by wdewind 5844 days ago
"As a user, I fully accept it. http://blog.dustincurtis.com has received almost a million pageviews in the past year, and this is the first time this has ever happened. And It happened because I provoked it in an extremely popular article was posted to a community of hackers. To be honest, I expected someone to try this."

as an EDUCATED user YOU accept it, i'm not sure most of the posterous users understand and would make the same decision to use posterous if they did.

this is like saying car companies could sell shitty locks on their cars because they mostly won't be tested anyway, and the driver will have an easier time getting into the car. it's VERY unlikely my mother's car will be broken into just statistically speaking, but hey even if it happens it's just one person. not a big deal.

i'm pretty sure if posterous made it clear how easy this is, many users would stay away, just like many people would not buy toyotas if they came with shitty locks, no matter how little they expected to be broken into.

2 comments

If someone steals your car, you're out many thousands of dollars and extremely inconvenienced.

If some random idiot posts a link to a Nigerian scam on your blog, you just delete it and get on with your life.

Unless you're one of several companies or high profile individuals that uses the service (YCombinator, Alex Bogusky, etc.)

Edit — More extensive list here: http://posterous.com/explore/moreblogs

Assuming that there's a trust being built between users, far more dangerous results can happen than 'nigerian scam' posts.

That's the problem with minimizing security: you're making it so that there can't (or shouldn't) be trust between users because there's no reliable way to know who is making the post.

"Hey, just a quick note to let you know I tried <apple app link> and I love it! Grab it now!"

Or, more dangerously, someone could post a phishing link and because the context is different, people's trained safeguards ("BE WARY OF E-MAIL!") aren't as wary to blog links.

So yes, there are sometimes tradeoffs between security and ease of use. But I think trust is more important to posterous than you credit.

maybe to you it doesn't matter, but these things can be intensely personal to people. it's still an issue of violating your space (to the layman end user, i know the technical definitions of "your space" are nebulous, i'm talking about the emotional ones that i think posterous is kind of violating).

and what happens when the idiot who posts the nigerian scam on your blog scams your mother who is reading your blog and assumes it's from you? no big deal? move on with your life? try and be a little imaginative with the things that could be done here...

if it's not a big deal, posterous should make it clear to users what they give up for convenience. again, i really don't think users would make the same choice they are to use posterous if they understood the implication. whether or not it matters to you.

and more importantly, there are a ton of people suggesting pretty viable alternatives that wouldn't make it harder to post and would still allow a lot more security.

Appreciate the concern, and we hear you. We're still investigating this particular case. Normally we'll catch these types of spoofed emails. What we need to do is refine our system.

To be honest, we haven't had many complaints about spam emails or spoofs -- it literally never happens, otherwise we would hear about it all the time. We answer every help email we get -- so we have a decent idea of what our users care about and what pains they really see.

If trust is an issue, we will fix it.

>To be honest, we haven't had many complaints about spam emails or spoofs

Because you're below most people's radar. Compared to blogger or anything similar, you barely measure.

So essentially you are practicing security through obscurity.

Of course we know that is foolhardy.

I wonder if your users feel the same way.

Actually, since the internet never forgets, a hacked blog might cause much more severe damage than a stolen car. There are also other sorts of crimes besides Nigerian scams.

This is a pretty weak argument. Windows is notoriously insecure, but many people choose to use it every day. Making decisions about tradeoffs between insecurity and convenience is part of life, and it's not for us to assume what most people would do.

Further, I think if you made the downsides of everything abundantly clear to people then they would just be really scared. Everything, including posting to hackernews, has horrific potential consequences. But generally as long as bad things don't happen, people don't pay much attention to them. Where there's no smoke, there's no fire.