Gizmodo is one of the biggest blogs on the planet, a gadget site that gets upwards of 3 million views every single day. Unfortunately, last week it appears to have been distributing malware advertising to visitors that could have put them at risk of infection.

In a similar scam to that which hit the New York Times in September, Gizmodo admits that the ad sales team there were fooled into running malware adverts on the site.

Although the actual details are sketchy, a Gizmodo spokesperson says in an apology to users that:

“Guys, I’m really sorry but we had some malware running on our site in ad boxes for a little while last week on Suzuki ads. They somehow fooled our ad sales team through an elaborate scam. It’s taken care of now, and only a few people should have been affected, but this isn’t something we take lightly as writers, editors and tech geeks. (And we would have noticed sooner except everyone on staff is on OS X or Linux for production machines.) Everything should be cleared up but you should be checking “qegasysguard.exe” if you’re experiencing random popups. Be careful, load up some antivirus and make sure your system is clean. I’m sorry.”

As I say, malvertising is nothing new but it is certainly rather worrying as a trend. The New York Times were taken in by a gang which pretended to be buying space for Internet telephony outfit Vonage, and now Gizmodo by a gang claiming to be buying ad space for Suzuki. This follows in from last year when the Daily Mail newspaper displayed banner ads that actually linked to malware sites in Russia.

And the scam behind the malvertising? Almost certainly Russian scareware gangs, some of which have been using sophisticated attack methodologies of late. Gizmodo is not releasing any details at the moment, but such gangs have been able to use attacks which can infect a Windows machine just by serving up that advert without the need for any link clicking.

It should come as no surprise that scareware attacks are on the up, and methods such as malvertising are being used as a distribution channel, when Symantec reckon 40 million people have fallen victim over the last year and individual gangs are said to be earning as much as £750,000 per year as a result.

The Guardian Jobs website, one of the top five employment sites in the UK with two million users logging in every month, was hacked over the weekend. The Guardian confirmed the breach on Saturday 24th October, stating that it had been alerted to the incident on Friday the 23rd. In a statement posted online it stated that it had been “assured by our provider that the system is now secure and we have identified and contacted everyone who may have been affected”. This statement was updated on Sunday 25th to add that it had become clear “that only a minority of Guardian Jobs users are at risk” and that some of the data “which appears to have been stolen is up to two years old”. It went on to admit that as many as half a million users may have had data compromised, all of whom had now been emailed. This is out of more than 10 million unique users that the site sees every year. The US Guardian Jobs site does not appear to have been targeted by the hackers, only the UK one.

The precise nature of the hack is not yet known, not least because the there is a police investigation underway involving the central e-crime unit at New Scotland Yard, and they are keen to keep information about any theft to a minimum so as not to jeopardise that investigation this early in the proceedings.

In a blog posting, Guardian Computer Editor Jack Schofield says that the email which went out to users said “We learned yesterday evening that the Guardian Jobs website has been targeted by a sophisticated and deliberate hack, which has breached the security of the data on the site. You have used the site to make one or more job applications and we believe your personal data, relating to those applications, may have been accessed”.

The jobs.guardian.co.uk site was hosted by Magdex in the UK on behalf of The Guardian, and the company is said to have already taken steps to ensure the same “sophisticated and deliberate” attack cannot happen again.

Graham Cluley of Sophos comments “The Guardian Jobs website doesn’t say that login passwords may also have been compromised, but if I were a user of the site I certainly wouldn’t hesitate to change my password just in case”.

This is not the first time, nor I suspect the last, that the bad guys will target employment seeker sites. Remember back in 2007 when Monster.com was targeted by a data stealing Trojan or earlier this year when the official US Government job site, USAJOBS, was breached?/ As long as there is all that juicy personal data sitting there, the would be identity thief will be trying to find ways of stealing it.

At least The Guardian deserves some credit for acting quickly to both seal the hole and notify the potential victims of this hack.

When it comes to phishing sites there are two universal truths: people click on the links because they are lacking in IT security smarts, and the fake sites themselves get decommissioned very quickly indeed. So why not exploit the latter to educate the former? That’s the rather ingenious game plan being deployed by the Anti-Phishing Working Group.

