<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Jonathan T Rajewski &#187; Web 2.0</title>
	<atom:link href="http://jtrajewski.com/blog/category/web-20/feed/" rel="self" type="application/rss+xml" />
	<link>http://jtrajewski.com/blog</link>
	<description>A look into the world of digital forensics, white collar crime and related topics</description>
	<lastBuildDate>Wed, 05 Aug 2009 13:50:56 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Weaponizing Web 2.0</title>
		<link>http://jtrajewski.com/blog/2009/07/30/weaponizing-web-2-0/</link>
		<comments>http://jtrajewski.com/blog/2009/07/30/weaponizing-web-2-0/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 14:32:15 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Cyber Terrorism]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[hacking]]></category>

		<guid isPermaLink="false">http://jtrajewski.com/blog/?p=64</guid>
<description><![CDATA[In this link to Brian Krebs's blog, he describes how researchers Nathan Hamiel and Shawn Moyer presented a method to automate cross-site request forgery (CSRF) attacks (link to paper &#8211; Moyer-Hamiel-DC17-Dynamic-CSRF).
Taken from the article &#8220;To take the Alice and Bob on the forum example a step further, consider what happens when Alice views a forum posting [...]]]></description>
<content:encoded><![CDATA[<p>In this <a href="http://voices.washingtonpost.com/securityfix/2009/07/weaponizing_web_20.html#more">post</a> on Brian Krebs's blog, he describes how researchers Nathan Hamiel and Shawn Moyer presented a method to automate cross-site request forgery (CSRF) attacks (<a href='http://jtrajewski.com/blog/wp-content/uploads/2009/07/Moyer-Hamiel-DC17-Dynamic-CSRF.pdf'>link to paper &#8211; Moyer-Hamiel-DC17-Dynamic-CSRF</a>).</p>
<p>Taken from the article <em>&#8220;To take the Alice and Bob on the forum example a step further, consider what happens when Alice views a forum posting by Bob that includes a link to an off-site image hosted at a site controlled by Bob. That image, when loaded by Alice&#8217;s browser, will automatically send Bob&#8217;s site a referrer URL that includes the full token that is unique to Alice&#8217;s browser session with that forum. Armed with the referring URL&#8217;s token, Bob can then respond to the image request from Alice&#8217;s browser with a request to silently take action on that forum in Alice&#8217;s name.&#8221;</em></p>
<p>This interesting attack has been around since <a href="http://www.tux.org/~peterw/csrf.txt">2001</a>. The two researchers took the CSRF concept a bit further by systematically packaging payloads based on the referring site, so essentially they can have attacks ready for particular websites. <em>&#8220;We&#8217;ve come up with a way to take those tokens and repackage them on a payload-per-domain basis, with different types of payloads based on the referring site,&#8221; Hamiel said. &#8220;So, if it&#8217;s linked off of Twitter, the tool might respond one way, or if it&#8217;s linked off of something like LinkedIn, it might respond another way.&#8221;</em></p>
<p>This also gives attackers the ability to scale up attacks in a modular fashion, so updates can be made to payloads on the fly when referring websites make changes.</p>
<p>Just something to keep your eye on.</p>
]]></content:encoded>
			<wfw:commentRss>http://jtrajewski.com/blog/2009/07/30/weaponizing-web-2-0/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
<title>Walking the Cyberbeat: To make Facebook advertiser-friendly, its &#8216;porn cops&#8217; delete risqué content and enforce decorum.</title>
		<link>http://jtrajewski.com/blog/2009/05/05/walking-the-cyberbeat-to-make-facebook-advertiser-friendly-its-porn-cops-delete-risque-content-and-enforce-decorum/</link>
		<comments>http://jtrajewski.com/blog/2009/05/05/walking-the-cyberbeat-to-make-facebook-advertiser-friendly-its-porn-cops-delete-risque-content-and-enforce-decorum/#comments</comments>
		<pubDate>Tue, 05 May 2009 12:37:34 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[police]]></category>
		<category><![CDATA[pornography]]></category>

		<guid isPermaLink="false">http://jtrajewski.com/blog/?p=57</guid>
		<description><![CDATA[http://www.newsweek.com/id/195621?GT1=43002


It&#8217;s just before lunchtime in the sunny, high-tech headquarters of Facebook in Palo Alto, Calif., and Simon Axten is cuing up some porn. A photo of a young couple sloppily making out pops onscreen. It&#8217;s gross, but not against the rules, so Axten punches a key to judge the image appropriate. Next up: a young [...]]]></description>
			<content:encoded><![CDATA[<p>http://www.newsweek.com/id/195621?GT1=43002</p>
