'Spamalot' Subscribers to Get Spam ... a Lot

CrazyWingman writes "It looks like the list of e-mail addresses subscribed to the lists for the Broadway show 'Spamalot' has been nabbed by spammers. The New York Times is reporting that the list was posted on a page that could be found by looking at the source of other Spamalot webpages. All I have to say is that I hope the creators of the Spamalot website have been sacked."

Re:Anyone got the copy of the article?

[shadowsurfr1]

And for other websites, use BugMeNot, the firefox extension. Quite helpful.

Re:Anyone got the copy of the article?

[The Ultimate Fartkno]

It's a floor wax!

Re:Anyone got the copy of the article?

[pyrrhonist]

And a dessert topping!

Boy...

[Rolling_Go]

Who didn't see THAT one coming?

Re:Boy...

[Anonymous Coward]

You missed the joke here, that was :
- "Who expected that ?"
- "NOBODY expects the Spanish Inquisition !"

Re:Boy...

[Pig Hogger]

- "NOBODY expects the Spanish Inquisition !"

Er, you got it wrong. it's:
- "NOBODY expects the Spammish Inquisition !"

Re:Boy...

[macmastery]

Actually, this reporter contacted me for this story. When I heard that site had a problem, I went to check it out for myself. What I found was that the contact form action URL [montypythonsspamalot.com] entered on its own would display all of the nearly 20,000 name, postal and email addresses.

The bug I saw in action is fixed now, but if you select the whole contents of the page, there is still some strange if innocuous text showing there.

Since I used a unique email address for this site, I have been checking to see if I got any spa

That does it.

[AtariAmarok]

That does it. I'm going to sign up at www.freemoneyalot.com If it works like www.spamalot.com does, I'll be on the gravy train!

Re:That does it.

[elgatozorbas]

If it works like www.spamalot.com does, I'll be on the gravy train!

Nope, it works like www.freesmallfurryanimals.com, and they'll free your money from your wallet...

Re:That does it.

[xmas2003]

Nope, it works like www.freesmallfurryanimals.com, and they'll free your money from your wallet...

FreeSmallFurryAnimals [freesmallf...nimals.com] doesn't resolve, but for those that don't care for 'em, try using an M-1 Carbine to hunt rats. [komar.org]

Camelot!

[blackholepcs]

It's only a model.

Ahhhh.... irony

[GPLDAN]

It's a bitch. Is this poetic or ironic justice?

Re:Ahhhh.... irony

[y0saph]

it's neither, but i'd say t'is rather funny

Re:Ahhhh.... irony

[brilinux]

I actually saw Spamalot on Monday, and I must say that it was rather funny. It opens this coming week, I believe, and I recommend that anyone who is not French, Finnish, Jewish, or Gay goes to see it, or, if (s)he is a member of one of those groups, that (s)he have a very good sence of humour. It was quite a good show, though, and a lot of fun to see.

And, John Lithgow was sitting five rows in front of me. He has a bald spot on the back of his head.

Re:Ahhhh.... irony

[brilinux]

Well, if you recall, Holy Grail has the Nordish stuff at the beginning. Spamalot, in keeping with the make fun of the Scandinavians tradition, has a Finnish dancing number at the beginning.

Re:Ahhhh.... irony

[FunWithHeadlines]

The Broadway Playbill that comes with the show even begins with production notes for a Finnish musical. Sure enough, as the narrator at the beginning of the show sets the time and place for the show, the curtain rises on a bright alpine village full of brightly-colored Finns. They then do the Python fish-slapping song. Then the narrator yells, "I said ENGLAND!" The Finns sadly trudge off the stage, the stage gets much darker and murkier, and then we see the monks chanting and slapping their foreheads as

Re:Ahhhh.... irony

[flossie]

bright alpine village full of brightly-colored Finns

Finns. In an Alpine village? Shouldn't that be an Arctic village? Finland is nowhere near the Alps!

Re:Ahhhh.... irony

[DaveJay]

Do the words "Spoiler Warning" mean anything to you? Gee whiz.

Re:Ahhhh.... irony

[FunWithHeadlines]

"Do the words "Spoiler Warning" mean anything to you? Gee whiz."

