July 05, 2004

Censorware usable for blog Denial-Of-Service Attack?

Michael Froomkin relates a censorware experience with some interesting implications:

Since the Supreme Court cares about the quality of blocking and filtering software, it may be appropriate to report that SiteCoach, the blocking software used on the internet kiosks in the lobby of the Amsterdam hotel I am staying in, blocks Atrios for using the f-word, and the Volokh Conspiracy for "Forbidden Keyword free sox". Actually, the "o" in that last should be an "e" -- I'd post it more clearly, but that would just ensure I couldn't access my own blog any more.

Hmm ... "couldn't access my own blog any more". Now, his blog has the style where excerpts from recent comments are displayed on the front page, using the first few words of the comment. Suppose, as a comment, on seeing this, a malicious person had posted "FREE SEX!!!". Then that phrase would appear on the front page of the blog. And perhaps trip the censorware. Moreover, if he tried to delete the comment, the editing screen would of course have displayed it, and hence also triggered the censorware (there might be a way to generate a delete command without display, but most people would probably stop at the point where they were locked out of the comment editing screen).

I didn't test this, err, directly. But likely there will be plenty of chances to see if it happens to someone ...

By Seth Finkelstein | posted in censorware, security | on July 05, 2004 11:59 PM (Infothought permalink) | Followups
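The lockout described in the post, and the "delete command without display" way out of it, as an added example that is not code from the post or from any blogging tool. The filter is a constructed stand-in, not SiteCoach's actual logic, and the blocklist entry, comment data and function names are all assumptions made for illustration.

```python
import re

# Constructed model of a keyword-blocking filter (NOT SiteCoach's real logic).
BLOCKLIST = ["forbidden phrase"]  # constructed placeholder keyword

def filter_blocks(page_text):
    """Return True if the modelled filter would refuse to display the page."""
    normalized = re.sub(r"[^a-z0-9]+", " ", page_text.lower())
    return any(keyword in normalized for keyword in BLOCKLIST)

# Constructed sample comments: id -> (author, text)
COMMENTS = {
    101: ("alice", "Nice write-up, thanks."),
    102: ("mallory", "FORBIDDEN PHRASE!!! and some more text"),
}

def front_page(comments, excerpt_words=4):
    """Front page that shows the first few words of each recent comment."""
    lines = ["Recent comments:"]
    for author, text in comments.values():
        lines.append(f"{author}: {' '.join(text.split()[:excerpt_words])}...")
    return "\n".join(lines)

def edit_screen(comments, cid):
    """Conventional moderation screen: echoes the full comment back."""
    author, text = comments[cid]
    return f"Edit comment {cid} by {author}\n{text}\n[Delete]"

def safe_admin_list(comments):
    """Moderation view that echoes nothing the commenter supplied.

    The author name is commenter-controlled too, so only the id and the
    text length are shown; that is enough to pick a comment to delete.
    """
    return "\n".join(f"{cid}\t{len(text)} chars\t[Delete]"
                     for cid, (_author, text) in comments.items())

def delete_comment(comments, cid):
    """Delete by id without rendering the comment."""
    return {k: v for k, v in comments.items() if k != cid}

if __name__ == "__main__":
    print("front page blocked: ", filter_blocks(front_page(COMMENTS)))
    print("edit screen blocked:", filter_blocks(edit_screen(COMMENTS, 102)))
    print("safe list blocked:  ", filter_blocks(safe_admin_list(COMMENTS)))
    cleaned = delete_comment(COMMENTS, 102)
    print("after delete blocked:", filter_blocks(front_page(cleaned)))
```

Holding new comments in a moderation queue so that excerpts only reach the front page after approval removes the front-page trigger as well.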


Yes, poorly configured filtering software will do exactly that. In fact it can do worse than that... a malicious person could, as well as give you the text "Free Sox", also provide you with a link to "Free Chold Pron".

However it is important to remember, as we used to say in day care... when at "story time" a child says "I can't see... I can't see", the response is "move to where you can see"...

In other words, you are not locked out of your blog; you have to move to another computer... one without filtering software...

Posted by: Bob Turner at July 6, 2004 04:06 PM

Of course one can take measures to react to a Denial-Of-Service attack. But the twist here is that the blog owner, traveling or in some other way constrained, would be put to great inconvenience in order to recover. He or she would be locked out until they could find an uncensorwared connection or a means of removing the triggering comment without actually viewing it. That's a notable effect, especially if done at a critical time (e.g. a conference).

Posted by: Seth Finkelstein at July 6, 2004 08:59 PM

Well... I have an idea for that. I recently just purchased the Nokia 7610 phone, and it has this cool little function where you can access websites that aren't encoded in XML or the mobile website language. It can really display the whole website in a condensed form... or the entire website normally (you have to scroll a lot though), so essentially if you ended up getting a phone like that or had those capabilities, you could fix the problem!
Just my 2p

ITIL Consultant

Posted by: ITIL Consultant at July 12, 2004 05:20 AM