How I made the 'net a less secure place...

KGIII

Based on this thread:


Sit down, ol' David is gonna tell you a story of how he made the internet a less secure place for a whole lot of people.

The year was probably 1998 or so. At the time, internet marketing was still in its infancy. They had these things called 'safelists' which were basically online mailing lists of people mailing MLM schemes to each other. If you got in on the top, you could actually make some money - usually from other people who were trying to make money. MLM is multi-level marketing. You know, pyramid schemes.

A buddy of mine was really into this and asked me to write him a script to do this. So, I sat down for a weekend and coded this script in Perl. This was back before PHP was offered at hosting companies, and so Perl was really the only choice one could make for this task.

Now, you're supposed to use chmod on a couple of files. If you don't, then anyone who knows how to add /admin/pass.txt or /users/pass.txt would be able to get the username, password, and email for every single user - including the admin account. I made sure it was diligently installed and secured for my buddy. Storing this information in plain text was really about the only solution one could have at the time. Salting and hashing weren't something mainstream and damned if I knew how to do that.

Maybe a month later, my buddy asked me if he could sell the script. So, I wrote up the install instructions. Unfortunately, people didn't know what chmod meant and so almost none of them actually did so.

Now, he resold this script *thousands* of times. He made a pretty decent chunk of change. All the MLM people wanted to be in at the top and owning/running a safelist was a good way to get there. After all, the owner could promote endless opportunities to the people who subscribed to this safelist.

Unfortunately, there was no security mechanism in place. If you had the script and hosting, you could install it and nobody would be the wiser. So, those people also sold it on or leaked it and it was pirated by tens of thousands of people. Basically, by the year 1999 or 2000, every MLM safelist was running this horribly insecure script and anyone that understood how it worked could have all that information just from changing the URL in the address bar and pressing the enter button.

Literally, all they had to do was add the above strings to the URL in the address bar and they'd have all the personal data - it was even in a nice CSV format.

Time would pass and the usage would fade, but I still sometimes do a search for 'safelist' and look around to see how many people are still using the least secure script on the planet. Yes, yes it still is running sites all these years later, but they've mostly faded away, thankfully.

Basically, I single-handedly made the web a much less secure place - for years. I am not even mildly embarrassed. In fact, I'm kinda the opposite
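
The skipped chmod step described in the post above can be checked for and corrected on an installed copy. The following is an added example, not part of the original post or the original script: it uses the two file paths named in the post, while the function names, the sample tree and the target mode 600 are assumptions.

```shell
#!/bin/sh
# Added example (not the original script). admin/pass.txt and users/pass.txt
# are the paths named in the post; function names and mode 600 are assumptions.

# List every pass.txt under web root $1 whose "other" read bit is set,
# i.e. a file a web server running as another user can hand to any visitor.
audit_webroot() {
    find "$1" -type f -name 'pass.txt' -perm -004 -print | sort
}

# Number of exposed credential files under $1.
count_exposed() {
    audit_webroot "$1" | wc -l | tr -d ' '
}

# Restrict each exposed file to its owner (rw-------). Assumes the CGI
# script runs as the file owner, so it can still read the file afterwards.
harden_webroot() {
    find "$1" -type f -name 'pass.txt' -perm -004 -exec chmod 600 {} +
}

# Build a constructed sample install the way an unconfigured upload leaves it.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/admin" "$d/users"
    echo 'admin,constructed-password,admin@example.invalid' > "$d/admin/pass.txt"
    echo 'user1,constructed-password,user1@example.invalid' > "$d/users/pass.txt"
    echo '<html></html>' > "$d/index.html"
    chmod 644 "$d/admin/pass.txt" "$d/users/pass.txt" "$d/index.html"
    echo "$d"
}

# Demo on the constructed tree: report, fix, report again, clean up.
root=$(make_sample_tree)
echo "exposed before: $(count_exposed "$root")"
audit_webroot "$root"
harden_webroot "$root"
echo "exposed after:  $(count_exposed "$root")"
rm -rf "$root"
```

Keeping such files outside the web server's document root removes the dependence on every installer getting the permissions right.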
 


Thanks for sharing that story, you should have made it call home to see how many people are using it.
 
Thanks for sharing that story, you should have made it call home to see how many people are using it.

I initially just wrote it for one person. When they asked if they could sell it, the only change I made was writing up installation instructions. I expected him to sell one or two copies to friends. He sold it thousands of times, at like $12 (?) a pop. Then, it got shared to the pirate sites.

I probably could have made a call-home feature back then. Though there wasn't any installation process other than manually editing the config and uploading the files (and setting the permissions).
 
Basically, I single-handedly made the web a much less secure place - for years.

And we just made this fellow a Mod ... oh my stars and garters.
:D
 
And we just made this fellow a Mod ... oh my stars and garters.

It was the late 90s. Nothing online was all that secure. Once the cat was out of the bag, there was no putting it back in.

You have my solemn swearing that I'll never write another safelist in Perl.

You're welcome, world.
 