Reading that code made my lunchtime :) Beaming smile across my face at the insanity of it. No conditional nested If blocks, no database use, badly named variables, no inclusion of security header on target pages... just beautiful.

That's completely insane - firewall?
But I have to agree - lunch is improved with a novel (simple) wtf...

I guess they should be grateful it's not *all* on one line. Seriously though, that's impressive. Sometimes you have to wonder how these people survive a day. It never occurs to them to think "there *has* to be a better way than this."?

Better way? That's crazy talk!

And now we know to try
http://www.stupiddomain.com/private/index.asp if we get an error on their main site. Nice - we can all read the content. I wonder if they turned off the ability to browse directories?

Unfortunately, looking at Google, there are no easy-to-locate culprits; rather, we see:
Results 1 - 30 of about 136 for inurl:private/index.asp. (0.29 seconds) And that's assuming that part of the URL wasn't anonymized at.

dreadful, just dreadful. Not only is the design and architecture laughable, there's redundant code everywhere.
I would feel very comfortable saying that this is the work of a tech-boom business major html-er turned programmer.

Re: The Insanity Defense • 2007-03-23 09:29 • by This is nothing... really... (unregistered)
Seriously, use the same trick on "secret/index.asp" and "secure/index.asp" ... how do you know the URL _isn't_ anonymized?

Re: The Insanity Defense • 2007-03-23 09:30 • by This is nothing... really... (unregistered)
Hey! Try it with "protected/index.asp" wow!

For a while I was thinking all that ip = foo was assignments! THAT would be a complete WTF! Although, I do think that mixing the assignment operator with the test-equality operator is a small WTF in itself.

They should have used JavaScript, much more secure that way I hear.

Re: The Insanity Defense • 2007-03-23 09:35 • by s|k (unregistered)
That's VB for you...

Re: The Insanity Defense • 2007-03-23 09:44 • by Sgt. Preston (unregistered)
You have got to be kidding. How do you figure JavaScript would be more secure? One can write plenty secure Web site security in VBScript and ASP and one can write just as poorly designed Web site security in any language one chooses. What is with this persistent knee-jerk reaction to VBScript and Visual Basic? The WTF is in the bad design, not in the choice of language.

"dubya", said Captcha. I was going to write something here, but that summarizes it more effectively than I ever could have.

Re: The Insanity Defense • 2007-03-23 09:48 • by Jimmy (unregistered)
The fourth link for that search is a page (The Tax Club) which tells me that my tax return is almost two years late! WTF?

Re: The Insanity Defense • 2007-03-23 10:04 • by Rich (unregistered)
I think he forgot to enclose his comment in <sarcasm></sarcasm>... Bet he feels silly now!

I think I could surf the internet for 50 years and not get sick of people overreacting to sarcasm.

Please let's not start that debate again.

I'm trying to figure why they do two checks. Also not using the short-circuit OrElse operator is a waste of cycles. At least this one isn't as eye-gougingly horrible as some recent ones.
captcha: tastey (mmmmm...mmmm good)

Re: The Insanity Defense • 2007-03-23 10:14 • by Sgt. Preston (unregistered)
All right, I give. How can you tell the clever, witty, sarcastic slamming of VB from the usual moronic slamming of VB that plagues this forum? They look pretty similar to me.

Sometimes I wonder if literary types have the same kind of debates of their languages and writing styles?
"Oh, that would have been *so* much more understandable in Spanish" "The REAL WTF is the leading upside-down question mark in Spanish! How can anyone take that language seriously?" "You have no idea what you're talking about! Spanish is just as serious as any other language!" "The problem with Spanish is that too many people speak it, so half of what's written in Spanish is trash." "I don't know what you guys are talking about. Real writers only write in Cyrillic!"

One time, I saw a Javascript authentication system in place for the partner extranet on the Web site of a major manufacturer of fingerprint scanners and biometric security equipment.
The way it worked was, it downloaded a Javascript MD5 implementation, and a list of password hashes as a JSON object. When the onsubmit() event of the login form fired, the password input got hashed and compared against the list. If your password was in the list, the code set a cookie and redirected you to the extranet home page (which would, again through Javascript, redirect you back to the login page if you didn't have the cookie). There was no robots.txt file (there is now), so the hundreds of precious PDF files that you supposedly needed a paid extranet account to access, linked to by the extranet home page, were available to anyone smart enough to hack the system or disable Javascript, and to anything that wasn't a Web browser, like Google's indexer bot. The same site used Apache digest auth elsewhere, but that was compromised because the aforementioned JSON file was substantially the same list of MD5 hashes as the .htpasswd. I'd feel really "secure" using their products. The Department of Homeland Security is one of their biggest customers.

Re: The Insanity Defense • 2007-03-23 10:21 • by Strider (unregistered)
I think the shot at VB was directed at the assignment and equality operator being the same, not at anything to do with security.

I'm assuming they're using IIS, so they completely ignored the built in IP and Domain Name restrictions. Unless of course they're hosting it on a Windows XP version of IIS which has that feature disabled, which would be a WTF in a whole other category.
captcha = cognac (hic!)

Can't believe it :)
dammit.. I'd do myself ara-kiri (how the hell do you write that?) if I'd write such as waste ;)

Re: The Insanity Defense • 2007-03-23 10:28 • by Sgt. Preston (unregistered)
Good point, kanna, though the written language equivalent of some of the tiresome VB slamming we see in here would be more like "He wrote it in Spanish. What an idiot! Hee hee hee."

Re: The Insanity Defense • 2007-03-23 10:33 • by sol (unregistered)
you rock!

A good rule of thumb might be to ask yourself, "am I writing a paragraph of text responding to a 4-word post?" Because if you are, it's pretty obvious the original author isn't interested in a serious conversation, so you're wasting your time.

You can't discuss languages and WTFs without including Esperanto.

Re: The Insanity Defense • 2007-03-23 10:37 • by Unix Tool Geek (unregistered)
you're aware that wget can happily ignore robots.txt if you pass it the right option, aren't you?

Personally, I really hate VB but this WTF has nothing to do with VB. It has everything to do with the "coder" having severe brain damage :)

Anyone else wonder what happens if you change error=0 when you get forwarded to index.asp?
JavaScript would be almost as secure and easy to maintain (NOT secure and nightmarish). You could only forward on success, so those with JavaScript disabled aren't automatically forwarded. You'd need a way to jumble the URL too. Someone could look at the list of IP addresses and Class C's, but there would be much easier ways to bypass this Fort Knox-like security than spoofing your IP address.

Uhm... ok not even talking about firewalls, what's so hard about a one line SQL statement?
(pseudo code, since I don't do that ASP garbage)

    SELECT COUNT(*) FROM VALID_IPS WHERE IP_ADDR = @asp_value_of_ip
    if (count == 1) {
        // yee haw
    } else {
        // redir goatse
    }

Re: The Insanity Defense • 2007-03-23 10:59 • by Uberbandit (unregistered)
I don't know if reading El Quijote in Cyrillic is a good idea, at least for me, as I'm Spanish. And BTW, more people speak English, such a poorly designed language, like Visual Basic... sorry I couldn't resist

"You have not experienced Shakespeare until you have read him in the original Klingon." - Chancellor Gorkon

This strikes me as a fairly odd way of knocking the end off a string.

Re: The Insanity Defense • 2007-03-23 11:04 • by anonymized (unregistered)
VBScript doesn't have a short-circuit operator. Lame, isn't it? Captcha: dubya (zark off!!!)

Re: The Insanity Defense • 2007-03-23 11:05 • by Espo (unregistered)
That would not work for the /24-networks he is checking for.

I am sure this was translated from Aramaic before posting, because only that language is appropriate for use during sarcasm.

A well-illustrated point, but unfortunately one based on an invalid comparison. (I have no idea what the VB operator for an invalid comparison might be: "!" perhaps?) You could make a more apt comparison by substituting "Spanish" with "Klingon" thusly: "Oh, that would have been *so* much more understandable in Klingon" "The REAL WTF is the lack of love poetry in Klingon! How can anyone take that language seriously?" "You have no idea what you're talking about! Klingon is just as serious as any other language!" "The problem with Klingon is that only Trekkie obsessives speak it, so half of what's written in Klingon is trash." "I don't know what you guys are talking about. Real writers only write in Borg!" I think, trolls aside, we can all agree that VB is fine in its place. I think all VB aficionados would agree that this place would not be, say, in the flight control system of an Airbus. It does seem to spread like kudzu, though...

In the original code sample, each list of IP addresses was all on one line; unfortunately, that doesn't fit very well on the web page. Mea culpa for not mentioning it!

Damn, somebody beat me to it.

Re: The Insanity Defense • 2007-03-23 11:26 • by Sgt. Preston (unregistered)
This is a server-side ASP application written in VBScript. I presume that if you switched to JavaScript you would still be writing a server-side ASP application and not a client-side application. The list of IP addresses would not be exposed to the client regardless of which language you used.

You know, I did kind of code something like that as a quick-n-dirty hack code for a message board I ran. But I did it as an IP *blocker*... not a form of security to allow people in!
That's just mind-boggling. Seejay

Re: The Insanity Defense • 2007-03-23 11:49 • by mattnaik (unregistered)
Especially considering that the XP version only allows something like 5 concurrent connections. "Sorry surfer number 6...wait your turn"

Re: The Insanity Defense • 2007-03-23 11:50 • by Alex Brown (unregistered)
It's not that bad if you write vb all day. If you switch back and forth between vb and C# frequently like I do, it can be lethal!

I'm just surprised Fran's web admin (or other cow-orker) didn't complain about getting haxx0red by something called "Googlebot".

Wow, that's a nice one... perfect example of how security in web apps is handled... and we care about css/xss attacks... ;)

I like how you have to scroll past dozens of existing comments to find the "Add Comment" link.
Anyway, this is a nice WTF. I read the first part (ip) and thought "ehh, not surprising". But just when I thought it was gonna be a lame WTF today, the ip2/ip3 part cracked me up. On the bright side, at least they came up with a way to block out subnets, without having to list each ip in the subnet individually. I am a little surprised actually.

I don't think anybody has mentioned the complete WTF nature of the fact this code does a Response.Redirect, which just tells the browser to load the /private page..... And the browser will clearly show the /private page address in the URL address bar...
So not only is this horribly written, but completely pointless.... If someone wants to link to the page they'll use the address they see in the browser, which will be the /private page anyway... -Me
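Two of the complaints in this thread, the ip2/ip3 "Class C" checks done by knocking the end off a string and the Response.Redirect that hands the /private URL to the browser, can be fixed in the same include file. What follows is an added example written for this page, not code from the original submission: a classic ASP allow-list that matches exact hosts and whole /24 networks octet by octet, meant to be included on every protected page so the check cannot be skipped by typing the URL in directly. The addresses in the list and the include path are made up, and the example assumes IIS sees the real client address in REMOTE_ADDR (no reverse proxy in front of it).

```vbscript
<%
' Added example for this thread, not the original submission's code.
' Assumptions: the addresses below are made up, and REMOTE_ADDR is the
' real client address (no reverse proxy in front of IIS).

' One list instead of dozens of If blocks. Exact hosts have four
' octets; a whole /24 ("Class C") network has three.
Dim allowed
allowed = Array("203.0.113.7", "203.0.113.8", "198.51.100")

' True if s is a decimal 0-255 written with digits only, so "", "1e2"
' and " 12" are rejected instead of being silently converted.
Function IsOctet(s)
    Dim i
    IsOctet = False
    If Len(s) = 0 Or Len(s) > 3 Then Exit Function
    For i = 1 To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then Exit Function
    Next
    If CInt(s) > 255 Then Exit Function
    IsOctet = True
End Function

' True if ip equals a listed host or lies inside a listed /24.
' Octets are compared one at a time, so the entry "198.51.10" admits
' 198.51.10.x only. A string-prefix shortcut such as
' Left(ip, Len(entry)) = entry would also admit 198.51.100.0 through
' 198.51.109.255, ten networks nobody meant to allow.
Function IsAllowed(ip, list)
    Dim parts, entry, entryParts, i, match
    IsAllowed = False
    parts = Split(ip, ".")
    If UBound(parts) <> 3 Then Exit Function      ' not a dotted quad
    For i = 0 To 3
        If Not IsOctet(parts(i)) Then Exit Function
    Next
    For Each entry In list
        entryParts = Split(entry, ".")
        ' 3 octets = /24 network, 4 = single host; anything else is a
        ' typo in our own list and is ignored rather than matched.
        If UBound(entryParts) = 2 Or UBound(entryParts) = 3 Then
            match = True
            For i = 0 To UBound(entryParts)
                If CInt(parts(i)) <> CInt(entryParts(i)) Then
                    match = False
                    Exit For
                End If
            Next
            If match Then
                IsAllowed = True
                Exit Function
            End If
        End If
    Next
End Function

' Pull this file into EVERY page under /private with
'   <!--#include virtual="/private/ipcheck.asp" -->
' (path made up). Denying here on each page, instead of redirecting
' from a landing page to an unguarded /private/index.asp, means that
' knowing or bookmarking the /private URL is worth nothing.
If Not IsAllowed(Request.ServerVariables("REMOTE_ADDR"), allowed) Then
    Response.Status = "403 Forbidden"
    Response.Write "Access denied."
    Response.End
End If
%>
```

Keeping networks as three-octet entries preserves the submitter's idea of not listing every address in a subnet, but the comparison is done per octet rather than on the string. Note that VBScript's Or evaluates both sides, as a comment above points out, so the guards here are written so that both sides are always safe to evaluate. If the list keeps growing, the IIS IP and domain restrictions mentioned earlier in the thread do the same job with no code at all.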