The average IQ of the internet pedophile is apparently much higher than the aggregate of IQs at MySpace.

Let me make a prediction: MySpace will be found liable for several incidents of child exploitation going forward — even more so than before. Wired's blog made it public over here.

I was blissfully unaware of this until now (not being a pedophile and all…), but I could always tell that MySpace was a poorly conceived application. The idea was good, but that is where it ended.

The problem is that MySpace was started (and hence programmed) by a team that never knew how big it would become — and quite possibly in over its head. And of course every programmer or IT manager knows that it's orders of magnitude harder to fix applications while they're being used. Often, it must be refactored and/or rewritten. That's even worse.

That said, it should have been done. There is enough money flowing into the enterprise that some of it should be devoted to fixing all obvious flaws, especially where it pertains to child exploitation.

The frightening part of the most recent bug is that, assuming I understand it, it was trivial to fix. Criticisms about the inanity of letting users have full control over content (and hence allowing for creative XSS attacks and phishing) aside, this wasn't anything complex. Let me explain:

Typically a web site displaying anything, whether it be products, files, or, in this case, provocative photos of 14 year olds, has two levels of navigation.

1. List multiple items in a catalog.
2. View a particular item.

A simplified request to a web server for level "1." looks like this:

http://www.socialsite.com/album/?user=bob (view all photos in album for "bob").

And for 2:

http://www.pictures.com/album/?picture_number=12345 (view photo 12345).

When MySpace decided to protect your 14 year old daughter from the "Army of Pedophiles," they initially only prevented level "1." from being viewed. So if a user contrived a method to guess or derive the latter type of URL, nothing stopped that from occurring. And that's just what this "army" figured out how to do.
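The gap described above, reduced to an added example (not MySpace's code, which this post does not show): the item route has to apply the same visibility policy as the list route, and a small audit compares the two routes for every viewer. All names and sample data here are constructed for illustration.

```python
class Forbidden(Exception):
    """Raised when the viewer may not see the requested resource."""

# Constructed sample data: bob's profile is private, alice is his only friend.
PRIVATE_PROFILES = {"bob"}
FRIENDS = {"bob": {"alice"}}
PHOTOS = {12345: {"owner": "bob"}, 12346: {"owner": "carol"}}

def can_view(viewer, owner):
    """Single policy shared by every route that exposes an owner's photos."""
    if owner not in PRIVATE_PROFILES:
        return True
    return viewer == owner or viewer in FRIENDS.get(owner, set())

def list_album(viewer, owner):
    """Level 1 (/album/?user=...): the only route that was protected."""
    if not can_view(viewer, owner):
        raise Forbidden(owner)
    return sorted(pid for pid, p in PHOTOS.items() if p["owner"] == owner)

def view_photo_unchecked(viewer, photo_id):
    """Level 2 as the post describes it: any known or guessed id is served."""
    return PHOTOS[photo_id]

def view_photo(viewer, photo_id):
    """Level 2 with the missing check: look up the owner, apply the same policy."""
    photo = PHOTOS[photo_id]
    if not can_view(viewer, photo["owner"]):
        raise Forbidden(photo_id)
    return photo

def served(route, *args):
    """True if the route returns content, False if it refuses the viewer."""
    try:
        route(*args)
        return True
    except Forbidden:
        return False

def audit(view_route, viewers):
    """(viewer, photo_id) pairs the item route serves but the list route denies."""
    return [(v, pid) for v in viewers for pid, p in PHOTOS.items()
            if not served(list_album, v, p["owner"]) and served(view_route, v, pid)]
```

Running `audit` against both item routes with a non-friend viewer flags photo 12345 for the unchecked version and nothing for the checked one.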

This incensed me — not because I've ever been this sloppy in implementing an application, but because MySpace was under scrutiny, was aware that they have facilitated pedophilia in the past, and didn't audit their application to verify that this sort of obvious sloppy security hole didn't exist until it was obviously exploited.

I would assert that the fix for this security hole was no more than 2 lines of program code and would take about 1 week to exhaustively test and deploy.

Meanwhile the self-proclaimed "pedo-army" figured it out, masturbated to pictures of your daughter, and will probably continue to see more of her when the pedophiles outfox MySpace again …
