
Fear of China masks the work of other web spies

Written by Super User. Posted in good 2


F-Secure CEO Mikko Hypponen has accused 'other countries' of scapegoating China to mask their own targeted spy and espionage activities on the internet.

Speaking at the PacSec 2011 conference in Tokyo, Hypponen cast doubt on the idea that one country or source is behind the majority of targeted attacks leveled against large corporates, defence contractors and government agencies.

"These attacks are commonly attributed to the Chinese Government and indeed it looks like a lot of them are coming from a source like that," Hypponen said.

"But whether it's the Chinese Government themselves or whether they are using what we call 'useful idiots' - like global hackers who are encouraged to do this for the Government - we don't really know.

"It's also a safe bet to assume that there are other players in the field as well. Other countries are spying with exactly the same mechanisms, but they try to make their attacks look like it's [from] the Chinese because they're such an easy scapegoat."

Hypponen said it was what he would do if he were to want to launch a targeted attack.

"I'd do everything I could to make it look like it's [from] the Chinese," he said.

"Everybody is just going to assume it's [from] the Chinese, even if it's not [them]."

Hypponen spent much of his speech deconstructing a series of recent attacks where users have been tricked into opening malicious attachments that arrive by email.

Although there had been a spate of high-profile cases - such as Mitsubishi Heavy Industries and RSA - Hypponen said that similar targeted attacks had been occurring since at least 2005, and perhaps a year or two earlier.

"These attacks almost always have the same blueprint," he said.

"They are almost always attacks that start with an email ... coming from a trusted sender, from someone the recipient knows, and it speaks about normal things - work issues, projects, plans, meetings - stuff that's actually happening."

The language used in the emails was local and fluent - no "Google translations" - and F-Secure had tracked the emails in at least 30 different languages.

"Whoever the attacker is, they have the resources to pull this off in at least 30 different languages," Hypponen said.

The emails also come with an attachment, "almost always a document file" such as a PDF, Word, Excel or PowerPoint file.

The file is typically made up of several components, he said. One is the actual file, the other an exploit.

PDF files that exploit vulnerabilities in Adobe Reader are the most common, accounting for 61.2 percent of all cases analysed by Hypponen's team since 2005.

"These attacks are not against PDF - these attacks are against Adobe Reader," he said.

"You open these files in any other reader than Adobe Reader and there is no exploit."

Malicious Word files run a distant second (24.3 percent), followed by Excel (7.4 percent), PowerPoint (7.1 percent) and a series of small file types.

Hypponen said it was uncommon for targeted attacks to use "zero-days" - that is, to take advantage of a vulnerability the same day it becomes known.

"Sometimes they are, but obviously the attackers aren't wasting their zero days if they don't have to," he said.

"In most cases they can find some known vulnerability which the target organisation hasn't patched yet."

Hypponen demonstrated an example of a malicious PDF file being opened on an otherwise empty virtual machine running Windows XP SP2. The file contained an executable that gave the attacker full access to the machine and the local area network it was connected to.

He said that users did not typically notice the executable being installed, although there were tell-tale signs they had been owned.

The signs included seeing the application that the file requires crash and then reopen, and checking whether the emailed file name matches the one that actually opens.

Most times it was IT administrators - rather than users - who noticed by looking at firewall logs or detecting "weird outbound connections," Hypponen said.
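As an added illustration of the "weird outbound connections" an administrator would look for in firewall logs, the following Python script (written for this page; it is not F-Secure's or Hypponen's tooling) parses a few constructed firewall log lines and flags internal-to-external flows that either use a port outside the expected egress set or repeat at a regular, beacon-like interval. The log line format, the internal address ranges, the allowed egress ports and the beacon threshold are all assumptions chosen for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumptions for this example: which ranges count as "inside", which
# destination ports the organisation normally lets out, and how many
# evenly spaced hits make a flow look like malware beaconing to a controller.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_EGRESS_PORTS = {53, 80, 443}
BEACON_MIN_HITS = 3

# Constructed sample log lines (not from the article). Assumed format:
# "<iso timestamp> <ALLOW|DENY> <src ip>:<src port> -> <dst ip>:<dst port> <proto>"
SAMPLE_LOG = """\
2011-11-10T09:00:01 ALLOW 10.0.5.23:51022 -> 10.0.0.10:445 tcp
2011-11-10T09:00:04 ALLOW 10.0.5.23:51023 -> 10.0.0.53:53 udp
2011-11-10T09:01:10 ALLOW 10.0.5.23:51030 -> 203.0.113.7:443 tcp
2011-11-10T09:01:15 ALLOW 10.0.5.23:51031 -> 203.0.113.7:443 tcp
2011-11-10T09:02:00 ALLOW 10.0.5.23:51040 -> 198.51.100.9:8080 tcp
2011-11-10T09:02:30 ALLOW 10.0.5.23:51041 -> 198.51.100.9:8080 tcp
2011-11-10T09:03:00 ALLOW 10.0.5.23:51042 -> 198.51.100.9:8080 tcp
2011-11-10T09:03:05 ALLOW 10.0.5.44:52000 -> 203.0.113.7:80 tcp
2011-11-10T09:04:00 DENY  10.0.5.23:51050 -> 192.0.2.55:6667 tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "action": d["action"],
            "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "proto": d["proto"]}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_weird_outbound(log_text):
    """Group internal->external flows and return the ones worth a look.

    Result: {(src, dst, dport): {"hits", "actions", "reasons"}}.
    """
    flows = defaultdict(list)   # (src, dst, dport) -> timestamps seen
    actions = defaultdict(set)  # (src, dst, dport) -> {"ALLOW", "DENY"}
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only inside-to-outside traffic matters here; internal chatter
        # and unparseable lines are skipped.
        if rec is None or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        flows[key].append(rec["ts"])
        actions[key].add(rec["action"])

    findings = {}
    for key, stamps in flows.items():
        reasons = []
        if key[2] not in ALLOWED_EGRESS_PORTS:
            reasons.append("non-standard egress port")
        if len(stamps) >= BEACON_MIN_HITS:
            # Evenly spaced repeats (gaps within 25% of each other) are a
            # classic sign of an implant checking in on a timer.
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            if max(gaps) - min(gaps) <= 0.25 * max(gaps):
                reasons.append("regular beacon interval")
        if reasons:
            findings[key] = {"hits": len(stamps),
                             "actions": sorted(actions[key]),
                             "reasons": reasons}
    return findings


if __name__ == "__main__":
    for (src, dst, dport), info in find_weird_outbound(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport}  hits={info['hits']} "
              f"actions={info['actions']}  reasons={', '.join(info['reasons'])}")
```

Run against the constructed sample, the script reports the three evenly spaced connections to 198.51.100.9:8080 (both an unusual port and a regular interval) and the single denied attempt to 192.0.2.55:6667, while the ordinary HTTPS traffic to 203.0.113.7 passes unnoticed. Denied connections are kept on purpose: a blocked attempt from a workstation that has no business talking to that port is still evidence that something on the host is trying.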

One way to prevent being hit by attacks that exploited holes in Adobe Reader was to "get rid of it" altogether, Hypponen said.

The suggestion mirrored one he made at the SecTor conference in Canada last month.

"The solution is obvious - make sure you don't have a single installation in your organisation which would require Adobe Reader," Hypponen said.

"I can't understand why Adobe Reader became the de facto reader because it's not a good reader. It's huge, slow, crashes, is vulnerable and there's tons of replacements - free replacements.

So I can't understand why everybody still continues to run Adobe Reader. Get rid of [it]."

He recommended use of the Microsoft Enhanced Mitigation Experience Toolkit (EMET) to defend against advanced persistent threats that used Microsoft document files.

Anonymous resumes Zetas cartel fight


A plan by hacktivist group Anonymous to expose the details of people connected to one of the world's most dangerous drug cartels is back on after being briefly canceled, according to a video from one of the movement's figureheads.

"This was canceled earlier this morning by one of the people involved," Barrett Brown said. "Shortly thereafter, the assembled people held a vote and decided nonetheless to go ahead with the operation."

But reports suggest the Mexican chapters of Anonymous had called off the attacks, fearing bloody reprisals from the deadly Los Zetas drug cartel which had previously killed bloggers and journalists.

Brown's video shed light on the risky undertaking, dubbed Operation Cartel, or OpCartel, which was hatched last month as a means to avenge the alleged kidnapping of an Anonymous member by Los Zetas.

The Anonymous member reportedly was abducted in the eastern Mexican state of Veracruz while participating in an anti-cartel march.

"It's Mexicans themselves, including those in Veracruz, who have conceived [the operation] and are effectively running it, not a bunch of Americans," Brown said. "It's not some stereotypical computer geek sitting somewhere else in safety. These people are on the ground."

Stratfor tactical analyst Ben West said Zetas had deployed computer experts to track individuals involved in the online anti-cartel campaign.

"Those individuals involved face the risk of abduction, injury and death – judging by how [the] Zetas [have] dealt with threats in the past."

Sam Bowne, an instructor of ethical hacking, said there could be major collateral damage.

"If Anon continues with this, they are going to get people killed and likely innocent people – other anons [the Zetas] can find or innocent people in Mexico who they accuse of being in the cartel," he said.

"Anonymous has declared a gang war with a dangerous gang, and Anonymous is entirely unprepared."

But Brown said the mission is not too dissimilar to other anti-Zeta movements, and Anonymous members who are participating are trained. (He did not say how the hackers planned to retrieve information about the cartel).

"What we're doing is not fundamentally different from what many other Mexicans have done, rightfully in my mind, in response to these cartels," he said.

"The fact of the matter is that this operation is going ahead whether or not I get involved, and that fundamentally there are lives in the balance here does not differentiate this operation from previous Anonymous operations."

West added in his dispatch: "This higher skill-set means that Anonymous could contribute to the effectiveness of the online struggle against the cartels or at least bring more publicity to the issue".

"It's important to remember that the U.S. has been engaging in its own electronic observation of the Mexican cartels for years. Anonymous likely won't be able to turn up more information than the US government already has, but they are able to publicise more information than the US government can."

With Darren Pauli.

Facebook and the bug hunters


Standing on stage at the Facebook F8 developer's conference in September, founder and CEO Mark Zuckerberg boasted that the social media site he invented in his Harvard dorm room back in 2004 – the same site which now has more than 800 million users – recently hit a milestone: Half a billion people used Facebook in a single day. 

There is no denying that the behemoth that is Facebook has become ingrained into users' everyday lives. But even giants can fall. If members believe the information they post on Facebook is unsafe, they will move on – plain and simple. 

This reality is not lost on those who work for the company. In fact, it's quite the opposite. Within the walls of Facebook's headquarters in Palo Alto exists a culture dedicated to providing users with a secure experience, says Joe Sullivan, the company's chief security officer.

“Trust is fundamental,” Sullivan says. “That's something we think about every day. There is never a situation where the company trades off security for something else. If there is a security issue, we drop everything and deal with it.” 

One of the necessities in running a web presence used by hundreds of millions of people each day is ensuring its code is free of errors – security vulnerabilities – that could allow an attacker to gain access to private accounts. By any measure, coding errors are extremely prevalent, not just in websites spanning the internet, but also in commercial computing products and custom-developed systems. 

“Vulnerabilities are dangerous, and people outside of the [computer security] industry aren't aware of how many latent vulnerabilities there are in products they use every day,” says Dino Dai Zovi, an independent security consultant who started bug hunting to find such issues in 1999, and who has disclosed flaws in products made by Apple and Sun Microsystems (now owned by Oracle).

While Sullivan estimates that hundreds of employees across Facebook work on security issues, there are two primary groups dedicated to preventing, finding and fixing vulnerabilities. The platform integrity team, within the software engineering department, works to ensure that every single engineer in the company follows secure-coding practices. Then, the six-person product security team, which is part of the security department Sullivan manages, works to “poke holes” in the code that has been created, scouring it for vulnerabilities. 

In addition to these internal reviews, the company also calls on external auditors to review code for weaknesses before it is released online.

And, to ramp up its efforts to find holes that could be abused by attackers, Facebook recently followed the lead of several other major web companies – including Google and Mozilla – to launch a so-called “bug bounty” program. Such initiatives offer independent researchers monetary incentives for the private disclosure of vulnerabilities and exploits. 

Since rolling out the program in July, Facebook has already doled out $70,000 to researchers around the world for the discreet disclosure of 72 vulnerabilities, all of which have since been fixed, Sullivan says.

“I think it is a good thing to have more people testing our site, and I believe that because we launched the program we have encouraged more people with expertise in security issues to help us,” he says.

Landscape shifts 

The bug bounty programs of today represent a significant evolution in the historically fragile relationship between researchers who find security issues and companies whose products are affected. In the late 1990s and early 2000s, most large companies didn't have a defined process for dealing with reports of vulnerabilities coming in from the research community, Dai Zovi says. 

“At best, they would ignore you,” he recalls. “At times, they were hostile and threatened researchers with lawsuits.” 

The idea to begin paying researchers for vulnerabilities initially came from the vendor community. The first such initiatives were the Vulnerability Contributor Program (VCP), launched in 2002 by security firm iDefense (now owned by VeriSign), and the Zero Day Initiative (ZDI), founded in 2005 by TippingPoint (now owned by HP). These programs remain the top players in the commercial bug market today.

The most important shift in the vulnerability disclosure model occurred when software makers themselves started offering bug bounties, Dai Zovi says. “Vendors are switching from passively receiving reports to actively soliciting them,” he says. 

Mozilla, maker of the popular Firefox web browser, began such a program in 2004. The company provides monetary rewards for the private disclosure of bugs classified as “critical,” or “high” – its most severe ratings designated for flaws that could allow an attacker to install malware without user interaction, obtain confidential data from a user's machine, or cause a denial of service requiring extensive cleanup or reinstallation of the operating system. Since launching the program, Mozilla has received somewhere between 150 and 160 bounty-eligible bugs, and thousands of others that are lower in severity, says Brandon Sterne, a Mozilla security engineer. 

Considering some companies still try to deal with security flaws internally and don't welcome bug reports from the research community, Mozilla, along with a number of other companies with such programs, is undoubtedly ahead of the curve.

Facebook, too, has traditionally encouraged researchers to notify the company directly about security problems.

“We haven't sued anyone or reported anyone to law enforcement who has reported a vulnerability to us, nor do we intend to,” Sullivan says. 

In fact, the social networking site advanced its bug solicitation efforts after Sullivan's team spoke with professionals at other companies with established bug bounty programs and received positive feedback. Facebook now offers at least $500 for privately disclosed flaws that may “compromise the integrity or privacy of Facebook user data.” For a particularly bad flaw, the company has given $5,000. 

Just two months after the project was launched, Sullivan says he is “astonished” by how impactful it has been. It has enabled Facebook to build relationships with researchers from all over the world. The top two bug finders so far have been a college student from the United States and an individual in Turkey, both of whom have already been paid at least five different times, totaling between $5,000 and $10,000 each, Sullivan says. 

Further, the bugs that are being disclosed are flaws for which the company wouldn't normally have been looking. And, the initiative has proven to be an invaluable recruitment tool. 

“We had one person who asked us if they could have admission to the F8 conference instead of receiving the bounty,” Sullivan says. “We flew them out to San Francisco and scheduled them for a series of engineering interviews the next day.” 


Taste.com.au subscriber database stolen


A mailing list containing a potentially massive number of subscribers to News Limited publication Taste.com.au was stolen yesterday by hackers who have already exploited user details.

The attackers swiped an "old version" of the subscriber database and sent spam emails to subscribers.

The company said it was confident its web site was not hacked but News Limited would not provide further details of the incident when contacted by SC, saying only that its "production database" was not affected.

However, in an email to subscribers, News Limited advised users to change passwords for their Taste.com.au account and any other online account which shares the same password.

While Taste.com.au said resetting passwords "may be an overreaction", such advisories have historically been linked to breaches of user account passwords.

News Limited claims Taste.com.au has 2.4 million unique browsers and 23.4 million page impressions each month.

An SC reader reported that the email warning had been flagged as spam. Taste.com.au subscribers are advised to check their spam folders for the warning email.

Hacker claims Aus government email breach


Update: A list of two hundred government email addresses affecting Australian federal and state senators and departments has been posted on pastebin along with 25 unconfirmed usernames and passwords.

The disclosure of information was claimed by prolific hacking group TeamP0ison.

The hacker, Hex00010, told SC Magazine it targeted Australian government accounts to "send a message to corrupt governments".

"In today's society, international governments are corrupted. I have targeted Aussies' servers due to the fact that statistically ... from a cyber attacks perspective Australia is not hit that much compared to other national governments," Hex00010 said.

"We have attacked a third world country listing hundreds of government officials."

The hacker claimed to have the username and password combination of Julia Gillard's email account which they "took for my own keeping".

But the lists may be outdated. AusTrac told SC Magazine an official of the agency named in the documents left in 2009. 

It also said the password linked to the official was incorrect.

Government agencies had not confirmed the validity of named usernames and passwords.

Australian departments listed in the breach included AusTrac, IP Australia, the Bureau of Meteorology, NSW Police, local councils, and hundreds of senator email addresses including Treasurer Wayne Swan.

Nine accounts for Britain's Ministry of Defence included usernames and passwords.

Also included were emails for Fiji Government ministers and one for the Auckland District Health Board.