Hacker News | robmurrer's comments

I guess the difference would be that there is usually only one electric company that can supply you with power.


A coffee shop has very little equipment, and what it has tends to be isolated from other utilities (such as gas): they could easily run their shop off a generator (maybe even a battery for a short time).


>> required visiting an AT&T web address with a particular – and easy to guess – code tagged onto the end.

How is this different than a password?


A password at least makes it clear to a bystander that some access control is intended at that URL. Consider the silly case where I have a server responding to example.com/funny/ and then try to claim that it was secure simply because I had not published the link. People would be quite confused if they went to jail for visiting it.


Someone can provide you with a clickable link, as in for instance this submission, and you would never even know that the content you are accessing is supposed to be "protected".


You can format a link to be something like:

http://username:password@members.example.com

I wouldn't say that means the account in question is unprotected.


If you are going to nitpick, I will say that this is a feature that relies on browser support. It's not fundamental to the web. Query strings, however, by definition need to be supported on the server side. They are a part of the web. They are required for the web to work.

Why is "browser support" relevant? Your example is not supported in MSIE. I also thought it was removed from Chrome (in the name of "simplicity"), but I may be wrong.

A link with query strings is guaranteed to work for everyone.

http://support.microsoft.com/kb/834489


Huh, I had no idea that feature had been deprecated. I guess it's been a little longer since I used it than I thought.


It was used for lots of http://famous-website.com:long-token-nobody-will-ever-read@p... style attacks.

Microsoft's solution to the problem may not have been ideal, but at least that was the reasoning behind it.

Edit: And what do you see once you click post? Hacker News ironically proving Microsoft's point. It's a wonderful world we live in.
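An added example, not written by any commenter in this thread: the two URL forms discussed above (the `username:password@host` link and the look-alike `hostname:token@other-host` link), parsed with Python's `urllib.parse` to show which part a client actually connects to. All URLs below are constructed and use the reserved `example.com` / `example.net` documentation domains.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (not taken from the thread).
SAMPLE_URLS = [
    # Legitimate use of the userinfo component: credentials for members.example.com
    "http://username:password@members.example.com/area",
    # Deceptive use: the text before '@' reads like a hostname, but the request
    # goes to example.net; 'www.example.com' becomes the *username*.
    "http://www.example.com:this-long-token-nobody-reads@example.net/login",
    # The query-string alternative: no userinfo at all, token travels in the query.
    "http://members.example.com/?token=abc123",
]


def split_authority(url):
    """Return (userinfo, actual_host, query) for a URL.

    Per RFC 3986 the userinfo is everything before the last '@' in the
    authority. A browser that still honours it sends that text as credentials,
    but the connection is made to the host *after* the '@'.
    """
    parts = urlsplit(url)
    userinfo = None
    if parts.username is not None or parts.password is not None:
        # urlsplit already applied rpartition('@'); recover the raw userinfo.
        userinfo = parts.netloc.rsplit("@", 1)[0]
    return userinfo, parts.hostname, parts.query


def looks_like_hostname_spoof(url):
    """Heuristic used for triage: flag a URL whose userinfo contains a dot.

    A username that looks like 'www.example.com' is the classic pattern for
    making the visible prefix of a link read as a different site than the
    one the client will contact.
    """
    userinfo, _host, _query = split_authority(url)
    if userinfo is None:
        return False
    username = userinfo.split(":", 1)[0]
    return "." in username


def describe(url):
    """Human-readable summary of where a URL really points."""
    userinfo, host, query = split_authority(url)
    note = "userinfo resembles a hostname" if looks_like_hostname_spoof(url) else "ok"
    return f"host={host!r} userinfo={userinfo!r} query={query!r} [{note}]"


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u)
        print("   ->", describe(u))
```

The point of the second sample is that everything the eye reads first is the username; `parts.hostname` is the only field that tells you which server is contacted, which is why a link checker or mail filter should report that field rather than the raw string.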


I see your point, but how does this apply to this case?


I guess this is exactly the thing that the court must decide on: whether guessing that code can be considered a circumvention of security measures or not.


Following that logic breeds bizarre results.

What if you find this magic token because it was embedded in some client-side JavaScript login form? Are you a hacker for viewing the source?

Securing content on the internet is easy. If you don't want it accessible to anyone, don't give the content to anyone who provides an unauthenticated HTTP request.

Why are we putting the legal responsibility of maintaining security on that content on everyone except the ones actually in position to do so?


If I look under your doormat, and there is a key, and I use it to open your front door...


Rather, if you leave a (possibly classified) document under your doormat, am I a criminal if I find it and read it?


Depends on the document and jurisdiction. If I remember correctly, some levels of military classification here in Finland require you to not read the document and to return it to the officials. Of course, the one who left the document would also get reprimanded at least.

Using someone's password without permission is equally illegal whether you shoulder-surfed it, cracked it or read it from a Post-it note.


A house's front door implies an expectation of privacy. A web server implies an expectation of public access.

