JasonMorrison.net

I read two reports today about large-scale botnets that really pointed out that security is still an open problem on the web. Recently, researchers got access to a nasty botnet, Torpig (original paper: Your Botnet is My Botnet: Analysis of a Botnet Takeover). A few months earlier researchers hijacked the Storm Worm and looked at its profitability (original paper: Spamalytics: An Empirical Analysis of Spam Marketing Conversion). Both papers are fascinating, but terrifying reads.

Some findings:

• In 10 days, a botnet running on 160,000 machines stole credentials for over 8,000 bank accounts.
• About 1 in 10 people who open a spam email click through to get infected by the malware.
• 350 million spam emails resulted in only 28 sales, but the average purchase was $100.

How do these botnets get control of machines? How do they make money? Whether it’s a spammer who needs to get someone to make a purchase on a website or a scammer stealing credit card numbers, passwords, and other information, ultimately you need to get someone to a bad website. Think about all the paths you might take to different sites during the day:

• Via a web search
• Clicking on a link in an email
• Going directly to a favorite site
• Clicking through an ad

Spammers and scammers try to take advantage of all of those methods, and given the huge volumes of machines at their disposal, it’s a wonder search engines, spam filters, and advertising systems protect users as well as they do now. Between the first and third bullet point above, there’s a huge motivation to hack otherwise good sites to inject drive-by download malware – it can happen to anyone.

So what can we do about it? I think it ultimately comes down to a combination of smarter automated methods, better ways to establish trustworthiness, and removing the economic incentives for spamming, identity theft, and hacking. I have a few posts in mind about some current tools that help with the trust issue and how we might be able to build a social web of trust.

This isn’t a new discussion, Tim Berners-Lee has been writing about the web of trust since the 1990s. But all the work done since then has yet to really solve these problems. And really, so long as a few people are willing to click on a malware link or buy drugs via a spam email, it will never stop.

I’ve been kicking around the idea of redesigning my homepage and blog, though I’m not sure I really have the free time to do it. To start, I thought I would to put down a few thoughts about applying usability principles when designing blogs.

When you starting thinking about usability it’s temping to jump right into lists of principles and rules of thumb. It’s a little silly applying Fitt’s Law when you haven’t even established what you want your site to accomplish in the first place. So what, generally, do you want your blog to do?

Personal Goals

• Share thoughts and work with others
• Collect a body of work to represent myself (like a portfolio)
• Collect information for later discovery (by myself and others)
• Provide an outlet to continue practice writing
• Allow others to communicate with me and comment

If you’re creating or redesigning a blog for a company, the goal set may be very different. Below are some examples that don’t actually apply in my case.

Business goals

• Communicate with customers
• Build long term relationships with customers
• Produce quality content to drive search traffic
• Generate revenue through advertising
• Etc.

Many projects don’t even get this far before the graphic designers and web developers are already making mock-ups, but we still have one more important step to do. We know why you’re building a blog, but why are users coming to it?

(more…)

Having run a big online poll and seen some abuse, I had to share this story posted on the Music Machinery blog. Every year, Time collects their list of 100 most influential people and conducts an online poll. Most years it’s a healthy ballot-stuffing competition between Stephen Colbert fans and fans of the Korean singer Rain.

You can see the list of the top 100 this year here. Does anything look strange to you?

Through a combination of seeding forums with misdirected vote links and clever vote bots, the fans of 4chan not only got moot to the number 1 position but spelled out a message with the first letters of the following positions. That’s a truly amazing hack, and a surprisingly mild response from Time’s developers.

This is also an interesting look into the kind of tactic used by web spammers. Funny in this case, but this is the kind of thing we’re up against.

I wrote a post last Friday on the Google Webmaster Central Blog about the widespread abuse of open redirects round the web.  If you have some code on your site that will redirect users to an arbitrary destination based on url parameters, watch out.

“But Jason,” you say, “why would I have code that would redirect users to an arbitrary destination based on url parameters?”  You might be surprised.  Code that tracks clicks for ads or analytics, search results pages, and even some login pages are vulnerable.

There are actually lots of legitimate reasons to redirect users, but unfortunately spammers can use them too if you’re not careful.  Read the post to find out more and learn ways to make your site less attractive to attackers.

I hate comment spam. I think it’s safe to say we all do. So how do you keep it off your blog or forum? Check out this article I wrote on the Google Webmaster Central Blog with some ways to prevent comment spam.

It’s interesting that one of the commenters brings up compliment spam – I just wrote about it on this blog a little while ago.

This was pretty cool for me, because I can’t really share much about my work at Google. It’s also fun to see my text translated into German.

Next up I’ll post an update on the baby name poll with more fun charts and graphs.