Malware as a service

Web 2.0 is “a permissive society,” writes Chris Nuttall in today’s Financial Times, “where users borrow, append and mix their data freely with one another.” Free love, software style, can spur a ton of entrepreneurial creativity – a lot of cute offspring get bred really fast. But, as Nuttall notes, it’s an awfully good way to spread disease as well: “The linked-up, sharing, live-updating melting pot of web technologies that has been dubbed the second version of the web is proving fertile ground for infiltrators seeking to inject malicious code into the mix.” Malware, like other forms of software, is becoming a service, as viruses, worms and other nasties piggyback on the multitude of data exchanges that happen automatically and invisibly when users browse the web today.

We’ve already seen malware attacks or vulnerabilities crop up in Yahoo’s web mail service, Google’s RSS service, and MySpace’s core “friending” service, as Nuttall documents. And those are the big, sophisticated players. The biggest vulnerabilities lie in the myriad of smaller services popping up all over the place. It’s fairly easy to hack together an Ajax site, but it’s not so easy to hack together a secure Ajax site. As Nuttall writes, “many Web 2.0 startups are too small to be able to dedicate much time to security.” As services get mashed together and as data and code get shared, the consequences of sloppiness can get magnified quickly.

The problems will likely get worse in the near term, as the bad guys learn how to exploit weaknesses faster than the good guys learn how to avoid or fix them. Eventually, as always, computer security will end up being an unending cat-and-mouse game. Where Web 2.0’s vulnerabilities may have the biggest impact is in impeding the adoption of web-based productivity tools by corporations. It’s easy to criticize IT departments for being a barrier to employees’ experimentation with web-based services, but when malware brings a network down or compromises data, it’s the IT department whose neck is on the line. A corporation would be foolish if it didn’t give system security a higher priority than software experimentation. When it comes to securing Web 2.0 services, the onus has to be on the supplier, not the user.

2 thoughts on “Malware as a service”

  1. eszter

    Not exactly the same thing, but related is the idea that spammers will start diluting tags on various services. People may subscribe to feeds of certain tags on various Web sites (e.g. a stream of all photos on Flickr tagged with something of interest – say an animal or geographical location – showing up on one’s desktop or site). These tags could be “compromised” by people adding them to unrelated material.

    This reminds me of a service I was once using to post copies of my latest public bookmarks on my blog. Something went wrong with their scripts (supposedly nothing outright malicious, just neglect) and one day I pulled up my blog with all sorts of random sites showing up under my “recommendations”. I quickly removed the script and haven’t used that site since. It was a helpful reality check in what outside content one may or may not want to add to one’s blog.

    I still feature content on my blog from my Flickr account and link to some Amazon book links (via LibraryThing), plus I publish my del.icio.us links daily, but I haven’t added other scripts since.

  2. Peter Rip

    I think the major theme in “Web 2.0” is the reduction of friction. The friction is the non-productive barrier to sharing, expression, and integration of information. (It is also the same principles applied to computing services themselves, but this is less well-developed thus far.)

    The friction is reduced from the commoditization of computing resources due to cost reduction, freeware, and prolific standards. But reduction of friction is not license, nor is it assurance of quality or integrity.