The APWG is a global pan-industrial and law enforcement association focused on eliminating fraud and identity theft resulting from phishing, pharming and email spoofing of all types. Now the APWG Internet Policy Committee along with the Carnegie Mellon Cylab Usable Privacy and Security Laboratory have developed a scheme which aims to educate consumers at the most teachable moment of all: when they have literally just clicked on a link in a phishing message.

The APWG/CUPS Phishing Education Landing Page Program is a real-time counter-eCrime education system designed to instruct consumers the moment they’ve been pulled into a phishing scam by redirecting them away from the (by now decommissioned) phishing website they have clicked through to and instead taking them to an educational security page that warns of the dangers they would have faced and instructs them on how best not to get caught out in the future.

Phishing sites don’t tend to be live for very long. Security companies are good at spotting them quickly, and the phishing gangs have enough street smarts to not hang around long enough for law enforcement to be able to catch them. The phishing spams linking to those sites often remain in circulation long after the sites themselves have been decommissioned. So it makes good sense to put them to some positive use. The APWG is therefore asking ISPs, domain registrars and the like to get the spoofed company or brand to approve redirection of those links to the educational page and then do the necessary technical wizardry to make the redirect work.

You can see the Phishing Education Landing Page for yourself right here.

“Our research has shown that most Internet users don`t know very much about online scams and don`t realize that there are some simple things they can do to protect themselves,” said Dr. Lorrie Cranor, an associate professor of computer science and engineering & public policy at Carnegie Mellon and director of the CyLab Usable Privacy and Security Laboratory. “People aren’t interested in computer safety courses. But we’ve demonstrated that users are receptive to on-line safety instruction immediately after they fall for a phishing attack and they tend to remember this instruction.”

This week, the true power of Twitter was revealed and oh boy was it a sight to behold. Who said Twitter was just a bunch of willy waving celebs polishing egos and plugging books, followed by a bunch of sad geeks with nothing better to do?

First there was the not so small matter of Carter Ruck, Trafigura, Parliamentary proceedings and The Guardian. When The Guardian was prevented on reporting a question to be asked in Parliament by a so-called super-injunction taken out by solicitors Carter Ruck acting on behalf of oil trader Trafigura, Twitter went ballistic.

The super-injunction not only prevented The Guardian from reporting on the question about Trafigura being asked in Parliament, but also prevented them from reporting that the injunction had been taken out in the first place.

That didn’t prevent The Guardian from publishing that “the case involves the London solicitors Carter-Ruck” or that published House of Commons order papers contained “a question to be answered by a minister later this week” which might somehow be involved. “The Guardian is prevented from identifying the MP who has asked the question, what the question is, which minister might answer it, or where the question is to be found” it admitted.

But that was enough for quick witted Twitter users to join the dots and work out exactly what was going on. Within a few hours not only had the hashtag #trafigura topped the Twitter trending list, but by the next morning Trafigura, Carter-Ruck and CarterRuck occupied three out of the four top trending keywords on Twitter for good measure.

By the time that Guardian Editor Alan Rusbridger had confirmed that he was due at the High Court in London to argue that the injunction be lifted, not least because it was a clear infraction of the 1688 Bill of Rights which protects Parliamentary privilege and the rights of the press to report upon Parliamentary proceedings, the damage had already been done. It came as no real surprise when Carter Ruck lifted the injunction against the newspaper with Twitter users absolutely playing a part in ensuring that happened.

And so it was revealed that the fuss was all about a question from Labour MP Paul Farrelly asking about the reporting of a toxic waste dumping incident in the Ivory Coast, and which wanted to know if ministers had taken any measures to protect whistle blowers and the press following the obtaining of an injunction against publication of a report which looked at the incident.

The Minton Report, which at the time remained subject of an injunction, has since also been released from that legal stranglehold and you can read what all the fuss was about here.

Then, later the same week, came the Daily Mail and a columnist called Jan Moir. Ordinarily, nobody really pays much attention to the Daily Mail publishing a homophobic rant, but this particular one came at exactly the wrong time. Not only was the UK genuinely grieving the loss of a popular boy band singer, Stephen Gately, but Twitter was still psyched by the success earlier in the week.

