Jeremy Shoemaker aka "Shoemoney" has been banned from MyBlogLog. Now, you all are probably sitting here wondering "how the heck did that happen?"
Jeremy quite frequently posts about MyBlogLog security flaws; ever since someone grabbed his identity on MyBlogLog back in December, he's been posting about issues with MBL. To be fair, he's pointed out the issues, but he's also helped to promote MBL - especially among his user base.
Yesterday, Jeremy pointed out a security flaw that allowed people to surf blogs as other MyBlogLog users. According to MyBlogLog, pointing out the security flaw would have been just fine, but Jeremy also included data in the post that gave away other users' ID numbers in the MBL system, and apparently that's what has MBL quite upset - enough to ban him.
Andy Beal has now taken the stance that he's removing the MBL code that runs their popular widget from Marketing Pilgrim and boycotting MyBlogLog until it reinstates Jeremy's account. It's true that this information is readily available if you read the cookie's information, and in a sense that's publicly available. However, I wonder if Jeremy first got permission from the users on the list to post that information (and I do have an email out to Shoe with this question). I ask this because with blogging and notoriety comes a bit of integrity and due diligence one should think about before posting information like that.
If Shoe had the permission of Andy, Barry, Danny and the others on the list, then MBL needs to back off and reinstate him, and I would join Andy in the boycott. However, if the permission wasn't sought, then in my opinion MyBlogLog does have a point, especially considering how popular Shoe's blog is. But even if they have a point, banning is a bit harsh or extreme and makes MBL look like "jerks", and considering how far Shoe's blog reaches, it could come back to bite MBL in the butt.
I'm going to hold my judgment on this till all the facts come shuffling in. Eric from MBL has commented on Andy's post about his boycott, but that comment still doesn't answer my question. It will also be interesting to see how many of Shoe's readers will take up the cause. I'll update this post if I hear back from Shoe.
- I've heard from Shoe. No permission was sought when posting the IDs.
- The IDs came from the avatars, not the cookies. But you had to modify your cookie in order to surf as someone else.
- That security hole was plugged before Shoe posted the personal data.
- Eric of MBL posted in the comments below; he asked for my opinion on how they could not be seen as jerks. Why don't you all contribute to the convo? :)
So some reflection - I'm not going to pull my MBL code, because Shoe didn't first drop a simple note to anyone whose data he posted and say "hey, can I do this, do you mind?" Don't take this as total support for MBL, though. MBL has demonstrated an itchy trigger finger here - Eric and his team could have dropped a quick email or post to Jeremy, asking him to stop or they'd pull him. The blogosphere is about communication and engaging in conversation - MBL should know that, since they have a service that caters to the blogging community.
Again, it's not about posting the exploit, it's about the data, and the fact that the hole was plugged before Shoe posted the information. But Shoe's an intelligent and understanding person - had MBL asked, I'm sure he would have respected MBL's request.
I've suggested a middle ground in my response to Eric; perhaps this is a solution everyone could live with that would bring everyone back to the same ground. What are your opinions?