<p><em>It&#8217;s just before lunchtime in the sunny, high-tech headquarters of Facebook in Palo Alto, Calif., and Simon Axten is cuing up some porn. A photo of a young couple sloppily making out pops onscreen. It&#8217;s gross, but not against the rules, so Axten punches a key to judge the image appropriate. Next up: a young woman in panties only, covering her breasts with her hands. &#8220;That&#8217;s pretty close,&#8221; Axten says, pondering the image. There&#8217;s nothing arbitrary about his judgments: at Facebook, they have developed semiformal policies like the Fully Exposed Butt Rule, the Crack Rule and the Nipple Rule. In this photo there&#8217;s no visible areola, he decides, so it stays. The next photo is a male clad only in a black thong and angel wings. Utterly nonplussed, Axten OKs the picture. After delivering a verdict on 75 of the 438,848 outstanding photos flagged by Facebook users—buff guy soaping up in the shower (OK); girl blowing an epic cloud of pot smoke (he deletes it); an underage user drinking from two liquor bottles at once (ditto)—Axten is off to a meeting. It&#8217;s just another day at the office of the world&#8217;s fastest-growing social-networking site.</em></p>
<p><em>At Facebook, Axten isn&#8217;t some fringe employee doing unmentionable work. The 26-year-old Stanford grad is one of some 150 people the young company employs to keep the site clean—out of a total head count of 850. Facebook describes these staffers as an internal police force, charged with regulating users&#8217; decorum, hunting spammers and working with actual law-enforcement agencies to help solve crimes. Part hall monitors, part vice cops, these employees are key weapons in Facebook&#8217;s efforts to maintain its image as a place that&#8217;s safe for corporate advertisers—more so than predecessor social networks like Friendster and MySpace. &#8220;[They were] essentially shanghaied by pornography and sexual displays,&#8221; says David Kirkpatrick, author of the forthcoming book &#8220;The Facebook Effect.&#8221; It&#8217;s a tricky job: by insisting that users sign up under real names and refrain from posting R-rated photos, Facebook hopes to widen its user base to include upscale professionals, but at the same time it&#8217;s aware that too much heavy-handed censorship could upset its existing members. &#8220;If [Facebook] got polluted as just a place for wild and crazy kids, that would destroy the ability to achieve the ultimate vision, which is to create a service for literally everyone,&#8221; Kirkpatrick says—and then its potential for profits would disappear, too.</em></p>
<p><em>Internet companies have long grappled with illicit postings. As far back as 1993, AOL&#8217;s &#8220;community action teams&#8221; were reviewing e-mail and chat-room activity. Craigslist has long been beset by ads for prostitution; in November, the site began cooperating with attorneys general to curb posts to its &#8220;Erotic Services&#8221; section, and last month Boston police apprehended a med-school student later charged with murdering a woman who&#8217;d placed a &#8220;massage services&#8221; ad on the site. In 2005, as user-generated content platforms exploded at sites like YouTube, Flickr and Digg, the need to screen content grew rapidly as well, increasing demand for online cops.</em></p>
<p><em>At Facebook, the range of policed activity is broad. A division called User Operations looks at all content that users say is harassing (via &#8220;report this&#8221; links spread liberally throughout the site) or that shows drugs, nudity or pornography. It also maintains an extensive &#8220;blacklist&#8221; of forbidden names that cannot be used to make new profiles, like Batman. Some of this monitoring is quite small beer: you&#8217;re not allowed to call someone a &#8220;jerk&#8221; on Facebook if someone reports it. Employees also vigorously enforce their &#8220;real-name culture&#8221;; they even disabled the actress Lindsay Lohan&#8217;s account in December after discovering that she was on the site under an alias.</em></p>
<p><em>Behind all these actions is a team of employees who set guidelines and make judgment calls, each earning in the neighborhood of $50,000 a year—making &#8220;porn cop&#8221; one of the quirkier entry-level jobs to emerge in the Silicon Valley economy. Another division, Site Integrity, watches for spam and phishing attacks on the Facebook network and employs &#8220;white hat&#8221; hackers to look for vulnerabilities in the system. Workers describe their roles with a police analogy, from &#8220;cop on the beat&#8221; to &#8220;undercover,&#8221; in the case of one employee who mingles with spammers and hackers in various dark corners of the Internet.</em></p>
