• ID (unregistered)

    Woaw just... woaw.

    I have nothing more to say.

  • SpamBot (unregistered)

    WTF!

  • Saaid (unregistered) in reply to SpamBot

    This is a real WTF and it's not funny.

  • Sean Ellis (unregistered)

    The real WTF is you publishing a screenshot without anonymizing their names and addresses...

    I imagine the residents of Merland Drive, Cindy Road, Lee Avenue, and so on are gathering up their torches and pitchforks as we speak.

  • Koko the gorilla (unregistered)

    EPIC fail. Some must get fired. And prosecuted. And kicked in the balls, twice.

  • Royal (unregistered)

    If ever there was a major WTF, this is it.

  • Suburban Decay (unregistered) in reply to Sean Ellis

    The names and addresses were already available through the registry. The only thing that wasn't supposed to be was the SSN.

  • q (unregistered) in reply to Sean Ellis

    moron

  • Grisen (unregistered)

    You should have helped them by doing a ALTER TABLE and removing the SSN :)

  • Grovesy (cs)

    jeez, they may as well have put their entire database onto a cd, unecryted then loose it in the post... oh wait..

    http://news.bbc.co.uk/1/hi/uk_politics/7117291.stm

  • Anonymous (unregistered)

    _<

    But seriously, this is not so tragic. That's because the government watches terrorist internet activity closely, so that any bad guy trying to pull this SQL trick is going to be intercepted by highly competent cyber-cops and will never receive the data he requested from the server. In other words, you can be assured that only the good guys are able to view your personal data and you've nothing to hide from the good guys after all.

  • Julia (cs)

    It also doesn't take a lot of imagination to try a SQL UPDATE. Like adding that guy up the road who irritates you to the sex offenders...

  • A Nonny Mouse (cs) in reply to Grovesy
    Grovesy:
    jeez, they may as well have put their entire database onto a cd, unecryted then loose it in the post... oh wait..

    http://news.bbc.co.uk/1/hi/uk_politics/7117291.stm

    heh, i was about to post up http://news.bbc.co.uk/1/hi/uk_politics/7104368.stm :)

    (don't know why i'm smiling... :-\ )

  • anon (unregistered) in reply to Anonymous
    But seriously, this is not so tragic. That's because the government watches terrorist internet activity closely, so that any bad guy trying to pull this SQL trick is going to be intercepted by highly competent cyber-cops and will never receive the data he requested from the server. In other words, you can be assured that only the good guys are able to view your personal data and you've nothing to hide from the good guys after all.
    oh god at first i thought that was a real comment
  • Sad Buckeye (unregistered) in reply to Grovesy

    That happened here in Ohio too, where our state government's "backup plan" was to send an intern home with an unencrypted tape backup. Where they were to keep it in their home "safe" and sound. One of them left it in their car, which was promptly broken into and the "odd" looking tape was stolen along with other junk from the car.

    More info from this /. http://it.slashdot.org/article.pl?sid=07/07/27/1222215

  • anon (unregistered)

    Wow, and I live in Oklahoma... thankfully I've never had a reason to be registered in such a database, but still... makes me wonder what else my great state may be doing in the realm of WTF.

  • KNY (cs)

    I just want to congratulate everyone involved with this story on bringing about a fix for the problem. If only there were more well-behaved developers pointing out (rather than exploiting) security holes, and companies being receptive to said notifications (instead of being defensive and accusatory).

    Again, well done.

  • jonny s. (unregistered) in reply to Anonymous
    Anonymous:
    But seriously, this is not so tragic. That's because the government watches terrorist internet activity closely, so that any bad guy trying to pull this SQL trick is going to be intercepted by highly competent cyber-cops and will never receive the data he requested from the server. In other words, you can be assured that only the good guys are able to view your personal data and you've nothing to hide from the good guys after all.

    Challenge: make a comment that is so obviously sarcastic it is impossible that someone in the world is the dumb enough to actually think that way. Hint: this is impossible.

    : (

  • pauldwaite (unregistered)

    Maybe Oklahoma should start an online registry of the idiot developers who put this system together, and the managers who let them.

  • Erick (cs)

    When a corporation does this, they take a huge hit in the form of lawsuits, stock drops, and lost business. When the government does it, it's a big brouhaha news story, maybe one person gets fired, and then it's back to business as usual.

  • jcoehoorn (cs)

    That's the kind of breach someone should lose a job over.

  • MadJo@Work (unregistered)

    Euhm, Alex, the blurring of the email addresses in that last picture doesn't really work, I can figure almost all of them out. Might want to use a black pen next time instead of blurring. The Social Security numbers are blurred a bit better, but still it would be better still to use a black pen in whatever photo editing program you are using,

  • anon (unregistered)

    and remember many people are in favor of having the government run healthcare. wtf indeed.

  • Craig (unregistered)

    FUCKING A W E S O M E . . .

  • dkf (unregistered) in reply to MadJo@Work
    MadJo@Work:
    Might want to use a black pen next time instead of blurring.
    Better yet, print it out, use a black pen, then take a picture of the result lying on a wooden table...
  • Grovesy (cs) in reply to anon
    anon:
    Wow, and I live in Oklahoma... thankfully I've never had a reason to be registered in such a database, but still... makes me wonder what else my great state may be doing in the realm of WTF.