So when this particular columnist appeared to be insinuating that Stephen Gately had died because he was gay, even though the coroner reported that he died of natural causes, Twitter exploded once more. The column in question included such lines as “Healthy and fit 33-year-old men do not just climb into their pyjamas and go to sleep on the sofa, never to wake up again” and went on to state that the death was not a natural one. Of course, a little research quickly reveals that healthy 30 year olds do die in their sleep with alarming regularity.

But it was the attempt to somehow connect the fact that Gately had been out clubbing with his partner, and that they had returned home with another man, to the death that just proved too much. It could not have been more offensive, nor more insensitive, had the newspaper used a headline of ‘Gayness kills popstar’ to be honest.

Knowing that Twitter users know had a sense of the power of the community, instead of just tweeting outrage at the comments, Twitter users started to encourage each other to petition the companies which advertised on the Daily Mail website instead. Although I am sure that Twitter will never get official recognition for the role that it played, surely it is too much of a coincidence that within just a matter of hours every single advert had vanished from the page carrying the column in question.

What’s more, the Press Complaints Commission received more than one thousand complaints about the column. Again, this was at least partly due to people on Twitter pointing others in the right direction. When the PCC website crumbled under the strain, it was Twitter telling folk where complaints could be emailed instead.

Until now, it had been pretty easy for people to dismiss Twitter as nothing more than a geek messageboard. As The Powers That Be in the US are discovering those days are over, Twitter has found its voice.

Have you ever been stuck in the middle of a giant supermarket desperately trying to find that ‘Bombay Bad Boy’ Pot Noodle but were just too embarrassed to ask an assistant for help? Well there’s an app for that.

Just last month Apple rejected the Tesco Store and Product Finder app due to a technical issue with the way it handled being denied access to the iPhone’s location service. Well, OK, if it could not find your location it assumed you were at the Tesco.com head office in Welwyn Garden City instead. That glitch has now been rectified, and the Tesco Finder has hit the App Store.

Assuming that you are a Tesco customer, of course, then it’s actually a pretty nifty little application for the iPhone. It knows where you are and will find your nearest store, providing the street address and telephone number along with a one-click ‘directions finder’ using Google Maps. Very nice indeed. If you are already inside a Tesco, it knows that as well.

What it doesn’t seem to be able to do, at least not for me, is allow you to use the Town/City search function to locate a store that is not near to where you currently are. I just get a “Sorry: I couldn’t connect to Google.com Please check your network connection or try again later” error every single time. Not so nice.

However, once you have located a Tesco store the real star feature of this little app comes to the fore: the product search. Type in a product, any product at all, and it will tell you if the store you are in stocks it or note. But that’s not all, it will also tell you exactly where in that store it is located. How cool is that? No more cowering before the wife as you explain that you just couldn’t find the tampons (again) - they are on aisle 03 on the right side counting 11 units along from the 7th shelf up from the floor. Interestingly, the app uses exactly the same technology that Tesco.com pickers use to shop for customers’ online orders in store.

What it doesn’t tell you, and where Tesco has missed a trick, is the current in-store price and in-store stock levels. Now if it did that, how cool would it be? Very cool is the answer and you bet that Tesco is working on functionality upgrades. Indeed, Nick Lansley, the Head of Research and Development has hinted at some pretty interesting upgrades coming real soon. “one of Tesco Finder’s hidden talents is that you can search on a 13-digit barcode” he says “Just read any barcode from a grocery product and type it in”. The best is yet to come, as Lansley drops very string hints that ‘Red Laser’ functionality (another app which turns the iPhone into a barcode scanner and price comparison service rolled into one) could be coming in “a short time” to enable you to just point your iPhone at a barcode to capture it.

Oh, and just for the record, the Bombay Bad Boy Pot Noodle is on Aisle 15 on the left side counting 9 units along then the 2nd shelf up from the floor at my local store. And the beef is on aisle 18 on the left side counting 10 units along then the 7th shelf up from the floor.

It is always worth keeping an eye on patent applications from the bigger players in IT as they have the potential to reveal possible future business models long before any official statement.

In the past Microsoft has been held up for ridicule with some of the patent applications it has made. Perhaps most notable amongst these was the infamous Page Up Page Down patent. The latest Microsoft patent application to reach my radar will not, most likely, cause quite the same amount of sheer disbelief although it does point to something of a change in the way the Seattle giant sells us software and services.