I thought about it, but I'm describing the first three minutes of the show, and the Playbill describes it even before the show starts. It's not as if I gave away anything more than one joke, and I promise you the show is worth seeing for the hundreds of other jokes it contains.

Re:Ahhhh.... irony

[Chris Pimlott]

No, they don't, and from what I heard, they aren't planning on it for a while, since they the face price on back balcony tickets are only $20.

It is possible to get tickets if you keep trying. Telecharge's pages are pretty nice, you can try to get tickets for a range of dates and if you leave the window open you only have to enter the captcha once. I left it up on the dates I wanted and tried it periodically and managed to get two tickets on the 5th or 6th try.

Re:Ahhhh.... irony

[rob_squared]

"And, John Lithgow was sitting five rows in front of me. He has a bald spot on the back of his head." Yeah, I'm glad someone *finally* pointed that out.

Great show!

[tommck]

I just saw it last friday (one week ago) and I thought it was great. It's well worth going. But, beware, people are trying to mark up the tickets like crazy.

I also recommend, if you like Indian food, to go to Utsav in the theater district. It was friggin awesome. Get the Murg Vindaloo and order the Sterling Cabernet with it. It's a great combo, if you don't mind your food making you sweat :)

Anyway, great show for Holy Grail fans :)

T

Re:Ahhhh.... irony

[rsidd]

If it's like the movie, why wouldn't the French like it? The only French-reference I remember there, the French win: that's the taunting Arthur et al get from the French guy in the castle ("You don't frighten us, English pig-dogs! Go and boil your bottoms, son of a silly person! Ah don' wanna talk to you no more, you empty-headed animal food-trough wiper! Ah fart in your general direction! Your mother was a hamster, and your father smelt of elderberries!") And eventually they have to beat a

Re:Ahhhh.... irony

[brilinux]

It is not that much like the movie with regard to the French.

Re:Ahhhh.... irony

[Silentnite]

No, It is Irony that Parent got modded up Interesting. Or wait, It would be irony if he got modded up informative... Because of the John Lithgow comment.

Its late, Im tired, and I had a joke that sounded a lot better in my head. Good night slashdot.

--------------------
http://www.freeminimacs.com/?r=15622556 [freeminimacs.com]
http://www.surfjunky.com/?r=Silentnite/ [surfjunky.com]

Reg-free link

[Shachaf]

Registration free link [nytimes.com]
Generated using the New York Times Link Generator [blogspace.com].

Re:Reg-free link

[wowbagger]

And the funny thing is, that it is incidents like this that cause people like me to not want to register with sites like the Times, precisely to prevent accidental disclosure of any information.

And yes, I know that you can lie on the forms, but my attitude is, why encourage sites to use registration by lying?

Re:Reg-free link

[JuggleGeek]

And the funny thing is, that it is incidents like this that cause people like me to not want to register with sites like the Times, precisely to prevent accidental disclosure of any information.

That, from wowbagger (69688).

I agree that you should be careful where you register. The NYTimes has never abused my information, just as /. has never abused my information. Those of you that hate the NYTimes because they require a free registration look a little odd to me when you post under an account registe

Re:Reg-free link

[wowbagger]

This is perfectly in keeping with my point. For the risk of logging into Slashdot, I gain several advantages over not logging in - the ability to post messages with more chance of them being read, the ability to filter stories, etc.

The only data Slashdot has on me is my preferred nickname, my Slashdot password, and an email.

The worst that could happen were Slashdot's database comprimised is the revelation of my Slashdot password and my email - so I would have to change one password and I might see a margi

Ripped!

[Anonymous Coward]

"Spamalot" fans who signed up for a newsletter on the Broadway musical's official Web site may end up getting, well, spammed a lot. "Movin' Out" devotees may have the same problem. A security glitch - now fixed - exposed the names and postal and e-mail addresses of more than 31,000 people to savvy computer users.

Up until Thursday evening, when a reporter from The New York Times pointed out the problem to the Web sites' developer, visiting a specific address on the shows' sites produced a long page with mailing-list data. The security hole was not obvious to casual Web surfers because the address was buried in the site's code. But it could have been discovered by someone deliberately seeking the list data, or by a kind of program used by spammers to scour the Web for new e-mail addresses to bombard.

