By Annalee Newitz
LAST WEEK at infamous computer-security conference Black Hat in Las Vegas, Bob Auger announced what should have already been obvious: Reading blogs isn't safe. Auger, a security engineer with SPI Labs, quietly revealed (www.spidynamics.com/assets/documents/HackingFeeds.pdf) that the mere act of checking out somebody's RSS feed might allow bad guys to steal money from your bank account, post web spam from your computer and snoop on everything you've written anonymously in that online porn community you secretly visit.
This is the dark side of all that free speech enabled by webish technologies, and it doesn't crush free speech in the usual way. Generally, free expression advocates worry about how businesses and governments censor the confessional, unedited style of bloggers. And they're right to be concerned. People posting personal rants have gotten fired for writing mean things about their bosses and sued for criticizing litigious maniacs. But these bloggers, who are punished for what they say, are receiving traditional retributions for speaking openly. They say bad things about someone or some corporate entity, and that person or entity smacks them down.
But as Auger and other researchers demonstrated at Black Hat, we're about to see a new threat to free expression. Massive groups of people will be punished not for what they say online but for using particular tools to say it. Auger researched several popular RSS readers—programs used to pull blog content onto your computer—including Bloglines, RSS Reader, Feed Demon and Sharp Reader. He discovered that many of these readers could be turned into delivery systems for malicious code designed to convert computers into spam generators or worse.
Although many web programs are partly protected against these kinds of attacks, blog readers tend not to be. Known generally as "cross-site scripting" and "cross-site request forgery," these attacks work by covertly moving data from one location to another. Sometimes, as Auger pointed out, this could mean everything you type into your banking website will get reposted elsewhere, thus allowing the bad guys to read your passwords and have fun with your money.
Even worse, blogs can spread their malicious code as quickly as they spread news. If I were a bad guy and wanted to steal a bunch of passwords, I would hide some malicious code inside a comment on a popular blog. Then, as soon as your reader downloaded that comment, you'd be infected. Or I would start a blog that sounded particularly interesting (or pornographic), tempt a bunch of people into subscribing to my feed and inject naughty code into their computers that way.
Things get really bad when you consider how many people automatically repost other people's feeds onto their own blogs in a "What I'm reading" section or something like that. People who inject nasty code into blog feeds are using the web's fastest free-speech engine to wreck havoc—and in the process, they could undermine free speech itself.
Feed injection poses a whole new set of problems for people who want to promote free expression. We're dealing with a mechanism of censorship that isn't even aware of itself as such. People who do these hacks may not have our best interests in mind—they are trying to lie, cheat and steal—but as an unintended consequence, they may choke off a powerful avenue of open communication.
If people begin to associate using blogs and feeds with being spied on, the less likely they are to read them. Government and business couldn't have asked for a better self-censorship catalyst. Speaking out, no matter what you say, will turn you into a victim. Luckily, there are fixes for the speech-stopping problems that Auger found—just as there are legal and social remedies for traditional forms of censorship. After talking with Auger, developers at Bloglines fixed many of the bugs he pointed out to them. Other vendors are working on fixing them, too. Also, a lot of cross-site scripting and cross-site referral forgery attacks are well known in other software programs and already have widely available fixes. So people making feed readers simply need to start thinking about security issues and using these fixes when they release the next version of their software.
As ever, what the geeks at Black Hat remind us is that free speech isn't just a matter of political freedom—it's also about technical freedom. Our ability to communicate openly will suffer if we aren't allowed to explore, reverse-engineer and even break the devices we use to talk to each other. Getting your message out means being prepared to defend yourself ideologically—and digitally too.
Annalee Newitz ([email protected])
Send a letter to the editor about this story.