Friday, July 05, 2013

Reiterating: Bypassing Blog Security




Some time ago someone at one of the less moderate "moderators" at a rather uncommon LDS blog became perturbed at my participation in the discussion, and activated whatever lame mechanism they use to try to block people they don't agree with from participating. Why did I care? I wasn't aware that I did until I found that the blog did not even prompt me for a comment any more.


Well, it turns out that this blog and most others use a software black box called Akismet that supposedly filters out unwanted stuff. It is supposed to keep spammers from cluttering up the place.  It works just fine for preventing spam.


I decided that anyone rude enough to presume to cut me off deserved more-or-less equal treatment. So I started researching the Akismet machine to figure out how to bypass the security measures.

According to the authors of the software, it is supposed to be very smart. As far as I can tell, it isn't. Akismet just tries to associate comments with a list of IP addresses and other possible junk commonly associated with spammers.


I have known for some time of software servers that anonymize the IP address of a web browser session. So, being the persistent bother that I am, I experimented until I could post again.

After I had accomplished that rather unremarkable feat, I was nonplussed to realize that I had absolutely nothing to say. So I decided to study more about Akismet.

This defense mechanism reminds me of the Star Trek phaser dilemma when attacking the Borg defenses.



Phasers could only penetrate their shields on the first few tries. After that, the Borg shifted the frequency of their shields to restore attenuation.

Blog operators only have a few parameters they can use to check incoming traffic against known spam offenders. This approach doesn't work at all against those who know how to shift the values of those parameters. It is effective against spam only because the spammers are mostly mindless automatons exploiting easy undefended targets.


I suppose most network users do not have much idea what an IP address signifies, let alone how to manipulate it. To put it simply, IP addresses are assigned by software, and can be easily changed or manipulated by software. Internet users with a bit of technical savvy and ambition can easily switch IP numbers and other software parameters. And for every more sophisticated technique of tracking addresses, there are even more elaborate schemes to conceal them.


My web browser volunteers personal information to web pages I interact with. I have no obligation to surrender this data, nor do I see anything unethical about refusing to freely hand over everything arbitrarily demanded. When blog operators use my voluntary compliance as a weapon against me, they forfeit my willing cooperation. The blog security structure is based entirely on voluntary compliance. I become an advocate for freedom from oppression.  Unless they resort to a closed system that only allows comments from established, trusted sources, blog operators cannot do much to block anonymous comments.



Not only that, but I strongly suspect that this particularly uncommon blog and others like it absolutely depend on anonymity to even operate at all. Many LDS Internet users who tend to waver on the lunatic fringe have grown noticeably paranoid about someone taking note of what they say in open forums. And rightly so, I suppose. Ironically, I suspect many of those with such concerns do not exactly subscribe to the principle of uncommon consent. They want free license to criticize the Church and speak evil of the brethren without suffering any consequence. This uncommon blog is not about to jeopardize the mechanism that affords naysayers a forum in which to offer criticism without disclosing their identity.



Also an interesting phenomenon observed in this context - on another similar blog, after some supposedly anonymous person had left behind a stinking deposit of obscene comments on my blog, I happened to make casual mention of the fact that "anonymous" comments on the Internet are not really anonymous, and are in fact rather easy for a technically-minded blogger to track to their origin.  Most gratuitously, the obscene comments ceased.  Good thing, too - it was starting to draw flies. :-)




I recently renewed my attempts to participate on the uncommon blog.  They didn't seem to want to bother blocking me again, just deleted some of my comments that someone apparently found alarming, or took exception to.  The mental gymnastics some will go to in trying to protect the sanctity of the domain they have staked out for themselves is just amazing to me - worth every effort to defy their devious "moderation", for the entertainment value alone.

I think it would be most interesting to know just how incoherent the casual hackers who read this post find it.

Thanks for all the fish.

5 comments:

Dennis said...

Interesting. Reminds me of the news article re "US Vulnerability DB" being hacked, then reading that the DB was hosted on a Windows server. (!) Well, duh... Shows you that idiots come in all shapes and sizes, and "security" on the Internet is a pretty relative term.

Jim Cobabe said...

Dennis, I don't think any of my relatives have the slightest clue about Internet security, any more than most other users.

Dennis said...

Ha! I'm convinced that some of my relatives are from another planet, so I don't even bother trying to explain to them what I do for a living anymore... They also never get my jokes and references to Monty Python, or Hitchhikers Guide, or Army of Darkness... Oh, well.

Jim Cobabe said...

I guess I don't have it all that bad. My son is a technogeek for the US Army. And my nephew quotes "Dr. Who" from memory.

William Braylen said...

As the manager for a think container which functions on the internet, I've come to the understanding that I like genuine analysis much more than people who come up with a speculation or concept, and then run around searching up information, and analysis to back up their concept. It's as if they run around trying to confirm themselves right, and basically neglect the information which reveals they are wrong, and begin record all the resources, and analysis which facilitates their concept. We can't properly do technology this way, and we have a serious issue when we several that strategy with governmental plans Persistently bothers