21st: Piracy on the Web seas

Will Slate be able to fend off the Web's password pirates?

By Andrew Leonard

Published March 9, 1998 8:00PM (EST)

The portcullis slams down today at Slate. Henceforth, readers of the Web magazine who haven't paid their $19.95-a-year subscription fee will smack their eyeballs against the bane of Web surfing -- a dialog box demanding a password.

Media observers, on- and offline, are scrutinizing the fallout from this bold move with great curiosity. Is this the future of Web publishing or the beginning of the end? While pundits speculate on the grander meaning of Slate's decision, the Microsoft-owned magazine -- like every other Web site that's tried to close its doors and charge for access -- now faces some eminently practical questions: How long will it be before Slate passwords fall into the greedy hands of password "sneakers," "leechers" and "traders"? How long before they become just another listing publicly posted on the Web's renegade "free password" sites? In short, how will Slate defend itself against the scourge of the Net -- the dreaded password pirates?

As a service to our colleagues at Slate, Salon decided to find out. Password theft is no laughing matter. As Juliet Lowrie, director of operations for Adult Check, a "verification services" specialist, warns, a site that posts free passwords "can annihilate somebody."

To be frank, it's not all that likely that password pirates are lusting after Slate's punditry -- all they really want is free porn. Slate can look to the example of the Wall Street Journal's Interactive Edition and breath easy -- WSJ executives say they haven't had any significant problems with password piracy.

But Slate would be wise not to relax overmuch. The evolution of Web publishing business models has hardly begun, and controlling access is bound to become increasingly problematic. Developments in the online sex biz often foreshadow what's coming to the mainstream -- and over the past year, the trading and sale of passwords has entirely reshaped the sex-site economic food chain. Like a malign virus, rampant password piracy may soon spread out of the sex-site underworld and into the "legitimate" economy. Even if it doesn't, there are still plenty of lessons to be learned from an excursion into those shady byways.

- - - - - - - - - - - - -

The first lesson is that the mere utterance of the phrase "free
passwords" is a powerful Web-surfer aphrodisiac, an effective marketing
tactic that no responsible businessman should ignore. A close look at the
various forums for password exchanges -- chat rooms, bulletin boards, Web
pages -- reveals that the vast majority of sites advertising free passwords
to porn sites are actually sex sites themselves, luring traffic through the
age-old tactic of deceptive advertising.

As Salon reported last November, an oversupply of product in the
Web-porn industry has led to a frantic battle for traffic. A whole new tier of Web sites subsisting on
revenue derived from sex-site advertising has arisen. At first, those sites
attracted their own traffic by offering free pictures or video. Now,
increasingly, they've taken to offering, or pretending to offer, free
passwords as an added incentive.

Even the "honest" free password sites -- those that actually do post
lists of working "passes" -- often receive their passwords directly from
the sex sites that they purportedly are violating. In many cases, the
relationship is contractual -- the sex sites pay the password sites a flat
fee to feature ostensibly stolen passwords. And even those sites that
are hacking access to passwords or otherwise illegitimately
gathering them are still subsidized, via advertising, by the sex-site

"I sell [advertising] banner space to adult sites," wrote the Webmaster
at Password Corporation via e-mail, "and part of the deal is that I notify
them if any of their passes are compromised. [They] come back month after
month, re-purchasing the banner space. Some XXX Web masters send me passes
to their own sites, & kill the passes after a while. So they must be happy
with the arrangement also. I have even had [a] Webmaster send me a pass
just to see how I rank their site -- they e-mail me later & ask how they
could improve it. It is a peculiar arrangement, but as long as it makes
money, I have no problems with the exercise."

According to Adult Check's Juliet Lowrie, the sex sites keep control of
a potentially volatile situation by giving away their passwords to the
supposedly "pirate" sites.

"You're getting well-managed, manipulated access," says Lowrie.

Forbidden fruit is always the tastiest: Newcomers to the
password-protected world, like Slate, might do well to take note. Perhaps
by seeding some of the pirate sites with "free" Slate passwords, the
magazine could attract readers who might not otherwise be interested. But
it's a risky tactic. No one likes to know that they are being manipulated.

If word got out that a free-password site is in cahoots with the sex
sites, "I think it would kill the mystique of the page," says Lowrie.

