Q209354 - HOWTO - History of the page

This page provides background information to the parody page Q209354 - HOW TO READ THE F**KING MANUAL.

The original page mentioned "Microsoft" throughout, but I have modified it to "Micronot" so there can be no mistaking that it is a parody page.
Click here to see my sanitised version.

On Feb 23rd 2001 the following URL was posted on certain newsgroups I watch:-
http://www.microsoft.com&item=q209354@www.hwnd.net/pub/mskb/Q209354.asp
(By the way, it no longer works.)

To the unsuspecting, this looks like a page on the Microsoft site, which then leads you to believe that the MS site has been hacked. Not so!

Any text between the "http://" and an "@" in the host part of a URL is disregarded when deciding which site to connect to, so the page in fact lived at:-
http://www.hwnd.net/pub/mskb/Q209354.asp
(This no longer works either.)

Allowing text before an @ character, but disregarding it for the sake of deciding which site to connect to, is deliberate.
It's the HTTP URL-based authentication mechanism.
It works like this.
Let's say I want to log in to a secure site, XYZ.COM, using my own username "fred" and my password "hello". The URL would be:
http://fred:hello@www.xyz.com

This mechanism has been exploited in the original Q209354 parody page.

The page lasted about 2 days before being removed.
Now there are thousands and thousands of MS parody pages out there (e.g. Microsoft CeMeNT), and I guess MS's lawyers let them go so long as they are obviously parodies.
However, the misleading URL was clearly the deciding factor in taking action.

As of Feb 26th 2001 the original page was still cached at Google:-
http://www.google.com/search?q=cache:www.hwnd.net/pub/mskb/Q209354.asp+Q209354.asp&hl=en
but who knows how long that will last.

Mister Harold would still like to take his hat off to http://www.hwnd.net for a joke well executed. There is some more technical humour there if you wish to go see.

Afterword & Warning

Some unscrupulous people have used the above mechanism to pretend to be other sites, in order to get people to enter usernames, passwords, credit card numbers etc.

The real domain can be obfuscated by percent-encoding its ASCII characters (a % followed by the character's hex code) rather than writing the characters themselves. For example try:-
http://www.microsoft.com@%77%77%57%2E%41%6F%6C%2E%63%4Fm/
You can decode this manually using the ASCII chart here.

So be very wary of any URLs with @ or % characters in them!
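
The check described above can be automated. This is an added example, not part of the original page: a small Python function (the name inspect_url and the "dot in the user name" heuristic are assumptions made here) that splits a URL the way a client does, decodes a percent-encoded host, and reports which site the URL really points at. The sample URLs are the ones quoted on this page plus one constructed plain URL.

```python
from urllib.parse import urlsplit, unquote

# URLs quoted on this page, plus one plain URL constructed for comparison.
SAMPLES = [
    "http://www.microsoft.com&item=q209354@www.hwnd.net/pub/mskb/Q209354.asp",
    "http://fred:hello@www.xyz.com",
    "http://www.microsoft.com@%77%77%57%2E%41%6F%6C%2E%63%4Fm/",
    "http://www.xyz.com/index.html",  # constructed: no userinfo, no encoding
]

def inspect_url(url):
    """Report the host a client would contact and why the URL may mislead."""
    parts = urlsplit(url)
    # Everything up to the last "@" in the authority is userinfo, not the host.
    userinfo, at, _hostport = parts.netloc.rpartition("@")
    userinfo = unquote(userinfo) if at else None
    raw_host = parts.hostname or ""        # lower-cased, still percent-encoded
    host = unquote(raw_host).lower()       # the name the escapes spell out
    warnings = []
    if userinfo is not None:
        warnings.append("userinfo before '@'")
        # A dot in the user name suggests it was written to pass for a host.
        if "." in userinfo.split(":", 1)[0]:
            warnings.append("userinfo looks like a host name")
    if "%" in raw_host:
        warnings.append("host is percent-encoded")
    return {"host": host, "userinfo": userinfo, "warnings": warnings}

if __name__ == "__main__":
    for sample in SAMPLES:
        result = inspect_url(sample)
        print(sample)
        print("  connects to:", result["host"])
        print("  userinfo:   ", result["userinfo"])
        print("  warnings:   ", ", ".join(result["warnings"]) or "none")
```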

Don't get paranoid, but be safe. Happy surfing.