    Well.. with such a gaping sql injection hole, thankfully no one registered you!...

  • J. Walter Weatherman (unregistered)

    That's nothing compared to what I leaked out of my ass this morning.

  • ptomblin (cs)

    They better hope that Little Bobby Tables never commits a crime.

  • captain obvious (unregistered) in reply to KNY
    KNY:
    I just want to congratulate everyone involved with this story on bringing about a fix for the problem. If only there were more well-behaved developers pointing out (rather than exploiting) security holes, and companies being receptive to said notifications (instead of being defensive and accusatory).

    Again, well done.

    Receptive? They failed, the first time, they took the site down only to have it come up with a failure, a band aid solution. Second time, they resorted to just taking the whole thing down. Agreed on the accusatory nature of organisations though.

    And don't think about congratulating the IT department. This is a disaster. I seriously hope those directly responsible for this are not only fired, sued and maybe even locked up or a shit load of community service. This is an utter failure in their duty of care, why the fuck would you take on a role on a project involving sensitive data if you have any idea how incompetent you are? Sad thing is they probably don't know that, and neither does management.

    captcha: feugiat (bit of an understatement don't you think)

  • ptomblin (cs) in reply to anon

    and remember many people are in favor of having the government run healthcare. wtf indeed.

    Yes, because private companies never leak data.

  • ParkinT (cs) in reply to Grisen
    Grisen:
    You should have helped them by doing a ALTER TABLE and removing the SSN :)
    And that would test their backup strategy (or lack thereof)
  • ParkinT (cs) in reply to anon
    anon:
    Wow, and I live in Oklahoma... thankfully I've never had a reason to be registered in such a database, but still... makes me wonder what else my great state may be doing in the realm of WTF.
    April 12, I added your name to the list with a properly formed URL.
  • Martin Dreier (cs) in reply to ptomblin
    ptomblin:
    They better hope that Little Bobby Tables never commits a crime.

    Sorry, but you forgot the obligatory XKCD reference ;).

  • EPE (unregistered)

    Please, do not go to "Advanced Search" at Goolge, and do not look for pages containing SELECT FROM WHERE in the URL... Please, do not do it, oh please!

  • Coditor (cs)

    I vote for an anual "WTF Award" - preferably big and pointy, to be shuved up their *.

  • MAV (unregistered)

    Good gravy... I'm dumbfounded.

    Clearly the terrorists have already won.

  • Mark G (unregistered)

    The real WTF is the poor attempt at blurring the email addresses.

  • DOA (cs)

    And you post this AFTER they took it down? Damned responsible users...

  • CGomez (unregistered)

    Very brave of you to post the exploit in the open like this. I know that your readers could have done the same thing and I also know that nothing is to be gained by shrouding your work in secrecy.

    I'm just thinking there is probably some ridiculous law that has been violated and will be used to blame you for merely showing the incompetence and failure of whomever developed the system.

    Wow. I applaud the work.

  • Frigax (unregistered)

    The real WTF is:

    and upper(zip) = '73064'
  • brian j. parker (unregistered)

    I started the story and thought "seriously now, people working for the government don't know about validating input fields for SQL injection?"... but then I get passing the query in the URL and comments describing the schema in public-readable comments. That is a pretty epic level of WTF.

  • dignissim (unregistered)

    Looks like Paula got a job working for Oklahoma!

  • dlikhten (cs)

    I'm glad you are honest and moral. Also I would have gone straight to the news to ensure that they get their asses whooped for doing something so amazingly stupid and so nasty for regular folks completely unsuspecting.

  • FredSaw (cs)

    I see Pamela Anderson works there. Wonder if she's a guard.

  • Unethical (unregistered)

    My recently-ex boyfriend got married a year ago. I found out this little fact a couple of days back. He lives in OK...

    Why, oh why, did you have to leave this article until after the security hole was closed?

  • maniek (unregistered)

    http://www.google.pl/search?q=allinurl:+select+from+and There are some interesting hits (especially a few pages further into the search results)

  • akatherder (cs) in reply to ParkinT
    ParkinT:
    Grisen:
    You should have helped them by doing a ALTER TABLE and removing the SSN :)
    And that would test their backup strategy (or lack thereof)

    Effectively leaving the data open to the public is their backup strategy. The only difficult part is getting people to admit they have it so they can do a restore.

  • ThePants999 (cs) in reply to Martin Dreier
    Martin Dreier:
    ptomblin:
    They better hope that Little Bobby Tables never commits a crime.

    Sorry, but you forgot the obligatory XKCD reference ;).

    ...because we all knew where it came from anyway!

  • ThePants999 (cs) in reply to captain obvious
    captain obvious:
    why the fuck would you take on a role on a project involving sensitive data if you have any idea how incompetent you are? Sad thing is they probably don't know that, and neither does management.
    Research shows that clever people think they're clever, average people think they're average, and dumb people think they're clever. It's a shame nobody else realised they were dumb though.
  • SomeCoder (unregistered)

    .......

    There are no words. I really hope whoever wrote that code gets Worse Than Fired...

Leave a comment on “Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data”

Log In or post as a guest

Replying to comment #:

« Return to Article