Besides the web form, a RESTful API is provided to check automatically. Right now, 6,474,028,664 accounts are listed from about 340 hacked websites. A list of the breaches the data comes from is also provided. Altogether, it is an easy way to check if your digital identity was recently stolen.
After Collection #1, it did not take long until additional sets of leaked account and password information appeared. Meanwhile, there are Collection #2 to Collection #5.
Altogether, more than 8,000,000,000 have meanwhile been leaked. While I accept and actually think of systems being hacked at one point – remember it is not about the if, it is about the when – I cannot understand how actual passwords are stored.
When I designed a large multi-user system some years ago, we did not save clear-text passwords in the system. We did not even transport the password from the client to the server in plain text. That said, I still try to imagine how anyone could even think of storing passwords in plaintext.
I actually checked three mail addresses I usually use to sign in at various services.
As this is a mail address I don’t use to sign in at public services a lot, the result was not very surprising. Actually, that way I found an account to delete. For my second account, this does not look that good. The mail address (and probably passwords) appears in Collections #1 to #2.
The same actually is true for my third and last address I do use for public services.
While I do reset passwords from time to time, it is still worrying that so many passwords have been leaked. I will probably change some passwords of my major accounts and delete some accounts I really won’t use anymore – or have never even used, such as a MySpace account I completely forgot about.
That way, the HPI Identity Leak Checker might also help to find out about forgotten accounts worth closing.
While I was annoyed in the very first moment, I had to think through various perspectives, not just coming up with yet another rant post about Google’s attitudes.
The Business Point of View
Google is not doing anything wrong (I guess) from a business point of view. They simply cut down projects, teams or cost centers with no or little revenue. I have seen this several times during my time at Microsoft, where teams or studios were shut down due to revenue not meeting expectations. Larry Page wanted to focus on core products and less speculative projects, which does make sense considering the shareholders behind Google. Consequently, cutting down free services that are not paid for and that require manpower for development and maintenance and (not to be underestimated) bare metal down in Google’s data centers is a plan to increase revenues, cut down losses and avoid spending money.
The User’s Point of View
As a user, you might rely on these services. Maybe you built up your website based on various Google APIs (as they have been free), you maintained your RSS feed in Google Reader and so on. Even with several weeks of notice, you need to change technologies, maybe rebuild or recode your page, and even worse, change habits. At some point in time, after this happened one, two or three times (depending on your very personal potential to suffer).
The Developer’s Point of View
There are quite many apps, tools and pages out there heavily depending on or based on Google’s API, including Google Reader. Not only will their apps and tools stop working, but users who bought these products will also be forced to stop using them. With feedly, there is a timely alternative Reader, and with Normandy developers get an API they might use for their products. However, Nick Bradbury already announced that he will stop working on the Windows client FeedDemon, which heavily depends on the Google API for synchronization. More will definitely follow…
The Consequences
As a developer, I was affected once before; as a user, I am affected for the second time now. By cutting down both services I am left with Google Calendar. While Google might or might not continue this service in the future, one might rethink if using it is a good choice. Keep in mind, we do not pay for it as users, and Google App Sync is meanwhile only available for business users (probably paying for it). Google Calendar Sync was a great tool to sync between Outlook and Google Calendar. I fought my way through the setup using Windows 7 three years ago right after they stopped development for it.
The Business Point of View Revisited
I wonder if Google thought of charging for these services. I wonder if one (e.g. I) would pay for such a service. It definitely would depend on the amount they would charge. A few bucks a year won’t hurt, and with a few tens of thousands of users they might pay the bills for this service, one might think. On the other hand, a company like Google might not be interested in any service with less than ten million $$$ of revenue (please put in whatever amount you think is suitable) or a million users…
For a Web Service providing some REST-style URIs to access the data, I decided to use the ASP.NET MVC 4 Web API. Once developed, tested and deployed I experienced a mysterious 404 on my production server.
The Web API started originally as WCF Web API at CodePlex and is finally fully integrated within the latest .NET framework:
“ASP.NET Web API represents the joint efforts of the WCF and ASP.NET teams to create an integrated web API framework. You can get the bits and find articles, tutorials, samples and videos on the new ASP.NET Web API home page. All you have to do is to..”
The tutorials and examples for the ASP.NET Web API are overall easy to understand and you probably get access to the technology very quickly. After I set up my first Web API, which worked absolutely perfectly on Windows 8, developed using Visual Studio 2012 and tested with IIS Express, I was not able to get the bits executed on the deployment server. It’s a Windows Server 2008 R2, IIS 7.5 and a whole bunch of stuff installed using the Web Platform Installer.
Make sure the .NET Framework is installed; you probably missed installing the 4.5 framework on the deployment server. As IIS is set up already, once again it is necessary to register ASP.NET for the latest framework using
Recently, I needed to retrieve the favicon.ico file from a website. As I had to process the file programmatically and render it on a website, it would have been quite a lot of manual work to get the .ico file and make sure the browser renders it in the correct way. After digging around, I learned about a secret URI probably provided once by Google’s social bookmarking service Google Shared Stuff. While Google Shared Stuff was launched in 2007, it was already discontinued in 2009. However, this one URI seems to work perfectly, maybe because it is still used within Google extensively.
To get the favicon.ico file from any arbitrary page you simply have to use a URI using the following pattern:
While retrieving the favicon.ico file using the standard URI is probably not a problem at all, the secret URI provides one major advantage: you’ll get the icon as a nice 16×16 PNG file, ready to be rendered in any <img> tag right away.
A few days ago, Radu Drăgușin discovered a data leak at the IEEE servers, enabling him to download about 100,000 plain-text passwords (probably mine as well).
On the one hand, it shows how critical it is to consider the security of your system, regardless of whether you are a small company or a worldwide organization such as the IEEE. On the other hand, it showed that even large organizations you would never have expected it from might face such fatal security leaks.
However, Radu went ahead and (a) decided not to share the information he gained through this security leak with the public (big kudos for this decision), (b) prepared various statistics on ieeelog.com based on the information (which are indeed interesting without revealing traceable information about individuals) and (c) informed IEEE about the leak (also kudos for this). As a result you can say he was quite responsible with the data he received, and at least he followed some of the principles provided by the IEEE Computer Society Code of Ethics.
One result of his analysis is the fact that almost 300 users are using the password 123456, reminding me of Mel Brooks’ epic Star Wars parody Spaceballs, with Dark Helmet saying
“So the combination is… one, two, three, four, five? That’s the stupidest combination I’ve ever heard in my life! That’s the kind of thing an idiot would have on his luggage!”
As a result, I went straight to my IEEE account and changed the password. Luckily, it was a password not used for any other site besides the IEEE. That said, if you have an IEEE account, it probably is a good thing to go there directly and change yours as well, if not already done.
And Radu, if you ever read this post and have the chance, please have a look into the log files and let me know if the user aheil is listed there as well.
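The point made in both password posts above (the leaked collections and the IEEE leak), shown as an added Python example that is not code from this blog or from the ieeelog.com analysis: with plaintext or unsalted hashes, anyone holding the dump can see which users share a password, while per-user salts with scrypt hide that. The sample accounts are constructed, and the function names and scrypt cost parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune them for your hardware.
N, R, P, KEY_LEN = 2**14, 8, 1, 32


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=KEY_LEN)


def hash_password(password: str) -> dict:
    """Build the record to store: a fresh random salt plus the scrypt digest."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _scrypt(password, salt).hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = _scrypt(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def duplicate_groups(stored: dict) -> list:
    """Group users whose stored value is identical, as anyone reading a dump could."""
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


# Constructed sample accounts, not taken from any real leak.
SAMPLE = {"alice": "123456", "bob": "123456", "carol": "correct horse battery"}


def compare_storage_schemes(accounts: dict) -> dict:
    """Report which users visibly share a password under each storage scheme."""
    unsalted = {u: hashlib.sha256(p.encode("utf-8")).hexdigest() for u, p in accounts.items()}
    salted = {u: hash_password(p)["hash"] for u, p in accounts.items()}
    return {
        "plaintext": duplicate_groups(accounts),
        "unsalted_sha256": duplicate_groups(unsalted),
        "salted_scrypt": duplicate_groups(salted),
    }


if __name__ == "__main__":
    print(compare_storage_schemes(SAMPLE))
```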
“Important: The Google Feedburner APIs have been officially deprecated as of May 26, 2011 will be shut down on October 20, 2012.”
For all readers of this blog subscribed to the Google Feedburner feed, it has not been available using the URI http://www.feedburner.com/aheil, probably returning a 404 error code, for the last few days. The Feed Stats dashboard already shows that the feed has no subscribers anymore.
I used Feedburner even before it was acquired by Google. It was a great way to aggregate various sources of information on the web. Even with a deprecation time of three years, it is quite a loss as Feedburner provided a great way of mashing up data sources. Probably this service did not generate sufficient revenue for Google…
Digging through the resources on the Web, you might figure out that there are various approaches. I decided against any server-side processing of the request as I did not want to make an extra call to my server. Also, any jQuery plugin related approach would not work at the moment due to the recent unavailability of jQuery plugins.
Once you have your API key, which is based on the domain you want to call the API from, you can immediately start using it. The key is valid for all pages within this domain. Usage of the API includes adding the script to the head of your HTML, loading the API using Google Loader’s load() call and finally hooking up your code as a callback in the setOnLoadCallback function. The feed is then provided either as JSON or as XML by the Google Feed API and can be easily used within your code without any cross-domain restrictions.
Google has replaced the + (plus) operator for their search. While looking for a certain expression (using the plus operator), Google tells you that from now on double quotation marks are necessary to find an exact expression.
Not sure if I like this, however, it looks like there are not many options to ignore this change. This probably has to do with all the G+ notation. It feels to me as bad as product and event names like .net or build which in combination with the new double quotation mark operator find some 2,490,000,000 results not relevant at all.
Today, TechCrunch reported about Yahoo shutting down the widely used bookmark service del.icio.us. Right after this, a statement from Yahoo showed a possible alternate future of the service.
Many of you have read the news stories about Delicious that began appearing yesterday. We’re genuinely sorry to have these stories appear with so little context for our loyal users. While we can’t answer each of your questions individually, we wanted to address what we can at this stage and we promise to keep you posted as future plans get finalized.
However, anyone who still wants to quickly back up his/her bookmarks could use curl, following the tips from Martin Koser: