Since it is possible to inject arbitrary HTML into Italia.it just by prefixing the search text with a single double quotation mark ("), which suggests the search term is echoed back unescaped inside a double-quoted HTML attribute so that the quote closes the attribute and everything after it is parsed as markup, the possibilities are endless.
Click on this link http://www.italia.it/it/scout/text/5,en,SCH………. to see what I quickly came up with (credit: I saw the XSS vulnerability on mentedigitale). Or check the video embedded below (I made the video because I hope someone will fix this very soon, and then the link will no longer work). I just inserted a few divs, a few paragraphs, and opened some windows, nothing disruptive. You can try it yourself: just copy the following HTML code and paste it into the search text field of Italia.it
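As an added illustration of the bug class (example code written for this page, not Italia.it's own code, whose server-side template is not visible here), the snippet below reconstructs the typical shape of such a flaw: a search term reflected into a double-quoted `value=""` attribute without escaping, beside the same template with proper attribute escaping. The `escapeHtml`, `renderUnsafe`, `renderSafe` and `countTags` names and the payload are constructed for the example and are not taken from the post.

```javascript
// Added example (not Italia.it's code): a minimal reconstruction of the
// bug class described above, with a hardened version beside it.
// renderUnsafe() echoes the search term into a double-quoted value=""
// attribute without escaping, which is the pattern that lets a leading
// double quote break out of the attribute. renderSafe() escapes the five
// characters that matter in an attribute (and text) context.

// Escape text for use inside a double-quoted HTML attribute or a text node.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: direct string interpolation into an attribute.
function renderUnsafe(query) {
  return '<input type="text" name="q" value="' + query + '">';
}

// Hardened: same template, with the user-controlled value escaped.
function renderSafe(query) {
  return '<input type="text" name="q" value="' + escapeHtml(query) + '">';
}

// Crude check: count the opening tags present in the rendered markup.
// A correctly rendered search box contains exactly one tag (the <input>),
// whatever the user typed.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed payload in the spirit of the post: one leading double quote
// closes the value attribute, ">" closes the input tag, and the rest is
// parsed as markup (a div, a paragraph, and a script that opens a window).
const payload = '"><div><p>hello</p><script>window.open("about:blank")</script>';

const unsafe = renderUnsafe(payload);
const safe = renderSafe(payload);
console.log(unsafe);   // attacker markup is now live HTML
console.log(safe);     // the same payload, inert inside the attribute
console.log(countTags(unsafe), countTags(safe));
```

The important design point is that escaping is chosen for the context the value lands in: inside a double-quoted attribute the `"` character is the one that must never survive unencoded, and encoding it as `&quot;` is what keeps the payload inside the attribute instead of turning it into markup.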
Italia.it is the new Web portal for Italy, whose goal should be to emphasize and show every surfer how freaking gorgeous Italy is. Italy is really a wonderful place; we could probably live just on light tourism, enjoying our life, meeting and chatting in a friendly and hyper-relaxed way with all the tourists coming to Italy and willing to, how can I say?, subsidize Italians as the friendly keepers of this small and wonderful country that really belongs to the entire world and should be enjoyed by everyone. I'm not joking.
Anyway, Italia.it was launched a few days ago and I'm very sad to say that reactions have not been good. You can judge for yourself, but keep in mind that Italia.it cost Italians 40 million euros and took 3 years to complete. After 3 years and 40 million euros, everyone was expecting something a bit better. Let me also clarify and explicitly state that the Berlusconi government started this shame 3 years ago, the Berlusconi government allocated those 40 million euros, and the Berlusconi government was not able to produce anything; the current Prodi government (which might not be the best in the world but is at least 40 million times better than the Berlusconi one) just quickly concluded the long gestation and presented the work, so it should be thanked and cannot be held responsible: the entire responsibility for this waste of money and time lies with Berlusconi's ineptitude. About the Web portal, I don't even want to start commenting on all the big problems the portal has from dozens of different points of view; you can check the comments on Technorati (822 blog posts at the moment) if you like. And don't even try to imagine how much we paid for the shitty logo.
I guess now you might start saying "it is too easy to criticize" or "why are you making additional noise, helping to destroy the image of Italy in the blogosphere?". In fact, I love Italy, I terribly love Italy; a few years ago I was very foreign-phile, but I now think that Italy is the best place in the world to live (no, I have not seen all the places in the world, so I'm totally open to changing my mind in the future, don't worry).
So why am I posting a critique that also shows a trivial XSS vulnerability affecting Italia.it? Because I think Italia.it was an error (made by Berlusconi, by the way) and we must learn from errors so that in future we don't repeat them. The next time the Italian government has to build a Web portal, it can benefit from the current discussion.
So in what sense do I think Italia.it was an error, and how would I do it? Of course I don't have a magic wand, and designing strategies for national tourist Web portals is not my job either, but some suggestions could be the following.
Surely the development could have been more open, trying to exploit the wisdom of the crowds and the passion of people. For example, post the requirements specification you came up with on a dedicated wiki, let people see it, discuss it and suggest changes. Of course this requires time and attention, but it can help avoid errors and gain insights. Moreover, leverage people's love for Italy (and for technology too): I think that if they had launched a competition for ideas such as "how would you want the Italia.it portal?" or "how would you create the Italia.it portal?", thousands of people would have had a say, maybe providing ideas or even actual working systems and prototypes. With a prize it would have been even more successful: maybe just a visibility prize (like "Your name, photo and URL will be in the Credits section of Italia.it, reachable from the homepage") or a monetary one (even a small one; well, actually, compared with 40,000,000 euros the prize could be not so small, in fact).
About the content of the portal: Italy has so many natural and cultural wonders that just making a catalogue of all of them is very hard. So the government allocated a large part of these 40,000,000 euros to the provinces, so that they could pay someone to enter the content related to that province. Did Wikipedia teach us nothing at all? Or Wikitravel? Is it possible to think that maybe some content can be added, modified and improved by ordinary Italians, just because they like to show the world that in their city there is a wonderful monument? I'm not saying a simple and open installation of MediaWiki would succeed by itself and that after 2 months we would have the biggest and best catalogue of Italian wonders online, just that creative solutions (not so innovative actually, since Wikipedia is already there to prove the point) can be thought of, and maybe 20,000,000 euros can be used for something else.
In which direction are my suggestions going? Well, they are based on the conviction that for this kind of project, actually for any creative activity (especially on the Web), the Hacker ethic (of work) can be superior to the Protestant ethic (of work). [I think the Hacker ethic is what we should always try to tend to, as a society, because it is what makes human life more human, but anyway here the point is that for some tasks the Hacker ethic is already more efficient and preferable.] If you have not yet read The Hacker Ethic and the Spirit of the Information Age by Pekka Himanen, you should: it is a wonderful book that might shed new light on why we (and you) do stuff during our lives (you can start from the very simple "why do you work?" and "are there alternatives?"). In a nutshell, the Hacker ethic means you work on what you love; the Protestant ethic means you work because you have to. The Protestant ethic comes from Max Weber's famous essay "The Protestant Ethic and the Spirit of Capitalism" (1904-1905): Weber starts out by describing how the notion of work as a duty lies at the core of the capitalist spirit that arose in the sixteenth century: "This peculiar idea, so familiar to us today, but in reality so little a matter of course, of one's duty in a calling, is what is most characteristic of the social ethic of capitalistic culture, and is in a sense the fundamental basis of it" (from nytimes).
The Hacker ethic instead is very different: The spirit behind other hackers’ creations is very similar to this. Torvalds is not alone in describing his work with statements like “Linux hackers do something because they find it to be very interesting.” For example, Vinton Cerf, who is sometimes called “the father of the Internet,” comments on the fascination programming exerts: “There was something amazingly enticing about programming.” Steve Wozniak, the person who built the first real personal computer, says forthrightly about his discovery of the wonders of programming: “It was just the most intriguing world.” This is a general spirit: hackers program because programming challenges are of intrinsic interest to them. Problems related to programming arouse genuine curiosity in the hacker and make him eager to learn more.
The hacker is also enthusiastic about this interesting thing; it energizes him. From the MIT of the sixties onward, the classic hacker has emerged from sleep in the early afternoon to start programming with enthusiasm and has continued his efforts, deeply immersed in coding, into the wee hours of the morning. A good example of this is the way sixteen-year-old Irish hacker Sarah Flannery describes her work on the so-called Cayley-Purser encryption algorithm: “I had a great feeling of excitement. . . . worked constantly for whole days on end, and it was exhilarating. There were times when I never wanted to stop.”
Hacker activity is also joyful. It often has its roots in playful explorations. Torvalds has described, in messages on the Net, how Linux began to expand from small experiments with the computer he had just acquired. In the same messages, he has explained his motivation for developing Linux by simply stating that “it was/is fun working on it.” Tim Berners-Lee, the man behind the Web, also describes how this creation began with experiments in linking what he called “play programs.” Wozniak relates how many characteristics of the Apple computer “came from a game, and the fun features that were built in were only to do one pet project, which was to program . . . [a game called] Breakout and show it off at the club.” (from nytimes).
So what is the message here? Next time we have to design Italia.it, maybe we might try to rely a bit more on the Hacker ethic and a bit less on the Protestant ethic. By the way, even if it is quite obvious, note that the hacker ethic does not mean that hackers work for free just because they are passionate about what they do and can feed themselves on this passion.
OK, I'm going to conclude this post. Why do people take part in BarCamps? Because they are hackers (“Hackers can do almost anything and be a hacker. You can be a hacker carpenter. It’s not necessarily high tech. I think it has to do with craftsmanship and caring about what you’re doing.”), and they like to be intellectually engaged with other people (incidentally, this should also be the reason people do academic research, but sadly this is not always the case).
So, do you want to be a hacker for Italy? Then join a bunch of other hackers who will meet for a special BarCamp: the rItaliaCamp, a BarCamp whose goal is to put our passion, curiosity and enthusiasm into creating a better Italia.it that all Italians can be proud of.
On the dedicated wiki, we are trying to organize our passions and ideas. Is it easy? No. It is not easy to coordinate and do in a few weeks, unpaid and geographically distributed, what was valued at 40 million euros and 3 years of work. Will we be successful? We don't know. Shall we try? You bet!
So join the rItaliaCamp! I'll see you on March 31, 2007. Bring your passion.
Congratulations on the blog and on the posts (even though I know very little English)! I invite you to visit my blog
Looks like it has been fixed. I just tried to click on the link and the injection isn’t working.
I know for my company, we've dealt with a lot of XSS injections -> especially for email that we've imported into the database. Being a visible source product has really helped make our product better