Salon | Letters to the editor

_______________ PASSWORD SPAMMING BY ANDREW LEONARD (06/03/98)

While Andrew Leonard's "Password spamming: The latest Web marketing trick" nails the privacy issues at stake when companies like Ad Age and Firefly start sharing information, I think it misses another crucial point: our conception of passwords. Given that the Web is not necessarily secure, I think the word "password" often implies too much.
Case in point: The password that Leonard provided to Ad Age that it shared with theglobe.com doesn't unlock any paid services at Ad Age. Nor would a New York Times password. At the Wall Street Journal, on the other hand, a password might be linked to a credit card for back-issue searching. So while the latest example of sending out passwords in plain text was an error, it just highlights the fact that you shouldn't expect security from the Internet unless the company you're dealing with depends upon a proven security record for its livelihood -- Firefly, CDnow or the WSJ, for instance.
Otherwise, use a password you don't care about and that won't unlock anything important.
-- Mathew Schwartz
Westborough, Mass.
I found your article on password spamming extremely interesting. I'd like to make a few comments, as a (fairly) technically savvy computer user. First, passwords and usernames are sent in clear text far more often than a lot of people are aware. Every time you (or anyone else) use programs such as Telnet, or FTP, or when you log onto an unsecure Web server, both username and password are sent in plain, unencrypted ASCII text. That doesn't make it smart for anyone (least of all someone like theglobe.com) to send usernames and passwords by e-mail, but the absurdity of the risks almost any user of a remote online service runs every day puts the spam in a slightly different light.
Secondly, I hope for theglobe.com's sake that they don't have any European (especially not British) users who got that e-mail. Transfers of passwords of that kind would violate the proposed European privacy laws. While this would not normally affect an American company, the proposed European law bans all trade of personal information with countries with weaker privacy laws. In short, if Brussels decided to get uppity (not that unusual for them), a few cases like the one you describe could lead to Europe's disconnecting from the U.S. portion of the Internet. (That might sound absurd, but Europe's like that, and many member countries are already fairly angry with the proposed changes to the domain name registration system, among other things.)
-- Jonathan Day
I'm afraid you completely missed the primary concern raised by the transfer of passwords from Ad Age to theglobe.com. The simple fact is that Ad Age has been negligent if it is even possible for this to have happened. Once I enter a password into a Web service, I expect and demand that that password be completely unretrievable. There should be absolutely no way anyone can recover my original password except by brute force attack! That Ad Age was even capable of transferring plain-text passwords to theglobe.com, even via a secure channel, indicates that it has negligently breached its duty of care toward all 35,000 of its subscribers.
The in-clear transmission of the passwords was a mistake. I don't agree with the current practice of e-mailing passwords to users on subscription; better to send it direct to the Web browser via SSL. It is, however, the flagrant disregard for basic security and the failure to provide the most basic of privacy protections that make this a very serious concern.
-- Andrae Muys

_______________ STARR'S INVESTIGATION TO BE INVESTIGATED BY MURRAY WAAS (06/03/98)

Be still oh beating heart. I was beginning to wonder what had happened to Salon's excellent coverage of that accursed thug Kenneth Starr. He starts to accumulate victory after victory, and then for what seems like weeks at a time I don't hear from the three horsemen of the Republican Apocalypse (Joe Conason, Murray Waas or Gene Lyons). I started to get worried that Starr or Richard Mellon Scaife had done something heinous. Or worse, you had decided to pass the torch. With Waas' article Salon steps boldly back into the fray. You guys are sorely needed.
-- Adam Friedman
_______________ SECOND THOUGHTS BY SALLIE TISDALE (05/28/98)

Thank you for Sallie Tisdale's dizzying, heartbreaking essay. What she describes is surely one of the most difficult moments in parenting: the absolute and critical need to let a child fail/fall/get banged up as a result of his or her choices. Ms. Tisdale may not know it for years -- indeed, her tough-love stance is no guarantee that her charming, con-man son will change -- but she is doing the right thing. She is no monster.
-- Pat Raube-Wilson
Binghamton, N.Y.

