Comment On So You Hacked Our Site!?

Not too long ago, I added my company, Inedo, to the federal government's Central Contractor Registration system. I don't know, I just didn't want to miss out on all the fun every one seems to have with government work. Whenever one signs up for virtually any government thing, a deluge of companies somehow manage to find to out. The CCR is certainly no exception.

One of the many companies that contacted me after signing up was the Federal Suppliers Guide. The initial cold call went something like this:

FSG Rep: Hi Alex, I've got some great news for you!

(Let me guess... you can save me a lot of money on something...)
Me: Okay...

FSG Rep: We've reviewed your CCR registration, and it looks like your company could be eligible for placement in our guide!

(Wow, that *is* great news!)
Me: Your guide?

FSG Rep: The Suppliers Guide! It's used *exclusively* by state and federal agencies to purchase services and products. Anyway, to confirm your eligibility, I'll need to ask a few questions. First, where are you located?

--- snipped a total of three questions asked ---

FSG Rep: Okay... well, let me punch this in here -- clickity clickity clicky -- wow! This is really good! You are, in fact, eligible for the guide! Would you like to be in our guide?

(There's no possible way there could be any sort of catch here...)
Me: Sure! Why not?

FSG Rep: Fantastic! There's just a nominal fee to get started, so if you'll just get me your credit card number we can--

Me: How much is the nominal fee?

FSG Rep: Heh, it's really very little actually. It's a fantastic investment that ranges anywhere from six hundred to several thousand.

Me: I can't make that decision right now; can you send me over some information?

FSG Rep: Oh. You can't? Well, I mean, I guess I could send you more information... but you know, I can just answer any questions you have now. I mean, I'd hate for you to lose your eligibility, that's all!

(What a nice guy! And this whole time, I thought he was a fast-talking salesman...)
Me: I guess we'll just have to take that risk; can you also send me a copy the guide, too?

FSG Rep: Err, gee... well, you know... that's the one thing I can't do. You see, these guides are to be used *exclusively* by government agents. We can't just give them to anyone, you know.

(And to think, I was questioning whether they were even legitimate!)
Me: Okaaaay... just send me what you can then.

After a bit more back-and-forth about how he could "just answer any questions I had right now", the sales rep pointed me to their sample ads, a 7mb PDF with sixteen pages of seemingly real companies, all with the same phone number (555-555-5555) and the same website (00000000000.com). Somehow, that didn't convince me to "invest" several hundred dollars, so the salesman faxed over some more inforation with a single, real ad.

As I eagerly waited for the follow-up call later that day, I thought I'd take a minute or two to check out their website. Almost immediately, I came across their Federal Procurement Officers Only page. Out of curiousity, I entered a username and password, and then clicked the Login button. Instantly, a JavaScript dialog popped-up...

Since there's really only one thing that could cause such a dialog to pop-up so fast, I checked the source code...

<script language="javascript">
<!--//
/*This Script allows people to enter by using a form that asks for a
UserID and Password*/
function pasuser(form) {
if (form.id.value=="buyers") { 
if (form.pass.value=="gov1996") {              
location="http://officers.federalsuppliers.com/agents.html" 
} else {
alert("Invalid Password")
}
} else {  alert("Invalid UserID")
}
}
//-->
</script>

And sure enough, following that URL (UPDATE: now taken offline) led me to the "SECURE Federal Suppliers Guide Listings for Agents" [sic] page. Having obviously way too much free time on my hands, I clicked through the secure guide and called a few of the companies listed to inquire about the ad. The response was overwhelmingly the same: we spent several [hundred|thousand] bucks on this ad, and haven't had a single call -- aside from yours just now -- in [one|two|three] year[s] regarding it.

When the sales rep called later, I decided to politely explain why I wouldn't be "investing" at this time...

Me: I called a few of your clients for references, and none of them received a single lead from the--

FSG Rep: Wait-wait-wait... clients? You called our clients? How did you--

Me: Err, well, I just clicked the "Agents" link--

FSG Rep: You can't access that page! That's for Federal Procurement Officers Only! It's password protected!

Me: Well, umm, the password was right there on the--

FSG Rep: So you hacked our site!? You can't do that! It's SECURE! You can get in a lot of trouble for hacking!

The conversation quickly went downhill from there. Needless to say, I decided against investing in the guide. But the good news is, despite hacking their site, I'm still eligible for inclusion in the guide!