DISQUS

cdixon: Information security – are we experiencing a Pax Romana?

  • freerobby · 1 month ago
    SPAM is an interesting case. I agree that it has mostly been mitigated as far as email is concerned, but it still plagues blogs and budding social web sites. Services like Akismet and TypePad provide some relief, but what they block feels marginal compared to what gets through. Ryan Bates' Railscasts blog has tutorials for setting up those services as well as things like Captcha. But despite using these tools on his own site, he often tweets about how much spam still finds its way through to his comments section.

    I work at oneforty.com, and we have seen the problem first hand. Lots of "people" have submitted spam-like reviews of Twitter apps along these lines:
    1) The review contains nothing except a link to the author's web site.
    2) "If you like this app you will love <some other app/url>"
    3) "Get cheap viagra cialis here", etc.

    Some of these -- notably #2 -- are difficult to detect. Nothing seems to catch them. But what is frustrating is that our tests with Akismet and TypePad almost always fail with #1, and usually fail with #3! In fact the comment "cheap viagra http://cheapviagra.com" did not get caught by Akismet in our tests (interestingly, it did work when we omitted the URL). We have a home-brewed solution that helps with #1 and #3, but it's not perfect. And more importantly, we want to spend our time building our web site, not anti-spam tools.

    There's a final category that we have to deal with, which we call "crap content." This consists of the useless and unhelpful submissions we receive that don't quite fall under the "spam" umbrella. For instance, we have received hundreds of reviews that consist of a single word: "wow!!!", "nice", "hi", "whoa". Even more along the lines of "cool app" or "I like it." Even if this is not spam by definition, it reflects very poorly on us if a user comes to our site and this is what he or she sees in the reviews section.

    So if the security industry is experiencing a Pax Romana of sorts, perhaps they could lend their talents to this area. If they build it, we'll gladly buy it. :-)
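A first-pass classifier for the four categories this comment describes (link-only, cross-promotion, pharma keywords, and "crap content"), as an added example that is not oneforty's home-brewed filter; the regexes, keyword list and three-word threshold are assumed heuristics:

```python
import re

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)
# Category 2 is the hard one; this only catches the literal "you will love X" pattern.
PROMO_RE = re.compile(r"\b(you(?:'ll| will) love|also try|check out)\b", re.I)
PHARMA_TERMS = ("viagra", "cialis", "levitra")
# Words that carry no review content on their own (assumed list).
FILLER = {"wow", "nice", "hi", "whoa", "cool", "app", "i", "like", "it", "great", "good"}


def classify_review(text: str) -> str:
    """Return one of LINK_ONLY, PHARMA, CROSS_PROMO, LOW_CONTENT or OK."""
    urls = URL_RE.findall(text)
    body = URL_RE.sub(" ", text)
    words = re.findall(r"[a-z']+", body.lower())
    # 1) nothing but a link (plus, at most, punctuation)
    if urls and not words:
        return "LINK_ONLY"
    # 3) pharma keywords: scan the URLs too, so "cheap viagra http://cheapviagra.com"
    #    is caught by the hostname even if the prose alone slipped past.
    haystack = " ".join(words + [u.lower() for u in urls])
    if any(term in haystack for term in PHARMA_TERMS):
        return "PHARMA"
    # 2) cross-promotion phrase pointing the reader somewhere else
    if PROMO_RE.search(body):
        return "CROSS_PROMO"
    # "crap content": too few non-filler words to say anything about the app
    content = [w for w in words if w not in FILLER]
    if len(content) < 3:
        return "LOW_CONTENT"
    return "OK"


def triage(reviews):
    """Map each review to its label so a moderation queue can be built from it."""
    return {r: classify_review(r) for r in reviews}


# Constructed sample reviews, one per category plus a genuine one.
SAMPLE_REVIEWS = [
    "http://example.com/",
    "If you like this app you will love TweetBlaster http://example.com",
    "cheap viagra http://cheapviagra.com",
    "wow!!!",
    "I like it",
    "Lets me schedule tweets for later and the analytics are handy.",
]

if __name__ == "__main__":
    for review, label in triage(SAMPLE_REVIEWS).items():
        print(f"{label:12} {review}")
```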
  • fredwilson · 1 month ago
    do you think social media and the fact that the web has given end users more power has anything to do with this?
  • chris dixon · 1 month ago
    Hmm, interesting question. I think inasmuch as Twitter and Facebook are replacing things like email that is good. SMTP is an antiquated protocol where you can basically fake anything. Twitter's opt-in asymmetric following model makes spamming basically impossible (DMs excepted, but those aren't really core). Facebook's opt-in friend model has a similar effect.

    I would also think richer AJAX web apps replacing the need for downloads helps a lot since the browser has a pretty good security model (certainly much better than Windows).

    One thing I think you could argue is that security threats have moved higher "up the stack" along with most other interesting innovation on the web. Instead of the threat being people breaking into your computer, it's more about the online pharmacy site not being legitimate. That was part of the thesis of SiteAdvisor and I think the trend has only gotten greater.
  • fredwilson · 1 month ago
    i was also talking about users telling each other about scams as fast as they happen
  • chris dixon · 1 month ago
    I could be way off on this, but my intuition is the people telling each other about scams via social media are not the people most in need of being told about scams.
  • fredwilson · 1 month ago
    true
  • David Semeria · 1 month ago
    I think there is an inevitable tension between security and functionality, especially in web apps.

    For example, the "single site rule" was created to plug cross-domain scripting attacks, but developers are actively trying to find ways around it so as to make their applications be able to dialog with multiple data sources.
  • chris dixon · 1 month ago
    Definitely. Always tension between security and functionality.
  • mcichows · 1 month ago
    It almost feels like the calm before the storm on the consumer side, particularly in mobile. No doubt that will be a big time target by the bad guys. On the enterprise and govt side, I would say the state of affairs is pretty bad and attacks are getting much worse in both size and severity, but we haven't been hearing much about it. What scares me are initiatives like smart grid where new devices are coming online, and the effects of hackers could be devastating (e.g. shutting off your electricity). Perhaps, the good news is that there will be plenty of opportunity for startups b/c we know the bad guys won't be resting any time soon.
  • Dave Blanchard · 1 month ago
    Not sure if you're seeing the 60 Minutes tonight but it sounds like the gov't is certainly not experiencing Pax Romana. I don't keep up on this stuff, but I was surprised at some of the examples they shared (hackers staying in war systems for multiple days, Brazil going black, etc).
  • chris dixon · 1 month ago
    Didn't see it. I'm always skeptical of MSM coverage of computer security - at least in my experience it's almost always wrong. That said, I should see this episode before commenting on it :)
  • jeremystein · 1 month ago
    from what i can see, the threat has shifted from consumers to companies. every social media company deals with spam, abusive behavior, chargebacks, etc, on a daily basis. much of this does not trickle down to the user. imho, there is a larger opportunity to build moderation infrastructure to help companies deal with the human problem.
  • chris dixon · 1 month ago
    That's a good point. I've heard similar things from social media sites.
  • jeremystein · 1 month ago
    I meant to disclose above that I am biased because I am working on something in this area.

    I have experienced this first hand. There was a long period of time at stocktwits where I was dedicating 50% of my day to spam.