Both montypythonsspamalot.com, where 19,000 people had signed up for a newsletter, and movinoutonbroadway.com, where 14,000 had, were built by Mark Stevenson, a designer in Croton-on-Hudson, N.Y.

Mr. Stevenson said he had hired a programmer, whom he would not identify, to add the list sign-up function to the sites. He said that the amount of resources put into security on the sites had seemed adequate, but "in retrospect, this was not enough, and we need to do more." He said that a message would be sent to the list with a warning about fraudulent e-mail messages.

Mark Wilkie, a software engineer who maintains Web sites for Gawker Media, said the ability to view the data must have been built into the sign-up software, but it was not clear why someone would do this. "Security-wise, it's a horrible thing to do," he said.

Aaron Meier, a spokesman for Monty Python's "Spamalot," said yesterday that the show would have no comment.

When told by e-mail message about the breach, several people who had signed up for the "Spamalot" list said they were unsurprised, given the state of Internet security and the aggressiveness of spammers. Several noted that there was something appropriately Pythonesque about the incident. After all, Internet historians say that the use of the word spam to refer to junk e-mail messages has its roots in a 1970 Monty Python sketch, in which all conversation in a cafe is drowned out by a group of Vikings chanting the word over and over. The sketch and its song about Spam, the meat product, were adapted for the new musical.

"Are you sure they didn't do it on purpose?" joked one list subscriber, Matthew J. H. Baya of Ellsworth, Me. "Talk about guerrilla marketing."

sacked

[SuperBanana]

All I have to say is that I hope the creators of the Spamalot website have been sacked

The cREators would like to announce that the previous creato

NO CARRIER

The c re a tors of

NO CARRIER

Re:sacked

[flumps]

Mynd you, møøse bites Kan be pretty nasti...

That programmer...

[Faust7]

Mr. Stevenson said he had hired a programmer, whom he would not identify, to add the list sign-up function to the sites.

But why? It's not like we'd want to bludgeon, or bitchslap, or ambush, or lynch the programmer.

Re:That programmer...

[flumps]

.. We could say "NI!" to the poor fellow but it'd be a terrible thing to do to him..

Re:That programmer...

[CableModemSniper]

Are you saying 'ni' to that programmer? What sad times these must be indeed where passing knaves can say 'ni' to programmers.

Re:That programmer...

[stor]

That's OK, he wasn't saying 'ni' to a programmer.

Cheers
Stor

Re:That programmer...

[Reorax]

Burn him!

A moose once bit my sister.

[Picass0]

No, relli!

She was Karving her initials on the moose with the sharpened end of an interspace toothbrush given to her by Svenge- her brother-in-law- an Oslo dentist and star of many Norwegian movies: "The Hot Hands of and Oslo Dentist," "Fillings of Passion," and "The Huge Molars of Horst Nordfink"...

Re:A møøse once bit my sister.

[plover]

Møøses' noses wiped by BJORN IRKESTOM-SLATER WALKER

Large møøse on the left
half side of the screen
in the third scene from
the end, given a thorough
grounding in Latin,
French and "O" Level
Geography by BO BENN

Suggestives poses for the
møøse suggested by VIC ROTTER

Antler-care by LIV THATCHER

"To be spammed..."

[ornil]

If you RTFA, you'd notice that in fact the mailing list subscribers were not spammed. Whoever noticed the security hole was not a spammer, reported it, and the hole was plugged. So, yes, maybe it's funny, but they really were not spammed, which spoils the story.

Re:"To be spammed..."

[Saeed al-Sahaf]

This is Slashdot. We don't need no stinking FACTS!

Re:"To be spammed..."

[Guido von Guido]

The article doesn't say whether or not anyone grabbed the actual mailing list. This is something they could presumably check by looking through the web logs. If the addresses were harvested by somebody's spam bot, I would assume they were added to the spammer's address database. I'm not sure it would have been obvious to anyone that they had been spammed because they had subscribed to the Spamalot mailing list. Anyway, my general assumption is that all spammers out there already have my email address. With effective spam filtering, it's only a minor nuisance.

Re:"To be spammed..."

