacy issue.

Tom Kelchner

APWG report: one gang did two-thirds of all phishing in 2H09

Number of attacks doubled in second half of year, but dying out in 2010

The Anti Phishing Working Group has released its “Global Phishing Survey: Trends and Domain Name Use 2H2009.” Highlights include:

— The Avalanche phishing gang was behind two-thirds of the 126,697 phishing attacks launched in the second half of last year.

— The uptime of phishing attacks continues to drop because of the response to Avalanche. Avalanche phish have half the up-time of non-Avalanche domains.

— APWG estimated that there were at least 126,697 phishing attacks in the second half of the year and 55,698 attacks in the first half.

— Phishing remains concentrated in just four top level domains: 76 percent of the attacks occurred in .COM, .EU, .NET, and .UK.

— Eighty eight percent of the malicious domain registrations were made in just five top level domains: .BE, .COM, .EU, .NET and .UK.

Avalanche is on the decline though. The report says: “Avalanche domain registrations hit a high in December 2009, but by then Avalanche was hosting fewer and fewer attacks overall. By March 2010, Avalanche was hosting only one phishing attack on each domain it registered, and attacks dwindled to just 59 in the month of April 2010.”

Report here: http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey_2H2009.pdf

Tom Kelchner

AnchorFree Responds on HotSpot Shield, our response

AnchorFree’s response to our blog post:

Hey Tom,

This is Art from Hotspot Shield. I work for the marketing department.

I wanted to bring to your notice that users don’t start seeing ads just by downloading/installing Hotspot Shield. They only see ad if they connect to Hotspot Shield. So, they are basically opting in to see the ads in exchange for using our services. We are very upfront about this to our users.

Once they disconnect, they go back to the normal browsing without any ad
insertion. User is informed that HotspotShield is supported by advertisements
before the download and at the start of each private browsing session.

Also, we never store real user IP address and never provide real user IP
to any advertiser. Therefore, neither we nor our advertisers can disclose real
IP of our user even if compelled. Although I agree that it is not very clear in
our privacy policy. But we never store/share any users’ personal data. We limit
list of our advertisers to only ones who agree NOT to receive real user IP.

Feel free to email me or call me if you have any questions.

Cheers,
art


Our response from Eric Howes, Sunbelt Spyware Research Manager

Art:

I’m sorry, but nothing in your response changes our conclusion that Hotspot Shield is adware and that it is being presented to users in a deceptive manner. Let’s look at your claims one by one.

“They only see ad if they connect to Hotspot Shield. So, they are basically opting in to see the ads in exchange for using our services.”

Most adware vendors can and have made similar claims. The term “adware” was, in fact, coined to describe products that are ad-supported.

“We are very upfront about this to our users. Once they disconnect, they go back to the normal browsing without any ad insertion.”

There is nothing straightforward, clear, or conspicuous in the disclosures you offer users concerning the ad-supported nature of the product or the fact that ad networks can (and undoubtedly are) using tracking technologies to monitor users’ response to ads and personalize those ads.

“User is informed that HotspotShield is supported by advertisements before the download and at the start of each private browsing session.”

Neither of these claims is true. There is no notice on the Hotspot Shield home page or download page that the product is ad-supported. To the contrary, the home page sports that flashy green “no adware/spyware” logo, leading users to believe that quite the opposite is true. Although there is a link to the “terms of service,” that link is at the bottom of the page (the download link is at the top right), and even then users must scroll down to section 9 to find any mention of advertisements.

The installation/setup process similarly lacks any notice of these material terms outside of the EULA. Curiously, there is a separate screen for the optional toolbar (presented to users as a means of helping AnchorFree keep the product free for use), but nothing equivalent for the advertising functionality of the core program itself.

Finally, what the user sees at the start of each private browsing session is a connection status message that, again, makes no mention of the ad-supported nature of the product.

It should also be noted that even though I carefully unchecked all the options to have AnchorFree take over my home page, search, and error page settings, my browser’s home page was still hijacked to the AnchorFree “privacy search” page at the start of each “private browsing session.”

“Also, we never store real user IP address and never provide real user IP to any advertiser. Therefore, neither we nor our advertisers can disclose real IP of our user even if compelled. Although I agree that it is not very clear in our privacy policy. But we never store/share any users’ personal data. We limit list of our advertisers to only ones who agree NOT to receive real user IP.”

The real problem is that AnchorFree goes out of its way to create user expectations that are entirely opposite of the true ad-supported functionality of the product. Moreover, it’s fairly well established at this point that users’ true identities (or something very close to them) can, given enough data, be derived from the browsing profiles created via the tracking technologies used by major ad networks.

The key test or question in this case is a simple one. AnchorFree promotes Hotspot Shield as means for “protecting your privacy, security, and anonymity on the web.” What would users think if they knew that the very first thing AnchorFree does after users start a “private browsing session” is hand them over to invasive advertising networks? I think they would be appalled.

