Yep, certainly not Google.

So I recently posted about Orkut, the new Friendster clone that people
are attributing to Google, but which I think is just the private
project of one Google employee.

A couple of people on #unix joined with fake names to take
a look around and generally get in the way. (One was Jesus Christ.)
To no-one’s surprise both were suspended, but it turns out that
their UIDs were both later reused for new users! As if this
weren’t enough — what if you suspend someone accidentally? — it
turns out their deletion doesn’t work deeply, and those new users
who inherited the suspended accounts’ UIDs also now have the
(offensive!) communities that the #unix guys created attached
permanently to their accounts!

Not a chance that this stuff is directly Google-run.

Also, I just checked the owner of the network that Orkut is located
on — it’s on the /28 Cogent has allocated to Weather Underground, and not
in the /19 directly allocated to Google.

Even better: You can see in their Netcraft
that the server, which now only returns “orkut”, originally
returned “Orkut’s Palace of Love”. Well, colour me disturbed.

Edit: Some other findings thanks to #unix:

  <cstone> fans, interestingly, are tied to username, not uid
  <cstone> when i created another account with my original username, 
                 i got 16 fans instantly

  <Mennonite> I already tested making new accounts with dodgeit
  <Mennonite> You can "recycle" the same invite URL over and over

  <cstone> i'm certainly not going to bother refriending 50 people again
  <cstone> when they reset it briefly all of that state was lost in the 
                 account i took back [from the reused UID]

  <mr_bill> BOFH community (-6 members)

And cstone still has a session open as the UID that was deleted and then recreated, and can change the new user’s password out from under her.
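The three failures described above (recycled UIDs, deletion that leaves owned data behind, and sessions that outlive the account) can be reproduced in a toy account store and compared with a corrected one. This is an added example, not Orkut's code; the `AccountStore` class, its `flawed` switch and all sample names are constructed for illustration.

```python
import itertools
import secrets

class AccountStore:
    """Toy account store; flawed=True mirrors the behaviour described in the post."""
    def __init__(self, flawed):
        self.flawed = flawed
        self.users = {}         # uid -> username
        self.communities = {}   # uid -> community names owned by that uid
        self.sessions = {}      # session token -> uid
        self.free = []          # released uids, only consulted when flawed
        self.counter = itertools.count(1)

    def create(self, username):
        # Flawed: hand out a previously released uid. Fixed: uids are never recycled.
        uid = self.free.pop() if (self.flawed and self.free) else next(self.counter)
        self.users[uid] = username
        self.communities.setdefault(uid, set())
        return uid

    def login(self, uid):
        token = secrets.token_hex(16)
        self.sessions[token] = uid
        return token

    def delete(self, uid):
        del self.users[uid]
        if self.flawed:
            self.free.append(uid)   # shallow delete: owned data and sessions remain
            return
        self.communities.pop(uid, None)   # cascade to everything keyed on the uid
        self.sessions = {t: u for t, u in self.sessions.items() if u != uid}

    def whoami(self, token):
        return self.users.get(self.sessions.get(token))

def scenario(flawed):
    """Suspend one account, register another, report what the newcomer inherits."""
    store = AccountStore(flawed)
    old = store.create("suspended_user")          # constructed sample data
    store.communities[old].add("offensive community")
    stale = store.login(old)                      # session opened before deletion
    store.delete(old)
    new = store.create("new_user")
    return {
        "same_uid": new == old,
        "inherited": sorted(store.communities[new]),
        "stale_session_sees": store.whoami(stale),
    }

if __name__ == "__main__":
    print("flawed:", scenario(True))
    print("fixed: ", scenario(False))
```

In the flawed run the old session token resolves to the new user, which is the condition that lets the previous holder change her password; in the fixed run the token resolves to nothing.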

6 responses to “Yep, certainly not Google.”

  1. Yes indeedy. It’s a beta, and clearly says that it’s going to be broken for a while. I believe they’re looking for help finding bugs, but they probably don’t need much assistance exploiting them. ;)

  2. Yes, but it’s a beta run by a guy who has done this before and still doesn’t know that reusing uids is a good idea. I don’t run Word because I don’t trust it not to lose what I’m working on; I’m certainly not going to trust this guy.

    But mostly my problem is that the prevailing opinion is that this is official Googledom, but there really isn’t very much evidence suggesting that it isn’t just a private thing by a guy who works for Google and thus was able to write it on company time.

    As an example, both Google News and Froogle were initially developed by individual Google employees via their program for personal projects on company time, and both of those are in beta still, but they get Google branding and hosting on Google’s network.

    A broken copy of Friendster that was run by some guy at Stanford and later opened up to the whole ‘net doesn’t seem that newsworthy to me, even when that guy has since been hired by Google — and it’s even less trustworthy than it is newsworthy. I don’t want to leave my personal information where there is a relatively high probability of strangers being able to access or edit it, or where I find myself having adopted the offensive community of a suspended user, or any of that.

    As far as I’m concerned, Orlowski has wanted to get The Big Google Scoop at The Register for a long time and thought this was his chance, and didn’t do any legwork. His version of the story is news; I don’t think the full story is news, but his version doesn’t ring true, and people are being misled by reporters at other online publications reporting what they read somewhere else.

  3. Gotcha. I didn’t have any illusions that Google was “behind” orkut aside from funding its developer (which I think differs from funding its development) and really, my only comparison was Friendster. There’s nothing on orkut that people couldn’t find out about me with some reasonable effort; I’m gambling that it’s less effort to find it through traditional snooping than it is to sneak it out of orkut.

    My main concern is this: Orkut is exploding. It requires attention. One day a week isn’t going to be enough to deal with this site, starting yesterday. Clearly it’s got hardware and bandwidth resources – what about wetware? This, to me, is the question that will be answered over the next few days and the question on which the future of orkut hinges.

  4. It makes me sad this guy works at google and his software is crapfuckular.

    Seriously folks, I can write better shit than this and I never went to college.

  5. Do you have any stories of users being deleted on Monday, February 23, 2004? My account was deleted with no forewarning and no reason (I didn’t violate terms of service as far as I know)


  6. Mine got yanked on the 24th. Again no reason, no warning, no response from the admin and help addresses.

    No violation I was aware of, and no chance to fix or react to what they said I did. Just – WHACK! Gone!