p2pnet - rss feed: Spam, malware and online vigilantism
p2pnet news view | Security:- Sometime in October a malicious program exploited a security flaw in the Wordpress software I use to host my weblog and injected some extra commands into one of the widgets I use to add features to the site.
They opened up a connection between the blog and a site that tried to download a malicious piece of software to any site visitor unfortunate enough to be using Microsoft’s Internet Explorer.
Anyone who visited my site would have been prompted to install a clearly unwanted piece of software, although as far as I know nobody was affected. However I can’t be sure and hope that I didn’t unwittingly cause damage to anyone else’s computer.
I upgrade my installation regularly, and apply new security patches as they come out, but this happened in the few days before the release of a new version and I was caught.
Yet I only found out about the problem when a kind reader emailed me to tell me that Google was warning prospective visitors that my blog might ‘harm’ their computer.
I hadn’t noticed the warning because, strange as it may seem, I don’t Google my own name that often (searching blogs is a different matter, of course!)
And I hadn’t found out from Google, either because they didn’t send any emails or because the company that acts as technical contact for my site didn’t bother passing them on.
Once I knew what had happened I searched for and found the offending code, but it has taken three weeks to get the Google warning removed, and the experience has been a salutary one.
I started off at StopBadware, the organisation Google works with to flag sites hosting malicious code. Run by Harvard Law School’s Berkman Center for Internet & Society and Oxford University’s Oxford Internet Institute, it describes itself as ‘a “Neighborhood Watch” campaign aimed at fighting Badware’, and it does a good job of listing sites and providing information for users and site providers.
I searched for information about what they had found on my site and discovered that although Google had flagged my blog it hadn’t passed any information on to StopBadware. So I requested a review using the form provided, hoping to get some information to help me find out what had happened and which pages were affected.
I had to email them three times before I got a reply, and had to wait ten days for that, and even then there was no information on exactly what Google had found on my site, so I had to search myself.
Eventually I discovered that I could find a lot more information and request a review more effectively by signing up for Google’s Webmaster Tools. This is a great service, but it isn’t something my small blog really needs and of course signing up gives Google access to a lot of information about what I’m up to, information I’d rather they didn’t have.
But when the alternative is a blood-red sign saying ‘All hope abandon, ye who enter here’ splashed over Google’s search results there really is no choice.
And now my site is clean and Google likes me again.
Malware on websites isn’t the only area where private organisations are taking on this sort of police action. There is a similar debate going on over email and spam, with groups like Spamhaus creating lists of servers that they believe are sending out spam. Other organisations subscribe to the Spamhaus Block List and will block emails from those servers.
Their approach is pretty effective at closing spam relays, but of course sometimes the listing is wrong and sometimes there is collateral damage, when a server used by an ISP is listed and all of its customers are affected.
Part of me would like to see this sort of listing done by the appropriate authorities, perhaps even the police, with some degree of judicial overview and a formal appeals process.
Of course this is not going to happen, at least not on the global basis that would be needed to make it effective.
And the only real option for anyone who runs their own website is to sign up Webmaster Tools to keep an eye on what the rainbow monster thinks of them.
But if we’re going to live in a world where Google, StopBadware, Spamhaus and all the other private organisations offering to make the net safe have so much power then we have to push them to do a better job, especially when it comes to communication.
The point is not that this is online vigilantism, although it surely is. The point is about accountability, openness, responsiveness and the other things that we require from state actors but too often leave up to the market to enforce for private companies.
In his poem ‘Cloths of Heaven’ WB Yeats asks his lover to ‘tread softly because you tread on my dreams.’ For many of us our websites, email addresses, personal profiles and the other aspects of our online lives are vital parts of who we are, and at least as important as our dreams.
The organisations and companies seeking to fill the gaps left by law enforcement need to tread carefully too, and must treat those affected with respect and care, or they cannot expect us to support them, however noble their intentions.
Bill Thompson - andfinally.com
[Thompson is a UK-based writer and broadcaster. He has a weekly column on the BBC WebWise site, and contributes both on and off-line to The Guardian, The Register and The New Statesman, among others. His “inappropriately-titled ‘billblog’ “appears weekly on BBC News Online in the technology news section.]
Use free p2pnet newsfeeds for your site. It’s really easy!
Subscribe to p2pnet.net | | rss feed: http://p2pnet.net/p2p.rss | | Mobile - http://p2pnet.net/index-wml.php
Net access blocked by government restrictions? Use Psiphon from the Citizen Lab at the University of Toronto. Go here for the download, and here for details. Click here or here to learn how to by-pass censorship in your area.
November 15th, 2007 at 11:50 am
Probably some haker paid by the criminals at the RIAA.
November 15th, 2007 at 1:38 pm
“Probably some haker paid by the criminals at the RIAA.”
I really doubt the RIAA gives a shit about P2Pnet enough to do something illegal like that.
November 15th, 2007 at 10:16 pm
Why not? They’re illegally invading the privacy of hundreds of average anonymous people every week, aren’t they?
November 16th, 2007 at 12:21 pm
“I really doubt the RIAA gives a shit about P2Pnet”
Oh yes they give a shit a very big shit even!
I have my information and I can tell you that some of these parasites are fuming over some of the posting.
I they could sue P2pnet they would. But legaly there is no no way they can. There power of corruption on judges have some limit. Also even if they could they are affraid that some ellected official might turn against them. What is the point to receive supports from then for your next campaign if people will vote against you anyway?
November 16th, 2007 at 10:01 pm
If the RIAA gives enough of a care to pay a hacker to break in and obtain email communications then it cares enough that no one can be sure they will be a decent actor. It is no wonder they are hated as much as they are.
Many times off and on you see the employees of that organization trying to say, Hey we are the good guys but their actions speak far louder than any words you hear.
They are intimately involved in spreading malware. So why would one not think they would love to create problems for a pin prick in their side giving them bad publicity (not that they need any help in that department). Still you can see where they are sensitive to the bad press they have created for themselves in the action of making these sue’em alls local instead of national to try and control some of that bad press. I don’t think that does any good other than to show their mentality.