Lessons from the last few weeks
July 13, 2004
The last few weeks have been interesting ones here at The Common Voice. Regular readers are well aware of what has transpired. There are lessons to be learned and changes on the horizon.
The evening of June 25 I was cleaning up shop in preparation for going out of town on vacation. It was a frustrating evening because I had much to accomplish and the clock seemed to be moving double time. In the midst of this an email appeared in my box that caused me to look twice. The subject field alerted me that a change had been made to one of the BlogPot accounts.
Now, I wish there were even more bloggers willing to jump into the pot and list their musings on The Common Voice. So, I clicked on the email to see who was coming on board. What I learned was that a change had been submitted to my own web blog entry in the BlogPot. Suddenly a frustrating evening went even further south!
I immediately went to the site and found someone had gained access to the admin portion of the site and posted a notice that the site had been hacked. The hacker attributed the break to Jimmy Moore. He also posted some headlines and discussions.
I didn't have time to deal with it at that moment so I started the process of shutting down the public portion of the site. However, the hacker was still trying to work behind the scenes. At that time I went to the database level to break the code so that he could no longer continue his actions while I was out of town.
Upon my return I set about trying to find out how the site was compromised. Thankfully, he returned and I was able to capture the approach used. Upon seeing what he did, it became obvious. Basically, he used a SQL injection into the username and password fields to return a record from the database thus giving him access. I freely admit this was due to lazy coding on my part. Had I disallowed such injections, the miscreant wouldn't have ruined my vacation!
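The login bug described above, shown as an added example (not the site's own code): a query built by pasting the username and password into the SQL text, beside the parameterized form that keeps the input as data. The table and credentials are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's admin user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    # Plaintext password only to keep the demo short; real stores hash them.
    conn.execute("INSERT INTO admins VALUES ('editor', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """The pattern the post admits to: user input spliced into the SQL string.
    A quote character in the input changes the structure of the query itself."""
    sql = ("SELECT username FROM admins WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, username, password):
    """Hardened form: '?' placeholders bind the values as data, so no character
    the visitor types can alter the WHERE clause."""
    sql = "SELECT username FROM admins WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Run both versions with real credentials and with a constructed input
    whose quote turns the concatenated WHERE clause into a tautology."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "concat_good_creds": login_concat(conn, "editor", "correct horse battery staple"),
        "concat_quoted_input": login_concat(conn, tautology, tautology),
        "param_good_creds": login_param(conn, "editor", "correct horse battery staple"),
        "param_quoted_input": login_param(conn, tautology, tautology),
    }
```

Only the concatenated version lets a row come back for input that matches no account; the parameterized version simply fails the login.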
I wish that was the end of the story, but it isn't. Deterred from breaking into the admin section of the site, the person (who obviously has something stuck in his craw) succeeded in redirecting visitors to The Common Voice to other sites. He did this by placing JavaScript in the headline submission forms. By submitting a line of code into multiple headlines, he was able to launch a redirect. The fix again was simple, just disallow any characters that are used to write scripts.
That is when our friend decided to start putting very long strings of THIS_SITE_HAS_BEEN_HACKED into the headline fields so that the default page would stretch and distort the formatting. Technically, you can't very well call that a hack. Who knows what he will try next?
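The two headline problems above (script in a headline, and over-long strings that stretch the page) handled on the server side, as an added example that is not the site's own code: escape on output so a headline is always rendered as text rather than stripping "script characters" on input, and cap the length when storing. The length limit and sample headlines are constructed for the demo.

```python
import html

MAX_HEADLINE_LEN = 120  # constructed limit; the page does not state the site's own


def render_headline(raw):
    """Output-side fix: HTML-escape the stored headline at render time, so
    '<', '>', '&' and quotes reach the browser as literal text. This holds for
    any markup, not only the script tags the post mentions."""
    return html.escape(raw, quote=True)


def store_headline(raw):
    """Input-side fix: reject empty or over-long submissions (the stretched
    layout came from very long strings). Returns the cleaned text, or None
    when the submission is refused. No characters are stripped here; escaping
    at render time makes that unnecessary."""
    text = raw.strip()
    if not text or len(text) > MAX_HEADLINE_LEN:
        return None
    return text


def demo():
    """Constructed submissions: one carrying a script tag, one a long run of X's."""
    scripted = "<script>/* constructed */</script>Headline"
    stretched = "X" * 500
    return {
        "scripted_stored": store_headline(scripted),
        "scripted_rendered": render_headline(store_headline(scripted)),
        "stretched_stored": store_headline(stretched),
    }
```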
NEWSFLASH: Even as I was typing this, I see that he has returned to place a long string of "X's" in the headline field. I keep wondering what satisfaction he gets from this. Pardon me while I go to clean up his droppings.
Of course, there are ways to combat this type of activity and those wheels have been placed in motion. I also understand that it is easy to get into a war – and that I don't have time for. That leads me to the lessons and future changes.
In the three years The Common Voice has been online, it has been an interesting experiment. I never set out to build a hacker-proof site (my self-taught knowledge of programming doesn't allow that). What I did set out to do was attempt to build a community where people of different ideas and values could come and discuss issues.
The lesson I have learned is that every community must have law. I also learned that not everyone likes the laws that are put in place. In order to have a site where there is freedom to build a community there must be restrictions. The obvious answer that would save me a lot of work is if everyone would act responsibly and be civil to one another. The problem then becomes who decides what is responsible and civil behavior?
(By the way, that is one of the reasons why I can't be a full-fledged libertarian.)
What I attempted to do was to build a threshold of what I personally deemed responsible and civil behavior and then allowed people to cross the line. In the end I had people complaining that the site was too far one way or the other. I guess you can call that balance. Has the site been perfect? No way! Impossible -- seeing that an imperfect person has been at the controls.
So, here is the change that will be soon to come. I will no longer be allowing anonymous headline submissions. In the near future the site will require you to log in before you are able to submit to any portion of the site. Also, valid email addresses will be required to log in. I wish there was no need to log in at all, but that isn't to be.
Whatever the case, the site will not be going away. I have been known to be a patient person and am willing to keep deleting our disgruntled visitor's headlines until I can get the login mechanism in place.
Thanks to all you friends of the site – both liberal and conservative – who have hung with me through this time . . . even when you got directed to a web site proclaiming you are an idiot! We all know who the real one is.