Hackers pulled off an attack that had a physical effect when they found a way to post flashing images on an epilepsy forum. Some users of the site experienced migraines and “near-seizure reactions.”

The attack happened when hackers exploited a security hole in the foundation’s publishing software that allowed them to quickly make numerous posts and overwhelm the site’s support forums.

I remember learning in my computer ethics class about bad programming practices that led to physical injuries and even death. Lax security can have all sorts of effects, and when you see someone intentionally trying to bring physical harm to a group of people, you get an idea of the type of person we’re working against.

2 thoughts on “Exploit Causes Migraines”

  1. Most security domains do not require a prohibition on flashing images. In a general purpose forum it would be annoying and griefing to post a flashing black/white GIF, and the effects could be moderated away. Because such an image can cause medical harm to epileptics, a new threat emerges. Because the security requirements have changed, the functional requirements must change – users may not post unmoderated images (for example).

    Nowadays, software is available to operate forums and social networks with decent security properties in the initial configuration, including user management with rights and privileges, backup, upgrade and documentation. However, one size cannot fit all. The example in the OP is a great illustration of why the “decent security” in the default install isn’t enough when the threat profile changes.

    Technology-enhanced social networking is another example of a different domain that required different security characteristics. Social engineers with pseudonymous identities infiltrate the network and find new ways to probe organizations. Users have conflicting goals for their information: sometimes wanting off-the-record conversations while still authenticating the other party (see http://www.cypherpunks.ca/otr/ for a good example of technology that accomplishes that), and sometimes wanting to broadcast their thoughts to whoever is interested.

    That’s my two cents.

    [Extra credit question]
    How do you know that I wrote this?
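One way to act on the first comment's point that a forum for epileptics must not auto-publish images that flash, as an added example that is neither the commenter's nor the blog's code: a Python check that holds animated uploads for moderation when their luminance flashes faster than a simplified WCAG-style threshold. The per-frame luminance input, the thresholds and the sample clips are constructed assumptions of this example.

```python
"""Flag animated uploads that flash faster than a seizure-safety threshold.

Simplified form of the WCAG 2.x "three flashes or below" rule (an assumption
of this example, not a full implementation): a flash is a pair of opposite
changes in relative luminance of at least 0.1, and more than three flashes in
any one-second window holds the upload for moderation. Frames arrive as
per-frame mean relative luminance (0.0..1.0); GIF decoding is the caller's job.
"""
from typing import List, Tuple

LUMINANCE_DELTA = 0.10       # smallest change that counts as a transition
MAX_FLASHES_PER_SECOND = 3   # above this the upload is held, not auto-published

def transitions(lums: List[float]) -> List[Tuple[int, int]]:
    """(frame_index, direction) per large luminance change; +1 brighter, -1 darker."""
    out = []
    for i in range(1, len(lums)):
        delta = lums[i] - lums[i - 1]
        if abs(delta) >= LUMINANCE_DELTA:
            out.append((i, 1 if delta > 0 else -1))
    return out

def flash_frames(lums: List[float]) -> List[int]:
    """Frame indices where a flash completes: a transition reversing an unpaired one."""
    frames, pending = [], None   # pending: direction of the unpaired transition
    for idx, direction in transitions(lums):
        if pending is not None and direction == -pending:
            frames.append(idx)
            pending = None
        else:
            pending = direction
    return frames

def max_flashes_per_second(lums: List[float], fps: int) -> int:
    """Largest flash count inside any sliding one-second (fps frames) window."""
    flashes, best = flash_frames(lums), 0
    for i, start in enumerate(flashes):
        best = max(best, sum(1 for f in flashes[i:] if f - start < fps))
    return best

def needs_moderation(lums: List[float], fps: int) -> bool:
    """True when the clip exceeds the threshold and must not be auto-published."""
    return max_flashes_per_second(lums, fps) > MAX_FLASHES_PER_SECOND

# Constructed 10 fps sample clips: black/white strobe, slow fade, one gentle blink per second.
STROBE = [0.0, 1.0] * 5
FADE = [i / 20 for i in range(21)]
BLINK = [0.9 if i % 10 == 0 else 0.3 for i in range(30)]
```

The strobe clip is held for moderation while the fade and the once-a-second blink pass, which is the distinction a default forum install does not make on its own.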

  2. Anil says:

    @ Scott Shorter

    Can’t really know for sure – could do a comparison of where/how your previous comments were made.

    But that wouldn’t confirm who you are; more like that the same person/machine is leaving the comments.
