Comment On So You Hacked Our Site!?

Not too long ago, I added my company, Inedo, to the federal government's Central Contractor Registration system. I don't know, I just didn't want to miss out on all the fun every one seems to have with government work. Whenever one signs up for virtually any government thing, a deluge of companies somehow manage to find to out. The CCR is certainly no exception.

Re: So You Hacked Our Site!?

2008-02-29 10:07 • by Andrew (unregistered)
Oh I hope he called you on a cell phone, and it was auto dialed. If a computer dials your cell for solicitation reasons, that operator owes you $500.

Re: So You Hacked Our Site!?

2008-02-29 10:09 • by Henrik (unregistered)
I love how you didn't even bother anonymizing it.

Re: So You Hacked Our Site!?

2008-02-29 10:13 • by Kal (unregistered)
Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.

Re: So You Hacked Our Site!?

2008-02-29 10:15 • by jtl (unregistered)
I love that the site is still the same.

Re: So You Hacked Our Site!?

2008-02-29 10:18 • by Chris (unregistered)
These guys called and gave me a similar sales pitch - didn't want to tell the price until after they had my card number. Not a good sign. I wrote it off as just another scam and didn't think any further.

It seems that even after chastising you for hacking their site, they haven't done anything about it - the same username and password still work. Hurrah for "secure" websites!

Re: So You Hacked Our Site!?

2008-02-29 10:19 • by snoofle
179931 in reply to 179926
Kal:
Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.

Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.

Re: So You Hacked Our Site!?

2008-02-29 10:24 • by sweavo (unregistered)
179932 in reply to 179931
snoofle:
Kal:
Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.

Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.



All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

Capcha: appellatio (is that like sucking off a fruit?)

Re: So You Hacked Our Site!?

2008-02-29 10:27 • by Alan (unregistered)
179934 in reply to 179926
Kal:
Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.


Oh well, I hear Cuba is lovely this time of year. Uzbekistan not so much.

Re: So You Hacked Our Site!?

2008-02-29 10:32 • by jtl (unregistered)
179936 in reply to 179932
Did that guy who cracked the iPhone go to jail?

No.

Re: So You Hacked Our Site!?

2008-02-29 10:35 • by snoofle
179937 in reply to 179932
sweavo:
snoofle:
Kal:
Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.

Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.



All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

Capcha: appellatio (is that like sucking off a fruit?)

Sadly, you are probably right. However, I personally would be willing to send a donation to help pay Alex's legal bills!

The real WTF

2008-02-29 10:35 • by RogL (unregistered)
Surprised nobody has commented on the real WTF:

It doesn't matter that the username/password are in the page source, because the "SECURE" page isn't.

You don't need the username/password if you have the URL to the page; it opens right up.

Re: The real WTF

2008-02-29 10:38 • by m (unregistered)
179940 in reply to 179938
Indeed. In fact, this WTF is like one of those super-interactive alternate reality games, y'know.

SECURE Federal stuff ftw!

Re: So You Hacked Our Site!?

2008-02-29 10:38 • by Staszek (unregistered)
That is a very frequent scam, just next to "Nigerian Connection" - the one where some Nigerian officials ask you for help transferring huge amounts of money.

They ask you for a credit card number and fax a document, where you agree not only to pay an insane amount of money for being listed on a sheet of paper in somebody's drawer, but in very tiny letters you also agree to be charged yearly.

You can decline, of course, by sending a notice to an address that is non-valid (surprisingly). Of course, since you cannot deliver the decline notice, they shall charge you next year...

Re: So You Hacked Our Site!?

2008-02-29 10:39 • by gabba
The real WTF is the hopelessly confusing indentation in the javascript.

Re: The real WTF

2008-02-29 10:40 • by snoofle
179943 in reply to 179938
RogL:
Surprised nobody has commented on the real WTF:

It doesn't matter that the username/password are in the page source, because the "SECURE" page isn't.

You don't need the username/password if you have the URL to the page; it opens right up.

