Well, it is always good to know what is definitely secure, right?

BRILIANT!
Why does it seem so many WTFs are caused by someone being "too clever" and using JavaScript to process information instead of... the server-side scripting language they are 'pretending' to use?

Re. AccountID - I worry about secure sessions too sometimes, since they don't really seem all that secure. Have most people switched over to using GUIDs instead of AccountIDs? That is what I'm considering.

Could we get the name of the brokerage? I'd like to open an account. For about 15 minutes.

They probably used an HTML-to-JSP converter. It seems you can find real security at the web sites of Linux user groups, but not at banks and brokerage houses. Wow!

Why does it seem so many WTFs are caused by someone being "too clever" and using JavaScript to process information instead of... the server-side scripting language they are 'pretending' to use? What are you talking about, not server side? It has client-side JSP sent to be server-side JSP!!! Brillant!!

What is this, security by this-is-so-unexpected-no-one-will-look-here? Right, and let's trick Al-Qaeda by donating them money... they'll be so bewildered, they won't know what to do with it!

Kinda funny considering that LUGs advocate openness while banks advocate closed-ness. (Still wondering why my bank closes at 1:00 on Saturdays...)

Been here long? :-)

C'mon, Alex, what are you expecting here? We all know those sophisticated hackers are always 3 steps ahead of the security game. The developers were probably going for "Security by Stupidity", hoping that no self-respecting hacker would try something so simple. It's like taking candy from a retarded baby monkey. >BiggBru

Man, this definitely made my day. lol.... all I can say is roflmao.... Brillant!

But the press tells us that all hackers are 12 year old children who failed out of school, so probably cannot read!

After the discussions of the last two days, a WTF which is proof against anyone arguing that it's not a WTF. Quite stomach-churning.

hence, this program!!

Re: Insecurity Assessment (2006-04-28 15:21)
Whiskey Tango Foxtrot? Over.

Apparently not long enough. [:D]

Someone's going to be up to the challenge of "demonstrating" why this is not a WTF. (Right? Anyone?)
Not to mention there's probably about even odds that someone will end up defending this for real.

Hello. Paula?

Clearly the whole system is a cleverly designed honeypot, secretly operated by an elite group of NSA super-hackers. I bet they are catching scammers left and right with this thing.

I really need to get into the habit of reading the source of a web page. I just can imagine all the wtf goodness I could find...

This isn't a WTF. The security assessment company was surely being tested by this firm to see if they knew what they were doing.

I just want to be left alone with the person responsible for letting browser-side script communicate with server-side script... just 1 freaking minute... I swear he will make an "I'm so sorry" statement on every blog.
Really, why is it companies keep hiring 2 bucks per day programmers to handle costumer data.... THAT is a WTF itself... The rest is WTF by inheritance.

I meant 2 bucks per day programmers to program modules which handle costumer data, for those not BRILIANT! enough to understand :P
[Alex, there's too little time for enabling the edit button]

I'd comment on the lack of security, but didn't one (more?) of the major banks/brokerages recently lose a tape with something like 30mm account numbers, SS#'s and passwords on it because they shipped it via UPS/FedEx/whomever and it just happened to be misplaced?
Let's face it, even if the code was the purest of pure-bred well designed and thoroughly thought out systems, there are still common-sense WTF's all around us in life.
It is to laugh...

sooooooooo...... get to the part about what happened when the security company told the client they had no security. tdog

costumer --> Misspelling perhaps not !

WHERE R THE TESTERS! [;)] Dear Developers: "Invalid AcctId." is too cryptic. I'm typing in "Mama goes Bats" in this field and getting this message. Please format a better message along the lines "My mama is not 'bats'. Please focus on supplying the requested account ID." Also, this application should be able to display errors in multiple languages. nihonAlert('BAKKA YA RO!!!!');

IronMountain has been losing tapes lately. Too bad many companies don't check the box labeled "encrypt".

On the other hand, given the Lowest Common Denominator (tm) method of education used at most schools these days, the ones who can read probably _are_ the ones who are being flunked out. CAPTCHA = SPEAKER. How apropos.

That is, actually, quite profound. Perhaps too much so for this forum [;)]

IronMountain has been losing tapes lately. Too bad many companies don't check the box labeled "encrypt". But encrypting the backups takes too long. Then again, sending the backups to anything but /dev/null takes too long.

OMG I know that brokerage firm. Shortly after this happened they reorganized the company and got into the forum software business.
I think they called themselves something like 'Smart Systems' and make a product called 'Community Served'. I'm having a hard time remembering the exact names, but something like that. ;)

Of course, this is a highly advanced design. You are 100% safe against stuff like this. Imagine the advantages! Nasty old google can't come around and knock down your site just because some stupid user copy-pasted a sensitive link. On top of that, you are safe from email address collecting bots and automated spamming systems. This also saves lots of server resources. Server doesn't have to do too much logic, and in some cases, it has been shown that hard disk usage DECREASES over time! 'nuf said.

I'm pretty sure you mean 'Mart Systems...

Of course, a vanilla form feeding to a server-side script can still be more full of security holes than a block of Swiss cheese. But browser-side scripts do lead to the "rely on browser-side data validation" anti-pattern, so yeah, we feel your pain.
I believe this was about the banking industry, not the movie and theatre industries. WTF?

Until this post I thought the forum software was a 5 minute home grown job... I can't believe this is commercial! Just ... wow. CAPTCHA == analysis with the 'anal' in a dark bold colour and the 'lysis' in a light, barely readable colour... sums it up really.

Yes, but have you tried Javascr...- nevermind...

Maybe it's just a Honeypot; anyone attempting any of these breaches gets IP banned...

FYI: ???? (?????) is romanized as bakayarou, not "bakka ya ro".

Maybe it was on a SSL server? Still, the cookies... bad programming...
captcha was "bozo" haha

The sad thing is you are off by probably 3 magnitudes on the price of your programmers

??????!!!

Pardon me, with this atrocious forum software's inability to edit posts...
I meant to say ???????!! ??????? ? ?????

No, he got it right. "Shop smart! Shop S-Mart!" ok dpm

Pardon me, with this atrocious forum software's inability to edit posts...
It's been a long while since I had to translate, so I had this site do it for me: http://www.animelab.com/anime.manga/translate Here's what I got in return (using the "translate" button). yo ku de ki ma shi ta ! ! -- evening, night clause outflow tree rub, scrape city who "ba ka ya ro u" wa nan de su ka -- "ba sent, oder question mark furnace u" I, me, oneself, self, ego what outflow to do sent, oder Ahhh, now I understand. [^o)] _jokes_ The nihonAlert() was just a way for me to show that developers can shout at the "user" in more than just plain old English. Hope I did not offend with my rough & rusty romaji. [:^)]

Man, you laugh at this sort of thing now... But I've had to deal with this sort of crap first hand (fortunately not with a bank) and my stomach just turns when I see it... Please, Alex, spare us (and PLEASE fix the CAPTCHA!)

But hey! At least they knew something was wrong with their security, and they knew that they weren't up to testing it themselves, so they brought in someone who did. A lot of people wouldn't have had that level of self-assessment in the first place.

Actually, in some situations you can't use html pages if you want to keep the client's session. I think it is where the session tracking is in url rewriting... Going to have to brush up before the scwcd exam in a few weeks ;)

This makes me want to start keeping my money under my mattress.