Mon Oct 04 1999 14:45:
So. I'm doing the log analyzer for segfault, and I finally get Scott to log the referers for people who hit the site. And when I analyze the logs I find that some of the referring URLs from Slashdot have Slashdot usernames and passwords in them. We're getting 10-15 passwords a day. Turns out Mike Popovic has been seeing the same thing in his server logs.
So I mail the Slashdot crew, and I get an email back from Rob Malda that, basically, it's not a bug, it's a feature. They have a thing where you bookmark http://slashdot.org/index.pl?op=userlogin&upasswd=xxxx&unickname=yyyy and you can use that as your bookmark. So people go to that bookmark and it logs them in automatically, then they click on the segfault Slashbox and get taken to our site and we get their username and password. Malda sez: "When the bookmark is given to people it clearly states 'This is horribly insecure, but some people want it anyway'. It's a dumb method, but people are being warned of the risks."
So I don't know what moral can be derived from that, except that a lot of people prefer convenience to security. And that if you want people's Slashdot passwords, you should start a popular site and get a Slashbox for it.
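
The leak described in this post, seen from the receiving site's side: an added example (not the log analyzer mentioned above) that finds credential-bearing query parameters in the Referer field of Combined Log Format lines and redacts them before the log is stored or analyzed. Only `upasswd` comes from the post; the other parameter names, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as secrets. "upasswd" is the one named in the
# post; the others are assumptions added for illustration.
SECRET_PARAMS = {"upasswd", "password", "passwd", "pwd", "token"}

# Combined Log Format: ... "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ )'
    r'"(?P<referer>[^"]*)"(?P<tail> "[^"]*")$'
)

def redact_url(url):
    """Return (redacted_url, names_of_secret_params_found)."""
    parts = urlsplit(url)
    found, kept = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_PARAMS:
            found.append(key)
            value = "REDACTED"
        kept.append((key, value))
    if not found:
        return url, []
    return urlunsplit(parts._replace(query=urlencode(kept))), found

def scrub_line(line):
    """Redact secrets in the Referer field of one log line."""
    m = LOG_RE.match(line)
    if not m:
        return line, []  # unparsed lines pass through unchanged; review them separately
    referer, found = redact_url(m.group("referer"))
    return f'{m.group("head")}"{referer}"{m.group("tail")}', found

# Constructed sample lines (not real log data); addresses are from TEST-NET-1.
SAMPLE = [
    '192.0.2.10 - - [04/Oct/1999:14:02:11 -0400] "GET / HTTP/1.0" 200 5120 '
    '"http://slashdot.org/index.pl?op=userlogin&upasswd=xxxx&unickname=yyyy" "Mozilla/4.6"',
    '192.0.2.11 - - [04/Oct/1999:14:03:40 -0400] "GET / HTTP/1.0" 200 5120 '
    '"http://slashdot.org/" "Mozilla/4.6"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        clean, found = scrub_line(line)
        print(("LEAK " if found else "ok   ") + clean)
```

Running the scrubber at ingestion time, before the analyzer sees the line, keeps other sites' credentials out of stored logs and reports.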