<p><em>While the cops analogy may be overwrought, some of these teams are involved in actual law enforcement. Police departments are learning that Facebook accounts can offer rich information about criminal suspects. When Facebook was young, most police requests were about underage drinking. &#8220;Now it&#8217;s murders, missing kids—basically all the worst things you can think of,&#8221; says Max Kelly, 39, a former FBI computer forensics analyst who is now the site&#8217;s head of security. Kelly estimates police contact Facebook regarding up to half the crimes that attract national media attention. The company says it tends to cooperate fully and, for the most part, users aren&#8217;t aware of the 10 to 20 police requests the site gets each day. Other interactions with law enforcement have happier outcomes. &#8220;Because Facebook is so addictive, even if a high-school kid decides to run away with a college boyfriend and they&#8217;re three states away, they can&#8217;t keep themselves from checking Facebook,&#8221; Kelly says. Since the site tracks the geographic locations of log-ons, he says, &#8220;on a number of occasions, we&#8217;ve helped reunite families.&#8221;</em></p>
<p><em>By some accounts, archrival MySpace is actually ahead of Facebook in a number of measures in the safety-security-privacy arena. MySpace, a subsidiary of News Corp., says it has a staff of &#8220;hundreds&#8221; and proprietary software systems that proactively review every one of the 15 million to 20 million images added to the site every day, not just the ones that are reported by users, as Facebook does. NEWSWEEK reviewed both Facebook and MySpace documents that let law-enforcement agencies know what information they track and how to obtain it; MySpace&#8217;s guide is more robust, offering agencies templates with language geared specifically to be admissible in court. Both sites disclose that they cooperate with police in the terms that users agree to when they sign up.</em></p>
<p><em>Still, Facebook, which was launched in 2004 by Harvard sophomore Mark Zuckerberg and spread through the Ivy League before opening to all comers in 2006, retains some gloss from those prestigious roots; it recently added its 200 millionth member, while MySpace&#8217;s rolls contain half as many. &#8220;From a branding perspective, Facebook is the high-status, trusted brand in the social networking space,&#8221; says BJ Fogg, a psychologist at Stanford who teaches courses about the service. &#8220;Maintaining that will help them continue to grow quickly and bring on people who wouldn&#8217;t have thought of joining MySpace.&#8221; More users, obviously, means more advertising. Kirkpatrick estimates the site will bring in more than $300 million in revenue in 2009. &#8220;There are many reasons to believe that Facebook is increasingly an effective advertising destination,&#8221; he says.</em></p>
<p><em>There are plenty of obstacles that could keep that vision from coming true. As a business that is entirely dependent on its users&#8217; whims, Facebook must manage its relationship with them just so. The site has tended to treat its users brusquely during periodic redesigns; its most recent one led to a 1.7 million-member Petition Against the &#8220;New Facebook&#8221; group. For the site&#8217;s content police, though, the bigger risk is that they&#8217;ll execute their censorship in a way that upsets some users. Last year mothers on Facebook began noticing that photos of themselves breast-feeding were being deleted. As so many things do on Facebook, the reaction went viral. As of last week, more than 230,000 people had joined a group named Hey Facebook, Breastfeeding Is Not Obscene! which promotes videos and online &#8220;nurse-ins.&#8221; Facebook, though stung by the bad publicity, says it&#8217;s not too worried: users may join a protest group, but the fact that they haven&#8217;t quit the site altogether shows how sticky Facebook can be. It may not be making money yet, but Axten and his colleagues are playing a key role in the race to profitability—one deleted nipple at a time.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://jtrajewski.com/blog/2009/05/05/walking-the-cyberbeat-to-make-facebook-advertiser-friendly-its-porn-cops-delete-risque-content-and-enforce-decorum/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Two staff members fired for &#8220;private&#8221; myspace postings</title>
		<link>http://jtrajewski.com/blog/2009/05/04/two-staff-members-fired-for-private-myspace-postings/</link>
		<comments>http://jtrajewski.com/blog/2009/05/04/two-staff-members-fired-for-private-myspace-postings/#comments</comments>
		<pubDate>Mon, 04 May 2009 22:42:46 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[houston's]]></category>
		<category><![CDATA[myspace]]></category>
		<category><![CDATA[terminated]]></category>

		<guid isPermaLink="false">http://jtrajewski.com/blog/?p=54</guid>
<description><![CDATA[Two Houston's staff members were fired after &#8220;venting&#8221; in a private MySpace message.
video &#8211; http://www.cnn.com/video/#/video/tech/2009/05/04/am.cho.myspace.cnn
article &#8211; http://online.wsj.com/article/SB124045009224646091.html
By now, many employees are uncomfortably aware that their every keystroke at work, from email on office computers to text messages on company phones, can be monitored legally by their employers.
