Location-based services may still be searching for their purpose in the larger world, but they've found their niche at music festivals. Attendees at Lollapalooza, a major music festival taking place this weekend in Chicago's Grant Park, will be able to take advantage of an application for iPhone and Android that uses the location capabilities of smart phones to update and improve on common festival activities.

"One of the biggest things people are trying to do at these festivals is keep up with and connect with their friends," says Michael Feferman, digital marketing director at C3 Presents, which produces the event. Feferman described how the app builds on common practices at festivals.

For example, people typically plant flags in the ground as rallying points where friends can meet up. The Lollapalooza app lets users drop a virtual flag, complete with privacy controls so only a user's friends can see the signal.

Attendees often send flurries of text messages to coordinate with each other, and the app simplifies this by letting people communicate on friend walls so that everyone can see the messages.

Feferman believes that similar apps will eventually be taken for granted at festivals and will be entirely ubiquitous. This hasn't yet been realized, however, because connectivity is often a problem at events--festivals are often at remote locations without great connectivity in the first place, and they're flooded with a huge, sudden population all trying to use the network at once.

This year, Lollapalooza hopes to better serve the population hoping to post status updates, use twitter, and share and upload photos. Instead of relying on wireless carriers, who often suffer heavy criticism during such events, Feferman says festival organizers decided to take matters into their own hands. They installed free Wi-Fi over the 100 acres of the festival, which involved setting up temporary infrastructure to carry that load.

Feferman stressed that "it's very hard to provide people with the connectivity and service that they're used to," but he hopes that wireless access will help to make the location-based application more useful for attendees.

It's well-known that Google amasses large amounts of data about the people who uses its services. Though the company says it's careful to anonymize that data, and to safeguard what it collects, a talk given this week at Defcon, an underground hacker conference in Las Vegas, illustrated how information can leak out of Google's repositories regardless of the company's intentions.

In a talk titled "How I Met Your Girlfriend," security researcher Samy Kamkar (best known as the author of a worm that struck MySpace two years ago) described a series of attacks that could be used to find a person's physical location. The beginning of the talk focused on making contact with the target in order to convince him or her to visit a website of the attacker's choosing. Once the victim clicks the attacker's link, Kamkar showed how to manipulate Google into revealing his or her location.

As part of Google's StreetView effort, the company sends cars to drive through neighborhoods, taking photos and collecting data, including on WiFi networks in an area. The company has come under fire for some of the WiFi-related data it collects, but Kamkar says that hasn't included much concern over the MAC addresses Google collects--these are identifiers that are unique to devices using a given network.

Through triangulation, Google determines and stores the longitude and latitudes associated with these MAC addresses. This information can then be used to power Web services that make use of a person's location, including location services built into the Firefox browser. Kamkar says he was able to fool Google into revealing a target's location information after the target visited his website. He did this by tricking the victims browser into revealing data that then allowed him to impersonate that person when requesting the information from Google.

Leaving aside the technical details of Kamkar's attack, his narrative underlines a key concern with the personal information that modern Web companies store. Regardless of how a company intends to treat that data, providing it's accessible in some way it may be possible for an attacker to gain unauthorized access to it.

Searching for a hot news topic or buzzword can already lead an unsuspecting person to harmful malware. Recent articles are full of warnings about malware hidden in links that are supposedly about the World Cup or the Icelandic Volcano. Estimates have suggested that about 14 percent of traditional searches for trending news go to sites hosting malware.

As real-time search becomes more important, the problem of malware-related results could become much worse, according to a talk given yesterday by Dan Hubbard, CTO of Websense, at the Cloud Security Alliance Summit, which took place at the Black Hat security conference in Las Vegas. The event brought together speakers from government, industry, academia, and the underground. Hubbard outlined several ways that real-time search results are easy to poison.

Much of the problem stems from the nature of information provided in real time, Hubbard says. It's noisy, spammy, and not authoritative. So search engines have a difficult task ahead determining what links can be trusted.

The results are also easy to manipulate. Hubbard experimented with searches related to the recent Boston marathon. He found that he could get posts to the top of real-time search engine results by posting in anticipation of events. For example, he posted information about who had won before there was a winner, garnering a top spot on real-time results pages. He found that he could trick even Google by introducing typos that other users might be likely to make (such as "Botson" marathon). And, by posting images along with text, Hubbard found that he was able to rocket his posts to the top of results pages.

Hubbard says spammers could use social graphs to manipulate real-time search results as well. A botnet, for example, could create large numbers of interconnected Twitter accounts, creating a source of information that could seem authoritative. Hubbard also pointed to recent reports of spammers taking over the Twitter accounts of well-known users.

There may be big opportunities for spammers as location gets factored into the ranking of real-time results. Current location services trust where users say they are, he says. Location is also relatively easy to spoof. Spammers could add their links to real-time search ranks by seeming, for example, to tweet about the Icelandic volcano from Iceland, or about the Boston marathon from the finish line.

Hubbard plans to continue his investigation by looking at how spammers might be able to influence Facebook streams and search, and what they might be able to do with the popular location-based social network Foursquare.