Log in

No account? Create an account

Previous Entry | Next Entry

A few days ago, I wrote about what appears to be a massive breach at Ning, a social networking platform that allows people to create their own niche social networking sites. The Ning security appears to be compromised, and the social networking sites they host are overrun with automated spam advertising links and redirectors to computer viruses--over a million of them, in fact.

As a good Internet citizen, I dropped an email to Ning alerting them to the problem. I've since received back what appears to be a stock form email in response:

Hi there,

Thanks for bringing this to our attention. As you may already know, Ning is a platform that enables individuals to build their own social networks. We aren't involved in the decisions relating to content uploaded or published by Network Creators or members. In addition, we aren't involved in the management of the social networks on our platform, or in any of the decisions relating to the focus of social networks created on our platform. That said, we'll look into this and take action if we determine that our Terms of Service have been violated.

Thanks again!
The Ning Team


I've checked, and the problem still exists. Google is delisting the virus redirectors pretty quickly, but they're being added even more quickly. Right now, Google shows about 600,000 virus redirectors on various Ning-hosted sites, with many more existing but not listed in Google.

It seems that Ning either does not understand or does not care about the scope of the problem they face.

In a way, I'm not surprised. iPower Web took over a year to fix their security when they were hit with a massive, ongoing server security breach, for example.

But it is disappointing. An executive at Verizon recently wrote an essay deriding security researchers who talk about security issues publicly as "narcissistic vulnerability pimps" who "solely for the purpose of self-glorification and self-gratification - harms business and society by irresponsibly disclosing information that makes things less secure."

But considering how poorly ISPs and software vendors tend to respond to security problems, and how cavalier they seem to be with the safeguarding of their users' data, it's hard to see this essay as anything more than the whining of a crybaby managers who would rather play Quake III Arena than take care of fixing gaping security holes in their systems.

Meantime, I still suggest that anyone hosted on Ning seek hosting elsewhere.


( 10 comments — Leave a comment )
Apr. 25th, 2010 02:48 pm (UTC)
What would happen if you were to Tweet at @ning?
Apr. 25th, 2010 04:00 pm (UTC)
You know, I actually did that when I published the first article. No response.
Apr. 25th, 2010 04:23 pm (UTC)
In the last month, Ning forced out their founder as CEO and laid off 40% of their staff, and within the next month or two they're going to be dumping all their free networks. My suspicion is that they're probably going to punt on this until after all the free sites are dumped, on the expectation that that's going to get rid of a lot of these.
Apr. 25th, 2010 09:14 pm (UTC)
Safe Harbor Protections
Speaking from a legal standpoint, the reason they may be doing this is because if they intervene, then they become responsible for the content of the site.

Leave it alone, they aren't responsible.
Fix one account and suddenly, they are responsible for fixing all of them.

I'm not a lawyer, but from the bit of research I did on this topic (quite in-depth actually), the above holds true. Their best course of action legally is not to fix any accounts.
(Deleted comment)
Apr. 26th, 2010 02:48 pm (UTC)
Re: Safe Harbor Protections
I think the case has been made that since you are proving you CAN police the site by fixing one issue with a clients upload, you can fix them all.

It's like Craigslist. It can't actively remove all the illegal ads, so it takes the stance that it can't (which really, they can't). They then shouldn't be blamed for what the users does (aka, the "Steve Dallas Legal Defense" {http://www.techdirt.com/articles/20040604/2047248.shtml}).

But if they prove they can fix one account, well then, they are responsible for all of them because clearly, they CAN fix it and therefore should (no matter how much it costs).
Apr. 26th, 2010 05:04 pm (UTC)
Re: Safe Harbor Protections
It's my understanding that safe harbor protections don't apply to server security, and removing security holes or the effects of security holes does not constitute "editorial control" for the purpose of determining liability.

Case in point: Network Solutions recently had a massive security breach that exposed the raw contents of files on their servers. Someone wrote a tool to penetrate their servers and scour for WordPress configuration files. They then used these configuration files to penetrate all the databases of all the WordPress installs hosted by Network Solutions and plant malicious redirectors to computer viruses. Network Solutions has removed the virus redirectors but is still a safe harbor; removing the redirectors doesn't breach their safe harbor protections.
Apr. 26th, 2010 05:10 pm (UTC)
Re: Safe Harbor Protections
The difference there is that Network Solutions removed the redirectors that were placed in their system not by an account, but by a hack. If those same hackers got an account and put up a webpage with them and they fixed it that way, yes. They would lose their safe harbors.

One came from a hack, the other came from a signed up user with a webpage.
Apr. 26th, 2010 05:16 pm (UTC)
Re: Safe Harbor Protections
The million or so Ning viral redirectors appear to have been placed by an automated bot program that has broken the Ning CAPTCHA and is autmatically signing up for hundreds of thousands of phony accounts. That seems rather like a hack to me...
Apr. 26th, 2010 05:19 pm (UTC)
Re: Safe Harbor Protections
Fair enough. Like I mentioned before, I'm not a lawyer, so I don't know what case you are referring to and don't know the fine details of law. :)

But Ning is still probably taking the best course of action. Even from a money standpoint. Why pay someone to fix it when they do not have to?
May. 11th, 2010 12:56 am (UTC)
Well, it seems a lot of people on Ning will have to look elsewhere anyway, given that they are shutting down their "free account model" and moving directly to a paying-only model. Wonder if they'll start to actually take things more seriously now?
( 10 comments — Leave a comment )