N E X T+P A G E+| More on the gender-bending 3-year-old

_______________ PASSWORD SPAMMING BY ANDREW LEONARD (06/03/98)
	While Andrew Leonard's "Password spamming: The latest Web marketing trick" nails the privacy issues at stake when companies like Ad Age and Firefly start sharing information, I think it misses another crucial point: our conception of passwords. Given that the Web is not necessarily secure, I think the word "password" often implies too much. Case in point: The password that Leonard provided to Ad Age that it shared with theglobe.com doesn't unlock any paid services at Ad Age. Nor would a New York Times password. At the Wall Street Journal, on the other hand, a password might be linked to a credit card for back-issue searching. So while the latest example of sending out passwords in plain text was an error, it just highlights the fact that you shouldn't expect security from the Internet unless the company you're dealing with depends upon a proven security record for its livelihood -- Firefly, CDnow or the WSJ, for instance. Otherwise, use a password you don't care about and that won't unlock anything important. -- Mathew Schwartz Westborough, Mass. I found your article on password spamming extremely interesting. I'd like to make a few comments, as a (fairly) technically savvy computer user. First, passwords and usernames are sent in clear text far more often than a lot of people are aware. Every time you (or anyone else) use programs such as Telnet, or FTP, or when you log onto an unsecure Web server, both username and password are sent in plain, unencrypted ASCII text. That doesn't make it smart for anyone (least of all someone like theglobe.com) to send usernames and passwords by e-mail, but the absurdity of the risks almost any user of a remote online service runs every day puts the spam in a slightly different light. Secondly, I hope for theglobe.com's sake that they don't have any European (especially not British) users who got that e-mail. Transfers of passwords of that kind would violate the proposed European privacy laws. While this would not normally affect an American company, the proposed European law bans all trade of personal information with countries with weaker privacy laws. In short, if Brussels decided to get uppity (not that unusual for them), a few cases like the one you describe could lead to Europe's disconnecting from the U.S. portion of the Internet. (That might sound absurd, but Europe's like that, and many member countries are already fairly angry with the proposed changes to the domain name registration system, among other things.) -- Jonathan Day I'm afraid you completely missed the primary concern raised by the transfer of passwords from Ad Age to theglobe.com. The simple fact is that Ad Age has been negligent if it is even possible for this to have happened. Once I enter a password into a Web service, I expect and demand that that password be completely unretrievable. There should be absolutely no way anyone can recover my original password except by brute force attack! That Ad Age was even capable of transferring plain-text passwords to theglobe.com, even via a secure channel, indicates that it has negligently breached its duty of care toward all 35,000 of its subscribers. The in-clear transmission of the passwords was a mistake. I don't agree with the current practice of e-mailing passwords to users on subscription; better to send it direct to the Web browser via SSL. It is, however, the flagrant disregard for basic security and the failure to provide the most basic of privacy protections that make this a very serious concern. -- Andrae Muys
_______________ STARR'S INVESTIGATION TO BE INVESTIGATED BY MURRAY WAAS (06/03/98)
	Be still oh beating heart. I was beginning to wonder what had happened to Salon's excellent coverage of that accursed thug Kenneth Starr. He starts to accumulate victory after victory, and then for what seems like weeks at a time I don't hear from the three horsemen of the Republican Apocalypse (Joe Conason, Murray Waas or Gene Lyons). I started to get worried that Starr or Richard Mellon Scaife had done something heinous. Or worse, you had decided to pass the torch. With Waas' article Salon steps boldly back into the fray. You guys are sorely needed. -- Adam Friedman
_______________ SECOND THOUGHTS BY SALLIE TISDALE (05/28/98)
	Thank you for Sallie Tisdale's dizzying, heartbreaking essay. What she describes is surely one of the most difficult moments in parenting: the absolute and critical need to let a child fail/fall/get banged up as a result of his or her choices. Ms. Tisdale may not know it for years -- indeed, her tough-love stance is no guarantee that her charming, con-man son will change -- but she is doing the right thing. She is no monster. -- Pat Raube-Wilson Binghamton, N.Y. N E X T+P A G E+\| More on the gender-bending 3-year-old