Blogger was hacked earlier today. According to Anil (and his guests), the password database was compromised and passwords reset. Guess a blogger's login, and you too could have started running the Orbital Blog Control Laser.
The incident is a bit terrifying from a security perspective when you remember that users casually entrust Blogger with their FTP passwords. It looks like that database was separate from the main Blogger database, so the unthinkable didn't happen this time. Discussion since this morning has centered on whether Blogger's centralized model is intrinsically risky. Decentralized blogging tools -- which, after all, often involve "trusted" web interfaces that can trample your account if not properly secured -- do have one major advantage: an intruder must actually carry out the exploit against each separate host to be attacked. Whereas if you could get yourself into the Blogger databases, you could probably single-handedly start or stop the war in Iraq inside of an hour.
And now for the law-school style questions. Is there an important difference between hacking ten thousand sites and hacking one site that controls ten thousand sites? Should Blogger be held to a different (legal) standard for supplying a service instead of supplying software? Should the users who gave Blogger their passwords be in trouble with their local sysadmins? With the law? And now for the kicker: what if Blogger (or its users) had been claiming protection under the DMCA? LawMeme is sorting through the implications.