Comment On Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:48 • by Bert (unregistered)
189868 in reply to 189790
ThePants999:

Research shows that clever people think they're clever, average people think they're average, and dumb people think they're clever. It's a shame nobody else realised they were dumb though.


I thought it went more like:
Clever people know that they don't know it all,
Average people know what they know,
Dumb people THINK they know it all.

See
http://www.apa.org/journals/features/psp7761121.pdf
Figure 4.

Saw this posted before at WTF. It should be required reading for the entire world.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:49 • by Alex Papadimoulis
189869 in reply to 189748
MadJo@Work:
Euhm, Alex, the blurring of the email addresses in that last picture doesn't really work, I can figure almost all of them out. Might want to use a black pen next time instead of blurring. The Social Security numbers are blurred a bit better, but still it would be better still to use a black pen in whatever photo editing program you are using.


I'd be very impressed if someone managed to unblur the numbers from the first image. Of course, they'd just learn that not all obscured things have useful data behind them (such as that pdf from Not Too Particular), but I bet it'd be a fun exercise.

And yes, I suppose I could have blurred the emails a bit better. Then again, just about all of them are in the DOC's office directory or the various sheriff departments' contact pages. I guess I'll go blur those y#######om addresses... because, you know, random y#######om addresses are so hard to find, and there's so much damage one can do knowing one.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:49 • by Steve (unregistered)
189870 in reply to 189791

Whoever wrote that code should find his/her own name added to the list... right after the new developers and administrators implement really tight security so that the people whose names are on the list cannot modify the list.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 14:02 • by DeLos
189872 in reply to 189869
Alex Papadimoulis:
MadJo@Work:
Euhm, Alex, the blurring of the email addresses in that last picture doesn't really work,


I'd be very impressed if someone managed to unblur the numbers from the first image.
And yes, I suppose I could have blurred the emails a bit better.


Oh sure you pick out YOUR comment to be featured!!

Re: Please!!!

2008-04-15 14:04 • by StickyWidget
189873 in reply to 189822
In case you too wish to press the "Do Not Press" button, here's a fun search!!

inurl:select inurl:from inurl:where

Remember, Do Not Press....

~Sticky

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 14:10 • by Dazed (unregistered)
189876 in reply to 189739
anon:
Wow, and I live in Oklahoma... makes me wonder what else my great state may be doing in the realm of WTF.


Well, I suggest you pass that question on to a few of your local papers, along with the URL of this article and a brief explanation for the benefit of journalists who have never heard of SQL.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 14:13 • by AC (unregistered)
189877 in reply to 189869
Alex Papadimoulis:

I'd be very impressed if someone managed to unblur the numbers from the first image. Of course, they'd just learn that not all obscured things have useful data behind them (such as that pdf from Not Too Particular), but I bet it'd be a fun exercise.

And yes, I suppose I could have blurred the emails a bit better. Then again, just about all of them are in the DOC's office directory or the various sheriff departments' contact pages. I guess I'll go blur those y#######om addresses... because, you know, random y#######om addresses are so hard to find, and there's so much damage one can do knowing one.


Even if you're right and you know it, you could have avoided all the hassle by blacking them anyway.
Spare yourself the flames next time. :)

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 14:15 • by me (unregistered)
189879 in reply to 189872
DeLos:
Alex Papadimoulis:


Oh sure you pick out YOUR comment to be featured!!


It's his site and his article, so why not?

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 14:24 • by Chahk (unregistered)
The author should have tried an SQL injection attack before letting them in on the secret. "; truncate table registration_offender_xref" at the end would've done the trick.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 14:27 • by Pecos Bill
189881 in reply to 189853
x:
Xaox:

Unless there is some state named Chihuahua...
.doc.state.ok.us/servlet/page?_pageid=426&_dad=portal30&_schema=PORTAL30&id=regid

Yes, genius, and it is in Mexico.


Estados Unidos Mexicanos aka The Mexican United States, officially speaking that is. What I want to know is what they have against Australian states???!!?

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 14:38 • by Prave Konqueror (unregistered)
Oh how I wish I could again see full articles in the front page in Konqueror... It defaults to summaries and pressing the full articles link does... nothing.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 14:43 • by Freddy Bob (unregistered)
189884 in reply to 189869
Alex Papadimoulis:
MadJo@Work:

I'd be very impressed if someone managed to unblur the numbers from the first image.

In ur text, unblurring ur eyes.
http://dheera.net/projects/blur.php

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 14:44 • by xtremezone
That's very scary... People should be fired and perhaps prosecuted (not just the developers at fault, but the guys that hired the developers at fault and maybe the guys that hired the guys that hired the developers at fault). This kind of thing needs to be made an example of and it really doesn't matter how much it costs to fix.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 14:46 • by tp_jacques (unregistered)
I'd bet dollars to donuts that this was done by a consultant.....tax dollars hard at work my friends. From what I've seen most state agencies don't have the resources to write their own software.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 14:58 • by Irish she was drunk (unregistered)
189887 in reply to 189827
tezoatlipoca:
oh no! The Daily WTF front page on Slashdot and no BustedTees ad? How are we going to generate enough click-throughs to get Irish Girl back?
oh the humanity!


there's a bunch of pics of her on the busted tees site.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 14:58 • by Walleye (unregistered)
189888 in reply to 189886
tp_jacques:
I'd bet dollars to donuts that this was done by a consultant.....tax dollars hard at work my friends. From what I've seen most state agencies don't have the resources to write their own software.


...so they award it to the lowest bidder.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 15:03 • by Kuba (unregistered)
189889 in reply to 189757
ptomblin:
They better hope that Little Bobby Tables never commits a crime.


I just fell off my chair...

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 15:04 • by Linus (unregistered)
I find the rest of the "removed" so website quite comical as well, it's a nice touch how they've kept the http://docapp8.doc.state.ok.us/servlet/IsItWorking/ page on the server.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 15:05 • by Blue (unregistered)
Exceptionally detailed post. Great job getting them to (finally) take things offline to be fixed.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 15:08 • by Mark Wilden (unregistered)
189892 in reply to 189869
And how does it preserve privacy to blur SSNs (which are meaningless to most of us) but display names and addresses?

///ark

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 15:09 • by anon (unregistered)
189893 in reply to 189884
Most people on the list will have been born in Oklahoma so the first three digits of their SSN will start with 440-448. Narrows it down quite a bit.

Re: Please!!!

2008-04-15 15:11 • by Hannes (unregistered)
189894 in reply to 189764
I tried and got:

No elephant with the name -1 UNION ALL SELECT * FROM users WHERE 1=1/* in the database. !


:((

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 15:17 • by Justice (unregistered)
189897 in reply to 189857
5|i(3_x:
ptomblin:
and remember many people are in favor of having the government run healthcare. wtf indeed.

Yes, because private companies never leak data.


A private company that engages in negligence this gross isn't likely to be in business very long. More importantly, if a private company fails in this or any other way, you are not compelled to continue to do business with them.


Right! After all, if your health insurance company leaks your personal data, you're under no obligation to continue with them. So what if your employer only provides benefits through one company and you can't afford outside insurance?

And hey, it's not like you have to stick with your local electric company or the water authority. It's not like those are monopolies in any form.

Like they say, the private sector does it better!

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 15:21 • by Schnapple (unregistered)
189899 in reply to 189887
tezoatlipoca:
oh no! The Daily WTF front page on Slashdot and no BustedTees ad? How are we going to generate enough click-throughs to get Irish Girl back?
oh the humanity!


Don't sweat it, all Slashdot users have AdBlock Plus installed so they'd never see the ad anyway.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 15:21 • by Disgruntled DBA

We apologise for the fault in the website. Those responsible have been sacked.


We apologise again for the fault in the website. Those responsible for sacking the people who have just been sacked have been sacked.


The directors of the firm hired to continue the website development after the other people had been sacked, wish it to be known that they have just been sacked. The website has been completed in an entirely different style at great expense and at the last minute.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 15:36 • by sidecarsally.com (unregistered)
Wow.

I would've loved to go on that website and add myself. For some reason, I get really turned on by people thinking that I like to put my hand up little children.

Even though I don't.

Sidecarsally.com - GO GO GO!

Re: Please!!!

2008-04-15 15:41 • by Pope
189903 in reply to 189894
Hannes:
I tried and got:

No elephant with the name -1 UNION ALL SELECT * FROM users WHERE 1=1/* in the database. !


:((


Some don't like plural nouns for table names. Just a thought.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 15:49 • by cavemanf16
189904 in reply to 189750
anon:
and remember many people are in favor of having the government run healthcare. wtf indeed.


ding ding ding! We have a winner!

One of my #1 reasons to be scared if Hillary or Obama gets elected.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 15:49 • by Ruudjah (unregistered)
Another big WTF is that the information displayed on the image is STILL recoverable BY UNDO SMUDGING ALGORITHMS. These have been successfully used in a German child porn case. And yes, these algorithms are available in the darker corners of the internet. So WTF TDWTF, please whiten these smudged SSNs out.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 15:52 • by savar
189906 in reply to 189900
Disgruntled DBA:

We apologise for the fault in the website. Those responsible have been sacked.


We apologise again for the fault in the website. Those responsible for sacking the people who have just been sacked have been sacked.


The directors of the firm hired to continue the website development after the other people had been sacked, wish it to be known that they have just been sacked. The website has been completed in an entirely different style at great expense and at the last minute.


Hahaha... one of the rare comments here that is actually funny.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 15:58 • by Zathrus (unregistered)
189907 in reply to 189892
And how does it preserve privacy to blur SSNs (which are meaningless to most of us) but display names and addresses?


For those who still haven't gotten it -- the names and addresses are public information that's supposed to be provided by the sex offenders' list anyway.

I do hope this gets picked up by the news wires, although I suspect most of 'em will go "eh, it's just sex offenders anyway", not realizing that it's also every inmate and employee in the OK DOC, and that the database integrity may be compromised to the point that the entire thing has to be rebuilt from court records, as the current data is untrustable.

Re: Please!!!

2008-04-15 16:01 • by KattMan
189909 in reply to 189894
Hannes:
I tried and got:

No elephant with the name -1 UNION ALL SELECT * FROM users WHERE 1=1/* in the database. !


:((


Because you are doing it wrong. Remember, they put a quote in there to contain the name so it should have been thus:
-1' UNION ALL SELECT * FROM users WHERE 1=1/*

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 16:08 • by Derek (unregistered)
189910 in reply to 189746
Whether it happens in private or public sector, low-level heads roll. But high level screw ups, like Bear-Stearns CEOs, or Bush Administration higher-ups, can screw up 1,000 times and they keep their high paying jobs.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 16:09 • by Chris Eldredge (unregistered)
I blame Pamela Anderson (see last screen cap). This should be proof that actors are not good programmers.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 16:15 • by Schnapple (unregistered)
189913 in reply to 189904
cavemanf16:
anon:
and remember many people are in favor of having the government run healthcare. wtf indeed.


ding ding ding! We have a winner!

One of my #1 reasons to be scared if Hillary or Obama gets elected.


Federal Government != State Government. The Federal government delivers all the mail with few problems and collects all the taxes with even fewer. State governments can't pave fucking roads. Besides, several other countries run socialized medicine just fine.

But nice try Mr. McCain.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 16:20 • by duder (unregistered)
Oh man, if this database is used for proof-of-registration purposes, then any cases of offenders not registering would have to be thrown out....

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 16:22 • by lolwtf
My faith in humanity is a 64-bit signed integer and it just underflowed.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 16:28 • by me (unregistered)
189918 in reply to 189917
My faith in humanity is a 64-bit signed integer and it just underflowed.
You must have a hell of a lot of faith in humanity.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 16:33 • by Mark (unregistered)
whee:

http://docapp8.doc.state.ok.us/servlet/page?_pageid=428&_dad=portal30&_schema=PORTAL30&SearchMode=Basic&undefined=Basic&SearchBy=Basic&undefined=ALL&SearchAW=ALL&SearchOpt=ALL&regid=-1'%20UNION%20ALL%20SELECT%20*%20FROM%20users%20WHERE%201=1/*

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 16:35 • by Pope
Through an experiment on my test server I just realized that this:

SELECT DISTINCT InfoS.TABLE_CATALOG as column1, InfoS.TABLE_NAME as column2, InfoS.COLUMN_NAME as column3, InfoS.COLUMN_NAME as column4, InfoS.COLUMN_NAME as column5
FROM table1, table2, (Select TABLE_CATALOG, TABLE_NAME, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS) InfoS

is perfectly legal. In the SQL sense of course.

Could changing the rights of the web user limit this ability? Obviously you would want to sanitize your SQL statements in the first place... but... Well, there is no but. What is the opposite of GRANT on SQL? DENY or REVOKE, right? :)

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 16:40 • by Ben Roesngart (unregistered)
189921 in reply to 189869
Unblurring is not difficult. The trick is to start with an unblurred numeral, blur it, then compare it to the blurred one. If you can guess the right typeface and blur algorithm, it's totally straightforward.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 16:42 • by anonymously evil (unregistered)
I "have personal knowledge" of the I.T. department at Oklahoma DOC. The guy that wrote their Sex Offender Registry system was a contractor. He was with a company that no longer exists. He was NOT a competent programmer.

The administration at DOC has not supported the I.T. department in many years. They play the blame game, and usually get away with it. George Floyd probably didn't report the FIRST phone call to the idiot he works for. That will give them an excuse to use Mr Floyd as a scapegoat.
Agency Director Justin Jones has seen the I.T. department as a personal enemy for a long time - not realizing that he is blaming the wrong people for the problems there.

The I.T. staff at Oklahoma DOC are not the villains here. The fault lies with Directors and Deputy Directors.....

BTW, have a look at this link: http://www.okhouse.gov/Documents/OKRVSDFinalReport080103.pdf

Have a look at the part on Information Technology. (page 231 on...)

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 16:47 • by Anon Sam (unregistered)
189923 in reply to 189920
Pope:
Could changing the rights of the web user limit this ability?

A read-only database could stop someone doing a DROP or DELETE.

And maybe the guy who set up the DB knew everyone else was an idiot and did so.
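Pope asked whether restricting the web user's rights would limit what an injected statement can do, and Anon Sam answered that a read-only database would at least stop a DROP or DELETE. The following is an added example, not code from the article or from the Oklahoma DOC site, that puts both points side by side on a constructed toy table: the concatenated lookup the article describes next to a parameterized one, and then a read-only restriction on the connection. SQLite has no GRANT/REVOKE, so the example uses its authorizer hook as a stand-in for revoking write privileges on a server database; the table name, rows and tampered input are all constructed for the demonstration.

```python
import sqlite3

# Constructed toy schema standing in for the lookup described in the thread;
# not the Oklahoma DOC's real table or data.
SEED_ROWS = [(1, "Alice Example"), (2, "Bob Example"), (3, "Carol Example")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registration (regid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO registration VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def lookup_concatenated(conn, regid):
    # The anti-pattern the article describes: the request parameter is spliced
    # into the statement text, so its quotes and keywords become part of the SQL.
    sql = "SELECT name FROM registration WHERE regid = '%s'" % regid
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, regid):
    # Bound parameter: the value travels to the engine separately from the
    # statement, so it is compared as data and never parsed as SQL.
    cur = conn.execute("SELECT name FROM registration WHERE regid = ?", (regid,))
    return [row[0] for row in cur]


def enforce_read_only(conn):
    # Stand-in for REVOKE/DENY on a server database: an authorizer that lets the
    # web-facing connection read but refuses every write and schema change.
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def try_delete_all(conn):
    # Returns True if the write was refused by the authorizer, False if it ran.
    try:
        conn.execute("DELETE FROM registration")
        conn.commit()
        return False
    except sqlite3.DatabaseError:
        return True


def row_count(conn):
    return conn.execute("SELECT count(*) FROM registration").fetchone()[0]


if __name__ == "__main__":
    conn = build_db()
    # Constructed tampered input in the spirit of the payloads quoted in the thread.
    tampered = "1' OR '1'='1"
    print(lookup_concatenated(conn, tampered))   # every row: the OR became part of the query
    print(lookup_parameterized(conn, tampered))  # []: no regid equals that literal string
    enforce_read_only(conn)
    print(try_delete_all(conn), row_count(conn))  # True 3: the write was refused, data intact
```

The parameterized lookup is the actual fix; the read-only connection is the defence in depth Anon Sam describes. It limits the damage of a write (DROP, DELETE, TRUNCATE) but, as the thread's UNION examples show, it does nothing to stop a read of other tables through an injected SELECT, which is why privilege restriction never substitutes for binding the input.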

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 16:47 • by Anonymous (unregistered)
Looks like they need this consultant quick!

Oklahoma DCS Central Purchasing Division
Status: Open Bid Number: 1310002506
Description: Department of Corrections is soliciting proposals from vendors to provide consultant services to assist DOC in determining requirements, direction, and the acquisition of a new offender management system.
Buyer: Liza Hanke

Find on http://www.dcs.state.ok.us/Solicitations.nsf, or direct link

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 16:53 • by v.dog (unregistered)
TRWTF is that 'white' is a race

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 16:59 • by Jon B (unregistered)
189927 in reply to 189913
Schnapple:
cavemanf16:
anon:
and remember many people are in favor of having the government run healthcare. wtf indeed.


ding ding ding! We have a winner!

One of my #1 reasons to be scared if Hillary or Obama gets elected.


Federal Government != State Government. The Federal government delivers all the mail with few problems and collects all the taxes with even fewer. State governments can't pave fucking roads. Besides, several other countries run socialized medicine just fine.

But nice try Mr. McCain.


Yes, I see your point. We should model healthcare after the IRS. Let's get started on that right away.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 17:11 • by Pope
189928 in reply to 189927
Jon B:

Yes, I see your point. We should model healthcare after the IRS. Let's get started on that right away.


We should also start the war on anger and jealousy. The war on terrorism just isn't cuttin' it.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 17:18 • by Kevin Abbey (unregistered)
A friend who is a network administrator with the Fed Gov't, emailed me today RE: this article. While he was reviewing the article he saw my name on two of the example sheets (I am a former DOC employee). I left the OK DOC in May, 2007, yet apparently here was my personal info for the taking.

I also recognized some colleagues' names, and emailed them about this too....with a link to the article.

Thanks for discovering this, and encouraging the repairs.



Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 17:21 • by Pamela Anderson (unregistered)
I blame Pamela Anderson.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 17:32 • by Schnapple (unregistered)
189932 in reply to 189927
Jon B:
Schnapple:
cavemanf16:
anon:
and remember many people are in favor of having the government run healthcare. wtf indeed.


ding ding ding! We have a winner!

One of my #1 reasons to be scared if Hillary or Obama gets elected.


Federal Government != State Government. The Federal government delivers all the mail with few problems and collects all the taxes with even fewer. State governments can't pave fucking roads. Besides, several other countries run socialized medicine just fine.

But nice try Mr. McCain.


Yes, I see your point. We should model healthcare after the IRS. Let's get started on that right away.


Why not? They're the one that put Al Capone away. Those motherfuckers get results.