Shoemoney Banned from MyBlogLog, Andy Beal Boycotts MyBlogLog
Jeremy Shoemaker, aka "Shoemoney", has been banned from MyBlogLog. Now, you are all probably sitting here wondering, "how the heck did that happen?"
Jeremy posts about MyBlogLog security flaws quite frequently; ever since someone hijacked his identity on MyBlogLog back in December, he has been writing about issues with MBL. To be fair, he has pointed out the issues, but he has also helped to promote MBL - especially among his user base.
Yesterday, Jeremy pointed out a security flaw that allowed people to browse blogs while appearing as other MyBlogLog users. According to MyBlogLog, pointing out the security flaw would have been just fine, but Jeremy also included data in the post that gave away other users' ID numbers in the MBL system, and apparently that is what has MBL upset - enough to ban him.
Andy Beal has now taken the stance that he is removing the MBL widget code from Marketing Pilgrim and boycotting MyBlogLog until it reinstates Jeremy's account. It is true that this information is readily available to anyone who reads the cookie, and in that sense it is public. However, I wonder whether he got permission from the users on the list before posting that information (I have an email out to Shoe with this question). I ask because, with blogging and notoriety comes a bit of integrity and due diligence one should think about before posting information like that.
If Shoe had the permission of Andy, Barry, Danny and the others on the list, then MBL needs to back off and reinstate him, and I would join Andy in the boycott. However, if permission wasn't sought, then in my opinion MyBlogLog does have a point, especially considering how popular Shoe's blog is. But even if they have a point, banning is a bit harsh and makes MBL look like "jerks", and considering how far Shoe's blog reaches, it could come back to bite MBL.
I'm going to hold my judgment on this until all the facts come in. Eric from MBL has commented on Andy's post about the boycott, but that comment still doesn't answer my question. It will also be interesting to see how many of Shoe's readers take up the cause. I'll update this post if I hear back from Shoe.
UPDATES:
- I've heard from Shoe. No permission was sought when posting the IDs.
- The IDs came from the avatar image names, not the cookies. But you had to modify your own cookie in order to browse as someone else.
- That security hole was plugged before Shoe posted the personal data.
- Eric of MBL posted in the comments below; he asked for my opinion on how they could avoid being seen as jerks. Why don't you all contribute to the conversation? :)
So, some reflection - I'm not going to pull my MBL code, because Shoe didn't first drop a simple note to anyone whose data he posted and say "hey, can I do this, do you mind?" Don't take this as total support for MBL, though. MBL has demonstrated an itchy trigger finger here - Eric and his team could have sent a quick email or post to Jeremy, asking him to stop or they'd pull him. The blogosphere is about communication and engaging in conversation; MBL should know that, since they run a service that caters to the blogging community.
Again, it's not about posting the exploit, it's about the data, and the fact that the hole was plugged before Shoe posted the information. But Shoe is an intelligent and understanding person - had MBL asked, I'm sure he would have respected MBL's request.
I've suggested a middle ground in my response to Eric; perhaps it is a solution everyone could live with and would bring everyone back to common ground. What are your opinions?
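The updates above describe the flaw only in outline: account IDs were readable from avatar image names, and editing your own cookie was enough to browse as another user. The sketch below is an added illustration of that flaw class, not MyBlogLog's code; the cookie format, the user table, the avatar paths and the HMAC-signing fix are all assumptions made for the example. It puts a session cookie that carries a bare user ID beside one bound to a server-side HMAC, and shows why the second rejects the same edit.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical server secret; a real service loads this from configuration.
SECRET_KEY = secrets.token_bytes(32)

# Constructed user table. The avatar path embeds the numeric account id,
# which is the leak the post describes: anyone can read it off a page.
USERS = {
    "1001": {"name": "alice", "avatar": "/avatars/1001.jpg"},
    "1002": {"name": "bob", "avatar": "/avatars/1002.jpg"},
}


def user_id_from_avatar(avatar_url):
    """Recover the account id from an avatar image name such as /avatars/1002.jpg."""
    filename = urlparse(avatar_url).path.rsplit("/", 1)[-1]
    return filename.split(".", 1)[0]


def weak_session_user(cookie_value):
    """Vulnerable: the cookie is the bare user id, so the server trusts
    whatever the client sends. Editing the cookie is enough to become anyone."""
    return USERS.get(cookie_value)


def make_signed_cookie(user_id):
    """Hardened: bind the id to a server-side HMAC so client edits are detectable."""
    mac = hmac.new(SECRET_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def signed_session_user(cookie_value):
    """Reject any cookie whose MAC does not match the id it carries."""
    try:
        user_id, mac = cookie_value.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return USERS.get(user_id)


def impersonation_demo():
    """Alice harvests Bob's id from his avatar and rewrites her own cookie."""
    bob_id = user_id_from_avatar(USERS["1002"]["avatar"])

    # Weak scheme: Alice's cookie is just "1001"; swapping in Bob's id works.
    weak_result = weak_session_user(bob_id)

    # Signed scheme: Alice holds a valid cookie for herself, but splicing
    # Bob's id in front of her own MAC fails verification.
    alice_cookie = make_signed_cookie("1001")
    _, alice_mac = alice_cookie.rsplit(".", 1)
    forged_cookie = f"{bob_id}.{alice_mac}"
    signed_result = signed_session_user(forged_cookie)

    return {
        "harvested_id": bob_id,
        "weak_scheme_user": weak_result["name"] if weak_result else None,
        "signed_scheme_user": signed_result["name"] if signed_result else None,
        "alice_still_valid": signed_session_user(alice_cookie)["name"],
    }


if __name__ == "__main__":
    print(impersonation_demo())
```

Signing the id stops the cookie edit but does nothing about the id leak itself; if the avatar filename is the account number, it stays readable. An opaque, randomly generated session identifier looked up server-side, together with avatar names that are not derived from the account id, closes both halves of the problem the post describes.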

Li -- I can assure you that he did not get permission from either Scott Rafer or Jeremy Zawodny before posting their IDs. You can also tell from one of the early comments in the original "here's the hack" thread that at least one other account was posted without the owner's consultation.
As I have said in multiple places, he did not get banned for posting the exploit, he got banned for posting the data. And even that might have been forgivable if he hadn't updated the original post, which contained only three userIDs, to include eight more.
I'm simply not seeing where that act further increased anyone's security. Alternately phrased, how many userIDs should we have let him post before we could ban him without looking like a jerk? ;)
Looking forward to hearing any further thoughts you have on the subject.
Posted by: Eric Marcoullier | February 22, 2007 at 11:01 PM
Hey Eric - thanks for stopping by and posting.
I am in agreement with you - that posting the data was wrong. We, as bloggers, have a responsibility. I also emailed Jeremy and he confirmed that he did not have permission.
The blogosphere is all about communication, so in response to not looking like jerks, let me explain. As soon as you and your team discovered what he was doing, perhaps you could have emailed him or contacted him in some way - given him a deadline to cease and then pulled him from MBL if he didn't comply with the request to take down the data. Shoe's a pretty understanding guy, and he's intelligent - I'm sure if you expressed your concern about posting the personal data (even though naming avatar images as the persons' account number is pretty easy to discover, and a bad fault on MBL's part), Shoe would have stopped.
That would have shown a bit more effort on MBL's part to resolve the situation in a reasonable manner, not get someone angry and then in turn get his entire community pissed at your service. I'm sure you are well aware of Shoe's following, and one post from Shoe can certainly cause a lot of grief, or a lot of happiness.
Right now, MBL is between a rock and a hard place - leaving him banned, you are pissing off a lot of people and losing your evangelists. But putting him back in would not bode well for your ToS.
Perhaps some kind of middle ground could be found. If Jeremy posted an apology - not for exposing the exploit, but for posting that data after the exploit was fixed - would that suffice?
I've met Jeremy, and I really find it hard to believe that he meant any kind of harm. I just think this is a bit harsh, but I can still understand why your team did what they did.
Thanks again Eric!
Posted by: Li Evans | February 23, 2007 at 05:48 AM
Li --
Here's the thing. We *did* reach out to Shoe. Every time he posted a hack we thanked him in his comments for pointing out a vulnerability.
Then a couple of days before this was posted, Scott Rafer emailed him and said, basically, "dude, I understand you're pissed at Jeremy Zawodny and so be it. But keep in mind that he's not part of the team and it's still just us five guys bangin' away. We've had a good relationship with you and we would just appreciate a heads up before you post your next exploit."
And then he posted this.
(I had previously omitted this info because I was unable to get in touch with Rafer last night to request permission to discuss his email exchange.)
Posted by: Eric Marcoullier | February 23, 2007 at 09:52 AM