25 comments

[ 3.7 ms ] story [ 61.2 ms ] thread
(comment deleted)
I guess I have to ask: is this a legal grey area? The UK claims sharing of things like Netflix passwords is illegal[0]. That said, people pay for Netflix, so they wouldn't be dumping those creds on sites like this for all to plunder.

But I still think we need more of these 'skeleton key' type sites, not just one. It's great that it's open source and on GitHub[1] and I encourage as many people as possible to host their own instance.

We can't afford another BugMeNot type shutdown. The Internet needs these types of sites badly, even though it's a possible legal grey area (Don't forget pass sharing is forbidden in some ToS).

[0] https://www.standard.co.uk/tech/password-sharing-illegal-gov...

[1] https://github.com/midzer/dontbore/

> The UK claims sharing of things like Netflix passwords is illegal[0].

The newspaper article you linked to mentions the ICO talking about copyright law.

Personally I think it would be more of a clear-cut case under the UK Computer Misuse Act, "Unauthorised access to computer material":

   A person is guilty of an offence if—
   (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer or to enable any such access to be secured;
   (b) the access he intends to secure, or to enable to be secured, is unauthorised; and
   (c) he knows at the time when he causes the computer to perform the function that that is the case.

And in terms of somebody operating a password sharing website, "Making, supplying or obtaining articles for use in offence":

   (1)A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA
   (2)A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA
   (3)A person is guilty of an offence if he obtains any article—
   (a)intending to use it to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA, or
   (b)with a view to]its being supplied for use to commit, or to assist in the commission of, an offence under [F21section 1, 3 or 3ZA].
   (4)In this section “ article ” includes any program or data held in electronic form.
Using these sorts of shared credentials could be construed as unauthorized access, which would definitely be legal gray area.
How does this compare to BugMeNot [1]?

[1]: https://bugmenot.com

Not the author. But I guess one difference is that this is not bugmenot. Many sites blacklist accounts from bugmenot. Now there is an alternative. This is of course a whack-mole-game. But when it works it works.
Did you see the part titled “There is BugMeNot. Why another site?”?
I noticed a lot of people on the comment thread never open the link, most of the time the answers are right there but the comments are always like, the above.
Yes, the posted link says nothing about how they compare. Here is what is says.

> It is always good to decentralize the web.

This essentially means "This is not BugMeNot". Doesn't really tell me about how they are better/worse compared to BugMeNot.

> In addition, it seems BugMeNot is not maintained any more

I don't see how it affects the user, when I search for accounts on BugMeNot I still see very recent additions.

> no HTTPS for example

This is factually incorrect, I am connected to BugMeNot.com over HTTPS right now. No certificate issues or anything.

This is really weird to provide 0 comparison and incorrect claims to their most well-known "competitor". There are actually things they can improve, such as

- Better moderation - Checking and removing broken accounts in an automated way - Getting rid of the "This site has been barred from the bugmenot system" stuff.

Why is the main call to action is to perform a search by domain name?

There are like 12 domains total in the list...

May be I am not understanding how it works.

The idea is you can share credentials for any site/domain. So right now there are only 12, but there could be hundreds or thousands.
Problem is the label says "all domains". Not very clear.
I find it funny someone submitted an HN account just created. Seems like a good way to possibly get your main in trouble, assuming the moderation tooling links your main and newly created throwaway.
What I like of this the most is a way of discovering new sites I didn’t know about, hoping I can find something equivalent to when I found Reddit back in the mid 2000s
Kinda wish the username and password were on the same line in the api or web, would make for easier copy+paste with less back and forth between tabs. Here's a bookmarklet that opens in a new tab:

  javascript:(function(){ window.open('https://dontbo.re/'+location.host); window.history.replaceState(null, null, location.href)})()
This has old precedents. A longer time ago than I care to admit cypherpunk/cypherpunk and rms/rms, worked on a lot of services. Then various hacking groups had their own shared passwords. Tor operates as an extension of the same principle, where your traffic could be anyones, and by choosing to share an identity, you protect and preserve your own.

Sort of interesting to think that anonymity doesn't so much protect a secret, but rather it selects who may tell a story about your individual identity and use parts of your life to share with others. I use these polite figleaves of pseudonymity to explore and engage ideas I don't expect other friends to, and then I can bring those experiences back to my relationships as mine to share, and they're not just another performative thing anyone can see on my onlyfans.

A better user experience than a website would be a browser extension that knows all the latest shared credentials, auto fills them, and can upload new ones. I see there is a Firefox extension for BugMeNot, though I’ve never used it and it hasn’t been updated in two years:

https://addons.mozilla.org/en-US/firefox/addon/dontbugme/

In that case, you could even enable the sharing of session cookies as well.
Good point! No need to log in off you already have a logged-in session cookie.