True. If you open the page, and click on New York, the first item comes up with:

From the list below, select the product(s) that you are searching for to obtain information on small businesses located in your selected area

10.) Weapons <-- first choice


Re: So You Hacked Our Site!?

2008-02-29 10:41 • by bd (unregistered)
FWIW, I've just added their secure page into Google. Maybe those poor sods who shelled out for listing will finally get a call from some prospective client.

Re: So You Hacked Our Site!?

2008-02-29 10:45 • by Lysis
Now THAT'S some l33t h4x0ring!

Edit: The Page.Title of the "secure" web page even says "SECURE" (caps included). That made me rofl.

Re: So You Hacked Our Site!?

2008-02-29 10:46 • by Jamie (unregistered)
This'll get deleted again as soon as you see it, but you have made yet another mistake:

"a deluge of companies somehow manage to find to out"

Do you actually read what you're about to post?

Re: So You Hacked Our Site!?

2008-02-29 10:48 • by bd (unregistered)
Hmm, most of the secret stuff is already in at this moment. Check http://www.google.com/search?q=site%3Aofficers.federalsuppliers.com I don't know whether Google indexes so blazingly fast or if someone else was faster than me. Or perhaps, FSG linked to their secret pages somewhere else on the site... (playing with link: and site: is left as an exercise for the reader).

Re: So You Hacked Our Site!?

2008-02-29 10:56 • by AbbydonKrafts
Awesome. Reminds me of when my mom fell for the Who's Who crap in the early 90s when I was in high school. I'm embarrassed that I'm in it.

Re: So You Hacked Our Site!?

2008-02-29 10:56 • by akatherder
179953 in reply to 179941
Staszek:
That is a very frequent scam, just next to "Nigerian Connection" - the one where some Nigerian officials ask you for help transferring huge amounts of money.

They ask you for a credit card number and fax a document, where you agree not only to pay an insane amount of money for being listed on a sheet of paper in somebody's drawer, but in very tiny letters you also agree to be charged yearly.

You can decline, of course, by sending a notice to an address that is non-valid (surprisingly). Of course, since you cannot deliver the decline notice, they shall charge you next year...



And don't forget the fine-print also says you agree not to request a charge-back from your credit card company, punishable by a sizable fine paid to the scammer (who has your cc#).

Re: So You Hacked Our Site!?

2008-02-29 10:57 • by John (unregistered)
179954 in reply to 179932
sweavo:
snoofle:
Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.



All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

Capcha: appellatio (is that like sucking off a fruit?)


The real-world analog of this is like putting a locked door in a park, without any wall or fence attached, not even a landmark.

The trick here is that the "confidential" site is not protected and is accessible without any need for user validation. You don't even have to use the username and password. Literally you can open it just by opening the URL. I won't be surprised if the page could be found in Google cache too.
There are precedents where companies have left private data in publicly accessible places and this data has been accidentally found by users and copied. One such case is described in the "Hacking Democracy" HBO documentary.

Please notice that the article author doesn't say he has used the password to enter the site, so he is safe.

Re: So You Hacked Our Site!?

2008-02-29 11:04 • by stephane (unregistered)
seems to work, they're hiring!
http://www.pr.com/job/3441945

Re: So You Hacked Our Site!?

2008-02-29 11:05 • by DeLos
Wow. this is an amazing opportunity. Please give me the Phone number so I can sign up. Government agencies spend A LOT of money!

Re: So You Hacked Our Site!?

2008-02-29 11:06 • by Herohtar (unregistered)
Hah, I just hacked their site too! I am so awesome.

Re: So You Hacked Our Site!?

2008-02-29 11:11 • by Edss (unregistered)
Can someone in the US call their toll free customer support and request a password reset? Then when we "hack" the site again someone else can call.

These people need as much hassle as we can give them.

Re: So You Hacked Our Site!?

2008-02-29 11:13 • by what's the red star for? (unregistered)
179962 in reply to 179926
Kal:
Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.


