Free Web Hosting a Fount of Malware
daria42 writes "It looks as if free Web space services are increasingly being used to host spyware, with Internet security firm Websense claiming more of such dodgy material was found on free hosting services during the first two weeks of July than in May and June combined. "These fraudulent, free personal Web sites have an average lifespan of two to four days, making them difficult to trace," said an executive from the company."
It's not just fake hosting services with malware and other phishing scams. It's getting so that one gets suspicious of any kind of new service that crops up on the web. The other day, I got excited seeing this service that promised to turn my blog contents into a printed book. I tried it, but then got worried that it was a phishing scam. And cancelled my attempts to use the service. What does this mean for the promise of "web services" in general? More on the "blog into book" experience here: http://mp.blogs.com/mp/2005/07/s_11.html
Does anyone know how effective these schemes really are? Is there a study that measures how effective this is?
There are 11 types of people. Those who understand binary, those who don't and those who are sick of this lame joke.
I was wondering, how do these people typically register accounts with free web services? Our site was having a problem with comment spam, so a CAPTCHA test tends to do the trick basically all the time. On the other hand, I've also heard about defeating the test by starting a porn site and then taking the image and showing it to visitors and basically just having them type the right answer and they get to see 10 pictures or something. What we ended up doing was a word riddle, like "The quick brown fox jumped over the lazy ___s" or "3 + 5 = _" So if automated registering of these accounts is a problem, that's what I would suggest. Or you could surely just prohibit any files with a .bat or .exe or .whatever extension, and only allow .html, .gif, .jpg, .png, .wav, .txt, and a few more. I mean, if it's a free service, you get what you pay for. If you really need to host programs it shouldn't be too much trouble for you to buy something for $5/month. All in all this doesn't really seem like that outrageous of a problem.
Take off every sig. For great justice.
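An added example, not part of the comment above: one way a free host could enforce the extension allow-list that comment proposes, with a check of the leading bytes so that a renamed executable does not pass on its name alone. The function name `check_upload` and the sample inputs are assumptions made for illustration.

```python
import os

# Allow-list taken from the comment above (.html, .gif, .jpg, .png, .wav, .txt).
ALLOWED_EXTENSIONS = {".html", ".gif", ".jpg", ".png", ".wav", ".txt"}

# Leading bytes expected for the binary types; text types have no signature.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".wav": (b"RIFF",),
}


def check_upload(filename, head):
    """Return (accepted, reason) for a hypothetical upload hook.

    filename is the client-supplied name; head is the first bytes of the body.
    """
    # Drop any directory part the client sent, whichever separator it used.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or "\x00" in name:
        return False, "bad name"
    # Only the final extension counts, compared case-insensitively.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    # Windows executables start with "MZ" whatever the file is called.
    # (A text file that begins with "MZ" is rejected too; accepted trade-off.)
    if head[:2] == b"MZ":
        return False, "executable content"
    sigs = MAGIC.get(ext)
    if sigs and not head.startswith(sigs):
        return False, "content does not match extension"
    return True, "ok"
```

The name check alone would accept `setup.exe.jpg`; it is the content check that rejects it.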
The dilemma is... if they got rid of free hosting. Then only those who can afford $$ monthly hosting bills can host. It's tough to shoot for democracy when only people with money can have a voice online. Let's not tear down the tree and the whole neighborhood due to a couple bad apples.
They're also often used to host infringing files.
:) But don't blame me if they do, it was the Google representative who all but suggested that to me :P
I've seen some schemes where they encode the files several different ways, give it an incomprehensible name, and host each one on various free web hosts, then make you go through their voting and advertising scripts to get to the download file prompt.
Rather clever, actually. Illegal in any signatory to the Berne copyright convention, surely, but rather clever.
Another matter is that some of these hosts seem remiss to enforce their ToS. I've informed Google of many violations of their ToS on Blogger, and they've (in effect) told me to sod off because they don't actually intend to enforce it unless they feel like it. Apparently it takes a full DMCA notice or some other legal documents/subpoenas/etc. to actually get them to do a damn thing, and I just can't be arsed to register the copyrights and go through all the rigamarole to file one of those.
Then again, want to store something illegal? Blogger apparently doesn't give a damn about copyright infringement until you file a DMCA notice, so feel free to UUEncode whatever you damn well please and put it on your blog
I read that and at first glance thought it was a typo. But it's true that you don't see that word much. "It is a fount and or plethora of ..."
My humor is probably your flamebait
I'd say that the gov't should make these companies provide more authentication, but all it would do is prove a barrier against legitimate users while the criminals would just find a way around.
Authentication... how about a 'contract' stating you must actively use your free hosting account for 30 days or get a penalty fee. Gives the hosting company a chance to catch up on who's doing what.
I think it's pretty clear that the problem is the same as spam: the opportunity cost is too low.
There are many, many things that one could do to make it reasonable. You could have them send a $1 bill, or pay a similar trifling amount through an online broker, or even require a waiting period during which content is machine-inspected for scamming.
I personally use a "free" server that pretty much keeps spam at bay by requiring a $1 bill sent through the mail in order to gain membership.
Mod me down and I will become more powerful than you can possibly imagine!
this is why it's so important to recognize the unique sociological challenge of the URL.
it is a namespace. thus, portions of it will be a BRAND space.
either people recognize when they are culting, or they don't. times that they do, are often predicated on the formulation of identity.
the URL is a human blank page. if you don't know the URL, don't go there...
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
I thought CAPTCHAs would be pretty effective, until I heard of this cool scheme to get around them:
1. Spammer X wants to sign up for 100 free email accounts at free-accounts-Y.
2. Spammer X has a small cache of porn.
3. Spammer X puts up a website to allow access to his porn & promotes it
4. To see Spammer X's porn, Joe Average must sign up at Spammer X's website.
5. Signing up involves, you-guessed-it, a CAPTCHA!
5a. Joe requests to sign up
5b. Spammer X requests an account at free-accounts-Y and gets a CAPTCHA request.
5c. Spammer X presents this same request on their website to Joe
5d. Joe solves the CAPTCHA and returns the info to Spammer X
5e. Spammer X passes that info to free-accounts-Y
6. Repeat steps 5a-5e for lots of Joes. Result: lots of email accounts for Spammer X.
As long as the CAPTCHA is not impossible, people will process them for you for almost free.
HIV Crosses Species Barrier... into Muppets
"Free" web hosting has never been free. I have tried several of them to cut costs for uncoveror.com, and they all fed pop-ups, many of which pushed spyware like gator and bonzi if they were not closed carefully. I would rather pull the plug than do that to readers, so I went to paid hosting. Last time I checked, none of my banner or text ads fed spyware.
The Uncoveror: It's the real news.
Spammers simply proxy the CAPTCHA images, and re-present them on their own sites. Users of their sites then process the CAPTCHA for them, and they turn around and use the user's input to register on the original site.
For example, say compuporn.com wants free geocities accounts. compuporn.com offers free memberships on their site; when Joe Sixpack loads the signup page, compuporn.com runs a script that starts a new registration at geocities.com, and copies the geocities CAPTCHA image, presenting it to Joe Sixpack at compuporn.com. Joe Sixpack puts the correct string in for the CAPTCHA, compuporn.com takes Joe's string, and uses it at geocities.com.
Voilà. Compuporn.com has a new geocities account, without any OCR, and without any employees of Compuporn.com interpreting the CAPTCHA by hand.
Your CAPTCHA is not immune to this attack either.
John Leyden at The Register has a slightly different take on this story. Essentially Websense is a company trying desperately to sell its "security products" through a campaign of FUD and blatantly obvious "alerts". I think most people here see this as the latter, while most of Websense's target audience probably fall into the former target audience.
Now, as CAPTCHAs get more obscured to try to defeat more sophisticated OCR elements, they become more difficult for humans to read. I recently developed one that I may use on some of my sites that uses identifying the contents of pictures. Demo here. Some of the people I've had test it said it was fun and they actually played it like a game.
Sorry to burst your bubble there, but when I have no javascript enabled, all I get is a "Tell me if I'm human" button. I clicked on it and your script tells me I'm human. Even when I just typed in the validate.php URL in the browser, it still tells me I'm human. So, um. There is a serious flaw in your programming.
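An added example, not the demo's code and not part of either comment: a server-side check that fails closed in the case described above, where the validation URL is requested directly with no challenge solved. The class `ChallengeStore` and its method names are assumptions; the expected answer stays on the server and each challenge can be tried once.

```python
import hmac
import secrets
import time


class ChallengeStore:
    """In-memory store of issued challenges (hypothetical; a real site would
    keep this in the server-side session or a shared cache)."""

    def __init__(self, ttl=120, clock=time.time):
        self.ttl = ttl          # seconds a challenge stays valid
        self.clock = clock      # injectable so expiry can be tested
        self._pending = {}      # challenge id -> (expected answer, expiry)

    def issue(self, expected_answer):
        """Record the answer server-side; return an opaque id for the form."""
        cid = secrets.token_urlsafe(16)
        expiry = self.clock() + self.ttl
        self._pending[cid] = (expected_answer.strip().lower(), expiry)
        return cid

    def validate(self, cid, answer):
        """True only for a correct answer to a live, unused challenge.

        Every other request, including one carrying no challenge at all,
        gets False: the default outcome is "not verified".
        """
        if not cid or not answer:
            return False                      # direct hit on the validate URL
        entry = self._pending.pop(cid, None)  # single use: removed on first try
        if entry is None:
            return False                      # unknown, replayed or forged id
        expected, expiry = entry
        if self.clock() > expiry:
            return False                      # answered too late
        given = answer.strip().lower().encode()
        return hmac.compare_digest(given, expected.encode())
```

Because the id is consumed on the first attempt, a wrong guess forces a fresh challenge rather than allowing repeated tries against the same picture.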
There was nothing to download, no b/g music, okay the html was pretty boring, but very easy to read. And that's exactly what I was there for.
And there's dead links everywhere, man.
Free hosting, in promoting both free's, does a great job. Unfortunately, it just takes a couple bastards to ruin it for everyone else.
Free as in speech hosting is different. The key here is to not charge too much, and to put in place your hosting policies to afford as much privacy as you possibly can. Here is an example of what I have learned, YIAAH (yes, I am a hoster):
Basically, be honest and up front, know your limits, ensure your operation is financially viable, and know your shit. Getting into the hosting business sounds a LOT easier than it really is. If you get into it for moral purposes like me (as part of a not-for-profit incorporation), it is even harder. Free as in speech hosting is NOT a cash cow. There are also few rewards and thanks. Your days will be spent not only providing services equal to other top hosters, but without the benefit of a fat paycheck (or any paycheck at all).
The rest of your time will be spent always looking over your shoulder for complaint e-mail. If you host bands, maybe one of them slips in a copyrighted song on their hosting, and one wrong move with the RIAA can shut you down. Maybe someone makes a threat via e-mail, and then you have someone demanding user identity, or trying to enforce the Patriot Act on you. Maybe a site ju
I8-D