[DustMagnet]

I'm not sure it would have been obvious to anyone that they had been spammed because they had subscribed to the Spamalot mailing list.

It would be obvious to anyone like me who uses a unique e-mail address for each purpose. Since I didn't sign up for Spamalot, I don't know if it was harvested or now.

Re:"To be spammed..."

[rsmith-mac]

Actually, David Gallagher(the reporter who wrote this story) contacted me and some other unknown number of people who were on the list and had used tagged addresses(he apparently went through the list himself looking for contacts for this story), asking if we had received any spam on that address. Interestingly enough, he was the first person to contact me on that address at all, I hadn't received any spam or any email from Spamalot previously in the couple of months I've been on the list. It doesn't appear that it was harvested, though it could just be that no one has used the addresses yet.

If it was harvested though, it opens up an interesting issue since the exposed data included names and physical addresses to go with the email addresses.

Re:"To be spammed..."

[davidfg]

GvG: At least two people on the list signed up for it using 'tagged' addresses that had not been used elsewhere, then received spam at those addresses. One of them was me. This led to some poking around, the discovery of the security hole and the writing of the story.

Re:"To be spammed..."

[kristopher]

To be spammed, or not to be spammed: that is the question: Whether 'tis nobler in the mind to suffer The promises of outrageous fortune, Or to take arms against a sea of spam, And by opposing end them? To die: to sleep; No more; and by a sleep to say we end The spam and the thousand unnatural emails That promise is heir to, 'tis a consummation Devoutly to be wish'd. To die, to sleep; To sleep: perchance to dream: ay, there's the rub; For in that sleep of death what spam may come When we have shuffled off th

Ironic

[dg41]

::instart Fark.com "Ironic" tag here::

Re:Ironic

[wheany]

Yes, I'm sure you find all this very ironic, Alanis.

Not a professional job...

[Saeed al-Sahaf]

From the story:

Both montypythonsspamalot.com, where 19,000 people had signed up for a newsletter, and movinoutonbroadway.com, where 14,000 had, were built by Mark Stevenson, a designer in Croton-on-Hudson, N.Y.

Mr. Stevenson said he had hired a programmer, whom he would not identify, to add the list sign-up function to the sites. He said that the amount of resources put into security on the sites had seemed adequate, but "in retrospect, this was not enough, and we need to do more."

Why would they use some obviously "home grown" half assed mailing list code when there are perfictly good and fairly sold apps out there like Mailman or EZmlm? Sounds like the "designer" hired some friend, prob. som kid who just learned about web scripting...

Web designer's resume...

[Saeed al-Sahaf]

http://www.carapacearts.com/mark_stevenson.htm

Re:Web designer's resume...

[kawika]

"Perhaps the bronze sculptor in Washington state that you linked to isn't the same person as the New York web designer."

Probably you are right. Perhaps we could send the Washington state sculptor to New York to arrange an "unfortunate smelting accident" [imdb.com] for the web designer. I certainly would if he tarnished my name.

Re:integration most likely

[Saeed al-Sahaf]

Nonsense. Mailman and EZmlm can be "seamlessly" integrated into *any* web site, without any work *at all*, they are "stand alone" apps.

Re:Not a professional job...

[chromaphobic]

Calling him a web designer is a stretch. From looking through the other sites he did, they're all filled with shitty Dreamweaver and ImageReady code.

What do you expect...

[TPIRman]

... from a site designer who can't even spell "bandwidth" [montypythonsspamalot.com]? (Or at least spell it twice...)

Well, DUH!!!!

[cbdavis]

Like, what else did you expect from a site named SPAMALOT!!

Re:Well, DUH!!!!

[Attaturk]

Like, what else did you expect from a site named SPAMALOT!!

Zoiks Shaggy what are you doing out of the Mystery Machine?

We dine well..

[Selfbain]

..here in Camelot. We eat ham and jam and spam a lot.

I predict that in the future, Shakespeare and Monty Python will be mentioned together a lot.

The creators

[sp3tt]

SPAM SPAM
SPAM SPAM
SPAM SPAM
SPAM SPAM
SPAM SPAM
We aplogize for the spam, the creators of this website have been sacked
SPAM SPAM
SPAM SPAM
SPAM SPAM
SPAM SPAM
SPAM SPAM
We aplogize for the continued spam, the persons responsible for the sacking of the persons just sacked would like to announce that they have been sacked.

