How Trustworthy are Blogs?


As we strive towards enabling Trustworthy Computing I was thinking recently about how trustworthy blogs are as a new communication medium. For reasons blogs.msdn.com readers can discover on their own, I’ll call it “The moo Effect” that stirred an internal discussion amongst MS bloggers on the subject. Cutting to the chase, I propose that blogs are not currently a trustworthy medium. In most implementations blogs suffer from the same problems that have plagued technologies such as e-mail, forums, and newsgroups, and new problems have been creeping up as well. At this stage of software development maturity it is incredibly important not to leave secure computing out of the picture when you are developing a new form of social computing interaction. Doing so will hold back mainstream adoption. Here is my breakdown of the problems.


SPAM: I’m sure there have been a lot of discussions on the topic, but the open nature of most blog comment entry systems enables spam without recourse. To date the effects of this exposure have been limited. I have seen only a few blogs with ads for porn sites posted in the comments along with generic statements like “I love what you have to say, visit my site and …”. Now imagine a world where blogging and blog reading start to impact a measurable percentage of internet users and the government starts cracking down on telemarketing and e-mail spam. These “advertisers” aren’t going to simply give up and go home. They are going to look for new markets to pollute, and at this rate we are going to hand them a great one.


Trustworthy Information: Every blogger loves seeing what interesting Google searches lead hapless web travelers to their blogs. To use myself as a small example: if you search for “jimmy fund red sox” (no quotes) in Google you are likely to see my blog occupy a spot in the top ten simply because of this post and the way the social network created by blogs fools the search engine. In this case I believe I’ve polluted the search results with information that is not what the person was looking for. I can’t imagine the countless “innocent” searches that must land tons of non-technical web travelers in the world of Scoble, let alone their reactions once they get there. This one is double-edged of course, since I do think it’s potentially helpful that when someone has a question about “devenv.xml” they will most likely find my entry that details how this file is used by VS.NET. Regardless of whether this is a problem with blogs or with the search engines, the end public perception could be “Damn, I landed on another one of those stupid online geek diary sites that didn’t help me.”


Identity: How do I know person X is really person X in all cases, with the aggregation and redistribution of countless XML feeds now moving around the web? I haven’t read about it yet, but it wouldn’t be that hard to steal someone’s blogging identity and redistribute their feeds with alternate content. It would be much easier than spoofing an IP address, and harder to detect that you’ve made a mistake than simply misspelling a URL in your web browser. How do you know you are reading the true Scoble feed? When I searched to subscribe it seemed there was certainly more than one location offering this content and, as a user, I could have picked the wrong one.


Anonymous Cowards: The term was made famous by Slashdot as far as I can tell. At least there I can filter out these people and they are appropriately branded. :) Currently anyone can leave a comment in my blog without being verified at any level. Some would argue that the anonymity enables commentary by those who may not otherwise have shared their useful views. I would call for both. I do want to encourage ease of use in order to gain feedback, but I don’t want a world where someone can spam a bunch of blogs with offensive remarks that add no value under the protection of anonymity, or potentially pretend to be someone else to harm their reputation. Which leads me to…


Reputation: How do I know I can trust information coming from person X? This is really no different from the problem of knowing whether or not you can trust information from web site Y. However, the new (much needed) move towards simpler publishing mechanisms that blogging represents enables even more people to create misleading content without moderation. Of course the argument could be “If you don’t like it, don’t subscribe; subscribe to sources you trust.” But how do I make sure I can find the good stuff? What posts are the best ones to read? There is no agreed-upon content/user rating system like the ones you might find in most new web forum implementations.


I’m sure there are other problems that security experts could point out that need addressing, but these were the ones that have been on my mind today that I wanted to share. Please don’t read this as an article against blogging. I love what the phenomenon has enabled me and thousands of others to do. I just know that the world is setting expected security standards higher every day, and not paying attention to these problems now will only set us up for the same problems we’ve seen historically with every other ground-breaking, communications-enabling technology that went too long without a care for security. And this time users won’t accept simply “Hey, look, this new thing is cool” without asking “Is it trustworthy?”


josh

Comments (15)

  1. J.P. Stewart says:

    This is a great topic, first of all. But some of these questions have been asked and answered before. I firmly believe that this will probably continue for just about any new technology that we come up with as humans as well, but from my point of view I think it’s also important to keep some of the past solutions in mind:

    SPAM: Whenever you have a large system (or systems) that can inter-communicate and people are reading, SPAM will surely appear in some form. But at the same time, technology can be used against spam as well. Shared blacklists for IP addresses especially are important, so that when spamming from a particular location is detected, then everyone else on that blacklist is detected too. Specifically for blogs though, there are some plugins that have been written for Movable Type that are supposed to detect and prevent these types of comments. And then there is using a comment service, which would hopefully have this protection. Please also see the answers for the next two sections for solutions as well.

    Trustworthy Information: This is a good topic. Especially in blogs. ESPECIALLY in blogs written by people that may work for large software companies. ;) But I think your example goes off task a bit. In your example, I think that the largest problem is the Google blog effect. One thing that has been happening on Google lately, and there have been many many people blogging about this (including myself), is that the contents from all these blogs (which are very diverse in content, but sometimes just simply BIG on content) are being added to the Google search database, and while you might search for one thing, you can end up with 10s or 100s of entries on something different (and sometimes all on different topics, but just happening to contain the words you searched for). BUT, then there is the problem that we all know a limited amount. As much as we would like to know everything, we only know as much as is possible given the cross of our memory skills and our experience. That being said (assuming people are generally trustworthy … which comes further down) people say things as they see/know it, but that may not always be correct. So this is one of the biggest reasons (as I see it) that we are encouraged (cough) to put disclaimers on our blogs so that when we are wrong (and it happens) we can simply correct ourselves without having to worry about more than just maybe some embarrassment. Personally, I know that I always apply the salt filter to whatever I read online… er, actually I apply it to just about anything that I read in general (why I did not do so well in arts and sciences). The salt filter as I see it means to "take everything with a grain of salt". I have no idea where the saying comes from, but essentially (for those that may not know) it boils down to being "slightly" skeptical about everything and to call into suspect things that just don’t "seem" right.
    For example, when reading things from certain web publications I now expect certain levels of criticism by default, and only really get alarmed now when HEAVY criticism is given to MS over something.

    Identity: Well, this is the easiest one of all actually. It all comes down to trust. As it turns out the tech world has and uses a model for this on a daily basis. The certificate trust model is what allows you to know that when you connect to https://windowsupdate.microsoft.com you are actually talking to a microsoft.com server and not someone else. This is all based on the model that there is one (or more than one) authority that can hand out identities and "keys" that prove those identities. Because there are a set of default authorities in Windows, you can prove your identity to one of these authorities and receive a key (usually for a price). These are used for many things, from verifying the sender of an email, to verifying a server identity, to signing just about anything for verification later. Well, assuming this model still holds true (and every time you go to an https site and enter private information, you are making this assumption), then I could simply sign this comment if I wanted to (I tried but did not find any written apps and did not want to take the time to write the app myself), and the signature that I produced would theoretically be irreversible as well as uniquely tied to my key. It should also be known that in addition to this model I pointed out (which carries fees at almost every point) there is a free model called PGP (or at least parts are free from what I understand) which works on similar principles, but instead of having an authority, you simply validate others based on the content of messages and then add your signature to their key, so that in the future, others can see all the people that trust me when I sign something.

    Anonymous Cowards: Well, it seems like the first few sections above should be able to help out with that. But, if not, then you’re not the only one frustrated by this. In LiveJournal it’s possible to only allow registered users to be able to comment (that of course being an invite-only or paid system).

    This seems to (from my point of view) cut down on this in LiveJournal sites. Ahem, and no jeering from the audience that criticizes LJ users for not being technical enough. I see lots of LJ users that follow the same spirit as everyone else. They just have stuff to say. Sometimes what people have to say is technical… sometimes it’s not. Who are we to judge which is right or wrong. (/me steps down) Anyways, my point is that technology can solve this if you really want it.

    Reputation: There is no need for me to say anything here by this point. This is covered X times in all the other items above. But, basically: Salt Theory + Cert Identity is my proposed solution….

    J.P.
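    The signing model J.P. describes above, and the feed-spoofing problem from the Identity section of the post, in working code. This is an added example; it is not code from the post, from J.P.’s comment, or from any blogging tool of the period. It uses Ed25519 signatures as a stand-in for the certificate or PGP keys J.P. mentions (the verification principle is the same; how the subscriber obtained the key is out of scope), the author name "scoble" is a placeholder, and the keys are generated on the spot rather than issued by any authority. The subscriber pins one public key per author; an entry is shown only if its signature verifies under the pinned key, so a re-syndicated copy with altered content, or an impostor who signs with their own key, is rejected regardless of which aggregator delivered it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// FeedEntry is a minimal stand-in for one item of a syndicated feed
// (the fields a reader cares about, not a real RSS/Atom schema).
type FeedEntry struct {
	Author string
	Title  string
	Body   string
}

// canonical returns the exact bytes that get signed. Each field is
// length-prefixed so that moving text between Title and Body, or
// changing the claimed author, changes the signed message.
func canonical(e FeedEntry) []byte {
	var out []byte
	for _, f := range []string{e.Author, e.Title, e.Body} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(out, n[:]...)
		out = append(out, f...)
	}
	return out
}

// SignEntry is what the author's publishing tool would do before the entry
// leaves the author's control. The signature is base64-encoded so it could
// travel inside the feed as an extra element next to the entry.
func SignEntry(priv ed25519.PrivateKey, e FeedEntry) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(e)))
}

// Reader holds the public keys a subscriber has pinned, one per author,
// much as a browser holds its trusted certificate authorities. Where a key
// came from (a certificate, a PGP keyserver, the author's site) is assumed
// to have been settled when the subscription was made.
type Reader struct {
	Trusted map[string]ed25519.PublicKey
}

// Accept decides whether to show an entry. It is true only if the subscriber
// has pinned a key for the claimed author AND the signature verifies under
// that key. Which aggregator delivered the entry does not matter.
func (r Reader) Accept(e FeedEntry, sigB64 string) bool {
	pub, ok := r.Trusted[e.Author]
	if !ok {
		return false // unknown author: nothing to verify against
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false // malformed signature element in the feed
	}
	return ed25519.Verify(pub, canonical(e), sig)
}

func main() {
	// Constructed sample: "scoble" is a placeholder author name and the
	// keys are freshly generated here, not obtained from any real authority.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reader := Reader{Trusted: map[string]ed25519.PublicKey{"scoble": pub}}

	entry := FeedEntry{Author: "scoble", Title: "On blogging", Body: "Blogs are great."}
	sig := SignEntry(priv, entry)
	fmt.Println("genuine entry accepted:", reader.Accept(entry, sig))

	// An aggregator that rewrites the body but forwards the original signature.
	tampered := entry
	tampered.Body = "Blogs are a waste of time."
	fmt.Println("altered body accepted:", reader.Accept(tampered, sig))

	// An impostor who claims the trusted author but signs with their own key.
	_, impostorPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := FeedEntry{Author: "scoble", Title: "Fake", Body: "I now hate blogs."}
	fmt.Println("impostor entry accepted:", reader.Accept(forged, SignEntry(impostorPriv, forged)))
}
```

    Run it with `go run`. What this does not solve is exactly the part J.P. points at: getting the author’s public key to the subscriber in a trustworthy way (a certificate authority or a PGP web of trust), and what to do when an author’s key is stolen. The length-prefixed canonical form matters too: signing a plain concatenation of the fields would let an attacker move text from the title into the body without invalidating the signature.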

  2. Josh,

    I made much the same comment on one of the blogs at weblogs.asp.net (where I also blog). The blogger in question had posted about the most recent security flaw (the ASN.1 flaw), and had included that post in the main feed for weblogs.asp.net.

    I suggested that a.) posting such a message to the main feed at weblogs.asp.net was probably not necessary, since most readers of the main feed are probably sufficiently tech-savvy to have other sources for the information, and b.) that it was not the responsibility of the person posting to disseminate this information, and most importantly, that c.) blogs are inherently unreliable as a source for security update information, because the person posting cannot be relied on to be as diligent about posting them as the "official" Microsoft communication channels for this information.

    Alas, the observations were not well-received, but then the same is often true of your well-meaning relative or co-worker who forwards every virus warning (hoax or not) in an attempt to "protect" you.

    If I can verify the identity of a given blogger, and they’re someone to be trusted on the issue, that goes a long way for me. But security warnings from your average Joe Blogger are not as useful in my mind.

  3. jledgard says:

    I’ve deleted a comment made by someone who misrepresented themselves as a Microsoft employee. The point of the post was to show that Microsoft Employees themselves cannot be trusted because all of our “internal memos” end up on the web as soon as they are sent out. This is, of course, true for larger company wide memos and I think that most of the people that send these mails probably know that they will end up public sooner or later. A more valid, interesting point, might have been what JP says that you have to take everything with your grain of salt.

  4. Ivana Vackoff [MSFT] says:

    You think I’m gonna use my real login alias on the internet? I don’t think so :D

    Next you want my BU so you can find it in headtrax. I don’t think so :P

  5. josh ledgard says:

    No, the irony of Ivana’s comment on this post is not lost on me.

  6. josh ledgard says:

    And, again, the reminder that Ivana does not work at Microsoft. She does, however, have a LOT of free time on her hands though.

  7. Androidi says:

    I have a few ideas of my own on the problems mentioned, but as I’m not very familiar with the current blogging system, I would like to know: if I write a comment on this old posting, will the author (you, Josh :) ) be able to notice new comments on old posts (perhaps if it’s already in the archive)? I guess this depends on the blog system used for postings?

    If anyone reads these new comments on old bloggings, then I’ll give you a penny of my thoughts..

  8. jledgard says:

    .TEXT sends me notification whenever someone comments in any post no matter how old. So… I’m listening.

    josh