
From: IN%"jsw@netscape.com" "Jeff Weinstein" 9-MAR-1996 04:41:47.02
I predict that 6 months after the first internet rating system is widely deployed, the largest use of search engines such as altavista will be to look for pages with the most "naughty" ratings. Perhaps such services will allow text searches for free, but charge for searches based on the rating tag...
Unfortunately, AltaVista doesn't index based on comments field (in which category the SafeSurf ratings fall). Opentext, given that one supposedly can search for links to a page, may be able to do it on the other hand. Putting together a web spider that would search for such could be a profitable undertaking. I did some checking on AltaVista and found one service by the name of "Naughty Lynx" which automatically checks all of its links every hour or so - one problem with "adult-oriented" sites is that they disappear a lot. Some such feature would probably be necessary. Seems to be a good potential use of the DigiCash system, since one doesn't need merchant anonymity that much until someone comes up with anonymous-location web pages; the Naughty Lynx system appears to support itself via advertising). Combining this with a web proxy would also be good.
-Allen

E. Allen Smith said,
... until someone comes up with anonymous-location web pages...
Has anyone ever considered setting up anonymous web sites on top of usenet? People could post pages anonymously to usenet, and the web sites could grab them and put them up automatically. The pages could expire just like usenet. And just as there are many nntp servers that contain more or less the same information, there could be many of these anonweb servers with essentially the same information. Right now a news administrator isn't held responsible if there's some "bad" information in his news spool -- copyright violations, obscenity, etc. If the link between physically hosting a web page and being responsible for its contents could somehow be broken, then anonymous web pages would be possible. If an anonweb server was just a robot that reads usenet, maybe anonweb operators could slide in under the usenet tradition. The distributed nature of the usenet model would also solve another problem with anonymous web pages, namely that it costs money to serve them, and there's no way to tell how popular an anonymous web page will be until you put it out there. Individual ISPs would host anonweb servers for the benefit of their customers (web page readers) rather than the anonymous publishers. If someone puts up an anonweb page that gets 100,000 hits a day, an ISP with 2,000 customers will only have to shoulder a small part of that burden.
-- alex

cp@proust.suba.com (Alex Strasheim) writes:
Has anyone ever considered setting up anonymous web sites on top of usenet?
I proposed this a couple of months ago, there should be a bit of discussion left over in the archives. My idea was to have an account keyed to a password - if you emailed the server with the right password, it would take the text of your email and put it in the specified URL. Then you can use remailers to preserve anonymity with the server. It's sort of like the alias.c2.org accounts. It seems like a workable, not-too-difficult idea. Not much interest in it, though. Sameer pointed out that a full c2.org account, if used properly, allows anonymous web pages.
Right now a news administrator isn't held responsible if there's some "bad" information in his news spool -- copyright violations, obscenity, etc. If the link between physically hosting a web page and being responsible for its contents could somehow be broken, then anonymous web pages would be possible.
In trying to shape the policy at various places where I've installed web servers, I urge them to think of allowing users to post web pages to be the same as allowing them to send email or post to Usenet. They're all (potentially) media with lots of exposure and institutional identification, so why treat them differently? The argument seems to work, and users are allowed to have their own web pages. The problem, of course, is that people do tend to associate the opinions in web pages to the company that owns the web server more than they do with Usenet posts or email. Furthermore, WWW is a permanent medium, whereas email and Usenet are commonly perceived to be transitory (this is changing). I decided that if I were to set up an anonymous web server, I as administrator would have to retain absolute control of what is on the server, just to protect whomever my ISP is. The aim would be to weed out any and all potentially illegal text: draconian, but probably necessary to keep the remailer safe. I'd also filter out all CGI and images over some small (icon) size. These days, I'd prevent Java and JavaScript, too. I'm interested in discussing implementation issues in more detail with someone if they think this would be a fun project. I might yet get to it myself in the next few months.
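
The submission filter sketched in the message above (no CGI, no Java or JavaScript, images only up to icon size), as an added example that is not part of the original post or any poster's code. The names `audit_page` and `SubmissionAudit`, the 4096-byte limit, the exact tag list and the `image_sizes` mapping are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Refused outright: JavaScript, Java applets, plug-in content, and forms
# (a form can collect data or post to a CGI endpoint). Generalises the post.
BLOCKED_TAGS = {"script", "applet", "object", "embed", "form"}
URL_ATTRS = {"href", "src", "action", "background"}
MAX_ICON_BYTES = 4096  # assumed "icon size" limit; the post gives no number


class SubmissionAudit(HTMLParser):
    """Collects reasons to reject an anonymously submitted page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.reasons, self.images = [], []

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.reasons.append(f"blocked tag <{tag}>")
        for name, value in attrs:
            # Drop whitespace and control characters before matching.
            url = "".join(c for c in (value or "") if c > " ").lower()
            if name.startswith("on"):  # onclick, onload, ...
                self.reasons.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and url.startswith("javascript:"):
                self.reasons.append(f"javascript: URL in {name}")
            elif name in URL_ATTRS and "/cgi-bin/" in url:
                self.reasons.append(f"CGI reference in {name}")
        if tag == "img":
            self.images.append(dict(attrs).get("src") or "")


def audit_page(html, image_sizes):
    """Return rejection reasons; image_sizes maps image URL -> submitted size."""
    audit = SubmissionAudit()
    audit.feed(html)
    audit.close()
    for src in audit.images:
        if image_sizes.get(src, MAX_ICON_BYTES + 1) > MAX_ICON_BYTES:
            audit.reasons.append(f"image {src!r} missing or over icon size")
    return audit.reasons


# Constructed sample submissions.
CLEAN = '<h1>Notes</h1><a href="two.html">next</a><img src="dot.gif">'
TROJAN = ('<form action="/cgi-bin/order"><input name=cc></form>'
          '<a href="JavaScript:go()" onClick="go()">here</a><img src="big.jpg">')
```

An empty list from `audit_page` means the page passes the mechanical checks; the review of the text itself that the message describes still has to be done by the administrator.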

On Sat, 9 Mar 1996, Dan Cross wrote:
This is an interesting idea, though I think a really really insecure one. What's keeping someone from posting ``trojan web pages'' and then waiting for the pages to be soaked up by servers? Something that says ``click <here> to see the /etc/passwd file for this site!'' which runs some funky CGI thing to cat /etc/passwd or, ``Enter your credit card number to buy super wiz-bang gadget!'' or the like is a really scary, but very real, possibility if great care is not taken in setting this kind of thing up. News servers, on the other hand, don't suffer from this problem because the data which they contain is much more passive in nature (at least, while in the spool..) than HTML.
The obvious fix would just be to disallow the use of CGI scripts in anonymous web pages. In order for a file to be designated a CGI script, it must be explicitly specified as such in the httpd configuration. The web is every bit as passive as Usenet. The only difference is you can't make a program that will execute on the NNTP server every time it is retrieved (which would be the Usenet equivalent of CGI).
--Mark
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm@voicenet.com | finger -l for PGP key 0xf9b22ba5
http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5
"The concept of normalcy is just a conspiracy of the majority" -me

On Sun, 10 Mar 1996, Mark M. wrote:
On Sat, 9 Mar 1996, Dan Cross wrote:
This is an interesting idea, though I think a really really insecure one. What's keeping someone from posting ``trojan web pages'' and then waiting for the pages to be soaked up by servers? Something that says ``click <here> to see the /etc/passwd file for this site!'' which runs some funky CGI thing to cat /etc/passwd or, ``Enter your credit card number to buy super wiz-bang gadget!'' or the like is a really scary, but very real, possibility if great care is not taken in setting this kind of thing up. News servers, on the other hand, don't suffer from this problem because the data which they contain is much more passive in nature (at least, while in the spool..) than HTML.
The obvious fix would just be to disallow the use of CGI scripts in anonymous web pages. In order for a file to be designated a CGI script, it must be explicitly specified as such in the httpd configuration. The web is every bit as passive as Usenet. The only difference is you can't make a program that will execute on the NNTP server every time it is retrieved (which would be the Usenet equivalent of CGI).
Doesn't solve the problem completely, or even the individual example given above.
From your public html directory, try 'ln -s /etc/passwd passwords.txt'.
Then add a link to your homepage....
Jon
----------
Jon Lasser (410)494-3072 - Obscenity is a crutch for
jlasser@rwd.goucher.edu inarticulate motherfuckers.
http://www.goucher.edu/~jlasser/
Finger for PGP key (1024/EC001E4D) - Fuck the CDA.

On Tue, 12 Mar 1996 00:35:38 -0500 (EST) jlasser@rwd.goucher.edu (Bruce Zambini) wrote:
On Sun, 10 Mar 1996, Mark M. wrote:
From your public html directory, try 'ln -s /etc/passwd passwords.txt'.
Then add a link to your homepage....
Er, I believe CERN, NCSA, and N*tscape all disallow following symbolic links by default for precisely this reason. There is a follow-symlinks-for-owner-only option that we recently turned on.
-rich
Institute for Ernst Zundel Revisionism
http://www.c2.org/~rich/Press/Swedish/
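
The two symlink policies mentioned in the message above (never follow, and follow only when link and target have the same owner), written out as a path check. This is an added example, not code from the thread or from any of the servers named; `may_serve`, `demo`, the `uid_of` hook and the simulated uids are hypothetical, and the docroot is constructed in a temporary directory with a stand-in file instead of the real /etc/passwd.

```python
import os
import tempfile


def may_serve(docroot, relpath, policy="none", uid_of=None):
    """policy "none" refuses any symlink; "owner" follows a link only when
    link and target share an owner. uid_of(path, follow) is a test hook."""
    if uid_of is None:
        uid_of = lambda p, follow: (os.stat(p) if follow else os.lstat(p)).st_uid
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if ".." in parts:
        return False  # the URL must not climb out of the document root
    path = docroot
    for part in parts:
        path = os.path.join(path, part)
        if not os.path.islink(path):
            continue
        if policy != "owner":
            return False
        try:
            if uid_of(path, False) != uid_of(path, True):
                return False
        except OSError:
            return False  # dangling link
    return os.path.isfile(path)


def demo():
    """Constructed docroot holding the link from the thread, with a stand-in
    file in place of /etc/passwd."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "public_html")
        os.mkdir(docroot)
        target = os.path.join(tmp, "passwd")
        for name in (os.path.join(docroot, "index.html"), target):
            with open(name, "w") as fh:
                fh.write("constructed sample\n")
        os.symlink(target, os.path.join(docroot, "passwords.txt"))
        root_owned = lambda p, follow: 0 if follow else 1000  # simulated uids
        return {
            "plain": may_serve(docroot, "index.html"),
            "link_default": may_serve(docroot, "passwords.txt"),
            "link_same_owner": may_serve(docroot, "passwords.txt", "owner"),
            "link_other_owner": may_serve(docroot, "passwords.txt", "owner", root_owned),
            "dotdot": may_serve(docroot, "../passwd"),
        }
```

Under the owner-only policy a user's link to a file owned by someone else is refused, while a link to the user's own file is still served.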

On Tue, 12 Mar 1996, Bruce Zambini wrote:
On Sun, 10 Mar 1996, Mark M. wrote:
On Sat, 9 Mar 1996, Dan Cross wrote:
This is an interesting idea, though I think a really really insecure one. What's keeping someone from posting ``trojan web pages'' and then waiting for the pages to be soaked up by servers? Something that says ``click <here> to see the /etc/passwd file for this site!'' which runs some funky CGI thing to cat /etc/passwd or, ``Enter your credit card number to buy super wiz-bang gadget!'' or the like is a really scary, but very real, possibility if great care is not taken in setting this kind of thing up. News servers, on the other hand, don't suffer from this problem because the data which they contain is much more passive in nature (at least, while in the spool..) than HTML.
The obvious fix would just be to disallow the use of CGI scripts in anonymous web pages. In order for a file to be designated a CGI script, it must be explicitly specified as such in the httpd configuration. The web is every bit as passive as Usenet. The only difference is you can't make a program that will execute on the NNTP server every time it is retrieved (which would be the Usenet equivalent of CGI).
Doesn't solve the problem completely, or even the individual example given above.
From your public html directory, try 'ln -s /etc/passwd passwords.txt'.
Then add a link to your homepage....
In order to add a symbolic link on a file system, you have to have shell access to that system. The whole point of this anonymous web pages thread is that web pages could be distributed among different servers which could store the pages on the filesystem and make access available through the web. An attacker could not put a link to the password file simply through anonymous web pages. Besides, password file should be shadowed anyway, and httpd should never be run as root.
--Mark
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm@voicenet.com | finger -l for PGP key 0xf9b22ba5
http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5
"The concept of normalcy is just a conspiracy of the majority" -me

Alex Strasheim <cp@proust.suba.com> writes:
Has anyone ever considered setting up anonymous web sites on top of usenet? People could post pages anonymously to usenet, and the web sites could grab them and put them up automatically.
I see two problems right off the top:
1. Given the number of images, sound files, and movies that the most popular web pages will invariably have, the load incurred by propagating the associated files all over the net would be tremendous;
2. If CDA begins to be seriously enforced, Usenet will suffer as much as the Web: as soon as ISPs have reason to believe that such and such a newsgroup is carrying unlawful material, they'll have to stop spooling those groups. The material will move into off-topic groups, ISPs will get tipped off, and they'll have to shut those off too. I can imagine a whole army of busybodies scanning the comp.* hierarchy for pictures of tits...
--
Roger Williams PGP key available from PGP public keyservers
Coelacanth Engineering consulting & turnkey product development
Middleborough, MA wireless * DSP-based instrumentation * ATE
tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/
participants (8)
- Alex Strasheim
- Bruce Zambini
- Dan Cross
- E. ALLEN SMITH
- Just Rich
- Mark M.
- Nelson Minar
- Roger Williams