What employees typically don&#8217;t expect is for the company to [...]]]></description>
<content:encoded><![CDATA[<p>Two Houston's staff members were fired after &#8220;venting&#8221; in a private MySpace message.</p>
<p>video &#8211; http://www.cnn.com/video/#/video/tech/2009/05/04/am.cho.myspace.cnn</p>
<p>article &#8211; http://online.wsj.com/article/SB124045009224646091.html</p>
<p><em>By now, many employees are uncomfortably aware that their every keystroke at work, from email on office computers to text messages on company phones, can be monitored legally by their employers.</em></p>
<p><em>What employees typically don&#8217;t expect is for the company to spy on them while on password-protected sites using nonwork computers. But even that privacy could be in jeopardy.</em></p>
<p><em>A case brewing in federal court in New Jersey pits bosses against two employees who were complaining about their workplace on an invite-only discussion group on MySpace.com, a social-networking site owned by News Corp., publisher of The Wall Street Journal. The case tests whether a supervisor who managed to log into the forum &#8212; and then fired employees who badmouthed supervisors and customers there &#8212; had the right to do so.</em></p>
<p><em>The case has some legal and privacy experts concerned that companies are intruding into areas that their employees had considered off limits.</em></p>
<p><em>&#8220;The question is whether employees have a right to privacy in their non-work-created communications with each other. And I would think the answer is that they do,&#8221; said Floyd Abrams, a First Amendment expert and partner at Cahill Gordon &amp; Reindel LLP in New York.</em></p>
<p><em>The legal landscape is murky. For the most part, employers don&#8217;t need a reason to fire nonunion workers. But state laws in California, New York and Connecticut protect employees who engage in lawful, off-duty activities from being fired or disciplined, according to a report prepared by attorneys at the firm Proskauer Rose LLP. While private conversations might be covered under those laws, none of the statutes specifically addresses social networking or blogging. Thus, privacy advocates expect to see more of these legal challenges.</em></p>
<p><em>In February, three police officers in Harrison, N.Y., were suspended after they allegedly made lewd remarks about the town mayor on a Facebook account. The officers mistakenly thought the remarks were protected with a password, but city officials viewed the page, said Harrison police chief David Hall. The remarks about Mayor Joan Walsh might have violated the officer&#8217;s code of conduct, he said.</em></p>
<p><em>Mr. Hall said the town board was considering firing the officers. The policemen have asked a federal judge in White Plains, N.Y., to limit the town of Harrison&#8217;s inquiry into the online postings, citing privacy concerns, said Donald Feerick, the officers&#8217; attorney. Calls to Ms. Walsh weren&#8217;t returned.</em></p>
<p><em>The case in New Jersey centers on two employees of Houston&#8217;s restaurant in Hackensack, bartender Brian Pietrylo and waitress Doreen Marino, who in 2006 created and contributed to a forum about their workplace on MySpace.com. Mr. Pietrylo emailed invitations to co-workers, who then had to log in using a personal email address and a password.</em></p>
<p><em>&#8220;I just thought this would be a nice way to vent&#8230;without any eyes outside spying in on us. This group is entirely private,&#8221; Mr. Pietrylo wrote in his introduction to the forum, according to court filings.</em></p>
<p><em>On the forum, Mr. Pietrylo and Ms. Marino, who was his girlfriend, made fun of Houston&#8217;s decor and patrons, and made sexual jokes. They also made negative comments about their supervisors.</em></p>
<p><em>The supervisors were tipped off to the forum by Karen St. Jean, a restaurant hostess, who logged into her account at an after-hours gathering with a Houston&#8217;s manager to show him the site. They all had a laugh, Ms. St. Jean said in a court deposition, and she didn&#8217;t think any more about it.</em></p>
<p><em>But later, another supervisor called Ms. St. Jean into his office and asked her for her email and password to the forum. The login information was passed up the supervisory chain, where restaurant managers viewed the comments.</em></p>
<p><em>The following week, Mr. Pietrylo and Ms. Marino were fired. Houston&#8217;s managers have said in court filings that the pair&#8217;s online posts violated policies set out in an employee handbook, which include professionalism and a positive attitude. A lawyer for Hillstone Restaurant Group, which owns Houston&#8217;s, declined to comment.</em></p>
