I've discussed the threat of weblogs before. In my story, I waxed lyrical
about the benefits of sequestered weblogging sites such as LiveJournal and
Xanga. I advocated them, confident that they were safely separated from the
rest of the Web under a single domain, making any spurious search results
from them easy to filter out.
However, there is a new and probably more dangerous threat posed by Xanga
which has only become obvious recently. A person's Xanga weblog can contain
arbitrary JavaScript and HTML. In and of itself, this isn't too bad. Even
though the blog can do pretty horrendous things to anyone who visits it, it
isn't likely to be visited, because it won't stand out amongst the five and
a half million or so other weblogs hosted at the same site. However, when
this poor security is combined with readily available (and easily written)
Xanga spamming scripts that spam links to the insidious weblog to tens or
hundreds of thousands of other users, it receives dozens of hits a minute.
And if the weblog has an embedded <iframe> or redirect to a
database-intensive script on another website -- such as Slashdot -- every
visitor's browser fires a request at that script, and bad things happen.
Slashdot suffered sporadic 503 errors, and anything which depended on its
database, including logging in and the generation of the front page,
suffered frequent failures. (That is, until CmdrTaco finally figured out
what had happened and got rid of search.pl altogether.)
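
As an added illustration (not part of the original post), here is how a site on the receiving end could spot this pattern in its own access logs: many unrelated client addresses hitting one expensive script, all carrying a Referer from a single off-site weblog host. The log lines, the host names and the use of search.pl as the expensive endpoint are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def parse_line(line):
    """Return (client_ip, path, referer_host), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path = urlsplit(m.group("target")).path  # drop the query string
    ref = m.group("referer")
    ref_host = urlsplit(ref).hostname if ref not in ("", "-") else None
    return m.group("ip"), path, ref_host

def referer_floods(lines, own_hosts, expensive_paths, min_clients):
    """Map (path, referer_host) -> distinct clients, keeping only off-site referers
    that sent at least min_clients different clients to an expensive script. Many
    unrelated browsers arriving from one external site is what an embedded iframe
    or redirect looks like, as opposed to a few readers following a link."""
    clients = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, ref_host = parsed
        if path in expensive_paths and ref_host and ref_host not in own_hosts:
            clients[(path, ref_host)].add(ip)
    return {key: len(ips) for key, ips in clients.items() if len(ips) >= min_clients}

# Constructed sample (not real traffic): four clients reach search.pl from pages on
# one external weblog host; one hit is from the site itself and one is a cheap page.
SAMPLE_LOG = [
    '10.0.0.1 - - [12/Mar/2004:10:00:01 +0000] "GET /search.pl?query=a HTTP/1.1" 200 512 "http://blog.example.net/user1" "Mozilla/4.0"',
    '10.0.0.2 - - [12/Mar/2004:10:00:01 +0000] "GET /search.pl?query=a HTTP/1.1" 503 0 "http://blog.example.net/user1" "Mozilla/4.0"',
    '10.0.0.3 - - [12/Mar/2004:10:00:02 +0000] "GET /search.pl?query=a HTTP/1.1" 200 512 "http://blog.example.net/user2" "Mozilla/4.0"',
    '10.0.0.4 - - [12/Mar/2004:10:00:02 +0000] "GET /search.pl?query=a HTTP/1.1" 503 0 "http://blog.example.net/user2" "Mozilla/4.0"',
    '10.0.0.5 - - [12/Mar/2004:10:00:03 +0000] "GET /search.pl?query=b HTTP/1.1" 200 512 "http://news.example.org/" "Mozilla/4.0"',
    '10.0.0.6 - - [12/Mar/2004:10:00:03 +0000] "GET /index.pl HTTP/1.1" 200 9000 "http://blog.example.net/user1" "Mozilla/4.0"',
]

if __name__ == "__main__":
    hits = referer_floods(SAMPLE_LOG, {"news.example.org"}, {"/search.pl"}, 3)
    for (path, host), n in hits.items():
        print(f"{n} distinct clients were sent to {path} by pages on {host}")
```

A hit on such a (path, host) pair is the point at which a site operator can block or rate-limit requests carrying that Referer, or serve the expensive script a cached page, rather than removing the script as Slashdot ended up doing.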
What makes this even more dangerous is that it can be done so quickly and
readily. Unlike scraping together a decent-sized botnet (which can take
days or weeks), anyone can whip up a couple of Perl scripts and start
hammering away. The only limit is the attacker's bandwidth, but past
Xangadottings have demonstrated that it takes only two or three disgruntled
hackers with ordinary broadband connections to take down the databases of
all but the hardiest websites.
Xanga seems to be completely unaware of this problem, or just can't be
bothered to try to fix it, having taken no measures to combat it. (I
suspect the latter, since they haven't bothered to follow up on other
users' reports.) For instance, despite asking for an email address when
signing up, they never send a confirmation message to that address. Nor do
they use a captcha to sign up or post. So the process of signing up and
posting comments in others' blogs is very easy to script.
As such, we can't really do much about it but fume now and then. Even
trying to use the flooding tactic against Xanga itself would be
self-defeating, because if Xanga were to go down, it would no longer be
bombarded. Quite a dilemma. Maybe I should have been more inclusive in
decrying weblogging after all. I find it pretty funny that blogging, which
has been described as a tool for perpetuating freedom of speech, can now be
used as a tool to suppress others' views.
Good work. Let's keep bringing the power of publishing to the people!