Microsoft has filed for a patent for ‘Time-Based Licenses’ and the application abstract reveals this to be a method and system for “issuing a number of different types of time-based licenses associated with software products”.

The technical stuff about the system including an activation server which might maintain licensing information in a licensing database, along with a licensing platform which may might request issuance and renewal of time-based licenses, is interesting enough. But not nearly as interesting as the statement that each of the time-based licenses may be associated with respective product keys and may have a number of configurable parameters to make time-based licenses suitable for different licensing business models. Microsoft says, in the patent application, that licensing business models could include “a non-renewable evaluation license, a renewable trial license, a one-time promotion license, and a subscription license” as well as “a configurable parameter” which indicates “an amount of time for a grace period after a time-based license would have normally expired”.

I’m not sure how well this is going to go down with folk who are used to paying for their software with a single, one-off, license. Does this application reveal that Microsoft is going to get serious about Software as a Service after all? However, as we get increasingly comfortable renting our applications (anti-virus being a prime example) and increasingly comfortable with our software being in the cloud, it is surely only a matter of time before that includes the OS. Anyone prepared to wager if Windows 8 will be the first OS for hire from Microsoft?

Should bloggers be legally bound to prove that they are not unethical liars? Some people seem to think so, but I am not one of them.

In my 20 or so years as a freelance technology journalist in the UK I have reviewed plenty of hardware and software that has been purchased with my own hard-earned money. I have never, unless my memory is failing faster than I care to admit, bought an item solely for the purpose of a review however. That would, frankly speaking, be bad for my business. Reviews, yes even those ones that appear in glossy magazines on the newsstand, do not pay a great deal as far as the reviewer is concerned. In many cases the cost of the reviewed item would easily be much higher than the fee received for reviewing, and that’s before you even start to factor in the time taken to perform proper testing and actually writing the review itself.

So the vast majority of items that I have reviewed over the last twenty years I have not paid for, they have been supplied by the manufacturer or their PR company for the purposes of review. The vast majority of these will be supplied only after a product loan form, a binding contract between reviewer and the company concerned, has been signed and dated which sets out the length of the loan and a date by which it has to be returned. Very occasionally, maybe 5% of all the items I have ever reviewed and always the lower value products, a company will either send an item on the off chance I will review it and does not want it back whatever the case.

Does this make me a bad reviewer, am I somehow in the pocket of the corporations and providing glowing reviews in return for the use of these goods for a week or two? Er, no, of course not. Even if I were never asked for an item back, if they were all provided on the understanding that I can keep them after my review is complete, the answer would be the same. My professional opinion would not be compromised because doing so would compromise my reputation.

Now, whether you agree with my writings or not, if you regard me as a loudmouth egomaniac or an informed industry observer, my reputation is important to me. Indeed, in the decidedly volatile world that all freelance journalists inhabit, reputation is the pretty much all we have. If it gets damaged then the wound to a career would usually be a fatal one.

Back in the mists of time when the only outlet for technology reviewers was the printed medium, there were the allegations thrown around every now and then that the reviewer, or more commonly the magazine or newspaper in question, were somehow in cahoots with the software company or hardware vendor. Usually those allegations came from folk who disagreed with the opinion of the reviewer, either because they were market competitors or just wound up geeks on a mission. Nobody really took them seriously, not least as it was such a silly thing to suggest when the evidence was there in full colour with a nice illustration on the page. Just because I raved about a Microsoft product in the January edition did not mean that I wouldn’t slate one in February. Hardly the act of a paid company goon.

Now, of course, you can find vastly more reviews online than you will in all the magazines put together. And that, according to the US Federal Trade Commission, is a problem. A big problem. In it’s attempts to clean up Dodge, as it were, and regulate the blogosphere the FTC is giving the impression that it thinks all bloggers are liars.

Having now voted unanimously to approve new guidelines for online writers, guidelines which will come into effect from December 1st, the FTC expects everyone writing reviews online to make it ‘clear and conspicuous’ if the product concerned was provided free of charge or not. Any blogger violating the guidelines faces fines of up to $11,000 per violation as well possibly be forced to reimburse people claiming to have purchased the item on the strength of any review deemed inappropriate through non-disclosure.

