[Cialug] Security on social networking sites

Nathan Stien nathanism at gmail.com
Wed Mar 28 09:23:47 CDT 2007


On 3/28/07, Josh More <morej at alliancetechnologies.net> wrote:
> It's a classic example of gluing security on afterwards.  Flickr has
> some great security concepts in their API, but it's another of those
> "hard outside, soft inside" models, where once you get in, you can do
> anything you wish.

Do you (or any other cialuggers) have any good ideas on what they
could do to make it "hard outside, hard inside" without sacrificing
usability for non-technical people?

A first step seems like you could just scan links in incoming content
for ".exe".  I've seen a few poorly designed (IMHO) CGI systems that
expose ".exe" in the URL, though, which would be broken by this.  A
more resource-intensive method might be to actually connect to the
server and get a mime type for the content.  This might grab people
who try to use redirects (e.g. tinyurl), but I imagine the cost of
checking every single href in every comment post might be prohibitive.
Thoughts?

Presumably Flickr are already doing some kind of checking for this
after the fact, since they were on the ball enough to eventually
delete the offending comment from your post.

-- 
Nathan P. Stien
Consulting Engineer / Software Developer
Embedded Systems Electronics and Software
http://linkedin.com/in/nathanstien
Mobile: 309.241.2581
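The two checks proposed above, side by side, as an added example that is not part of the original post or of anything Flickr runs: a cheap ".exe" path test that trips on CGI-style URLs, and a costlier redirect-following content-type test that catches a tinyurl-style hop. The sample comment, the fake_fetch() stand-in for a HEAD request and the executable media-type list are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed comment HTML: a direct .exe link, a redirector, and a legacy CGI ".exe" page.
SAMPLE_COMMENT = (
    '<p>Nice shot! Full size <a href="http://evil.example/dl/photo.exe">here</a>, '
    'or via <a href="http://tinyurl.example/abc">short link</a>. '
    'Compare <a href="http://legacy.example/cgi-bin/gallery.exe?id=42">my gallery</a>.</p>'
)
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
# Assumed set of media types to treat as Windows executables.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program"}

# Constructed stand-in for a real HEAD request: url -> (status, headers).
FAKE_RESPONSES = {
    "http://evil.example/dl/photo.exe": (200, {"content-type": "application/x-msdownload"}),
    "http://tinyurl.example/abc": (302, {"location": "http://evil.example/dl/photo.exe"}),
    "http://legacy.example/cgi-bin/gallery.exe?id=42": (200, {"content-type": "text/html; charset=utf-8"}),
}

def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, {}))

def extract_hrefs(html):
    return HREF_RE.findall(html)

def classify_by_extension(url):
    """Cheap check: block if the URL path ends in .exe (also trips on CGI .exe handlers)."""
    return "block" if urlparse(url).path.lower().endswith(".exe") else "allow"

def final_content_type(url, fetch, max_hops=5):
    """Follow redirects through fetch() and return the final media type, or None."""
    seen = set()
    for _ in range(max_hops):
        if url in seen:          # redirect loop
            return None
        seen.add(url)
        status, headers = fetch(url)
        location = headers.get("location")
        if status in (301, 302, 303, 307, 308) and location:
            url = location
            continue
        return headers.get("content-type", "").split(";")[0].strip().lower() or None
    return None                  # too many hops

def classify_by_mime(url, fetch):
    """Costlier check: resolve redirects, then block on an executable media type."""
    return "block" if final_content_type(url, fetch) in EXECUTABLE_TYPES else "allow"

def scan_comment(html, fetch):
    """Map every href in a comment to (extension verdict, mime verdict)."""
    return {u: (classify_by_extension(u), classify_by_mime(u, fetch)) for u in extract_hrefs(html)}

if __name__ == "__main__":
    for url, (ext, mime) in scan_comment(SAMPLE_COMMENT, fake_fetch).items():
        print(f"{url}\n  extension check: {ext}   mime check: {mime}")
```

Running it shows the trade-off from the post: the extension check blocks the harmless CGI gallery and misses the redirector, while the MIME check gets both right at the price of one request per hop.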