The reason I am posting this now is that I went looking for the site today, to dig some information up (using the techniques described in the article), and the site was GONE.
I submitted this article to 2600 and to Frequency, and neither published it. Granted, it wasn't the best-written article. But I was right about the site and the article was right on, so I am posting it here now for your enjoyment. It will also be up on the article page when I finally get around to that.
Hotlinks – Bad idea, terrible execution
“Hey I’ve got an idea, what if we all combined our bookmarks together and made one gigantic bookmarks page where we can share our links!”
That’s probably how it started for the people who made the Hotlinks.com site (they even go so far as to proclaim themselves “next generation”). It sounded good at a frat party, and a whole business was formed around it. I am being sarcastic because it is quite simply a very dumb site. Basically, they ask users to register with them, and then the user uploads his or her bookmarks to the site. These bookmarks are combined with the bookmarks from all of the other users to make a giant database of sites. If you haven’t seen the lunacy of this idea yet, please let me explain why this is a waste of time for any user with half a brain.
First of all, the idea of gathering your bookmarks with others may be fine and dandy. But do you really want your great-grandmother in Idaho to see your collection of porno sites listed next to your link to the Yahoo.com search engine? Do you want anyone to see these sites? We all share sites with whomever we choose, but with Hotlinks’ setup, you no longer have the luxury of choice. Once you have uploaded your links, you are out of luck. You are now exposed to the world (in more ways than one, as I will explain later). They claim they have an option to share “some or all” of your links, but I did not see this option anywhere, and I am sure it is not the default.
Secondly, what is the point here? I mean, what is the possibility that someone else who shares my interests actually has a bookmark that I haven’t already found? This is only potentially helpful if it is some “top secret” or private site, but the moment it is added to a huge database of other sites, well, it just isn’t very private anymore, is it? And even if the database does turn up a site that is new to me, what would bring me to Hotlinks and not to IWon or Lycos or some other corporate search engine?
Where is the first place you go when you are looking for a new site or for information? For me, it depends on how mainstream it is. If I just can’t think of some corporate web site, or some popular download site, then I go to Yahoo, the king of portal-style search engines. If it is more obscure, I use the AltaVista search engine or some site powered by the Inktomi search engine (such as HotBot, GoTo, or Yahoo). I cannot think of any circumstances where I would find myself going to Hotlinks to find a page. Knowing that it only contains those sites that are input by its users makes it extremely limited, whereas a normal search engine continuously finds new pages on its own. It is kind of like trying to find a skyscraper in backwoods Kentucky instead of going to New York City. You are looking in the wrong place!
Why do I do a search on Hotmail and get 38,000+ results? Ok, I get it. A lot of people have Hotmail bookmarked. Is there really a need to have them ALL REFLECTED in the search results? It is painfully obvious that the engine is about as dumb as a box of hammers. It gives me a list of usernames of every member that has a link to Hotmail, not realizing that there are not 38,000 DIFFERENT Hotmail sites. Not only is this the DEFINITION of REDUNDANCY (literally, according to The American Heritage Dictionary), but the lack of thought put into security also boggles the mind.
When will they fulfill their guarantee of security? This is actually my main problem with the site. As is the case with many other half-baked ideas out there, this one is also fundamentally flawed (and I hesitate to use the word “mental” with this site). What I am about to explain has been happening at their site since it started in 1998, and very little has changed since then. They did finally curb the ability to find FTP login IDs and passwords by removing the actual “L:” or “P:” portion of the URL link from the database. Basically, they now only search on the link TEXT (e.g. “Hotmail – The world’s FREE web-based E-mail”) instead of the actual URL (e.g. http://www.hotmail.com/). Just do a search for Hotmail.com and you will not get the 38,000+ hits described earlier. Do they know about these problems and ignore them? Or are they just stupid and don’t see them at all?
Take the above example using Hotmail. I thumb through a few results and sitting right there in plain sight (I am sure everyone saw this coming except for Hotlinks; this is why I say it is “fundamentally flawed”) is someone’s USERNAME and PASSWORD. Now I am not going to flame a common user for putting their name and password in their bookmark. It is, after all, their bookmark. Some users just do not have the foresight to see what they might be doing. But I will happily flame the company that makes it public through its negligence. Personally, I would consider a lawsuit against anyone who did not provide one OUNCE of the security that they claim to have. I could (and note that I said “could”. Obviously I wouldn’t do this, since I am a hacker and not a criminal, and this is all done to educate people on what not to do. I sincerely hope that NO ONE USES WHAT I HAVE SHOWN FOR ILLEGAL PURPOSES!) log into the unknowing user’s e-mail account and learn that they are currently searching for a new job. I might also notice several order receipts (with credit card numbers in plain view) from their online purchases. There may be political messages, personal (i.e. embarrassing) messages, and even other USERNAME/PASSWORD information for other sites. Even the outgoing/sent messages are in plain view.
Obviously, you can see how this can quickly snowball. Within about 5 minutes, I could have the user’s name, address, credit card information, and personal information. I could log into his or her accounts on several different sites and impersonate them, or gather more information for some other sinister purpose (again, I didn’t, nor would I, but someone else might).
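A concrete version of the problem described above, added here as an example and not code from this article or from Hotlinks: a small Python script that scans a Netscape-style bookmark export (the HTML format browsers of the time wrote) for URLs carrying a login in the standard userinfo position (scheme://user:password@host/...) and produces a redacted copy. Either the user could have run it before uploading, or the site could have run it before indexing, which is all it would have taken to keep the “L:”/“P:” material out of the search results. The sample bookmarks, usernames, passwords and hostnames are constructed for illustration; I do not know exactly how Hotlinks encoded the login portion of a link, so the script treats credentials the way URL syntax itself carries them.

```python
"""Audit a Netscape bookmark export for URLs that embed a login, and emit a
redacted copy safe to share.

Added example, not part of the original article and not Hotlinks' code.
Assumptions: bookmarks are in the classic HTML export format
(<DT><A HREF="...">title</A>), and credentials sit in the URL's userinfo
component (scheme://user:password@host/...). SAMPLE_BOOKMARKS below is
constructed for illustration; none of the hosts or logins are real.
"""
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed sample input in the format browsers of the era exported.
SAMPLE_BOOKMARKS = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
    <DT><A HREF="http://www.hotmail.com/">Hotmail - The world's FREE web-based e-mail</A>
    <DT><A HREF="ftp://jdoe:hunter2@ftp.example.net/public_html/">My web site (FTP)</A>
    <DT><A HREF="http://alice@intranet.example.org/wiki/">Work wiki</A>
    <DT><A HREF="http://www.yahoo.com/">Yahoo!</A>
</DL><p>
"""


class BookmarkParser(HTMLParser):
    """Collect (href, title) pairs from every <A HREF=...>title</A>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._title = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._title = []

    def handle_data(self, data):
        if self._href is not None:
            self._title.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._title).strip()))
            self._href = None


def parse_bookmarks(html):
    parser = BookmarkParser()
    parser.feed(html)
    return parser.links


def embedded_credentials(url):
    """Return (username, password) if the URL carries userinfo, else None.
    The password is None when only a username is present."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return None
    password = unquote(parts.password) if parts.password is not None else None
    return (unquote(parts.username or ""), password)


def redact_url(url):
    """Strip the userinfo component so the link no longer carries a login.
    The host and port are taken verbatim from after the '@' so case and
    bracketed IPv6 literals are preserved."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    netloc = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def audit(html):
    """Return (findings, safe_links): what would leak, and a redacted list
    that can be uploaded or indexed without exposing anyone's login."""
    findings = []
    safe_links = []
    for href, title in parse_bookmarks(html):
        creds = embedded_credentials(href)
        if creds is not None:
            findings.append({
                "title": title,
                "user": creds[0],
                "password": creds[1],
                "redacted": redact_url(href),
            })
        safe_links.append((redact_url(href), title))
    return findings, safe_links


if __name__ == "__main__":
    found, safe = audit(SAMPLE_BOOKMARKS)
    for f in found:
        shown = "(none)" if f["password"] is None else "*" * len(f["password"])
        print(f"LEAK: {f['title']!r} embeds user={f['user']} password={shown}")
    print("Safe to share:")
    for href, title in safe:
        print(f"  {href}  {title}")
```

Running it against the sample reports two leaking entries (the FTP bookmark with a full login and the wiki bookmark with a bare username) and prints a list in which every URL has had its userinfo removed. The search engine described above was effectively indexing the un-redacted column; a site that only ever stored the redacted one would have nothing to leak no matter what its users uploaded.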
So, the point (besides showing that Jonathan Abrams and the rest of the Hotlinks crew are, in my opinion, idiots) is to think about what the long-term effects are when you sign up for a site. I still haven’t figured out the need to become a “member”, since I did everything without ever signing up for a damn thing. Now that I have made this information public, how long before they fix it? What is even more disturbing is that this site is a member of TRUSTe and supposedly has its privacy practices approved. This also tells me all I need to know about TRUSTe. I guess the best thing to say, no matter how cliché it sounds, is to “trust no one”.