Someone else was talking about this with me earlier. His response was the best one I can think of:
"Before, I could pull all the information I wanted from my userinfo page in 5 minutes. Now, I can do it in 2, except I can also do tons of neat stuff with it."
Of course there's the ability to abuse it - there's the ability to abuse any information distribution. But honestly, there is far less ability to abuse this than most information on the user information page. Anyone who has the inclination to parse FOAF data is just as likely to parse user information data.
Data collection is just as much as you want to let people see publicly. Your contact information can be hidden from public view - showing it in a machine readable format doesn't make that any easier or harder to find.
In the end, I think that making data machine readable doesn't hurt anything. How much RSS stuff do you see people mentioning they got spam addresses from?
It's easy enough to parse the user information that it can't be considered any kind of level of security. If you do consider it so, I highly recommend you revise your viewpoint ;)
I think that it's arguable which is more difficult to parse.
Which field would you like from your userinfo? Something specific? If so, give me 30 seconds to write a one line perl regexp.
Now, I'm not saying that it's not possible that this MIGHT become more easy to take information out of as RDF and FOAF parsers become more commonplace (which I hope they will). But I don't think the abuse comes from tools like these, and I don't think anyone with any more than a half second of time in passing would be prevented from parsing the userinfo.
*shrug* It's really arguable which is more easily parsable. I don't really think that FOAF is going to lead to any more abuse than having your information available on your profile would. Not to mention that we don't even use the most commonly used part of your online identity, that is, your email address. Without an email address, most abusers don't really have any interest in you.
Sorry, but "because it's in HTML" is not a valid defense. Period. There are a variety of public and private LJ userinfo scrapers around. In fact, the quizzes and test things that show "Compatibility" and whatnot are a prime example of LJ scraping. Changing the HTML layout means breaking those too.
No, to defeat data abuse, you must not hide from it, but instead fully embrace it. Make the data completely machine readable, and now you can start to use the data itself to defeat the scammers/scrapers/whatnot. XML-level encryption, reputation and trust vocabularies, 3rd party data assertion providers, all those work with RDF (the format FOAF is in) to provide far better defenses against abuse than "most people can't write a regex".
I'm completely failing to see any possibility for abuse. All the information is publicly available. It was before, it still is now. If there was going to be abuse, there already would be.
What do people think is going to happen? I mean that as an honest question... I don't hold the same security concerns as a lot of people seem to, I'm wondering what is so bad about this.
Re: Welll... (vanbeast, February 25 2004, 10:23:48 UTC)
gah. buzzword overload.
If I understand you correctly, I don't understand how adding machine-readable data about you as a user affects this. If you allow anonymous comments, you're going to get this stuff anyway, and the accessibility of your interests list (etc) is not going to change that.
I really can't say that enough. Thank you, thank you, thank you.
Anyway, yeah, what he said!
What I was thinking.
Thanks.