Eric Howes
Sunbelt Software

What part of “no adware” don’t you understand?

We’ve gotten some inquiries about why VIPRE has been detecting Hotspot Shield (http://www.hotspotshield.com/) as adware since May 4. Some thought it might be a false positive. It isn’t.

The Hotspot Shield web site carries the below graphic that says “NO spyware / adware.”

[Graphic: “NO spyware / adware” logo]

Well just SAYING “NO spyware / adware” doesn’t make it happen.

Here’s what the Hotspot Shield “terms of service” say (http://hotspotshield.com/terms/):

“9.1 Advertisements. AnchorFree may deliver third-party advertisements (“Advertisements”) within the content of any web page accessed. Advertisements may be injected into the top of the page, inserted directly into the page content, or even displayed to overlay the page. You hereby acknowledge and consent that AnchorFree may alter the content of any web page accessed for the purpose of displaying Advertisements. Additionally from time to time, AnchorFree may prevent any user’s access to the product or continued use thereof until such user has successfully participated in applicable advertising programs, surveys, or other activities that collect and monetize users’ personal information. AnchorFree does not endorse any information, materials, products, or services contained in or accessible through Advertisements.”
It also says: “AnchorFree allows other companies, called third-party ad servers or ad networks, to serve advertisements within the Hotspot Shield. These third-party ad servers or ad networks use technology to send, directly to your browser, the advertisements and links that appear on the Hotspot Shield. They automatically receive the virtual IP Address assigned by AnchorFree when this happens. They may also use other technologies (such as cookies, javascript, or web beacons) to measure the effectiveness of their advertisements and to personalize their advertising content.”

This from a company that claims to be “Protecting the web for your security, privacy and anonymity!”

Eric Howes, Sunbelt Software Spyware Research Manager, said on the Sunbelt Support Forum:
http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=4649&enterthread=y

“If a company is injecting ads into the user’s browser and onto the user’s desktop and using tracking technology to “personalize” those advertisements, then it is most certainly delivering adware/spyware to users, and any disclaimers to the contrary are simply deceptive.

“That’s why we added the detection for Hotspot Shield. If you want to continue the program yourself, that’s your decision. But this detection is not a false positive.”

Tom Kelchner

XP (SP2) support ends July 13

If you’ve been squeezing the last bit of value out of that installation of Windows XP Service Pack 2 or are continuing to run it because of proprietary software that you’re squeezing the last bit of value out of, well, you only have two more months of squeezing. Microsoft will end support for Service Pack 2 on July 13.

Now if you can somehow upgrade to Service Pack 3, you can forget about the problem until Microsoft’s Extended Support for XP ends April 8, 2014, assuming the hard drive in that PC you bought in 2001 lasts that long. Meanwhile, I wouldn’t slack off on the backups.

And, no, July 13 isn’t on a Friday.

Support for Windows XP Service Pack 2 ends on July 13, 2010

Microsoft’s page on this is here.

Tom Kelchner

Will Facebook face up to privacy risks?

AllFaceBook.com, (not a Facebook company web site) is reporting that insider contacts say Facebook has called an all-hands meeting today to discuss the company’s privacy strategy.

With the many controversies stemming from Facebook’s cavalier attitude to users’ personal data security, it has been conjectured that the social media giant might adopt an “opt-in” policy for features that share users’ information.

Blog post here: “Facebook Calls All Hands Meeting On Privacy”

The Electronic Freedom Foundation posted (in April) a great timeline of Facebook’s changing security policy statements over the last five years: “Facebook’s Eroding Privacy Policy: A Timeline”

Tom Kelchner

U.S. Fed judge rules against LimeWire

ArsTechnica is reporting that U.S. Federal Judge Kimba Wood of the United States District Court for the Southern District of New York has granted summary judgment against LimeWire in an action brought by the Recording Industry Association of America (RIAA), which claimed the peer-to-peer file-sharing service was facilitating copyright infringement.

Penalties against LimeWire and its CEO Mark Gorton will be set after a status conference on June 1.

During the legal proceedings, an expert witness called by the RIAA testified that in a sample of 1,800 LimeWire files he examined, 93 percent were copyrighted.

In other testimony it was revealed that LimeWire had opened a digital music store and used filtering to prevent users from sharing digital recordings purchased from it, but didn’t filter to prevent them from sharing anything else.

“In Wood’s view, this all adds up to a business model knowingly built on copyright infringement, and it continued with no attempt to address the massive problem,” according to the article in ArsTechnica (“LimeWire sliced by RIAA, guilty of massive infringement”)

More coverage here in Wall Street Journal: “CopyWrong! Kimba Wood Squeezes the Juice Out of Limewire”

This is big news for LimeWire users who never knew you were supposed to pay for music and the artists and recording companies who would like them to learn.

Tom Kelchner