Thursday, January 27, 2005

Sketchy bastards abound; Apache Strikes Back

A few casual advances in my Apache Webserver configuration unearthed something disturbing yesterday.

I had finally set up Apache to keep separate logfiles for each of my sites, creating a new log for each day's activity. Not a big deal, but it isn't immediately obvious how to do this when you first install Apache. But it was a nice step forward to a mature, Production-quality configuration.

At about the same time I rearranged the gallery directories - they had all been under the same directory, but as they grew in number they were starting to get a little crowded. So I sorted them out into subdirectories by year (e.g. galleries/2004/blah). And of course I fixed up my code to support the new structure.

Unbeknownst to me, this all had the unintended consequence of making it obvious that someone had been hot-linking to my images (aka image theft: they were displaying my images in their own Web pages, but the images were still being served off my Webserver and using up my bandwidth). In my new, cleanly organized logs I started seeing all these 404 Not Found errors because the hot-linker had pointed to my original gallery directory setup. The logs also showed the Referer header of each request, i.e. the URL of the page that was attempting to display my images.

I followed the link - it was a photo posting forum with a post titled "university volleyball hotties". The poster ("orswich" supposedly a 26-yr-old from Canada) eloquently stated "i love sporty women in great outfits, especially the girls in universities and college" (his lack of capitalization, not mine). He then hot-linked to twenty of my UCLA women's volleyball photos.

He even magnanimously offered "i have diving and gymnastics also if interested" which, of course, referred to my diving and gymnastics galleries. One of the follow-up comments, courtesy of jimraynor from Illinois went: "I'm disappointed in the lack of ass-pat of approval, but there were some nice pictures."

This then prompted a follow-up post by shaebae from St. Louis who had his own v-ball pics: "to make up for the guy with the assless volleyball pics lol". To which orswich dutifully responded, "[your] pics were as good as mine.. i do have others with "more ass"..." Which he then proceeded to post - another eighteen shots from my v-ball galleries.

Did I say this was "disturbing"? I meant creepy and disgusting.

And infuriating how orswich referred to my photos as his.

I immediately emailed the forum moderator and reported the image abuse as inappropriate, a violation of my copyright, and a violation of NCAA regulations. I'm glad that I decided to start embedding my copyright statement in all of my posted pics. It leaves little doubt as to who actually owns the photos in question. But on the flip side it's discomforting to have my name attached to photos displayed in that type of environment.

So I was well-motivated to dive deeper into the complexities of Apache to see if I could do something about preventing this sort of thing from happening again. I didn't want to just copy-and-paste the cookie-cutter solutions posted on the Web. I wanted to be sure I understood what I was doing to my Webserver. And, of course, I wanted more functionality than those standard solutions were offering.

In the end I succeeded. Now whenever someone hot-links to one of my images they'll see this graphic instead. As it states, their attempt to access my image over a hot-link will be logged by my Webserver into a special "poachers" log, tracking both their IP address and the URL that contained the illegal hot-link (the Referer the browser sends along with the image request). So not only will I know that the attempt was made, I'll know where it came from. There are ways to circumvent this, since the check trusts a header the client supplies, but it's generally reliable.

Some legitimate browsers will mistakenly see the hot-linking graphic when they shouldn't, because the check depends on what Referer (if any) the browser sends, but most normally-configured browsers should be fine.
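As an added example (this is not the configuration from the original post), here is one way to express both pieces described above in Apache httpd 2.x configuration: per-site access and error logs that roll over daily, and a Referer-based check that swaps in a placeholder graphic and writes each hot-link attempt to a separate "poachers" log. The hostname www.example-gallery.com, the directory and log paths, the location of the rotatelogs binary and the placeholder file /img/hotlinked.gif are all assumptions made for the example.

```apache
# Per-site virtual host: daily-rotated logs plus Referer-based hot-link
# detection that substitutes a placeholder graphic and records the attempt.
# Hostname, paths and file names are assumed for illustration only.
<VirtualHost *:80>
    ServerName   www.example-gallery.com
    DocumentRoot /var/www/gallery

    # --- Per-site logs, one file per day --------------------------------
    # rotatelogs ships with httpd; 86400 seconds = a new file every day.
    # Rotation is aligned to midnight UTC unless an offset or -l is given
    # (check rotatelogs(8) for the options your version supports).
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    CustomLog "|/usr/sbin/rotatelogs /var/log/apache2/gallery/access.%Y-%m-%d.log 86400" combined
    ErrorLog  "|/usr/sbin/rotatelogs /var/log/apache2/gallery/error.%Y-%m-%d.log 86400"

    # --- Hot-link detection ---------------------------------------------
    RewriteEngine On
    # A request is a hot-link when it carries a Referer that is not one of
    # our own pages. An empty Referer is allowed through: direct visits,
    # bookmarks and privacy-minded browsers or proxies send none, and
    # blocking them is what produces false positives for legitimate viewers.
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example-gallery\.com/ [NC]
    # Never rewrite the placeholder itself, otherwise the substituted
    # request would match the rule again and loop.
    RewriteCond %{REQUEST_URI} !^/img/hotlinked\.gif$
    # Serve the placeholder through an internal rewrite (the status stays
    # 200, so the foreign page displays it) and flag the request for logging.
    RewriteRule ^/galleries/.*\.(jpe?g|gif|png)$ /img/hotlinked.gif [NC,E=poacher:1,L]

    # --- The "poachers" log: who asked, for which image, from which page --
    # The env= condition is checked on the original request, where the E=
    # flag set the variable. If entries fail to appear after an internal
    # redirect on your build, look for the REDIRECT_poacher copy instead.
    LogFormat "%h %t \"%r\" \"%{Referer}i\" \"%{User-Agent}i\"" poachers
    CustomLog /var/log/apache2/gallery/poachers.log poachers env=poacher
</VirtualHost>
```

The two RewriteCond lines on the Referer are the whole policy: a request with no Referer passes, a request whose Referer is a page on the site passes, and anything else gets the placeholder plus a line in poachers.log with the client address, the image requested and the referring page. Because the decision rests on a header the client chooses to send, a client that omits or forges the Referer receives the real image (the circumvention the post alludes to), and a browser or proxy that sends an unexpected Referer for a legitimate page view receives the placeholder.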

I was also a little worried about spiteful retaliation attacks against my Webserver. Most people aren't sophisticated enough to launch Denial-of-Service attacks themselves, but I didn't want to incur any more wrath than necessary. So I didn't write "screw you, ya damn poacher!" like I wanted to. And to the casual surfer, it's not clear that my hot-linking graphic comes from my site at all (I was originally going to say, "go to ebanzai.com to view").

I'm glad that I now have these protections in place. No solution is perfect (in fact this one is easily circumvented for those sufficiently motivated) but it will thwart the vast majority. And it's a source of geek pride for me that my Apache knowledge ("Apache-foo" in Keithspeak) is getting rather advanced. The experience has left me with a really gross, unpleasant feeling though. Taking this preventative action makes me feel better. Even so, I'm somewhat on the fence as to whether or not those pics should be available at all.
