I suppose we should be used to "gaper delays*" on the Internet, but 17 GB worth?
Ed Felten at Freedom to Tinker writes about the recent MySpace photo debacle reported on in Wired News where someone named DMaul downloaded 17 gigabytes worth of pictures from 44,000 MySpace users and put it out on BitTorrent. He reportedly did it to "prove it could be done."
F2T comments:
The implication here, not quite stated, is that DMaul was trying to
draw attention to the flaw in order to force MySpace to fix it. If this
is what it took to get MySpace to fix the flaw, this story reflects
very badly on MySpace.
and
Now suppose you know that a company’s product has a flaw that is
endangering its customers, and the company is denying and delaying.
There is something you can do that will force them to fix the problem —
you can arrange an attention-grabbing demonstration that will show
customers (and the press) that the risk is real. All you have to do is
exploit the flaw yourself, get a bunch of private data, and release it.
Which is pretty much what DMaul did.
To be clear, I’m not endorsing this course of action. I’m just
pointing out why someone might find it attractive despite the obvious
ethical objections.
Ultimately, F2T wonders if DMaul intended to punish MySpace with the revelation.
The most surprising thing about this commentary and the story overall is the irony of the situation that is not getting addressed: DMaul is attempting to "protect" people from having their pictures exposed… by exposing their pictures. Of course, he only did it for some small number – 44,000 users, but I suspect that was probably about 40,000 more than were compromised before his exercise.
The user is almost always the externality that both the software writer and the bugfinder completely ignore in their cage match. They become an unfortunate byproduct that really should be the main focus.
Clearly, what DMaul did increased the risk by getting the attention of the press and thereby increasing the threat (the more people know about the problem, the higher the threat) as well as increasing the consequences of the action (consequences increase in confidentiality scenarios anytime the information becomes more public).
*the "gaper delay" is the phenomenon ascribed to the inevitable slow-down of cars in the lanes opposite a traffic accident, caused by drivers who want to see what is going on across the way.
It was high time that MySpace sorted this sorry situation out already. If this is what it takes, then so be it.
@Happy -
I wonder if the 44,000 people whose pictures were in the BitTorrent release agree.
“The user is almost always the externality that both the software writer and the bugfinder completely ignore in their cage match. They become an unfortunate byproduct that really should be the main focus.”
indeed… with all the talk of protecting networks and protecting endpoints and protecting data, why does no one talk of protecting people?