Google Contacts API: http://code.google.com/apis/contacts/
Yahoo! Contact API: http://developer.yahoo.com/addressbook/
Windows Live Contact API: http://msdn.microsoft.com/en-us/library/bb463989.aspx
Nobody has a foolproof scheme.
By your argument, HN is a fail too, yet you still click on the links.
But the real reason that Microsoft's URLs suck is that the MSDN Knowledge Base is an older product than Google's, built back when the web was new and people didn't realize that their URLs sucked. And one thing that I respect Microsoft for is actually caring about reverse compatibility.
(Sidenote: This is why you should think about your URLs. They are how your website will be presented to the world.)
I think the links earlier in this thread are a perfect example of why this is useful. You can tell what you'll get when you click on the Yahoo! and Google ones, but the Microsoft one is totally opaque.
Would Jonathan Schwartz's blog ( http://blogs.sun.com/jonathan/ ) count as an enterprise CMS? That has URLs which include the title. Does Wordpress ( http://www.wordpress.com/ ) count as an enterprise CMS? That also has URLs which include the title.
Yahoo's is just better organized.
"how can I take your privacy policies seriously if you aren't willing to treat your competitors' login credentials with the very same respect that you treat your own?"
Although most people on HN and the like will usually opt out or refuse such a request, many people will not care about the privacy/security issues if it means less work for them.
So people get burned by some Nigerian scammer, decide never to do any business online again, and what good does that do for the YC crowd?
Second, there are lots of convenient features that we don't build because they send a terrible message. For instance, it would be really convenient to work with your bank via email.
Third, he's right: many of these services probably do bank your password, which is an absolute nightmare. Almost every web app is going to lose its database to SQL injection at some point in its lifespan.
And the contacts APIs that the major providers are giving are recent. It's not like services like Yelp and FB had the choice before.
Ps.: Jeff Atwood's "from the hip" writing style shows. I'm yet to find one single post from him that seems slightly insightful. Instead of spending so much time ranting, he could spend a tenth of that time thinking about why Yelp keeps that "feature".
Edit: could someone please explain to me the reason for such aggressive downmodding?
You said that Atwood should have spent time thinking instead of just ranting, but then you kind of did the same thing....
And that's not to mention giving the "they're a company, anything goes" and "it was the only way back then" excuses; those are meaningless.
The same goes for websites that do such a thing. They know that some users might be annoyed by such a "feature", but the amount of new users that will be exposed is much higher, so they keep doing it.
What I find hard to believe is that the ones that complain about these kinds of mechanisms don't understand that they themselves are not part of the target of said mechanism. Instead of simply ignoring it, they feel like "victims" of it.
And I'd like to know where I said "anything goes". If that was the case, I would say that scammers are right to do what they do because they never forced the users to give sensitive data. What I did say is that, if a webservice wanted to provide a way for the user to (semi-)automatically invite people in his contact list, the only way to do that required email and the password.
What I find hard to believe is that the ones that complain about these kinds of mechanisms don't understand that they themselves are not part of the target of said mechanism.
These mechanisms are prominently shown to all users of the web site who want to import contacts, whether they are technical or not. There isn't a banner above them which says, "this feature is aimed only at people who don't understand the security implications."
Making money by teaching someone to compromise their security is a morally bad thing to do, whether that person knows they are being taught to put themselves at risk or not.
There isn't a banner above them which says, "this feature is aimed only at people who don't understand the security implications."
If you do understand the security implications, then the banner is irrelevant!
Also, they are not saying that you must use the feature either, are they? What happened to free will? Does everyone think that you are supposed to consume every feature of the service just because it's free and it's there?
And to say they are "teaching to compromise security" is a gross dramatization. They are not teaching anything at all.
I agree that some time ago, it may have been a (dubious-yet-) reasonable feature. Now it's just irresponsible.
... until it bites them in the ass.
Of course people should be hesitant to give their passwords to random web sites, but then again they should also be hesitant to give their address book out to random websites (I don't want spam just because you signed up for some scammy site). The people most likely to fall for scams probably use the same password everywhere, btw.
Your house keys are less dangerous than your email password. As Jeff points out, with your email password someone can probably take control of all of your web credentials. It's as if you gave them your house keys, and then they use those to take control of your snail mail, and then they apply for new credit cards in your name, and order a new set of car keys, and so on.
And of course, we are not talking about giving your house keys to a friend staying with you. We are talking about giving your house keys to the bartender because he says he can help you invite all your friends to have a drink with you.
If your email is so super secret, then you probably shouldn't trust Yahoo or Microsoft with it either, btw. I'm not saying that there aren't security issues, but you need some perspective here. Facebook is just as secure as Yahoo, so letting them use your Yahoo password really isn't that big of a deal.
Of course, many more accounts blacklisted her once they started receiving the spam messages...
It's stuff like this that makes the first employee want to leave, which leaves the 'salt' effect of remaining employees at the company.
Somehow, the employees (and perhaps students in a school situation) should have some power of a social vote that the boss at least 2 levels up from them needs to acknowledge.
And like this, I, who always spent my time complaining about people who are not careful about security, spammed most of my friends :-(
What are these people thinking?
My reaction is like "wtf ofc I'm not gonna give you my email password".
If some stranger came up to you in the street and asked for your SSN & bank account number and you were stupid enough to give it to them, who would be at fault? Would that stranger have done anything illegal?