He lied... he didn't hack the site. He just did a google search on: site:federalsuppliers.com
http://www.google.com/search?q=site%3Afederalsuppliers.com&btnG=Search



(hey... why is there a red star next to the "Your Name" field? There's nothing on this page that says what it means.)

Re: So You Hacked Our Site!?

2008-02-29 11:13 • by Rawr (unregistered)
179964 in reply to 179958
Haha, I just had to see for myself. Hilarious..

Re: So You Hacked Our Site!?

2008-02-29 11:15 • by Jazz (unregistered)
My new business plan:

1. Start contacting companies in the directory.
2. Let them know that you discovered their information on the federal supplier's guide.
3. Tell them that the security on the site can be easily bypassed.
4. Explain that this allows lots of people who are not Federal Procurement Peons to see their company's listing.
5. Explain that this is really good for their exposure and will lead to lots of new business.
6. Let them know that for the small, nominal fee of $5,000, you will post instructions on how to access the directory all over the web, in order to give them that exposure.
7. Profit!

Re: So You Hacked Our Site!?

2008-02-29 11:21 • by Whitey (unregistered)
179968 in reply to 179954
John:
sweavo:
snoofle:
Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.



All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

Capcha: appellatio (is that like sucking off a fruit?)


The real-world analog of this is like putting a locked door in a park, without any wall or fence attached, not even a landmark.

The trick here is that the "confidential" site is not protected and is accessible without any need for user validation. You don't even have to use the username and password. Literally you can open it just by opening the URL. I won't be surprised if the page could be found in Google cache too.
There are precedents where companies have left private data in publicly accessible places and this data has been accidentally found by users and copied. One such case is described in the "Hacking Democracy" HBO documentary.

Please notice that the article author doesn't say he has used the password to enter the site, so he is safe.


To complete the analogy... They put a sticky note next to the doorknob telling you the key is under the mat.

I think it would be good if the people listed on all those pages were somehow contacted and pointed back to this site. I'm sure most of them are oblivious to the fact that they have been scammed.

Re: So You Hacked Our Site!?

2008-02-29 11:32 • by The Usual Dosage (unregistered)
It's probably already been said, but as of 29 Feb 2008, you can just put http://officers.federalsuppliers.com/agents.html in your browser and skip the "secure login" entirely.

Security through (weak) obscurity. Genius!

Re: So You Hacked Our Site!?

2008-02-29 11:39 • by jpaull
I found another WTF (at least on IE7). If you start from the home page and click on the "Agents" link, the "Federal Regulations" tab on the menu bar splits into two tabs. It doesn't even split on the whitespace but on the R and E in regulations.

Nice!

Re: So You Hacked Our Site!?

2008-02-29 11:43 • by real_aardvark
179973 in reply to 179930
Chris:
These guys called and gave me a similar sales pitch - didn't want to tell the price until after they had my card number. Not a good sign. I wrote it off as just another scam and didn't think any further.

It seems that even after chastising you for hacking their site, they haven't done anything about it - the same username and password still work. Hurrah for "secure" websites!
We'd like to think that these weird "directory" services have been superseded by the intertubes, wouldn't we? Oh well. It'll happen when HR freezes over.

You're making a few assumptions here, aren't you?

You're assuming that the salesperp gives a shit and will pass the info on. (Actually, you're even assuming that the salesperp has the slightest idea of what Alex is talking about.) This never happens.

You're assuming that the boiler-room scam in question has any sort of IT staff whatsoever (down to and not excluding a janitor with basic Front Page skillz). This never happens.

You're assuming that, in lieu of that, they've employed a smart(ish) fourteen year old, payable in M&Ms and/or porn, to produce this cute little snippet. Well, this probably does happen, and more than we'd care to think. Unfortunately, school vacation is over.

The alternative is outsourcing, and I await the usual torrent of whines with trepidation. A fix would still be twelve hours away, though. And we'd all like to see it go through QA before being deployed on production, wouldn't we?

Re: So You Hacked Our Site!?

2008-02-29 11:43 • by WhiskeyJack
179974 in reply to 179968
Whitey:
To complete the analogy... They put a sticky note next to the doorknob telling you the key is under the mat.


