Site Review – Scribd
Scribd isn’t as well known as many other sites, but what it does, it does quite well. Simply put, it’s a way to share documents via the web. The documents can be in various formats, and the site automatically converts them for you. Once you’ve uploaded a document, you then get the ability to embed it in different sites and download it in different formats. It’s a nice and easy way to share documents.
- Easy to use
- Shifts the bandwidth for hosting large files to someone else
- Requires Flash and therefore may not work well on all platforms (there have been problems with Linux in the past)
- It’s weak on the social networking
- Only two levels of document security: “public” and “private”
- Search doesn’t allow you to search by licensing
The same caveats about security apply to this site as others. In short, you have no way to guarantee that people will use your documents according to the license terms you set, and you have no guarantee that others have the rights to upload the documents that they do. So, be careful building a business model around this site.
However, like many other “Web 2.0” sites, the ease of use of this system makes up for some of the legal ambiguity. Moreover, since it doesn’t support many of the social networking features (pretty much just comments), there’s little risk of social engineering here. In fact, the biggest risks would be getting malware from downloading the original and trusting information that you shouldn’t.
The way that Scribd works, you upload a document and they automatically convert it into other formats. It is highly unlikely that malicious applications would survive an automated conversation between formats, but if you download the original, you might be at risk. You can avoid that one pretty easily by just viewing the document in the built-in viewer.
This one is a risk pretty much all over the Internet, but it can be a bit trickier here. For those in the security field, consider this as a variant of cross site scripting. For those who don’t know what I’m talking about, just bear with me.
See, it’s very easy to make an account. You pick your name, you build your profile, you upload your docs. It would be very easy, for example, for an attacker to pick a moderately known public company and create an account for them. Then, they’d pull down the latest SEC documents and press releases and upload them to the site. Then, they would simply need to fabricate a press release or similar document that would indicate a change in stock price. Once that’s there, the easy sharing nature of Scribd becomes it’s weakness, as it would be trivial for the attacker to post a link to the document and embed it in a different context (be it an email or on a website somewhere).
With this sort of attack, the target is duped into believing the information is accurate and then provoked into a predictable response (often, a “buy stock” or “give me your credit card” response). It would be important to verify any information before acting, especially if it’s marked as “urgent”. The Internet allows us to share vast amounts of data very quickly. This puts social pressure on us to react similarly quickly, and that is exactly what an attacker relys upon.
I use Scribd, albeit not a lot. I think it fills a need, but my content is increasingly in non-document forms, so Scribd doesn’t really apply much. If you are still writing for the print format, but want to share that work via the Internet, Scribd is a great tool. Get an account, become familiar with the system so you can recognize when it is used outside of the main site.
As always, view all emotionally charged content as suspect and verify it before you act.