Five Companies That Dropped The Ball This Week

The [Stuff] Hits The Fan For CarrierIQ

CarrierIQ, a purveyor of wireless network analytics software, drew industry-wide condemnation this week as it emerged that several carriers and handset makers, including AT&T, Sprint, HTC and Samsung, have been installing and using it on millions of devices. Questions swirled about whether the software, which can track keystrokes, location and text within messages, had been used for privacy-infringing purposes.

CarrierIQ already raised eyebrows last month when it sent a cease-and-desist order to a researcher who labeled its software a rootkit, and then subsequently retracted the C&D and apologized. The researcher, Connecticut-based network admin Trevor Eckhart, then posted a YouTube video that outlines exactly what sort of snooping CarrierIQ's software is capable of.

The denials and equivocations are flying thick and furious now, and Congress is looking into whether the use of CarrierIQ violates federal wiretap laws.

Facebook Apologizes Again For Privacy Missteps

Stop me if you've heard this before: This week, Facebook founder and CEO Mark Zuckerberg apologized in a blog post for not keeping the company's previous privacy promises to users. He's done this many times in the past, but this time, Zuckerberg also acknowledged that Facebook had agreed to a settlement with the Federal Trade Commission over its privacy transgressions.

As far as settlements go, this one didn't have much of a bite: Facebook wasn't fined and didn't even have to admit its guilt. Nor did users receive any compensation for having their privacy repeatedly stepped on. Basically, Facebook was told not to ever, ever do it again. Talk about toothless!

Facebook is chugging steadily toward what has been estimated to be a $100 billion IPO next year, but the privacy violations remain a thorny issue for the company. For many Facebook users, the apologies are starting to ring hollow.

HP Lashes Out At Researchers' Printer Fire Claims

HP's reaction this week to a bizarre report about a security vulnerability that could potentially be used to remotely ignite its LaserJet printers was an interesting study in misdirection.

According to the report, a pair of Columbia University security researchers discovered a vulnerability in HP LaserJet printers' firmware that could enable remote attackers to send commands that would cause a printer mechanism to overheat and catch fire. HP responded by calling the reporting "sensational and inaccurate", but also acknowledged that it had identified a "potential security vulnerability" in some of its LaserJet printers, and that it would release a firmware upgrade to address the issue.

HP was clearly irked by the amount of attention this outlandish-sounding story generated. But the fact is, the researchers did direct its attention to a potential security flaw in one of its products.

AT&T Rails Against FCC Smackdown Report On T-Mobile Bid

The Federal Communications Commission filed its report on AT&T's proposed $39 billion acquisition of T-Mobile, and AT&T didn't much like what the FCC had to say.

AT&T is trying to make the case that merging with T-Mobile would increase competition, create jobs, lower prices and cause it to invest more in infrastructure.

But the FCC wasn't having any of it: In its report, the agency refuted each of these claims and basically sent the message: Nice try, but no dice. AT&T responded by calling the FCC report "unfair." Next up for AT&T is a Dec. 9 hearing with the Department Of Justice to talk about that agency's civil antitrust suit against the deal. If AT&T can't find some way to settle, the case will head to court next February.

Oracle Gets Heat Over Response To Security Flaws

Oracle has long been targeted by security researchers for not being responsive enough to security vulnerabilities they report, and for sometimes downplaying their impact.

This week, database security experts raised similar claims and warned of the dangers of SQL injection attacks and other advanced threats that target databases.

"I would say easy fixes get done pretty quickly, within three to six months, but things that are harder and need some changes in architecture or have an impact on customers where customers have to make some changes to their products, to their software that uses the databases, those things don't get done in the CPU," Alex Rothacker, manager of Application Security's research arm, TeamSHATTER, told Dark Reading this week.

"We have a vulnerability disclosed where basically we can brute force any user's password ... we reported this two years ago and they haven't fixed it yet."