Not all free passwords are bogus. Legitimate (or illegitimate, depending
on your perspective) password trading and hacking occurs on many levels.
Roving bands of password traders cruise the Web, looking for bulletin
boards where nobody is paying attention, and then settle down for a couple
of weeks, offering and requesting highly sought-after passwords. As soon as
some authority notices the action, they move on. Internet Relay Chat
channels are another hotbed of activity -- and indeed, this Salon reporter
was banned for life from several such channels after inquiring too closely
into the password activities of the mysterious GreEcH, a notorious password

Unsurprisingly, providing password defenses has become a booming
industry. Over the past six months, the number of companies that offer to
do site-specific logfile analysis and password monitoring has mushroomed.
And at least 45 companies offer
verification services for networks of adult sites.

The rise of the verification services has led to a hierarchy of value
for certain passwords. The most often requested passwords on the Net, by
far, are those that will work on the Adult Check network -- apparently the
largest network of adult sites. Adult Check handles password authentication
for some 15,000 sites, says director of operations Lowrie. For the low
price of $16.95 a year, one password gains access to all Adult Check sites
-- a value that is reflected in the widespread demand for the password.

Traders have been known to offer as many as three Porno Pass (another
verification system) passwords for one Adult Check. The size of the network
isn't the only reason Adult Check IDs are so valuable. A good, working
Adult Check password is also simply very hard to find.

Adult Check passwords tend not to last long once they enter the public
domain. Lowrie, who claims that Adult Check's four centralized servers
receive 72 verification requests a second, notes that the service
automatically cancels passwords if they are being used by two people at the
same time, or if they are discovered to be originating from different Web
addresses over a given period of time. The result, says Lowrie, has been a
marketing coup for the company.

"When we went out and wrote our detection scripts," says Lowrie, "we
didn't think what attention this will draw to our company. It created a
great desire [on the part of the password traders] to go out and get one.
The attitude is, 'If you can get one of those babies that's working, you're
really something.'"

Which brings us to lesson No. 2 for Slate: The harder it is to gain
access to a site, the more highly people prize that access. Perhaps a few
well publicized crackdowns on Slate hackers might even be in order.

Of course, Slate obviously understands this point, or it wouldn't have
gone forward with a subscription model in the first place. Just the
announcement that Slate is moving to a pay-for-access model, and the
publicity that's generated, has probably boosted its traffic.

Slate may have a harder time cracking down on abuses than its
counterparts in the Web's red light district, however. For example, as
Slate publisher Rogers Weed notes, he would not cancel a Slate password
simply because records indicate accesses originating from multiple
locations. Slate subscribers are expected to be an affluent, on-the-go
demographic: They will doubtless be logging on from both at home and at
work, as well as on the road. Summary cancellation would not go over well.

Weed says Slate has some defenses in place, although for understandable
reasons he preferred not to go into detail. He did say Slate wasn't likely
to call for outside help to monitor site security -- Microsoft is already a
seasoned veteran of the anti-piracy wars.

"It's just like software," says Weed. "You have to deal with the same
issues. We do ask people not to give their password away, and we do have
some ways to detect it if they do. If we find it happening we'll shut it
down, but we're not going to be hard-core about it unless it becomes a
problem. Basically, we'll go by the honor system, with some checks and

Slate is obviously hoping that by cutting off access to its pages, it
will raise the value of its contents and encourage people to pay up. But
the magazine has also thought through the problem of how a
password-protected site gets its message out to the rest of the media
world. Weed says that Slate will give out passwords good for a single day
to people -- reporters, pundits and so on -- with a reason to require access
on a timely basis. Weed also says that Slate is toying with ideas for "site
licenses" that an entire news organization or other business might receive.

Slate is charging $19.95 for a year of access -- a figure that is
intriguingly close to the price for an Adult Check password. But how much
is a Slate password really worth? What will the underworld market pay for
purloined Slate goods?

Knuckled brows met our question.

"I don't know what their value would be," says Lowrie. "If you
came to one of the password sites, someone would think you were a complete
nerd if you had a Slate password."

"unclescoopy," the Webmaster for Pirate Lynx, a Web site
that ranks and reviews free password sites, is even more dismissive.

"I just don't see the frequenters of these sites jumping up and down
with excitement over the publication of the Slate password," says
unclescoopy. "'Oh, happy day, some incisive analysis from Michael Kinsley
on the Uruguay round ... I guess my plan to jerk off over Asian women can

Hmmm. Slate may be safe after all.

Andrew Leonard

Andrew Leonard is a staff writer at Salon. On Twitter, @koxinga21.

MORE FROM Andrew LeonardFOLLOW koxinga21LIKE Andrew Leonard

Related Topics ------------------------------------------