|
Plesk, Inc.
That sounds right. LOL |
Re: So You Hacked Our Site!?
2008-03-02 19:11
•
by
dkf
(unregistered)
|
Sigmund is pleased about that, though he wants to know what the pig's father fixation has to do with it. |
Re: So You Hacked Our Site!?
2008-03-02 19:57
•
by
J Fish
(unregistered)
|
|
laff
whois federalsuppliers.com Domain: federalsuppliers.com Registration provider: MateMedia, Inc. Registrant Jim Sprecher Jim Sprecher jim@countrysidepublishing.com PO Box 1735 Oldsmar, FL 34677 US +1.8139250195 (FAX) this site is on rackspace it appears. Domain Name Servers: NS.RACKSPACE.COM NS2.RACKSPACE.COM now, I await my visit from gov agents in black suits to arrest me for public knowledge for "hacking" if this is how our legit gov. handles business, I'll take my chance with the hackers thank you. |
|
Great stuff, Alex. I love you guys.
|
Re: So You Hacked Our Site!?
2008-03-02 22:10
•
by
Matt
(unregistered)
|
|
"Save those precious bytes to something that have not been written countless times. Thank you"
Shut up, don't tell me what to do. betch |
Re: So You Hacked Our Site!?
2008-03-02 22:45
•
by
Anon
(unregistered)
|
|
You really have to be joking to think that if you include the username and password in the javascript source of a page that it won't be found.
Seriously! |
Re: So You Hacked Our Site!?
2008-03-02 22:46
•
by
Anon
(unregistered)
|
|
My comment was in response to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT btw. Smarten up!
|
Re: So You Hacked Our Site!?
2008-03-02 23:28
•
by
d4ve
(unregistered)
|
|
internet in general (blogs, comments, etc) is becoming more redundant and predictable every day...gotta deal wit it
|
|
http://google.com/search?q=site:federalsuppliers.com
|
|
Updates:
http://officers.federalsuppliers.com/agents.html that's the page that it takes you to when you "log in". You can skip the entire "log in" process and just straight to that. Down side is they apparently took down the listing. Maybe there's a Google cache of it. Otherwise, here's the response from whois federalsuppliers.com: Domain Name: FEDERALSUPPLIERS.COM Registrar: INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM Whois Server: whois.itsyourdomain.com Referral URL: http://www.itsyourdomain.com Name Server: NS.RACKSPACE.COM Name Server: NS2.RACKSPACE.COM Status: clientTransferProhibited Updated Date: 13-nov-2006 Creation Date: 19-may-1997 Expiration Date: 20-may-2008 Here's the (partial) traceroute result: 11 * te-1-3-pr01.ashburn.va.ibone.comcast.net (68.86.84.154) 32.381 ms 33.949 ms 12 peer-01-ge-1-1-0-104.asbn.twtelecom.net (64.132.69.73) 26.917 ms 26.196 ms 27.974 ms 13 64.132.228.26 (64.132.228.26) 59.692 ms 63.685 ms 59.415 ms 14 64.132.228.26 (64.132.228.26) 58.507 ms 59.372 ms 58.322 ms 15 vl130.core1.sat.rackspace.com (64.39.2.33) 66.247 ms 61.229 ms 62.702 ms 16 64.39.1.149 (64.39.1.149) 62.185 ms 63.492 ms 59.942 ms 17 matemediainc.com (65.61.159.151) 61.192 ms 65.086 ms 60.287 ms |
|
Epic! :-)
I also love the PDF that he faxed you over. From 2006. Wow. Pretty current for govt. agencies, at least. tee-hee. |
|
We're at 712 comments and climbing. Could this be the most popular post of all time?
|
While technically it's at most 10 different comments. By the way, they have changed user name and password to something ridiculous, which doesn't matter because you can entirely skip the login process anyway by simply visiting the address hidden in the if construct. Besides, that isn't hacking, as the user name and password are directly sent to whoever reads the website. And the target site says SECURE, which is TRWTF because it isn't. And have you noticed there aren't any robots.txt files? Maybe Google has a cached version of it. Which would be great, because they have taken down the whole page. By the way, this is the WHOIS info on the domain: *snip* You should arrest me because I'm an evil hacker, yeah, haha, guess what, I'm not. Did I forget anything? |
Re: So You Hacked Our Site!?
2008-03-03 08:39
•
by
Eulbobo
(unregistered)
|
|
They changed user and password...
But it's still in the javascript :p |
Re: So You Hacked Our Site!?
2008-03-03 09:19
•
by
More
(unregistered)
|
Yep. The guy who defended the company at first can't spell, and the page is now at: http://www.federalsuppliers.com/warning.html. Which I find highly confusing... since that is the page Alex originally gave. |
Re: So You Hacked Our Site!?
2008-03-03 09:44
•
by
wtf
(unregistered)
|
|
Although I am sympathetic to your story, the simple fact is that it's laughable that your company wouldn't do a better job of protecting your website. Please don't address us as hackers with a negative connotation. A hacker wouldn't post this article, a hacker wouldn't tell you about the problem, they would exploit it instead. If you want to fix your site's reputation, why don't you fix the problem?
|
Re: So You Hacked Our Site!?
2008-03-03 10:01
•
by
Anita
(unregistered)
|
|
I used to work for Federal Suppliers Guide, several years ago as a Graphic Artist. I have to say that I was initially skeptical of their product. Final copies are not mass produced, but rather a small-scale print run (each approx. phone book size) delivered to the select Federal Suppliers for that State/Region. Customers do have to pay to get a copy of the book (something like $100). I believe that a copy of their ad is free.
Phone calls and ads are legitimate. There were at least 4 full-time Graphic Artists to handle the workload. Designs were faxed and e-mailed to customers for approvals. They had a full time sales staff at several locations (probably 10-12 at the location that I worked). Owner/Manager is a Christian woman that seemed to treat employees with respect. Very small company, with its biggest downfall being (in my opinion) that it didn't offer employees a lunch room and that equipment/software was in need of upgrading. Other than that, I don't believe that I would label it as a "scam" company. Just a niche product. Think they also offered services to assist with Federal Suppliers paperwork processing - with a hefty fee if I remember correctly. |
Re: So You Hacked Our Site!?
2008-03-03 10:23
•
by
just visiting
(unregistered)
|
This makes me sad. :( |
I rofl'd Addendum (2008-03-03 10:50): Posting in a legendary thread. |
|
This is very upsetting news... I get the feeling that every other WTF posted from now is going to pale in comparison to this... :(
|
This one is still well ahead, and I'm not even sure if that's the record. |
Re: So You Hacked Our Site!?
2008-03-03 11:26
•
by
amused
(unregistered)
|
|
hilarious
|
|
Really, clicking "View Source" shouldn't even count as a step. The data that their server is sending you is the raw HTML/Javascript. Your browser interprets it, and "View Source" is just showing you what was actually received. If I used wget, or telnet'ed to port 80 of their webserver and did a GET on the page in question, I would see the username and password right there.
|
Aww, look. Pathos. |
|
I wouldn't be much surprised if they wouldn't be safe from SQL injection attacks either..
http://www.federalsuppliersguide.net/?_name=&_description=&_q1=&_q2=52&_q3=&_orderBy=name |
Re: So You Hacked Our Site!?
2008-03-03 12:44
•
by
hax0rz
(unregistered)
|
Ahhh yes. The Hat Riddle. Good times. |
|
http://www.google.com/search?q=+site:federalsuppliers.com+federalsuppliers.com/&hl=en
If you browse the several pages, you'll see the listed addresses of the companies who were marks. I don't mean to discourage or deface these businesses, but FederalSuppliers is not exactly sharing their information with anyone. I hope that via the Google Cache, they will get at least some attention, and maybe find grounds for a lawsuit against the owner(s) of FederalSuppliers. Remember, the government isn't the only one interested in buying from these companies. They're in business so EVERYONE can invest, purchase, and make that economic wheel turn. |
Re: So You Hacked Our Site!?
2008-03-03 13:39
•
by
wavq
(unregistered)
|
|
So how do you know if you're authorized?
How do you know if you're not authorized? |
Wow, 15 pages of vitriolic hot-headed comments so far, all because of something that was almost certainly a deliberate troll. Unless you think that someone with those language skills, that little knowledge of what he's doing, and that offensive a position would actually have come to this website and posted here, especially with such brazen statements like "all of you are being reported to the appropriate authorities as we have your information too". Granted it was well-crafted to the point where it seems just plausible enough, but everyone who flamed in response to that post should check themselves, as they are a gullible idiot. Dan. |
Re: So You Hacked Our Site!?
2008-03-03 14:25
•
by
Instaneous
(unregistered)
|
He could be trolling in his spare time. |
Re: So You Hacked Our Site!?
2008-03-03 14:48
•
by
Vaccano
(unregistered)
|
|
OK, if the website was secure then you could MAYBE have an argument for legal action. But since I could get to this site (which I have not done) without a user name and password, it cannot be called hacking.
Having an unsecured web page that you don't want the general public to go to is not security, it is wishful thinking. (To use the house analogy, it is like taking your private journal out of your house and posting all the pages on a bulletin board at the City Hall.) Just because another page that links to it requires two unique strings for the link to work does not make the page behind the link secure. You need to secure your website for authenticated users, then (even if you are stupid and store your user name and password in the JavaScript) you COULD POSSIBLY have an argument for legal action. |
Re: So You Hacked Our Site!?
2008-03-03 14:53
•
by
jimmy
(unregistered)
|
Not to be a boogerhead about it, but that one is about an interview method. It's kind of subjective. This one is a newbie implementation error (I'm being nice!) by a site that (to most of us apparently) is not far shy of being strung up for their business practices. The phrase "couldn't happen to a nicer guy" comes to mind here. Then, to top it off, somebody digged it. Brillant! |
|
Now they've changed it to a single input box...
the script now just tacks on ".html" to whatever you type into the box and does a request for that... I guess they couldn't afford a real web developer... so where does all of that money go then? |
Re: So You Hacked Our Site!?
2008-03-03 15:43
•
by
Renan "C#" Sousa
|
It shows the following error in the end of the page:
One more WTF in the list of WTF's for that site. |
Re: So You Hacked Our Site!?
2008-03-03 15:44
•
by
real_aardvark
|
Well, I enjoyed that, even if the last hundred posters didn't. Maybe we could start a club? It'd be Webby, it'd be 2.0 ... it might even feature photographs. Now, that'd put most of these pointless swine off the idea of posting. |
Re: So You Hacked Our Site!?
2008-03-03 15:49
•
by
real_aardvark
|
You think? Tell me again. What country do you live in? When do retarded adolescents grow up in that country? |
Re: So You Hacked Our Site!?
2008-03-03 15:54
•
by
real_aardvark
|
Ha-hem. What, precisely, is the difference between "scam" and "rip-off" and/or "snake-oil sales"? A "niche" product is something that you can't find anywhere outside that niche. Granted, it might still be any or all of the above. It might still be what you want. This one ain't it. |
Re: So You Hacked Our Site!?
2008-03-03 16:19
•
by
Prosthetic Lips
(unregistered)
|
PS: Don't try typing the obvious word, "procurement", into the input box. Because that is most definitely *NOT* the password (at least at 4pm EST on Monday). Who knows what it will be later. |
Re: So You Hacked Our Site!?
2008-03-03 16:22
•
by
All your base are belong to ME!
(unregistered)
|
|
So, I don't code but work in IT, mostly hardware but I LOVE this website. I got through about the first four pages of the comments, and honestly can't believe that
* This company is not fixing this blatant security issue
* Referring to people here as "hackers" when in reality true hackers would have completely DESTROYED their website, getting personal data/credit card numbers, and god knows what else
Instead of cheap/petty threats from employees from this company, they should be THANKFUL that it was found on this forum where ridicule is the worst consequence of their action (or inaction). |
Re: So You Hacked Our Site!?
2008-03-03 16:38
•
by
Prosthetic Lips
(unregistered)
|
|
The management would like to inform everyone that the persons responsible for the unmarked sarcasm in the previous post have been sacked.
Why doesn't BBCode have a [sarcasm]marker[/sarcasm] for that? |
Love their new code comments
ph33r m1 l337 h4xx0r 5k1llz or something lol |
Re: So You Hacked Our Site!?
2008-03-03 17:20
•
by
Rawr
(unregistered)
|
|
<!--
// **** You WILL NOT get access without a valid password ****
var suffix = ".html"
// **** javascript:IPcatch:subject?Source_code_violator ****
var pass_msg = "Password: ";
function go_there() {
  location.href = document.pass_form.pass.value + suffix;
}
document.write('<form name="pass_form" onSubmit="go_there();return false">' + pass_msg + '<input type="password" name="pass" size="20" value="">' + ' <input type="button" value="Verify" onClick="go_there()"></form>');
// -->
I just felt the things I outlined in bold were, in fact, rather comical. |
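The snippet quoted above is the whole "gate": the typed value is appended to ".html" and the browser is sent there, so the server itself never checks anything and the listing is served to anyone who asks for its path directly (or, as a later commenter notes, the browser is sent to whatever URL was typed). The following is an added example, not code from the thread or from the site being discussed. It models that scheme as seen from the server, next to a server-side gate that verifies credentials itself and releases the page only to a session it issued. The page name "agents.html" is the one mentioned earlier in the thread; the user, password, page body and class names are constructed for this example.

```python
# Added example (not from the thread or the site it discusses): the quoted
# JavaScript gate seen from the server, beside a server-side gate.
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Content the web server holds. Under the JavaScript scheme the server
# performs no check at all: the typed "password" only becomes part of the
# URL, so the server returns the page to anyone requesting that path.
# Page body is constructed for this example; "agents.html" is from the thread.
PAGES: Dict[str, str] = {"agents.html": "<h1>Agent listing (constructed)</h1>"}


def client_side_gate(requested_path: str) -> Tuple[int, str]:
    """The thread's scheme, seen from the server: no authentication step."""
    body = PAGES.get(requested_path)
    return (200, body) if body is not None else (404, "not found")


PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked credential store is not a list of passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AuthServer:
    """Server-side gate (constructed name): credentials are checked here, and
    the resource is released only to a session token the server issued."""

    def __init__(self, users: Dict[str, str]) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self._users[name] = (salt, _hash_password(password, salt))
        self._sessions: set = set()
        # Dummy record so an unknown username costs the same time as a known one.
        self._dummy = (os.urandom(16), b"\x00" * 32)

    def login(self, username: str, password: str) -> Optional[str]:
        record = self._users.get(username)
        salt, stored = record if record is not None else self._dummy
        match = hmac.compare_digest(_hash_password(password, salt), stored)
        if record is None or not match:
            return None
        token = secrets.token_urlsafe(32)  # unguessable, generated server-side
        self._sessions.add(token)
        return token

    def get(self, path: str, session_token: Optional[str] = None) -> Tuple[int, str]:
        # The check runs on every request for the resource, not on a login page only.
        if session_token is None or session_token not in self._sessions:
            return (401, "authentication required")
        body = PAGES.get(path)
        return (200, body) if body is not None else (404, "not found")


if __name__ == "__main__":
    server = AuthServer({"agent": "correct horse battery staple"})  # constructed
    print("JS gate, direct fetch:", client_side_gate("agents.html"))
    print("server gate, no session:", server.get("agents.html"))
    token = server.login("agent", "correct horse battery staple")
    print("server gate, after login:", server.get("agents.html", token))
```

The point the thread keeps making is visible in the two `get` paths: `client_side_gate` has no branch that can refuse a request, so nothing the browser-side script does changes what the server hands out, while `AuthServer.get` refuses anything that does not carry a token the server created after a verified login.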
Re: So You Hacked Our Site!?
2008-03-03 17:21
•
by
phire
(unregistered)
|
Na, that's an actual page. You can access it normally from the 2nd button from the right in the top bar, helpfully labelled procurement. But, as long as someone visits the guide, and they have google toolbar installed, then google will eventually index it. |
Re: So You Hacked Our Site!?
2008-03-03 17:43
•
by
Dave G.
(unregistered)
|
|
Stop spoiling our fun you joyless old bastard. Nobody cares.
|
Re: So You Hacked Our Site!?
2008-03-03 17:58
•
by
Calli Arcale
(unregistered)
|
The hefty fee would not surprise me in the least; while I do suspect your former employer is not, technically, a scammer (at least, not in the sense of the 419 scammers), I do suspect they can fairly be described as snake-oil salesmen. They are selling a product which is of no practical value for a high price -- and, judging by the experience relayed in the original post, using well-worn sales techniques designed to induce a person to buy without any real knowledge of what exactly they are buying. In short, it would be fair to describe it as a con-job. (Charging large amounts of money for menial copying is also a borderline con-job, BTW.) Some posters have compared it to vanity publishing and "Who's Who?" services, which charge a fee to publish your name and/or work. What they don't tell you (and what they didn't tell the original submitter) is that this information will go into a publication so obscure that it's only a step above where Arthur Dent had to go to find the "publicly displayed" notice that his house was scheduled for demolition (cf. "The Hitchhiker's Guide to the Galaxy"). Me, I'd like to compare it to services which sell lunar or Martian real-estate, or asteroids, or the rights to name stars. In all cases, they are charging customers for something which is utterly meaningless -- but which they have deliberately represented as valuable despite knowing perfectly well that it is completely worthless. Now, such companies have often claimed that they are not con-artists, because they are in fact providing a service for a fee. But the service is so grossly different from what they persuade their customers to buy that it beggars the imagination to think how they might actually think they're doing a service to anybody.
There are only two realistic options: either your former employers are deliberately misrepresenting their service, and counting on the fact that their customers are all small businesses who likely won't have the wherewithal to take them to court, or they are complete and utter morons with a grossly inflated sense of their own importance. Actually, the javascript snippet might support the "moron" theory. But the conduct of the salesman very strongly supports the "con-artist" theory, because he went out of his way to avoid giving any real information to the prospect which would permit the prospect to fairly judge the offer. Either way, I think it is very much in the public interest to publicize this information. Customers have a right to fairly judge the quality of a proposition. If the people who posted earlier in this thread claiming to be employees actually are, then their protestations of innocence are entirely consistent with trying to prevent the public knowing just how worthless this product actually is. And that, my friends, is the real WTF. Not the lame-O security, though that was a pretty darned good WTF. One of the best I've ever seen, made so much better by the company's attempts to "fix" the hole. The real WTF is that so many companies can get away with selling products so worthless that they must be either con-artists or the biggest incompetents in history. |
Alright, am I a nerd if I thought it was hilarious to navigate around the site using this form? I'm pretty sure the web dude at www.federalsuppliers.com is checking this thread pretty often. If so, I thought I'd let you know the navigation on this "login" page is broken now:
<li><a href="http://www.federalsuppliers.com/federal.html">Federal R</a><a href="http://www.federalsuppliers.com/federal.html">egulations</a></li>
The style class is sticking a bar between them which makes it display as: "Federal R | egulations"
Look on the bright side.. you're getting all kinds of free QC and consulting work here. I know companies that have paid millions to have this kind of detailed site audit performed. |
Re: So You Hacked Our Site!?
2008-03-03 18:00
•
by
Anonymous Coward
(unregistered)
|
|
With their new login 'http://www.whitehouse.gov/index' as a username works. :P
|
|
The new implementation is great. Also I know it was suggested by someone in the comments. So they're actually reading this ^^
Anyone guessed the new password? |
|
Well, at least they made it marginally more secure now.
In fact, they should probably pay The Daily WTF, for solving their glaring security issue. I just wonder how often they had to tell their "agents" about the new changes to the "security" login. |
Re: So You Hacked Our Site!?
2008-03-03 20:03
•
by
MM
(unregistered)
|
Lawsuits from people whose ADVERTISEMENTS were actually seen??? That's what's on this site - what this "security" is protecting - it's ads. It's hard to believe clients would be that upset at having their ads be seen. (The security isn't there to protect the clients. It's there to keep people from checking references and recognizing that the service is a scam. It's really sort of a shame that they may be fixing it now.) Now this, on the other hand, might be a valid concern. If someone pretends to secure a site that neither needs nor has any security, it brings into question what else they're doing that badly. |