
Site Review – Scribd

  • At February 13, 2009
  • By Josh More
  • In Business Security

Scribd isn’t as well known as many other sites, but what it does, it does quite well.  Simply put, it’s a way to share documents via the web.  The documents can be in various formats, and the site automatically converts them for you.  Once you’ve uploaded a document, you then get the ability to embed it in different sites and download it in different formats.  It’s a nice and easy way to share documents.

Pros:

  • Easy to use
  • Free
  • Shifts the bandwidth for hosting large files to someone else

Cons:

  • Requires Flash and therefore may not work well on all platforms (there have been problems with Linux in the past)
  • It’s weak on social networking features
  • Only two levels of document security: “public” and “private”
  • Search doesn’t allow you to search by licensing

The same caveats about security apply to this site as others.  In short, you have no way to guarantee that people will use your documents according to the license terms you set, and you have no guarantee that others have the rights to upload the documents that they do.  So, be careful building a business model around this site.

However, like many other “Web 2.0” sites, the ease of use of this system makes up for some of the legal ambiguity.  Moreover, since it doesn’t support many of the social networking features (pretty much just comments), there’s little risk of social engineering here.  In fact, the biggest risks would be getting malware from downloading the original and trusting information that you shouldn’t.

Malware

The way that Scribd works, you upload a document and they automatically convert it into other formats.  It is highly unlikely that malicious applications would survive an automated conversion between formats, but if you download the original, you might be at risk.  You can avoid that one pretty easily by just viewing the document in the built-in viewer.

Trusting Information

This one is a risk pretty much all over the Internet, but it can be a bit trickier here.  For those in the security field, consider this as a variant of cross site scripting.  For those who don’t know what I’m talking about, just bear with me.

See, it’s very easy to make an account.  You pick your name, you build your profile, you upload your docs.  It would be very easy, for example, for an attacker to pick a moderately known public company and create an account for them.  Then, they’d pull down the latest SEC documents and press releases and upload them to the site.  Then, they would simply need to fabricate a press release or similar document that would indicate a change in stock price.  Once that’s there, the easy sharing nature of Scribd becomes its weakness, as it would be trivial for the attacker to post a link to the document and embed it in a different context (be it an email or on a website somewhere).

With this sort of attack, the target is duped into believing the information is accurate and then provoked into a predictable response (often, a “buy stock” or “give me your credit card” response).  It would be important to verify any information before acting, especially if it’s marked as “urgent”.  The Internet allows us to share vast amounts of data very quickly.  This puts social pressure on us to react similarly quickly, and that is exactly what an attacker relies upon.

Conclusion

I use Scribd, albeit not a lot.  I think it fills a need, but my content is increasingly in non-document forms, so Scribd doesn’t really apply much.  If you are still writing for the print format, but want to share that work via the Internet, Scribd is a great tool.  Get an account, become familiar with the system so you can recognize when it is used outside of the main site.

As always, view all emotionally charged content as suspect and verify it before you act.

Site Review – Flickr

  • At February 06, 2009
  • By Josh More
  • In Business Security

For those that don’t know, you know, those of you who have been under a rock for the last few years, Flickr is a photo sharing site.  It has numerous social media features which make it very easy to post your content, add it to groups, discuss it with others, etc.  It supports all types of cameras as well as files from applications like PhotoShop and PaintShop Pro.  They recently added the ability to share movies.

In short, it’s great.  I use it all the time.

But, like all systems, especially in the fancy 2.0 world, there is a risk assessment that you should consider.

Pros:

  • Easy to use
  • Free to low cost
  • Active community with which to interact

Cons:

  • Who owns your content?
  • How can you use others’ content?
  • How can others use your content?
  • How is your content backed up?
  • Are you at risk from social engineering?

Please note that copyright is a complicated thing and well outside of the scope of this blog.  For real questions, please see a lawyer.  However, I’ll be glad to answer my own fake questions, after all, it’s my blog, right?

Who owns your content?

Well, you do, of course.  You made it, it’s yours.  Yahoo even agrees. Oh, wait a minute.  The Terms of Service state:

Yahoo! Inc. (“Yahoo!”) welcomes you. Yahoo! provides the Yahoo! Services (defined below) to you subject to the following Terms of Service (“TOS”), which may be updated by us from time to time without notice to you.

So maybe it would be more accurate to state that “you own your content right now”.  Not exactly ringing with assurance, but it’s the best we can do.

How can you use others’ content?

Oh, this one is easy!  Each photo is marked as “All rights reserved” (meaning you can’t use it) or “Some rights reserved” (meaning, umm, maybe).  Flickr uses the Creative Commons to allow people to license their photos as they wish.  Luckily, they also provide an advanced search so you can find photos that you can use and alter for commercial use.

Of course, there’s nothing preventing a user from posting a photo that you can re-use and then changing the licensing AFTER you’ve used it.  Any idea how you could prove that it used to be licensed differently?  I sure don’t know.

Also, what happens if a photo is licensed so that you can use it but the person in the photo never signed a release?  Is it usable?  Can you be sure?

How can others use your content?

OK, this one should be easy, right?  After all, you upload your photos and you set a license and you’re done.  Flickr does all the magic to make sure that people only use your photos the way you want, right?

Well, not exactly.  See, if you license your photo under any of the Creative Commons options, the original image is available to everyone.  In other words, they have to voluntarily agree to abide by the copyright.  If they don’t, you have to deal with that yourself.  Are you able to monitor all the images on the Internet to make sure that yours are being used according to your wishes?  I know that I’m not.

How is your content backed up?

This really isn’t known.  There’s no mention of backups in the terms of service, and there has been at least one high-profile issue involving backups.  In general, they should be safe, but you might want to consider other options.  Or, you know, just keep a copy of whatever you upload to them.

Are you at risk from social engineering?

Finally, one that can be answered definitively.  Yes.  You are always at risk of social engineering. The more interesting question is “How are you at risk from social engineering?”

Flickr allows you to post photos.  Odds are that these photos will be of people you know and places you’ve been.  You can tag these photos by location, put people’s names into them and otherwise release loads of information for the savvy social engineer.  They can take this information and use it to develop friend and family graphs and identify themselves to you or one of your friends as someone who seems trustworthy, but isn’t.

Conclusion

Wow, that’s a lot of negatives.  Does that mean that you shouldn’t use Flickr?

Well, that’s a decision that you have to make on your own.  In case it helps you, this is the decision that I made:

I choose to use Flickr because I like the community and because I want others to use my photos.  With the exception of people that have not signed a release, all of my photos are tagged under the Creative Commons to allow re-use but only for non-commercial use and if I am credited.  Also, since a great many of my photos are taken at zoos, I allow zoos to use my photos for free, even for commercial use, so long as they ask politely.

In short, I do not make much of a living directly off of my photos (though I’m working on some projects at the moment that may change that).  Rather than expend my energies pursuing and defending misuse, I choose to trust the majority of people to do the right thing.  I do, however, keep the originals on my systems and am prepared to defend my rights, should I become aware of a violation.

I do NOT use anyone else’s photos for a commercial purpose without their permission.  I do not consider accent and illustrative photos in this blog to be commercial use (as I make no money off this site), so I may use someone’s photo here or there.  However, I am very easy to get ahold of, and if anyone asks me to take down one of their photos, I’m easy to work with.

So yeah, it’s not exactly straightforward, but to me, it’s worth the risk.

Copyright © 2013 by Josh More