Crowd-sourcing mischief on Google Maps leads customers astray

Google PlacesAs if we weren’t already a drifting, confused mob of smartphone-jabbing zombies already, Google has presented a new way to baffle business customers.

As the New York Times recently reported and a bunch of “No, we are not closed” businesses subsequently protested, Google’s Yellow Pages-ish Google Places turns out to be dismayingly easy to lie to.

The problem: Relying as it does on crowd sourcing that allows customers to report that a Google Maps/Google Places business is closed, Google has incorporated no verification to back up the “closed” status.

It's easy to tell Google Places that a business is closed

Thus, spammers can jump on a business out of malice or fun or for whatever other drooly reasons motivate the idly malicious, putting a “closed” sign on any shop the mob has decided to pick on that day.

This exchange on Google’s Help forum for Google Places for Business is typical of Google’s initial response:

Exchange on Google's Help forum

Mystified business owner douknow1:

"After doing a search on my mobile phone for my business, I learned that Google has a tag below my business name that says Permenantly Closed in Red. Being that I cannot contact google, I was hoping someone could help me figure out how to remove it."


"Google does not report businesses as closed. This was submitted as a community edit. On your Google places page you will find a link 'edit this place' there you can find the option to report the business as open."

OK, it sounds like a shrug put into text. But to its credit, Google has jumped on this problem fast. The New York Times article went up Monday, and by 12:35 a.m. Tuesday Google had responded, saying they’re aware of the problem and are “actively working on a solution.”

To wit, here’s what Google is saying:

"Every year, millions of businesses open, close, move, change their hours, get a new website, or make other types of changes. Because we can’t be on the ground in every city and town, we enable our great community of users to let us know when something needs to be updated. The vast majority of edits people have made to business listings have improved the quality and accuracy of Google Maps for the benefit of all Maps users."

"For example, when there is a pending edit that indicates that a place might be closed, our system currently displays the label, 'Reported to be closed. Not true?'. Only when that pending edit is reviewed and approved does the label change to, 'This place is permanently closed. Not true?'"

Since the issue boiled up in the blogosphere two weeks ago, Google has been working on a fix that it expects will be out “in the coming days,” the company said in the posting.

Closed signBecause security people earn their beer money by being proactively paranoid, here are some misery scenarios Naked Security’s own Graham Cluley suggested to me:

1. “Could we see business rivals abusing the system? After all, we’ve seen plenty of hotels on TripAdvisor seemingly with bogus reviews – either good or bad!”

2. “Sounds like a fascinating new Web 2.0-ish-flavored attack which could target a company. Imagine if you were a controversial multinational with stores on every street corner — could organized protestors band together and trick Google Maps into thinking your individual stores were closed for business?”

Fortunately, it sounds as though Google is on top of it. Hopefully your local Starbucks won’t go belly-up because multitudes of disappointed, latte-craving pedestrians have been misled by erroneous “closed” Google Mapification.

But, as Graham points out, at the very least, the issue points to the danger of “placing too much trust in an unpoliced online community—especially when malicious acts could resort in businesses losing valuable exposure and income.”

It’s not exactly about trust, of course. It’s not as if businesses actively opt in to crowd-sourcing. It is about being attentive. This is just one more slice of your business’s multifaceted online persona that you can’t stop monitoring.

You can’t sit back and assume that somebody’s not screwing with you, and you can’t assume that online behemoths like Google aren’t (unwittingly) aiding and abetting the screwing.

Let’s just hope they figure out how to unscrew, and to remain in the unscrew aiding and abetting camp, very soon.

Anonymous suspects bailed – banned from using online nicknames and IRC

LulzSecFour men appeared at City of Westminster Magistrates’ Court today in connection with various Anonymous and LulzSec internet attacks, and were granted bail on the condition that they did not use specific online nicknames on the internet or IRC.

Hackers affiliated with Anonymous and LulzSec have used IRC (Internet Relay Chat) channels as their primary method of coordinating attacks and communicating with each other, using online nicknames as a veil of anonymity.

The men will break the conditions of their bail if they use specific online nicknames on websites:

20-year-old Christopher Jan Weatherhead, from Northampton, cannot use the internet nickname “Nerdo”.

Ashley Rhodes, 26, from London, is banned from calling himself “NikonElite” online.

22-year-old student Peter David Gibson, of Hartlepool, County Durham, is banned from using the name “Peter” on the internet (which must be awkward), and a 17-year-old from Chester is not allowed to use his online nickname.

The four are separately charged with conspiracy to impair the operation of a computer or hinder access to a program or data. Police arrested the men earlier this year, following a series of denial-of-service and hacking attacks against the websites of different organisations and companies.

There will, no doubt, be some raised eyebrows that the men’s bail conditions do not insist upon a complete ban on internet access, considering the nature of the allegations against them.

According to CourtNewsUK, the judge said that such an internet ban was unworkable:


Judge says it's 'unworkable' to ban four suspected 'Anonymous' hackers from using the internet after granting them bail

The suspected hackers are scheduled to appear at Southwark Crown Court on November 18th.

Hat-tip: The Guardian.

GlobalSign stops issuing SSL certificates in response to Iranian hacker

Warning, breach aheadEarlier today a person calling himself ComodoHacker made a submission to text posting site Similar to a previous post by ComodoHacker it is fair to call it a bit of a bragging rant.

Last March ComodoHacker claimed responsibility for the first attack against a certificate authority that resulted in bogus SSL certificates being issued in the wild.

In addition to claiming his attacks are far more sophisticated than Stuxnet and distancing himself from the Iranian government, he also claims to have compromised four other certificate authorities, including GlobalSign.

GlobalSign logoGlobalSign, the fifth largest certificate issuer according to NetCraft, responded to this news by immediately ceasing any further signing of certificates while they investigate.

Their response is interesting. While we don’t know if they have been compromised (and arguably, neither do they) they are making a tough choice that is what we should expect from organizations whose business models rely on trust.

It’s possible the accusations are simply from an anonymous raving lunatic. Yet they could be true, and rather than put the greater internet community at risk, GlobalSign is forgoing some revenue out of an abundance of caution.

That’s great news. Let’s hope that the accusations are false and everything is safe and secure at GlobalSign and the other three unnamed victims.

While I have argued for a long time that the certificate system is fragile and arguably broken, I’d rather not have two examples in one week to support my arguments.