Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

  • ID 2008-04-15 08:09
    Woaw just... woaw.

    I have nothing more to say.
  • SpamBot 2008-04-15 08:12
    WTF!
  • Saaid 2008-04-15 08:17
    This is a real WTF and it's not funny.
  • Sean Ellis 2008-04-15 08:17
    The real WTF is you publishing a screenshot without anonymizing their names and addresses...

    I imagine the residents of Merland Drive, Cindy Road, Lee Avenue, and so on are gathering up their torches and pitchforks as we speak.
  • Koko the gorilla 2008-04-15 08:22
    EPIC fail.
    Some must get fired.
    And prosecuted.
    And kicked in the balls, twice.
  • Royal 2008-04-15 08:22
    If ever there was a major WTF, this is it.

  • Suburban Decay 2008-04-15 08:22
    The names and addresses were already available through the registry. The only thing that wasn't supposed to be was the SSN.
  • q 2008-04-15 08:29
    moron
  • Grisen 2008-04-15 08:30
    You should have helped them by doing an ALTER TABLE and removing the SSN :)

  • Grovesy 2008-04-15 08:32
    jeez, they may as well have put their entire database onto a cd, unencrypted, then lose it in the post... oh wait..

    http://news.bbc.co.uk/1/hi/uk_politics/7117291.stm

  • Anonymous 2008-04-15 08:32
    >_<

    But seriously, this is not so tragic. That's because the government watches terrorist internet activity closely, so that any bad guy trying to pull this SQL trick is going to be intercepted by highly competent cyber-cops and will never receive the data he requested from the server. In other words, you can be assured that only the good guys are able to view your personal data and you've nothing to hide from the good guys after all.
  • Julia 2008-04-15 08:33
    It also doesn't take a lot of imagination to try a SQL UPDATE. Like adding that guy up the road who irritates you to the sex offenders...
  • A Nonny Mouse 2008-04-15 08:35
    Grovesy:
    jeez, they may as well have put their entire database onto a cd, unencrypted, then lose it in the post... oh wait..

    http://news.bbc.co.uk/1/hi/uk_politics/7117291.stm


    heh, i was about to post up http://news.bbc.co.uk/1/hi/uk_politics/7104368.stm :)

    (don't know why i'm smiling... :-\ )
  • anon 2008-04-15 08:36
    But seriously, this is not so tragic. That's because the government watches terrorist internet activity closely, so that any bad guy trying to pull this SQL trick is going to be intercepted by highly competent cyber-cops and will never receive the data he requested from the server. In other words, you can be assured that only the good guys are able to view your personal data and you've nothing to hide from the good guys after all.

    oh god at first i thought that was a real comment
  • Sad Buckeye 2008-04-15 08:39
    That happened here in Ohio too, where our state government's "backup plan" was to send an intern home with an unencrypted tape backup. Where they were to keep it in their home "safe" and sound. One of them left it in their car, which was promptly broken into and the "odd" looking tape was stolen along with other junk from the car.

    More info from this /. http://it.slashdot.org/article.pl?sid=07/07/27/1222215
  • anon 2008-04-15 08:40
    Wow, and I live in Oklahoma... thankfully I've never had a reason to be registered in such a database, but still... makes me wonder what else my great state may be doing in the realm of WTF.
  • KNY 2008-04-15 08:52
    I just want to congratulate everyone involved with this story on bringing about a fix for the problem. If only there were more well-behaved developers pointing out (rather than exploiting) security holes, and companies being receptive to said notifications (instead of being defensive and accusatory).

    Again, well done.
  • jonny s. 2008-04-15 08:54
    Anonymous:
    But seriously, this is not so tragic. That's because the government watches terrorist internet activity closely, so that any bad guy trying to pull this SQL trick is going to be intercepted by highly competent cyber-cops and will never receive the data he requested from the server. In other words, you can be assured that only the good guys are able to view your personal data and you've nothing to hide from the good guys after all.


    Challenge: make a comment that is so obviously sarcastic it is impossible that someone in the world is the dumb enough to actually think that way.
    Hint: this is impossible.

    : (
  • pauldwaite 2008-04-15 08:57
    Maybe Oklahoma should start an online registry of the idiot developers who put this system together, and the managers who let them.
  • Erick 2008-04-15 08:59
    When a corporation does this, they take a huge hit in the form of lawsuits, stock drops, and lost business. When the government does it, it's a big brouhaha news story, maybe one person gets fired, and then it's back to business as usual.
  • jcoehoorn 2008-04-15 09:01
    That's the kind of breach someone should lose a job over.
  • MadJo@Work 2008-04-15 09:06
    Euhm, Alex, the blurring of the email addresses in that last picture doesn't really work, I can figure almost all of them out. Might want to use a black pen next time instead of blurring. The Social Security numbers are blurred a bit better, but still it would be better still to use a black pen in whatever photo editing program you are using.
  • anon 2008-04-15 09:07
    and remember many people are in favor of having the government run healthcare. wtf indeed.
  • Craig 2008-04-15 09:10
    FUCKING
    A W E S O M E . . .
  • dkf 2008-04-15 09:11
    MadJo@Work:
    Might want to use a black pen next time instead of blurring.
    Better yet, print it out, use a black pen, then take a picture of the result lying on a wooden table...
  • Grovesy 2008-04-15 09:15
    anon:
    Wow, and I live in Oklahoma... thankfully I've never had a reason to be registered in such a database, but still... makes me wonder what else my great state may be doing in the realm of WTF.


    Well.. with such a gaping sql injection hole, thankfully no one registered you!...
  • J. Walter Weatherman 2008-04-15 09:19
    That's nothing compared to what I leaked out of my ass this morning.
  • ptomblin 2008-04-15 09:21
    They better hope that Little Bobby Tables never commits a crime.
  • captain obvious 2008-04-15 09:21
    KNY:
    I just want to congratulate everyone involved with this story on bringing about a fix for the problem. If only there were more well-behaved developers pointing out (rather than exploiting) security holes, and companies being receptive to said notifications (instead of being defensive and accusatory).

    Again, well done.

    Receptive? They failed. The first time, they took the site down only to have it come back up with a failure, a band-aid solution. The second time, they resorted to just taking the whole thing down. Agreed on the accusatory nature of organisations though.

    And don't think about congratulating the IT department. This is a disaster. I seriously hope those directly responsible for this are not only fired, sued and maybe even locked up or a shit load of community service. This is an utter failure in their duty of care, why the fuck would you take on a role on a project involving sensitive data if you have any idea how incompetent you are? Sad thing is they probably don't know that, and neither does management.

    captcha: feugiat (bit of an understatement don't you think)
  • ptomblin 2008-04-15 09:23
    <i>and remember many people are in favor of having the government run healthcare. wtf indeed.</i>

    Yes, because private companies never leak data.
  • ParkinT 2008-04-15 09:23
    Grisen:
    You should have helped them by doing an ALTER TABLE and removing the SSN :)


    And that would test their backup strategy (or lack thereof)
  • ParkinT 2008-04-15 09:25
    anon:
    Wow, and I live in Oklahoma... thankfully I've never had a reason to be registered in such a database, but still... makes me wonder what else my great state may be doing in the realm of WTF.

    April 12, I added your name to the list with a properly formed URL.
  • Martin Dreier 2008-04-15 09:26
    ptomblin:
    They better hope that Little Bobby Tables never commits a crime.


    Sorry, but you forgot the obligatory XKCD reference ;).
  • EPE 2008-04-15 09:33
    Please, do not go to "Advanced Search" at Google, and do not look for pages containing SELECT FROM WHERE in the URL... Please, do not do it, oh please!
  • Coditor 2008-04-15 09:39
    I vote for an annual "WTF Award" - preferably big and pointy, to be shoved up their *.
  • MAV 2008-04-15 09:39
    Good gravy... I'm dumbfounded.

    Clearly the terrorists have already won.
  • Mark G 2008-04-15 09:41
    The real WTF is the poor attempt at blurring the email addresses.
  • DOA 2008-04-15 09:43
    And you post this AFTER they took it down? Damned responsible users...
  • CGomez 2008-04-15 09:43
    Very brave of you to post the exploit in the open like this. I know that your readers could have done the same thing and I also know that nothing is to be gained by shrouding your work in secrecy.

    I'm just thinking there is probably some ridiculous law that has been violated and will be used to blame you for merely showing the incompetence and failure of whomever developed the system.

    Wow. I applaud the work.
  • Frigax 2008-04-15 09:55
    The real WTF is:

    and upper(zip) = '73064'
  • brian j. parker 2008-04-15 09:58
    I started the story and thought "seriously now, people working for the government don't know about validating input fields for SQL injection?"... but then I get to passing the query in the URL and comments describing the schema in publicly readable comments. That is a pretty epic level of WTF.
  • dignissim 2008-04-15 10:01
    Looks like Paula got a job working for Oklahoma!
  • dlikhten 2008-04-15 10:10
    I'm glad you are honest and moral. Also I would have gone straight to the news to ensure that they get their asses whooped for doing something so amazingly stupid and so nasty for regular folks completely unsuspecting.
  • FredSaw 2008-04-15 10:17
    I see Pamela Anderson works there. Wonder if she's a guard.
  • Unethical 2008-04-15 10:23
    My recently-ex boyfriend got married a year ago. I found out this little fact a couple of days back. He lives in OK...

    Why, oh why, did you have to leave this article until after the security hole was closed?
  • maniek 2008-04-15 10:33
    http://www.google.pl/search?q=allinurl:+select+from+and
    There are some interesting hits (especially a few pages further into the search results)
  • akatherder 2008-04-15 10:33
    ParkinT:
    Grisen:
    You should have helped them by doing a ALTER TABLE and removing the SSN :)


    And that would test their backup strategy (or lack thereof)


    Effectively leaving the data open to the public is their backup strategy. The only difficult part is getting people to admit they have it so they can do a restore.
  • ThePants999 2008-04-15 10:36
    Martin Dreier:
    ptomblin:
    They better hope that Little Bobby Tables never commits a crime.


    Sorry, but you forgot the obligatory XKCD reference ;).

    ...because we all knew where it came from anyway!
  • ThePants999 2008-04-15 10:37
    captain obvious:
    why the fuck would you take on a role on a project involving sensitive data if you have any idea how incompetent you are? Sad thing is they probably don't know that, and neither does management.

    Research shows that clever people think they're clever, average people think they're average, and dumb people think they're clever. It's a shame nobody else realised they were dumb though.
  • SomeCoder 2008-04-15 10:40
    .......

    There are no words. I really hope whoever wrote that code gets Worse Than Fired...
  • Jordan 2008-04-15 10:52
    Guys, guys, you're all missing the point! These are evil *SEX OFFENDERS*! They commit crimes ranging from rape to the equally heinous crimes of being a 17 year old getting a hummer from their 16 year old girlfriend, to public urination!

    They all DESERVE to have their identities stolen. PUBLIC URINATORS NEED TO BE PUNISHED, FOREVER!!!!
  • vt_mruhlin 2008-04-15 10:56
    KNY:
    I just want to congratulate everyone involved with this story on bringing about a fix for the problem. If only there were more well-behaved developers pointing out (rather than exploiting) security holes, and companies being receptive to said notifications (instead of being defensive and accusatory).

    Again, well done.


    Yes, it's definitely a good thing in this case. Even if there were further failures to fix the site, I would have advocated a vigilante removal of all social security numbers from the database, though that would most certainly land you in jail.

    Really, there need to be criminal negligence laws established for foolish programmers like this. If you hire an engineer who doesn't know what he's doing and the bridge collapses, you're in a world of hurt. Insecure applications should work the same way.
  • DeLos 2008-04-15 10:59
    MadJo@Work:
    Euhm, Alex, the blurring of the email addresses in that last picture doesn't really work, I can figure almost all of them out. Might want to use a black pen next time instead of blurring. The Social Security numbers are blurred a bit better, but still it would be better still to use a black pen in whatever photo editing program you are using,


    This is definitely subpar blurring. Even without trying I can see that yahoo.com address. Didn't we already cover the anonymising issue? You are punishing other people for a software guy's mistake. Not real fair.
  • knarf 2008-04-15 11:01
    The real WTF is that they have a column called "Race".
  • Todd 2008-04-15 11:04
    Some of those images, especially the last one, aren't blurred enough. I can clearly read many of those email addresses.
  • micksam7 2008-04-15 11:06
    The Daily WTF about to get slashdotted.

    Article was put up on slashdot, brace for impact. :p

    Wow at this. And dude, you need to BLACK OUT the ssns on the images. Really.
  • webrunner 2008-04-15 11:08
    So normally, when we could actually use the name of the company and stuff in order to avoid them for our own safety, they're anonymized to the point of the story itself suffering.

    But here, you're willing to give random people's full names and barely-blurred email addresses.
  • luke 2008-04-15 11:11
    maniek:
    http://www.google.pl/search?q=allinurl:+select+from+and
    There are some interesting hits (especially a few pages further into the search results)


    Perhaps even more interesting:
    http://www.google.com/search?hl=en&q=allinurl%3AsqlString+select

    And those are just the geniuses that named the variable sqlString...

    I believe we're observing a paradigm shift from "Haha, WTF" to "WTF!!!"
  • moola 2008-04-15 11:11
  • maniek 2008-04-15 11:16
  • Herr Killjoy 2008-04-15 11:18
    TRWTF is how you anonymized some of the email addresses.

    I wonder who "jaa262@ya#######" could be. Or "rfm0527@ya#######"
  • Alan 2008-04-15 11:20
    ThePants999:
    Martin Dreier:
    ptomblin:
    They better hope that Little Bobby Tables never commits a crime.


    Sorry, but you forgot the obligatory XKCD reference ;).

    ...because we all knew where it came from anyway!

    I have that one on the wall next to me.
  • DeLos 2008-04-15 11:21
    slashdot is going to ruin these comments ...
  • J 2008-04-15 11:31
    And you should know better not to blur sensitive data but cut out...
  • elias 2008-04-15 11:42
    EPE:
    Please, do not go to "Advanced Search" at Goolge, and do not look for pages containing SELECT FROM WHERE in the URL... Please, do not do it, oh please!

    Thanks. I pressed your "Do Not Press" button, and now my faith in humanity is at an all-time low.
  • Eam 2008-04-15 11:44
    I guess someone skipped Common Sense 102?

    Don't blur text you want to anonymize. Period.

    There's no "subpar" blurring going on here as other posters have suggested. There are only two types of blurred text: one where the original text is completely and accurately recoverable, and one where it's not. All we have here is the former.

    One needs to keep in mind that obscuring text is not the same as obscuring facial details. Assuming all numbers and letters are used in a string, there are only 36 different characters, each with its own distinct blur pattern. All one needs to do is approximate the original font and the blur settings Alex used and do some trivial matching.

    Come on, this should be obvious.
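    The matching Eam describes, as an added example that is not part of the original thread or Alex's own tooling: a constructed 3x5 bitmap "font" for the digits 0-9 stands in for the real typeface, and a 3x3 box blur (integer neighbourhood sums over a zero-padded glyph) stands in for the image editor's blur filter. Because the blur is a fixed, deterministic function, blurring every candidate glyph with the same settings and picking the one closest to the blurred unknown recovers the text exactly. The glyph shapes, blur radius and the sample value are all assumptions made for the demo.

```python
# Added example (not from the page): blurred text recovered by template matching.
# GLYPHS is a constructed 3x5 bitmap font; box_blur stands in for the editor's
# blur filter. Recovery works because the blur is deterministic: blur each
# candidate the same way and pick the closest match.

GLYPHS = {
    "0": ["111", "101", "101", "101", "111"],
    "1": ["010", "110", "010", "010", "111"],
    "2": ["111", "001", "111", "100", "111"],
    "3": ["111", "001", "111", "001", "111"],
    "4": ["101", "101", "111", "001", "001"],
    "5": ["111", "100", "111", "001", "111"],
    "6": ["111", "100", "111", "101", "111"],
    "7": ["111", "001", "001", "001", "001"],
    "8": ["111", "101", "111", "101", "111"],
    "9": ["111", "101", "111", "001", "111"],
}


def glyph_bitmap(ch):
    """Return the glyph as a list of rows of 0/1 ints."""
    return [[int(c) for c in row] for row in GLYPHS[ch]]


def box_blur(img):
    """3x3 box blur over a zero-padded image: each output pixel is the sum of
    its 3x3 neighbourhood. Output is (h+2) x (w+2). Kept as integer sums so
    the comparison below is exact."""
    h, w = len(img), len(img[0])

    def px(r, c):
        return img[r][c] if 0 <= r < h and 0 <= c < w else 0

    out = []
    for r in range(-1, h + 1):
        row = []
        for c in range(-1, w + 1):
            row.append(sum(px(r + dr, c + dc)
                           for dr in (-1, 0, 1) for dc in (-1, 0, 1)))
        out.append(row)
    return out


def sq_distance(a, b):
    """Sum of squared pixel differences between two same-sized images."""
    return sum((x - y) ** 2 for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def recover_char(blurred):
    """Nearest-template match: blur every candidate with the same settings and
    return the one whose blurred form is closest to the unknown."""
    return min(GLYPHS,
               key=lambda ch: sq_distance(blurred, box_blur(glyph_bitmap(ch))))


def blur_string(text):
    """Simulate the editor: blur each character of the text independently."""
    return [box_blur(glyph_bitmap(ch)) for ch in text]


def recover_string(blurred_glyphs):
    """Recover a whole string from its per-character blurred glyphs."""
    return "".join(recover_char(b) for b in blurred_glyphs)


if __name__ == "__main__":
    fake_ssn = "123456789"   # constructed value, not real data
    print(recover_string(blur_string(fake_ssn)))
```

    With a real screenshot the work is in the guessing (render candidates in the approximated font, at the same size, with the approximated blur radius) rather than in the matching, but the matching step is exactly this. Black boxes do not have this property: every character under the box produces the same output, so there is nothing to match against.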
  • You 2008-04-15 11:51
    This one looks nice too...

    Alcoholic Beverage Regulation Administration, Suspended and Revoked Licenses

    http://app.abra.dc.gov/services/suspended_licenses.asp?p=3&ps=&q=SELECT+S.business_id+AS+id%2C+S.id+AS+sus_id%2C+S.comment+AS+comment%2C+B.applicant_name%2C+B.trade_name%2C+B.bus_address_f_no%2C+B.bus_street%2C+B.bus_quad%2C+S.effective_date%2C+S.effective_end_date+FROM+abra_rw.tblLicense_hold+AS+B%2C+abra_rw.suspended_licenses+AS+S+WHERE+B.id+%3D+S.business_id+AND+applicant_name+LIKE+%27%25%25%27+ORDER+by+B.applicant_name%3B
  • tezoatlipoca 2008-04-15 12:16
    oh no! The Daily WTF front page on Slashdot and no BustedTees ad? How are we going to generate enough click-throughs to get Irish Girl back?
    oh the humanity!
  • Tyler 2008-04-15 12:16
    The real WTF is when you get v& over this
  • DAMN 2008-04-15 12:22
    Real WTF:
    http://dheera.net/projects/blur.php
  • Rob Speed 2008-04-15 12:23
    Sean Ellis:
    The real WTF is you publishing a screenshot without anonymizing their names and addresses...

    I imagine the residents of Merland Drive, Cindy Road, Lee Avenue, and so on are gathering up their torches and pitchforks as we speak.


    You're the real WTF.
  • Ben 2008-04-15 12:29
    I didn't.
  • Huh 2008-04-15 12:30
    I wonder if the programmer has been terminated given the lack of technological knowledge in upper divisionary levels of government (and elsewhere). Seems "George" didn't really think too much of it - more of a, "Hey there Tad, got some email you might wanna look at." According to the first fix this is exactly what happened. This story going to go to major media outlets?
  • Former Jr. Programmer 2008-04-15 12:37
    Wow.

    WOW.

    That's not even SQL Injection. That's just piss-poor programming.

    BTW, /. picked it up! Now for the AP.
  • Craig 2008-04-15 12:38
    I am simply stunned ..stunned that Oklahoma has the audacity to have a county called 'Canadian'. I think this is all an attempt to make Canadians look like a country full of sexual offenders ;)
  • Anon Sam 2008-04-15 12:40

    http://app.abra.dc.gov/services/suspended_licenses.asp?p=1&ps=&q=SELECT S.business_id AS id, S.id AS sus_id, S.comment AS comment, B.applicant_name, B.trade_name, B.bus_address_f_no, B.bus_street, B.bus_quad, S.effective_date, S.effective_end_date FROM abra_rw.tblLicense_hold AS B, abra_rw.suspended_licenses AS S WHERE B.id = S.business_id AND applicant_name LIKE '%%' ORDER by B.applicant_name;


    There, that's a lot easier to edit.
  • Brock 2008-04-15 12:41
    I can't believe how many wide-open phpMyAdmin installs there are!

    Oh wait, maybe I can.
  • KG 2008-04-15 12:42
    luke:
    maniek:
    http://www.google.pl/search?q=allinurl:+select+from+and
    There are some interesting hits (especially a few pages further into the search results)


    Perhaps even more interesting:
    http://www.google.com/search?hl=en&q=allinurl%3AsqlString+select

    And those are just the geniuses that named the variable sqlString...

    I believe we're observing a paradigm shift from "Haha, WTF" to "WTF!!!"



    OMG!!!!!
    I would never have thought of that. I would never have assumed people could be so stupid! I've been a frequent visitor of this site for months now (discovered it when it was named "worse than failure" - stupid name to be sure), but this... this is a new low.
  • Former Jr. Programmer 2008-04-15 12:45
    OK.

    Called the Oklahoma AP wire and they were VERY interested. :)

    You better get your server ready for some hits.
  • Bob N Freely 2008-04-15 12:48
    Jordan:
    Guys, guys, you're all missing the point! These are evil *SEX OFFENDERS*! They commit crimes ranging from rape to the equally heinous crimes of being a 17 year old getting a hummer from their 16 year old girlfriend, to public urination!

    They all DESERVE to have their identities stolen. PUBLIC URINATORS NEED TO BE PUNISHED, FOREVER!!!!


    While I know that was meant to be sarcastic, I think it's worth pointing out that only the original query limited the results to people on the sex offenders registry. Switching things up a bit allowed access to the ENTIRE DOC database system, including (I'm assuming) records of anyone who had been previously incarcerated for any crime, as well as employees of the DOC (see the last screen shot with employee logins and email addresses).
  • kzoo 2008-04-15 12:50
    Why don't you take down those screen shots. It would take me all of about two minutes to unfuzz the social security numbers you have posted. Why are you doing just as bad a job as the people that you are complaining about?
  • RandomGuy 2008-04-15 12:54
    and counting ...
  • genelisp 2008-04-15 12:56
    Maybe the same 'developers' wrote this page too:

    http://megis.maine.gov/metaweb/results.asp?whichpage=2&pagesize=5&sqlQuery=SELECT+CI.TITLE%2CID.Abstract%2CID_Web_Publish.WebPublish+FROM+CI%2CID%2CID_Web_Publish++WHERE+CI.Citation_ID+%3D+ID.Citation_ID++AND+ID.Dataset_ID+%3D+ID_Web_Publish.Dataset_ID++AND+NOT+ID_Web_Publish.WebPublish+%3D+0+AND+NOT+ID.Dataset_Type+%3D+2++AND+(++EXISTS+(SELECT+ID.Dataset_ID%2C+ID_Thesaurus_Keyword.Keyword_Name++FROM+ID_Thesaurus%2C+ID_Thesaurus_Keyword++WHERE+ID.Dataset_ID+%3D+ID_Thesaurus.Dataset_ID+AND+ID_Thesaurus.Thesaurus_ID+%3D+ID_Thesaurus_Keyword.Thesaurus_ID+AND+UPPER(ID_Thesaurus_Keyword.Keyword_Name)+LIKE+'%25HEALTH%25')+)+ORDER+BY+CI.Title
  • Mike 2008-04-15 12:59
    Search for google "select from where" is for wimps. Real h4k0rz search for "delete from where" ...
  • Former Jr. Programmer 2008-04-15 13:01
    Black-box the social security numbers and CHANGE THE NAME OF THE IMAGE REFERENCE to defeat caching.

    Here.

    Don't use these as permanent links. Bring them down, then replace. Rename the image reference in the anchor tag.

    http://img518.imageshack.us/img518/702/ok2hn1.gif

    http://img293.imageshack.us/img293/513/ok1pw3.gif
  • mG 2008-04-15 13:05
    anon:
    Wow, and I live in Oklahoma... thankfully I've never had a reason to be registered in such a database...



    That doesn't mean that you aren't in such a database...
  • Moonrock 2008-04-15 13:08
    I stumbled across something like this when researching one of the oodles of microsoft "dbconnect string" keywords once. Google found > 250,000 websites that contained 'password' and 'uid' strings for logging into SQL server and access databases. I went to one, curious if it was what it appeared to be...sure enuf, it was similar to this, but exposed *all* data on county employees for a county in Ohio. I considered sending an email, thought: They're obviously outstandingly ignorant of website security; They're going to be surprised to find out someone KNOWS their password; They're going to take SOME kind of action; Gov'ts often take action by destroying people's lives. I closed the browser window, and went on my way. That county's data may still be exposed, for all I know.
  • Xaox 2008-04-15 13:12
    I think somebody may have already been messing with their data:



    Unless there is some state named Chihuahua...

    Check it out here:

    http://docapp8.doc.state.ok.us/servlet/page?_pageid=426&_dad=portal30&_schema=PORTAL30&id=regid
  • x 2008-04-15 13:18
    Xaox:

    Unless there is some state named Chihuahua...
    .doc.state.ok.us/servlet/page?_pageid=426&_dad=portal30&_schema=PORTAL30&id=regid

    Yes, genius, and it is in Mexico.
  • Michael Day 2008-04-15 13:22
    Amen to that. WTF? By the way, blurring the image doesn't help either. This is easily overcome with run-of-the-mill sharpening filters one can learn in Digital Image Processing 101.
  • anon 2008-04-15 13:23
    You should give yourself a WTF award. How stupid could you possibly be posting the screen shots with the poorly obscured data. They were just presenting the data out of lack of good programming experience. You are posting data that you know shouldn't be posted, and doing next to nothing to prevent it from being stolen again.
  • Anon Sam 2008-04-15 13:23
    Using GET requests to run side-effects is super-awesome.

    It means all you have to do is publish this on some blog:

    <img src="http://app.abra.dc.gov/services/suspended_licenses.asp?p=1&ps=&q=DELETED+FRO+abra%5Frw%2EtblLicense%5Fhold">

    and, poof! Sayonara!

    (That URL won't exactly work, but inspection should tell you how to change it.)
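    The pattern brian j. parker, Julia and Anon Sam are describing (the SQL statement itself arriving in the query string, so a visitor can change the column list, drop the WHERE clause, or send an UPDATE or DELETE via a plain GET, even from an img tag on another page), as an added example that is not the Oklahoma DOC's code and not from the original thread. A toy handler runs whatever arrives in q=, beside a hardened handler that accepts only a zip code, validates it and binds it as a parameter. The table, columns, rows and the parameter names q and zip are constructed for the demo; sqlite3 stands in for the real database.

```python
# Added example (not the page's code): the "query string carries the SQL"
# pattern the thread describes, beside a parameterized handler. All names,
# rows and parameter names here are constructed for the demo.
import re
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """In-memory table with constructed rows (no real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE offender (name TEXT, zip TEXT, ssn TEXT)")
    db.executemany("INSERT INTO offender VALUES (?, ?, ?)", [
        ("A. Example", "73064", "000-00-0001"),
        ("B. Example", "73064", "000-00-0002"),
        ("C. Example", "74101", "000-00-0003"),
    ])
    return db


# The statement the link ships with; the page's only "default" query.
ORIGINAL_Q = "SELECT name, zip FROM offender WHERE upper(zip) = '73064'"


def vulnerable_search(db, query_string):
    """Executes whatever statement arrives in q=. Nothing limits the columns,
    the WHERE clause, or even the statement type: a GET can mutate data."""
    q = parse_qs(query_string).get("q", [ORIGINAL_Q])[0]
    cur = db.execute(q)          # the vulnerability: user text is the SQL
    return cur.fetchall()


ZIP_RE = re.compile(r"^\d{5}$")


def safe_search(db, query_string):
    """The SQL text and its column list are fixed in code. The only input is a
    zip code, which is validated and then bound as a parameter; q= is ignored.
    Raises ValueError on anything that is not exactly five digits."""
    zip_code = parse_qs(query_string).get("zip", [""])[0]
    if not ZIP_RE.match(zip_code):
        raise ValueError("zip must be exactly five digits")
    cur = db.execute(
        "SELECT name, zip FROM offender WHERE zip = ? ORDER BY name",
        (zip_code,),
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    # Visitor edits the column list: SSNs for the whole table.
    print(vulnerable_search(db, "q=SELECT+name%2C+ssn+FROM+offender"))
    # Same request against the hardened handler: q= is simply not a parameter.
    print(safe_search(db, "zip=73064&q=SELECT+ssn+FROM+offender"))
    # A GET with side-effects: an <img src=...> on any page could send this.
    vulnerable_search(db, "q=DELETE+FROM+offender")
    print(vulnerable_search(db, "q=SELECT+*+FROM+offender"))   # []
```

    The fix is not escaping the q parameter: there is no safe way to accept a statement from the client. The hardened handler moves the statement into code, exposes only the one value the search needs, and keeps the column list (no ssn) out of the visitor's hands entirely. Rejecting side-effects on GET is a separate concern, but here it falls out of the same change, since the only statement the handler can run is a SELECT.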

  • 5|i(3_x 2008-04-15 13:27
    ptomblin:
    <i>and remember many people are in favor of having the government run healthcare. wtf indeed.</i>

    Yes, because private companies never leak data.


    A private company that engages in negligence this gross isn't likely to be in business very long. More importantly, if a private company fails in this or any other way, you are not compelled to continue to do business with them.
  • Dvnt 2008-04-15 13:31
    Jordan:
    Guys, guys, you're all missing the point! These are evil *SEX OFFENDERS*! They commit crimes ranging from rape to the equally heinous crimes of being a 17 year old getting a hummer from their 16 year old girlfriend, to public urination!

    They all DESERVE to have their identities stolen. PUBLIC URINATORS NEED TO BE PUNISHED, FOREVER!!!!


    You know, you jest, but that's how most people would probably react. Also, the ignorant will likely say, "So what? Who'd want to steal the identity of a sex offender?"

    Of course, if you stop and think about it, they're one of the best possible targets for identity theft. If they're in prison, it's going to be a long time coming before they get word that credit cards have been taken in their name, and if they're not, convicted felons are probably least likely to run to the police for help and even less likely to be helped. Many people will think they 'deserve it' and it's God's vengeance upon them. They'll be unlikely to receive a lot of sympathy.

    Not to mention the strong possibility that someone buying stuff using their stolen identity needs only purchase items that would cause them parole violations and who are the cops going to believe? Convicted pedophile saying his identity was stolen or a credit card company who says Johnny Pervo bought a bunch of toys, children's clothing, and a box of condoms?

  • Xaox 2008-04-15 13:33
    x:
    Yes, genius, and it is in Mexico.


    Never mind. Seeing that and "Distro Federal (Me" with some county names and I thought that they were pulling the state list from the database. It doesn't help that searching for people based on those states returns the entire list. Then again a little more testing reveals that it does not matter what state I pick, the entire list is still retrieved.

    At this point a broken search is the least of their problems.
  • Anon Sam 2008-04-15 13:35
    Dvnt:
    and who are the cops going to believe? Convicted pedophile saying his identity was stolen or a credit card company who says Johnny Pervo bought a bunch of toys, children's clothing, and a box of condoms?

    10 Points to whomever can craft a CSRF attack that will make this purchase come directly from the pedo's computer.
  • Adam DiCarlo 2008-04-15 13:36
    Dude, Alex, like everyone else has said:

    You need to blacken out the "blurred" parts.

    Blurring can be undone, homeskillet!

    Excellent article, though.
  • Dorkquemada 2008-04-15 13:36
    This is the sound of job security
  • Mark 2008-04-15 13:37
    Guess what, it's still vulnerable to SQL injection. Try putting in apostrophes into the search field.
  • Slashdot hater, but Slashdot READER 2008-04-15 13:41
    DUDE!!!!

    YOU MADE THE FRONT PAGE OF SLASHDOT! I don't know if that's GOOD or not, but hey, pub is awesome, no?

    http://it.slashdot.org/article.pl?no_d2=1&sid=08/04/15/1414223

    By the way, I HATE Slashdot and most of the zealots that post there, however, I still feel the need to read that piece of garbage if only to see the lies being told by the OSS community.

    Take care, Alex.

    By the way, I live in the Cleveland area too. This weather BLOWS!
  • Bert 2008-04-15 13:48
    ThePants999:

    Research shows that clever people think they're clever, average people think they're average, and dumb people think they're clever. It's a shame nobody else realised they were dumb though.


    I thought it went more like:
    Clever people know that they don't know it all,
    Average people know what they know,
    Dumb people THINK they know it all.

    See
    http://www.apa.org/journals/features/psp7761121.pdf
    Figure 4.

    Saw this posted before at WTF. It should be required reading for the entire world.
  • Alex Papadimoulis 2008-04-15 13:49
    MadJo@Work:
    Euhm, Alex, the blurring of the email addresses in that last picture doesn't really work, I can figure almost all of them out. Might want to use a black pen next time instead of blurring. The Social Security numbers are blurred a bit better, but still it would be better still to use a black pen in whatever photo editing program you are using,


    I'd be very impressed if someone managed to unblur the numbers from the first image. Of course, they'd just learn that not all obscured things have useful data behind them (such as that pdf from Not Too Particular), but I bet it'd be a fun exercise.

    And yes, I suppose I could have blurred the emails a bit better. Then again, just about all of them are in the DOC's office directory or the various sheriff departments' contact pages. I guess I'll go blur those y#######om addresses... because, you know, random y#######om addresses are so hard to find, and there's so much damage one can do knowing one.
  • Steve 2008-04-15 13:49

    Whoever wrote that code should find his/her own name added to the list... right after the new developers and administrators implement really tight security so that the people whose names are on the list cannot modify the list.
  • DeLos 2008-04-15 14:02
    Alex Papadimoulis:
    MadJo@Work:
    Euhm, Alex, the blurring of the email addresses in that last picture doesn't really work,


    I'd be very impressed if someone managed to unblur the numbers from the first image.
    And yes, I suppose I could have blurred the emails a bit better.


    Oh sure you pick out YOUR comment to be featured!!
  • StickyWidget 2008-04-15 14:04
    In case you too wish to press the "Do Not Press" button, here's a fun search!!

    inurl:select inurl:from inurl:where

    Remember, Do Not Press....

    ~Sticky
  • Dazed 2008-04-15 14:10
    anon:
    Wow, and I live in Oklahoma... makes me wonder what else my great state may be doing in the realm of WTF.


    Well, I suggest you pass that question on to a few of your local papers, along with the URL of this article and a brief explanation for the benefit of journalists who have never heard of SQL.
  • AC 2008-04-15 14:13
    Alex Papadimoulis:

    I'd be very impressed if someone managed to unblur the numbers from the first image. Of course, they'd just learn that not all obscured things have useful data behind them (such as that pdf from Not Too Particular), but I bet it'd be a fun exercise.

    And yes, I suppose I could have blurred the emails a bit better. Then again, just about all of them are in the DOC's office directory or the various sheriff departments' contact pages. I guess I'll go blur those y#######om addresses... because, you know, random y#######om addresses are so hard to find, and there's so much damage one can do knowing one.


    Even if you're right and you know it, you could have avoided all the hassle by blacking them anyway.
    Spare yourself the flames next time. :)
  • me 2008-04-15 14:15
    DeLos:
    Alex Papadimoulis:


    Oh sure you pick out YOUR comment to be featured!!


    It's his site and his article, so why not?
  • Chahk 2008-04-15 14:24
    The author should have tried an SQL injection attack before letting them in on the secret. "; truncate table registration_offender_xref" at the end would've done the trick.
  • Pecos Bill 2008-04-15 14:27
    x:
    Xaox:

    Unless there is some state named Chihuahua...
    .doc.state.ok.us/servlet/page?_pageid=426&_dad=portal30&_schema=PORTAL30&id=regid

    Yes, genius, and it is in Mexico.


    Estados Unidos Mexicanos aka The Mexican United States, officially speaking that is. What I want to know is what they have against Australian states???!!?
  • Prave Konqueror 2008-04-15 14:38
    Oh how I wish I could again see full articles on the front page in Konqueror... It defaults to summaries and pressing the full articles link does... nothing.
  • Freddy Bob 2008-04-15 14:43
    Alex Papadimoulis:
    MadJo@Work:

    I'd be very impressed if someone managed to unblur the numbers from the first image.

    In ur text, unblurring ur eyes.
    http://dheera.net/projects/blur.php
  • xtremezone 2008-04-15 14:44
    That's very scary... People should be fired and perhaps prosecuted (not just the developers at fault, but the guys that hired the developers at fault and maybe the guys that hired the guys that hired the developers at fault). This kind of thing needs to be made an example of and it really doesn't matter how much it costs to fix.
  • tp_jacques 2008-04-15 14:46
    I'd bet dollars to donuts that this was done by a consultant.....tax dollars hard at work my friends. From what I've seen most state agencies don't have the resources to write their own software.
  • Irish she was drunk 2008-04-15 14:58
    tezoatlipoca:
    oh no! The Daily WTF front page on Slashdot and no BustedTees ad? How are we going to generate enough click-throughs to get Irish Girl back?
    oh the humanity!


    there's a bunch of pics of her on the busted tees site.
  • Walleye 2008-04-15 14:58
    tp_jacques:
    I'd bet dollars to donuts that this was done by a consultant.....tax dollars hard at work my friends. From what i've seen most state agencies don't have the resources to write their own software.


    ...so they award it to the lowest bidder.
  • Kuba 2008-04-15 15:03
    ptomblin:
    They better hope that Little Bobby Tables never commits a crime.


    I just fell off my chair...
  • Linus 2008-04-15 15:04
    I find the rest of the "removed" so website quite comical as well, it's a nice touch how they've kept the http://docapp8.doc.state.ok.us/servlet/IsItWorking/ page on the server.
  • Blue 2008-04-15 15:05
    Exceptionally detailed post. Great job getting them to (finally) take things offline to be fixed.
  • Mark Wilden 2008-04-15 15:08
    And how does it preserve privacy to blur SSNs (which are meaningless to most of us) but display names and addresses?

    ///ark
  • anon 2008-04-15 15:09
    Most people on the list will have been born in Oklahoma so the first three digits of their SSN will start with 440-448. Narrows it down quite a bit.
  • Hannes 2008-04-15 15:11
    I tried and got:

    No elephant with the name -1 UNION ALL SELECT * FROM users WHERE 1=1/* in the database. !


    :((
  • Justice 2008-04-15 15:17
    5|i(3_x:
    ptomblin:
    and remember many people are in favor of having the government run healthcare. wtf indeed.

    Yes, because private companies never leak data.


    A private company that engages in negligence this gross isn't likely to be in business very long. More importantly, if a private company fails in this or any other way, you are not compelled to continue to do business with them.


    Right! After all, if your health insurance company leaks your personal data, you're under no obligation to continue with them. So what if your employer only provides benefits through one company and you can't afford outside insurance?

    And hey, it's not like you have to stick with your local electric company or the water authority. It's not like those are monopolies in any form.

    Like they say, the private sector does it better!
  • Schnapple 2008-04-15 15:21
    tezoatlipoca:
    oh no! The Daily WTF front page on Slashdot and no BustedTees ad? How are we going to generate enough click-throughs to get Irish Girl back?
    oh the humanity!


    Don't sweat it, all Slashdot users have AdBlock Plus installed so they'd never see the ad anyway.
  • Disgruntled DBA 2008-04-15 15:21

    We apologise for the fault in the website. Those responsible have been sacked.


    We apologise again for the fault in the website. Those responsible for sacking the people who have just been sacked have been sacked.


    The directors of the firm hired to continue the website development after the other people had been sacked, wish it to be known that they have just been sacked. The website has been completed in an entirely different style at great expense and at the last minute.
  • sidecarsally.com 2008-04-15 15:36
    Wow.

    I would've loved to go on that website and add myself. For some reason, I get really turned on by people thinking that I like to put my hand up little children.

    Even though I don't.

    Sidecarsally.com - GO GO GO!
  • Pope 2008-04-15 15:41
    Hannes:
    I tried and got:

    No elephant with the name -1 UNION ALL SELECT * FROM users WHERE 1=1/* in the database. !


    :((


    Some don't like plural nouns for table names. Just a thought.
  • cavemanf16 2008-04-15 15:49
    anon:
    and remember many people are in favor of having the government run healthcare. wtf indeed.


    ding ding ding! We have a winner!

    One of my #1 reasons to be scared if Hillary or Obama gets elected.
  • Ruudjah 2008-04-15 15:49
    Another big WTF is that the information displayed on the image is STILL recoverable BY UNDO SMUDGING ALGORITHMS. These have been successfully used in a German child porn case. And yes, these algorithms are available in the darker corners of the internet. So WTF TDWTF, please whiten these smudged SSNs out.
  • savar 2008-04-15 15:52
    Disgruntled DBA:

    We apologise for the fault in the website. Those responsible have been sacked.


    We apologise again for the fault in the website. Those responsible for sacking the people who have just been sacked have been sacked.


    The directors of the firm hired to continue the website development after the other people had been sacked, wish it to be known that they have just been sacked. The website has been completed in an entirely different style at great expense and at the last minute.


    Hahaha... one of the rare comments here that is actually funny.
  • Zathrus 2008-04-15 15:58
    And how does it preserve privacy to blur SSNs (which are meaningless to most of us) but display names and addresses?


    For those who still haven't gotten it -- the names and addresses are public information that's supposed to be provided by the sex offenders' list anyway.

    I do hope this gets picked up by the news wires, although I suspect most of 'em will go "eh, it's just sex offenders anyway", not realizing that it's also every inmate and employee in the OK DOC, and that the database integrity may be compromised to the point that the entire thing has to be rebuilt from court records, as the current data is untrustable.
  • KattMan 2008-04-15 16:01
    Hannes:
    I tried and got:

    No elephant with the name -1 UNION ALL SELECT * FROM users WHERE 1=1/* in the database. !


    :((


    Because you are doing it wrong. Remember, they put a quote in there to contain the name so it should have been thus:
    -1' UNION ALL SELECT * FROM users WHERE 1=1/*
  • Derek 2008-04-15 16:08
    Whether it happens in private or public sector, low-level heads roll. But high level screw ups, like Bear-Stearns CEOs, or Bush Administration higher-ups, can screw up 1,000 times and they keep their high paying jobs.
  • Chris Eldredge 2008-04-15 16:09
    I blame Pamela Anderson (see last screen cap). This should be proof that actors are not good programmers.
  • Schnapple 2008-04-15 16:15
    cavemanf16:
    anon:
    and remember many people are in favor of having the government run healthcare. wtf indeed.


    ding ding ding! We have a winner!

    One of my #1 reasons to be scared if Hillary or Obama gets elected.


    Federal Government != State Government. The Federal government delivers all the mail with few problems and collects all the taxes with even fewer. State governments can't pave fucking roads. Besides, several other countries run socialized medicine just fine.

    But nice try Mr. McCain.
  • duder 2008-04-15 16:20
    Oh man, if this database is used for proof-of-registration purposes, then any cases of offenders not registering would have to be thrown out....
  • lolwtf 2008-04-15 16:22
    My faith in humanity is a 64-bit signed integer and it just underflowed.
  • me 2008-04-15 16:28
    My faith in humanity is a 64-bit signed integer and it just underflowed.
    You must have a hell of a lot of faith in humanity.
  • Mark 2008-04-15 16:33
    whee:

    http://docapp8.doc.state.ok.us/servlet/page?_pageid=428&_dad=portal30&_schema=PORTAL30&SearchMode=Basic&undefined=Basic&SearchBy=Basic&undefined=ALL&SearchAW=ALL&SearchOpt=ALL&regid=-1'%20UNION%20ALL%20SELECT%20*%20FROM%20users%20WHERE%201=1/*
  • Pope 2008-04-15 16:35
    Through an experiment on my test server I just realized that this:

    SELECT DISTINCT InfoS.TABLE_CATALOG as column1, InfoS.TABLE_NAME as column2, InfoS.COLUMN_NAME as column3, InfoS.COLUMN_NAME as column4, InfoS.COLUMN_NAME as column5
    FROM table1, table2, (Select TABLE_CATALOG, TABLE_NAME, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS) InfoS

    is perfectly legal. In the SQL sense of course.

    Could changing the rights of the web user limit this ability? Obviously you would want to sanitize your SQL statements in the first place... but... Well, there is no but. What is the opposite of GRANT on SQL? DENY or REVOKE, right? :)
  • Ben Roesngart 2008-04-15 16:40
    Unblurring is not difficult. The trick is to start with an unblurred numeral, blur it, then compare it to the blurred one. If you can guess the right typeface and blur algorithm, it's totally straightforward.
  • anonymously evil 2008-04-15 16:42
    I "have personal knowledge" of the I.T. department at Oklahoma DOC. The guy that wrote their Sex Offender Registry system was a contractor. He was with a company that no longer exists. He was NOT a competent programmer.

    The administration at DOC has not supported the I.T. department in many years. They play the blame game, and usually get away with it. George Floyd probably didn't report the FIRST phone call to the idiot he works for. That will give them an excuse to use Mr Floyd as a scapegoat.
    Agency Director Justin Jones has seen the I.T. department as a personal enemy for a long time - not realizing that he is blaming the wrong people for the problems there.

    The I.T. staff at Oklahoma DOC are not the villains here. The fault lies with Directors and Deputy Directors.....

    BTW, have a look at this link: http://www.okhouse.gov/Documents/OKRVSDFinalReport080103.pdf

    Have a look at the part on Information Technology. (page 231 on...)
  • Anon Sam 2008-04-15 16:47
    Pope:
    Could changing the rights of the web user limit this ability?

    A read-only database could stop someone doing a DROP or DELETE.

    And maybe the guy who set up the DB knew everyone else was an idiot and did so.
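    An added example for Pope's question about restricting the web user's rights and Anon Sam's read-only suggestion; it is not code from the article, the commenters or the Oklahoma DOC site. SQLite's authorizer hook stands in for a SELECT-only database role, and the roster table and its rows are constructed here, since the real schema is not known. It shows that the restricted role refuses the DROP from the thread but still hands back every row to a UNION SELECT, while binding the URL value as a parameter is what actually stops the data read.

```python
"""Added example: does a SELECT-only database role contain a site that takes
its SQL straight from the URL?  Constructed data; real schema unknown."""
import sqlite3

# Constructed sample data standing in for the real registry table.
SAMPLE_ROWS = [
    (1, "Doe, John", "123-45-6789"),
    (2, "Roe, Jane", "987-65-4321"),
]


def make_db():
    """In-memory database with a constructed roster table (hypothetical name)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sor_roster (regid INTEGER, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO sor_roster VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def make_select_only(conn):
    """Emulate a SELECT-only role: every action except reading is refused,
    so DROP, DELETE, UPDATE and INSERT fail when the statement is prepared."""
    def authorizer(action, arg1, arg2, db_name, trigger):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)


def lookup_raw(conn, sql_from_url):
    """The pattern the thread is about: the URL parameter *is* the statement."""
    return conn.execute(sql_from_url).fetchall()


def lookup_by_name(conn, name_from_url):
    """Hardened lookup: fixed statement, the URL value is only a bound
    parameter, and only the columns meant to be public are returned."""
    return conn.execute(
        "SELECT regid, name FROM sor_roster WHERE name = ?", (name_from_url,)
    ).fetchall()


def demo():
    """Run the three cases and return what each one yields."""
    conn = make_db()
    make_select_only(conn)
    results = {}

    # 1. Under the SELECT-only role the destructive statement from the
    #    thread is refused before it runs.
    try:
        lookup_raw(conn, "DROP TABLE sor_roster")
        results["drop_blocked"] = False
    except sqlite3.DatabaseError:
        results["drop_blocked"] = True

    # 2. The same role still hands back every column of every row:
    #    read-only limits damage to the data, not disclosure of it.
    leaked = lookup_raw(
        conn,
        "SELECT * FROM sor_roster WHERE regid = -1 "
        "UNION ALL SELECT * FROM sor_roster WHERE 1=1",
    )
    results["rows_leaked"] = len(leaked)
    results["ssn_leaked"] = any(SAMPLE_ROWS[0][2] in row for row in leaked)

    # 3. With a bound parameter, the payload quoted in the thread is just
    #    a name that nobody has; a real name still matches.
    results["bound_payload"] = lookup_by_name(
        conn, "-1' UNION ALL SELECT * FROM users WHERE 1=1/*"
    )
    results["bound_lookup"] = lookup_by_name(conn, "Roe, Jane")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```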
  • Anonymous 2008-04-15 16:47
    Looks like they need this consultant quick!

    Oklahoma DCS Central Purchasing Division
    Status: Open Bid Number: 1310002506
    Description: Department of Corrections is soliciting proposals from vendors to provide consultant services to assist DOC in determining requirements, direction, and the acquisition of a new offender management system.
    Buyer: Liza Hanke

    Find on http://www.dcs.state.ok.us/Solicitations.nsf, or direct link

  • v.dog 2008-04-15 16:53
    TRWTF is that 'white' is a race
  • Jon B 2008-04-15 16:59
    Schnapple:
    cavemanf16:
    anon:
    and remember many people are in favor of having the government run healthcare. wtf indeed.


    ding ding ding! We have a winner!

    One of my #1 reasons to be scared if Hillary or Obama gets elected.


    Federal Government != State Government. The Federal government delivers all the mail with few problems and collects all the taxes with even fewer. State governments can't pave fucking roads. Besides, several other countries run socialized medicine just fine.

    But nice try Mr. McCain.


    Yes, I see your point. We should model healthcare after the IRS. Let's get started on that right away.
  • Pope 2008-04-15 17:11
    Jon B:

    Yes, I see your point. We should model healthcare after the IRS. Let's get started on that right away.


    We should also start the war on anger and jealousy. The war on terrorism just isn't cuttin' it.
  • Kevin Abbey 2008-04-15 17:18
    A friend who is a network administrator with the Fed Gov't, emailed me today RE: this article. While he was reviewing the article he saw my name on two of the example sheets (I am a former DOC employee). I left the OK DOC in May, 2007, yet apparently here was my personal info for the taking.

    I also recognized some colleagues' names, and emailed them about this too....with a link to the article.

    Thanks for discovering this, and encouraging the repairs.



  • Pamela Anderson 2008-04-15 17:21
    I blame Pamela Anderson.
  • Schnapple 2008-04-15 17:32
    Jon B:
    Schnapple:
    cavemanf16:
    anon:
    and remember many people are in favor of having the government run healthcare. wtf indeed.


    ding ding ding! We have a winner!

    One of my #1 reasons to be scared if Hillary or Obama gets elected.


    Federal Government != State Government. The Federal government delivers all the mail with few problems and collects all the taxes with even fewer. State governments can't pave fucking roads. Besides, several other countries run socialized medicine just fine.

    But nice try Mr. McCain.


    Yes, I see your point. We should model healthcare after the IRS. Let's get started on that right away.


    Why not? They're the one that put Al Capone away. Those motherfuckers get results.
  • Andre LePlume 2008-04-15 18:04
    42 States have breach notification laws:
    http://privacylaw.proskauer.com/2008/04/articles/security-breach-notification-l/more-breach-notification-laws-42-states-and-counting/

    OK is one of the 8 that doesn't. Surprise!
  • BrownHornet 2008-04-15 18:33
    Craig:
    I am simply stunned ..stunned that Oklahoma has the audacity to have a county called 'Canadian'. I think this is all an attempt to make Canadians look like a country full of sexual offenders ;)
    It's not just Oklahoma - Ohio, Wisconsin and Alabama are in on it too, with assistance from Ontario!
    Planned Green License Plates Are For Sex Offenders In The US
  • mxsscott 2008-04-15 18:48
    cavemanf16:
    One of my #1 reasons to be scared if Hillary or Obama gets elected.


    When I first glanced at the title of this story in my RSS reader I thought it said "Obama Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data".
  • Paperino 2008-04-15 19:03
    This redefines what a SQL Injection is. I guess SQL Execution is more appropriate since there is literally nothing to inject
  • Mark Wilden 2008-04-15 19:07
    @Zathrus: "For those who still haven't gotten it -- the names and addresses are public information that's supposed to be provided by the sex offenders' list anyway."

    Read the entry again. It's clear the author disapproves of this ridiculous practice. So why put the possibly "fornicating teenagers" through more humiliation?

    Frankly, I'd be a hell of a lot more interested in a list of known murderers.

    ///ark

  • Ed Falk 2008-04-15 19:53
    > When a corporation does this, they take a huge hit in the form of lawsuits, stock drops, and lost business

    Do they? Can you give an example?
  • Shanya Almafeta 2008-04-15 19:59
    cavemanf16:
    One of my #1 reasons to be scared if Hillary or Obama gets elected.


    Don't you mean "injected"?

    captcha: populus
  • Shanya Almafeta 2008-04-15 20:11
    Alex Papadimoulis:
    I'd be very impressed if someone managed to unblur the numbers from the first image.


    TRWTF is that you went to the trouble of using a reversible filter when just blanking it out in the first place would have been easier and faster to do.
  • Eternal Density 2008-04-15 20:24
    Bert:
    ThePants999:

    Research shows that clever people think they're clever, average people think they're average, and dumb people think they're clever. It's a shame nobody else realised they were dumb though.


    I thought it went more like:
    Clever people know that they don't know it all,
    Average people know what they know,
    Dumb people THINK they know it all.
    And then there's SpectateSwamp...
  • Jon W 2008-04-15 20:27
    From that report link:

    The current software is so out of date that it cannot reside on newer computer equipment and is maintained on an antiquated hardware platform that is becoming increasingly difficult to repair. A recent malfunction of this server took OMS down for over a full day while replacement parts were located. If this hardware ultimately fails, the agency will lose its most vital technology resource in the day-to-day management of the offender population.


    I can just see a VAX sitting in a corner, sucking down on a power cord and coughing spastically every so often.
  • random_garbage 2008-04-15 20:32
    Erick:
    When a corporation does this, they take a huge hit in the form of lawsuits, stock drops, and lost business. When the government does it, it's a big brouhaha news story, maybe one person gets fired, and then it's back to business as usual.


    Yeah, anyone who loses customer data has a tough time dealing with all the lawsuits and lost business... (e.g. Bank of America, HSBC, Citigroup, Ameritrade, Ernst&Young losing Hotels.com data, etc... Not to mention the thousands of entries in the Attrition.org Data Loss Database...)

    At least Wells Fargo went to court... and we can see how well that went...
  • Jon 2008-04-15 21:24
    elias:
    Thanks. I pressed your "Do Not Press" button, and now my faith in humanity is at an all-time low.
    While we're at it, don't press this button either.
  • EnterUserNameHere 2008-04-15 21:27
    Did this story remind anyone of this little gem? ;)

    http://xkcd.com/327/

    Addendum (2008-04-15 21:35):
    Crap. I see it did.

    Never mind.
  • Vargen 2008-04-15 21:29
    Bet the developer is an outsource or a bunch from one of the "rising powers"
  • Travis 2008-04-15 21:37
    Anonymous:
    Looks like they need this consultant quick!

    Oklahoma DCS Central Purchasing Division
    Status: Open Bid Number: 1310002506
    Description: Department of Corrections is soliciting proposals from vendors to provide consultant services to assist DOC in determining requirements, direction, and the acquisition of a new offender management system.
    Buyer: Liza Hanke

    Find on http://www.dcs.state.ok.us/Solicitations.nsf, or direct link



    The total cost to the agency from 1998 to 2002 for development and support of OMS was $3.6 million.

    Enough said!
  • nobody 2008-04-15 21:55
    pauldwaite:
    Maybe Oklahoma should start an online registry of the idiot developers who put this system together, and the managers who let them.


    Amen to that.
  • Pope 2008-04-15 22:04
    I just want to say thanks to all of who introduced me to xkcd. Since I saw it for the first time the other day, I have nearly gone through all the cartoons. It's like they were made for me. Very strange. Well... I'm not crazy about some of the romance ones, but I love the majority of them.

    Thanks again!
  • jlrobins 2008-04-15 22:09
    Another one, this one Coast Guard related:

    http://www.vesselsafetycheck.org/ideaexchange.asp?sql=Select+*+from+Best_Table+where+OKtoView+%3D+1+Order+by+DatePosted+Desc&startwith=5
  • Simmo 2008-04-15 22:18
    That is just awesome... The best thing I've read on this site for ages. Bloody excellent.

    Thanks for that. It truly helps me relax and de-stress. Just to know there are some total turkeys out there so that even on a bad day I'm still pretty competent (probably not earning more money though).

    You can just see their minds going... 'Well, it's Oracle. That's unbreakable isn't it?'

    More! More!
  • dmitriy 2008-04-15 22:37
    From the article:

    ... names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years.


    This appears to me to be the worst part of this story.
  • topeka 2008-04-16 00:12
    the real WTF will be the moment u see hot and sexy chicks on _millionaireloves.com_ it's just breathtaking!!!
  • Fraggle My Rock 2008-04-16 03:00
    me:
    DeLos:
    Alex Papadimoulis:


    Oh sure you pick out YOUR comment to be featured!!


    It's his site and his article, so why not?


    Communist!!
  • Program.X 2008-04-16 03:41
    So I take it "For those unaware, the SVOR is a federally-mandated, publically-available registry designed to protect us from the truly horrendous specimens of humanity by forever branding those convicted of a certain crimes with a big “SO”." is a personal, uneducated view?

    If you were a UK citizen, I'd assume you'd got that politicised uneducated nonsense from The Daily Mail. For those who are educated in the causes of Sex Offences, it is a little more complicated.
  • You didn't see me right? 2008-04-16 04:06
    jlrobins:
    Another one, this one Coast Guard related:

    http://www.vesselsafetycheck.org/ideaexchange.asp?sql=Select+*+from+Best_Table+where+OKtoView+%3D+1+Order+by+DatePosted+Desc&startwith=5


    The rWTF here is calling a table Best_Table
  • csrster 2008-04-16 04:09
    KG:
    luke:
    maniek:
    http://www.google.pl/search?q=allinurl:+select+from+and
    There are some interesting hits (especially a few pages further into the search results)


    Perhaps even more interesting:
    http://www.google.com/search?hl=en&q=allinurl%3AsqlString+select

    And those are just the geniuses that named the variable sqlString...

    I believe we're observing a paradigm shift from "Haha, WTF" to "WTF!!!"



    OMG!!!!!
    I would never have thought of that. I would never have assumed people could be so stupid! I've been a frequent visitor of this site for months now (discovered it when it was named "worse than failure" - stupid name to be sure), but this... this is a new low.


    I just did this for the country I live in - and one of the links which came up is for the trades union for IT professionals.
  • BlueEagle 2008-04-16 04:19
    That would be an idea for the next wtf programming contest.

    Submit an entry for the Oklahoma DOC.

    Of course all entries will be submitted and the contract will be the prize. :p
  • Livid Gibbon 2008-04-16 05:07
    A common feature of many of these sites appears to be the use of "sqlquery" in the querystring (i.e. to find a whole bunch you just need allinurl: sqlquery) suggesting the possibility that this disgrace stems from a single, original, potentially traceable source. As a starting point some of the sites contain an advert for their creator, which is a useful anti-pattern to watch for if you're planning on using the perpetrator for any development.

    ahhhhhhh - I love the smell of a witchhunt in the morning...
  • Paolo G 2008-04-16 05:46
    <grammarnazi>
    The real WTF is that there's no such word as "publically", and adverbs that can't be misunderstood as adjectives don't get hyphenated when qualifying an adjective that qualifies a noun. So it's "publicly available registry".
    </grammarnazi>

    Believe me, this is *so* much more important than whether this information is publicly available or not ;)
  • dkf 2008-04-16 06:32
    Jon B:
    Yes, I see your point. We should model healthcare after the IRS. Let's get started on that right away.
    On the plus side, they've got a plentiful supply of blood (extracted from stones, I believe...)
  • Anon 2008-04-16 07:44
    Sometimes this kind of thing makes me think we programmers should need to earn a 'licence to code' :) Whoever wrote this mess would immediately have it revoked!
  • Yazeran 2008-04-16 08:01
    csrster:


    I just did this for the country I live in - and one of the links which came up is for the trades union for IT professionals.


    Yeah, me too.. Quite disgusting really

    Found out that they ran their database on PostgreSQL and that the pg_class table was WORLD READABLE for C... sake!!!! (hint pg_class stores info on tables in the database such as table names etc making guessing table names real easy...)

    I didn't look more into it, and didn't get the table names etc, but I did get the amount of rows a 'SELECT * FROM pg_class' would generate (some 20 or so)

    Yours Yazeran

    Plan: To go to Mars one day with a hammer.
  • SomeBody_Else 2008-04-16 08:06
    Anon:
    Sometimes this kind of thing makes me think we programmers should need to earn a 'licence to code' :) Whoever wrote this mess would immediately have it revoked!



    Yeah, Sure. Like licenses prevent drivers from being idiots! Having a license is no guarantee of ability, they are more about keeping out competition.
  • Anon 2008-04-16 08:23
    Program.X:
    So I take it "For those unaware, the SVOR is a federally-mandated, publically-available registry designed to protect us from the truly horrendous specimens of humanity by forever branding those convicted of a certain crimes with a big “SO”." is a personal, uneducated view?

    If you were a UK citizen, I'd assumed you'd got that politicised uneducated nonsense from The Daily Mail. For those who are educated in the causes of Sex Offences, it is a little more complicated.

    I think your sarcasm detector is on the blink :)
  • David 2008-04-16 08:33
    Thanks for sharing that. It was fascinating. It sounds so much like several places I have worked that it's fascinating. This assessment resembles something that could have been written about Hennepin County, Minnesota in their effort to acquire a new jail management system. The Sheriff assigned oversight to an employee who had no experience overseeing technology projects. How naive. But then, what did the Sheriff know about IT? Probably nothing. Our industry sure faces some tough challenges supporting those we serve.
  • David 2008-04-16 08:35
    Licensing doesn't prevent idiot drivers. But it reduces them. Imagine who would be driving if NO licenses were required.
  • Pope 2008-04-16 08:45
    Livid Gibbon:
    A common feature of many of these sites appears to be the use of "sqlquery" in the querystring (i.e. to find a whole bunch you just need allinurl: sqlquery) suggesting the possibility that this disgrace stems from a single, original, potentially traceable source. As a starting point some of the sites contain an advert for their creator, which is a useful anti-pattern to watch for if you're planning on using the perpetrator for any development.

    ahhhhhhh - I love the smell of a witchhunt in the morning...


    I was thinking about this last night. A person with access to this kind of information could make a lot of money working with those who do not wish to be recognized as pedophiles. "Slide me a thousand bucks and I'll erase you out of the registry."

    Where's my torch and pitchfork?
  • Nick J 2008-04-16 08:46
    http://docapp8.doc.state.ok.us/pls/portal30/url/page/sor_roster?sqlString=drop table registration_offender_xref

    Way to commit any sort of crime in Oklahoma and get away with it!
  • Erick 2008-04-16 09:21
    Ed Falk:
    > When a corporation does this, they take a huge hit in the form of lawsuits, stock drops, and lost business

    Do they? Can you give an example?


    http://identitytheft911.org/alerts/alert.ext?sp=10431
    http://www.networkworld.com/news/2007/060807-tjx.html
    http://www.usatoday.com/tech/news/computersecurity/infotheft/2007-04-03-radio-shack-id_N.htm

    Granted, the larger companies are seemingly as immune as the government when it comes to this negligence. Hopefully that will change. Unfortunately it seems that it's going to take more than a lost CD or laptop before someone takes serious action.
  • Scott 2008-04-16 09:54
    Fortunately, he didn't accuse me of hacking their site

    I saw on the local (Oklahoma City) news last night that an "unknown hacker" had retrieved data from the OK Dept. of Corrections web site before they fixed it. I assume that's you.... Sheesh.
  • mister 2008-04-16 10:01
    Maybe it's all according to spec, and the "vulnerability" is just the required federal backdoor.
  • Trudy 2008-04-16 10:54
    Oklahoma has another website (http://www.oscn.net/applications/oscn/start.asp) where they share all sorts of personal information, including physical description and date of birth on people with traffic offenses and other legal issues. I don't know of any other state that violates the privacy of its citizens like that. It's time to get out of this primitive backwards state.

  • Sean 2008-04-16 11:48
    I've always thought that the ODOC websites in Oklahoma were poorly developed. I'm glad someone finally hacked in and caused a ruckus.
  • Richard 2008-04-16 11:50
    Can you say (irreparable damage)? This is ridiculous! My great-grandfather would've gone CRAZY over a rights violation of this magnitude.
    This is probably the beginning, the foresight we will look back upon and realize a lot of things could've been prevented with common sense. Our nation is becoming incredibly delusional; all of a sudden the effects that christened America so great have become discarded for good intentions.
    This is the war I see, it’s a war on our children and our rights! Sex Offenders are the other form of terrorist according to the government, because you don’t know who they are or where they are. So the government says to protect us and our children they will implant V Chips, not only in us, but in our cars, passports, identification, and run surveillance on our streets, homes, friends, and conversations. 96.5% of sex offenders are family members or friends to the victim, 97% are male, and only 3.5% of overall convicted sex offenders reoffend sexually... Therefore the odds are YOU are more of a threat to commit a sex offense than a "sex offender". Mull over that for a moment. What will the next set of laws be? Will they treat us more like criminals than they currently do over statistics like these? Will we again support them for the reasons or justifications of “good intentions”? In fact I have already seen the question that leads to this, (We need to constantly ask "Legislators," why they continually focus new more restrictive legislation on ALL registered sex offenders, when they have the lowest recidivism rate, and legislators ignore the group committing "96.5% of new sex offenses," persons who have never before committed a sex offense?)
    How can we prosecute people for life knowing how easy it is to be charged and convicted of a sex offense? Do you realize how many death row inmates have been found innocent due to D.N.A.? They convict sex offenders every day with merely one's word against another's; today, a simple lie can wreck your life! How do V Chips, satellites, surveillance, and treating us like criminals stop our children from having a sexual encounter, protect our credit, or save us from terrorists that our government antagonizes?
    We let them ignore Americans' rights because we agree with the “good intentions” they sell us. Isn’t that what the Bible states the path to Hell is paved with? Did you know since that registry began the recidivism rate has increased, not declined, and the rate of sex offenses has not changed? There have however been thousands of vigilante attacks that have gotten an estimated 4000 innocent people hurt and even killed by mistaken identity or wrong addresses all together. In one case a pregnant woman was burned alive for nothing she had done. I have heard of “American justice” before, but it was in times when a guilty man unjustly went free. Not on a man who served HARD time in prison, not after the humiliation of refacing the public, and never after he was continually punished during and after his parole by the state. Now we harass or kill his family and friends as well? Is this what we have become? We now allow rights to be ignored?
    Hitler used the media, fear mongering tactics, and created monsters to use as justifiable leverage against people's rights, turned the people against one another, tortured people, held secret prisons, and reversed the impact of the word "WAR" till it was a good thing to happen to a nation. He too painted himself the protector and guardian. It makes me wonder if it is just a coincidence that Bush's grandfather worked for and with Hitler.
    How are we keeping out terrorists if we can’t keep out drugs? How does opening our borders protect our borders? If this is what our country has become maybe the “terrorists” have us pegged, and we deserve whatever we get.
    I for one do not need the government to protect my children and still hope we are a great and proud country because of our freedom, honor, fairness, and morals on life, liberty, and justice.
  • root 2008-04-16 12:04
    @Richard: Whatever you wrote, nobody read it. Maybe you should consider shortening your future comments to less than the length of the article in question.

    ... And by the way, HAHAHAHAHAHAHHAHAHAHAHAHAHAHAHHAHAHAHAHAH @ "upper(zip) = '73064'", that made my day.
  • heinzkunz 2008-04-16 12:22
    Alex Papadimoulis:

    I'd be very impressed if someone managed to unblur the numbers from the first image.


    Just don't use blur. This *is* recoverable:
    http://www.schneier.com/blog/archives/2007/01/how_to_recover.html
  • SKFox 2008-04-16 12:45
    http://newsok.com/article/3230675/1208345421

    The bloggers used certain search parameters to troll for the information.


    captcha: validus

    Certainly not...
  • petvirus 2008-04-16 13:00
  • umm... 2008-04-16 14:53
    David:
    Licensing doesn't prevent idiot drivers, but it reduces them. Imagine who would be driving if NO licenses were required.

    I suppose that assumption really makes you feel a lot safer. Too bad a good feeling can't help you to actually be any safer - why don't you try to present even one theoretical example of these dangerous unlicensed drivers you refer to, who are being prevented from driving simply by the requirement to be licensed. It certainly won't be the drunk, unlicensed, uninsured moron who totalled my car a few years ago.

    On the other hand, and also in reference to the wonderful Hennepin County system mentioned in the comment above yours, I've twice had a 'suspended' license, due to either software or data-entry screw-ups on the part of that county. You know how great that is? It's so nice to get pulled over for no apparent reason, to have the nice officer approach the vehicle with gun drawn, barking orders, and then to lose a couple hours of my life inspecting the back seat of his police cruiser. Thankfully, I was eventually able, purely by way of having a completely perfect driving record, to convince the officer that it had to be a mixup, so he let me go. In the second occurrence I was lucky enough to have had friends riding with me, so one of them could take the wheel...otherwise, since the officers wouldn't listen to reason, I'd have had my car impounded and spent the night in jail.

    Yep, the existence of driver's licenses has sure made my life a lot better.
  • Andrew 2008-04-16 15:29
    too bad that even though they took it down, all that information is still available cached away in google, and now with the press on this article boatloads more people are looking for it.
  • m0ffx 2008-04-16 15:54
    umm...:
    David:
    Licensing doesn't prevent idiot drivers, but it reduces them. Imagine who would be driving if NO licenses were required.

    I suppose that assumption really makes you feel a lot safer. Too bad a good feeling can't help you to actually be any safer - why don't you try to present even one theoretical example of these dangerous unlicensed drivers you refer to, who are being prevented from driving simply by the requirement to be licensed. It certainly won't be the drunk, unlicensed, uninsured moron who totalled my car a few years ago.

    On the other hand, and also in reference to the wonderful Hennepin County system mentioned in the comment above yours, I've twice had a 'suspended' license, due to either software or data-entry screw-ups on the part of that county. You know how great that is? It's so nice to get pulled over for no apparent reason, to have the nice officer approach the vehicle with gun drawn, barking orders, and then to lose a couple hours of my life inspecting the back seat of his police cruiser. Thankfully, I was eventually able, purely by way of having a completely perfect driving record, to convince the officer that it had to be a mixup, so he let me go. In the second occurrence I was lucky enough to have had friends riding with me, so one of them could take the wheel...otherwise, since the officers wouldn't listen to reason, I'd have had my car impounded and spent the night in jail.

    Yep, the existence of driver's licenses has sure made my life a lot better.


    There were some major screwups in the UK a while back, with people's license classes getting randomly changed, so suddenly someone with a motorbike license gets told they can't drive a motorbike - but are licensed to drive a tank! In some cases the attitude of the DVLA (organisation responsible for licensing) was 'retake your test. And no we won't even pay for it'.

    But licensing driving is still important. Not to stop the 'dangerous unlicensed drivers' we have, who drive despite being banned, but in helping ensure that EVERYONE on the roads has at least a minimum level of competence - that required to pass the test in the first place (of course it's not foolproof, loads of people forget some of it, and wouldn't pass a snap retest were such things administered). If there was no driving license, we'd soon have a lot of crap drivers on the road; those who currently learn what they have to, but if they weren't compelled to, wouldn't bother.
  • Anonymous 2008-04-16 15:56
    Not really going to be a problem though since the only cached data is going to be the data they originally wanted posted. Google spiders while cool don't rewrite sql statements when they find them to include SSN, but hey if I am wrong post them I need another CC :)
  • Master TMO 2008-04-16 16:29
    I had a semi-similar WTF at my company several years ago. They had rolled out a new series of employee detail pages - I can't even remember what they were for now. You put in your user ID, and it listed out your pertinent information, including your SSN.

    After about 30 seconds, I realized I didn't have to enter a password to see my data. So I put in my manager's user ID. Lo and behold, there was his information, including his SSN.

    So I wrote it down on a sticky note and explained the problem to him. He was not the least bit concerned. So I looked at the bottom of the page, got the 'send problems to the webmaster' link, found out who it went to, looked up his SSN and sent it to him, with an explanation of the problem.

    HE promptly booted it up to his supervisor, and all detailed personal information was immediately removed until the system was password protected.

    To me the system was just an oversight. The real WTF to me was my manager's unconcern. ;)
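    The employee-detail page in the comment above is the classic missing-authentication / insecure-direct-object-reference shape: the only input is a user ID, and nothing ties the request to a logged-in person. The following is an added example written for this thread, not code from the commenter's company or from the page; it assumes an in-memory record store and a session-token login, both constructed here, and shows the unsafe lookup next to a version that first authenticates and then authorizes the caller against the requested record.

```python
import hashlib
import hmac
import secrets

# Constructed employee records; the SSNs are placeholder values, not real data.
EMPLOYEES = {
    "jdoe": {"name": "J. Doe", "ssn": "000-00-0001"},
    "mgr1": {"name": "M. Manager", "ssn": "000-00-0002"},
    "hr01": {"name": "H. Resources", "ssn": "000-00-0003"},
}

# Assumed policy for the example: these principals may read any record.
CAN_READ_ALL = {"hr01"}

# One constant salt keeps the example short; real code uses a per-user salt.
_SALT = b"example-salt"


def _hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed password store (hashes only, never plaintext).
PASSWORD_HASHES = {
    "jdoe": _hash_pw("correct horse"),
    "mgr1": _hash_pw("battery staple"),
    "hr01": _hash_pw("hr-pass"),
}

SESSIONS = {}  # session token -> authenticated user id


def login(user_id, password):
    """Return a fresh session token on success, None on failure."""
    stored = PASSWORD_HASHES.get(user_id)
    if stored is None or not hmac.compare_digest(stored, _hash_pw(password)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def employee_detail_unsafe(user_id):
    """The pattern described in the comment: any caller, any record, no credentials."""
    return EMPLOYEES[user_id]


def employee_detail(session_token, user_id):
    """Hardened lookup: authenticate the caller, then authorize against the record."""
    principal = SESSIONS.get(session_token)
    if principal is None:
        raise PermissionError("login required")
    # Object-level check: a user may read only their own record unless their
    # role allows reading all records.  Done before the existence lookup so a
    # caller cannot enumerate valid IDs through differing error types.
    if principal != user_id and principal not in CAN_READ_ALL:
        raise PermissionError("not authorized for this record")
    return EMPLOYEES[user_id]


if __name__ == "__main__":
    print("unsafe, no login:", employee_detail_unsafe("mgr1"))
    token = login("jdoe", "correct horse")
    print("own record:", employee_detail(token, "jdoe"))
    try:
        employee_detail(token, "mgr1")
    except PermissionError as exc:
        print("manager's record:", exc)
```

    The point of the split into `login` and `employee_detail` is that the record ID in the request is never the thing that decides access; the session token does, and the ID is only compared against what that token proves.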
  • gruckiii 2008-04-16 16:39
    SKFox:
    http://newsok.com/article/3230675/1208345421

    The bloggers used certain search parameters to troll for the information.


    captcha: validus

    Certainly not...


    They reported it as a glitch.. a glitch? It's a gaping huge security hole that should be obvious to any developer. I guess they wanted to downplay it and make it seem like some minor or obscure problem.
  • DavidN 2008-04-16 17:50
    That whole NewsOK article smells of "Let's just throw some Internet-related words at it", to be honest.
  • Mr 2008-04-16 18:03
    DAMN:
    Real WTF:
    http://dheera.net/projects/blur.php


    That reminds me of a story I read in a national newspaper. Someone had distributed a Word document with sensitive information, and "blacked out" the sensitive parts. And he/she did that by drawing a box on top of it. It was just a matter of dragging the box to another place to see the information...
  • Mr 2008-04-16 18:04
    KG:
    I've been a frequent visitor of this site for months now (discovered it when it was named "worse than failure" - stupid name to be sure), but this... this is a new low.


    I've been a frequent visitor since before it was named "worse than failure", and I can confirm that this is a new low.
  • Jon 2008-04-16 18:24
    umm...:
    I suppose that assumption really makes you feel a lot safer. Too bad a good feeling can't help you to actually be any safer - why don't you try to present even one theoretical example of these dangerous unlicensed drivers you refer to, who are being prevented from driving simply by the requirement to be licensed. It certainly won't be the drunk, unlicensed, uninsured moron who totalled my car a few years ago.

    On the other hand, and also in reference to the wonderful Hennepin County system mentioned in the comment above yours, I've twice had a 'suspended' license, due to either software or data-entry screw-ups on the part of that county. You know how great that is? It's so nice to get pulled over for no apparent reason, to have the nice officer approach the vehicle with gun drawn, barking orders, and then to lose a couple hours of my life inspecting the back seat of his police cruiser. Thankfully, I was eventually able, purely by way of having a completely perfect driving record, to convince the officer that it had to be a mixup, so he let me go. In the second occurrence I was lucky enough to have had friends riding with me, so one of them could take the wheel...otherwise, since the officers wouldn't listen to reason, I'd have had my car impounded and spent the night in jail.

    Yep, the existence of driver's licenses has sure made my life a lot better.
    You have convinced me that we need Internet licenses. Yours has just been revoked.
  • lolagoetz 2008-04-16 20:33
    Alex, would you mind if part of your screen caps are used in a short article about this, with links back to your content? I wanted to get permission before grabbing something.

    Becky
  • umm... 2008-04-16 22:50
    Jon:
    umm...:
    I suppose that assumption really makes you feel a lot safer...
    You have convinced me that we need Internet licenses. Yours has just been revoked.

    Nice try. Next time you might want to actually make a point of some kind. You know, kind of like this:

    m0ffx:
    umm...:
    David:
    Licensing doesn't prevent idiot drivers, but it reduces them. Imagine who would be driving if NO licenses were required.

    I suppose that assumption really makes you feel a lot safer...


    There were some major screwups in the UK a while back, with people's license classes getting randomly changed, so suddenly someone with a motorbike license gets told they can't drive a motorbike - but are licensed to drive a tank! In some cases the attitude of the DVLA (organisation responsible for licensing) was 'retake your test. And no we won't even pay for it'.

    But licensing driving is still important. Not to stop the 'dangerous unlicensed drivers' we have, who drive despite being banned, but in helping ensure that EVERYONE on the roads has at least a minimum level of competence - that required to pass the test in the first place (of course it's not foolproof, loads of people forget some of it, and wouldn't pass a snap retest were such things administered). If there was no driving license, we'd soon have a lot of crap drivers on the road; those who currently learn what they have to, but if they weren't compelled to, wouldn't bother.

    I can appreciate the theory, but observing other drivers has only convinced me that in driver's ed, they mostly learned to stop when they should go, and to go when they should stop. Either that, or they were all too busy discussing how to make home-made bongs, as was the case back when I attended.
  • Joe Holmes 2008-04-17 04:15
    I can tell you from personal experience (having worked there as a web developer for about a year) that there is some definite incompetence within the OK DOC. BTW, the article fails to point out that George is actually the Director of IT (not that I would expect management to know about things like SQL Injection, etc.).

    In Mr. Floyd's defense (not that he's on trial or anything :), from what I saw of him he was working to try to bring some structure to an organization that seemed to lack such things for quite some time from what I could tell.

    I worked within a group that wasn't even actually a part of IT and they were working to replace their current Offender Management system. Anyway, it was a freakin' cluster. We had no real requirements to work from.

    Basically, we worked off of a prototype that was put together by a couple of guys that told us straight up that they were not programmers. The web pages had SQL all throughout (a project of this size should have been done in layers... if not tiers). Also, the site did not use CSS/ASP.Net Skins/Master Pages so we were constantly changing colors, fonts, etc. of a non-functioning site.

    I wanted to say, "Look ladies this isn't Trading Spaces or Home Makeover, etc. Who cares what the pages look like right now? Do I really need to change that font? Does that color really need to be changed when the stupid page doesn't work in the first place? Maybe we should worry about functionality right now".

    Actually, I was quite verbal after I had been there for a while and had witnessed some of the incompetence for myself. I did wind up saying it almost that directly... two days later they asked for my resignation :) haha That might have also been brought on by the fact that I mentioned I should call the Fraud, Waste, and Abuse hot-line :) hehe Also, I was told to work from home the day those auditors were in our office :)

    Basically, my boss was a former probation officer that learned the previous system well and she was a trainer. Someone up above (obviously knowing nothing of software development, etc.) decided she could manage the project. I don't fault my manager for this as I think she was overwhelmed by all of it and rightfully so. I was like "no that's called a SME (Subject Matter Expert)". When there are experienced managers and PMs and 80% of software development projects go beyond the timeline and budget, what kind of lunatic thinks that a probation officer could manage a software development team?

    Anyway, it's late and I'm rambling and probably not making any sense. I could go on and on. Typical government employee ineptitude.
  • Andrew 2008-04-17 07:49
    DavidN:
    That whole NewsOK article smells of "Let's just throw some Internet-related words at it", to be honest.


    ".. but let's not bother about getting them right:

    > The bloggers used certain search parameters to troll for the information.


    I know there probably aren't many deep-sea fishermen in Oklahoma, but it's TRAWL, boys. TROLLs on the other hand.. oh, never mind.
  • Jasper 2008-04-17 08:23
    Wow.

    You should have sent them a copy of the book Managing Catastrophic Loss of Sensitive Data as a hint...
  • anonymously evil's nemesis 2008-04-17 09:54
    anonymously evil:
    I "have personal knowledge" of the I.T. department at Oklahoma DOC. The guy that wrote their Sex Offender Registry system was a contractor. He was with a company that no longer exists. He was NOT a competent programmer.

    The administration at DOC has not supported the I.T. department in many years. They play the blame game, and usually get away with it. George Floyd probably didn't report the FIRST phone call to the idiot he works for. That will give them an excuse to use Mr Floyd as a scapegoat.
    Agency Director Justin Jones has seen the I.T. department as a personal enemy for a long time - not realizing that he is blaming the wrong people for the problems there.

    The I.T. staff at Oklahoma DOC are not the villains here. The fault lies with Directors and Deputy Directors.....

    BTW, have a look at this link: http://www.okhouse.gov/Documents/OKRVSDFinalReport080103.pdf

    Have a look at the part on Information Technology. (page 231 on...)


    I too have first hand knowledge of ODOC since I work/worked there.

    The fault for this type of code doesn't belong to Directors or Deputy Directors (even though they don't have a clue). The fact that the IT department let this code out there for so long without any testing shows how incompetent the IT department is. If George, Daniel, or Pat did their jobs properly then they would have never let this code out in production in the first place. This type of code has been discouraged for years.

    Also, you can't be serious about how the IT department has been neglected. When there was a surplus in the budget in 2006, they let Daniel go on a spending spree to buy all new servers and infrastructure equipment (which was needed). They could have done something then to address the issues with OMS that was mentioned in the audit you posted.

    There is no excuse for not continually improving your knowledge of your chosen industry. You should at least keep up with reading about new technology and the latest threats. The IT department is to blame for this, plain and simple.

    btw, I bet you are either George, Daniel, or Pat
  • lolwtf 2008-04-17 16:12
    To those who keep saying "sex offenders deserve to have their identities stolen, they are scum of the earth and so on": Being a sex offender doesn't mean you're a rapist. It could mean you were once caught naked in public. Or in this case, it could mean someone added you by changing the URL. ;-)
  • chrismcb 2008-04-17 20:50
    Program.X:
    So I take it "For those unaware, the SVOR is a federally-mandated, publically-available registry designed to protect us from the truly horrendous specimens of humanity by forever branding those convicted of a certain crimes with a big “SO”." is a personal, uneducated view?

    If you were a UK citizen, I'd assumed you'd got that politicised uneducated nonsense from The Daily Mail. For those who are educated in the causes of Sex Offences, it is a little more complicated.


    Yes it is a personal view, but why do you say it is uneducated? Are you saying that any educated views should have the same opinion?
    WTF is "politicised uneducated"

    I'm not sure what is complicated about branding someone with a Scarlet Letter?
  • lolagoetz 2008-04-18 01:10
    Andrew:
    DavidN:
    That whole NewsOK article smells of "Let's just throw some Internet-related words at it", to be honest.


    ".. but let's not bother about getting them right:

    > The bloggers used certain search parameters to troll for the information.


    I know there probably aren't many deep-sea fishermen in Oklahoma, but it's TRAWL, boys. TROLLs on the other hand.. oh, never mind.


    In deep-sea fishing for tuna, you drop a line behind the boat and TROLL. You try to solicit a bite. Trawling uses big nets and scoops things up. Two different animals.
  • anon 2008-04-18 04:57
    this is atrocious, the person coding it should be sacked and his boss and the security person and their boss!
  • WTF + Schneier fan 2008-04-18 09:05
    You made schneier's blog too! This is a bigger achievement in my book than digg and /. ;o)
  • Random832 2008-04-18 13:17
    lolagoetz:
    Alex, would you mind if part of your screen caps are used in a short article about this, with links back to your content? I wanted to get permission before grabbing something.

    Becky


    I don't think he reads the comments, there's a contact form http://thedailywtf.com/Contact.aspx
  • Eugene Jim Ed Justin and others 2008-04-18 14:51
    We said that we wouldn’t get involved.

    OOPS.

    Some of us are still smart enough not to say anything, but the rest of us still feel that there is something worth saying…

    Once Upon a time, the Oklahoma Department of Corrections, faced with the looming Y2K bug, decided to replace their Cobol-based Offender Management system with a product that they would buy from Syscon Justice Systems of Richmond, British Columbia. The IT department had stated that they could update the existing system, but management was convinced that it could not be done in time.

    Ironically enough, as the year 2000 approached, it became obvious that the new OMS would not be ready to go online in time and the IT department was told to "fix the Y2K bug". They succeeded, but that brought no accolades.

    The Oklahoma Department Of Corrections spent millions of dollars on hardware, network infrastructure and the aforementioned Syscon software. In the spring of 2000 the system went live, and was immediately met with screams of outrage from the user community. Any time you replace an enterprise system you face user resistance, but the powers that be had created a nightmare situation. The entire user community and most of middle management agency-wide had been alienated. The new OMS would never be popular.

    This was not a good time to be working in the IT department at Oklahoma’s Department Of Corrections. Source code was not a part of the deal when DOC bought the new system; DOC was expected to pay Syscon to fix any bugs and make any changes, and the programming staff at DOC would not be allowed to touch the system. Meanwhile, users saw the IT department as a dreadful enemy that had shoved a horrible new system down their throats. The project manager saw the IT staff as incompetents and fools, and treated them as such. Syscon Justice Systems, of course, had no reason to give the IT staff any detailed information about the OMS database. (It was their intellectual property after all.) This made report writing and the construction of ancillary systems problematic at best.

    In the spring of 2001 work on the Sex Offender Registry, a federally mandated and funded project, was begun. The rules in place at the time did not allow DOC to hire staff to build the system, so they outsourced the job to a less-than-entirely-legitimate consulting firm. The contract programmer who wrote the SOR had never worked in the development environment that was used. He had no real knowledge of database design or of Internet security. For that matter, the original statement of work for the project does not mention security.

    Pre-Y2K, Internet security was (comparatively) in its infancy. We know for a fact that members of the DOC IT staff ASKED about security, but they were told that the issue was none of their business.

    The timeline now brings us to the “COMIT” project. Mr. Holmes (comment 190231) appears to have been a part of this project.

    This project was born when two malcontents in IT convinced a Deputy Director that the entire IT staff, from the IT director on down, was guilty of criminal malfeasance, corruption and bad manners. Obviously all members of the IT staff (except these two) were criminals, idiots and fools.

    They said that that they could write a replacement system in six months time.

    These two had NO experience in database design. They had NO experience with the development of enterprise applications. They had several other minor deficiencies, BUT one of them was a Deputy Director’s fishing buddy.

    Two years later, when no real progress had been made, the fishing buddy astounded the entire IT staff by asking if the OMS could not be “fixed” or rewritten. The IT department contacted Syscon, who offered to sell an updated version of the source code for the OMS to DOC for a fairly reasonable amount. Unfortunately the Deputy Director went fishing that week and the source code purchase idea was abandoned.

    More recently, Syscon offered to license the source code to DOC for $60K per year. This contract would run as long as DOC was using any of the Syscon product. (In effect the contract would run forever.) This offer was rejected, but apparently no effort was made to go back to the outright purchase deal.

    Mr. Holmes asks "what kind of lunatic thinks that a probation officer could manage a software development team". The answer to that question is obviously "JUSTIN JONES". It seems that every day one of us hears about "typical government employee ineptitude". That dear friends, is very tiring. DOC had some very talented programmers and a few people who were a waste of skin; a situation that can be found in most private sector organizations. (Those of us who have years of experience in the private sector are ranting at this point.)

    Now we come to anonymously evil's nemesis. (S)he says that the fault doesn't belong to Directors or Deputy Directors.

    It was the preference of Directors and Deputy Directors (among others) that the IT staff keep their nasty hands OFF of the SOR – the excuse being that they hadn’t written it in the first place.

    (S)he says that "they would have never let this code out in production in the first place".

    1. George was not a DOC employee when the code went to production.
    2. Daniel was in charge of network security, but NOT application security.
    3. Pat was a programmer when the code went to production. She had hoped to be the one who got to write the SOR. If she had been, we can assure you that we wouldn't be having this debate.

    The fact that Mr. Floyd didn't find out about the security problems until now is not a huge surprise, considering the neglected shop that he walked into. The fact that someone at DOC changed the case of ONE LETTER and called that a security fix is also not a huge surprise, but Mr. Floyd would be well advised to take a hard look at his shop and make sure that nobody does anything that stupid again.

    Anonymously evil "can't be serious about how the IT department has been neglected". HA!

    DOC spent a fortune on the OMS, and they spent a second and third fortune on PC's and networks. Having spent those fortunes, between 2000 and 2006, financial times were rough. They were rough enough that furloughs were considered imminent. The fact that some fool funded a "spending spree" in 2006 does not obviate the neglect and mishandling that the IT department suffered BEFORE the spree.

    We agree that at that time something could have been done to address the issues with OMS. Someone, above the IT manager and the programming staff, decided to spend money on infrastructure. That same someone decided NOT to spend money and/or effort on the very real problems that DOC IT still faces.

    Historically, Ed and Justin discounted everyone in the IT department. An IT department that brought DOC out of the Stone Age, and which has more than once earned the trust of the user community, was routinely ignored to support lies and a pipe dream provided by a couple of inexperienced hacks who promised to write an enterprise offender system. It is obvious to those in the know that the fault certainly does belong to Directors and Deputy Directors.


    The fix that won’t happen:
    Management could give the IT department a mandate. They could buy the source code for the OMS. (This should be an outright purchase, not a licensing agreement.) The Sex Offender Registry could be moved into the OMS. The OMS could be rebuilt over a period of time. Security could be made a paramount issue. This would mean that the agency would not be endangered by the problem of non-existent security in the future, as security issues would be addressed up front. This would mean that the user community would be faced with small changes over time instead of struggling through another huge shift in business rules.

    It is our humble opinion that buying another canned system is NOT what DOC needs. A slow replacement of a BAD system with a GOOD system - built specifically to fit the needs of Oklahoma's DOC, would cost less and would be worth MUCH more.

    It won’t happen, and the Oklahoma Department Of Corrections WILL be sued.

    Oh well.

    By the way, George, Daniel and Pat are not a part of our group, and we do not believe that any of them are “anonymously evil”.
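    The "changed the case of ONE LETTER" fix mentioned above (and the upper(zip) joke earlier in the thread) is worth seeing concretely, because SQL engines treat keywords and unquoted identifiers case-insensitively, so a check on one spelling of a token blocks nothing. What follows is an added example for this thread, not code from the page or from the Oklahoma DOC application. It assumes the registry page took a WHERE clause straight from the URL (the page says the URL carried SQL; the exact parameter shape is an assumption), models the "fix" as a substring denylist on the sensitive column name, and contrasts both with a parameterized query in which the user's value can never become SQL text. The table, rows and the INJECTION string are constructed for the example.

```python
import re
import sqlite3

# Constructed sample roster; the SSNs are placeholder values, not real data.
ROSTER_ROWS = [
    ("Doe, John", "73064", "000-00-0001"),
    ("Roe, Jane", "73101", "000-00-0002"),
]

# Hypothetical attacker input: still looks like a zip lookup, but UNIONs the
# sensitive column into the two public result columns.
INJECTION = "zip = '73064' UNION SELECT ssn, name FROM sor_roster"

SSN_SHAPE = re.compile(r"\d{3}-\d{2}-\d{4}")


def make_db():
    """In-memory SQLite stand-in for the registry database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sor_roster (name TEXT, zip TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO sor_roster VALUES (?, ?, ?)", ROSTER_ROWS)
    return conn


def roster_unsafe(conn, where_clause):
    """Original pattern: the caller's text is spliced into the statement."""
    sql = f"SELECT name, zip FROM sor_roster WHERE {where_clause}"
    return conn.execute(sql).fetchall()


def roster_denylist(conn, where_clause):
    """A 'fix' that rejects one spelling of the sensitive column name."""
    if "ssn" in where_clause:
        raise ValueError("forbidden column referenced")
    return roster_unsafe(conn, where_clause)


def roster_parameterized(conn, zip_code):
    """Real fix: the SQL text is constant and the value is bound as data."""
    sql = "SELECT name, zip FROM sor_roster WHERE zip = ?"
    return conn.execute(sql, (zip_code,)).fetchall()


def leaked_ssns(rows):
    """Collect every SSN-shaped value that made it into a result row."""
    return {v for row in rows for v in row if SSN_SHAPE.fullmatch(str(v))}


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", leaked_ssns(roster_unsafe(db, INJECTION)))
    try:
        roster_denylist(db, INJECTION)
    except ValueError as exc:
        print("denylist, lower case:", exc)
    # Identifiers are case-insensitive, so the same query with SSN in upper
    # case passes the denylist and returns the same rows.
    bypass = INJECTION.replace("ssn", "SSN")
    print("denylist, upper case:", leaked_ssns(roster_denylist(db, bypass)))
    print("parameterized, real zip:", roster_parameterized(db, "73064"))
    print("parameterized, injection:", roster_parameterized(db, INJECTION))
```

    The denylist also fails against comments, whitespace tricks and any other column or table the attacker cares to name; the parameterized version does not need to anticipate any of that, because the bound value is compared against the zip column as a literal string and never parsed as SQL. An allowlist on the value (five digits for a zip code) is a reasonable extra layer on top, not a substitute.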

  • anonymously evil's nemesis 2008-04-18 16:50
    @Eugene Jim Ed Justin and others

    I do not believe for one minute that you are the individuals listed, but yet another IT person who wishes to defend his/her department. I would have done the same. The IT department may or may not have been neglected but as an IT group, you are responsible for the hardware and software that comprises the ODOC network. That means auditing everything, whether you created it or not. It's just good quality assurance practice.

    The root of the issue that I think we both can agree on is that the deputy directors and the director need to leave the decision making responsibility of hardware and software to the IT department.

    One other issue that we both agree on is that Phil and Larry had no business saying they could do a better job than OMS. They weren't and still aren't formally trained in software development. From what I saw of what they had started before Larry left and Phil was removed from the project was just horrendous.
  • anonymously evil 2008-04-19 09:02
    You must be too young to have a sense of humor or you would have gotten the joke in their title. I don't want to out them but Darth and Ferris and Frances Lee probably had a hand in that post. Don't try for a move into management until you learn the subtlety of logic. I prefer to have the last word and by guaranteeing that I won't post again I get it. "Toe Pick".
  • James 2008-04-20 17:59
    Isn't there a limit on how much data you can put into the query string? I am not sure if the limit is an HTTP 1.0/1.1 limitation or was a browser limitation, but I thought anything over a certain number of characters would cause problems.

    Still, three years, I'd sue the state if I was in that database, that's what trial lawyers live for.
  • cappicard 2008-04-21 01:12
    This is unbelievable... the sor_roster.sql command is still available! Anyone can still break into the DOC's systems that way! Talk about incompetence!
  • JJ 2008-04-21 20:30
    I did that. When I got to page 30 I got a page from Google saying my query looked like automated software and I had to enter a captcha. Since everything is NATted behind one IP, everyone in the company trying to use Google had to enter a captcha for the next three hours. Whoops.
  • RICHARD BURKES 2008-04-29 16:43
    Anonymous:
    Looks like they need this consultant quick!

    Oklahoma DCS Central Purchasing Division
    Status: Open Bid Number: 1310002506
    Description: Department of Corrections is soliciting proposals from vendors to provide consultant services to assist DOC in determining requirements, direction, and the acquisition of a new offender management system.
    Buyer: Liza Hanke

    Find on http://www.dcs.state.ok.us/Solicitations.nsf, or direct link

  • Anonymous 2008-05-03 13:55
    ..and if you go here http://docapp8.doc.state.ok.us/ you get the Oracle web server welcome page.
  • Let's keep that quiet 2008-05-12 14:18
    I received notification about this breach of security today. Just today. Though the form letter is dated April 18, 2008, it is postmarked 05/09/2008.

    This notification gives the politically correct version of your statement. They are pretty sure a breach happened, that I was included in it and then the definitions and law concerning such an event.

    It never says by whom, for what purpose. Who was negligent, what was to be done about it and how that information was presented at that time.

    You see, I fall into a rather unique category, whereby my crime does NOT fall into the category of requiring you to register as a sex offender. However, the written words on my records appear to indicate that I should, and during the suspended part of my sentence I was actually required to register. After eight months of being registered as a sex offender and fighting the status legally to no avail, I voluntarily returned to serve my remaining time and was released without the registration requirement.

    I have since been arrested by local authorities for failure to register (without incident, but due to a 'sweep' of an area of town I live in), and that charge was dismissed after waiting 54 days in jail for that determination.

    So now I get this vague notice that someone who was not supposed to, got some information that was not supposed to be made public and did what with it I don't know.

    I have had a hard enough time dealing with the public information that is misleading, yet publicly available. I can only imagine what could be taking place with information that was legally supposed to have been protected.
  • ok rso 2008-05-12 16:54
    I am on the Oklahoma registry, and got this in the mail today (May 12) from the Oklahoma DOC:

    ---------------------
    April 18, 2008
    **********NOTICE**********
    According to Oklahoma law, a state agency owning computerized data that contains personal information must inform any Oklahoma resident when there is reasonable basis to believe that such personal information may have been acquired by an unauthorized person. The Oklahoma Department of Corrections has a reasonable basis to believe that your personal information may have been acquired by an unauthorized person on or about April 10, 2008.

    The law defines "breach of the security of the system" as unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the state agency, board, commission or other unit or subdivision of state government.

    "Personal information" means the first name or first initial and last name of an individual in combination with any one or more of the following data elements: social security number, driver license number, or account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to the financial account of an individual.

    This notice is provided in compliance with 74 O.S. § 3113.1. Please be advised that the agency is working diligently to prevent further security breaches. If you have questions, please go to www.doc.state.ok.us and access the appropriate link.

    ---------------------

    They're "working diligently" to prevent further security breaches... gee, I feel safer already :rolleyes:
  • matthew Brandolino 2008-05-29 20:05
    My name is Matthew Tang Brandolino and I'm very supportive of new SSN codes. Please respond back.
  • matthew Brandolino 2008-05-29 20:07
    My name is Matthew Brandolino and I'm very hard to relax, so please respond back to me. Thanks, Matthew.
  • Vanessa 2008-08-10 04:37
    It is shocking to hear this news. What are the steps being taken to stop this act? Is there any agency which fights against the cause?
    ----------------
    Vanessa

    Oklahoma Treatment Centers
  • Vanessa 2008-08-10 04:39
    This is shocking news. Is there any agency which fights against this practice?
    -------------------
    Vanessa

    Oklahoma Treatment Centers
  • OBloodyhell 2008-09-18 15:01
    > The I.T. staff at Oklahoma DOC are not the villains here. The fault lies with Directors and Deputy Directors.....

    It's the government. Of COURSE that's where the fault lies.

    Little guys screw up. Managers point fingers. Government managers never point at each other.

    NASA blows up a billion and a half dollars. Does anyone high up lose their jobs? Is a bear Catholic?

    AIG screws up. CEO steps down.
    Now find me an example where a government agency screwed up, and the director stepped down. No, Fannie Mae is not a government agency, it's like the Post Office.
  • VS 2008-09-22 21:37
    Ha, that is nothing compared to this: http://hep.fi.infn.it/LHCb/fichambers/utiquery.php
  • Ohan 2009-04-19 09:10
    They should use encryption tools like http://www.discryptor.net/ or any other and there will not be a problem..
  • kmdk 2009-07-06 16:52
    page 29 chastises their inadequate IT resources as well.
  • Mark G 2010-01-05 18:48
    ... Back in '99 through approx. 2006 you used to be able to sign into their site, after you downloaded their client program, with the simple username and password of "test" / "test" ... and could access/add/change inmate records... think about THAT ....
  • Mark G 2010-01-05 18:51
    yes... use password and username "test" .. and you have access...
  • Jessica 2010-01-21 01:49
    There are other ways of getting Oklahomans' SSNs through the oscn.net website. It might take a little bit more work than you had to do, but there are still convicted criminals' SSNs available for the public eye to see. All you need is a simple first or last name and to look through their dockets.
  • chubertdev 2013-12-02 19:45
    Schnapple:
    cavemanf16:
    anon:
    and remember many people are in favor of having the government run healthcare. wtf indeed.


    ding ding ding! We have a winner!

    One of my #1 reasons to be scared if Hillary or Obama gets elected.


    Federal Government != State Government. The Federal government delivers all the mail with few problems and collects all the taxes with even fewer. State governments can't pave fucking roads. Besides, several other countries run socialized medicine just fine.

    But nice try Mr. McCain.


    Interesting.