Actually I think it'd be more like a sign saying "There is no key under the mat that unlocks this door!"

Re: So You Hacked Our Site!?

2008-02-29 11:47 • by DC (unregistered)
Like the fact that you can go straight to the URL too (hidden inside the if), not only are the password and username there for all to see.

Re: So You Hacked Our Site!?

2008-02-29 11:53 • by medialint
179978 in reply to 179975
DC:
Like the fact that you can go straight to the URL too (hidden inside the if), not only are the password and username there for all to see.


That's the first thing I did ...

http://officers.federalsuppliers.com/agents.html

Re: So You Hacked Our Site!?

2008-02-29 11:54 • by German B. (unregistered)
I would be surprised and utterly disappointed if that crappy site would be considered to be "protected" and if their accusation of hacking would be legally viable. All HTML, CSS and Javascript on the web is visible by definition. Nobody is guilty for peeking at page source. What WTF developers expose to the client, they do at their own risk. This doesn't even qualify as obfuscation. The URL is visible and no authentication whatsoever is required to access its contents. There is only a false security facade. Their claim of SECURITY is a blatant lie and their customers should do something about it. WTF !!!!!!

Re: So You Hacked Our Site!?

2008-02-29 11:56 • by Danny V (unregistered)
ROFLMAOSOAOIJNLOL!!!! Ahhh... that site's so secure that nobody accesses it except hackers!

Re: So You Hacked Our Site!?

2008-02-29 11:56 • by Izzy (unregistered)
179982 in reply to 179970
The Usual Dosage:
It's probably already been said, but as of 29 Feb 2008, you can just put http://officers.federalsuppliers.com/agents.html in your browser and skip the "secure login" entirely.

Security through (weak) obscurity. Genius!


Yep, it's not even a secure site--no user id, no password, no lock symbol in the IE browser. I'd hate to have spies waltzing in there and stealing a list of vendors. Of course, they could just use Google like everyone else.

Re: So You Hacked Our Site!?

2008-02-29 12:03 • by Yep (unregistered)
Everyone is missing the real WTF.

That page uses frames.

Re: So You Hacked Our Site!?

2008-02-29 12:06 • by Vempele (unregistered)
179985 in reply to 179942
gabba:
The real WTF security is the hopelessly confusing indentation in the javascript.

And brillant security it is indeed - it confused at least one potential hacker!

Re: So You Hacked Our Site!?

2008-02-29 12:09 • by Redbeard (unregistered)
So, the real WTF is that no government purchasing agent is going to search the web for sales leads. They are going to call the guy they met at some trade show or the guy who has a relationship with the purchasing agent.

Re: So You Hacked Our Site!?

2008-02-29 12:11 • by kyle (unregistered)
The sad part is you needn't add your company to Central Contractor Registration for these calls. I field one or two a month and I'm just a lowly video rental store!

Re: So You Hacked Our Site!?

2008-02-29 12:13 • by sweavo (unregistered)
179989 in reply to 179954
John:
sweavo:
snoofle:
Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.



All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

Capcha: appellatio (is that like sucking off a fruit?)


The real-world analog of this is like putting a locked door in a park, without any wall or fence attached, not even a landmark.

The trick here is that the "confidential" site is not protected and is accessible without any need for user validation. You don't even have to use the username and password. Literally you can open it just by opening the URL. I won't be surprised if the page could be found in Google cache too.
There are precedents where companies have left private data in publicly accessible places and this data has been accidentally found by users and copied. One such case is described in the "Hacking Democracy" HBO documentary.

Please notice that the article author doesn't say he has used the password to enter the site, so he is safe.


Well, it's hard to have a rational conversation about this since neither of us can be fagged to go and find the wording of the law. But if the law says "thou shalt not circumvent security measures" and someone leaves their door wide open and leaves a post-it on the mat saying "security measure -- do not enter" and you enter, then you're bypassing the security measure.

