If you've got IE, click on this link to "CNN" to see an interesting exploit. It's not new, but I'd never heard of it. The URL uses the username portion to fool the browser into displaying a string that isn't where it's being sent (forwarded from Keith Wannamaker).