Myspace: Protecting our Kids from...

...perverts? pedophiles?!? Aye, of course but let's not forget (and perhaps most of all):


Samy (the lad whom I mentioned a couple weeks ago) is now feeling the not-so-swift nonetheless serious hand of Myspace justice as reported in SC Magazine yesterday. Man. Don't mess with the Fox / NewsCorp people; some of them take being shaken up a bit quite seriously (even when the shaker isn't shaking to make money or disrupt them really).

I found this on Myspace, ironically.

...OK, technically yes, Samy was no baby, and he did commit a crime that he's got to pay for. He was legally an adult when he let his worm loose on them, but by a mere year or two. That no doubt made all the difference in determining his punishment (despite undisclosed details about the $ part).

It doesn't necessarily mean that Myspace taking it as far as an actual trial for his childish behavior would've been the most mature response, though. I wonder if taking him to court with the aim of settling so as to put him to (unpaid) work for them for a period of time would've been a better strategy, i.e. retaining more street cred while putting some obviously skilled help on tightening up their sites. With hackers and spammers, it often takes one to fight one... and sometimes it's better to take the high ground and look for a potential advantage in a situation, than it is to go making an example of someone to try sending a message like they did here.

They have been getting it together lately though. Word is they've been working in more email verification requirements, IP blocking, and a stronger CAPTCHA in the past week.

Anywho, I've been putting off getting one of the T-shirts for a while. It's about that time now though... just in case the better design sells out and/or their prices get raised. Besides, they probably qualify as retro chic now. Two years counts as retro in Internet time, right? I should think so.

I wonder how long Samy's direct record (complete with the code overview, screenshots, links and a guestbook) will be allowed to stay live. Those who haven't seen it are encouraged to check out the retrospective now in case it gets yanked soon per the recent court ruling.


Speak of the Devil...

and hear wings rustle.

It's been another interesting discovery day in the world of Myspace, which I happened to allude to yesterday, albeit on a different point.

I maintain that if I were them I'd be flapping hard, despite how the only way entrepreneurs are directly monetizing them is (to my knowledge) in pushing profile tweaks and lookie-loo webcam sites via fake profiles (areas which in themselves have some serious coin in them): RSnake's Fierce has now revealed their "Content Take-Down Tool"...

Content Take-Down

also their Site Admin...

Site Admin

and the location of their Webmail...


and... sheesh. Hopefully they're hiring Engineers as aggressively as they say they're hiring Sales reps. 😛

I really don't know much about Web security or IT, but meself, I'd have thrown some spider traps on all this. Also, their public site's robots.txt is surprisingly simple and inviting for the business they're in. There are a ton of sites that are spit in the ocean compared to Myspace and yet are more secure. It wouldn't be hard for them to just let in the major SE bots and feed aggregators and, as for the rest of them, well, screw 'em, in order to keep out unidentified crawling objects. Up there with Yahoo and eBay, they're one of the most visited sites on the Web already, and their brand is one of the most searched-on queries in any given week or month. So sure, it would hamper their traffic some, but IMHO it would be a small price to pay to sleep easier at night.
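The allow-list robots.txt plus spider trap idea above, worked through as an added example (this is not code from the original post or from Myspace). It assumes a hypothetical trap path, an allow-list of three search bots with assumed DNS suffixes, a fake resolver, and constructed log lines. Two caveats a practitioner would want: robots.txt is advisory, so the trap exists to catch crawlers that ignore it, and a User-Agent string is trivially forged, so a request claiming to be Googlebot is checked with forward-confirmed reverse DNS before it gets allow-list treatment. robots.txt is also public, so the admin, take-down and webmail paths must never be listed in it.

```python
# Added example, not code from the original post or from Myspace. The trap
# path, the bot allow-list, the DNS suffixes and the log lines are assumptions.
import re

# Hypothetical trap URL: reachable only via a link hidden from humans and
# disallowed for every bot in robots.txt, so only a crawler that ignores
# robots.txt and follows every link it sees ever requests it.
TRAP_PATH = "/_cgi/tracker/"

# Crawlers we want, keyed by User-Agent token, with the DNS suffixes a genuine
# host must reverse-resolve to. Google documents this forward-confirmed reverse
# DNS check for Googlebot; the other two suffixes are assumptions here.
WELCOME_BOTS = {
    "Googlebot": (".googlebot.com", ".google.com"),
    "Yahoo! Slurp": (".crawl.yahoo.net",),
    "msnbot": (".search.msn.com",),
}

# Combined log format as written by Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def robots_txt(bots=WELCOME_BOTS, trap=TRAP_PATH):
    """Named bots may crawl everything except the trap; everyone else nothing.

    Deliberately absent: admin, take-down or webmail paths. robots.txt is
    world-readable, so listing sensitive paths in it advertises them.
    """
    out = []
    for name in bots:
        out += [f"User-agent: {name}", f"Disallow: {trap}", ""]
    return "\n".join(out + ["User-agent: *", "Disallow: /"]) + "\n"

class FakeResolver:
    """Canned PTR/A answers so the example runs offline. For live use, back
    reverse() with socket.gethostbyaddr(ip)[0] and forward() with
    set(socket.gethostbyname_ex(host)[2])."""

    def __init__(self, ptr, a):
        self.ptr, self.a = ptr, a

    def reverse(self, ip):
        return self.ptr.get(ip)

    def forward(self, host):
        return self.a.get(host, set())

def claimed_bot(ua):
    """Which welcome bot the User-Agent claims to be, or None."""
    return next((name for name in WELCOME_BOTS if name in ua), None)

def verified_bot(ip, bot, resolver):
    """Forward-confirmed reverse DNS: the PTR must sit in the bot's domain AND
    resolve back to the requesting IP. A User-Agent alone proves nothing."""
    host = resolver.reverse(ip)
    if not host or not host.endswith(WELCOME_BOTS[bot]):
        return False
    return ip in resolver.forward(host)

def classify(line, resolver):
    """(ip, verdict): trapped / spoofed-bot / verified-bot / ok; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, ua = m.group("ip", "path", "ua")
    if path.startswith(TRAP_PATH):
        return ip, "trapped"
    bot = claimed_bot(ua)
    if bot is None:
        return ip, "ok"
    return ip, "verified-bot" if verified_bot(ip, bot, resolver) else "spoofed-bot"

def block_list(lines, resolver):
    """IPs to firewall: hit the trap, or claimed to be a welcome bot and failed DNS."""
    blocked = set()
    for line in lines:
        hit = classify(line, resolver)
        if hit and hit[1] in ("trapped", "spoofed-bot"):
            blocked.add(hit[0])
    return blocked

# Constructed sample traffic, not real log data (RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Oct/2006:13:55:36 -0700] "GET /_cgi/tracker/ HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '66.249.66.1 - - [10/Oct/2006:13:55:40 -0700] "GET /index.cfm HTTP/1.1" 200 9123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [10/Oct/2006:13:55:41 -0700] "GET /index.cfm HTTP/1.1" 200 9123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.55 - - [10/Oct/2006:13:55:44 -0700] "GET /profile.cfm?id=1 HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
]

# Canned DNS: 66.249.66.1 confirms as Googlebot, 198.51.100.7 has no PTR at all.
SAMPLE_RESOLVER = FakeResolver(
    ptr={"66.249.66.1": "crawl-66-249-66-1.googlebot.com"},
    a={"crawl-66-249-66-1.googlebot.com": {"66.249.66.1"}},
)
```

`block_list(SAMPLE_LOG, SAMPLE_RESOLVER)` returns the two addresses to firewall: the one that fetched the hidden trap and the one that claimed to be Googlebot without a confirming PTR record. For live traffic, swap `FakeResolver` for the `socket` calls named in its docstring, and rate-limit the DNS lookups since they happen per request. None of this touches what Fierce does, which is DNS enumeration rather than crawling; the only answer to that is not giving admin hosts guessable, publicly resolvable names.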

Maybe I'm just paranoid... Whenever I register a domain and put the DNS on anything other than the registrar's park page, it doesn't take but days or weeks before some hoser, proxified via the PRC, Turkey, Singapore, The United Arab Emirates or some other place, sends something wriggling through me trying to find vulnerabilities in things that don't even exist yet, i.e. before I've installed any software or databases on the host whatsoever. This moreover sometimes happens before I've published any content or set up any inbound links on the greater Web. That's how aggressive and thoroughly automated some people are.

Anyway, I'm not the only one with misc. feelers out there aiming to keep a finger on the pulse of things from ongoing research, polite observation, and info-power perspectives. So if people like me are becoming aware of this stuff without specifically trying, think what professional hackers are up to right about now with it. My guess: Shifting attention from developing various XSS methods that work on Myspace's public-facing stuff (a handful of which seem to appear monthly) over to targeting their back-end. At this rate it's probably just a matter of time until someone comes up with something that does a lot more damage than what Samy did.

With Web 1.0, hyper-growth was a lot about content management, handling loads on infrastructure, etc. With 2.0 though, given the new democratic openness and the methods facilitating it, the watchword now is security for sure.



Based out of Northern California, is a bl.og dedicated to the advocacy and study of high-impact, data driven marketing disciplines and related concerns: Analytics and Data Mining, Marketing Automation, Integrated Advertising (targeting, retargeting), Demand Generation and Lead Nurturing, Social Media / Social Engineering (Crowd-hacking) and the new PR, Privacy, Security, CRM, SEO / SEM, CRO, ROI... more TLAs (three letter acronyms) than any sane person's daily lexicon should include.

About the Preacher