The poster does mention opening the source of the page, and displaying the password. So the moron^H^H^H^H^H tabloid press in this country at least would have no problem saying that he "hacked the internet codes" to gain access, and most low-level magistrates wouldn't find it hard to interpret that as a culpable act.

http://taosecurity.blogspot.com/2008/01/is-jerome-kerviel-hacking.html

Re: So You Hacked Our Site!?

2008-02-29 12:17 • by DMac (unregistered)
I randomly clicked their listings as follows:

region 6 > california > live animals

and learned that I could obtain a "far-infrared sauna."

for all of the times I have visited the zoo I have never encountered one of these. . . Sounds exotic.

Re: So You Hacked Our Site!?

2008-02-29 12:24 • by akatherder
179992 in reply to 179984
Yep:
Everyone is missing the real WTF.

That page uses frames.


Yes, that makes up for any javascript vulnerabilities because frames securely mediate, by design. Secure multi-mediation is the future of all webbing.

Re: So You Hacked Our Site!?

2008-02-29 12:26 • by Steve (unregistered)
Damn, they just re-secured it by changing the jscript to:


<script language="javascript">
<!--//
/* This script allows people to enter by using a form that asks for a
   UserID and Password */
function pasuser(form) {
    if (form.id.value == "Agent") {
        if (form.pass.value == "fsg2008") {
            location = "http://officers.federalsuppliers.com/agents.html"
        } else {
            alert("Invalid Password")
        }
    } else {
        alert("Invalid UserID")
    }
}
//-->
</script>

That's really unhackable.

Re: So You Hacked Our Site!?

2008-02-29 12:27 • by sweavo (unregistered)
179996 in reply to 179989
sweavo:

Well, it's hard to have a rational conversation about this since neither of us can be fagged to go and find the wording of the law.


In the UK, the Computer Misuse Act is pretty blanket. I just have to do something that's not authorised.

http://www.england-legislation.hmso.gov.uk/acts/acts1990/ukpga_19900018_en_1#pb1-l1g1

If Alex decides I'm not authorised to post comments here then I'm already transgressing.

Re: So You Hacked Our Site!?

2008-02-29 12:30 • by Doug (unregistered)
Thanks! These guys called me and I was considering paying them! You really helped out business owners and stuck it to the hucksters with this. Thanks again!

Re: So You Hacked Our Site!?

2008-02-29 12:30 • by SpamBot (unregistered)
179998 in reply to 179989
sweavo:
John:
sweavo:
snoofle:
Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.



All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

Capcha: appellatio (is that like sucking off a fruit?)


The real-world analog of this is like putting a locked door in a park, without any wall or fence attached, not even a landmark.

The trick here is that the "confidential" site is not protected and is accessible without any need for user validation. You don't even have to use the username and password. Literally you can open it just by opening the URL. I won't be surprised if the page could be found in Google cache too.
There are precedents where companies have left private data in publicly accessible places and this data has been accidentally found by users and copied. One such case is described in the "Hacking Democracy" HBO documentary.

Please notice that the article author doesn't say he has used the password to enter the site, so he is safe.


Well, it's hard to have a rational conversation about this since neither of us can be fagged to go and find the wording of the law. But if the law says "thou shalt not circumvent security measures" and someone leaves their door wide open and leaves a post-it on the mat saying "security measure -- do not enter" and you enter, then you're bypassing the security measure.

The poster does mention opening the source of the page, and displaying the password. So the moron^H^H^H^H^H tabloid press in this country at least would have no problem saying that he "hacked the internet codes" to gain access, and most low-level magistrates wouldn't find it hard to interpret that as a culpable act.

http://taosecurity.blogspot.com/2008/01/is-jerome-kerviel-hacking.html

Yes I think that in the case of burglary there is no requirement for any 'break-in', simply entering, and I'm not even sure if it's necessary to have the intention of taking anything away (exact definitions vary by country, btw).
Of course, that doesn't mean that 'hacking' would be the same, and I certainly don't think that this particular instance should be a crime anyway (so what: we can order 'Food Preparation Eqipment' from the same suppliers? wow). But I see your point.