Just how this will work in practise has yet to be seen, especially given the global nature of the web. Does it mean, for example, that a website hosted in the US is deemed to be published in the US and all its writers must abide with the guidelines even if they are based elsewhere?

I’m not denying that there are, without doubt, some companies which pay some bloggers (either directly or by way of freebie products and trips) to write glowing copy which is anything but independent. I just don’t see how the new guidelines can hope to flush these folk out, they are hardly likely to put up big disclaimers on their blogs saying “I am paid by Company X for my opinions” are they? While the rest of us, the decent guys, will be forced into making declarations of disclosure that are wholly unnecessary.

The truth is that my reputation is not up for offer to the highest bidder, and never will be. I hold myself up to a high editorial and ethical standard, I don’t need professional nannying thanks very much. Of course, the FTC regulations are unlikely to apply to IT Pro or myself as a UK-based writer. Which is probably just as well considering it is demanding that all ‘material connections’ to any company whose products you are reviewing are revealed (without actually explaining exactly what it means or what that declaration should look like).

It would turn the IT Pro site into a nightmarish vision of legal disclaimers overnight. After all, the people most likely to advertise on an IT-related website are, er, IT-related companies. Which means pretty much every review would have a ‘material connection’ to be revealed. Then there would be the individual writers to consider. If I am reviewing the latest Symantec security product in 2010 should I declare that Symantec paid my travel expenses to attend a technical review workshop in the US five years ago?

The biggest problem is that the FTC has applied a broad brush when it comes to who needs to disclose here and applied it somewhat haphazardly, the end result being that it has left something of a mess splashed all over the place. Not least in defining exactly who it is saying is a blogger.

From my reading of the guidelines the FTC would appear to be suggesting that professional journalists write for newspapers and magazines, TV and radio, and not blogs. By implication then, all bloggers are liars and cannot be trusted. The fact that increasingly large numbers of ‘professional’ writers now ply their trade online would appear to have escaped the FTC, just as has the pretty obvious conclusion that the vast majority of non-professional writers who blog are actually pretty decent people who just happen to have a strong opinion about things.

Does the FTC really think that ordinary folk who read blogs are so stupid that they cannot tell if someone is being paid to promote? Does it truly believe that the wisdom of crowds cannot apply to blog reviews? Do you really want to end up with online reviews written by lawyers?

Just when you thought spam volumes couldn’t really get much worse, comes the news that one of the frontline defences against spambots has been compromised by a rather clever decoding Trojan.

According to researchers at Webroot the Trojan makes use of components found in commercial optical character recognition software in order to decode Captcha sentries which do a pretty decent job of keeping the bots out of webmail and forum services while letting the real human beings in. At least of late, software has had something of a problem in unjumbling the images of text used by these ‘Completely Automated Public Turing Test To Tell Computers and Humans Apart’ systems. Heck, even I have trouble in getting it right on occasion, and I am a real human being, albeit one with eyes that are not as young as they used to be.

Sure, this is not the first time that Captcha has been cracked, Hotmail (which is having something of a security crisis right now) fell victim to spammer gang hacking attention earlier in the year. I wrote a piece on IT Pro called Hotmail CAPTCHA: cracked in 20 seconds at the time.

But this time it’s different, this time it’s a Trojan using clever technology to accomplish a cunning goal. You’d never guess, but the Webroot folk reckon its main purpose “appears to be to fill out contest entries, online polls, and other forms relating to marketing campaigns”. It uses the OCR side of things to get past the Captcha and submit the forms.

So why should we worry about this? Mainly as it seems the tool itself is something of a corker, designed in China and capable bypassing over 30 different captcha systems. Simples. Which means that spammers are going to be making a lot of use of the thing before very long. Especially Chinese spammers, one has to assume.

The Trojan itself appears capable of filling in forms at the rate of one every 15 minutes, not amazingly fast but seeing as it can also monitor active pages and steal passwords and shopping form contents, it is worrying enough methinks.

So what are the people behind it up to? Webroot researchers think it’s currently something of a product test combined with a cheeky and greedy attempt to win prizes offered by the online survey outfits.