<![CDATA[Gawker: valleywag, hackers]]> http://gawker.com/tag/valleywag/hackers <![CDATA[FBI Director Chastised by Wife for Being Common Internet Sucker]]> Robert Mueller promises to keep vigilantly fighting internet scammers. The FBI chief also promises not to be so gullible himself, online, which should be easy, since his wife just banned him from internet banking, for being a huge idiot.

It turns out the guy in charge of fighting online crime was nearly conned by online criminals: Mueller told a San Francisco audience today that he once began entering his personal information into a scammer's Web form in response to what appeared to be a "perfectly legitimate" email from his bank, The Register reports. Then, after being asked for his password, Mueller realized he'd made a huge mistake, changed all his passwords and eventually turned to his wife, and was like, ha ha, "teachable moment."

But she replied: "It is not my teachable moment. However, it is our money. No more internet banking for you!"

The point is, stop trying to use the internet for any sort of important business, people, because if Robert Mueller can't figure this crazy thing out, who can? Other than hackers, terrorists, children, and most humans outside of U.S. banks, credit card companies and the federal government?

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5377454&view=rss&microfeed=true
<![CDATA[Your Password, '123456,' Sucks]]> An analysis of 10,000 Hotmail passwords obtained in a phishing attack reveals that the most common password is "123456," which is pretty much the first thing any decent hacker will try to guess. Your password probably sucks, too.

The maker of one password tool estimates it can crack 55 to 65 percent of passwords out there — and that's not even particularly impressive, says security writer Bruce Schneier in an in-depth look at picking a secure password. You won't read that, so here's a very short guide. Summary: Use a password manager, don't use words from the dictionary, don't use the same password on every site.

And try not to be the Hotmail user who picked the reasonably secure password "lafaroleratropezoooooooooooooo," only to then go and enter it in a stupid phishing website.
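Here, as an added example rather than anything from the Hotmail analysis or from Schneier's piece, is a short Python audit of the kind that produces a "123456" finding. The password list, the top-guess wordlist and the mini dictionary are constructed stand-ins, and the rules are assumptions about what a cracker tries first: exact top-N guesses, all-digit strings, dictionary words, and word-plus-digits.

```python
import math
import re
from collections import Counter

# Constructed stand-in for the leaked list (the real one had 10,000 entries);
# only the shape of the distribution matters here.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "123456789", "alejandra", "111111",
    "alberto", "tequiero", "alejandro", "12345678", "password", "password",
    "estrella", "iloveyou", "daniel", "000000", "roberto", "654321",
    "bonita", "sebastian", "beatriz", "mariposa", "america", "americ4",
    "lafaroleratropezoooooooooooooo", "Tr0ub4dor&3", "x9#Lm!2q", "qwerty",
]

# What "any decent hacker will try" first: the top of the previous leak.
# Assumption: a ten-entry stand-in for a real top-N list.
TOP_GUESSES = ["123456", "password", "12345678", "qwerty", "123456789",
               "111111", "iloveyou", "000000", "654321", "abc123"]

# Tiny dictionary; a real audit feeds a full multilingual wordlist here.
DICTIONARY = {"alejandra", "alberto", "alejandro", "estrella", "daniel",
              "roberto", "bonita", "sebastian", "beatriz", "mariposa",
              "america", "password", "tequiero", "qwerty", "iloveyou"}


def top_passwords(passwords, n=5):
    """Most common values in the dump, i.e. tomorrow's wordlist."""
    return Counter(passwords).most_common(n)


def classify(pw):
    """Return the cheapest attack that gets this password, or 'ok' if none of
    these static rules applies (which is not the same as 'strong')."""
    if pw in TOP_GUESSES:
        return "top-guess"
    if pw.isdigit():
        return "digits-only"
    if pw.lower() in DICTIONARY:
        return "dictionary-word"
    if len(pw) < 12 and re.fullmatch(r"[A-Za-z]+\d{0,4}", pw):
        return "word-plus-digits"      # 'americ4', 'daniel99': one mangling rule away
    if len(pw) < 8:
        return "short"
    return "ok"


def charset_size(pw):
    """Size of the smallest character set that contains every character used."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"\d", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33
    return size


def naive_entropy_bits(pw):
    """log2(charset ** length): an upper bound that only holds for random strings."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def wordlist_hit_rate(passwords, wordlist):
    """Fraction of the dump that falls to a plain wordlist run, with no mangling."""
    wl = set(wordlist)
    return sum(1 for p in passwords if p in wl) / len(passwords)


def audit(passwords):
    """Count how many entries each rule catches."""
    return Counter(classify(p) for p in passwords)


if __name__ == "__main__":
    print(top_passwords(SAMPLE_PASSWORDS))
    print(audit(SAMPLE_PASSWORDS))
    print(f"wordlist alone cracks {wordlist_hit_rate(SAMPLE_PASSWORDS, TOP_GUESSES):.0%}")
```

The point of wordlist_hit_rate is that "the first thing a hacker will try" is literal: a cracker feeds the top of the last leak into the next run, so every common or reused password falls before any brute force starts, and the entropy number from naive_entropy_bits says nothing about a password that is in the list. None of this helps in the case described next, where the user types a perfectly good password into a site that simply asks for it.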

(Pic: by zakwitnij on Flickr)

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5376376&view=rss&microfeed=true
<![CDATA[AT&T Knows More About Hacking Than World's Most Famous Hacker]]> To the government, Kevin Mitnick was "the most wanted computer criminal in United States history." To the data-shuffling dimwits at AT&T, he's just a confused and annoying customer, who is totally making things up about his phone being hacked.

Since royally screwing up the 3G network used by iPhone owners wasn't embarrassing enough, the wireless carrier had to have a public falling out with Mitnick over the security of his AT&T account. The company will only let Mitnick use an eight-digit, all-numeric password to log in online (a hundred million possibilities, well within reach of guessing), and aspiring uber-hackers — wanting to prove themselves against the master — have broken in, obtained his call logs, billing address and last four social-security-number digits, and posted them to the Web, The Register reports.

AT&T's response? "We investigated Mr. Mitnick's claims and determined they were without any foundation," it told the Register, and invited him to take his business elsewhere. Is it any wonder online spooks just adore these guys?

(Pic: Mitnick on release from federal prison, 2000, Getty Images.)

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5341944&view=rss&microfeed=true
<![CDATA[Is Twitter Under Attack from Russia?]]> Twitter continues to be flaky today. Par for the course on the overcrowded microblogging service, right? But Twitter claims it is the victim of elaborate hack attacks that "appear to have been geopolitical in motivation." That's actually true!

In a blog post, Twitter co-founder Biz Stone writes that the attacks are ongoing and "massively coordinated," but declined to elaborate, because then he'd have to kill you. Actually no, it's because he didn't want to "engage in speculative discussion." But a Georgian blogger is happy to speculate; he says it's totally the Russian regime.

The blogger, known as "Cyxymu," has been outspoken in his criticism of Russian tactics in the war over the disputed region of South Ossetia. Facebook's chief of security tells CNET (via Business Insider) that Cyxymu is the target of the denial of service attack on Facebook and Twitter yesterday and today. The blogger has accounts on both services, as well as on LiveJournal, Blogger and YouTube. Google, which operates the latter two, told CNET its systems "prevented substantive impact to our services," so we still have the keyboard cat.

First the subs off our coast, now Twitter attacks. How will the Russians vaguely annoy us next? Satellite TV jamming? Attack the iPhone app store?

(Pics via)

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5332575&view=rss&microfeed=true
<![CDATA[AT&T: We Blocked 4Chan for Criminality, Not Offensiveness]]> Everyone got upset earlier because it looked like AT&T had banned notorious website 4chan for hosting tasteless content and maybe for inventing annoying memes. But no! The site was blocked for a purported hack attack against AT&T.

AT&T spokesman Michael Cole sent us the following statement, saying AT&T's network was swamped with attacks from the server that hosts 4chan's infamous "/b/" forum, so AT&T blocked 4chan for a while:

Beginning Friday, an AT&T customer was impacted by a denial-of-service attack stemming from IP addresses connected to img.4chan.org. To prevent this attack from disrupting service for the impacted AT&T customer, and to prevent the attack from spreading to impact our other customers, AT&T temporarily blocked access to the IP addresses in question for our customers. This action was in no way related to the content at img.4chan.org; our focus was on protecting our customers from malicious traffic.

Overnight Sunday, after we determined the denial-of-service threat no longer existed, AT&T removed the block on the IP addresses in question. We will continue to monitor for denial-of-service activity and any malicious traffic to protect our customers.

4chan itself has come under denial of service attack recently; if the site's online enemies actually managed to gain access to the site's servers (via a different type of attack), they could have used it as a proxy to hit AT&T. Or maybe someone figured out how to trick /b/'s bulletin board software into doing the same thing; lord knows the online hangout is popular with plenty of crafty script kiddies.

(Pic via)

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5323843&view=rss&microfeed=true
<![CDATA[AT&T Has Managed To Piss Off the Wrong Bunch of Web-Nerds]]> AT&T, for reasons unknown at this point, has blocked user access to portions of 4chan, the online hangout for the world's most notorious cyber-terrorists. And they thought iPhone customers were a pain in their ass! This will end badly.

For the benefit of the uninitiated, 4chan is a popular Wild West-ish outpost of the internet known as much for its infamous hacking jobs and pranks (Rickrolling emerged from this murky swamp) as for its meme generation, perhaps most notably the LOLcats phenomenon. 4chan's /b/ messageboard, one of the sections of the site blocked by AT&T, was once described as "the asshole of the internet" by Gawker and Valleywag alum Nick Douglas, an outpost where "/b/tards" gather to engage in tasteless games of uncensored oneupsmanship, where the objective is often to see who can elicit the most shock from other members of the community.

Reports Tech Central:

Users of AT&T's DSL internet access across many states in the US are reporting that they are being blocked from the infamous /b/ message board in what appears to be an act of internet censorship by the phone company. This started today, Sunday, and no one has yet been able to get any official confirmation out of AT&T as to why.

Moot, the founder of 4chan, has confirmed AT&T is filtering/blocking the site.

In addition to starting a war with the internet's most skilled collection of cyber-rogues, Central Gadget says that AT&T may also be breaking the law.

Under the FCC's Comcast/BitTorrent ruling, Internet Service Providers may only slow or cap connection speeds. They are not allowed to block any service or protocol on the internet. Here, 4chan as a web site appears to fall under an internet service, but it is also conforming to standard web page protocols. It appears AT&T does not have the legal right to block 4chan, only to cap customers who are "abusing" their access to the internet.

Predictably, the 4chan crowd is already mobilizing both inside and outside of their online community. AT&T didn't just open a can of worms, they dove headfirst into a den of vipers, and this will be very interesting to watch play out.

AT&T Takes on 4chan—Everybody Stand Back [Tech Central]
AT&T Blocking Access to Some Parts of 4chan [Central Gadget]
pic via

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5323539&view=rss&microfeed=true
<![CDATA[Twitter Dreams of Being a Cash Machine, Leaked Docs Reveal]]> For three years, Twitter made no money. But the microblogging company will supposedly be taking in more than $1 million per month by the end of this year and twenty times that much in 2010. Ah, the miracle of spreadsheets.

TechCrunch has published financial forecasts assembled by Twitter Inc in February and obtained from management's personal files by a computer hacker. They project $400,000 in revenue this quarter, presumably from those adorable "concept definition" ads. Sales were projected to increase tenfold by the fourth quarter, ramping to $62 million by the fourth quarter of next year.

Twitter Inc., which doesn't like people talking about its hacked internal documents, told TechCrunch the numbers are stale and unofficial. But, specifics aside, they leave the unmistakable impression the microblogging service was serious about making money this year. That goal may have been intended only for company backers; now that it has gone public, there will be even more pressure on the company to make its creative approach to advertising pay off over the next five months.

(Top pic: Twitter CEO Evan Williams at Allen & Co.'s Sun Valley media summit July 10, 2009.)

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5315545&view=rss&microfeed=true
<![CDATA[Entire U.S. Government Under Hacker Attack]]> Security experts have to admit they kind of admire him, the hacker who is bizarrely attacking every last boring part of the U.S. government, online. His mysterious army is living the American Dream, really.

The ongoing denial of service attack against U.S. government websites is nothing if not ambitious, you see, and what it lacks in sophistication it makes up for with what a Yank might call "moxie."

According to reports from IDG and AP, someone is launching what may be the biggest distributed denial-of-service attack yet, consuming at one point 20-40 gigabytes/second worth of bandwidth. And instead of just concentrating that power, the attacker is going after basically everything, including

  • the Secret Service,
  • the Department of Homeland Security,
  • the Department of State,
  • the White House,
  • the National Security Agency,
  • the Department of Defense,
  • the Federal Trade Commission,
  • the Department of Transportation,
  • the Treasury Department,
  • the Federal Aviation Administration
  • and, who knows, probably the Park Service too.

As one researcher told ComputerWorld,

Who goes around targeting a site like the FAA or the U.S. Treasury? It's not something that most people would think to attack.

Ah, but every American success story must start somewhere. Using computers mainly based in Korea, but not necessarily controlled from there, the attacker successfully knocked out the FTC website for a day or two. Just imagine what our country would look like if our financial regulators were out to lunch much longer than that!

(Pic via)

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5310237&view=rss&microfeed=true
<![CDATA[Server Trouble? Blame Iran]]> Is your company's Web server hosed again? Give your beleaguered sysadmins and programmers a break and blame hackers. Preferably Iranian hackers. It's all the rage! Just ask The Atlantic and Boing Boing.

Boing Boing, the tech culture blog, went down today, and briefly thought it was under attack. BB blogger (and old Gawker Media hand) Joel Johnson tweeted that the site had been the victim of "cyberwar." The site had only hours earlier posted a "Cyberwar guide for Iran elections;" we asked Johnson via IM if he thought Iran was attacking Boing Boing:

Later, the real culprit emerged: It was Boing Boing's fault; the site had somehow posted every post ever to the front page, resulting in a 171MB index.html.

A similar drama unfurled yesterday on Andrew Sullivan's blog for The Atlantic. Sullivan, who has been blogging heavily about the situation in Iran, proclaimed he was under "digital attack," later clarified to be a denial of service attack. Then later, "it turns out our servers have just been overwhelmed... the tech staff has now ruled out a... attack."

(While Sullivan was under-credited for his tech problems, he was over-credited when Twitter reversed a decision to delay a planned outage, as Sullivan had urged. Though some observers said Sullivan was key to Twitter's reversal, it later emerged that the State Department likely played the crucial role in lobbying the microblogging service.)

If the Iranian regime does have the capacity to launch some sort of cyberattack, now may be the ideal time: There have been so many false alarms, it will take significantly longer to respond to the real thing.
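This is an added example, not code from Boing Boing, The Atlantic or AT&T: a Python triage over web-server access logs that separates the two situations in the AT&T/4chan and Iran stories above, a flood of requests (which AT&T answered by blocking the offending addresses) versus a server drowning in its own oversized responses (Boing Boing's 171MB front page). The log lines are constructed with make_lines, and the thresholds are assumptions to be tuned to a server's normal baseline.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined"-style prefix; we only need source, timestamp, request, status, bytes.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
BASE_TS = datetime(2009, 6, 17, 12, 0, 0, tzinfo=timezone.utc)


def make_lines(n_req, n_ips, seconds, bytes_each, path="/"):
    """Constructed log lines (not real traffic): n_req hits spread evenly over
    `seconds` from n_ips sources in 198.51.100.0/24, each answered with bytes_each."""
    lines = []
    for i in range(n_req):
        ts = BASE_TS + timedelta(seconds=i * seconds / n_req)
        ip = f"198.51.100.{i % n_ips + 1}"
        lines.append(f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
                     f'"GET {path} HTTP/1.1" 200 {bytes_each}')
    return lines


def parse_line(line):
    """One log line to a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "req": m["req"], "status": int(m["status"]),
            "bytes": 0 if m["bytes"] == "-" else int(m["bytes"])}


def triage(lines, flood_rps=50, big_response=50_000_000, single_source_share=0.5):
    """Decide whether a slow site is being flooded or is choking on its own output.
    Thresholds are assumptions; the comparison between them is the method."""
    recs = [r for r in map(parse_line, lines) if r]
    if not recs:
        return {"verdict": "no-data"}
    first = min(r["ts"] for r in recs)
    last = max(r["ts"] for r in recs)
    span = max(1.0, (last - first).total_seconds())   # log timestamps have 1 s resolution
    rps = len(recs) / span
    mean_bytes = sum(r["bytes"] for r in recs) / len(recs)
    per_ip = Counter(r["ip"] for r in recs)
    top_ip, top_n = per_ip.most_common(1)[0]
    top_share = top_n / len(recs)
    if mean_bytes >= big_response:
        verdict = "self-inflicted"        # responses are huge: fix the page, not the firewall
    elif rps >= flood_rps and top_share >= single_source_share:
        verdict = "single-source-flood"   # one address dominates: block or rate-limit it
    elif rps >= flood_rps:
        verdict = "distributed-flood"     # many sources: per-IP blocks won't help much
    else:
        verdict = "normal"
    return {"verdict": verdict, "rps": rps, "mean_bytes": mean_bytes,
            "distinct_sources": len(per_ip), "top_source": top_ip,
            "top_share": top_share}


if __name__ == "__main__":
    print(triage(make_lines(300, 100, 5, 200)))              # many small requests, many sources
    print(triage(make_lines(12, 12, 60, 171_000_000)))       # a 171MB front page, normal visitors
    print(triage(make_lines(200, 1, 2, 300)))                # one address hammering
```

The check that would have saved both blogs a "cyberwar" tweet is the mean response size: if a dozen ordinary visitors are each being served 171MB, the culprit is in the content management system, not in Tehran. Conversely, when the request rate is high and no single source dominates, blocking addresses the way AT&T did buys little, because the load is spread across the botnet.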

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5293101&view=rss&microfeed=true
<![CDATA[Did Someone Hack Into the New York Times Twitter Account?]]> Earlier tonight I received an email from Gawker's eagle-eyed publisher Nick Denton (Seriously, nothing gets by this guy!) with an iPhone screengrab that contained an ad for naked webcam action on the Times' Twitter feed.

Nick's email asked a question in the subject line..."Did someone hack the Times Twitter?"


Um, yep!

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5253446&view=rss&microfeed=true
<![CDATA[Why Can't Obama Find a Good Geek?]]> The White House has tapped two D.C.-area techies to run the government's tech infrastructure. Obama's CIO, Vivek Kundra, turned out to have a rap sheet. Now his CTO, Aneesh Chopra, has a drug problem.

No, not that kind of drug problem. But Chopra, before getting named White House CTO, served as Virginia's secretary of technology. He made his name automating Virginia's healthcare industry. One of the specific achievements he was lauded for was getting the state's scattered doctors' offices and clinics to file electronic prescriptions. Web 2.0 fanboys love him. Sounds great, right?

Sure, until we heard that hackers had broken into a Virginia state drug-prescriptions database and are demanding ransom for more than 8 million patient records. A state official said the FBI was investigating. Chopra, as the state's tech boss, may not have configured the server personally — but he should have made sure something like this never happened.

An FBI investigation: Where have we heard that before? Oh yes, at Kundra's previous job. Before becoming White House CIO, Kundra ran Washington, D.C.'s Office of the Chief Technology Officer, which has been mired in a bribery scandal. He was briefly suspended, even though he hadn't been named as a target of the investigation.

The natural conclusion to draw: Obama's techie hires talk a good game. But when it comes to actually keeping our nation's servers safe from attacks within and without, they've fallen down on the job. President Change deserves better than a bunch of smooth-talking PowerPoint jockeys. He needs hackers, not hacks.

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5242994&view=rss&microfeed=true
<![CDATA[The Latest Facebook Scam]]> Oh no! There's a site which tricks you into handing over your personal information for its own nefarious, moneymaking schemes! It's called Facebook. Oh, also, people are all upset because FBstarter.com is stealing their passwords.

Facebook is the target of new phishing scams, which attempt to trick users into logging into FBaction.net and FBstarter.com, thereby handing over their passwords. (If you got taken in, don't feel bad — so did notorious social media fameball Rex Sorgatz!) Here's a screenshot of the scam in action, via The Next Web:


But wait, isn't that exactly what Facebook is trying to do on sites like Digg and The Insider and Gawker? Its Facebook Connect program is designed to let people use their Facebook logins on other websites. And the only way Facebook will ever make money is by getting users to share every last moment of their life. If the Facebookers were really doing their jobs, their users wouldn't have any private information left for phishers to steal.

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5234701&view=rss&microfeed=true
<![CDATA[Salma Hayek's Hacked Emails Reveal Celebrity's Quotidian Existence]]> Hackers have broken into Salma Hayek's email, revealing the actress's iPhone-app obsession, designer-clothes habit, travel plans, and more. (Her billionaire husband, François-Henri Pinault, who's throwing a second wedding for her this weekend, pays the bill!)

Unlike with Sarah Palin's emails, there's not really a public-spirited reason to post the screenshots the hackers took, except, of course, pure voyeurism. The detail-by-detail, appointment-by-appointment depiction of the lifestyle of a rich and famous actress is all engrossing stuff for the masses (and for us). And yet it feels oddly unsatisfying — the same drip, drip, drip of minutiae that the Internet famous overshare on blogs and Twitter.

Screenshots of the shayek@mac.com email account, released by habitués of the online bulletin board 4chan, appear to be authentic. Breaking into the account was a simple matter of knowing Hayek's birthday — September 2 — and guessing at her security word (they claim it was the name of her best known movie role) to reset the account's password. Public-records searches show that the 323-area-code phone number Hayek listed in a sent email belongs to the actress. A spokeswoman for Hayek has not returned a call requesting comment.

The glimpses into Hayek's life revealed by her inbox are fascinating, even if mundane: The stranger-suckling actress has been invited to America Ferrera's 25th birthday party. She downloads a bunch of iPhone applications from the iTunes App Store — and she gets spam from Apple, just like the rest of us. As for the perks of being famous, a driver was scheduled to meet her flight arriving in Abu Dhabi. American Express has given her a new Gold card. (What, she doesn't rate the exclusive black Centurion Card?) Balenciaga and Stella McCartney deliver designer clothes to her apartment. She schedules "Japanese face massages." And she gets scans of stories about her in the celebrity weeklies.

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5224949&view=rss&microfeed=true
<![CDATA[Amazon.com Says 'Embarrassing' Error, Not Hacker, Censored 57,310 Gay Books]]> After gay-themed titles disappeared from Amazon.com's search results this weekend, everyone looked for someone to blame. One hacker took credit. Some faulted an Amazon engineer in France. One source thinks it was the Conficker worm.

The only thing anyone can agree on was Amazon.com PR's complete mishandling of the situation, once people noticed that gay and lesbian books were getting marked as "adult" titles, which Amazon.com omits from its sales rankings and search results. Top flack Patty Smith didn't do much better with her latest excuseplanation:

This is an embarrassing and ham-fisted cataloging error for a company that prides itself on offering complete selection.

It has been misreported that the issue was limited to Gay & Lesbian themed titles – in fact, it impacted 57,310 books in a number of broad categories such as Health, Mind & Body, Reproductive & Sexual Medicine, and Erotica. This problem impacted books not just in the United States but globally. It affected not just sales rank but also had the effect of removing the books from Amazon's main product search.

Many books have now been fixed and we're in the process of fixing the remainder as quickly as possible, and we intend to implement new measures to make this kind of accident less likely to occur in the future.

Thanks for checking in. Best regards -
Patty

In other words, it happened and they're fixing it. That's worse than nothing. So here are the rumors that have crossed our inbox:

Blame France! An Amazon.com alumnus tells us this story about "how it went down":

guy from Amazon France got confused on how he was editing the site, and mixed up "adult", which is the term they use for porn, with stuff like "erotic" and "sexuality". That browse node editor is universal, so by doing that there he affected ALL of Amazon. The [customer service] rep thought the porn question was a standard porn question about how searches work.

It's the Conficker worm! A source who claimed to work at Amazon.com told me that internal logs revealed a massive wave of automatically created accounts shortly before the incident, apparently using machines infected with the Conficker worm.

We don't have concrete evidence that it was Conficker, but a few days before the incident, there was a mass registration of accounts on Amazon. We're talking MASSIVE. I don't have an exact number, but from the regions the accounts were registered from, it looked like it followed a trend. There were quite a few from India, eastern United States as well. According to my coworkers who have done more research into it, the regions that the registrations were from followed a strong trend with the regions that Conficker has most affected.

The hacker did it. That brings us back to the claim by Weev, a well-documented website prankster, that he's responsible — a claim which Smith, the Amazon spokeswoman categorically denies. ("No," she said, in response to a series of direct questions asking if Weev was involved. Smith is quite possibly the least verbose director of corporate communications in the world.)

In his detailed explanation of how he allegedly pulled off the stunt, Weev says he hired third-world workers to break Amazon's "captcha" security, which displays a random set of numbers and letters in an effort to block hackers who attempt to mass-register accounts using scripts. Might he have hired a third party which then used a Conficker botnet to create accounts which then flagged gay and lesbian books on Amazon as inappropriate? Or is this all part of an elaborate attention-getting stunt to take credit for an Amazon employee's mistake? Either way, it's a masterstroke to tie together the month's two big Internet memes.

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5210653&view=rss&microfeed=true
<![CDATA[Why It Makes Sense That a Hacker's Behind Amazon's Big Gay Outrage]]> Twitter had a big tizzy yesterday over Amazon.com's supposed censorship of gay and lesbian titles, did you hear? Just one problem: A well-known hacker has come forward and claimed the whole thing was his prank.

The hacker, known as Weev, with whom we've had dealings before the "amazonfail" episode, is saying that the whole escapade was the result of his exploitation of a vulnerability in Amazon's product-rating tools.

What to make of people who don't want to believe this was a prank? They're left with the notion of Amazon.com pursuing homophobic censorship, which must be pleasing to people who see evil behind every "Inc." Pick your conspiracy theory: Someone's playing someone.

A recap: On Friday, two gay-themed romance novels disappeared from Amazon's sales rankings — they were still listed on the site, but could not appear on best-seller lists. On Saturday, hundreds more vanished. Writer Mark Probst asked Amazon.com customer service what happened, and got this answer from an "Ashlyn D." in customer service:

In consideration of our entire customer base, we exclude "adult" material from appearing in some searches and best seller lists. Since these lists are generated using sales ranks, adult materials must also be excluded from that feature.

Twitter users started decrying the move en masse, tagging their posts "#amazonfail" and accusing the online retailer of homophobia. Amazon.com PR didn't help matters by calling the problem a "glitch." Even though the sales ranks of most gay and lesbian titles had been restored, Twitterers taunted Amazon.com by posting messages with the tag "#glitchmyass."

Glitch my ass, indeed. One LiveJournal user speculated that the mass flagging of gay books on Amazon.com might be the work of organized antigay groups — or troublemaking hackers:

Now, let's just put ourselves in Amazon's shoes. Keep in mind that Amazon is a smug, fairly liberal company headquartered in fucking Seattle of all places and, last I checked, Jeff Bezos is not exactly a Christian fundamentalist.

Why on earth would they suddenly censor only a specific group of content that deals with a marginalized and politically active community? Why would this policy change not take the form of a specific policy, but rather of very discriminately flagging only certain titles as "adult" content? Why would this happen over a weekend?

Our hacker has an explanation: Amazon.com has long had a mechanism that allowed customers to flag a product as "inappropriate." Only a small number of these votes were needed to get a book off of Amazon's sales rankings.

What Weev says he figured out was a way to trick Internet users into automatically flagging products without their knowledge, with the help of friends who run high-profile websites. He also says he hired "third-worlders" to register fake Amazon accounts and flag books. (His full explanation of the stunt is below.) He hasn't yet offered proof that he carried off the prank as described, but one part checks out: Amazon.com has apparently removed the feature that lets users flag books as "inappropriate." And the scheme he details seems far more likely than Amazon CEO Jeff Bezos deciding to become a censor.

The hacker's confession, which he also posted on LiveJournal:

Hay dude. Amazon removed its customer-based reporting of adult books yesterday. I guess my game is up! Here's a nice piece I like to call "how to cause moral outrage from the entire Internet in ten lines of code".

I really hate reputation systems based on user input. This started a while back on Craigslist, when I was trying to score chicks to do heroin with. My listings like "looking to get tarred and pleasured" and "Searching for a heroine to do the paronym of this sentence's lexical subject" kept getting flagged. The audacity of the San Francisco gay community disgusted me. They would flag my ads down but searching craigslist for "pnp" or "tina" reveals tons of hairy dudes searching for other hairy dudes to do meth with. So I decided to get them back, and cause a few hundred thousand queers some outrage.

I'm logged into Amazon at the time and see it has a "report as inappropriate" feature at the bottom of a page. I do a quick test on a few sets of gay books. I see that I can get them removed from search rankings with an insignificant number of votes.

I do this for a while, but never really get off my ass to scale it until recently.

So I script some quick bash.
#!/bin/bash
# Walk the search-result pages and collect every product (/dp/) link.
count=1
while true; do
  page=$(links -dump "http://www.amazon.com/s/qid=0/?ie=ASCII&rs=1000&keywords=Gay_and_Lesbian&rh=n%3A!1000%2Ci%3Astripbooks%2Ck%3AHomosexuality&page=$count" | grep '/dp/')
  # Stop at the first page with no product links instead of looping forever.
  [ -z "$page" ] && break
  echo "$page" >> /tmp/amazon
  ((count++))
done

There's some quick code to grab all the Gay and Lesbian metadata-tagged books on amazon. Then I pull out all the IDs of the given books from those URLs:

sed -e 's/.*dp\///' -e 's/\/ref.*//' /tmp/amazon

and I have a neat little list of the internal product ID of every fag book on Amazon.

Now from here it was a matter of getting a lot of people to vote for the books. The thing about the adult reporting function of Amazon was that it was vulnerable to something called "Cross-site request forgery'. This means if I referred someone to the URL of the successful complaint, it would register as a complaint if they were logged in. So now it is a numbers game.

I know some people who run some extremely high traffic (Alexa top 1000) websites. I show them my idea, and we all agree that it is pretty funny. They put an invisible iframe in their websites to refer people to the complaint URLs which caused huge numbers of visitors to report gay and lesbian items as inappropriate without their knowledge.

I also hired third worlders to register accounts for me en masse. If you ever need a service like that, you can find them in a post like this advertising in the comments:
http://ha.ckers.org/blog/20070427/solving-captchas-for-cash/

Then they would log into the accounts, save the cookies in a cookie file and send it to me.

Then I used the cookie files like so to automated-report all the books:

for i in $(sed -e 's/.*dp\///' -e 's/\/ref.*//' /tmp/amazon); do
  # -dump keeps lynx non-interactive; the saved cookie file supplies the logged-in session
  lynx -dump -cookie_file=/home/avex/cookie1 "http://www.amazon.com/ri/product-listing/$i/" > /dev/null
done

The combination of these two actions resulted in a mass delisting of queer books from the rankings at Amazon.

I guess my game is up, but 300+ hits on google news for amazon gay and outrage across the blogosphere ain't so bad.

Weev has attracted at least one doubter who had trouble following his instructions, saying the code doesn't work. We asked him to answer the critique. He says he believes they were using a different version of a software program called "elinks," and that Amazon has disabled the site feature in question.
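The "cross-site request forgery" Weev describes, and the small-vote-count delisting behind it, as an added example that is neither Amazon's code nor Weev's: a toy Python version of a report endpoint in its vulnerable 2009 shape next to a hardened one. The endpoint path, the origin, the session and token scheme and the three-vote threshold are all assumptions made for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Toy stand-in for the "report as inappropriate" feature; all names here are
# assumptions for illustration, not Amazon's real code or URLs.
AMAZON_ORIGIN = "https://www.amazon.example"
DELIST_THRESHOLD = 3          # "an insignificant number of votes", per the confession

SESSIONS = {}                 # session cookie value -> {"user": str, "csrf": str}
REPORTS = {}                  # product id -> set of users who flagged it


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login(user):
    """Issue a session cookie and a per-session CSRF token the real page embeds in its form."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def _session(req):
    return SESSIONS.get(req.cookies.get("session", ""))


def _record(product_id, user):
    REPORTS.setdefault(product_id, set()).add(user)


def report_vulnerable(req, product_id):
    """The 2009 shape: a GET that changes state, authenticated by the cookie alone.
    The browser attaches the cookie to any request, including one an invisible
    iframe on an unrelated site makes, so the visitor votes without knowing."""
    sess = _session(req)
    if sess is None:
        return 401
    _record(product_id, sess["user"])
    return 200


def report_hardened(req, product_id):
    """State changes only via POST, with a per-session token the attacker's page
    cannot read, plus an Origin check. (SameSite cookies would add a further
    layer; they did not exist in 2009, nor did Origin in most browsers.)"""
    sess = _session(req)
    if sess is None:
        return 401
    if req.method != "POST":
        return 405
    if req.headers.get("Origin") != AMAZON_ORIGIN:
        return 403
    if not hmac.compare_digest(req.params.get("csrf", ""), sess["csrf"]):
        return 403
    _record(product_id, sess["user"])
    return 200


def is_delisted(product_id):
    return len(REPORTS.get(product_id, ())) >= DELIST_THRESHOLD


def iframe_attack(handler, n_visitors=5, product_id="book-0001"):
    """Replay the trick: n logged-in visitors to evil.example each load a hidden
    iframe whose src is the report URL. Returns whether the book got delisted."""
    REPORTS.clear()
    for i in range(n_visitors):
        sid = login(f"visitor{i}")
        forged = Request("GET", f"/ri/product-listing/{product_id}/",
                         cookies={"session": sid},
                         headers={"Referer": "https://evil.example/"})
        handler(forged, product_id)
    return is_delisted(product_id)


def legitimate_report(handler, product_id="book-0002"):
    """A real user clicking the real button: POST from the site's own page with the token."""
    sid = login("alice")
    req = Request("POST", f"/ri/product-listing/{product_id}/",
                  cookies={"session": sid},
                  params={"csrf": SESSIONS[sid]["csrf"]},
                  headers={"Origin": AMAZON_ORIGIN})
    return handler(req, product_id)
```

iframe_attack(report_vulnerable) delists the book with five unwitting visitors; the same replay against report_hardened records nothing, because a hidden iframe can only issue a GET, cannot read the victim's token, and a forged form POST from evil.example carries the wrong Origin. The lesson is not Amazon-specific: any state-changing action reachable by a cookie-authenticated GET is votable by iframe from any site the victim visits while logged in.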

In the meantime, you can follow this clusterfuck, 140 characters at a time.

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5210142&view=rss&microfeed=true
<![CDATA[Conficker Worm Spams People Too Stupid to Download Antivirus Software]]> For months, we've wondered what the makers of the Conficker worm, which was set to activate on April 1, were up to. An evil plot to destroy the world? Nah — they just want money.

Conficker has been the object of a lot of speculation since it was first reported in January; it has since spread to between 3 million and 12 million computers running Microsoft Windows. One security expert called the worm a "digital Pearl Harbor." The reason why it has been so feared is because no one knew quite what it would do — it's designed to take over a computer and then wait for instructions. The only real sign of infection: Conficker blocks access to the websites of Microsoft and other antivirus software companies, making its removal more difficult. Besides that, Conficker is capable, in theory, of anything. Or nothing. April 1 came and went without the millions of infected machines showing much activity.

Then this morning Conficker started downloading a new payload. The result? Infected machines started displaying popups offering a supposed antivirus software called "Spyware Protect 2009" for $49.95:


It's the perfect behavioral targeting: Anyone who left their machine unprotected against Conficker has a natural need for spyware blockers. Naturally, Spyware Protect 2009 does nothing of the kind; it's actually another computer infection which lets hackers steal passwords and other data — probably so they can make more money.

Why are today's computer villains so damn boring? Whatever happened to hacking into systems in order to impress girls?

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5205828&view=rss&microfeed=true
<![CDATA[Electronic 'GhostNet' Spy Ring Linked to China]]> GhostNet, a "cyber espionage network," has broken into 1,295 computers in 103 countries. Canadian researchers have traced the operation to China. The Dalai Lama and NATO were among its targets.

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5188647&view=rss&microfeed=true
<![CDATA['Anarcho-Transexual' Hacker Returns with New Scam Site]]> Hoan Ton-That, the parodically Left Coast-y San Francisco coder linked to the earlier ViddyHo worm, appears to have resurfaced with a new website, Fastforwarded.com, which aims to coax passwords from users.

The new site appears to be identical, save for the name, to ViddyHo.com, the site behind a worm that spread via instant messenger. The messages, generated automatically by the ViddyHo worm, promised a video once the user followed a link and logged in with a Gmail username and password. The worm then used those credentials to log into the user's account and blast everyone on his or her contact list with new messages.

Ton-That, whose Twitter bio reads "Anarcho-Transexual Afro-Chicano American Feminist Studies Major," runs an iPhone-app startup called HappyAppy. Fastforwarded.com has a copyright notice from HappyAppy on its pages. Here's its FAQ:

What is fastforwarded.com?

Fast Forwarded is the easiest way to share content with your friends on instant messenger networks like AIM, ICQ, MSN and GTalk.

Is fastforwarded.com a phishing site?

No. We do not store your passwords to the Instant Message networks (like MSN, ICQ, AIM, Gtalk, etc...).

Did fastforwarded.com use to be viddyho.com?

Yes. We had a bug in our code that would send everyone a video when they logged in.

I have a question!

Please email us at happyappyinc@gmail.com. We do listen and reply.

Nice try. The makers of Safari and Firefox already list Fastforwarded.com as a "phishing" site, one that tries to fraudulently extract passwords from users. After the ViddyHo worm spread, police began looking for Ton-That. This new attack suggests they never nabbed the hacker, whose code is still at large on the Internet.

(Photo by Amit's Bike)

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5167506&view=rss&microfeed=true
<![CDATA[Jason Calacanis's Felony-Friendly Hiring Practices]]> Jason Calacanis, the CEO of Mahalo, the world's largest compendium of rewritten Google search results, claims he hired a computer hacker because he never bothered to Google him. Now his employee is headed to jail.

In a mass email, Calacanis wrote that he and Mahalo's CTO, Mark Jeffrey, were ignorant of John Schiefer's background, even though Schiefer's 2007 guilty plea to installing malware was easily found on Google.

We didn't know John was convicted of infecting 250,000 computers with bots when we hired him. We have a rigorous hiring process at Mahalo, in which each candidate must go through an average of five to eight interviews, and in which at least three, but more typically five, references are checked. Our CTO, and one of my oldest friends, Mark Jeffrey, did all of this with John, and he passed with flying colors.

However, Mark screwed up by not doing a simple Google search on John's name. If Mark had, he would have easily found out about these crimes, we would never have hired John, and I would not be writing this letter. Why would we even take the risk of hiring a felon hacker? No one would, right?

Calacanis makes a rousing defense of Schiefer, saying the experience of watching an employee get sentenced to four years in jail has taught him powerful lessons about redemption and rehabilitation. He excuses Schiefer's crimes by saying, essentially, that everyone does it and that Schiefer was abused as a child.

However, I consider myself a fairly decent judge of character, and after spending months with John, I'm convinced he was an angry stupid kid when he launched his botnet attack (which did .000000001% of the damage it could have). Now he's an adult who just wants to make a decent living, spend time with his significant other and breathe the clean air off the Pacific Ocean by our offices in Santa Monica.

Perhaps that's all true. But it certainly seems embarrassing for a guy who's been entrusted with $21 million by investors to build a better search engine to admit he let a felon into the office without bothering to do a simple search first. May we suggest you add this search to your rewrite list?

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5165101&view=rss&microfeed=true
<![CDATA[Was an 'Anarcho-Transexual Afro-Chicano' Behind the IM Worm?]]> Yesterday's ViddyHo worm, which spread over Google Talk and Gmail, has been linked by some to Hoan Ton-That, a San Francisco software developer. A very San Francisco software developer.

Ton-That owns the domain name viddyho.com, now offline, which hosted a form asking people to log in with a Google account in order to watch a video. The ViddyHo worm then seized control of their chat and email accounts and sent contacts a disguised link.
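
The propagation pattern described here, and again in the Fastforwarded.com post above, is a hijacked account blasting one link to its whole contact list within minutes. That is detectable from the sending side without knowing anything about the link. Below is an added example in Python (not Google's, Gawker's or the worm's code) that parses a constructed outbound-message log and flags any sender who delivers the same URL to many distinct recipients inside a short window. The log format, the 10-minute window and the five-recipient threshold are assumptions chosen for illustration.

```python
"""Flag IM-worm style fan-out: one sender, one URL, many recipients, fast.

Added example, not from the page or from any chat provider. It assumes an
outbound log with whitespace-separated fields
    <ISO timestamp> <sender> <recipient> <message text>
The sample log, the window and the threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Tuple

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


class Message(NamedTuple):
    ts: datetime
    sender: str
    recipient: str
    text: str


def parse_log(lines: Iterable[str]) -> List[Message]:
    """Parse log lines; blank and malformed lines are skipped, not fatal."""
    out = []
    for line in lines:
        parts = line.strip().split(" ", 3)
        if len(parts) < 4:
            continue
        ts, sender, recipient, text = parts
        out.append(Message(datetime.fromisoformat(ts), sender, recipient, text))
    return out


def max_fanout(msgs: List[Message], window: timedelta) -> int:
    """Largest number of distinct recipients hit inside any single window."""
    msgs = sorted(msgs, key=lambda m: m.ts)
    best, start = 0, 0
    for end in range(len(msgs)):
        while msgs[end].ts - msgs[start].ts > window:   # slide window forward
            start += 1
        best = max(best, len({m.recipient for m in msgs[start:end + 1]}))
    return best


def find_bursts(messages: List[Message],
                window: timedelta = timedelta(minutes=10),
                min_recipients: int = 5) -> List[Tuple[str, str, int]]:
    """Return (sender, url, fanout) for every sender/URL pair over threshold."""
    by_pair: Dict[Tuple[str, str], List[Message]] = defaultdict(list)
    for m in messages:
        for url in URL_RE.findall(m.text):
            by_pair[(m.sender, url)].append(m)
    alerts = []
    for (sender, url), msgs in by_pair.items():
        fan = max_fanout(msgs, window)
        if fan >= min_recipients:
            alerts.append((sender, url, fan))
    return sorted(alerts, key=lambda a: (-a[2], a[0]))


# Constructed log: alice is hijacked (6 contacts in 3 seconds), bob shares a
# link with two friends, carol sends one link to six people over a morning.
CONSTRUCTED_LOG = """\
2009-02-24T15:00:01 alice@example.com dan@example.com hey, look at this video http://clip.example/v1
2009-02-24T15:00:02 alice@example.com erin@example.com hey, look at this video http://clip.example/v1
2009-02-24T15:00:02 alice@example.com frank@example.com hey, look at this video http://clip.example/v1
2009-02-24T15:00:03 alice@example.com gina@example.com hey, look at this video http://clip.example/v1
2009-02-24T15:00:03 alice@example.com hank@example.com hey, look at this video http://clip.example/v1
2009-02-24T15:00:04 alice@example.com ivy@example.com hey, look at this video http://clip.example/v1
2009-02-24T15:05:00 bob@example.com alice@example.com lunch? http://menu.example/today
2009-02-24T15:06:00 bob@example.com carol@example.com lunch? http://menu.example/today
2009-02-24T09:00:00 carol@example.com dan@example.com http://news.example/story
2009-02-24T09:30:00 carol@example.com erin@example.com http://news.example/story
2009-02-24T10:00:00 carol@example.com frank@example.com http://news.example/story
2009-02-24T10:30:00 carol@example.com gina@example.com http://news.example/story
2009-02-24T11:00:00 carol@example.com hank@example.com http://news.example/story
2009-02-24T11:30:00 carol@example.com ivy@example.com http://news.example/story
"""

if __name__ == "__main__":
    for sender, url, fan in find_bursts(parse_log(CONSTRUCTED_LOG.splitlines())):
        print(f"ALERT {sender} sent {url} to {fan} contacts inside one window")
```

Only alice trips the rule: carol reaches the same six people but over two and a half hours, which the sliding window ignores. The underlying flaw is upstream of detection, though. A site that needs your Gmail password to show you a video has already got everything the worm needs, whatever its FAQ says about storage; delegated access that never exposes the password is the fix, and a burst detector like this is the backstop when users hand it over anyway.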

Even if Ton-That had nothing to do with ViddyHo, he (or she? how am I supposed to respect this person's deeply nuanced personal concept of gender without hearing explicitly the gender narrative he or she has constructed around a completed sense of self?) would still be an interesting character — a classically quirky yet herd-following San Francisco Web-software entrepreneur. His Twitter profile describes him as an "Anarcho-Transexual [sic] Afro-Chicano American Feminist Studies Major."

Ton-That frequently posted on Twitter about going to Sugarlump, an overwroughtly hip San Francisco "coffee lounge" in a rough-hewn but gentrifying corner of the Mission District, the preferred neighborhood of twentysomething Web developers. HappyAppy's office address is listed as 25 Stillman Street, a classically South of Market location for a startup. (In fact, it was once the home of Socializr, Friendster founder Jonathan Abrams's current company.)

In his work, too, Ton-That has followed the herd. A Google-cached version of Ton-That's blog gives this career biography:

From July 2007 to July 2008, I built 16 Facebook apps (with different codebases) with a combined unique install base of 6 million. In March 2008 the applications had over 150 million page views. In August 2008, I sold the top apps (Have You Ever, Would You Rather, Friend Quiz and Romantic Gifts).

I've also built 8 iPhone apps, notably Expando being the #2 app in September 2008 receiving 4 stars and over 400 reviews.

Ton-That's involvement with Facebook apps tracks precisely the rising and falling arc of Silicon Valley's craze for the social network's add-ons. And at the same time as many, Ton-That jumped from the Facebook-app wave to iPhone apps.

A Harvard Crimson reporter found extensive online links between ViddyHo and Ton-That's software business, HappyAppy. Ton-That hasn't admitted to the hack, or denied it. It's possible that whoever perpetrated the worm also hacked Ton-That's site. But his personal website is now offline, and he hasn't updated his Twitter feed since yesterday afternoon, when the first links between Ton-That and ViddyHo were reported.

Everything about Ton-That's life and work is a screaming stereotype of San Francisco's Web crowd — a bunch of supposed individualists who'd be paralyzed with fear by the idea that they're not living in the right neighborhood, working in the right office, and chasing the right technological trend. That's the irony of Ton-That's involvement with ViddyHo. If he is indeed the perpetrator of the worm, it may make him hated. But it would be the first truly original thing he's done.

(Photo by Terry Chay)

]]>
http://gawker.com/index.php?op=postcommentfeed&postId=5160290&view=rss&microfeed=true