
February 22, 2007



Listed below are links to weblogs that reference Shoemoney Banned from MyBlogLog, Andy Beal Boycotts MyBlogLog:

» MyBlogLog: Good idea, SUCKY Implementation from zaid360.com
It seems almost customary for the blogosphere to lash out against MyBlogLog for a major bug or security flaw - whatever you decide to call it - every couple weeks. Sure MyBlogLog sold it to Yahoo and made good quick $$$. But... [Read More]


Li -- I can assure you that he did not get permission from either Scott Rafer or Jeremy Zawodny before posting their IDs. You can also tell from one of the early comments in the original "here's the hack" thread that at least one other account was posted without the owner's consultation.

As I have said in multiple places, he did not get banned for posting the exploit, he got banned for posting the data. And even that might have been forgivable if he hadn't updated the original post, which contained only three userIDs, to include eight more.

I'm simply not seeing where that act further increased anyone's security. Alternately phrased, how many userIDs should we have let him post before we could ban him without looking like a jerk? ;)

Looking forward to hearing any further thoughts you have on the subject.

Hey Eric - thanks for stopping by and posting.

I am in agreement with you - that posting the data was wrong. We, as bloggers, have a responsibility. I also emailed Jeremy and he confirmed that he did not have permission.

The blogosphere is all about communication, so in response to not looking like jerks, let me explain. As soon as you and your team discovered what he was doing, perhaps you could have emailed him or contacted him in some way - given him a deadline to cease and then pulled him from MBL if he didn't comply with the request to pull down the data. Shoe's a pretty understanding guy, and he's intelligent - I'm sure if you expressed your concern about posting the personal data (even though naming avatar images as the persons' account number is pretty easy to discover, and a bad fault on MBL's part), Shoe would have stopped.

That would have shown a bit more effort on MBL's part to resolve the situation in a reasonable manner, not get someone angry and then in turn get his entire community pissed at your service. I'm sure you are well aware of Shoe's following, and one post from Shoe can certainly cause a lot of grief, or a lot of happiness.

Right now, MBL is between a rock and a hard place - leaving him banned, you are pissing off a lot of people and losing your evangelists. But putting him back in would not bode well for your ToS.

Perhaps some kind of middle ground could be found. If Jeremy posted an apology - not for exposing the exploit, but for posting that data, after the exploit was fixed, would that suffice?

I've met Jeremy, and I really find it hard to believe that he meant any kind of harm. I just think this is a bit harsh, but still can understand why your team did what they did.

Thanks again Eric!

Li --

Here's the thing. We *did* reach out to Shoe. Every time he posted a hack we thanked him in his comments for pointing out a vulnerability.

Then a couple days before this was posted, Scott Rafer emailed him and said, basically, "dude, I understand you're pissed at Jeremy Zawodny and so be it. But keep in mind that he's not part of the team and it's still just us five guys bangin away. We've had a good relationship with you and we would just appreciate a heads up before you post your next exploit."

And then he posted this.

(I had previously omitted the previous info because I was unable to get in touch with Rafer last night to request permission to discuss his email exchange.)