<p><em>In their lawsuit, Ms. Marino and Mr. Pietrylo claim that their managers illegally accessed their online communications in violation of federal wiretapping statutes and that the managers also violated their privacy under New Jersey law.</em></p>
<p><em>But the courts might not view online musings as private communication. &#8220;You can&#8217;t post something on the Internet and claim breach of privacy when someone sees it,&#8221; said Lewis Maltby, president of the National Workrights Institute in Princeton, N.J.</em></p>
<p><em>Ms. St. Jean said in a deposition she feared she would be fired if she didn&#8217;t give up her password, a twist in the case that Mr. Maltby says could sway a jury against the company.</em></p>
<p><em>Labor and legal experts say the outcome of many employee privacy cases hinges on workers&#8217; expectations of their privacy rights &#8212; particularly whether they have been given notice that they are subject to monitoring. In the Houston&#8217;s case, the workers had no idea their online activities outside of work could be monitored, says their attorney, Fred J. Pisani. A trial is set for June 9.</em></p>
<p><em><strong>Write to </strong>Dionne Searcey at <a href="mailto:dionne.searcey@wsj.com">dionne.searcey@wsj.com</a></em></p>
<p><em><cite class="paperLocation">Printed in The Wall Street Journal, page A13</cite></em></p>
]]></content:encoded>
			<wfw:commentRss>http://jtrajewski.com/blog/2009/05/04/two-staff-members-fired-for-private-myspace-postings/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Feeling sick? Jump into a web 2.0 world..</title>
		<link>http://jtrajewski.com/blog/2009/03/30/feeling-sick-jump-into-a-web-20-world/</link>
		<comments>http://jtrajewski.com/blog/2009/03/30/feeling-sick-jump-into-a-web-20-world/#comments</comments>
		<pubDate>Mon, 30 Mar 2009 14:18:03 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[diagnosis]]></category>
		<category><![CDATA[doctor]]></category>
		<category><![CDATA[second life]]></category>

		<guid isPermaLink="false">http://jtrajewski.com/blog/?p=51</guid>
		<description><![CDATA[Second Life is a virtual web 2.0 world that is created by its residents.
Recently, a new trend has emerged within Second Life: the medical diagnosis of real-world patients via their avatars.
http://www.cnn.com/2009/TECH/03/30/doctors.second.life/index.html
]]></description>
			<content:encoded><![CDATA[<p><a href="http://secondlife.com/whatis/" target="_blank">Second Life</a> is a virtual web 2.0 world that is created by its residents.</p>
<p>Recently, a new trend has emerged within Second Life: the medical diagnosis of real-world patients via their avatars.</p>
<p>http://www.cnn.com/2009/TECH/03/30/doctors.second.life/index.html</p>
]]></content:encoded>
			<wfw:commentRss>http://jtrajewski.com/blog/2009/03/30/feeling-sick-jump-into-a-web-20-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Wife murdered for Facebook status</title>
		<link>http://jtrajewski.com/blog/2009/01/23/wife-murdered-for-facebook-status/</link>
		<comments>http://jtrajewski.com/blog/2009/01/23/wife-murdered-for-facebook-status/#comments</comments>
		<pubDate>Fri, 23 Jan 2009 13:10:52 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[law enforcement]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[murder]]></category>
		<category><![CDATA[richardson]]></category>

		<guid isPermaLink="false">http://jtrajewski.com/blog/?p=45</guid>
		<description><![CDATA[&#8220;A man murdered his estranged wife after becoming &#8220;enraged&#8221; when she changed her marital status on Facebook to &#8220;single&#8221;.
Edward Richardson, 41, of Mayfield Road, Biddulph, was found guilty of stabbing Sarah Richardson to death.&#8221;
 
http://news.bbc.co.uk/2/hi/uk_news/england/staffordshire/7845946.stm
]]></description>
			<content:encoded><![CDATA[<p>&#8220;<strong>A man murdered his estranged wife after becoming &#8220;enraged&#8221; when she changed her marital status on Facebook to &#8220;single&#8221;.</strong></p>
<p>Edward Richardson, 41, of Mayfield Road, Biddulph, was found guilty of stabbing Sarah Richardson to death.&#8221;</p>
<p><a href="http://news.bbc.co.uk/2/hi/uk_news/england/staffordshire/7845946.stm">http://news.bbc.co.uk/2/hi/uk_news/england/staffordshire/7845946.stm</a></p>
]]></content:encoded>
			<wfw:commentRss>http://jtrajewski.com/blog/2009/01/23/wife-murdered-for-facebook-status/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