Mail lists...

[LiNKz]

Recently I noticed on a certain college website, every employee's email address was listed on a type of 'contact' page.

Every employee.

It actually was a three column table, on the left side it had the employee's name, next column was for e-mail, and the last for their phone number.

I was sitting with the Administrator that handles the email servers, when I heard recently there has been an ever more increasing spam flow to all the college email addresses.

The new age in spamming ?

[phoxix]

What if the web designer/programmer was actually someone sleeping in bed with the spammers ? .....

<programmer> ok, I am going to create the website for Acme Inc. For 3 grand, I can leave a backdoor for you to get all the email addresses
<spammer> make it 2 grand and 3% cut of all referral fees
<programmer> deal
<spammer> deal

This would get pretty interesting pretty fast ...

Re:The new age in spamming ?

[Karma Farmer]

What if the web designer/programmer was actually someone sleeping in bed with the spammers ?

I would sleep in bed with spammers! They're all hot nubile chicks with pills to make me skinny and my penis huuuuuge!

Developers to be blamed?

[jamienk]

From my experience, though, often a web developer's clients push towards unsecure functionality because of cost/time considerations. I've been hired to add functionality to sites' existing shopping carts, for example, and when I've found and reported massive holes (a list of customers, orders, credit cards all accessable from a web page, for one), I've been met with heavy skepicism about the need to fix these holes now.

"How would anyone find that page?"

"Maybe we'll get to that once we add the international shipping feature."

etc. It gets tiring. After a while, you feel unappreciated. I'm not saying that something like this happened here, but at this point, I don't know that it DIDN'T happen...

My 2 cent American.

Re:[examples] to be blamed?

[jamienk]

You point to stuff. Your client sees that you might be right. (At this point, several exchanges over a few days or weeks.) They disappear for a while, to discus with their boss. They come back to you, reassuringly telling you that they don't think it's a problem. You object. They act annoyed. The entire project was supposed to be 1 days work for $300... You see what I mean?

Re:Developers to be blamed?

[Anonymous Coward]

Grow some balls and tell them flat out that you refuse to add features to a product with serious security problems until they are fixed.

Re:Developers to be blamed?

[jamienk]

I often find myself just doing what the client wants if they insist. Sometimes it's harder to pull out of a project than to just try to mitigate the damage.

Titles

[Life2Short]

Mind you, moose bites can be pretty nasty!

And to clarify....

[Fnkmaster]

Those responsible for the sacking of the web developers, shall also be sacked.

Arghhh

[ewe2]

...bloody vikings!

I'm Brian!

[Anonymous Coward]

Crap, wrong movie.

glitch?

[neckdeepinspecialsau]

Is it me or does anyone else have issues with this being called a glitch? Seems like either sloppy work or deliberate. Either way the page that spat out emails and addresses worked as expected it was simply not locked down.

I think I found the page that caused the issues

[neckdeepinspecialsau]

This looks like it spits out a search at the bottom of the thank you page.

http://www.montypythonsspamalot.com/cgi-bin/spamal ot.cgi?email=

This html is full of artifacts. I would be surprised if they actually hired a web developer and didn't just screw up and use some free script they didn't fully understand.

Anonymous Programmer Is the Cause!

[duerra]

Mr. Stevenson said he had hired a programmer, whom he would not identify, to add the list sign-up function to the sites. He said that the amount of resources put into security on the sites had seemed adequate, but "in retrospect, this was not enough, and we need to do more."

He had hired a programmer.... *nod*
And my mother's still a virgin....
After birthing me yesterday.

They should have hired the Whizzo Web Company...

[rf10573]

Mr. Milton, the sole proprietor is an honest man, so I'm told...

Spammers die!

[Couzin2000]

Why is I that we always hear about attacks on 'this server', 'that server', yet nobody's ever thought of planning a DDoS (Distributed Denial Of Service, read here [grc.com] for more info) Attack on Spammers? Why not? We could potentially get rid of them, make their machines crash... I just don't get why we have to wait for the law to take matters into their incapable hands.

Not that I'm trying to incite you or anything.