Mr

by Jim West Friday, Dec. 06, 2002 at 6:22 PM

A possible opportunity for someone to cause Little Green Footballs some grief. Copy of posting to LGF site under "Got another One"

Totally off topic but pretty interesting for anyone posting at LGF and interested in PRIVACY and LAWSUITS.

First of all, my sincerest thanks to h-man for explaining how you could ascertain my nationality from my postings (and #82 as well). I admit I would never have guessed it or looked for it in a million years.

There I was entertaining a bit of a conspiracy theory about some asshole actually having access to the LGF server, and using REMOTE_ADDR to get the IP address, then running that through one of those "use the IP address to get the country" services. But h-man was implying that the "professional" web designers at LGF would be so negligent as to post the email address given back into the generated HTML.

Surely not, I thought. Surely the email address was for LGF's use, so they could check that you were a real person, with a real email address, and maybe so that they personally could fire a little warning shot over the bow if the postings got too OTT. I mean, if its real intended purpose was so that anyone could contact you, surely it would be posted visibly below the main body of your posting, so you knew the deal. I mean, what would be the point of slightly hiding the email address, so that the casual user didn't suspect that it was public knowledge for any semi-technically literate wannabe geek with too much time on his hands, right?

But no, h-man was right. There it is, directly readable for anyone who can hit View then Source. I was staggered at such an obvious oversight, and was about to write to LGF to complain, but first I did a bit more checking. I mean, there was a legitimate use to which they were putting the email address, e.g. checking that the posters actually had email addresses and could be contacted. But no! Put in a totally bogus email address, and it works just fine. Just check it out here in the source code under jimwest@totally.bogusadd.com. Things just kept looking weirder.
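The leak described above, as an added example (not code from the post or from LGF's site): a comment renderer that writes the supplied address into the generated HTML beside one that keeps it server-side, plus the view-source scan a site operator would run to catch the leak before deploying. The post data is constructed.

```python
import html
import re

# Constructed sample submission: what the comment form on the site would send.
POST = {
    "author": "jimwest",
    "email": "jimwest@totally.bogusadd.com",   # never validated, never shown
    "body": "Totally off topic but <b>interesting</b>.",
}

# Matches email-shaped strings anywhere in text (comments, attributes, hidden inputs).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def render_leaky(post):
    """Weak rendering: the address the poster typed is dropped into the page
    as a hidden HTML comment, so it is invisible on screen but plain in the source."""
    return (f"<div class='post'><!-- {post['email']} -->"
            f"<b>{html.escape(post['author'])}</b>: {html.escape(post['body'])}</div>")


def render_safe(post):
    """Hardened rendering: the address stays in the server-side record; only the
    display name and the escaped body reach the HTML."""
    return (f"<div class='post'><b>{html.escape(post['author'])}</b>: "
            f"{html.escape(post['body'])}</div>")


def leaked_emails(page_html):
    """Audit check: every email-shaped string present in the served page.
    Run over rendered output; a non-empty result means an address is exposed."""
    return sorted(set(EMAIL_RE.findall(page_html)))


if __name__ == "__main__":
    print(leaked_emails(render_leaky(POST)))   # ['jimwest@totally.bogusadd.com']
    print(leaked_emails(render_safe(POST)))    # []
```

The scan finds the address in the leaky output even though a reader of the rendered page never sees it, which is exactly the gap between "hidden" and "private" that the post is complaining about.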

Of course, it had dawned on me by then that I should check my email, and sure enough a couple of semi-techno pin-dicks (or one semi-techno pin-dick with 2 accounts), with a deep commitment to free speech as long as it is theirs, were already launching mass hate-mail (although it looks like the useless fuckers are actually sitting there clicking away at a send button. Never mind, I suspect more high-tech attacks are to come).

Oh well, I fucked up, I trusted LGF. Serves me right, the email address is voluntary, etc, etc. I'm sure I've got h-man's sympathy at this point. (Yeah, fuck you too).

By this point I was sufficiently pissed off to start thinking conspiracies yet again, but I now discount that idea again. I simply can't believe anybody sufficiently devious to do this with malicious intent would be stupid enough not to see the following scenarios:

1) The system would be used (misused) exactly as it is being used against me, and without serving a useful purpose that I can discern. After all, if people are intending for their email addresses to be publicly posted on such a controversial site, wouldn't LGF display it below the post? Admittedly, this scenario is not too important, as most of the targeted couldn't really give a shit, and aren't going to expend much energy in retaliation.

2) That on such a controversial site, the facility could easily be used as follows: Small business A doesn't like its competitor, B, and decides to attempt to compromise said competitor's email ordering side. Business A goes to the LGF site and makes highly controversial posts, guaranteed to attract a flood of hate mail and other garbage. Wily Business A uses the competitor's email address. This is a more serious scenario.

3) Enterprising young lawyer, motivated by greed, actively encourages and colludes in the scenario outlined in 2) above, as a sham, with the ultimate aim of all getting to share in damages against LGF. It may not be motivated by greed. A rival site such as some of the lefty anti-war bloggers might be motivated by the same respect for freedom of speech demonstrated by some of LGF's own posters. This could be more serious for LGF.

These scenarios seem all too simple and open to exploitation; I'm sure there are flaws there. But I really would be intrigued to know the original intended purpose of the email field. I'd enjoy feedback from LGF posters (hell, I'm already getting plenty from the underemployed amongst you). I really think it's a "bug" that deserves immediate attention.