So You Hacked Our Site!?

  • Andrew 2008-02-29 10:07
    Oh I hope he called you on a cell phone, and it was auto dialed. If a computer dials your cell for solicitation reasons, that operator owes you $500.
  • Henrik 2008-02-29 10:09
    I love how you didn't even bother anonymizing it.
  • Kal 2008-02-29 10:13
    Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.
  • jtl 2008-02-29 10:15
    I love that the site is still the same.
  • Chris 2008-02-29 10:18
    These guys called and gave me a similar sales pitch - didn't want to tell the price until after they had my card number. Not a good sign. I wrote it off as just another scam and didn't think any further.

    It seems that even after chastising you for hacking their site, they haven't done anything about it - the same username and password still work. Hurrah for "secure" websites!
  • snoofle 2008-02-29 10:19
    Kal:
    Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.

    Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

    Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.

  • sweavo 2008-02-29 10:24
    snoofle:
    Kal:
    Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.

    Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

    Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.



    All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

    Captcha: appellatio (is that like sucking off a fruit?)
  • Alan 2008-02-29 10:27
    Kal:
    Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.


    Oh well, I hear Cuba is lovely this time of year. Uzbekistan not so much.
  • jtl 2008-02-29 10:32
    Did that guy who cracked the iPhone go to jail?

    No.
  • snoofle 2008-02-29 10:35
    sweavo:
    snoofle:
    Kal:
    Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.

    Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

    Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.



    All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

    Captcha: appellatio (is that like sucking off a fruit?)

    Sadly, you are probably right. However, I personally would be willing to send a donation to help pay Alex's legal bills!
  • RogL 2008-02-29 10:35
    Surprised nobody has commented on the real WTF:

    It doesn't matter that the username/password are in the page source, because the "SECURE" page isn't.

    You don't need the username/password if you have the URL to the page; it opens right up.
  • m 2008-02-29 10:38
    Indeed. In fact, this WTF is like one of those super-interactive alternate reality games, y'know.

    SECURE Federal stuff ftw!
  • Staszek 2008-02-29 10:38
    That is a very frequent scam, just next to "Nigerian Connection" - the one where some Nigerian officials ask you for help transferring huge amounts of money.

    They ask you for a credit card number and fax a document, where you agree not only to pay an insane amount of money for being listed on a sheet of paper in somebody's drawer, but in very tiny letters you also agree to be charged yearly.

    You can decline, of course, by sending a notice to an address that is not valid (surprisingly). Of course, since you cannot deliver the decline notice, they shall charge you next year...

  • gabba 2008-02-29 10:39
    The real WTF is the hopelessly confusing indentation in the javascript.
  • snoofle 2008-02-29 10:40
    RogL:
    Surprised nobody has commented on the real WTF:

    It doesn't matter that the username/password are in the page source, because the "SECURE" page isn't.

    You don't need the username/password if you have the URL to the page; it opens right up.

    True. If you open the page, and click on New York, the first item comes up with:

    From the list below, select the product(s) that you are searching for to obtain information on small businesses located in your selected area

    10.) Weapons <-- first choice


  • bd 2008-02-29 10:41
    FWIW, I've just added their secure page into Google. Maybe those poor sods who shelled out for listing will finally get a call from some prospective client.
  • Lysis 2008-02-29 10:45
    Now THAT'S some l33t h4x0ring!

    Edit: The Page.Title of the "secure" web page even says "SECURE" (caps included). That made me rofl.
  • Jamie 2008-02-29 10:46
    This'll get deleted again as soon as you see it, but you have made yet another mistake:

    "a deluge of companies somehow manage to find to out"

    Do you actually read what you're about to post?
  • bd 2008-02-29 10:48
    Hmm, most of the secret stuff is already in at this moment. Check http://www.google.com/search?q=site%3Aofficers.federalsuppliers.com I don't know whether Google indexes so blazingly fast or if someone else was faster than me. Or perhaps, FSG linked to their secret pages somewhere else on the site... (playing with link: and site: is left as an exercise for the reader).
  • AbbydonKrafts 2008-02-29 10:56
    Awesome. Reminds me of when my mom fell for the Who's Who crap in the early 90s when I was in high school. I'm embarrassed that I'm in it.
  • akatherder 2008-02-29 10:56
    Staszek:
    That is a very frequent scam, just next to "Nigerian Connection" - the one where some Nigerian officials ask you for help transferring huge amounts of money.

    They ask you for a credit card number and fax a document, where you agree not only to pay an insane amount of money for being listed on a sheet of paper in somebody's drawer, but in very tiny letters you also agree to be charged yearly.

    You can decline, of course, by sending a notice to an address that is not valid (surprisingly). Of course, since you cannot deliver the decline notice, they shall charge you next year...



    And don't forget the fine-print also says you agree not to request a charge-back from your credit card company, punishable by a sizable fine paid to the scammer (who has your cc#).
  • John 2008-02-29 10:57
    sweavo:
    snoofle:
    Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

    Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.



    All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

    Captcha: appellatio (is that like sucking off a fruit?)


    The real-world analog of this is like putting a locked door in a park, without any wall or fence attached, not even a landmark.

    The trick here is that the "confidential" site is not protected and is accessible without any need for user validation. You don't even have to use the username and password. Literally you can open it just by opening the URL. I won't be surprised if the page could be found in google cache too.
    There are precedents where companies have left private data in publicly accessible places and this data has been accidentally found by users and copied. One such case is described in the HBO documentary "Hacking Democracy".

    Please notice that the article author doesn't say he has used the password to enter the site, so he is safe.
  • stephane 2008-02-29 11:04
    seems to work, they're hiring!
    http://www.pr.com/job/3441945
  • DeLos 2008-02-29 11:05
    Wow. this is an amazing opportunity. Please give me the Phone number so I can sign up. Government agencies spend A LOT of money!
  • Herohtar 2008-02-29 11:06
    Hah, I just hacked their site too! I am so awesome.
  • Edss 2008-02-29 11:11
    Can someone in the US call their toll free customer support and request a password reset? Then when we "hack" the site again someone else can call.

    These people need as much hassle as we can give them.
  • what's the red star for? 2008-02-29 11:13
    Kal:
    Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.


    He lied... he didn't hack the site. He just did a google search on: site:federalsuppliers.com
    http://www.google.com/search?q=site%3Afederalsuppliers.com&btnG=Search



    (hey... why is there a red star next to the "Your Name" field? There's nothing on this page that says what it means.)
  • Rawr 2008-02-29 11:13
    Haha, I just had to see for myself. Hilarious..
  • Jazz 2008-02-29 11:15
    My new business plan:

    1. Start contacting companies in the directory.
    2. Let them know that you discovered their information on the federal supplier's guide.
    3. Tell them that the security on the site can be easily bypassed.
    4. Explain that this allows lots of people who are not Federal Procurement Peons to see their company's listing.
    5. Explain that this is really good for their exposure and will lead to lots of new business.
    6. Let them know that for the small, nominal fee of $5,000, you will post instructions on how to access the directory all over the web, in order to give them that exposure.
    7. Profit!
  • Whitey 2008-02-29 11:21
    John:
    sweavo:
    snoofle:
    Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

    Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.



    All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

    Captcha: appellatio (is that like sucking off a fruit?)


    The real-world analog of this is like putting a locked door in a park, without any wall or fence attached, not even a landmark.

    The trick here is that the "confidential" site is not protected and is accessible without any need for user validation. You don't even have to use the username and password. Literally you can open it just by opening the URL. I won't be surprised if the page could be found in google cache too.
    There are precedents where companies have left private data in publicly accessible places and this data has been accidentally found by users and copied. One such case is described in the HBO documentary "Hacking Democracy".

    Please notice that the article author doesn't say he has used the password to enter the site, so he is safe.


    To complete the analogy... They put a sticky note next to the doorknob telling you the key is under the mat.

    I think it would be good if the people listed on all those pages were somehow contacted and pointed back to this site. I'm sure most of them are oblivious to the fact that they have been scammed.
  • The Usual Dosage 2008-02-29 11:32
    It's probably already been said, but as of 29 Feb 2008, you can just put http://officers.federalsuppliers.com/agents.html in your browser and skip the "secure login" entirely.

    Security through (weak)obscurity. Genius!
  • jpaull 2008-02-29 11:39
    I found another WTF (at least on IE7). If you start from the home page and click on the "Agents" link, the "Federal Regulations" tab on the menu bar splits into two tabs. It doesn't even split on the whitespace but on the R and E in regulations.

    Nice!
  • real_aardvark 2008-02-29 11:43
    Chris:
    These guys called and gave me a similar sales pitch - didn't want to tell the price until after they had my card number. Not a good sign. I wrote it off as just another scam and didn't think any further.

    It seems that even after chastising you for hacking their site, they haven't done anything about it - the same username and password still work. Hurrah for "secure" websites!
    We'd like to think that these weird "directory" services have been superseded by the intertubes, wouldn't we? Oh well. It'll happen when HR freezes over.

    You're making a few assumptions here, aren't you?

    You're assuming that the salesperp gives a shit and will pass the info on. (Actually, you're even assuming that the salesperp has the slightest idea of what Alex is talking about.) This never happens.

    You're assuming that the boiler-room scam in question has any sort of IT staff whatsoever (down to and not excluding a janitor with basic Front Page skillz). This never happens.

    You're assuming that, in lieu of that, they've employed a smart(ish) fourteen year old, payable in M&Ms and/or porn, to produce this cute little snippet. Well, this probably does happen, and more than we'd care to think. Unfortunately, school vacation is over.

    The alternative is outsourcing, and I await the usual torrent of whines with trepidation. A fix would still be twelve hours away, though. And we'd all like to see it go through QA before being deployed on production, wouldn't we?

  • WhiskeyJack 2008-02-29 11:43
    Whitey:
    To complete the analogy... They put a sticky note next to the doorknob telling you the key is under the mat.


    Actually I think it'd be more like a sign saying "There is no key under the mat that unlocks this door!"
  • DC 2008-02-29 11:47
    Like the fact that you can go straight to the URL too (hidden inside the if), not only are the password and username there for all to see.
  • medialint 2008-02-29 11:53
    DC:
    Like the fact that you can go straight to the URL too (hidden inside the if), not only are the password and username there for all to see.


    That's the first thing I did ...

    http://officers.federalsuppliers.com/agents.html

  • German B. 2008-02-29 11:54
    I would be surprised and utterly disappointed if that crappy site would be considered to be "protected" and if their accusation of hacking would be legally viable. All HTML, CSS and Javascript on the web is visible by definition. Nobody is guilty for peeking at page source. What WTF developers expose to the client, they do at their own risk. This doesn't even qualify as obfuscation. The URL is visible and no authentication whatsoever is required to access its contents. There is only a false security facade. Their claim of SECURITY is a blatant lie and their customers should do something about it. WTF !!!!!!
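    The point German B. makes, that the "login" ran entirely in the browser while the server required no authentication to serve the URL, is easiest to see side by side. The following is an added example, not code from the thread or from the site it discusses; it models the flawed design next to a server-side gate, and every name, credential and path in it is constructed.

```python
# Added example (not from the thread or from the site it discusses): models the
# difference between a "login" that the browser evaluates before navigating to
# a protected URL, with the server checking nothing, and a server-side gate
# where the protected path itself requires a session the server issued.
# All names, credentials and paths below are constructed placeholders.
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

PROTECTED_PATH = "/agents.html"  # constructed stand-in for the "secure" page
STATIC_FILES = {"/index.html", "/login.html", PROTECTED_PATH}


def client_side_gate_serves(path: str) -> bool:
    """Model of the flawed design: the server has no notion of a user at all.

    Whether or not the browser-side password script ever ran, any request for
    a file that exists is served. Crawlers and anyone holding the URL get it.
    """
    return path in STATIC_FILES


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2 so the server stores a verifier, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class ServerSideGate:
    """Hardened design: credentials are verified on the server, and every
    request for the protected path is checked against a session it issued."""

    def __init__(self, username: str, password: str) -> None:
        self._salt = os.urandom(16)
        self._user = username.encode("utf-8")
        self._pw_hash = hash_password(password, self._salt)
        self._sessions: set[str] = set()

    def login(self, username: str, password: str) -> str | None:
        """Return a fresh session token on success, None otherwise.

        Both comparisons are constant-time and both are always evaluated, so a
        wrong username is not distinguishable from a wrong password by timing.
        """
        user_ok = hmac.compare_digest(username.encode("utf-8"), self._user)
        pw_ok = hmac.compare_digest(hash_password(password, self._salt), self._pw_hash)
        if not (user_ok and pw_ok):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions.add(token)
        return token

    def serve(self, path: str, cookies: dict[str, str]) -> tuple[int, str]:
        """Gate the protected path on a valid session; public paths stay open."""
        if path == PROTECTED_PATH and cookies.get("session") not in self._sessions:
            return 401, "login required"
        return 200, f"contents of {path}"


if __name__ == "__main__":
    gate = ServerSideGate("exampleuser", "correct-horse-battery")
    print("flawed server serves protected page to anyone:", client_side_gate_serves(PROTECTED_PATH))
    print("gated server, no session:", gate.serve(PROTECTED_PATH, {}))
    token = gate.login("exampleuser", "correct-horse-battery")
    print("gated server, after login:", gate.serve(PROTECTED_PATH, {"session": token}))
```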
  • Danny V 2008-02-29 11:56
    ROFLMAOSOAOIJNLOL!!!! Ahhh... that site's so secure that nobody accesses it except hackers!
  • Izzy 2008-02-29 11:56
    The Usual Dosage:
    It's probably already been said, but as of 29 Feb 2008, you can just put http://officers.federalsuppliers.com/agents.html in your browser and skip the "secure login" entirely.

    Security through (weak)obscurity. Genius!


    Yep, it's not even a secure site--no user id, no password, no lock symbol in the IE browser. I'd hate to have spies waltzing in there and stealing a list of vendors. Of course, they could just use Google like everyone else.
  • Yep 2008-02-29 12:03
    Everyone is missing the real WTF.

    That page uses frames.
  • Vempele 2008-02-29 12:06
    gabba:
    The real WTFsecurity is the hopelessly confusing indentation in the javascript.

    And brillant security it is indeed - it confused at least one potential hacker!
  • Redbeard 2008-02-29 12:09
    So, the real WTF is that no government purchasing agent is going to search the web for sales leads. They are going to call the guy they met at some trade show or the guy who has a relationship with the purchasing agent.
  • kyle 2008-02-29 12:11
    The sad part is you needn't add your company to Central Contractor Registration for these calls. I field one or two a month and I'm just a lowly video rental store!
  • sweavo 2008-02-29 12:13
    John:
    sweavo:
    snoofle:
    Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

    Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.



    All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

    Captcha: appellatio (is that like sucking off a fruit?)


    The real-world analog of this is like putting a locked door in a park, without any wall or fence attached, not even a landmark.

    The trick here is that the "confidential" site is not protected and is accessible without any need for user validation. You don't even have to use the username and password. Literally you can open it just by opening the URL. I won't be surprised if the page could be found in google cache too.
    There are precedents where companies have left private data in publicly accessible places and this data has been accidentally found by users and copied. One such case is described in the HBO documentary "Hacking Democracy".

    Please notice that the article author doesn't say he has used the password to enter the site, so he is safe.


    Well, it's hard to have a rational conversation about this since neither of us can be fagged to go and find the wording of the law. But if the law says "thou shalt not circumvent security measures" and someone leaves their door wide open and leaves a post-it on the mat saying "security measure -- do not enter" and you enter, then you're bypassing the security measure.

    The poster does mention opening the source of the page, and displaying the password. So the moron^H^H^H^H^H tabloid press in this country at least would have no problem saying that he "hacked the internet codes" to gain access, and most low-level magistrates wouldn't find it hard to interpret that as a culpable act.

    http://taosecurity.blogspot.com/2008/01/is-jerome-kerviel-hacking.html
  • DMac 2008-02-29 12:17
    I randomly clicked their listings as follows:

    region 6 > california > live animals

    and learned that I could obtain a "far-infrared sauna."

    for all of the times I have visited the zoo I have never encountered one of these. . . Sounds exotic.
  • akatherder 2008-02-29 12:24
    Yep:
    Everyone is missing the real WTF.

    That page uses frames.


    Yes, that makes up for any javascript vulnerabilities because frames securely mediate, by design. Secure multi-mediation is the future of all webbing.
  • Steve 2008-02-29 12:26
    Damn, they just re-secured it by changing the jscript to:


    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="Agent") {
    if (form.pass.value=="fsg2008") {
    location="http://officers.federalsuppliers.com/agents.html"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }
    //-->
    </script>

    That's really unhackable.
  • sweavo 2008-02-29 12:27
    sweavo:

    Well, it's hard to have a rational conversation about this since neither of us can be fagged to go and find the wording of the law.


    In the UK, the Computer Misuse Act is pretty blanket. I just have to do something that's not authorised.

    http://www.england-legislation.hmso.gov.uk/acts/acts1990/ukpga_19900018_en_1#pb1-l1g1

    If Alex decides I'm not authorised to post comments here then I'm already transgressing.
  • Doug 2008-02-29 12:30
    Thanks! These guys called me and I was considering paying them! You really helped out business owners and stuck it to the hucksters with this. Thanks again!
  • SpamBot 2008-02-29 12:30
    sweavo:
    John:
    sweavo:
    snoofle:
    Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

    Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.



    All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

    Captcha: appellatio (is that like sucking off a fruit?)


    The real-world analog of this is like putting a locked door in a park, without any wall or fence attached, not even a landmark.

    The trick here is that the "confidential" site is not protected and is accessible without any need for user validation. You don't even have to use the username and password. Literally you can open it just by opening the URL. I won't be surprised if the page could be found in google cache too.
    There are precedents where companies have left private data in publicly accessible places and this data has been accidentally found by users and copied. One such case is described in the HBO documentary "Hacking Democracy".

    Please notice that the article author doesn't say he has used the password to enter the site, so he is safe.


    Well, it's hard to have a rational conversation about this since neither of us can be fagged to go and find the wording of the law. But if the law says "thou shalt not circumvent security measures" and someone leaves their door wide open and leaves a post-it on the mat saying "security measure -- do not enter" and you enter, then you're bypassing the security measure.

    The poster does mention opening the source of the page, and displaying the password. So the moron^H^H^H^H^H tabloid press in this country at least would have no problem saying that he "hacked the internet codes" to gain access, and most low-level magistrates wouldn't find it hard to interpret that as a culpable act.

    http://taosecurity.blogspot.com/2008/01/is-jerome-kerviel-hacking.html

    Yes I think that in the case of burglary there is no requirement for any 'break-in', simply entering, and I'm not even sure if it's necessary to have the intention of taking anything away (exact definitions vary by country, btw).
    Of course, that doesn't mean that 'hacking' would be the same, and I certainly don't think that this particular instance should be a crime anyway (so what: we can order 'Food Preparation Equipment' from the same suppliers? wow). But I see your point.
  • Greg 2008-02-29 12:31
    It seems that they already changed their "secure" username and password. Too bad it is still stored in the page source!
  • mauhiz 2008-02-29 12:32
    They changed their login/pw since the article. But not the method. The guy writing that JS has to be the dumbest dumbass ever...
  • mister 2008-02-29 12:34
    Something interesting: google for "This Script allows people to enter by using a form that asks for a"
  • sageman 2008-02-29 12:39
    Looks like they caught on and fixed their site... well.... Sort OF... they changed the credentials.

    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="Agent") {
    if (form.pass.value=="fsg2008") {
    location="http://officers.federalsuppliers.com/agents.html"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }
    //-->
    </script>
  • jtl 2008-02-29 12:46
    Steve:
    Damn, they just re-secured it by changing the jscript to:


    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="Agent") {
    if (form.pass.value=="fsg2008") {
    location="http://officers.federalsuppliers.com/agents.html"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }
    //-->
    </script>

    That's really unhackable.


    lol, they did it again!
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="buyers") {
    if (form.pass.value=="gov1996") {
    location="http://officers.federalsuppliers.com/agents.html"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }
    //-->
  • Rob 2008-02-29 12:48
    I would have bet $100 that this company lists their address in Florida since so many scam companies do. Yes, they are located in Palm Harbor. WTF is the problem with Florida having so many scam operators?
  • Kederaji 2008-02-29 12:51
    TRWTF is on http://www.federalsuppliers.com/federal.html.

    PAPERLESS PROCUREMENT!


  • GalacticCowboy 2008-02-29 12:51
    Rob:
    I would have bet $100 that this company lists their address in Florida since so many scam companies do. Yes, they are located in Palm Harbor. WTF is the problem with Florida having so many scam operators?


    WHOIS indicates that they're somehow related to a publishing company that is also based in FL.

    WHOIS
  • jtl 2008-02-29 12:51
    mister:
    Something interesting: google for "This Script allows people to enter by using a form that asks for a"


    lololol
    http://www.dynamicdrive.com/forums/archive/index.php/t-9560.html

    He got the code from a forum. Here's an excerpt:

    MuffinMan
    05-12-2006, 06:03 PM
    If you're looking for a real simple login page, here's some code that I use on our internal website all the time. Change the yourusername, yourpassword, and the www.theurlyouwantogoto.com variables to suit your own code. I hope it will help you.


    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="yourusername") {
    if (form.pass.value=="yourpassword") {
    location="http://www.theurlyouwanttogoto.com"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }
    //-->
    </script>
    ...

    elliot
    05-12-2006, 08:43 PM
    Many thanks MuffinMan, I've gone and added that in place which will do nicely
    http://www.bhbgroup.co.uk/client.html

    It doesn't need to be overly secure only holding a form on the other side for clients to submit orders. They'll need a product code via email to use on the order form so this is more than adequate.

    cheers mate!
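    jtl's find shows this was a copy-pasted template, so the same pattern is likely sitting in other sites' pages. As an added example (not code from the thread, from the forum post it quotes, or from the site), here is a check a site owner can run over their own HTML to flag inline scripts that compare form fields to string literals and then redirect to a fixed URL; the sample page, its credentials and its URL are all constructed placeholders.

```python
# Added example (not from the thread, the quoted forum post, or the site):
# a self-check a site owner can run over their own HTML to flag the
# copy-pasted client-side "login" template, where an inline script compares
# form fields to literals and then sets location to the protected URL.
# The sample page below is constructed; its credentials and URL are placeholders.
import re

# Inline <script> bodies. A regex suffices for this plain inline template;
# a production scanner would use a real HTML parser instead.
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# <obj>.<field>.value == "<literal>"  (either quote style, == or ===)
FIELD_LITERAL = re.compile(r"""\b(\w+)\.(\w+)\.value\s*={2,3}\s*(['"])(.*?)\3""")
# location = "<url>"  or  location.href = "<url>"
REDIRECT = re.compile(r"""\blocation(?:\.href)?\s*=\s*(['"])(.*?)\1""")


def find_client_side_logins(html: str) -> list:
    """Return one finding per inline script that both compares form fields to
    literals and redirects to a fixed URL. In that combination the credentials
    and the "secret" destination are both readable by anyone viewing the source,
    and the destination is served without any server-side check."""
    findings = []
    for body in SCRIPT_BODY.findall(html):
        fields = {name: literal for _obj, name, _q, literal in FIELD_LITERAL.findall(body)}
        targets = [url for _q, url in REDIRECT.findall(body)]
        if fields and targets:
            findings.append({"fields": fields, "targets": targets})
    return findings


# Constructed sample mirroring the template's shape with placeholder values.
SAMPLE_PAGE = """<html><head>
<script language="javascript">
<!--//
function pasuser(form) {
if (form.id.value=="exampleuser") {
if (form.pass.value=="examplepass") {
location="https://protected.example/members.html"
} else { alert("Invalid Password") }
} else { alert("Invalid UserID") }
}
//-->
</script>
</head><body>
<form><input name="id"><input name="pass">
<input type="button" value="Login" onclick="pasuser(this.form)"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in find_client_side_logins(SAMPLE_PAGE):
        print("client-side login found; credentials and target are in page source:", finding)
```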
  • savar 2008-02-29 12:53
    The really scary part is that anybody who wasn't technically savvy could easily be pulled into a ludicrous scheme like this.
  • Frameless Joe 2008-02-29 12:53
    The real WTF is the use of frames on the site.
  • Thane 2008-02-29 12:54
    Actually, you can avoid the "hacking" by just going to "http://officers.federalsuppliers.com/agents.html"
  • Richard Sargent 2008-02-29 12:55
    I wonder how the page displays using a web browser like Lynx (I think that is the right name for a text-only browser)?

    I wonder how the page works with screen readers for the visually impaired (they probably do something with the JavaScript, but who knows)?



    [Footnote:
    My captcha code was already in the IE drop list of previously used text strings. How secure is that?!?!]
  • real_aardvark 2008-02-29 12:56
    Rob:
    I would have bet $100 that this company lists their address in Florida since so many scam companies do. Yes, they are located in Palm Harbor. WTF is the problem with Florida having so many scam operators?

    Easy-peasy.

    The companies registered in Delaware have had a hundred years or so to get their shit together. The ones in Florida tend to be unsophisticated morons in a trailer park, with a stand-by ticket to one of Ronnie's favourite hot-spots of democracy, like El Salvador or Panama, or even the Grand Caymans.

    If your scam is going to have a half-life measured in months, then go to Florida. If you reckon it's measured in decades, then register in Delaware.
  • savar 2008-02-29 12:57
    Henrik:
    I love how you didn't even bother anonymizing it.


    Best WTF of the year!

    I just clicked through some listings and found this, quite sad actually:

    Alligator Marine 12/05
    3435 Mangrove Ave
    Norfolk, VA 23502
    Telephone: (757) 455-5123 Fax: (757) 455-5124
    Email: info@alligatormarine.com
    Website: www.alligatormarine.com
    Contact Name: Dennis Richardson
    Description: Service-Disabled Veteran-owned small business. Zodiac preferred professional dealer specializing in military, commercial, and first responder boats.

    Soooo this company stole upwards of $600 from a combat-wounded U.S. soldier...shame on them.

    also, I notice that all the pages were written in Microsoft Word 9...sweet.
  • Noam Samuel 2008-02-29 12:58
    Actually, it isn't even obscurity, since the page's URL is right in the login page's source. So it's security through... um...

    Hm.
  • BEtter 2008-02-29 12:59
    If you have any questions about the state listings, you can just call the person who wrote the Word document that generated the list (View Source for the Frame after choosing a state).

    <head>
    <meta http-equiv=Content-Type content="text/html; charset=us-ascii">
    <meta name=ProgId content=Word.Document>
    <meta name=Generator content="Microsoft Word 11">
    <meta name=Originator content="Microsoft Word 11">
    <link rel=File-List href="newjer_files/filelist.xml">
    <title>newjersey</title>
    <!--[if gte mso 9]><xml>
    <o:DocumentProperties>
    <o:Author>Donna DeBoer</o:Author>
    <o:LastAuthor>FSG</o:LastAuthor>
    <o:Revision>58</o:Revision>
    <o:TotalTime>29</o:TotalTime>
    <o:Created>2001-01-17T19:20:00Z</o:Created>
    <o:LastSaved>2008-01-21T14:10:00Z</o:LastSaved>
    <o:Pages>1</o:Pages>
    <o:Words>907</o:Words>
    <o:Characters>5173</o:Characters>
    <o:Company>Cybertown Communications Corp.</o:Company>
    <o:Lines>43</o:Lines>
    <o:Paragraphs>12</o:Paragraphs>
    <o:CharactersWithSpaces>6068</o:CharactersWithSpaces>
    <o:Version>11.8132</o:Version>
    </o:DocumentProperties>
  • savar 2008-02-29 12:59
    RogL:
    Surprised nobody has commented on the real WTF:

    It doesn't matter that the username/password are in the page source, because the "SECURE" page isn't.

    You don't need the username/password if you have the URL to the page; it opens right up.


    That was the point of the WTF...did you even read it?
  • jtl 2008-02-29 13:00
    doing some looking about, this script goes back to 2002.

    Here is where I think it originates:

    http://www.javascriptkit.com/script/cut76.shtml
  • Dave 2008-02-29 13:04
    I'm really disappointed that the newsletter on the home page ...

    Suppliers guides offer inside track on contracts
    By Jane Meinhardt – Staff Writer Tampa Business Journal
    (http://www.federalsuppliers.com/newsletter1.pdf)

    doesn't actually exist. Seems like a real nice community all federal suppliers should be a member of!
  • savar 2008-02-29 13:06
    Whitey:
    I think it would be good if the people listed on all those pages were somehow contacted and pointed back to this site. I'm sure most of them are oblivious to the fact that they have been scammed.


    An e-mail scraper that sends a form message telling people to come to this thread?
  • Henk Poley 2008-02-29 13:06
    Too bad the page it points to is offline
  • Adam 2008-02-29 13:09
    Hah. I'm going to start trying this on more sites. Surely there isn't more of these sites around...
  • Fry-kun 2008-02-29 13:12
    Henk Poley:
    Too bad the page it points to is offline


    It was taken offline a few minutes ago, probably in response to all the "hacking" that's been going on.
  • akatherder 2008-02-29 13:14
    A change as simple as this would make it infinitely more secure. At least neither the password or "secured" page are available by looking at the source.

    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="Agent") {
    // the password is never compared here: it becomes the path of the protected page
    location="http://officers.federalsuppliers.com/"+form.pass.value
    } else { alert("Invalid UserID")
    }
    }
    //-->
    </script>
  • Matt 2008-02-29 13:14
    Damn, 404, now that really is secure!!
  • snoofle 2008-02-29 13:17
    I'm really bored, so I just clicked through to ALL the states - all the pages are not found, except the one from NY.
  • Jay 2008-02-29 13:17
    German B.:
    I would be surprised and utterly disappointed if that crappy site would be considered to be "protected" and if their accusation of hacking would be legally viable. ...


    Years ago Congress proposed some law to make it a felony to use an electronic device to eavesdrop on cell phone conversations. I don't know if it ever passed, but I read a very entertaining editorial on it where the writer pointed out that cell phone transmissions were unencrypted radio signals (maybe with digital phones today that's no longer true, I don't know) that could be easily intercepted by anyone with the technical expertise to modify a radio to the appropriate frequencies. So, he said, a law banning eavesdropping would be about as effective as a law saying that page 18 of the New York Times is now reserved for private messages and no one is allowed to read that page unless they are notified that there is a message for them.

    Much the same could be said for many lame security efforts.

    Back when I worked for the military there was one site I had to access that required a password, only given out after you passed a security check ... but every page other than the login page could be reached by simply entering the URL into the browser. I bookmarked several useful pages.

    And hey, don't laugh about the analogy of a gate with no fence. At a former job the big boss's office had a partition in the middle to separate his work area from the secretary's. The partition was several feet short of the walls on either side and well short of the ceiling. In the middle of the partition was a door. And every night the secretary carefully locked this door.
  • hehe 2008-02-29 13:18
    All you IPs belonging to me
  • Henry Miller 2008-02-29 13:18
    Really the poster should have contacted a lawyer first. Someone who specializes in class action lawsuits would love to investigate this scam, and is sure to find some i that isn't dotted that he can turn into a pile of money. The submitter gets a few pennies for his finder's fee, and the knowledge that he helped save the world from one more scam.
  • bramster 2008-02-29 13:22
    Rob:
    I would have bet $100 that this company lists their address in Florida since most so many scam companies do. Yes, they are located in Palm Harbor. WTF is the problem with Florida having so many scam operators?



    You need a spot to hang the chad
  • Nick 2008-02-29 13:24
    The last thing we need is more lawyers!!
  • Observer 2008-02-29 13:27
    Steve, you just made my day!

    Great addition to a very funny WTF.
  • JM 2008-02-29 13:27
    And now the page isn't even available :(
  • Smash 2008-02-29 13:28
    Noam Samuel:
    Actually, it isn't even obscurity, since the page's URL is right in the login page's source. So it's security through...

    ... wishful thinking "Our users won't try and see the source code"?
  • ObiWayneKenobi 2008-02-29 13:31
    Rob:
    I would have bet $100 that this company lists their address in Florida since most so many scam companies do. Yes, they are located in Palm Harbor. WTF is the problem with Florida having so many scam operators?


    Hmm... I live near Palm Harbor (like, within 20 minutes). Mayhaps it's time to offer my services as an "expert security consultant" to these people?

    Addendum (2008-02-29 13:40):
    But then again, if they're so stupid/cheap as to not be able to hire a real developer (or anyone with half a brain, evidently), then I doubt they could afford my consulting rate.
  • operagost 2008-02-29 13:39
    Herohtar:
    Hah, I just hacked their site too! I am so awesome.

    pls send teh codez
  • campkev 2008-02-29 13:39
    Fry-kun:
    Henk Poley:
    Too bad the page it points to is offline


    It was taken offline a few minutes ago, probably in response to all the "hacking" that's been going on.


    that's even better, now anybody actually logging in, if they exist, gets directed to 404 Not Found.
  • Yep 2008-02-29 13:41
    They're back online!

    Excellent new security measure.. they've changed the USERNAME!

    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="Agent") {
    if (form.pass.value=="fsg2008") {
    location="http://officers.federalsuppliers.com/agents.html"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }
    //-->
    </script>
  • FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT 2008-02-29 13:44
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government work and also help federal buyers locate qualified small businesses to do business with. if you're not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.
  • Justin 2008-02-29 13:46
    From what I see you do not even need to "login" as you can just go to the link. Obviously in apache you could configure some restrictions on the access to the files but from their use of javascript I'm sure they do not have someone who knows how apache works other than the fact that there is a web root folder.
  • Lucy 2008-02-29 13:46
    As an employee of the company, I was just made aware of your site. Our company is legitimate and we're not a scam. The fact that our site security is weak is something we are addressing. We are staffed with good people, we offer a great service, and you are trying to ruin our reputation. You are crossing legal lines.

    I am asking you to stop your actions immediately.
  • ObiWayneKenobi 2008-02-29 13:49
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government work and also help federal buyers locate qualified small businesses to do business with. if you're not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    Would you folks be in the market for consulting services? Your site is not secure by any means, you don't want to be open to hackers, do you? I doubt you would want to lose business and customers to a competitor. For a nominal fee, I could develop a REAL website with security and the like that would actually help increase your business.
  • blunden 2008-02-29 13:50
    Still 404 though. :(
  • Tyr 2008-02-29 13:51
    *heheh* Now the document is no longer found on their site. They've taken it down. However, the code is still the same:

    "<script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="Agent") {
    if (form.pass.value=="fsg2008") {
    location="http://officers.federalsuppliers.com/agents.html"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }
    //-->
    </script>"

    And this is the response if you put in this login:


    "Not Found
    The requested document was not found on this server.

    Web Server at federalsuppliers.com "
  • Mike626 2008-02-29 13:51
    They decided to take down the agents.html file. That's pretty secure.
  • Alex 2008-02-29 13:52
    It's a pity the page has been taken down. It would have been a marketing jewel.

    ¿Do you have any silly product to sell? Start calling the people listed there, and you'll be amazed at the results.
  • Smash 2008-02-29 13:53
    Not being American, I may be wrong but AFAIK if this company had any government endorsement it should be in a .gov domain.

    Then if I am right TRWTF are people trusting the scammer is government related just because he says so, and his website appears to be (it is even USflag themed). Of course, there are other measures to ensure you're not being fooled but this is a start
  • Z 2008-02-29 13:58
    Umm, not taken offline, just changed.

    http://www.federalsuppliers.com/warning.html
  • elias 2008-02-29 13:58
    Smash:
    Not being American, I may be wrong but AFAIK if this company had any government endorsement it should be in a .gov domain.

    Then if I am right TRWTF are people trusting the scammer is government related just because he says so, and his website appears to be (it is even USflag themed). Of course, there are other measures to ensure you're not being fooled but this is a start

    .gov domains are reserved for sites which are for actual government entities. Government contractors do not get .gov domains.

    See http://en.wikipedia.org/wiki/.gov
  • Anonymous 2008-02-29 14:00
    So, their site is hilarious. On http://www.federalsuppliers.com/company.html they claim at the same time:
    "Federal Suppliers Guide is a small business..."
    and
    "We are the oldest and largest publishing company in
    this industry!"

    So, they're small when they want to claim to understand small businesses. But they're huge when they're claiming credibility.
  • Yep 2008-02-29 14:00
    zzzzzz
    fffxxx

    Rofl
  • Rev. Spaminator 2008-02-29 14:01
    For some reason I imagine the sales rep has the voice of Phil Hartman.
  • dpm 2008-02-29 14:03
    Lucy:
    As an employee of the company, I was just made aware of your site. Our company is legitimate and we're not a scam. The fact that our site security is weak is something we are addressing. We are staffed with good people, we offer a great service, and you are trying to ruin our reputation. You are crossing legal lines.

    I am asking you to stop your actions immediately.


    Μολὼν Λαβέ.
  • dpm 2008-02-29 14:05
    Rev. Spaminator:
    For some reason I imagine the sales rep has the voice of Phil Hartman.


    I'm hearing Gil Gunderson (the hapless salesman) . . . "Well, if you, well ... really? Wow, Hot, hot dog! A sale!"
  • Changed again 2008-02-29 14:07
    zzzzzz

    fffxxx

    But when you log in it gives a 404. Haha.

    Wonder if the person who built the site got the work from the guide? Probably was the company she mentioned and they probably charged the 500,000 for the security too...
  • Benanov 2008-02-29 14:08
    Lucy:
    As an employee of the company, I was just made aware of your site. Our company is legitimate and we're not a scam. The fact that our site security is weak is something we are addressing. We are staffed with good people, we offer a great service, and you are trying to ruin our reputation. You are crossing legal lines.

    I am asking you to stop your actions immediately.


    Anyone can say anything on the internet. Can you prove that what you say is true?

    Responding on the forums is one of the least effective ways to get your message to the site operators.

    --BK
  • Yep 2008-02-29 14:09
    Lucy:
    As an employee of the company, I was just made aware of your site. Our company is legitimate and we're not a scam. The fact that our site security is weak is something we are addressing. We are staffed with good people, we offer a great service, and you are trying to ruin our reputation. You are crossing legal lines.

    I am asking you to stop your actions immediately.


    Lucy,

    Having a community of programmers like this one discover a vulnerability in your site is actually a good thing. Most of these people are non-malicious and are actually professionals in the field. Take this opportunity to fix a huge security problem and use the services of one of the many capable coders available here.

    The people on this forum are entitled to their opinion about your business as well as your website's security. That's what this site is about; poking fun at IT problems throughout the industry. The entity that is your company should not take this personally, and proceed to use this as free advice that your site lacks any security measure and that you should hire someone new immediately to solve the problem.
  • Sys 2008-02-29 14:09
    Just changed again...

    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="zzzzzz") {
    if (form.pass.value=="fffxxx") {
    location="http://officers.federalsuppliers.com/agents.html"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }
    //-->
    </script>

    Somebody should tell them that changing the password will not help as long as the password is written there...
  • Michael 2008-02-29 14:12
    I have NEVER posted on this site ever, despite reading it for more than a year. But I just can't let this slide.

    It may be because this is the first not-anonymous-company post ever. But this is the FUNNIEST thing I have ever seen! For obvious reasons, I hope this de-evolves into a flame war. Wouldn't that be great? Looking forward to the responses on this one.
  • Ares 2008-02-29 14:14
    LOL wow... report him to the authorities for what? Viewing the source code to a website? Cause, um, hate to break it to you, but that's not illegal. :-P
  • Neil 2008-02-29 14:14
    D'you think we could get it indexed by Google?
  • Nick 2008-02-29 14:15
    Just a tip - if you paid a professional consulting company to put this together for you, fire 'em.

    If you put it together yourself, it's time to grow up and have someone who knows what they're doing help you with your site.
  • Troy McClure 2008-02-29 14:15
    Looks like the site is down - they keep changing the passwords, but they took down the main page.

    Seriously Alex this story makes up for all the shit you've taken for changing the name of the site...etc. Well done!
  • Boris 2008-02-29 14:16
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="zzzzzz") {
    if (form.pass.value=="fffxxx") {
    location="http://officers.federalsuppliers.com/agents.html"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }
    //-->
  • nh 2008-02-29 14:17
    wow... you are some bad bad hackers! Shame on you all guys.
  • Matthew 2008-02-29 14:18
    If you and your company are TRULY who you claim to be, then you will be able to naturally rise above this.

    Everything happens for a reason, and your 4 kids may just have to see daddy work a little harder, who knows, maybe you'll lose a little weight too - Now that's American!
  • Thadeous 2008-02-29 14:18
    Sir, that is the most unsecure site in the history of unsecure sites. Hire a developer.
  • smbell 2008-02-29 14:19
    I don't know what's funnier. That they keep changing the password, or that the SECURE page is unprotected anyway.

    Although at this point I almost feel bad for them... almost.
  • Annaleemac 2008-02-29 14:20
    Aren't all you wienies, I mean geeks, just so proud of yourselves? I guess between taking a few tokes you have nothing better to do than slam people trying to actually work for a living. While you have all day to sit around in your underwear trying to prove your superiority breaking into what amounts to other people's houses, (albeit, online houses) the rest of the world is working. It must be tough for you to justify your lives without vilifying others. I'm sure you don't even try. People who make false statements about others may find themselves at the wrong end of a lawsuit. People in glass houses shouldn't throw stones. But, don't worry, nothing could possibly happen to you. I'm sure no one could find your address. I'm sure you all operate everything in your life on the up and up and can hold up to scrutiny as well. So, just smoke another one and don't you worry about it.
  • spacecadet 2008-02-29 14:20
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better.


    It's true to say that the site wasn't protected to our standards, but also true to say that it wasn't protected to any reasonable standard. The security on that page is of a level that could be broken in moments by a reasonably intelligent 10-year-old; what you've got there is the electronic equivalent of locking the door but leaving a key under the welcome mat.
  • Steve 2008-02-29 14:20
    Lucy:
    As an employee of the company, I was just made aware of your site. Our company is legitimate and we're not a scam. The fact that our site security is weak is something we are addressing. We are staffed with good people, we offer a great service, and you are trying to ruin our reputation. You are crossing legal lines.

    I am asking you to stop your actions immediately.

    Lucy: I suggest you dust off the old resume and start shopping around for a new job.

    Preferably a legitimate one.
  • Casual observer 2008-02-29 14:21
    It's not hacking if you send me a document that requests a User and Password, then provides the User and Password in the very same document.

    This probably isn't the first time a non-member has entered the user name and password you sent them through the web page.
  • A new comic with every refresh. 2008-02-29 14:22
    oh man.

    this entry fucking rocks.

    this is why i read the daily WTF.

    my hats are off to you.
  • It's like this 2008-02-29 14:22
    This is so funny. The way they've been handling this situation today, I actually believe that they are inept enough that a scam does not need to be supposed to explain any of this; they trip my Hanlon's Razor.

    What's even funnier is that this site (the definitive "The Real WTF") decided to ignore their own very wise anonymity policies and possibly exposed themselves to legal retaliation. Best hope they prove to be malicious, stupidity isn't illegal.
  • Another *Perplexed* customer 2008-02-29 14:22
    form.id.value=="zzzzzz"
    form.pass.value=="fffxxx"

    the "agents page is still offline. I guess they are "updating it"
  • SilentBob 2008-02-29 14:23
    Immature? How about you LEARN HOW TO CODE PROPER?!? There is *NO* excuse for this kind of mistake, even a first year student could have told you this was a bad idea. Don't come crying here because you don't know how to secure a webpage.
  • dpm 2008-02-29 14:23
    stephane:
    seems to work, they're hiring!
    http://www.pr.com/job/3441945


    I just wanted to copy the wonderful bits of that page to here, since it will probably disappear soon:

    "Salary Range 7,000 USD per year"

    "GUARANTEED PRE-QUALIFIED LEADS!!"

    "Benefits" [no explanation or details]

    "Potential of earning $65,000-$120,000 ++"

    "Manager assistance is available during entire presentation"

    I can't imagine anyone *not* jumping at this chance . . .
  • Medlir 2008-02-29 14:23
    It's now...

    if (form.id.value=="zzzzzz") {
    if (form.pass.value=="fffxxx") {

    I like how even though the page is 404 now, the username and password keep changing as if *that* was the really unsecure part.
  • government salesman 2008-02-29 14:24
    Having worked for a small business that DID government sales I know a) image and talk is EVERYTHING and b) that shit is NOT hard. I signed up with Dun and Bradstreet and several local states. I was 18 at the time. Any monkey that passed grade school could do your job. I'm willing to put you into that category, although capitalization and a basic understanding of how computer security works would put you into the "monkeys that graduated high school" category. Our "technical knowledge" here isn't impressive; you should understand plaintext vs encryption before using ANY kind of online banking or else you're being an irresponsible user.
  • SB 2008-02-29 14:24
    Now I know with whom I shall not do business in the future. Thanks TDWTF! This is exactly why every post that mentions WTFs should list the company's name. So the consumers and business owners out here in the real world know which businesses display really, really bad business practices.

    Why would I want my credit card number to go into the hands of a company like this?

    Stop anonymizing companies in future posts, TDWTF. Please.
  • <myName>Nunya Bidness</myName> 2008-02-29 14:25
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government work and also help federal buyers locate qualified small businesses to do business with. if you're not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    Nobody accused you of scamming anyone. I think the inference is that you are selling something of very little value for waaaaayyy too much money. No one gives a sh!t how long you and your wife have worked there or how proud you are. That doesn't mean diddly when attempting to establish the value proposition of your offering. Perhaps you could make available the average ROI for advertising $ invested with your company by your clients. That would make a compelling case (in either direction).

    Oh yeah, and your idea of computer security is a joke. That's what you get for buying a developer on price instead of on value, d!ckhead.
  • JaredR26 2008-02-29 14:25
    I hereby nominate this wtf for legendary status.
  • Welshy 2008-02-29 14:25
    Yeah, get on with shooting the messenger while your dodgy little business slides down the pan. Unbelievable.
  • Nuked 2008-02-29 14:25
    So is he still eligible?

    btw, if he did call your 'customers' that haven't heard anything back: so fucking what? I would have tried to find some references on it too.
  • Gw 2008-02-29 14:25
    Share your name so we can all know what companies to avoid that do little to nothing for their own security.
  • fert 2008-02-29 14:26
    Annaleemac:
    Aren't all you wienies, I mean geeks, just so proud of yourselves? I guess between taking a few tokes you have nothing better to do than slam people trying to actually work for a living. While you have all day to sit around in your underwear trying to prove your superiority breaking into what amounts to other people's houses, (albeit, online houses) the rest of the world is working. It must be tough for you to justify your lives without vilifying others. I'm sure you don't even try. People who make false statements about others may find themselves at the wrong end of a lawsuit. People in glass houses shouldn't throw stones. But, don't worry, nothing could possibly happen to you. I'm sure no one could find your address. I'm sure you all operate everything in your life on the up and up and can hold up to scrutiny as well. So, just smoke another one and don't you worry about it.


    what can you even say to someone as ignorant as this?

    Hello, if you read all the comments there are people trying to help you!
  • Heather 2008-02-29 14:26
    LMFAO - that's awesome.
  • sorakiu 2008-02-29 14:26
    I think this is really crappy. This website in the past has changed names and not provided real URLs to a company. Maybe you don't like this guy's business, but I think it is inexcusable to post exploits to another website. Shame on daily wtf.
  • $500,000? 2008-02-29 14:26
    STFU
  • None 2008-02-29 14:27
    Annaleemac:
    Aren't all you wienies, I mean geeks, just so proud of yourselves? I guess between taking a few tokes you have nothing better to do than slam people trying to actually work for a living. While you have all day to sit around in your underwear trying to prove your superiority breaking into what amounts to other people's houses, (albeit, online houses) the rest of the world is working. It must be tough for you to justify your lives without vilifying others. I'm sure you don't even try. People who make false statements about others may find themselves at the wrong end of a lawsuit. People in glass houses shouldn't throw stones. But, don't worry, nothing could possibly happen to you. I'm sure no one could find your address. I'm sure you all operate everything in your life on the up and up and can hold up to scrutiny as well. So, just smoke another one and don't you worry about it.


    Seriously the best WTF ever. They really don't understand.
  • Federal Catalog Scam 2008-02-29 14:27
    This is a joke right? This perceived security is analogous with leaving the keys in the lock of your front door, but throwing a plastic bag over the keys and calling it secure.

    You reap what you sow, and your reputation is what it is... this post changes nothing
  • Thadeous 2008-02-29 14:28
    Dude, he just got some expensive consulting for free. He should be elated.
  • this webcomic is a wtf 2008-02-29 14:28
    Fry-kun:
    Henk Poley:
    Too bad the page it points to if offline


    It was taken offline a few minutes ago, probably in response to all the "hacking" that's been going on.


    you aren't a very good customer then!

    using:

    http://www.google.com/search?q=site%3Aofficers.federalsuppliers.com&hl=en

    I could use Google's cached entries and browse their fine merchandise at my leisure.
  • Troy McClure 2008-02-29 14:29
    Federal Catalog Scam:
    This is a joke right? This perceived security is analogous with leaving the keys in the lock of your front door, but throwing a plastic bag over the keys and calling it secure.

    You reap what you sow, and your reputation is what it is... this post changes nothing


    I was thinking putting the key under the mat and locking the door, but putting a sign on the door telling everyone the key is under the mat. And then being surprised when someone breaks in.
  • Thadeous 2008-02-29 14:30
    Troy McClure:
    Federal Catalog Scam:
    This is a joke right? This perceived security is analogous with leaving the keys in the lock of your front door, but throwing a plastic bag over the keys and calling it secure.

    You reap what you sow, and your reputation is what it is... this post changes nothing


    I was thinking putting the key under the mat and locking the door, but putting a sign on the door telling everyone the key is under the mat. And then being surprised when someone breaks in.


    Whoops, forgot the robots.txt file.
  • Nether 2008-02-29 14:30
    Wow, this just wouldn't be half so funny if not for their sad attempts at "security" by changing the password in plain sight over and over, and the unbelievably naive and simple-minded comments from supposed employees of the company. Now I'm hooked.
  • Horton Hears a FAIL 2008-02-29 14:30
    Good news!!!!

    You may be eligible for support to fix your horrible coding.....Wow! really good news....For only $1500 I can fix that for you....Whaddaya say?


    702-229-3111
  • Troy McClure 2008-02-29 14:30
    sorakiu:
    I think this is really crappy. This website in the past has changed names and not provided real URLs to a company. Maybe you don't like this guy's business, but I think it is inexcusable to post exploits to another website. Shame on daily wtf.


    You think it's bad to expose an obvious scam? Shame on this catalog more like it. They're charging for a service (a LOT of money) so they are to blame.

    FUCK YOU.
  • blubberfest 2008-02-29 14:30
    Then why don't you provide us with some links proving the veracity of your statements? Maybe something believable? That would be grand, thanks.
  • government salesman 2008-02-29 14:34
    Annaleemac:
    Aren't all you wienies, I mean geeks, just so proud of yourselves? I guess between taking a few tokes you have nothing better to do than slam people trying to actually work for a living. While you have all day to sit around in your underwear trying to prove your superiority breaking into what amounts to other people's houses, (albeit, online houses) the rest of the world is working. It must be tough for you to justify your lives without vilifying others. I'm sure you don't even try. People who make false statements about others may find themselves at the wrong end of a lawsuit. People in glass houses shouldn't throw stones. But, don't worry, nothing could possibly happen to you. I'm sure no one could find your address. I'm sure you all operate everything in your life on the up and up and can hold up to scrutiny as well. So, just smoke another one and don't you worry about it.


    1) Yes, we are all geeks and proud of it. So?
    2) In between tokes, many of us work successful jobs in IT, computer programming, system engineering, phone networks and other tech markets. In the 80s, hackers may have been stoned college students, but now they're integral members of Fortune 500 companies.
    3) Sticking with your house analogy, this guy came to a house and noticed the key under the doormat (conveniently made out of glass to match everything else.) He then informed the homeowner that their security may be inadequate.
    4) Legality. I'm pretty sure your home insurance only covers forced entry, so if you leave your doors hanging open, you're shit out of luck. I could have "hacked" that site when I was 11, just like an 11 year old can rob a house if you go out of town for Christmas and leave your garage door open.
  • Lucy 2008-02-29 14:34
    So you guys make fun of the site's security. But you couldn't leave it at that. You left your programming world and entered into slandering the business.

    You make mention of contacting the customers and class action lawsuits. Shame on you!
  • RK 2008-02-29 14:35
    Right now, I'm at work, making an honest living by doing what whoever wrote that login couldn't. As someone mentioned above, many of us who visit this site are indeed professionals in the field. Please take the time to actually read what we "hackers" are telling you people, and hire someone half competent to fix your little problem. While you may or may not be a scam (though personally I think you guys are), you should probably focus on fixing the problem on your end rather than come here and dish out empty threats.
  • Cam 2008-02-29 14:35
    Annaleemac:
    Aren't all you wienies, I mean geeks, just so proud of yourselves? I guess between taking a few tokes you have nothing better to do than slam people trying to actually work for a living.


    Take it from a hard-working, decently-paid, stone-cold-sober software developer for one large and very-well-known company... this shit is frickin' hilarious.

    Well done Alex - I've been waiting for a good old-fashioned belly laugh from TDWTF for quite a while.
  • jb 2008-02-29 14:35
    Don't forget, the internet is Serious Business.
  • dpm 2008-02-29 14:36
    sorakiu:
    I think it is inexcusable to post exploits to another website.


    I think so too.

    Fortunately that didn't happen in this case, since no informed person on the planet would consider selecting _View Source_ off of the browser's menu to be an "exploit".
  • Nuked 2008-02-29 14:37
    My god woman, get a clue already. You have a hole. A giant one. There isn't even a front door at this point: someone drove an SUV through that shit when they got paid to create this website. If anything, I'd be talking to the people you guys paid to create your website, not us.

    FOR THE WIIIN

    Professional Security Services Inc 05/07 4276 North 900 East Buhl ...
    Professional Security Services Inc 05/07 4276 North 900 East Buhl, ID 83316 Telephone: (208) 543-2803 Fax: (208) 543-2803 Email: getaguard@aol.com ...
    officers.federalsuppliers.com/s/s_id.htm - 5k - Cached - Similar pages - Note this is from GOOGLE.
  • this webcomic is a wtf 2008-02-29 14:37
    Yep:
    zzzzzz
    fffxxx

    Rofl


    HOW DID THEY GET MY PASSWORD?
  • Fernando 2008-02-29 14:39
    Dear Sir,
    You should be grateful!! really! you just hit reddit front page, put some google ads and make some money.
  • Steve 2008-02-29 14:40
    Googling for "Federal Suppliers Guide" shows some fairly mixed reviews.

    Apparently FSG is a "subsidy publisher" (aka "vanity publisher"), among other things

    http://www.macraesbluebook.com/search/company.cfm?company=535243

    out of New Port Richey, Florida.

    Some of the comments on various boards I sampled indicate positive results but given that the comments are anonymous, who can tell?
  • sorakiu 2008-02-29 14:42
    You're missing the point. This website (dailywtf) has, in the past, changed names (usually the submitter and who they work for) in order to differentiate themselves from a script kiddy website. From the story above, it was not obvious to me that they were scammers. It seems to me that they perhaps don't offer a particularly useful service and it is overpriced, but this isn't like a Nigerian 419 scam. My whole point is in the past, dailywtf has preserved anonymity of the parties involved. I know that hasn't stopped some enterprising googlers from figuring it out on their own.

    So what is it now, we only anonymize if we like you? If you're not an idiot?

    I read this website b/c I enjoy stories about mistakes people have made...not because I want to join a gang of internet thugs.

    When you cross the line from posting stories about failures in software development to pointing your readers at exploitable websites (no matter how easily), in my mind, you've moved from being a journalistic site to a gang of vigilantes and thugs.

    If you disagree with me, that's fine...but don't delude yourself w/ some righteous argument about the security of client-side javascript.

    -dave
  • L. Ron Paultard 2008-02-29 14:42
    Aren't all you wienies, I mean geeks, just so proud of yourselves? I guess between taking a few tokes you have nothing better to do than slam people trying to actually work for a living. While you have all day to sit around in your underwear trying to prove your superiority breaking into what amounts to other people's houses, (albeit, online houses) the rest of the world is working. It must be tough for you to justify your lives without vilifying others. I'm sure you don't even try. People who make false statements about others may find themselves at the wrong end of a lawsuit. People in glass houses shouldn't throw stones. But, don't worry, nothing could possibly happen to you. I'm sure no one could find your address. I'm sure you all operate everything in your life on the up and up and can hold up to scrutiny as well. So, just smoke another one and don't you worry about it.

    The business is located in Palm Harbor, FL. That's 11 miles from Scientology HQ, Clearwater, FL. The above comments are textbook examples of a Scientologist "debate" technique called Bullbaiting.

    I guarantee half of this company's employees are Scientologists.
  • amused 2008-02-29 14:42
    Jeeze... this response looks like it was written by a 5 year old. Ever heard of capitalization or punctuation? And you have FOUR kids???? Gawd help them if they are as ignorant as you are.
  • lawl 2008-02-29 14:42
    Great wtf!

    You gotta love how "CUSTOMER SUPPORT" starts this highly unprofessional rant about their family life and how they would qualify for immunity from criticism, then their other "employees" start coming in talking trash.

    I would definitely do business with them. These people seem so legit and professional! Unlike all the posters here, of course. But maybe that's due to my being stoned CONSTANTLY.
  • runamok 2008-02-29 14:43
    Punctuation. Is. Cool.
  • thepensivepoet 2008-02-29 14:43
    I wouldn't worry about it too much.
    Plenty of idiots are hired by the federal government.

    That's pretty much what they do - hire idiots.

    Congrats on perpetuating the failures of our bureaucracy!
  • INIT_6 2008-02-29 14:45
    But how else could I write this code. How can you secure a webpage without posting the username and password on the page. http://www.fuckinggoogleit.com/ <-- go here to figure out how to secure your webpage.

    and if you cared about your job and your clients you would fix this and thank the kind man for pointing this out.
  • Mad Old Bob 2008-02-29 14:46
    site:officers.federalsuppliers.com in google will give you the contents anyway, by the looks of the results.
  • Fernando 2008-02-29 14:48
    Domain: federalsuppliers.com
    Registration provider: MateMedia, Inc.

    Registrant
    Jim Sprecher
    Jim Sprecher
    ***@countrysidepublishing.com
    PO Box 1735
    Oldsmar, FL 34677 US
    +1.8139250195
    (FAX)

    Administrative
    Countryside Publishing Company
    Countryside Publishing Company Inc.
    ***@countrysidepublishing.com
    3135 SR 580 Suite 6
    Safety Harbor, FL 34695 US
    +1.7277263400
    (FAX)

    Billing
    Countryside Publishing Company
    Countryside Publishing Company Inc.
    ***@countrysidepublishing.com
    3135 SR 580 Suite 6
    Safety Harbor, FL 34695 US
    +1.7277263400
    (FAX)

    Technical
    Countryside Publishing Company
    Countryside Publishing Company Inc.
    ***@countrysidepublishing.com
    3135 SR 580 Suite 6
    Safety Harbor, FL 34695 US
    +1.7277263400
    (FAX)
  • cavemanf16 2008-02-29 14:49
    Sys:
    Just changed again...

    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="zzzzzz") {
    if (form.pass.value=="fffxxx") {
    location="http://officers.federalsuppliers.com/agents.html"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }
    //-->
    </script>

    Somebody should tell them that changing the password will not help as long as the password is written there...


    Looks like you guys are making them mad! Now quit all your 1337 computer hacking skills and get back to doing real work. What you are doing is akin to Nigerian 911 scamming, and it WILL be reported to the authorities... because after all, they say RIGHT ON THEIR WEBSITE that they can make you lots of money by using their service, so it must be true.
  • spacecadet 2008-02-29 14:49
    L. Ron Paultard:
    Aren't all you wienies, I mean geeks, just so proud of yourselves?...

    The business is located in Palm Harbor, FL. That's 11 miles from Scientology HQ, Clearwater, FL. The above comments are textbook examples of a Scientologist "debate" technique called Bullbaiting.


    "Bullbaiting"? What, L. Ron Hubbard couldn't spell "ad hominem attack"?
  • Bobachu 2008-02-29 14:51
    ok Annaleemac ...
    the point of the site is to be an elitist programmer snob

    at the expense of poorly programmed examples

    I'm sure no one here denies it
  • zip 2008-02-29 14:52
    Fernando:
    Domain: federalsuppliers.com
    Registration provider: MateMedia, Inc.

    Registrant
    Jim Sprecher
    Jim Sprecher
    ***@countrysidepublishing.com
    PO Box 1735
    Oldsmar, FL 34677 US
    +1.8139250195
    (FAX)

    Administrative
    Countryside Publishing Company
    Countryside Publishing Company Inc.
    ***@countrysidepublishing.com
    3135 SR 580 Suite 6
    Safety Harbor, FL 34695 US
    +1.7277263400
    (FAX)

    Billing
    Countryside Publishing Company
    Countryside Publishing Company Inc.
    ***@countrysidepublishing.com
    3135 SR 580 Suite 6
    Safety Harbor, FL 34695 US
    +1.7277263400
    (FAX)

    Technical
    Countryside Publishing Company
    Countryside Publishing Company Inc.
    ***@countrysidepublishing.com
    3135 SR 580 Suite 6
    Safety Harbor, FL 34695 US
    +1.7277263400
    (FAX)


    What is the point of posting this?
  • elias 2008-02-29 14:54
    spacecadet:
    L. Ron Paultard:
    Aren't all you wienies, I mean geeks, just so proud of yourselves?...

    The business is located in Palm Harbor, FL. That's 11 miles from Scientology HQ, Clearwater, FL. The above comments are textbook examples of a Scientologist "debate" technique called Bullbaiting.


    "Bullbaiting"? What, L. Ron Hubbard couldn't spell "ad hominem attack"?

    He made up new words for everything...
  • smpl 2008-02-29 14:55
    Ya, there is no responsibility to your customers and clients to have their information secure. It's ok to arbitrarily set a price for a service with no expectation of protecting their information, privacy or security. It is everyone else's fault that you created a shitty product and the proper authorities need to know that people are going out of their way to prevent other people from investing in your scam... err.. lack of investment in securing their information. That is obvious slander and your kids should hate them for that.



  • dpm 2008-02-29 14:56
    sorakiu:
    My whole point is in the past, dailywtf has preserved anonymity of the parties involved. I know that hasn't stopped some enterprising googlers from figuring it out on their own.
    {...}
    When you cross the line from posting stories about failures in software development to pointing your readers at exploitable websites (no matter how easily), in my mind, you've moved from being a journalistic site to a gang of vigilantes and thugs.
    -dave


    I'm not missing the point. While in general I would agree with you, I'm taking into account the actual loss that this particular company is suffering, which is "none", so . . . how exactly am I a thug? There's no product to steal, no source code to download, nothing to reverse-engineer, just a list of their clients which they left wide open and has already been cataloged by Google. No damage. They took themselves offline, not hackers. If they did it because they were suddenly worried about their files being copied, well, it's a little late for that. Who knows how long those files have been viewed by people who did not login? Odds are that they don't even keep logfiles for very long (if at all) so they probably can't even answer that question.

    Where is the damage?
  • RevLee 2008-02-29 14:56
    Don't blame them for insecure code, it's not even original code. This site http://www.2createawebsite.com/enhance/password-protect.html offers a familiar looking free script to protect your site:

    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="userID") {
    if (form.pass.value=="password") {
    location="page2.html"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }
    //-->
    </script>
  • Agent1 2008-02-29 14:58
    You sir deserve a pink slip.
  • ObiWayneKenobi 2008-02-29 15:00
    Provided this site is legit, and wants to improve, then I am prepared to offer my consulting services for a nominal fee to A) Redesign their website to make it decent looking, and B) Add some real security and features, not a bunch of hard-coded vaporware. I am located in the Tampa Bay area - if this place is in Palm Harbor, that is only about 20 minutes from where I live. I would not mind assisting a business that is just, to be blunt, ignorant of what needs to be done.

    I'd say about $5,000 for a redesign, some logo branding, and some development sounds about right.
  • this webcomic is a wtf 2008-02-29 15:00
    real_aardvark:
    Rob:
    I would have bet $100 that this company lists their address in Florida since so many scam companies do. Yes, they are located in Palm Harbor. WTF is the problem with Florida having so many scam operators?

    Easy-peasy.

    The companies registered in Delaware have had a hundred years or so to get their shit together. The ones in Florida tend to be unsophisticated morons in a trailer park, with a stand-by ticket to one of Ronnie's favourite hot-spots of democracy, like El Salvador or Panama, or even the Grand Caymans.

    If your scam is going to have a half-life measured in months, then go to Florida. If you reckon it's measured in decades, then register in Delaware.


    WHAT'S THE MATTER WITH TRAILER PARKS?
  • Mark Robinson 2008-02-29 15:01
    they do this in our neck of the woods too (Scotland) - dirty swine - and they're always Liverpudlian, yet claim to work for the local police department, or fire service, or teenage boys in trouble, "You do want to help the kids now don't you"
  • Sean 2008-02-29 15:02
    It's not "hacking" if you have the username and password out in the open for everyone to see.
  • laoreet 2008-02-29 15:02
    I just can't believe someone working in that environment for ten years would execute such basic grammatical errors.
  • gb 2008-02-29 15:02
    You really, really, need to hire a web professional since clearly whoever is "helping" you now doesn't understand web security in any professional way.

    Just to be clear, you haven't been hacked. Your website is actually publishing the user name and password for anyone who can find the "view source" command available in every browser.

    I've never heard of your company and have no reason to think that you're not legitimate. You will need to either educate your web developer or find someone who can secure your site for you. It's not terribly hard, but the method you're currently using is, obviously, not secure.

  • jtl 2008-02-29 15:03
    RevLee:
    Don't blame them for insecure code, it's not even original code. This site http://www.2createawebsite.com/enhance/password-protect.html offers a familiar looking free script to protect your site:

    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="userID") {
    if (form.pass.value=="password") {
    location="page2.html"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }
    //-->
    </script>


    To be fair, the webpage includes this:

    Free Password Protection Script

    Warning: This script is not totally secure and the password can be seen if someone views your source code.
  • Christopher Key 2008-02-29 15:03
    They've given up on passwords and removed all but their front page.

    It's a shame that Google's cached the lot!

    http://www.google.co.uk/search?q=site:officers.federalsuppliers.com
  • jimmy 2008-02-29 15:03
    I'm awfully sorry for the operators of the site. They didn't expect the drubbing they're taking.

    But Dang! I have to print this out, put it on a wooden table, take a picture, print it, scan it, and call it Brilliant!

    Brilliant!
  • OMGWTFBBQ 2008-02-29 15:07
    That's hilarious! When I first started reading this post, I thought it might have actually been written by someone at FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT.

    Excellent trolling!
  • bighusker 2008-02-29 15:07
    Annaleemac:
    Aren't all you wienies, I mean geeks, just so proud of yourselves? I guess between taking a few tokes you have nothing better to do than slam people trying to actually work for a living. While you have all day to sit around in your underwear trying to prove your superiority breaking into what amounts to other people's houses, (albeit, online houses) the rest of the world is working. It must be tough for you to justify your lives without vilifying others. I'm sure you don't even try. People who make false statements about others may find themselves at the wrong end of a lawsuit. People in glass houses shouldn't throw stones. But, don't worry, nothing could possibly happen to you. I'm sure no one could find your address. I'm sure you all operate everything in your life on the up and up and can hold up to scrutiny as well. So, just smoke another one and don't you worry about it.


    I guarantee you that 99% of the people posting here are like me...people who have a well-paying job and *gasp* also have access to the internet while they're at work. And most of them probably make a lot more money than you do, despite being very young.

    But if it helps you sleep at night, then tell yourself that we're all a bunch of drugged out losers. Just remember that we're laughing *at* you, and not with you.
  • spacecadet 2008-02-29 15:07
    jimmy:
    I'm awfully sorry for the operators of the site. They didn't expect the drubbing they're taking.


    We have left them no choice but to summon BALTRON!
  • Drewc 2008-02-29 15:12
    Did you mention to your clients that you left their personal information on an unsecured server that any kid with a web browser would be able to view? I don't think they'd be very happy with you. Welcome to the internet.
  • Nik 2008-02-29 15:12
    I've never heard of your company and have no reason to think that you're not legitimate. You will need to either educate your web developer or find someone who can secure your site for you. It's not terribly hard, but the method you're currently using is, obviously, not secure.

    The problem is Government agencies DO NOT USE these third party guides. The site in question actually GOES TO THE SAME SITE THE GOVERNMENT DOES to get their leads. The CCR is searchable by anyone. Illegal? No. Useless and immoral? YES. I would not even do business with a company that IS listed with them, because it tells me they can't spot a ripoff.
  • curse666 2008-02-29 15:12
    I honestly find it hard to believe that if you've been working with secure apps for 10 years that you can't do a bit better with your security. If all someone has to do is look at the source code to find out how to "hack" your site it really doesn't give you much credibility. I'm fresh outta' college with no professional experience in web security but I still know how to build something that can't be "hacked" with such ease.
  • duckets 2008-02-29 15:14
    Seems like google has removed the actual pages from the cache.
  • Evil Hacker 2008-02-29 15:14
    Code is still there as above but the login is broken. Silly 12 year olds making websites....
  • Sola 2008-02-29 15:15
    Ah, this warms the cockles of my tiny black heart.
  • J. Grant 2008-02-29 15:16
    The Lulz! TEH LULZ!

    Dear FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:

    It would be interesting to see you prove in a court of law that Right-Click -> View Source is hacking. How much did you pay your web designer to come up with that one?

    Keep changing the password, though. That'll definitely keep unauthorized people out.

    DIAF,
    J
  • BMH 2008-02-29 15:16
    As much as I sympathise with you having found your company in such a poor situation, poor security - or, in this case, IGNORANCE - is no excuse.

    When your insurance company asks all those important questions that help it decide whether or not to willingly assist you in need, your ignorance will not help you.

    The information you hold is useless to me however the transparency with which it is visible is akin to building a bank with an alley-way entrance where the single door made of paper mache by kids in a mental institution leads directly into your vault from behind.

    In this case an inquisitive visitor has punished your company for its incompetence. Whether or not you do a good job is not being looked at. It's whether or not the management made a good choice in choosing a web developer for their site. And a disastrous choice it was.

    Such incompetence, unfortunate as it may be, cannot go unpunished.
  • sorakiu 2008-02-29 15:18
    dpm:
    I'm not missing the point. While in general I would agree with you, I'm taking into account the actual loss that this particular company is suffering, which is "none", so . . . how exactly am I a thug? There's no product to steal, no source code to download, nothing to reverse-engineer, just a list of their clients which they left wide open and has already been cataloged by Google. No damage. They took themselves offline, not hackers. If they did it because they were suddenly worried about their files being copied, well, it's a little late for that. Who knows how long those files have been viewed by people who did not login? Odds are that they don't even keep logfiles for very long (if at all) so they probably can't even answer that question.

    Where is the damage?


    So what you're saying is that there has to be tangible monetary losses in order for them to be anonymous? The whole google cache argument is somewhat irrelevant. In my mind, dailywtf should have edited the article to present the story (which is why I read the site) and leave the involved parties out and anonymous. There should be no pick and choose between whether they think people will get hurt. whether money will be lost. Pick the purpose of this site:
    Is it to be entertained by the folly of people in the industry? Or is it to harass less knowledgeable people in our field? I want no part of any site that delights in the harm of others. That was the best thing about entering the white collar workforce. I can't remember the last time somebody publicly shamed me for the fun of it when I made a mistake. The last time I saw that kind of behavior was in public high school.

    -dave
  • frosty 2008-02-29 15:20
    sorakiu:

    When you cross the line from posting stories about failures in software development to pointing your readers at exploitable websites (no matter how easily), in my mind, you've moved from being a journalistic site to a gang of vigilantes and thugs.

    -dave


    You raise an interesting point. One difference in this case in comparison to normal cases is that this person is from the outside instead of from the inside (such as most if not all of the stories here). This releases the contributor from NDA and other legal issues.

    I can't say if this is enough reason, but it is a difference.
  • this webcomic is a wtf 2008-02-29 15:21
    ObiWayneKenobi:
    Provided this site is legit, and wants to improve, then I am prepared to offer my consulting services for a nominal fee to A) Redesign their website to make it decent looking, and B) Add some real security and features, not a bunch of hard-coded vaporware. I am located in the Tampa Bay area - if this place is in Palm Harbor, that is only about 20 minutes from where I live. I would not mind assisting a business that is just, to be blunt, ignorant of what needs to be done.

    I'd say about $5,000 for a redesign, some logo branding, and some development sounds about right.


    I can do a better job for less. send inquiries to enterprisewebsitedesign@joestrailerpark.com
  • blinder 2008-02-29 15:25
    OMG!!! ok... this is way way too funny.

    you should of protected


    should of???? should of???? is that anything like "should have???" pretty smart aren't you? yeah, maybe not so much.

    so, i wonder what "authorities" are you going to report anyone to by doing a "view source" on your terrible web site? What law is that breaking?
  • Tomaq 2008-02-29 15:27
    So you work for this organization but you don't even have proper grammar skills?
  • J. Grant 2008-02-29 15:28
    Bah. I can do it for HALF THAT and 6 cases of beer. email inquiries to someguywithnotepad@makingwebsites.com
  • Phleabo 2008-02-29 15:28
    Annaleemac:
    Aren't all you wienies, I mean geeks, just so proud of yourselves? I guess between taking a few tokes you have nothing better to do than slam people trying to actually work for a living.


    I for one resent the stereotype of us computer geeks sitting alone smoking weed in our underwear.

    I for one prefer crack, and I don't wear underwear.
  • Scottish 2008-02-29 15:29
    Even Google read those files. They're in the Google cache. Google's spiders must be hackers too!
  • bj 2008-02-29 15:30
    Let's go back to that great house analogy. This is more like a house built with no walls, doors, or windows. People come by and stare and say WTF, people actually live their lives in this thing?

    The people paying this company have a right to know that this website is not as secure as it claims. If people are hurt and lose money, that is the company's own fault, not that of the people revealing the truth!!
  • Jay 2008-02-29 15:30
    In the latest round of "updates" I guess we have a new username and password to lead you to the 404 page:

    [code]
    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
      if (form.id.value=="zzzzzz") {
        if (form.pass.value=="fffxxx") {
          location="http://officers.federalsuppliers.com/agents.html"
        } else {
          alert("Invalid Password")
        }
      } else {
        alert("Invalid UserID")
      }
    }
    //-->
    </script>
    [/code]

    Somewhere, someone is changing usernames and passwords as quickly as they can be View Sourced. What a crappy job.
  • dhimes 2008-02-29 15:32
    no--don't tell them... People with their motives can be dangerous if they get smart...
  • saturn 2008-02-29 15:33
    "all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better."

    This is the best quote ever.
  • BobB 2008-02-29 15:34
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:

    ...
    sorry our site wasn't protected to your standards however
    ...

    Even by my lax standards the site lacks protection.

    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:

    ...
    all of you are being reported to the appropriate authorities as we have your information too.
    ...

    I wonder which authorities these are. I'm certain they will be entertained regardless.

    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:

    ...
    you should of protected your info a little better.
    ...

    Something about a pot and a kettle, I don't remember how the phrase goes however...
  • hax0rz 2008-02-29 15:36
    Horton Hears a FAIL:
    Good news!!!!

    You may be eligible for support to fix your horrible coding.....Wow! really good news....For only $1500 I can fix that for you....Whaddaya say?


    702-229-3111


    Damn you... I called that number. Now the cops have my information too!!!
  • Demaestro 2008-02-29 15:36
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    Perhaps you should look up the meaning of hacking... there is no auth on the landing page where the info lives... there is only auth on the page that provides the link. All one has to do is traverse directly to the landing page. That is where the auth should live.

    To hack something one must circumvent security measures... since the page listing the info has no security on it, it isn't possible to hack; all one needs to know is the URL.

    Security through obscurity means nothing. Basically you hid the door to the safe, but you left it open, and worse, you did so in a public area. Since you love your company so much you should get them to budget an overhaul of the website and hire someone who knows what they are doing this time.

  • MM 2008-02-29 15:37
    TRWTF is that people keep saying they should get better security, when the only reason they could even want security on that site is to keep people from checking their references like happened in the original story. If they were legit, they would be trying to open up and advertise their site, so that their clients who paid so much to be listed might actually get some traffic off of it.

    Putting username/password boxes on a page while telling everyone who goes to that page what the username and password should be (and telling them where to go directly without putting in that name/password) is something we can laugh at them about, but what identifies them as a scam isn't that they had laughably bad security, it's the fact that they had clearly wanted to have security there.
  • Dazed 2008-02-29 15:42
    sorakiu:
    You're missing the point. ...

    When you cross the line from posting stories about failures in software development to pointing your readers at exploitable websites (no matter how easily) ...

    No, sorry: you are the one missing the point, as you demonstrate by using the word exploitable again. There is no exploit here. What is happening here is a bunch of people laughing at a website. It is no more reprehensible than a bunch of people laughing at any other unintentionally humorous site. If people don't want any risk whatever of their site being laughed at, they shouldn't have a site.
  • dpm 2008-02-29 15:42
    sorakiu:
    dpm:
    Where is the damage?


    So what you're saying is that there has to be tangible monetary losses in order for them to be anonymous?


    No, I want to know what harm I'm causing. I see none.

    The whole google cache argument is somewhat irrelevant.


    No, it illustrates how open they are, and have been.

    In my mind, dailywtf should have edited the article to present the story (which is why I read the site) and leave the involved parties out and anonymous.


    That's your opinion, and I respect it. But you're not convincing me that there's any reason for me to adopt it.

    Is it to be entertained by the folly of people in the industry? Or is it to harass less knowledgeable people in our field? I want no part of any site that delights in the harm of others.


    I think you mean "named others", since clearly this site has been making fun of people for years. But even in this case, it's just the company, not anyone by name, and it's well-deserved, so I still don't see the harm.

    That was the best thing about entering the white collar workforce. I can't remember the last time somebody publicly shamed me for the fun of it when I made a mistake. The last time I saw that kind of behavior was in public high school.


    There is a value in public shame. You screw up badly enough, people make fun of you, you learn from it.
  • dextron 2008-02-29 15:43
    No, no, TRWTF is that servers don't provide support for Basic username/password security for <Directories> out of the box.
  • RevLee 2008-02-29 15:43
    Annaleemac:
    Aren't all you wienies, I mean geeks, just so proud of yourselves? I guess between taking a few tokes you have nothing better to do than slam people trying to actually work for a living. While you have all day to sit around in your underwear trying to prove your superiority breaking into what amounts to other people's houses, (albeit, online houses) the rest of the world is working. It must be tough for you to justify your lives without vilifying others. I'm sure you don't even try. People who make false statements about others may find themselves at the wrong end of a lawsuit. People in glass houses shouldn't throw stones. But, don't worry, nothing could possibly happen to you. I'm sure no one could find your address. I'm sure you all operate everything in your life on the up and up and can hold up to scrutiny as well. So, just smoke another one and don't you worry about it.


    The real issue is that serious businesses use professional level security. This looks like something the owner had his nephew do in his high school web class.

    If the Brinks truck guard carried a squirt gun instead of a real pistol, would you call that real security? It's security theater - it looks secure, but it's not. If you only want to pretend to be secure, then don't get upset when someone points out that it's fake.
  • nosebleed 2008-02-29 15:44
    There was no "hacking" involved with this. The username/password is right there in the page source, clear as day! Sheesh, you couldn't at least use a .htaccess/.htpasswd? A PHP script with a MySQL database? It's not like they're all that hard to set up.
  • Demaestro 2008-02-29 15:45
    The problem with what you are saying is that they have it in a public area... it isn't like walking into a privately owned building and ignoring a "Do Not Enter" sign.

    Their server is set up to serve files to anyone who requests them. If I don't go to the page with the JS "auth" and I traverse right to the page they are "protecting", then I haven't circumvented anything, since I wasn't on the page with countermeasures at all.

    So yes, if someone puts a note on a door and it reads "do not enter" and the door is open, then you can't enter.... problem is there are about 100,000,000 x 100,000,000 other doors into that room that don't have the sign.

  • Shawn 2008-02-29 15:46
    Wait... so this critical online guide was taken off-line? That doesn't seem fair to the people that paid hundreds or thousands of dollars to be listed. It also seems like that would really upset the folks in the federal government that relied on that site to get the names of businesses.

    Hmmm... maybe it IS a scam after all.

    PS - to the "employee with the family that entirely depends on this company for his living"... dude we all know you're the guy in charge of the scam. Also - if you want to try to plead your case, you will have better luck if you run your comments through a spell / grammar check first.

    I'm sure one of your clients offers copy editing services -- perhaps you could check with them.
  • swordfishBob 2008-02-29 15:46
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for ...

    I don't usually trawl through the comments, but my interest picked up seeing this one featured.

    The real WTF is how many pages of comments there are. It would have been fewer and duller without FSG's post(s).
  • bk 2008-02-29 15:47
    ROFL. Scam.
  • rodriguez 2008-02-29 15:47
    Is it really "hacking" if you are given the password? I mean, sure the guy didn't say the password over the phone, but by putting the username and password in the Javascript like that, they are basically giving it away. They are giving it to anyone who "asks" for it.

    As for "sorry our site wasn't protected to your standards", it makes me wonder *what* standards they were protected to. Besides, is there anything there that prevents people from just going to the linked page itself once they know about it... hang on... wouldn't robots be able to get to their "secure" site?
  • dude 2008-02-29 15:48
    So when I started to read this and saw the login box I thought 'oh no, they've left their login open to SQL injection', oh dear. But to actually see that they think going to a valid URL is hacking!!
  • wtf 2008-02-29 15:48
    lol
  • TraverseCity 2008-02-29 15:49
    Here it is, you GIVE the people at large the login....It's on the page plain as day. If our government is protected like this then there is no hope for it. Keep doing your shoddy work and put the passwords out so everyone EVERYONE can see it.
  • Troy 2008-02-29 15:54
    Wow... I'm actually registered with CCR and got a call from these guys as well. I did the same thing; I declined to be in it for that amount of money. Beware of the phone book as well: expensive, with 0 actual leads... all of them were grandmothers trying to install RAM in their Packard Bell, etc. That's funny you actually took the effort to go and look at the site. Maybe you can pick them up as a client for a nominal fee of $600 to $6000, the price of a single ad, and you can fix their site to be secure.
  • Not even a 'hacker' 2008-02-29 15:54
    I don't know if the owner of the FSG co. will come back here, but since no one has spelled this out for him, I'm going to:

    Your username and password information is stored *IN PLAIN TEXT* within the page itself. Anyone who visits your site and views the source code from their browser can glean the login information in this manner. This means that your login is *BY DEFINITION NOT SECURE* You do not have to be a hacker to figure out how to log in. You could just accidentally hit Ctrl-U on your keyboard!

    I should also note that *THE BURDEN TO SECURE THE SITE LIES ON THE OWNER/AUTHOR*, and since you are doing business with federal agencies, this login method does NOT comply with various ISO, NERC, and NIST standards for cyber-security (the standards that typically set the baseline for online security that MUST be adhered to by federal agencies.)

    Maybe this is why the author of this article found out that certain clients of yours received no sales leads from your directory... federal and state agencies have seen that your security (and perhaps by association, your entire organization) is a joke.
  • John 2008-02-29 15:55
    There was another government site that is like this. It was for anti-terrorism training and the password was checked against a MD5. It was such a simple password that the MD5 didn't help protect it any better.
  • It's like this 2008-02-29 15:55
    servers don't provide support for Basic username/password security for <Directories> out of the box.


    It's a shame that toasters don't come turned on. I hate it when you open the box and you have to turn the thing you just bought on. I mean, geeze, I just bought this toaster, is it such a leap of intuition to think I might want to make toast when I open the box??

    Actually, servers do come "out of the box" supporting authentication.
  • umm... 2008-02-29 15:57
    What's really interesting is...despite the fact that this story was posted today - somehow, some way this company has such a small amount of web traffic that they were able to come in to work, notice a bunch of click-throughs from TDWTF, visit here, leave comments, and change their page multiple times since. In fact, they knew this story was posted before I did, and I visit here pretty much daily.

    Hmm...

    Sounds to me like their web guy is a TDWTF frequenter...how else could they have known about today's topic so quickly?
  • Andy 2008-02-29 15:59
    It's great how they'll even indicate if you got the right username and the wrong password by giving a different error message. Even if this was done server side, that's a big no-no. Not that it matters, since google's spider is (or others are) capable of following that URL from the javascript.
  • JamesKilton 2008-02-29 16:00
    Aw man, the page itself is now gone.

    Heh, this reminds me of (slightly related as in complete lack of security):



  • spacecadet 2008-02-29 16:02
    umm...:
    Sounds to me like their web guy is a TDWTF frequenter...how else could they have known about today's topic so quickly?


    In that case, TRWTF is that their web guy can read this site regularly and STILL have a page like that.
  • Franz Kafka 2008-02-29 16:02
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. [...] sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. [...]


    Okay, who's trolling? Nobody could be this stupid in real life.
  • Another Adverage hacker 2008-02-29 16:03
    BWA ha ha. Just wait till someone puts your "for federal eyes only" materials on piratebay. For the people, by the people, bitch.
  • zip 2008-02-29 16:03
    umm...:
    What's really interesting is...despite the fact that this story was posted today - somehow, some way this company has such a small amount of web traffic that they were able to come in to work, notice a bunch of click-throughs from TDWTF, visit here, leave comments, and change their page multiple times since. In fact, they knew this story was posted before I did, and I visit here pretty much daily.

    Hmm...

    Sounds to me like their web guy is a TDWTF frequenter...how else could they have known about today's topic so quickly?


    What's your next guess, Sherlock?
  • andi 2008-02-29 16:05
    sorakiu:
    it was not obvious to me that they were scammers.

    It has been pointed out that they offer a 'service' to register your company with the CCR for merely a few hundred bucks, and from the article I gather that they try to create the impression that they themselves run this select little register for gov't agents and that the callee is lucky enough to be found eligible to be included ("Who's Who" anyone?). I ask you, if this is not a scam, then what is?
    A mere hundred and fifty years ago (or less, depending on where you live I guess) such people 'working for their living' (hah!) in such a way probably would have been tarred, feathered and run out of town. They can consider themselves lucky to live in such enlightened times where nothing worse than the ridicule of a bunch of weed-smoking 'geeks' and 'wieners' awaits them.
    If someone reads this who has been suckered into paying for this shit: Organize a class action suit.

    CAPTCHA: 'decet'. 'deceit' mis-spelled? How very fitting ;)
  • dextron 2008-02-29 16:14
    zip:
    umm...:
    ...
    Sounds to me like their web guy is a TDWTF frequenter...how else could they have known about today's topic so quickly?


    What's your next guess, Sherlock?


    No way! Only a complete moron would leave their site up after seeing it showcased here. If I ever saw one of my sites here, I'd

    httpd -k stop

    that site as fast as I could.
  • A nonymous 2008-02-29 16:14
    Ahh. I was on the fence about their business being a scam.

    <sarcasm>That job posting sure cleared it up for me! No scam here! </sarcasm>
  • Zig 2008-02-29 16:14
    Your base are belong to us. BWAHAHAHAHAHA.
  • Franz Kafka 2008-02-29 16:14
    Annaleemac:
    breaking into what amounts to other people's houses, (albeit, online houses) the rest of the world is working.

    Your site isn't what I'd call working.

    People who make false statements about others may find themselves at the wrong end of a lawsuit.


    And making baseless threats of legal action against dead German philosophers may make you a laughingstock.

    I'm sure no one could find your address.


    You're right - I checked myself out on one of those slimy peoplefinder sites and it didn't have anything more current than 2-3 addresses back.

    Maybe you should stop posting here and think about fixing your joke of a site.
  • Arlecchino 2008-02-29 16:14
    For Christ's sake man!!! It's not that our standards are not met, this login page is below ANY web-security related standard. If your work is really so important, then hire somebody who can do better than this.
  • Demaestro 2008-02-29 16:16
    Dave you are contradicting yourself...

    First you concede that there is no damage but you argue that it doesn't matter if there is damage or not... then you say "I want no part of any site that delights in the harm of others."

    Again.. where is the harm?

    It is like the guy who got onto planes and hid weapons... then contacted the media and the plane companies to tell them what he did, and how he did it, and why. He was charged but then charges were dropped.... He didn't do it to hurt or ridicule, but to educate. Of course someone will feel some ridicule at having their incompetence exposed but no harm was done. The ridicule would have been worse if the attack was malicious in nature...... instead the attack was used to highlight the need for improved security.... just like here.. This isn't hacking by any means... but if you want to call it that then call it "white hat" at least.
  • A nonymous 2008-02-29 16:19
    isn't that the password an idiot would have on his luggage?
  • Nimrand 2008-02-29 16:20
    It's not hacking unless there is at least some real security in place (weak though it may be). Locking the door and then leaving the key in the lock, as you have basically done by leaving the password in the HTML file that is downloaded by the browser, doesn't count as security.
  • Benanov 2008-02-29 16:21
    Okay, before, I was worried that this was going to become a serious problem for Alex...

    but since we've basically figured out that this is a legal but useless company, the employees aren't going to want increased scrutiny.

    This is hilarious!
  • Binks 2008-02-29 16:22
    Hmm...maybe they should make the password "******" to confuse people, or, you know, do some server side validation rather than handing people the password.

    Nice find
  • hamy 2008-02-29 16:22
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. [...] sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. [...]



    dude, seriously....are you retarded about the point being made?
  • stupidkids 2008-02-29 16:23
    Do more research before blogging on your lame site. A more polite response would be e-mailing the company and saying "Hey, your login page is insecure by showing the username and password in plaintext on a publicly accessible website" instead of your lame excuse for a blog entry.
  • Chris 2008-02-29 16:23
    Alex you made the front page of Reddit, good job. Hopefully, FSG will get their act together and FIRE their web developer and stop whining about "hacking". This is not "hacking", obviously, since the username and password are right there in the source code for everyone to see. Since when is examining a site's source code "hacking"? FSG, just fire your web developer and hire one who knows what the crap they're doing.
  • zip 2008-02-29 16:24
    stupidkids:
    your lame excuse for a blog entry.


    Keep typing it! Maybe it will become true!

  • Tohuw 2008-02-29 16:26
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. [...] sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. [...]


    Obvious troll is obvious
  • Catlin 2008-02-29 16:26
    You helped someone make hundreds of thousands of dollers... but can't learn to type?
  • h8r 2008-02-29 16:27
    Your parenthetical remarks aren't funny at all. If your intention was to let your audience know what you think as opposed to what you say, then now your audience knows how pathetic your sense of humor is.

    I'm doing you a favor here. No one else will tell you because they pity you so much. You'll never be Woody Allen and tech advice is miles from Annie Hall.
  • Michael 2008-02-29 16:27
    ... I can't tell if this is real or a joke. Either way it's a funny comment. ^_^
  • Bullwark 2008-02-29 16:27
    stupidkids:
    Do more research before blogging on your lame site. A more polite response would be e-mailing the company and saying "Hey, your login page is insecure by showing the username and password in plaintext on a publicly accessible website" instead of your lame excuse for a blog entry.


    Ah, yes, of course. Such an e-mail would have been met with ridicule or the like--prompting me to post this "exploit" on this "lame site."
  • wienie0001 2008-02-29 16:29
    Annaleemac:
    Aren't all you wienies, I mean geeks, just so proud of yourselves? I guess between taking a few tokes you have nothing better to do than slam people trying to actually work for a living. While you have all day to sit around in your underwear trying to prove your superiority breaking into what amounts to other people's houses, (albeit, online houses) the rest of the world is working. [...] So, just smoke another one and don't you worry about it.


    You don't know what you're talking about. I'm over 30 have a wife and kids and have earned well over $100k per year since I was in my late 20s. I'm also a regular reader of this site.
  • Bullwark 2008-02-29 16:29
    Tohuw:
    Obvious troll is obvious


    Obvious troll is performing a public service.
  • ezacharyk 2008-02-29 16:31
    They really should have used hidden fields for the user name and password. /sarcasm
  • andi 2008-02-29 16:32
    stupidkids:
    A more polite response would be e-mailing the company and saying "Hey, your login page is insecure by showing the username and password in plaintext on a publicly accessible website".

    And then write the entry 'How I helped a completely legit non-scammer company run by honest married hard-working phone scam^H^H^H^H salesmen (with children to feed!) secure their site'. For some reason, this would have been a lot less funny.
  • AT 2008-02-29 16:34
    sorakiu:
    You're missing the point. This website (dailywtf) has, in the past, changed names (usually the submitter and who they work for) in order to differentiate themselves from a script kiddie website.


    A key difference here is that Alex experienced this directly. He's not relying on the word of a stranger who could simply be trying to damage a company they don't like. Also, the login simply exposed a *directory listing* of company information that you could find in the phone book. It's not like exposing the protected pages damages anything.
  • hax0rz 2008-02-29 16:35
    The federal suppliers guide.?

    http://answers.yahoo.com/question/index?qid=20080221122622AAn21Qx
  • Irony 2008-02-29 16:35
    Catlin:
    You helped someone make hundreds of thousands of dollers... but can't learn to type?


    E-bo-ny and i-ro-ny!
  • A Penguin 2008-02-29 16:36
    You provide a professional service, but with kindergarten security. How do you expect to be taken seriously ?? Way to protect your "clients".

    It's sad to see such uninformed, unintelligent people securing information...
  • Franz Kafka 2008-02-29 16:36
    Tohuw:
    Obvious troll is obvious


    Obvious troll is entertaining.
  • daqq 2008-02-29 16:38
    Well, you had no security to speak of. Think of it as a security audit for free. Others would charge you hundreds of dollars for such info; however, here it is for free. Whatever the case, I really don't see the point of having to LOGIN to view ADS which people PAY for. Either your government doesn't know of Google or other search methods, or something is smelly in your government.
    Anyway, if you want some real security, I bet there's a lot of smart people here willing to do it for you for a small fee ;-)
  • dextron 2008-02-29 16:38
    h8r:
    Your parenthetical remarks aren't funny at all. If your intention was to let your audience know what you think as opposed to what you say then now your audience knows how pathetic your sense of humor is.

    I'm doing you a favor here. No one else will tell you because they pity you so much. You'll never be Woody Allen and tech advice is miles from Annie Hall.


    Wow, you sure gave Mr. Ambiguous Antecedent the old what-for!
  • Lucas 2008-02-29 16:38
    Google also hacked your site:

    http://www.google.com/search?q=site:officers.federalsuppliers.com&hl=en

    I suggest you bring the full force of your company's legal team, which I assume consists of a man who drinks gasoline and a golden retriever, to bear on this hacking problem.
  • Xich 2008-02-29 16:39
    you hackers


    ... looking at the generated source of a webpage is hardly hacking. Your grandma could do it.

    sorry our site wasn't protected to your standards


    ... or anyone else's standards for that matter.

    and one of my best clients just broke 500,000 dollars in federal sales


    So he sold a toilet seat to the White House?
  • alegr 2008-02-29 16:39
    The real WTF is that people are responding to that fake CUSTOMER SERVICE posting.
  • RxScram 2008-02-29 16:42
    jimmy:
    I'm awfully sorry for the operators of the site. They didn't expect the drubbing they're taking.

    But Dang! I have to print this out, put it on a wooden table, take a picture, print it, scan it, and call it Brilliant!

    Brilliant!



    It's not Brilliant... it's Brillant! See... no "i".

    Please, if you are going to use a former WTF, do it correctly!
  • Bullwark 2008-02-29 16:43
    Xich:


    and one of my best clients just broke 500,000 dollars in federal sales


    So he sold a toilet seat to the White House?


    I hope you're happy. That toilet seat comment has me looking for a dry office chair.
  • tim 2008-02-29 16:43
    It changed again,

    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="zzzzzz") {
    if (form.pass.value=="fffxxx") {
    location="http://officers.federalsuppliers.com/agents.html"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }

    At this rate it will really be hack proof.

    Seriously, they're so inept that they can't figure out what the security flaw is? That's a real wtf.
  • Cecil 2008-02-29 16:45
    Somebody should tell them that changing the password will not help as long as the password is written there...


    More importantly, note that the destination URL is *also* written there. The username and password are completely extraneous.
  • Walleye 2008-02-29 16:46
    In my mind I'm picturing their office, and everyone is wearing the company uniform, a dark suit, covered with large neon question marks.
  • Lesko 2008-02-29 16:48
    Walleye:
    In my mind I'm picturing their office, and everyone is wearing the company uniform, a dark suit, covered with large neon question marks.


    *shudder*
  • Stenvne 2008-02-29 16:49
    Dear Sir,

    I understand your embarrassment over this issue, however in this environment Flaming (That is what your comment is called) is never a good thing. If you truly want to secure your site, I suggest you hire a website designer that knows a Java script passing the allowable username and password in plain text is not going to cut it.

    How this was discovered: if you go to your login page and right click, choosing show/view source, you will see how this code is easily accessible. This is not a hack; the information is published in a public environment with inadequate security precautions. Therefore, it is not an intentional exploitation or penetration of any properly secured system and not in any way a violation of any laws governing electronic media. Sorry to add insult to injury.

    Respectfully submitted.
  • JL 2008-02-29 16:49
    I don't understand the purpose of this company. If the customers are submitting information in hopes of sales, you'd think the contact information would be public, and publicized as much as possible. It can't be for want of privacy, because their leads are coming from an already-public list of government contractors. And if it were a scam, why would they bother changing the password after it was discovered? Why bother building a site with the contact information at all?

    I can't help feeling a tiny bit sorry for them, since their web development platform apparently consists of Microsoft Word, an FTP program, and a cheap web host.

    A note to any employee who is still reading this thread: If you haven't figured it out by now, you are sending the password (and the address of the "secured" page) in the text of your login web page. This does not secure your web page. There are many ways to actually secure a web page, and none of them involve sending the password to the user. Changing the password will not help, because you will then be sending the new password to the user. The other posts are advising you to get a professional to fix your site, but it's likely that even the kids in your local community college's web development course could come up with a more secure solution than what you've currently got.
  • Instaneous 2008-02-29 16:49
    What's the wtf comment record? We gotta be getting close.
  • John 2008-02-29 16:52
    It's not that the password and the destination URL are "available on view source".

    It's that they're SENT BY THE WEBSERVER TO THE CLIENT. In plain text! In response to the initial HTTP request to the site!

    It's not only "not secure" and it's not "available to 5-year-old hackers". It's sent directly to every single reader, immediately on connection!

    I think all the analogies so far are inaccurate. I say that this is the equivalent of claiming "hacking" because you went to goatse.cx and it sent you a picture of the inside of a man's rectum.
  • Catlin 2008-02-29 16:53
    Nah, I can type, I just can't spell. Besides, I don't claim to have the big bucks job.
  • ExFed 2008-02-29 16:56
    I don't know if FSG CUSTOMER SUPPORT up there is a joke or for real but putting your business in a catalog isn't going to get you government contracts. The best investment a small business can make is in a lobbyist. A good lobbyist can get your stuff sold when it's neither needed nor wanted.
  • RxScram 2008-02-29 16:57
    Hmmm... Has anybody submitted this WTF to slashdot yet?
  • NH_Matt 2008-02-29 16:57
    I had no idea right clicking is "hacking". I am in so much trouble! *yikees*
  • spacecadet 2008-02-29 16:58
    John:
    I say that this is the equivalent of claiming "hacking" because you went to goatse.cx and it sent you a picture of the inside of a man's rectum.


    AAAAAH! YOU HACKED MY EYES!
  • Random832 2008-02-29 17:00
    Actually I think it'd be more like a sign saying "There is no key under the mat that unlocks this door!"


    No, a sign that says "This door is locked, you need a key to get in", on a door that has a dummy keyhole but no actual lock.
  • RogerC 2008-02-29 17:03
    Bullwark:
    Xich:


    and one of my best clients just broke 500,000 dollars in federal sales


    So he sold a toilet seat to the White House?


    I hope you're happy. That toilet seat comment has me looking for a dry office chair.

    I can't remember when I've seen this much irony on this site.
  • Bob Smith 2008-02-29 17:07
    If you are for real, then you really don't get it, do you? No hacking is going on. This is the equivalent of a set of keys with the person's home address attached on the keychain. This is the same as leaving your wallet with your bank card and a note that has your PIN at a restaurant.

    In fact, it's even worse, because by *stating* that this website is "secure" and then blatantly putting the password (!) where it is publicly viewable, the site is operating under false pretenses about their own practices.

    Be thankful that someone with a backbone and a sense of morality has pointed this out while the problem can be fixed.
  • heh 2008-02-29 17:08
    HAHAHAHAHAHAHAHAHAHAHAHA...

    nice trolling.
  • Pro Web Developer 2008-02-29 17:09
    Ummm yeah, your javascript is being sent to every user that visits your site. All you have to do to get the username and password is view the source of the webpage and boom, you got the info to login. It doesn't take a hacker to do that just someone who knows how to use their web browser. Honestly why would you put the username and password in javascript like that?
  • Zock 2008-02-29 17:09
    Congratulations! You've just discovered 'teh Internet'. Now take your hands off the keyboard and back away very slowly.

    :D
  • Daniel 2008-02-29 17:10
    I hope their reply is fake.

    "sorry our site wasn't protected to your standards"
    My 6 year old could get past that login. It required no hacking, just looking at the html of the page.

    "Blah wife, blah children, blah long time employee, blah, tons of clients"
    Even if this isn't a load of bull, it's completely beside the point.

    "its rude, your comments are not truthful we are not a scam"
    How about the references he called? They were all being untruthful?

    Anyways- Just because what you do isn't illegal doesn't mean it's not a scam.
  • Anonymous 2008-02-29 17:10
    There is no way this person has a wife AND has had sex 4 different times.
  • MikeW 2008-02-29 17:11
    Oh Oh, they're really on top of this now!

    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="zzzzzz") {
    if (form.pass.value=="fffxxx") {
    location="http://officers.federalsuppliers.com/agents.html"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }
    //-->
    </script>
  • JL 2008-02-29 17:12
    Random832:
    Actually I think it'd be more like a sign saying "There is no key under the mat that unlocks this door!"
    No, a sign that says "This door is locked, you need a key to get in", on a door that has a dummy keyhole but no actual lock.
    No, it's the equivalent of an open doorway with a sign next to it saying: "Please say the password aloud. ... If you said 'eggplant', you may enter the doorway. Otherwise, please leave."
  • wackyvorlon 2008-02-29 17:13
    It isn't hacking if the password is written down in plain sight. You need better code.
  • KludgeQueen 2008-02-29 17:13
    JL:
    ...I don't understand the purpose of this company. If the customers are submitting information in hopes of sales, you'd think the contact information would be public, and publicized as much as possible. It can't be for want of privacy, because their leads are coming from an already-public list of government contractors....

    THAT is TRWTF right there.
  • Intchanter 2008-02-29 17:14
    Random832:
    No, a sign that says "This door is locked, you need a key to get in", on a door that has a dummy keyhole but no actual lock.


    You're still assuming there is a room. Put the sign on a door at the end of a hallway that leads outside where you can see the billboard with their "advertiser listing" and you're closer to the real situation.

    It's still visible from the street, and being in the hallway in the first place was obviously optional.
  • hibs 2008-02-29 17:19
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    HAHAHAHAHAHAHAHAHAAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
    Listen up you MORON, your security is such that anyone with 8 seconds of work could "hack" their way in. Your idea of site security is laughable at best, and you need to get a grip.
  • John 2008-02-29 17:20
    Bob Smith:
    This is the same as leaving your wallet with your bank card and a note that has your PIN at a restaurant.

    No, because even with the PIN and the card, accessing his bank account is illegal *and* you can't just walk up and access his bank account by knowing his branch address and nothing else.

    This man has an aardvark. On a pedestal. He has a velvet rope surrounding the pedestal. He has a carnival hawker crying "Guess the secret word and SEE THE AARDVARK! You can't see the aardvark if you don't guess the secret word!".

    And, of course, everyone is just looking *around* the carnival barker, over the velvet rope, and pointing out to him that that's no aardvark, that's a raccoon with a skin condition.
  • Bob Dobbs 2008-02-29 17:27
    Check this out:

    http://www.google.com/search?hl=en&q=site%3Ahttp%3A%2F%2Fofficers.federalsuppliers.com%2F+&btnG=Search

    Due to their completely inept security google has spidered and cached all of the pages contents!
  • Stenvne 2008-02-29 17:28
    Annaleemac:
    Aren't all you wienies, I mean geeks, just so proud of yourselves? I guess between taking a few tokes you have nothing better to do than slam people trying to actually work for a living. While you have all day to sit around in your underwear trying to prove your superiority breaking into what amounts to other people's houses, (albeit, online houses) the rest of the world is working. It must be tough for you to justify your lives without vilifying others. I'm sure you don't even try. People who make false statements about others may find themselves at the wrong end of a lawsuit. People in glass houses shouldn't throw stones. But, don't worry, nothing could possibly happen to you. I'm sure no one could find your address. I'm sure you all operate everything in your life on the up and up and can hold up to scrutiny as well. So, just smoke another one and don't you worry about it.


    1) Are you aware of the complexities of lawsuits in an international electronic media environment? I think not.. I could be next door or 6K miles away in a country that has no electronic exploitation laws whatsoever.

    2) Threatening people with a wet noodle just pisses them off and opens yourself to a lot more grief. Not a good idea.

    3) Defaming an individual's character because they happen to be more skilled in an area than you are is simply childish. So take your spanking, learn from it.. and move on.

    Respectfully submitted.
  • CT 2008-02-29 17:29
    I'd like to thank the author of this article. I've been contacted several times by FSG regarding getting into their guide but never done it. Now they got a hold of my boss and he wants to do this. In addition, I contacted them regarding getting a GSA contract, which they quoted me on, guaranteed we would get on the schedule or our money back. I was worried about the fact that they insisted on addressing my concerns via phone rather than email (for an easy paper trail).

    I was very close to getting the contract signed and sent in, but this is a real eye opener, and I was reminded of the fact that they never sent us a copy of their guide as I requested. Thanks for most likely saving us thousands of dollars (the price they quoted was MUCH lower than other firms that do this, which also worried me). I've disliked their site from the start, it doesn't look professional at all, and after seeing how they handle security and authentication, I'll definitely be looking in another direction. Thanks again!
  • Junkman 2008-02-29 17:30
    The FIRST PARAGRAPH of the Computer Misuse Act (UK only - I've not looked into US law - wouldn't know where to start...):

    "A person is guilty of an offence if—

    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

    (b) the access he intends to secure is unauthorised; and

    (c) he knows at the time when he causes the computer to perform the function that that is the case. "

    To make a point for any UK readers thinking this may be fun:

    a. clicking "view source" is to "perform any function" - no matter HOW menial it may appear to an experienced IT specialist.
    b. the access...is unauthorised - attempts *were* made to conceal the information, no matter how pathetic.
    c. "he knows...this is the case" - Pretty self evident from the article.

    All in all, I'd say bad show from the TDWTF, stick to anonymity, or wait until April 1st next time...

    ...but also, if those comments are genuinely from HSG, grow up and get some professionalism - you're an embarrassment.
  • Caleb 2008-02-29 17:31
    i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too.


    I'm glad you've run a successful business in order to support your family (I'm serious about that), but the problem is that your site isn't secured whatsoever by any industry standards.

    Your login form is the equivalent of locking the door to your office and taping the key onto the front of the door (and that's being generous). While I don't believe that justifies anyone in using the data, you simply need to use real security.
  • Anonymous 2008-02-29 17:31
    >thank you hackers for trying to destroy federal suppliers guides reputation

    You're a moron. There was no CRACKing involved. You gave out the name and password freely with each and every "login" page load. Get a clue.

    We have the list of scammed "clients" you so kindly provided openly and will be forwarding it to the FTC and the Attorney General for review. Hold on to your ass pal because you're about to go for a ride.
  • Junkman 2008-02-29 17:32
    HSG = FSG... duh
  • Rev. Spaminator 2008-02-29 17:34
    As a former business owner, your company is exactly the kind of scam I came across all the time.

    "We'll list you in our directory for a nominal fee."

    Usually the fee turns out to be FAR from nominal and the directory is something no one has ever heard of.

    You think you're providing a service, fine. Spend some of the fees you are charging to hire a REAL web programmer who can add a real layer of security to your site. If I place my home banking password and account number on my website, along with a link to the bank's site, NO prosecutor in their right mind is going to have sympathy on me. Relying upon javascript for authentication is the same thing.
  • Stenvne 2008-02-29 17:36
    CT:
    ...I was worried about the fact that they insisted on addressing my concerns via phone rather than email (for an easy paper trail)...


    The likely reason for this is -- electronic text based communication for the purposes of exploitation, extortion or fraud are now covered under the same criminal code as mail fraud.

    Cheers.
  • John 2008-02-29 17:41
    I guess use of punctuation and paragraphs is not a paramount requirement for doing business with the federal gub'mint.
  • Stenvne 2008-02-29 17:43
    Junkman:
    The FIRST PARAGRAPH of the Computer Misuse Act (UK only - I've not looked into US law - wouldn't know where to start...):

    "A person is guilty of an offence if—

    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

    (b) the access he intends to secure is unauthorised; and

    (c) he knows at the time when he causes the computer to perform the function that that is the case. "

    To make a point for any UK readers thinking this may be fun:

    a. clicking "view source" is to "perform any function" - no matter HOW menial it may appear to an experienced IT specialist.
    b. the access...is unauthorised - attempts *were* made to conceal the information, no matter how pathetic.
    c. "he knows...this is the case" - Pretty self evident from the article.

    All in all, I'd say bad show from the TDWTF, stick to anonymity, or wait until April 1st next time...

    ...but also, if those comments are genuinely from HSG, grow up and get some professionalism - you're an embarrassment.


    Hey, good on you for doing the research, however you fail to take into account that a web page (code content) being pushed to an individual's computer becomes public domain and is not protected in the manner your research implies.

    Respectfully submitted
  • jtl 2008-02-29 17:43
    Junkman:
    The FIRST PARAGRAPH of the Computer Misuse Act (UK only - I've not looked into US law - wouldn't know where to start...):

    "A person is guilty of an offence if—

    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

    (b) the access he intends to secure is unauthorised; and

    (c) he knows at the time when he causes the computer to perform the function that that is the case. "

    To make a point for any UK readers thinking this may be fun:

    a. clicking "view source" is to "perform any function" - no matter HOW menial it may appear to an experienced IT specialist.
    b. the access...is unauthorised - attempts *were* made to conceal the information, no matter how pathetic.
    c. "he knows...this is the case" - Pretty self evident from the article.

    All in all, I'd say bad show from the TDWTF, stick to anonymity, or wait until April 1st next time...

    ...but also, if those comments are genuinely from HSG, grow up and get some professionalism - you're an embarrassment.


    The below link is unauthorized. Only authorized people can click on it.

    A secure link.
  • jtl 2008-02-29 17:44
    *link is authorized
  • jtl 2008-02-29 17:45
    Or maybe not. Whatever.
  • Péter 2008-02-29 17:47
    TRWTF here is that only a few comments have pointed out so far that the real WTF is that what the company is trying to keep secret is advertisements. Stuff that just wants to be as friggin public as possible. It is so funny I feel sad. Guys, I think you just blew my funny-fuse.
  • Samantha Joy 2008-02-29 17:47
    Someone DID tell them. They responded to this story, after all, and the information is right there.

    Oh, this made me break something laughing. Thank you so much for sharing.
  • Heh 2008-02-29 17:50
    What really cracks me up about the "webmaster" changing the password to stop "hackers" is that he's probably also sending out company-wide emails with the new password every time he does it. That means that everyone in the company is getting an email every 3-4 minutes saying, "Sorry, guys, for technical reasons, the new password is: zzzzzzzzzz"
  • Dron 2008-02-29 17:52
    For those who haven't looked at the fax they sent, they included a copy of their privacy policy on page 2:

    "As part of our business relationship we do not sell or share your company info with outside companies. You are carefully protected by a privacy policy where your company information is strictly confidential and we're serious about maintaining it."

    It is just another fun piece of irony.
  • Peter Lombardo 2008-02-29 17:52
    Has anyone tried a google search of pasuser(form) yet? It seems they're not the only ones to use this. It's more likely that they just copied and pasted this function from one of these links.
  • Intchanter 2008-02-29 17:52
    Okay, this is getting too hilarious. If you actually look at some of the listings in the Google cache (no access to FSG's wonderful site or any information they could possibly claim was secured), their listing is indexed by state and category.

    But if you look at some of them, you'll see that in many of the sections so indexed, they have companies in Montana in a Utah page and one Nevada page only had a North Dakota and a Colorado company listed.

    I only checked a couple, but it was enough to convince me that there are probably /many/ more examples.

    It does appear to be a scummy operation, and a poorly run one at that. (And for the legally inclined, nothing stated in this post is conveyed to represent fact except those elements that you can independently verify by your own "m4d ski11z" (heh) with publicly available resources.)
  • anonymous 2008-02-29 17:54

    Somebody should tell them that changing the password will not help as long as the password is written there...


    Done, in an email. I also explained that viewing the source is not hacking -- hacking requires actively exploiting a vulnerability or cracking passwords.
  • Junkman 2008-02-29 17:56
    jtl:
    *link is authorized


    Ok, lets take it step by step:

    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer

    Yup, got me there, I could easily click the link out of interest.

    (b) the access he intends to secure is unauthorised

    If you were linking to a database of your customers' personal details, no matter HOW inadequate the protection, there would MOST DEFINITELY be a case for unauthorised access. You're linking to google, hardly unauthorised information.

    (c) he knows at the time when he causes the computer to perform the function that that is the case.

    This is the point where the case is argued - would I expect you to put a direct link up to your customer base? No... by viewing the source code, discovering addresses and THEN making contact with the unauthorised information...?

    uhhhh.... not good....
  • Anonymous Citizen 2008-02-29 18:02
    It appears they moved most of the pages...too bad they can't take them out of Google's cache!

    http://72.14.253.104/search?q=cache:ERN77rvMocoJ:officers.federalsuppliers.com/74/74_pa.htm+agents+site:federalsuppliers.com&hl=en&ct=clnk&cd=10&gl=us&client=firefox-a
  • Thelonious 2008-02-29 18:05
    Yes, I had always assumed that the anonymity was there to protect the submitter from retaliation, not to protect the company from ridicule. In this case, there is no need for anonymity. Nothing I've seen so far strikes me as "unfair" to this company - a few of the comments are perhaps a bit unkind, but if the original story is to be believed (not to mention posts by supposed employees), then that's entirely understandable.
  • Stephen 2008-02-29 18:05
    Sounds like these scammers need to be reported to the FTC.
  • David Masover 2008-02-29 18:06
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation.

    You did that yourselves. For what you are charging, you should be able to hire someone who has a basic understanding of how the Internet works.
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work.

    Care to list any of them?
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    you are hurting the feelings of many good employees and customers by your immature actions.

    Because blaming other people for your own insecurity is very mature.

    Also: Who, exactly, has been hurt by what was exposed? How have they been hurt?
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    sorry our site wasn't protected to your standards

    This is not "our standards". This is common sense. You are giving out the username and the password, and hoping people don't realize they have them.
  • jimmy 2008-02-29 18:06
    So sorry. My bad.

    I do believe this will become a legend in the vein of the great Paula.

    Brillant!
  • jtl 2008-02-29 18:06
    Junkman:

    No... by viewing the source code, discovering addresses and THEN making contact with the unauthorised information...?

    (I don't have a 'secure' database to link to, use your imagination and pretend it's not google)

    I guess my point is, by curiously viewing the source code (legal), he could see the address of the agent page.

    You can not list an html address, and say 'but it is confidential, don't go there'. This is where Alex found himself. (and where I was poorly attempting to replicate with my google link) They did not secure the page whatsoever, they just didn't directly link to it on their page. Thus google was able to cache it, because it's a public page.

    Your web server is on public domain, I am free to explore it even if the files are named 'secret.txt'.
  • Abyssleaper 2008-02-29 18:09
    You may or may not be legit. The point of the thing is that your company's sales practices are shady, to say the least. The feelings of the company's employees aren't my concern. The only thing immature here is the poor security of your company's web site. You should be talking to your managers to get it rectified rather than rambling here.
  • jimmy 2008-02-29 18:10
    RxScram:
    jimmy:

    I'm awfully sorry for the operators of the site. They didn't expect the drubbing they're taking.

    But Dang! I have to print this out, put it on a wooden table, take a picture, print it, scan it, and call it Brilliant!

    Brilliant!



    It's not Brilliant... it's Brillant! See... no "i".

    Please, if you are going to use a former WTF, do it correctly!


    So sorry. My bad.

    Brillant!
  • markleo 2008-02-29 18:12
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation.


    The "security" on your site is equivalent to leaving a spare key under your doormat... and then failing to lock the door anyway. If this information is not supposed to be public, then you've failed in your obligations and deserve to be exposed. Anyone with the common sense to click "view source" on the login page could have discovered this issue independently.

    Frankly, if any of this information were actual government secrets, you would be the ones in trouble for not securing it properly. If you want to take out your anger, I suggest you contact the folks you paid to "secure" your site and explain exactly how they've failed in their obligations to you.
  • Abyssleaper 2008-02-29 18:12
    anonymous:
    Done, in an email. I also explained that viewing the source is not hacking -- hacking requires actively exploiting a vulnerability or cracking passwords.


    You could also argue that once the page is viewed, it's on your system and is now your property, right? :-)
  • bob 2008-02-29 18:14
    @FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    If you really are who you say you are, you need to learn a thing or two about the internets and what security is. No one hacked your site, you gave it away, you posted the password publicly. This is pretty sad if you are a government supplier, even a small family business needs to understand a little bit about internet security or hire someone who does to make your website.
  • Abyssleaper 2008-02-29 18:18
    Bob Dobbs:
    Check this out:

    http://www.google.com/search?hl=en&q=site%3Ahttp%3A%2F%2Fofficers.federalsuppliers.com%2F+&btnG=Search

    Due to their completely inept security google has spidered and cached all of the pages contents!


    Priceless. My guess is that they'll sue Google for "hacking" next.
  • Anon 2008-02-29 18:26
    I thought they had actually fixed it when I went to try. But then it turns out it was just noscript :D
  • Junkman 2008-02-29 18:31
    Ok, laying to one side the devil's advocate bit...

    This site appears to be hosted by matemedia

    Classy... I presume they took the $7/month option?

    I suppose they've got their money's worth of SEO now...
  • A Publishing company? 2008-02-29 18:35
    Domain: federalsuppliers.com
    Registration provider: MateMedia, Inc.

    Registrant
    Jim Sprecher
    Jim Sprecher
    ***@countrysidepublishing.com
    PO Box 1735
    Oldsmar, FL 34677 US
    +1.8139250195
    (FAX)

    Administrative
    Countryside Publishing Company
    Countryside Publishing Company Inc.
    ***@countrysidepublishing.com
    3135 SR 580 Suite 6
    Safety Harbor, FL 34695 US
    +1.7277263400
    (FAX)

    Billing
    Countryside Publishing Company
    Countryside Publishing Company Inc.
    ***@countrysidepublishing.com
    3135 SR 580 Suite 6
    Safety Harbor, FL 34695 US
    +1.7277263400
    (FAX)

    Technical
    Countryside Publishing Company
    Countryside Publishing Company Inc.
    ***@countrysidepublishing.com
    3135 SR 580 Suite 6
    Safety Harbor, FL 34695 US
    +1.7277263400
    (FAX)

    Record created on May 18, 1997
    Record last updated on November 13, 2006
    Record expires on May 19, 2008

    Domain Name Servers:
    NS.RACKSPACE.COM
    NS2.RACKSPACE.COM
  • Franz Kafka 2008-02-29 18:39
    Stenvne:

    Hey, Good on you for doing the research, however you fail to take into account that a web page (code content) being pushed to an individual's computer becomes public domain and is not protected in the manner your research implies.

    Respectfully submitted


    Public domain? You're kidding, right?
  • Reality 2008-02-29 18:43
    The funny bit is, no one hacked anything. The user name and password are visible with just one mouse click. They are essentially being broadcast for anyone to see. There is no legal recourse in this matter, because your website is actually telling people what the login is in plain view.

    Instead of going after the millions of people that can easily access your "secured" website, you should be more worried about all of the pending lawsuits from people whose information was compromised by a company that is essentially handing out access to their database to anyone with a computer and a right mouse button.

    You have been betrayed by the company you work for by their inexcusable gross negligence.


  • Yep 2008-02-29 18:43
    This company is enbreastled to run their operation however it pleases them.
  • anon 2008-02-29 18:44
    How dare you provide a reasonable argument in the midst of a flame war? Good show sir, Good show!
  • Jim 2008-02-29 18:45
    To FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:

    I feel for you, since I imagine this wasn't your fault, but this isn't "hacking". Anybody with the slightest bit of tech knowledge will figure this out.

    Do your company a favor and secure the page with htaccess, then go look for a real developer. I doubt anyone means your company any real harm, and we aren't slandering it. It's just rather funny how unintelligent that login box is :).
  • mister 2008-02-29 18:49
    jimmy:
    I do believe this will become a legend in the vein of the great Paula.

    Not unless we come up with a short and easy to remember meme such as "Brillant" or "FILE_NOT_FOUND" :(

    Hurry up, guys! The time is running out!
  • anon 2008-02-29 18:55
    Oh you didn't post the DNS!

    Hurry everyone call and report this to Jim.

    I smell a job opening.
  • Anonymous 2008-02-29 18:55
    TRWTF is all the comments from people thinking that the page was actually password protected in the first place and bothering to copy out and enter the username and "password".
  • Ametheus 2008-02-29 18:56
    umm...:
    Sounds to me like their web guy is a TDWTF frequenter...how else could they have known about today's topic so quickly?

    I don't think so, a quick WHOIS revealed an email address. Alex, or any TDWTF frequenter could easily have let them know.
  • Dude 2008-02-29 18:58
    This is just too good to be true! It's gotta be some sort of "Lead Day" trick!!

    HAHAHA!
  • HAX0R.EXE 2008-02-29 18:59
    mister:
    jimmy:
    I do believe this will become a legend in the vein of the great Paula.

    Not unless we come up with a short and easy to remember meme such as "Brillant" or "FILE_NOT_FOUND" :(

    Hurry up, guys! The time is running out!


    Hmm, maybe:

    var password = "secure"; or
    alert("PLZ don\'t hax0r our site!");
  • some guy on the internet ... 2008-02-29 19:04

    I'm sure it's frustrating that your "security" is the punchline to a joke that you don't get, but it really is your fault that it's so laughable.

    You should read and understand the comments before accusing the writers of lying. Everything there is true. They're about your "security" and not about your business as a whole.

    You're essentially using a combination lock with the combination written on it, which, honestly, is moronic if you expect it to work.
  • zzo38 2008-02-29 19:06
    Did anyone tell them about the bad programming on the site? Maybe it is a web-site service provider where you can't run server scripts? In that case, tell them to change the provider. If that cannot be done, another way is to encrypt the page on the client side and use the given password to decrypt it also on the client.
  • Evert 2008-02-29 19:16
    Oh man.. lynch this scammer
  • Cronus 2008-02-29 19:22
    Jazz:
    My new business plan:

    1. Start contacting companies in the directory.
    2. Let them know that you discovered their information on the federal supplier's guide.
    3. Tell them that the security on the site can be easily bypassed.
    4. Explain that this allows lots of people who are not Federal Procurement Peons to see their company's listing.
    5. Explain that this is really good for their exposure and will lead to lots of new business.
    6. Let them know that for the small, nominal fee of $5,000, you will post instructions on how to access the directory all over the web, in order to give them that exposure.
    7. ????
    8. Profit!


    Fixed that for you.
  • Homer Simpson 2008-02-29 19:29
    OMIGAWD!

    Stop it. You're making my sides hurt... I can't stop laughing.

    "It's rude". Welcome to the internet, moron.

  • Smash 2008-02-29 19:35
    JL:
    No, it's the equivalent of an open doorway with a sign next to it saying: "Please say the password aloud. ... If you said 'eggplant', you may enter the doorway. Otherwise, please leave."


    You're close... it's more like a closed doorway with no lock at all, and your sign is right beside it. The owner still could claim you pushed a door you weren't enbreastled to... if there wasn't a truck-sized hole on the wall next to the door (you could use the URL and avoid the "auth" script)
  • J 2008-02-29 19:35
    Now the page has been moved to: http://www.federalsuppliers.com/warning.html

    But they still haven't figured out they need to remove the login/pass from the source...
  • Mark 2008-02-29 19:39
    I just found it too, and it's clear that they are incompetent; they changed the password and user name to zzzzz and fffxxx, but it's still right there in the page source. Morons.....
  • Sam Snead 2008-02-29 19:40
    Are you retarded? Seriously?
  • Cry me a river 2008-02-29 19:43
    Pull out the Kleenex and wipe your tears there's a reason to PAY somebody to build your Web site. You should be blaming the idiot that built the Web site not the people that aren't falling for the slick phone salesman saying anything he can to make his commission.
    Being ignorant is no protection under US Law.
  • Chris 2008-02-29 19:44
    what a joke ...
    their new url: http://www.federalsuppliers.com/warning.html

    and the new code:
    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="zzzzzz") {
    if (form.pass.value=="fffxxx") {
    location="http://officers.federalsuppliers.com/agents.html"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }
    //-->
    </script>

    I just love incompetent people, don't you? They are absolutely great for business ...
  • AC 2008-02-29 19:45
    Wow, comments are on page 8 already.

    Great to see a live WTF/scam directly from Alex, hilarious!
  • Zombie_Hunter 2008-02-29 19:45
    Junkman has a point. The REAL WTF is actually the UK Computer Misuse Act.
  • Anooyyymous 2008-02-29 19:46
    The best part of this is I bet they are sending out company-wide e-mails to let everyone know about the "password change".
  • Cronus 2008-02-29 19:49
    Not that there is much to be gained from the listing of businesses, people need to learn that bad security leads to bigger problems.

    Google Hacking

    Just be thankful FSG that you are getting this "review" of your security for free. And that there isn't any more holes that real life hackers can use. Oh wait, if posting the username and password into view source is their version of "security", I would personally HATE to see what security they put up for more CRITICAL information... like say, CREDIT CARD NUMBERS! If I was you FSG, I would take a long HARD look at your security, and make sure that it IS as secure as you THINK it might be.
  • ObiWayneKenobi 2008-02-29 19:54
    Countryside Publishing, eh? I seem to recall once applying for a.. Website Manager job, I think (something like that, it was a management level position) and never receiving a reply back from them, several months ago.

    So... whoever you folks hired to do the job was clearly a bozo, or hired bozos. Makes you regret not giving me a call now, doesn't it?

    FWIW I contacted the company and informed them of how bad the site security is. I even offered to provide them consulting services as I live in the vicinity. I doubt I'll hear anything from them, but if I'm lucky I might have my 'fist!!11' customer for my new consulting business.
  • emurphy 2008-02-29 20:12
    elias:
    spacecadet:
    L. Ron Paultard:
    Aren't all you wienies, I mean geeks, just so proud of yourselves?...

    The business is located in Palm Harbor, FL. That's 11 miles from Scientology HQ, Clearwater, FL. The above comments are textbook examples of a Scientologist "debate" technique called Bullbaiting.


    "Bullbaiting"? What, L. Ron Hubbard couldn't spell "ad hominem attack"?

    He made up new words for everything...


    Well, sorta.

    MM:
    TRWTF is that people keep saying they should get better security, when the only reason they could even want security on that site is to keep people from checking their references like happened in the original story. If they were legit, they would be trying to open up and advertise their site, so that their clients who paid so much to be listed might actually get some traffic off of it.

    Putting username/password boxes on a page while telling everyone who goes to that page what the username and password should be (and telling them where to go directly without putting in that name/password) is something we can laugh at them about, but what identifies them as a scam isn't that they had laughably bad security, it's the fact that they had clearly wanted to have security there.


    This is absolutely the Real WTF, and ties directly into the following:

    umm...:
    What's really interesting is...despite the fact that this story was posted today - somehow, some way this company has such a small amount of web traffic that they were able to come in to work, notice a bunch of click-throughs from TDWTF, visit here, leave comments, and change their page multiple times since. In fact, they knew this story was posted before I did, and I visit here pretty much daily.

    Hmm...

    Sounds to me like their web guy is a TDWTF frequenter...how else could they have known about today's topic so quickly?


    I bet what happened is that someone did indeed call some of the companies on the Super Sekrit List, and some of those companies turned right around and called Federal Suppliers to ask them "WTF, mate?" directly. The comments that've been flying here are probably nothing compared to the fit that's been hitting the shan over there.

    Franz Kafka:
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    ("4 kids" sob story snipped for brevity)


    Okay, who's trolling? Nobody could be this stupid in real life.


    Instaneous:
    What's the wtf comment record? We gotta be getting close.


    To both of these questions, I present the only-recently-deceased Desktop Search Showdown. That thread was made of win, and for the same reason as this one (only an order of magnitude more so): the purveyor of the original WTF just insisted on coming back around over and over and over with a fresh supply of new WTFs.
  • kerohazel 2008-02-29 20:13
    Smash:
    JL:
    No, it's the equivalent of an open doorway with a sign next to it saying: "Please say the password aloud. ... If you said 'eggplant', you may enter the doorway. Otherwise, please leave."


    You're close... it's more like a closed doorway with no lock at all, and your sign is right beside it. The owner still could claim you pushed a door you weren't enbreastled to... if there wasn't a truck-sized hole on the wall next to the door (you could use the URL and avoid the "auth" script)


    Is this a clbuttic case of swear filtering?
    (http://thedailywtf.com/Articles/The-Clbuttic-Mistake-.aspx)
  • no name, thanks. 2008-02-29 20:46
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    That's funny, it switches from "we" to "me/my" in the middle. And doesn't use proper grammar or punctuation. Some TDWTFer want to take credit for this, or shall we judge that their legal representation, *that would post comments to a forum*, is on a level with their website security?
  • Anon 2008-02-29 20:46
    Their MySQL is on 3306 if anyone wants to try
  • Jimmy 2008-02-29 20:55
    Lol this organisation is ridiculous, cheap mock-up scam that can't even 'invest' in an easy server based php login system
  • Anon 2008-02-29 21:00
    Also someone smarter than I could probably go this route: ftp://federalsuppliers.com
  • Barry 2008-02-29 21:03
    Haha, you're going to jail
  • Silentbob 2008-02-29 21:03
    I agree!

    And that employee comment, legendary comment! LUSER !!
  • real_aardvark 2008-02-29 21:04
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.

    Oh Jeez, this must be the fourth time I've promised myself not to respond before reading through the posts. Three hundred is a little extreme, though. I just have to; then I'll read the posts.

    This is hysterical. Alex (not you, the other Alex), buy this man a capital letter. (Whoops, that's not Wheel of Fortune, is it?) Even punctuation would help.

    This has got to be the best WTF ever, by far. Not only was the javascript insane; not only was the salesman insane; not only is this hurt response insane; but you've actually managed a Geraldo-level exposé.

    And it's funny. Which is the main point.

    Now I'll go get a beer and read the other posts. LOL.
  • real_aardvark 2008-02-29 21:11
    Lucy:
    As an employee of the company, I was just made aware of your site. Our company is legitimate and we're not a scam. The fact that our site security is weak is something we are addressing. We are staffed with good people, we offer a great service, and you are trying to ruin our reputation. You are crossing legal lines.

    I am asking you to stop your actions immediately.

    Would that be the first, second, third, or fourth series, Lucy?

    Never mind. They're all comedy classics.
  • no name, thanks. 2008-02-29 21:14
    Um, no, good people feel a sense of moral responsibility when writing code or script, a sense that leads one to learn how to do things properly, rather than half-buttockedly, so whoever wrote your website fails the test of "good people."
  • CC 2008-02-29 21:14
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation.


    I really hope that's real. I don't think it's the "hackers" that are damaging his reputation...
  • real_aardvark 2008-02-29 21:15
    dpm:
    Lucy:
    As an employee of the company, I was just made aware of your site. Our company is legitimate and we're not a scam. The fact that our site security is weak is something we are addressing. We are staffed with good people, we offer a great service, and you are trying to ruin our reputation. You are crossing legal lines.

    I am asking you to stop your actions immediately.


    Μολὼν Λαβέ.

    WTF has this to do with loony Greek gun-fetishists in Wyoming?

    Oh ... I see what you mean.
  • jorge_sur 2008-02-29 21:21
    RevLee:
    Don't blame them for insecure code, it's not even original code. This site http://www.2createawebsite.com/enhance/password-protect.html offers a familiar looking free script to protect your site:

    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="userID") {
    if (form.pass.value=="password") {
    location="page2.html"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }
    //-->
    </script>


    Which is what you have to do. Not on the client side, not comparing strings and with some java voodoo in between. But those are minor details
  • real_aardvark 2008-02-29 21:27
    Just repeating this in case anyone missed it the first time.
    L. Ron Paultard:
    The business is located in Palm Harbor, FL. That's 11 miles from Scientology HQ, Clearwater, FL. The above comments are textbook examples of a Scientologist "debate" technique called Bullbaiting.

    I guarantee half of this company's employees are Scientologists.

    Fuck that thing about four kids. Even Florida social services will look after them better than L. Ron Hubbard.
  • Bob 2008-02-29 21:32
    <script type="text/javascript">
    window.location="http://google.com";
    </script>


    This post is encrypted using 2ROT13. Unauthorized decryption is a violation of the DCMA.

    Ha ha now I can sue everyone and get rich!
  • real_aardvark 2008-02-29 21:34
    this webcomic is a wtf:
    WHATS THE MATTER WITH TRAILERPARKS?

    they tend not to understand the sarcastic implications of uppercase that's what.
  • mouseanon 2008-02-29 21:42
    I am hoping this jackass is a troll, if this is a real reply....

    /facepalm

    captcha: odio (shouldn't that have been odious?)
  • k3n 2008-02-29 21:43
    If you are a professional, offering professional services which may contain the transmission of potentially sensitive information, it is your obligation to properly secure your website. That goes for anyone with a routable IP.

    Now, I don't really care if you're a legit business or not. Well, actually I do, but that's not why I'm responding. I'm responding because you're way off-base here, man. Unless the "appropriate authorities" that you're referring to actually are ninja developers, in which case I guess the joke's on me!

    I would go as far as to say that a vast majority of the readers here at The Daily What The ..., I mean.. Worse Than Failure, could've done the same thing as Alex. Don't take that as braggadocio, either - it's a slam against your site's "security". Said security is equivalent to hiding your car key in the gas tank; _when_ your car gets stolen, the insurance company will laugh at you (while they deny your claim on the grounds of stupidity).

    Spend some money (gasp!) and fix your site. And let me give you a hint here: don't hire a government contractor for the job ;)

    p.s. your domain registration is about to expire.
  • real_aardvark 2008-02-29 21:48
    Lucas:
    Google also hacked your site:

    http://www.google.com/search?q=site:officers.federalsuppliers.com&hl=en

    I suggest you bring the full force of your company's legal team, which I assume consists of a man who drinks gasoline and a golden retriever, to bear on this hacking problem.

    How do you drink a golden retriever?

    Just asking. I figured this dialog could benefit from a bit of grammar nazi-ism...
  • real_aardvark 2008-02-29 21:57
    John:
    Bob Smith:
    This is the same as leaving your wallet with your bank card and a note that has your PIN at a restaurant.

    No, because even with the PIN and the card, accessing his bank account is illegal *and* you can't just walk up and access his bank account by knowing his branch address and nothing else.

    This man has an aardvark. On a pedestal. He has a velvet rope surrounding the pedestal. He has a carnival hawker crying "Guess the secret word and SEE THE AARDVARK! You can't see the aardvark if you don't guess the secret word!".

    And, of course, everyone is just looking *around* the carnival barker, over the velvet rope, and pointing out to him that that's no aardvark, that's a raccoon with a skin condition.

    Do you mind? Many of my best friends are raccoons. Some of them even have psoriasis. And the secret word is We interrupt this broadcast with an important message: the secret word is Criminon!
  • Anonymous 2008-02-29 22:29
    I came across a site a while back with similar security.

    The awesome thing about it was that they actually went the extra mile to (lightly) obfuscate the javascript they used to check the password, but the "secret" URL they were protecting was simply the form element's action attribute. The script would just return false to the form's onsubmit event if you didn't type the right password (which could be easily seen in the urlencoded script anyway).
  • el_oscuro 2008-02-29 22:38
    I have lynx:

    Index Government Work Securing Federal State GSA Contracts Listing ... (p1 of 4)





    >>> Check Out Our Banner Advertisers Here
    *
    * HOME
    * Company
    * GSA
    * Federal Regulations
    * Guide Layout
    *
    * Distribution
    * Procurement
    * Agents

    If you call up the "agents" link, it displays:


    Federal Procurement Officers
    This site is reserved for Federal Procurement Officers only.

    Purchaser Login Area

    User: ____________________
    Password: ____________________

    Reset

    [BUTTON]

    Infobar

    More About GSA

    A GSA Schedule Contract permits you to create customer loyalty,
    increase awareness, and quickly make contract deals through BPAs and
    Teaming Arrangements. LEARN MORE

    Questions?

    If you have any questions about the Directory, just send an email to:
    info@federalsuppliers.com

  • Anon 2008-02-29 22:38
    Then PLEASE spend a few bucks on a web coder to properly secure your website. You are putting your information at risk.
  • Pub1 2008-02-29 22:59
    Hmm, this is a legitimate business that sells overpriced stuff with somewhat high pressure techniques, to presumably unsophisticated businesses.
    I sense the "idea" behind the so-called secure area is not to be too secure -- if you are a government purchasing officer, you would be given password access anywhere and since there are no state secrets here, real security isn't essential.
    But that doesn't change the fact that this service is very poor value and most of the 'stuff' is the selling, not the substance.
  • Smash 2008-02-29 23:02
    kerohazel:
    Is this a clbuttic case of swear filtering?
    (http://thedailywtf.com/Articles/The-Clbuttic-Mistake-.aspx)

    Yes, and I was pretty sure someone would get the joke. It was only a few days back after all.
  • _ 2008-02-29 23:12
    tl;dr
  • SP 2008-02-29 23:15
    Wow, so many comments.

    Yea go ahead report me for hitting your website. I dare you to come get me. I double dare you. Come and get me.

    Come on... Come get me for accessing your "secure" junk.

    Anyway. Your company is slime. What you are doing is legal, but it is slime. I know it, you know it. You got caught redhanded.

    Shut up and take it like a man.
  • hahahaha 2008-02-29 23:33
    sorakiu:
    From the story above, it was not obvious to me that they were scammers.


    This comment leads me to believe you'd be an ideal customer for my new business.

    Are you insured against large, seabound mammals? No? Then your family could be at risk!

    Call 555-7894 and buy new Walrus Insurance today!
  • S 2008-02-29 23:34
    Seriously? This is a joke right? Learn to capitalize letters, use commas, and add spaces between words like "work and." The grammar alone shows that the people running this company are ill educated in the least.
  • Travis 2008-02-29 23:35
    I really hope you're kidding. Your security not being "up to our standards." You know, I had a security system for this awesome fort I built when I was 10. Whenever my parents approached, I would say, "You have to say 'password' to enter."

    Yeah, that's what you guys did on your site.
  • Nobody 2008-02-29 23:42
    Apparently google hacked your site also

    http://www.google.com/search?q=+site:federalsuppliers.com+federalsuppliers.com&hl=en&start=30&sa=N
  • ...... 2008-02-29 23:44
    sounds like a scam
  • Ya-wish 2008-02-29 23:51
    Wow. With that kind of grammar and spelling you are either a troll or lucky to have a job. Good luck with that career! ;)

  • Hacker 2008-02-29 23:52
    Oh man did I hack the crap out of this sight.
  • ReiserificK 2008-02-29 23:54
    Okay everyone, it's time for a family friendly activity: Google Bombing! (I'm aware it's not as effective as it used to be with Google, but it works just fine for other engines :p)

    So, paste this html tag everywhere and anywhere in comment sections/forums of popular websites:

    <a href="http://www.federalsuppliers.com/">heinous scam</a>

    Enjoy!
  • LOL 2008-02-29 23:55
    own fault, this is so lax on security. it's like locking your house and hanging the key on the front door. and then claiming someone "broke" into your house.
  • Sam 2008-02-29 23:56
    Tell them for a couple hundred dollars you can secure the page for them.
  • Thomas 2008-02-29 23:56
    QQ

    Hire someone who knows PHP and MySQL. Javascript is not, and never has been, a way to "secure" a webpage. It just says a lot if you're too lazy to create a website properly.
  • Thomas 2008-02-29 23:57
    Thomas:
    QQ

    Hire someone who knows PHP and MySQL. Javascript is not, and never has been, a way to "secure" a webpage. It just says a lot if you're too lazy to create a website properly.


    That was intended for the guy from the "company" who posted on the first page of comments.
  • Some Guy 2008-02-29 23:57
    US Bank, where I formerly had my mortgage, did something like this too. In order to make a payment you had to verify by entering the last 4 digits of your SSN. Sure enough in the HTML was javascript with the last 4 of my SSN in it.

    I complained about it and the response: "We don't run that site."

    I complain again, threaten to take my business elsewhere: "We'll give you a $5 credit as part of our 5 star guarantee!"

    Six months later the problem still exists and I've transferred my mortgage to a different bank (at a lower rate).
  • Squiggly 2008-02-29 23:58
    While I can empathize with the position you've found yourself in, anyone - ANYONE - with any kind of web development background would have been able to 'hack' your site, which - on the internet - is a hell of a lot of people. You are lucky that this situation was brought to your attention the way it was and not used against you in some way. There are people out there who could have done some serious damage to your business and would never have told you about it.

    The site is offline, you still have your clients (which you should notify as soon as possible so they at least know you're dealing with the situation) and you can have your site improved to include some ACTUAL security and not just some crap scripted dialog box. I'd say that you're in a far better position than some small businesses who actually get hacked with malicious intent. Deal with the problem at hand, and forget about pursuing a lawsuit unless you have a lot of spare cash lying around you're willing to give to lawyers, as you have absolutely no case whatsoever. Your site was not secure and you had your clients' data exposed, and as such YOU would be more liable than this guy you were trying to sell to.

    You would be well advised to correct your errors and continue to do business rather than attempt some kind of legal retaliation.
  • Smarterthanyou 2008-03-01 00:01
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    Because if you have a huge contract like that, you MUST be too cool to capitalize your sentences and proper nouns, use accurate spelling, or even lie convincingly. LOL you have our data. Right. Next time, try using a more secure login form. Like, you know, something that maybe is more like if(userid==5*49) {ok=true}, then it'll only work if it's 245, and nobody can figure THAT out.

    BTW the CAPTCHA was "odio", which is "hatred" in Spanish. ^_^
  • Gehn 2008-03-01 00:01
    Somebody should tell them that changing the password will not help as long as the actual address it points to is written right there...
  • J.S 2008-03-01 00:01
    Serious giggles man. Serious.
  • EpicLulz 2008-03-01 00:03
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    Sorry to say it buddy, but nobody "hacked" your site. You put the login and password right in a publicly viewable source code. That's the same as locking the front door to your house and hanging the key on the doorknob...any bloke's gonna see the key and get into your house and the insurance company wouldn't pay a cent. If you want a secure site go learn yourself some PHP...or at least basic cryptology. Also look into what HTTPS means :).

    P.S. save yourself the embarrassment and don't call anyone. Don't email anyone. They're just going to laugh maniacally at you. Viewing the source code for a web page is not illegal anywhere in the world and if the credentials just happen to be in there...well epic lulz to you my friend.
  • kodek 2008-03-01 00:05
    Ha! You lost all credibility when you said you had their information.


    ...kids these days...
  • Logic Man 2008-03-01 00:07
    So, anyone want to play "Identify the logical fallacies"?
    1. Let's start with "i have worked here with my wife for 10 years now .... I have 4 children" this would be ... Ad Hominem - attacking the integrity of the "hackers" related to this site.
    2. Which brings us to "hackers". This would be ... Hasty Generalization? Fallacy of composition? and\or, of course, Post Hoc, Ergo Propter Hoc.
    3. "I am proud to work here and help small businesses obtain government work". This would be ... Red herring? Flat out irrelevant?
    4. "you are being reported to the appropriate authorities ... we have your information ... you should have protected your info a little better". Classic appeal to fear.
    5. And finally (though feel free to identify more), all the quoted examples in the last 'paragraph' would fall under Fallacy of Composition, Oversimplification, appeal to ignorance (specifically knowledge of statistics and when they're meaningful), and potentially distorting the facts and Post Hoc, Ergo Propter Hoc.

    These are, of course, well known logical fallacies, easily locatable from a variety of sources. However, today's logic comes courtesy of "Critical Thinking, Reading, and Writing: A Brief Guide to Argument":
    Barnet, Sylvan, and Hugo Bedau. Critical Thinking, Reading, and Writing. 6th ed. Boston: Bedford/St. Martin's, 2008.
  • Anon 2008-03-01 00:08
    Shill. There's nothing secure about that in the slightest. Hire someone who actually knows how the web works next time you design a site.
  • lol 2008-03-01 00:09
    hilarious, but I seriously doubt you're really the guy that runs that scam
  • Someone 2008-03-01 00:11
    No hacking was ever done... this information is publicly available, since you have it in plain text in your source code. It is most definitely not secure... at all. Period. I haven't gone there and I don't have any desire to, but you really should tighten that up if you want to have ANY credibility, but after this incident I don't think you will.
  • Eric 2008-03-01 00:12
    Dude, this isn't even close to being up to my standards. Why don't you just use the basic .htaccess file that your server provides, for god's sake (looks like Apache at least). Just do a search for ".htaccess apache" and find some 12 year old to set it up.
  • Anonymite 2008-03-01 00:13
    They didn't take it down, it seems they've just moved it to a new page: http://www.federalsuppliers.com/warning.html
  • Idiot 2008-03-01 00:13
    If you're making such a considerable amount of money via commission for your customers then why can't you get a programmer that has even a remote sense of encryption or alternative login technologies to program a login system for you. In case you weren't notified, security is the biggest investment in companies that have any basis in technology.
  • anon 2008-03-01 00:14
    LMAO this is a great troll I love it!

    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.
  • rt 2008-03-01 00:15
    or better yet, remove the location= URL
  • Matt 2008-03-01 00:16
    Hate to break this to you, but entering in a username and password that is visible in plain sight isn't hacking. Not even close. I am sure you have reported it and I am equally sure that whoever you reported it to had a good laugh, showed it to everyone in the office, who also had a good laugh, and then chucked the complaint in the bin.

    If that is what you consider "secure", then your company is incompetent and your investors should be compensated as you are exposing them to extreme risk without cause.

    Find a new job.
  • anonymous 2008-03-01 00:25
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    i did it for the lulz.
  • Epic lolz 2008-03-01 00:26
    zomg! Clients Word > Your Word
  • Grandpa 2008-03-01 00:26
    Hey FSG, I have a question for you:

    Three players enter a room and a red or blue hat is placed on each person's head. The color of each hat is determined by a coin toss, with the outcome of one coin toss having no effect on the others. Each person can see the other players' hats but not his own.

    No communication of any sort is allowed, except for an initial strategy session before the game begins. Once they have had a chance to look at the other hats, the players must simultaneously guess the color of their own hats or pass. The group shares a hypothetical $3 million prize if at least one player guesses correctly and no players guess incorrectly.

    What strategy would you use?
  • Bruce 2008-03-01 00:27
    Awww, now they've taken the whole thing down:


    Not Found
    The requested document was not found on this server.

    Web Server at federalsuppliers.com

  • lemons 2008-03-01 00:29
    I hate to break it to you, but there really isn't any "hacking" at all involved in "destroying" your website. The username and password are available to anyone with a web browser.

    Although I do feel that it is a little irresponsible of the author of this article to actually post real URLs, it was only a matter of time before somebody went to view->source in their browser.

    If developing a login system is too difficult for your company at the moment, at least look into basic authentication. It is a very simple way to password protect a directory (and access to your .html file) and is easy to set up (depending on your web server, it can be just a matter of a config file).
  • Andrew 2008-03-01 00:37
    So what is your GSA contract number? Also, what does GSA stand for and who is your Contract Administrator?
  • chicagogreg 2008-03-01 00:39
    They took the target page offline. Maybe they are getting smart (er)?

    I wonder if this was one of those "Get Rich Quick on the Internet" scams you see on latenight TV?
  • schmeckelgruben 2008-03-01 00:39
    So, I entered their poetry contest, and they said I was a WINNER and they were going to publish two of my poems in a book! And the book is only $19.95 for the first copy or $34.95 for two copies of the book with my poems in it. But when I sent the $49.95 (including shipping) they never sent me the books. But I am a poetry contest winner!
  • Hackmaster 2008-03-01 00:40
    Yea, we so evil hackers try to ruin your scam, er, business. I'm ROFLing about all this matter. Might I interest you in a montres allison fine watch? Nah, forget it, I'm sure the irony of this offer is lost on you.
  • D 2008-03-01 00:43
    So it looks like some 198 web sites are running on that IP address - including quite a few sex sites - one wonders what kind of legit business would be piled in on a server like that.
  • comp.risks fan 2008-03-01 00:49
    2008-02-29 13:44 • by FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    (Big, painfully-embarrassing, unprofessional rant deleted.)

    This is the equivalent of my walking up to someone's door and noticing that the doorframe actually looks like it could be attached to the house with duct tape and then painted over to look like a real doorframe.

    I think: "NO WAY could someone be completely dumb to build it THAT way!"

    So I pull a little on the duct tape for the heck of it - and off falls the door AND the doorframe in one huge crash.

    Now I am stunned, seeing everything in the room. Next thing I know, the houseowner is screaming at me for breaking and entering and spying on his house and now they are calling the police.

    Similarly, the lovely folks at this Federal Suppliers Guide outfit blame Alex Papadimoulis for the online equivalent of pulling on their JavaScript duct tape. Wow... and they actually call THAT "hacking"? Do you Federal Suppliers guys know what hacking actually IS?

    So now they are screaming at the authorities and the folks on this website for justice. They are screaming at the wrong people. Why are they not screaming at whoever designed the security scheme for their website to START with? Who the heck IS their web developer anyway? I GOTTA know who could be either stupid or unethical enough to design a site like this for a client? What idiot charged them however many thousands of bucks for the digital equivalent of duct tape holding in a cardboard door and telling the client their website is "secure"? Amazing... just amazing.
  • Adi Oltean 2008-03-01 00:54
    In fact, Google has a cached version of some of the contents of http://officers.federalsuppliers.com

    http://72.14.253.104/search?q=cache:ruy01-8JMasJ:officers.federalsuppliers.com/neb.html+inurl:federalsuppliers.com&hl=en&ct=clnk&cd=5&gl=us

  • Jeff 2008-03-01 00:56
    Never trust a "professional" who types "should of" instead of "should have."

    So the new security is to 404 the page it leads to. I'll bet all of the federal agents who don't visit the site are disappointed to say the least!

    Of note, their site is not in Alexa's top 100k
    http://www.alexa.com/data/details/traffic_details/federalsuppliers.com

    but who here is surprised by that nugget of wisdom?
  • Duke 2008-03-01 00:56
    Hacking is hardly the word I would use... More like in-depth looking. You can't expect a website to stay secure when you have the login information hiding inside the HTML code.

    My point is: hire a real web programmer and stop using MS Frontpage...
  • Probes 2008-03-01 01:02
    By hackers you mean anyone who can read right? If I listed my username and password on a publicly viewable website or left the front door to my house open are people actually hacking or just walking in?

    FSG Customer support: "Omgz someone broke into our business office!"
    Cop: "orly?"
    FSG Customer support: "I had the front door open and didn't expect a skilled criminal to force their way into my private property!"
    Cop: "But sir you had a note on the door which read "Use key under the door mat to unlock door."
    FSG Customer support: "But that note was for our gullible naive clients, not for anyone who walks by..."
  • Mitler 2008-03-01 01:03
    You guys are idiots. Only a retard would put a password in a javascript within HTML. If you actually care about your security take it a bit more seriously.
  • Anon 2008-03-01 01:04
    HAH. That's the best website security I've ever seen!
  • Antoine 2008-03-01 01:06
    It sure looks like it's not legit...
  • comp.risks fan 2008-03-01 01:12
    Aw geez... I read from these postings that some outfit called cybertown-usa.com designed the site and its excuse for security.

    So I tried to find out who those "web experts" were - and they had no website. So I did a whois on that domain. No one was listed as owning the name.

    THEN I remembered that the site I used to check the domain name quickly attracts domain name squatters like flies on a you-know-what.

    OOOOPS... well, I guess maybe the original designer didn't want their domain back anyway...

  • Prince Kashzcam of Nigeria 2008-03-01 01:16
    Sir... I feel your pain. Ever since I was exiled from my home in Nigeria (I am a Nigerian prince, you see) I have felt the pain of such Internets Discrimination. Perhaps we can make common cause. If you can send me $5,000 dollars to my paypal account, registered to kashzcam666@spamalot.com, I will have the financial wherewithal to re-take my throne, and will thus be in a position to smite these slanderers.
  • Andrew L. 2008-03-01 01:17
    Looks like the script came from http://www.2createawebsite.com/enhance/password-protect.html

    Utterly pathetic.
  • Chris 2008-03-01 01:20
    I hope my personal information isn't protected like this with any other company. That is just irresponsible
  • Anonymous 2008-03-01 01:22
    If you guys are really dumb enough to use code like this on an internet facing website you deserve to get hacked. And furthermore have no business associating with the federal government. Why don't you take all that "legitimate sales" revenue and buy yourself a decent programmer who knows his ass from a hole in the ground. You're lucky this is your website and not your CC database, which I'm sure is equally secured by some 5 char password one of your 4 children can guess. I cannot believe a company with a supposed 5 year GSA contract can get away with security this weak...what a joke!
  • Juaughta Knoo 2008-03-01 01:23
    Bwahahahahahahaha!!!!
    pwned.
  • Truth 2008-03-01 01:23
    I believe that I may be just a bit senile in my mid-late teen age, but if this is some super secret private information that no one should have unless given, it should be secured better. A lot better. Who would be as dumb as to use a redirect log-in form, let alone call it "secure?" I'm currently debating whether to log-in or not based on the I-don't-want-an-idiot-judge-to-label-me-a-hacker thing.
  • Thomas 2008-03-01 01:24
    I'm curious with regards to the Computer Misuse Act. Suppose I create a web page with textboxes labeled for username and password and lower down the page I show the username and password. In addition, I write something on the page about not entering if you are not authorized. If I login, am I breaking the law? If so, then why have the login at all? Why not simply say something to the effect of "If you click this link and are not authorized, you are breaking the law." Why even bother with the login?
  • Agamous Child 2008-03-01 01:28
    A little more digging, and it looks like they have multiple security problems, from their online invoice payment system, to their open mailer forms for everything from applying for a job to uploading documents for printing.

    They opened themselves up for this by cold-calling.
  • dude, Man, braa 2008-03-01 01:29
    Umm ....So let me get this straight. You are mad because you and your wife work at a company that can't secure its own website. I suppose if you can't secure your website you can... oh I don't know ...../sarcasm Secure the personal data of all your clients /sarcasm Right. I mean it's no big deal, just change a plain text password and hey, no one has to live with identity theft. Here while I am at it let me sign you up at freecreditreports.com and lifelock so that way your children and wife don't have to starve to death in the coming months. In fact I know so much about yet another anonymous user that I will change the password again and present idle brainless threats that I can't back up, because hey, I can secure my website with a Frackin If Then Else Statement. I am God . . . . . . .
  • Mike 2008-03-01 01:30
    Ok, calm down. First, nobody did any hacking. If you know how to write simple code for password protecting a site, in which both the username and password or the site itself are obtainable independent of each other, then you have to be prepared to expect that others might know how to read code too. Heck, I never "hacked" a thing in my life and nor do I know HTML and I could have got the username and password.

    Second, the author of this blog wanted solid info before investing that much money and you just didn't want to give it to him. He was curious, went to your website (which is free and legal to visit), looked at the html code for it (which is free and legal and unavoidable) and found a direct link, let alone the password. No harm done, chill out, I mean, it's only on the front page of Digg, how bad could it be?

    Mike
  • Jack 2008-03-01 01:33
    You sir, are an idiot. A 2 year old could check the site's source code to get its password and a 4 year old can code a more secure site.
  • SaintAndre 2008-03-01 01:33
    If they really are putting up a huge database of contact info for government contractors, and the best security they can come up with is subverted by reading the page source...

    ...wouldn't that make them guilty of (at best) gross negligence, and (at worst)...treason?
  • George W. Bush 2008-03-01 01:38
    Don't worry, we got your info too Jim Sprecher. I'll make sure to nominate you for e-idiot of the century awards.
  • ha 2008-03-01 01:41
    sorry, but looking at the source code of a web page is not "hacking".
  • dtfinch 2008-03-01 01:42
    This ought to do it:
    // Builds the destination from the entered credentials, so the page source
    // carries no literal URL (the check itself still runs in the browser).
    function pasuser(form) {
        location = "http://officers.federalsuppliers.com/" + form.id.value + form.pass.value + ".asp?redir=agents.html";
    }
  • PeriSoft 2008-03-01 01:45
    You know, my company's site actually got hax0red once (phpbb vuln, turned out our managed hosting wasn't managed quite well enough). It was a deface, standard thing, "pwnt by superhaxors!" or whatever... and it had a link to their IRC channel.

    Did I go on their channel threatening to sue them and berating them for destroying my company?

    No. I did not. I said, "Hey, I'm from blahblah.com; looks like you guys found a vuln. Anybody know who did it?" and they said, "Oh, yeah, it was Joe. Hey, Joe!"

    So I chatted with Joe a bit, he told me about the method used for the deface, gave me some suggestions, and I tipped my hat and went on my way, older and wiser.

    It appears, however, that this is not part of the strategy employed by the business in question. I wish them luck with their chosen alternative.
  • Mania 2008-03-01 01:45
    So... if a website had this button:

    "ONLY ADMINISTRATORS MAY CLICK THIS BUTTON"

    Would clicking it count as hacking?
  • PeriSoft 2008-03-01 01:47
    Mania:
    So... if a website had this button:

    "ONLY ADMINISTRATORS MAY CLICK THIS ASSTON"

    Would clicking it count as hacking?


    Fixed that for ya.
  • bwahahaha 2008-03-01 01:48
    Nice. But they seem to have removed most of their content. Luckily, Google's cache still has a lot of it: http://www.google.com/search?q=site:federalsuppliers.com
  • gollum 2008-03-01 01:50
    This could possibly be the most advertising this site has ever received.....
  • GB 2008-03-01 01:55
    Richard Sargent:

    My captcha code was already in the IE drop list of previously used text strings. How secure is that?!?!


    Captcha is merely a spam filter, doesn't qualify as "security". For some websites with low traffic, an even more elemental captcha system (yes, showing the word as text! maybe with some naive HTML obfuscation!) is enough. It stops spamming bots that target any form with textarea + submit button.
    There is a difference between "security breach" and "annoyance".
  • emurphy 2008-03-01 01:56
    Logic Man:
    3. "I am proud to work here and help small businesses obtain government work". This would be ... Red herring? Flat out irrelevant?


    Pre-emptive denial. "We're not rip-off artists, really we aren't!"

    D:
    So it looks like some 198 web sites are running on that IP address - including quite a few sex sites - one wonders what kind of legit business would be piled in on a server like that.


    I bet it is indeed an amusing list, but how do you actually get it? (Yeah, this is a gap in my knowledge, I'm an application software guy, sue me.) At a guess, the answer to your question is merely "a cheap one".

    Also, this thread has got to be setting all kinds of records for number of users posting essentially redundant responses because they hit the whine from Father of Four and just couldn't wait any longer. No doubt this will convince FoF and Lucy beyond a shadow of a doubt that we are, in fact, a Huge Shadow Conspiracy bent on their utter destruction. Hee.
  • Jack 2008-03-01 01:59
    wow...just wow.

    Is this what happens when the nephew of one of the managers who is "really good at that internet thing" is allowed to design a website?

    I'm sure the guy who wrote "Writing Secure Code" just threw his hands in the air and said "I quit."
  • bahaha 2008-03-01 02:00
    roflmao
    great find.
  • nmn 2008-03-01 02:01
    That 'security' is a FUCKING JOKE. You suck and all of the programmers who passed that by do too. This isn't hacking by any means. The password is encoded in plain text on files sent to the client. The password protection needs to be server-side.

    Don't complain if people get around your security when it sucks so bad that it's done on the client-side.
  • Smash 2008-03-01 02:01
    TRWTF is definitely the huge amount of "in reply to 180051" to tell that guy how pathetic their security is. I guess most people here are failing their Spot Checks, because this has got to be a troll! Nobody is that stupid ( <10 INT? ) and can still put a couple words together. Or maybe there's a massive failure on sarcasm detectors everywhere except for a few?

    I almost hope that post was true, cause it granted us some great laughs.
  • Kelli 2008-03-01 02:09
    How incredibly pathetic. This isn't even "hacking." Hacking would imply that there was something secure there to be bypassed. This is the most amazingly inept piece of coding I've seen in a long time.

    Thanks for the laugh. :)
  • anon 2008-03-01 02:09
    man... it does make you wonder though.. how people can be so clueless and yet walk talk and interact like regular people... It makes me wonder if the person actually thinks that their legal threats hold any water.. ironically.. i bet he got your number from a similar such list... I bet the people within the system get passed around regularly as viable targets..... I hope you saved the list... If there is any truth to the list being useless i'm sure every single person on that list would appreciate being contacted... If the product is legitimate... no problem... If not... well.... I guess at the very least they should be informed that their data has been compromised by lax security measures.... who knows how many times before you too....
  • jpers36 2008-03-01 02:10
    Grandpa:
    Hey FSG, I have a question for you:

    Three players enter a room and a red or blue hat is placed on each person's head. The color of each hat is determined by a coin toss, with the outcome of one coin toss having no effect on the others. Each person can see the other players' hats but not his own.

    No communication of any sort is allowed, except for an initial strategy session before the game begins. Once they have had a chance to look at the other hats, the players must simultaneously guess the color of their own hats or pass. The group shares a hypothetical $3 million prize if at least one player guesses correctly and no players guess incorrectly.

    What strategy would you use?


    Is right-clicking your hat allowed?

    /50%!!!1!!
    //75%
  • Anon 2008-03-01 02:11
    What you don't understand is that your business pretty much got on the front page of Digg.com, so you should be happy about all that exposure. Not really slander IMO.
  • littlefire 2008-03-01 02:11
    So the next level of security will probably be to disable right-click using Javascript so that you can't view page source. Oh wait. *Brain explodes* Ctrl+U in Firefox isn't a right-click is it? :P
  • Ha 2008-03-01 02:13
    Yeah but the site is offline when you click login

    I suppose they should try something besides Javascript lol
  • emurphy 2008-03-01 02:14
    Here's a bit of gold from the Digg discussion. Let's fire up that eeeeeeeeeeeeeevil hacker tool known as View Source and look at their 404 page - y'know, the generic Apache thing? Well, not quite so generic:

    <!--
    - Unfortunately, Microsoft has added a clever new
    - "feature" to Internet Explorer. If the text of
    - an error's message is "too small", specifically
    - less than 512 bytes, Internet Explorer returns
    - its own error message. You can turn that off,
    - but it's pretty tricky to find switch called
    - "smart error messages". That means, of course,
    - that short error messages are censored by default.
    - IIS always returns error messages that are long
    - enough to make Internet Explorer happy. The
    - workaround is pretty simple: pad the error
    - message with a big comment like this to push it
    - over the five hundred and twelve bytes minimum.
    - Of course, that's exactly what you're reading
    - right now.
    -->
  • Better Fu Than U. 2008-03-01 02:15
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    You, my friend, are being foolish. Looking at the page/script source provided to the client side is not hacking. Copying and pasting a URL from said source is not hacking.

    Using a script the way this site is doing is stupidity. If this site is associated with the government then the web designer and web server administrator should be fired because it is evident their knowledge of web sites is poor at best.

    Thank You.
  • Dustin 2008-03-01 02:16
    If you cared that much you wouldn't be in business with a site that made their password obvious in js
  • Lisa needs Braces 2008-03-01 02:17
    Stop with the copypasta, learn php or find a competent coder.
  • Bill Vincent 2008-03-01 02:21
    Then why did the other "clients" spoken to report "no leads" from your expensive listing? Nice story, but sounds more like a weak scam. And the security isn't "not up to standards", there isn't any security at all! The login and password are right there in the code!
  • Scott 2008-03-01 02:25
    Well they tried to fix it again:

    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
        if (form.id.value=="zzzzzz") {
            if (form.pass.value=="fffxxx") {
                location="http://officers.federalsuppliers.com/agents.html"
            } else {
                alert("Invalid Password")
            }
        } else {
            alert("Invalid UserID")
        }
    }
    //-->
    </script>
  • emurphy 2008-03-01 02:29
    emurphy:

    <!--
    - Unfortunately, Microsoft has added a clever new
    - "feature" to Internet Explorer. If the text of
    (etc.)


    Credit where credit is due: Digg user Logistics1 gets the props for pointing out the 404 bit. And reflex768 also nails TRWTF:


    >"FSG Rep: Wait-wait-wait... clients? You called our clients? How did you--"

    Telling. A rep for a good company, which supplies a good service for their clients, smiles when they hear their target customer has spoken to their clients. A scammer is horrified, as this one clearly was.

  • Serious Business Customer Support 2008-03-01 02:44
    *Our* standards are quite a bit lighter than any *real* standards. Your site doesn't follow even the most trivial security recommendations from the National Institute of Standards and Technology (NIST), which ideally any government site (or site hoping to work closely with government agencies) should follow. You may be real (I personally don't care enough to follow up), but if your website is any indication of your professionalism your actions border on criminal negligence and I seriously doubt anyone in your company is "good" at what they do. You may have four children whom you love (good for you), but you are the sort of stupid that actively makes the world a worse place.

    In closing, I hope you die of cancer.
  • incredulous 2008-03-01 02:46
    4 children? Your genes are so great you decided to procreate four times?!?
  • Zaz 2008-03-01 02:48
    Can it be considered hacking if the source code is public and viewable in a web browser? Really, come on. This is too funny.
  • Contra 2008-03-01 03:03
    In truth, it's only slander to the web admins. Would you invest thousands and give lots of information to a company that runs a website with copy and pasted script?
  • Anon 2008-03-01 03:04
    After you enter the login, it's a blank page.
  • l33t_haxor 2008-03-01 03:06
    here's the new page: http://www.federalsuppliers.com/warning.html

    same username and password, but it goes back to that broken page
  • English Grammar God 2008-03-01 03:20
    I used to secure my angelfire website like this in 1999! This is serious business!

    "...you should of protected..."
    This sort of complete grammatical ignorance makes me die a little bit inside.
  • Alex 2008-03-01 03:21
    hahaha this is hilarious.

    I didn't realize internet browsers could hack sites so easily! LOL


    Don't even have to phish or anything! Just right click and read!
  • anonymous 2008-03-01 03:35
    I guess someone never learned how to use an .htaccess file.
  • Jefah 2008-03-01 03:47
    Are you for real?

    I'm no hacker, but even I know the old "View Source" trick. These people were doing you a favour by informing you just how UTTERLY INSECURE your website was, rather than it being discovered by someone with more sinister intentions.

    What that guy did to get past the password involved about two clicks. A 10 year old could've gotten into that "password protected" section of your site with no real "ZOMG HACKER!" knowledge whatsoever. Time for a security update, methinks?
  • Herbiestone 2008-03-01 03:52
    thank you hackers for trying to destroy federal suppliers guides reputation

    Ah, but if anyone is tarnishing your reputation, it's just yourself. Looking at the source of a web page might be something not everyone knows about, but it is pretty common among web designers to look to see how a page is built. It is legit too.

    Sending the valid name and password in clear-text to everyone who visits the page in question is what I call willful neglect. And it doesn't stop there, you also give away the URL you will go to after entering the right name & password. I bet anyone who knows how to use google could find out about that 'hidden' page too.

    So now instead of shouting "hackers!" you should be glad someone helped you find out about your complete lack of security, and fix it. ASAP!

    "No, now go away or I shall taunt you a second time." If I may quote Monty Python's Holy Grail here...
  • T. 2008-03-01 04:03
    Too incompetent to be true. If this is not a bad joke then a bunch of people should get fired immediately there.

    Throwing *highly secret* login credentials unasked at every person available - naughty boy if you use them, no? Oh, you don't even HAVE to use them, just follow the target link (still off-line) - is this then still *hacking the site*?

    <bang head to table>
  • Odas kane 2008-03-01 04:07
    If your tech depart. wasn't incompetent it would be a problem.
    I wonder how many other US departments are unsecured and incompetent? "wasn't protected" yep that sums it up. ass.
  • sigh 2008-03-01 04:08
    i believe you are a legitimate individual working under a perfectly legitimate organization, and so i am writing this under the hopes that you will understand that if you attempt to undertake legal action under the concerns of being "Slandered" you will fail. miserably. look up the word slander, reread this post and realize that. knowing how expensive lawyers are, i would imagine that that venture would actually waste more resources on NOTHING, rather than salvage the situation. what this individual has done is point out how insecure your system is. please invest in one that isn't insecure. your source code is public and that is the reason why we can see the login details requested. there is no hacking involved. it is clear that the person you hired to do your website took advantage of your naivety and skipped the proper work to create a back-end appropriate for a "SECURE" system. if this individual is still in your company, FIRE HIM. there are many websites on the internet that teach you how to create the most SIMPLE login system that encrypts and decrypts shit. here is a short overview of what SECURITY on the internet means: http://www.eioba.com/a69760/secure_website_login_programming_with_php_mysql
    i hope this helps you. best of luck.
  • monkey 2008-03-01 04:17
    Considering they appear to be running a scam, naw.
  • Richard 2008-03-01 04:26
    So never mind that the idiot who "secured" the agents page has potentially put the privacy of your clients at risk. "Wasn't protected to your standards"? It wasn't protected to ANY even remotely decent standard! If you want to thank someone for putting the company at risk, "thank" (i.e. "fire") the utter halfwit who "secured" that page, and GENUINELY thank the person who discovered and exposed that little loophole. If it gets fixed, at least something good will have come of it. Hey, if you want ME to fix it, I'll rewrite the whole damn database for the low low price of $65 an hour. And guess what! It'll be secure. Not quote-unquote "secure" wink wink, it'll be ACTUALLY SECURE.

    And seriously..... it doesn't take a hacker to view source on a web page and get the password when the security is THAT bad. Honestly, my mother could have achieved it with minimal guidance.
  • David 2008-03-01 04:29
    Shame on TDWTF, blah, blah, blah...yakkity something other.

    If the TDWTF is going to point out a multinational conglomerate's mistakes (Marlboro.com's bjorked landing page)
    http://thedailywtf.com/Articles/Redirection_with_Smoke_And__0x2e__0x2e__0x2e__Smoking_0x3f_.aspx

    Why would it not point out this little company's Web 0.5 alpha site's high tech security mechanism? Ignorance is not an exception or an excuse when running any sort of business.

    Also, I take some sort of pride in what I do (dev., DBA, sysop) and I come to this site to learn and relax. This article goes under the relax section as it's possibly the funniest *cking thing I've read in a while; excuse me if I've got a sadistic streak in me, but that's a mandatory trait for server administrators.
  • Flash 2008-03-01 04:30
    sigh:
    ...if you attempt to undertake legal action under the concerns of being "Slandered" you will fail.


    Another reason for the failure of a slander suit: all the comments are in writing, so it's not slander, it's libel.

    But, of course, it's not libel to point out the facts. So that would fail, too.
  • anonymous 2008-03-01 04:46
    Looks like they went further and removed the agents.html page as well.

    Some businesses crack me up :)
  • OMG 2008-03-01 04:50
    LMAO!
  • Blue Nova 2008-03-01 04:52
    it seems they have removed the page http://officers.federalsuppliers.com/agents.html
    I'm worried about the amount of companies getting sucked into this ever-growing number of advertising scams.
  • Eggbert Nobacon 2008-03-01 04:58
    >thank you hackers for trying to destroy federal suppliers guides reputation.

    LOL, I hope this was a joke post by someone. If not, these people are way too dumb to be let anywhere near a computer.
  • Tom 2008-03-01 05:08
    This is pure insanity... It's been a day, this has gotten onto Digg, and yet they haven't fixed it. I certainly hope they don't have any sensitive information on that "Agents" site because now most everybody else has it now, too. I stopped looking for this exploit years ago because I didn't think anyone was dumb enough to still use it...
  • B3 2008-03-01 05:34
    hope you're joking. At least these guys are telling you about it. This in the wrong hands can damage more! Secure it?
  • Chris H 2008-03-01 05:35
    I love the post by the FS Guide Customer Support. We're apparently still hacking their site. Shame on all of us. Not
  • Jim 2008-03-01 05:38
    http://209.85.173.104/search?q=cache:abwbU5b-fmIJ:officers.federalsuppliers.com/q/q_in.htm+site:federalsuppliers.com+federalsuppliers.com&hl=en&ct=clnk&cd=79

    Here is a Google Cache of one of their agent pages. This is what you get when you pay your neighbour's teenage nephew a couple bucks to make your website for you.
  • tom Termini 2008-03-01 05:41
    Wha wha. Wipe the tears - if you are providing a valuable service to the federal government, you should at least follow NIST's security guidelines. You should be kissing this guy's *ss for finding the simple breach in your "security" -- what would a bunch of Chinese or Russian dudes do? I am sure they would be as helpful. While getting you a visit from the Department of Homeland Security.

    Sheesh. Ingrate.
  • Chris H 2008-03-01 05:42
    Oh and here's an even worse site. They actually give you the code to get in to the site right above the box you type it in to.

    http://www.sdasa.asn.au/mem.htm
  • Pipis 2008-03-01 05:42
    ROFL!
    Will someone please call them and explain that they are not securing anything this way..

  • shmatt 2008-03-01 05:46
    blah blah blah blah sounds more like you're a crook. Why haven't your "clients" gotten a single call? get a real job.
  • AA 2008-03-01 05:49
    just curious on how you found this article?
  • person 2008-03-01 06:04
    Are you saying that someone considers this "secure"? I learned the problem with this type of "security" when I was maybe 10 years old and started learning HTML.

    I'd say one of the first steps to creating a secure website is DON'T PUT YOUR DAMN PASSWORD AND USERNAME RIGHT IN THE TEXT OF THE SITE. Anyone who has a Web browser can look at that password - if you have Firefox you can go to "View" then click "Page Source" to look at the page's code.
  • Andy 2008-03-01 06:19
    This is really and truly sad.
    I mean REALLY REALLY sad.
    Words cannot describe my feelings when faced with sheer ignorance like this.

  • Fant 2008-03-01 06:23
    stephane:
    seems to work, they're hiring!
    http://www.pr.com/job/3441945


    Education Level College Degree
    Salary Range 7,000 USD per year
    Category Sales
    Job Type Employee, Full Time

    Impressive. Challenge: How to make a living in Florida on 7k$/year.
  • F U C K Y O U 2008-03-01 06:23
    Fuck You.
  • Mark 2008-03-01 06:25
    That is all.

    BRILLIANT!!
  • Andy 2008-03-01 06:27
    Very true.

    Not to mention that page has probably been crawled thousands and thousands of times by the various search engines (since you can get right to it by typing in the URI)... so if you look at any search engine you are bound to find the contents of that page.

  • Dekker3D 2008-03-01 06:29
    ye gods, this is lame. i just checked, it's still exactly the same except that the target page (still linked) got taken down. so now, nobody can log in, but everyone can see the password. o_O
  • s3rioshxr 2008-03-01 06:37
    Instead of bitching how about fixing your shite security. How do you expect anyone to take your company seriously when you can't secure your public facing website? What's to say that you don't leave the keys to the safe hanging on the outside door. How are people supposed to *trust* you with the details they give you? Account numbers? With that security? You are joking, right?
  • RiLo 2008-03-01 07:04
    And how about this gem on their site:

    <FORM ACTION="http://64.58.216.181/cgi-ipad/polyform.exe/federal1" METHOD="POST">
    <INPUT TYPE=HIDDEN NAME="recipient" VALUE="info@federalsuppliers.com">
    <INPUT TYPE=HIDDEN NAME="recipientbcc" VALUE="fsginfo@microd.com">

    <INPUT TYPE=HIDDEN NAME="required">
    <INPUT TYPE=HIDDEN NAME="subject" VALUE="Form Response">
    <INPUT TYPE=HIDDEN NAME="redirect" VALUE="http://www.federalsuppliers.com/thanks.html">
    <INPUT TYPE=HIDDEN NAME="sort" VALUE="order:company,address,city&amp;state,telephone,fax,email,decision_maker,business_type,employees,sales,referred?,referred_by"></td>

    Nice, a little perl script would do to abuse it to send spam around on their account (see the recipient address as hidden input field).
  • Thomas 2008-03-01 07:18
    Thank you hackers for trying to destroy Federal Truckers reputation.

    I have been a Trucker here with my wife for 10 years now and have helped hundreds of clients receive federal government goods. I have 4 children and though you don't care, you are hurting the feelings of many good employees and customers by your immature actions.

    Sorry our trucks aren't maintained to your standards, we drink 'n drive all the time, and we all drive without a valid driver's license, however all of you are being reported to the appropriate authorities as we have your information too.

    You should have protected your info a little better. Not only is the company legit we actually have held a 5 year GSA contract with the federal government and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them.

    I am proud to work here and help small businesses obtain government supplies. If you not interested in government supplies or our services of helping small businesses receive federal goods, fine but please don't slander the company.

    It's rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hard copy guides and the online directory as well.

    So yeah, DIE IN A FIRE!!!!!!!!!
  • ychaouche 2008-03-01 07:23
    Un-be-lie-vable !!!!
  • Hillbilly Geek 2008-03-01 07:24
    It's a fine old tradition: charge people hundreds of dollars for something they can google themselves in 5 ms.
    It's not a scam, though: it's a stupid tax
  • really? 2008-03-01 07:27
    really?

    Registration provider: MateMedia, Inc.
    Registrant
    Jim Sprecher
    Jim Sprecher
    jim@countrysidepublishing.com
    PO Box 1735
    Oldsmar, FL 34677 US
    +1.8139250195
    (FAX)

    Administrative
    Countryside Publishing Company
    Countryside Publishing Company Inc.
    jim@countrysidepublishing.com
    3135 SR 580 Suite 6
    Safety Harbor, FL 34695 US
    +1.7277263400
    (FAX)

    Billing
    Countryside Publishing Company
    Countryside Publishing Company Inc.
    jim@countrysidepublishing.com
    3135 SR 580 Suite 6
    Safety Harbor, FL 34695 US
    +1.7277263400
    (FAX)

    Technical
    Countryside Publishing Company
    Countryside Publishing Company Inc.
    jim@countrysidepublishing.com
    3135 SR 580 Suite 6
    Safety Harbor, FL 34695 US
    +1.7277263400
    (FAX)

    Record created on May 18, 1997
    Record last updated on November 13, 2006
    Record expires on May 19, 2008

    Domain Name Servers:
    NS.RACKSPACE.COM
    NS2.RACKSPACE.COM
  • Ed 2008-03-01 07:39
    If the site referred to in this article is purported to be "secure" by your company's standards, then I would have to say that any damage to the reputation of "Federal Suppliers Guide", from a technical perspective, is most certainly warranted. In addition, the fact that the author attempted to alert your company to the security shortfall prior to publishing is in line with standard practices - whenever someone finds a flaw in software or websites, the first person they advise is the system owner and then, if they refuse to take adequate action, they alert the public so they do not expose themselves to the associated risks.

    Regardless of whether your company does or does not conduct itself in good faith or with real returns to your advertisers (who the author appears to have made reasonable effort to contact and survey) the root of the problem is that your website is critically flawed and needs to be seen to by a professional who can apply industry-level security to the system.
  • bob 2008-03-01 07:43
    Can still check out the google cache of most of the 'secure' area - try googling site:officers.federalsuppliers.com

    or going to:

    http://www.google.co.uk/search?q=site:officers.federalsuppliers.com/&hl=en&safe=off&rlz=1T4GZAZ_en-GBGB248GB248&start=10&sa=N
  • steve 2008-03-01 07:44
    I would say the best site to learn about hacking, is http://www.opentopix.com , also found in the search bar
  • anon. 2008-03-01 07:44
    well maybe if you employed someone with an ounce of computer securityness about them then this would have never come about! It's not hacking; the password is in plain text in the source code of the website! N00bs!
  • C_Boo 2008-03-01 07:52
    Beating a dead horse...

    A google search for www.federalsuppliers.com results in several pages like this one that helpfully list the user id and password (at the time) in plain text.
  • 28% Genius 2008-03-01 07:54
    I have never seen code that had a more accurate comment.

    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/

    See? It never claims to stop unauthorized people from entering.
  • Abdul Qabiz 2008-03-01 07:57
    LOL! I can't stop laughing...


    -abdul
  • kay 2008-03-01 07:57
    the question is.. why did the author of the article use INTERNET EXPLORER???
  • . 2008-03-01 08:10
    Oh please report me too, I can't wait!

    Don't give someone a lock and a key, and then say "Hey, don't put the two together because if you do, you'll get lots of things for free". That is your company being stupid.

    Expect reality, it's all there is.
  • Chris 2008-03-01 08:25
    Wow, that's pretty lame. You should have turned it around on them and said, "I would be happy to offer YOU my services for making your site more secure". Man, their idea of security is outrageous!
  • ObiWayneKenobi 2008-03-01 08:27
    Odas kane:
    If your tech depart. wasn't incompetent it would be a problem.
    I wonder how many other US departments are unsecured and incompetent? "wasn't protected" yep that sums it up. ass.


    What Tech Department? Trust me - I live in Florida, near where this place is (although I don't know the business), and let me tell you from experience that if this really is a small company, they probably have no IT people at all, and had the website designed cheap and/or free. That's really common with small companies in FL - pay shit, don't want to ever pay money for anything, and look for the cheapest solution that "just works".

    Giving benefit of the doubt, the site was probably designed at first with the idea to implement some REAL security - however, at some point either they A) Were too cheap to pay a programmer to implement the site, B) Had someone, but fired him for stupid PHB reasons and/or he quit in disgust, or C) Had a "big client" who needed "secure access" to the site ASAP and the owner couldn't wait long enough to implement security. In any event, I doubt the site was DESIGNED to be like this, just like most small businesses, the owner only is thinking about his own financial security, and doesn't really give a shit about growing a business; it exists solely to allow him to live as rich as he wants, instead of providing a useful service that others are willing to pay for.
  • Jehzeel Laurente 2008-03-01 08:31
    The site was made to be hacked. Because it's open for intrusion. T__T

  • LOLOLOL 2008-03-01 08:34
    4 children.
    hahahahahahahahahaha.
    You're lucky that fucking companies doesn't make them pregnant too.
  • CodeMonkey 2008-03-01 08:42
    I happen to work for a major integrator. One of the things I've worked on is basic authentication/authorization software for web applications used by the federal government. Believe me when I say that my entire team would have been fired on the spot if we made a mistake that bad.

    The fact that your company cannot splurge for basic serverside protection would lead any sane person in the contracting world to wonder what else you're too cheap to secure.
  • kiddiescripter 2008-03-01 08:48
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers .. words....words....


    It's not hacking, it's called "viewing the source page".

    It's something that a child can do with no hacking skills.

    Your webmaster should be fired, the rest of the company is probably OK.

  • Gnol 2008-03-01 08:48
    Hi FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT,

    Even if you are not a scam, it's clear you have no clue how to protect your customers' personal information. Just think about how many innocent clients could have had (or actually have had) their personal information stolen in the time you've been ignorant about this problem.

    You realize if anything happens to those companies because of the information you leaked, it would be your fault? It's the equivalent of a bank hiding all the cash inside a safe with the key on top and no security measures.

    Also, your inability to use grammar and punctuation doesn't help your case when the original article calls into question your professionalism (specifically, the lack thereof).

    This article doesn't destroy the FSG reputation. You do, by your poor actions and irresponsible inactions.
  • Sr. Comedy Officer 2008-03-01 08:57
    The following is now Certified Comedy:

    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.
  • Aaron 2008-03-01 08:58
    Pretty amusing. You should have saved a copy of that page so the rest of us could see it.
  • Stefan 2008-03-01 09:02
    I lol'd

    Fire your web developer :)
  • AlpineR 2008-03-01 09:06
    sorakiu:
    You're missing the point. This website (dailywtf) has, in the past, changed names (usually the submitter and who they work for) in order to differentiate themselves from a script kiddy website.


    At first, the non-anonymity of this article bothered me. It's true that most of Alex's articles in the past have been anonymized. But now I realize that it's mostly to protect the innocent (the submitter) from the guilty (the WTFer). It's like whistleblower protection; we don't want employees getting in trouble for pointing out infractions by their employers. If only the submitter were anonymized then the employer could often figure out who leaked the information. With both anonymized, the employer must first identify themselves as the WTFer.

    On the Sidebar, we make non-anonymized posts all the time. Usually the submitters there aren't affiliated with the WTFer – it's publicly accessible information. Or the submitter judges for himself that the employer won't know or won't care.

    In this case, Alex is the submitter himself so he can judge whether being identified by the WTFer is worth the risk. I don't think he revealed confidential information. He just explained how Federal Suppliers Guide acted and what he thought of their competence and the value of their service.

    As an illustration of FSG's technical incompetence he posted the contents of the most open and widely publicized document type in the history of civilization: a Web page. He then realized from reading that page that there was another, supposedly secure Web page that can actually be read just as easily.

    It would be different if Alex subscribed to FSG, accessed confidential information securely, and then leaked that confidential information.

    I hope Alex doesn't get sued for "hacking" or slander, although I wouldn't be too surprised. If so then watch out. There are also two years of records of the rest of us making "slanderous" statements about Web businesses, software companies, signage installers, and hardware manufacturers.

    At least the name of the case would be amusing: "Federal Suppliers Guide v The Daily WTF".
  • JoeDelekto 2008-03-01 09:07
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:

    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions.


    I can agree with you that people who learn of a simple exploit and attempt to continue to do so are immature; however, how does one learn to mature to age without learning? I understand you have a well established rapport with your clients and that you have a family, certainly you know how harassing it can be to be interrupted when trying to spend quality time with them.

    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:

    sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them.


    Well, if those people of the US embody the government for which you work, then apparently it is not quite up to the standards they expect. In fact, I wonder which federal agency has made the mistake of not doing its due diligence in auditing all facets of your security. I also wonder how much of that 500k your client took in of my taxes, thus taking food from the mouths of my wife and children.

    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:

    i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company.


    I do not doubt you are proud of your work, but honestly, do you help small businesses 'navigate' the federal market or 'exploit' it? If you ask average joe taxpayer, I think there are too many high priced contracts or providers out there who provide very little for what compensation is received. It almost seems like it's the converse of the old adage 'you get what you pay for', but in the case of government spending, 'you don't get what you pay for'. How ironic at best.

    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:

    its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    Why, oh why, does the state I live in have to have such a bad stigma about it?
  • Grim Jestor 2008-03-01 09:11
    ...is down again...

  • Aaron 2008-03-01 09:11
    Wow, I've been going through all the cached pages I was able to "hack" via Google. I'm actually more amazed than anything else that so many company owners fall for this sort of scam.

    /heading off to hack more of Google's cache...
  • Anonymous Coward 2008-03-01 09:13
    Someone should point out to Jim Sprecher that removing the website won't help him much. Google caches all.

    http://www.google.com/search?q=site%3Aofficers.federalsuppliers.com

    Or maybe Google are "hackers" now? :)
  • I can hides my information? 2008-03-01 09:15
    "NEW" url for the site:

    http://www.federalsuppliers.com/warning.html
  • ounos 2008-03-01 09:19
    Alex is playing a joke on us. This can't be happening. This is mega-stupid!
  • Samus_ 2008-03-01 09:24
    for advanced hackerish: http://www.google.com/search?q=site%3Aofficers.federalsuppliers.com

    google, the mother of all communist hack tools <:o) and invalid markup btw.
  • Xocide 2008-03-01 09:29
    I'm more than happy to make a secure PHP login page for them.... for several hundred thousand dollars.
  • emurphy 2008-03-01 09:41
    C_Boo:
    Beating a dead horse...

    A google search for www.federalsuppliers.com results in several pages like this one that helpfully list the user id and password (at the time) in plain text.


    And now I'm sure some helpful soul will fill the University of Hawaii in on this lovely debacle.

    Here are a couple more folks that could use enlightenment. (I got bored after skimming through the first 30 hits.)

    Bevins Design - bought a catalog entry

    Virginia state government - lists them among a few dozen other resources

    Also, the secondary TRWTF is the still-huge ratio of "hur hur dumb security" to "wait, what motives would make you want to secure this in the first place?". I know we're a bunch of tech guys but, c'mon, learning a little social engineering on top of it will make you ten times more effective.
  • Joe Blow 2008-03-01 09:47
    I love how we're all being "reported to the authorities". It sure is unfortunate that this site has anonymous posting...

    Just so we can all agree. It's not hacking if the user name & password are published on the site.

    Also, and I don't want to go off on a whole thing here, but it sounds like that company is more of a scam than anything, taking advantage of small businesses, so good riddance.

    Final thought: Apparently the sales force blows, too.
  • ounos 2008-03-01 09:52
    this webcomic is a wtf:
    Fry-kun:
    Henk Poley:
    Too bad the page it points to is offline


    It was taken offline a few minutes ago, probably in response to all the "hacking" that's been going on.


    you aren't a very good customer then!

    using:

    http://www.google.com/search?q=site%3Aofficers.federalsuppliers.com&hl=en

    I could use Google's cached entries and browse their fine merchandise at my leisure.

    Hey! How did Google break into these pages! They are password-protected! It's impossible!! Those burglars!
  • Stan 2008-03-01 09:54
    Nobody's hacking anything. The URL to the "private" page is embedded in plain text in the javascript code in the public page. All one has to do is "view source" to see where the "private" page is.

    It isn't that your "private" page wasn't protected to "our standards", it's that it isn't protected AT ALL. Put the URL in the address bar and presto - you're in!

    Tell your programmer that changing usernames and passwords in code that is transmitted to the browser is useless. You need to perform proper authentication on the "private" page, not just hide the link to it in javascript on a publicly-available page.

    Read up a little on securing web sites. It's not hard at all to do basic authentication, which will keep most people out.
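    Stan's point about view-source can be checked mechanically. What follows is an added example, not code from the thread or the site: it scans a page's inline scripts for literal form-field comparisons followed by a literal location assignment, which is exactly the pattern quoted in this thread, so a site owner can audit their own pages. The sample page, hostname, user id and password below are constructed placeholders.

```javascript
// Added example, not from the thread or the site: audit a page's inline
// scripts for the "JavaScript password gate" anti-pattern quoted above,
// where the user id, password and "private" URL are literals shipped to
// every visitor who views source.

// Constructed sample page modelled on the snippet quoted in the thread.
// Hostname, user id and password are placeholders, not real values.
const SAMPLE_HTML = `
<html><body>
<script language="javascript">
<!--//
function pasuser(form) {
  if (form.id.value=="placeholder-id") {
    if (form.pass.value=="placeholder-pw") {
      location="http://private.example.invalid/agents.html"
    } else { alert("Invalid Password") }
  } else { alert("Invalid UserID") }
}
//-->
</script>
<form><input name="id"><input name="pass"></form>
</body></html>`;

// Bodies of every <script> element (inline only; external scripts would
// have to be fetched and fed through the same scan).
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) scripts.push(m[1]);
  return scripts;
}

// Collect every string literal a form field is compared against, and every
// literal URL assigned to location / window.location / location.href.
function findClientSideGate(html) {
  const findings = { credentials: [], targets: [] };
  const cmp = /(\w+)\.value\s*[=!]==?\s*(['"])(.*?)\2/g;
  const nav = /(?:window\.)?location(?:\.href)?\s*=\s*(['"])(.*?)\1/g;
  for (const script of extractInlineScripts(html)) {
    let m;
    while ((m = cmp.exec(script)) !== null) {
      findings.credentials.push({ field: m[1], literal: m[3] });
    }
    while ((m = nav.exec(script)) !== null) {
      findings.targets.push(m[2]);
    }
  }
  return findings;
}

// Verdict: a field compared against a literal plus a literal navigation
// target means that URL is reachable by anyone who reads the source; it
// needs server-side authentication, not a different literal.
function isClientSideGated(html) {
  const f = findClientSideGate(html);
  return f.credentials.length > 0 && f.targets.length > 0;
}

console.log(JSON.stringify(findClientSideGate(SAMPLE_HTML), null, 2));
```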
  • Smash 2008-03-01 09:55
    HAX0R.EXE:
    mister:
    jimmy:
    I do believe this will become a legend in the vein of the great Paula.

    Not unless we come up with a short and easy to remember meme such as "Brillant" or "FILE_NOT_FOUND" :(

    Hurry up, guys! The time is running out!

    Hmm, maybe:

    var password = "secure"; or
    alert("PLZ don\'t hax0r our site!");

    I vote for "thank you H4x0rs for trying to destroy Morons Inc. reputation."
  • f-bomb 2008-03-01 09:58
    If they think that adding Javascript to their HTML is a way to securely protect anything on their server, anyone associated with them should run for the hills. How is this not a red flag for their department heads? Morons.
  • Mike 2008-03-01 09:59
    You did the damage to your reputation yourself.
  • Elma 2008-03-01 10:03
    It's not hacking when people use the credentials that the website supplies - and it's not that "the site wasn't protected to our standards" --- the site wasn't protected at all.

    You're charging those people for your service, it is your responsibility to make sure their info is secure.

    Quit whining about hurt feelings and do your job.
  • Gurn Blanston 2008-03-01 10:04
    It's not hacking, you have published the password in the source of your page. You cannot secure a website with weak client-side javascript, you must protect at the server level. If your company's site is any indicator of their skillset and professional acumen, you'd do well to have a backup gig flipping burgers somewhere.
  • Incognito 2008-03-01 10:06
    Hey!

    I could hardly consider what everyone is doing hacking. You do not try to hide something in a safe and then write down the combination on it, do you? I do not know what 10 year old you hired to "secure" your website, but there are about 2000 people (if not more) who have seen this topic, you should disable your login and hire a professional who doesn't use Javascript as a means to protect your site.
  • Kat 2008-03-01 10:16
    Viewing source code is not hacking. And you should be sorry that your site isn't protected to our standards. Because as you stated, your children are being hurt by your employer's low standards. Clearly they don't care about your children or the hundreds of clients you have helped obtain federal government work.

    I think you should have protected your info a little better. Because now that I have a list of all your clients, they might be interested in knowing that none of the other contacted clients have ever gotten any work from the company you work for. They may be interested in seeking legal action.
  • GreyICE 2008-03-01 10:22
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.
    I hope and pray that this is for real, because this is easily the funniest thing I've read in a long, long time. Good job scammer!

    If this isn't actually the scammer, then good job whoever wrote this, because it's hilarious
  • Bob 2008-03-01 10:23
    So you "got our information". Either that, or you got the information for the last proxy in a string of them. Take your pick. How are you going to get any further than even having an IP address?
  • me 2008-03-01 10:32
    Their government grade encryption has not changed since yesterday.

    Any government employee should be aware enough not to access a site that uses this kind of username password combination. Surely they informed them of all the sudden changes to their secure credentials.......
  • jimmy 2008-03-01 10:33
    Smash:
    HAX0R.EXE:
    mister:
    jimmy:
    I do believe this will become a legend in the vein of the great Paula.

    Not unless we come up with a short and easy to remember meme such as "Brillant" or "FILE_NOT_FOUND" :(

    Hurry up, guys! The time is running out!

    Hmm, maybe:

    var password = "secure"; or
    alert("PLZ don\'t hax0r our site!");

    I vote for "thank you H4x0rs for trying to destroy Morons Inc. reputation."


    Well, heck, let's get some more. We need a secure name.

    How about just "the Secure Site"? Short, easy, and to the point. Anyone else?
  • Burgermeister Meisterburgen 2008-03-01 10:44
    Since when does having a contract with the federal government make your business any more credible or wholesome?
  • not our fault 2008-03-01 10:47
    it's not our fault that you work for a company that doesn't understand how to run a website. i researched the company i work for before i decided to trust them.

    right clicking a web page, choosing "view source", and reading what follows is not hacking or rude.
  • Juan Carlos 2008-03-01 10:58
    I say if they aren't bright enough to figure this out --- THEY DESERVE WHAT THEY GET ----
  • Nick 2008-03-01 10:59
    <HTML>
    <HEAD>
    <TITLE>404 Not Found</TITLE>
    </HEAD>
    <BODY>
    <H1>Not Found</H1>
    The requested document was not found on this server.
    <P>
    <HR>
    <ADDRESS>
    Web Server at federalsuppliers.com
    </ADDRESS>
    </BODY>
    </HTML>

    <!--
    - Unfortunately, Microsoft has added a clever new
    - "feature" to Internet Explorer. If the text of
    - an error's message is "too small", specifically
    - less than 512 bytes, Internet Explorer returns
    - its own error message. You can turn that off,
    - but it's pretty tricky to find switch called
    - "smart error messages". That means, of course,
    - that short error messages are censored by default.
    - IIS always returns error messages that are long
    - enough to make Internet Explorer happy. The
    - workaround is pretty simple: pad the error
    - message with a big comment like this to push it
    - over the five hundred and twelve bytes minimum.
    - Of course, that's exactly what you're reading
    - right now.
    -->

    WTF?
  • Chirs 2008-03-01 11:05
    "The best minds are not in government. If any were, business would hire them away."
    - Ronald Reagan
  • Jim 2008-03-01 11:07
    FREELANCE WEB DESIGNER SOUGHT (Home based)
    City: Tampa

    Countryside Publishing is seeking immediate freelance Web Designers to establish relationships with clients for immediate freelance work. Selected designers will join a group of a dozen freelance design professionals, and interface with Management, QC, Editorial, and Development. If you’re a dedicated team player with outstanding design skills looking to grow your already impressive portfolio please apply!

    Responsibilities:

    Create and manipulate graphics to optimize the palette, size and speed of the resulting Web sites

    Develop basic designs which consistently capture and project functionality and brand identity for clients.

    www.countrysidepublishing.com
    www.alliancepublishing.net

    Please respond by email or fax with your resume:
    813-814-4573
  • Garg 2008-03-01 11:15
    Wait... wait... you actually procreated? Everybody out of the gene pool!
  • Rory 2008-03-01 11:22
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    We understand that you are innocent, hard working people, but your anger and frustration with this situation is being misdirected. It's not our fault that you don't have security, but you think you do. We're the ones you DON'T have to worry about - it's the people that have the ability to break through this paper thin facade that have malicious intent that you have to worry about. Fix your system because of them and because you work hard. Don't fix it because of the snotty folks here that get jollies making fun of your security. Just fix it. Hire someone and fix it.
  • damaged justice 2008-03-01 11:22
    Cry moar newb.

    Or, to put it in adult-talk: When your bank has no locks on its doors and is "protected" by a sign saying "Please don't steal our money", YOU FAIL.
  • Matt 2008-03-01 11:24
    I hope you understand that calling us "hackers" is like calling the guy who logs on to your computer using the password he got from a post-it stuck to your monitor a "hacker."
  • Omar MF Jasso 2008-03-01 11:30
    For such a prestigious working man, your spelling and grammar sucks, man.
  • unbound 2008-03-01 11:35
    Well, regardless of how legitimate or not the post's complaints are, you have a serious security issue on your hand. I wouldn't even call what was done to your site hacking. Do you understand that you have the user id and password in *plain text* for the world to see in the source code of that page?

    Whoever maintains your site needs some *serious* schooling in secure coding practices. It isn't even a matter that security may have been different years ago...that type of coding should *never* have been done in the first place. *You* need to fix that page.
  • Dan M 2008-03-01 11:37
    Are you idiotic? How can you call someone a hacker when you actually send down to their browsers included in the source of your web page the username and password? That is like a mechanic calling someone a hacker for opening the bonnet of their car to check the oil levels.

    Invest in some decent web security, instead of blindly calling people 'hackers' for informing you (for FREE) of your ridiculous security measures.
  • wtf 2008-03-01 11:37
    Government contracts, wasting money involuntarily taken from you since 1913.
  • JamesBond 2008-03-01 11:47
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too.

    So you are reporting that we followed a completely unprotected URL from your site's source code? Doesn't seem illegal to me.
    Also, I'm wondering how you can consider billing companies a few hundred/thousand bucks for NOTHING not a scam.
  • Stan 2008-03-01 11:50
    There is no exploit here. What is happening here is a bunch of people laughing at a website. It is no more reprehensible than a bunch of people laughing at any other unintentionally humorous site. If people don't want any risk whatever of their site being laughed at, they shouldn't have a site.

    Exactly! And it's not the first time the real company involved was exposed either, it's common in these circumstances. The BARF ONLY WTF http://thedailywtf.com/Articles/Special-Order.aspx also linked to the real web page that was the subject of that article.
  • CoderPunk 2008-03-01 12:10
    You destroyed your own reputation. First by using sleazy tactics to sell your so called 'service', and then by purporting to protect your client information with a 'secure' page. You obviously don't know the first thing about computer security, and I sure hope you are not in charge of securing any actual sensitive information.

    Hire a web developer who has a clue next time.

    As for your company, you've been in business 10 years and have only 'helped' hundreds of clients? If your best client is only bringing in 500k in contracts then you haven't helped them much, have you?

    I'd suggest closing up shop and finding a more ethical business to engage in.

    .cp
  • Taku 2008-03-01 12:17
    Haha that's a joke right? Not once did he say it was a scam; he merely briefed us on his conversation with a member of the company and the surprising lack of information on it available to prospective clients.

    Would you leave the key in the lock of your car when you left it in a bad suburb? (Hopefully not.) Hiding what is precious to you is just common sense. Nonetheless, I found this quite amusing. Hey, also loved the way you tried to take us on a little guilt trip, as if that distracts from the fact that your company may not be a wise business decision.

    Cheers
    Taku
  • Brandi Roberts 2008-03-01 12:24
    If you do a Google search on site:federalsuppliers.com you can get access to all the cached pages that were taken down due to "hacking". LOL I had a good laugh about this. Thanks.
  • Sir. Consultant 2008-03-01 12:30
    For the low price of a few hundred to a few thousand dollars, I will help you secure your site by a super secret security algorithm code named "ROT13". Act now, before you lose your eligibility!
  • ... 2008-03-01 12:38
    Shut up you idiot. You are obviously just a person who's making money off of this crap.
  • lilricky 2008-03-01 12:38
    I love that plea about his 4 children and such. Maybe if you stop trying to scam people, you could afford to feed them ;P
  • eXeCuTeR 2008-03-01 12:40
    Huh, that was quite funny, lol
    you sure have "hacked" his site ^^
  • spaz 2008-03-01 12:44
    They did remove the agents page you link to... however it is still there under a different name. Going to their main page and clicking on agents you are directed here: http://www.federalsuppliers.com/warning.html Username and password still in the source.
  • bill clinton 2008-03-01 12:45
    working for 10 years, got wife, 4 children, bla bla bla...

    totally classic.

  • Concerned Netizen 2008-03-01 12:51
    The issue here is that the folks from FEDERAL SUPPLIERS GUIDE have provided a way for federal purchasers to log in to a restricted part of their website BUT these same folks have not taken due diligence to restrict the access. What they are doing is like locking the front door to their home but leaving the keys under the welcome mat outside the door.

    If anything, the folks at FEDERAL SUPPLIERS GUIDE should thank the community for bringing this to their attention and not bash the community.

    Also, if for some reason this business were to be audited by the federal government for any sort of security compliance, they would be subject to being shut down or paying penalties.
  • George 2008-03-01 12:52
    Wow... What a complete f---ing moron.

    Well, maybe I shouldn't say complete moron... It sounds like he has been taking small businesses with this scam for quite some time.

    I think the website is intended to make you believe that this guide is produced by the government, when it obviously just sounds like some people running this out of their home. I highly doubt anything there is secret. They probably just don't want to supply you with a sample guide because there ISN'T ONE... It's just a scam.
  • junkman 2008-03-01 12:55
    In a bid to start some kind of insightful conversation after 12 pages of THE SAME THING... I'd like to know where people believe HACKING starts?

    it's very easy to say 'anyone could view the source code' etc... but this is patently not true. The key point is that a lot of people do not have the technological skills to understand what source code even IS, never mind know how to view and read it.

    That said, using php exploits, and countless other ways are equally 'easy' to someone of sufficient skill - so surely the argument of 'well I found it easy therefore it's not hacking' seems slightly misplaced?

    Finally - I'm not supporting and really don't give a flying monkey about some twobit site... my territory is secure to the best of my and my sysadmin's skills. I just would like to raise that as a slightly more interesting talking point than 'ohh how shit are they - lolz etc...'
  • paul 2008-03-01 12:56
    Yes - because hacking involves hitting CTRL+U on my keyboard in firefox and reading.

    All code that's written for a particular website can be viewed at any time - it's called view page source. It's been around; not sure if you've heard of a web browser called Mosaic, but it was there too.

    This kind of website design would get any legitimate company sued.

    So instead of taking a page out of an HTML for dummies guide from 10 years ago - ramp your site up with the proper security. Until then, you have to be smart enough to realize you weren't "hacked" but were dumb enough to print your login and password to your site right in the source code.

    Good luck in trying to "contact the authorities" seeing as no crime was committed, other than you attempting to squeeze a couple brain cells into that hi-tech site of yours.

    BTW - here's some acronyms to toss at ya - SSL, SQL. Learn it.
  • Brian 2008-03-01 13:00
    You're a scammer, and you were caught -- deal with it.
  • Anon 2008-03-01 13:08
    You realize that this is by no means hacking; viewing an HTML page's source is by all means legal. If you have the resources to pursue people for using information in clear view of the public, then you certainly have the resources to make a working website..
  • Larry 2008-03-01 13:08
    I know, they need to put some non-alphanumeric characters in the pass.value string, that will foil those feisty hackers!
  • asdf 2008-03-01 13:09
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    Perhaps you should go back to school to learn basic punctuation, grammar, and communication techniques.
  • Larry 2008-03-01 13:11
    Own fault; this is so lax on security. It's like locking your house and hanging the key on the front door, and then claiming someone "broke" into your house.

    More like hiding a key in a green plastic rock on the porch and then when someone uses it, you change the lock and put the new key back in the rock.
  • Matt 2008-03-01 13:11
    Man, how stupid can they be?...
  • Sam 2008-03-01 13:24
    No, it is like when you have the correct code entered on a keypad a robotic hand turns the key that is already in the lock, when you can just turn the key yourself.
  • what's the red star for? 2008-03-01 13:33
    Steve:
    Damn, they just re-secured it by changing the jscript to:


    <script language="javascript">
    <!--//
    /*This Script allows people to enter by using a form that asks for a
    UserID and Password*/
    function pasuser(form) {
    if (form.id.value=="Agent") {
    if (form.pass.value=="fsg2008") {
    location="http://officers.federalsuppliers.com/agents.html"
    } else {
    alert("Invalid Password")
    }
    } else { alert("Invalid UserID")
    }
    }
    //-->
    </script>

    That's really unhackable.


    nuh uh...
    now it says:
    if (form.id.value=="zzzzzz") {
    if (form.pass.value=="fffxxx") {
    location="http://officers.federalsuppliers.com/agents.html"

    and http://officers.federalsuppliers.com/agents.html is now a 404
  • Rotary Jihad 2008-03-01 13:54
    Since it's 404'ing, does anyone have a cache one level down from the agents page? Like a direct link to a particular state?
  • Dan 2008-03-01 14:06
    Re: Hacked?

    I don't file for breaking and entering if I leave my front door open.
  • petr 2008-03-01 14:15
    Wow, not just the president is dumb scum, but now I see probably most of US government is dumb scum.
    And it is threatening you when you uncover its felony!
  • Caitlin 2008-03-01 14:17
    Can't you just go directly to agents.html?
  • Todd 2008-03-01 14:29
    Funny how they aren't even a member of their local Chamber of Commerce.

    http://www.palmharborcc.org/
  • kayeff 2008-03-01 14:31
    junkman:
    In a bid to start some kind of insightful conversation after 12 pages of THE SAME THING... I'd like to know where people believe HACKING starts?


    Dude, don't you get it? The user name and password are in plain text! And the secure site isn't secure! AND the link to the secure site is also in the source code of the page! Oh, and here's his DNS information. Oh, and they changed it to 'warning.html.' And in case you missed it, the comments in the 404 page are a hoot too! And that's not to mention the 6 pages of posting the exact same code snippet because it "changed."

    You raise a good question though. The defense of "anyone can do it" couldn't possibly justify it. I don't know whose grandmothers regularly look at source code or not, but mine sure as hell doesn't. I could probably teach her an SQL injection with more ease than Javascript though. My guess is that we can call this hacking with a strong sense of, "you should have known better." If I leave my car out on the street unlocked and with the keys in it, I'd still call it theft if someone drove it away.
  • kayeff 2008-03-01 14:32
    Dan:
    I don't file for breaking and entering if I leave my front door open.


    I'd bet you'd file for theft if someone took something, though.

    Edit: Point being that even though nothing is stolen here, there still is something inherently wrong with being there. As other people have said, just forgetting a login box and having a "don't follow this link unless we told you to" message is very akin to my parents telling me to stay out of their room. There was nothing ever stopping me from going, but actually doing it violated that bit of trust.
  • God 2008-03-01 14:43
    @FSG CS:
    Good riddance you scumbags. Die in a fire.
  • Mike R. 2008-03-01 14:43
    Your web developer should be fired. This is the absolute, most basic, most incompetent error a web developer could make.

    It's generally accepted that hacking involves a bit of skill, and maybe some effort. Anyone that knows how to view the source of a web page will be able to see the login and password for this. I can teach my grandma to view source in two minutes.

    Pass this along to your IT (information technology) guys:

    http://httpd.apache.org/docs/1.3/howto/htaccess.html

    May get them thinking. If they knew what they were doing this is a 10 minute fix. And if you're not using apache, there is something comparable that you can use for your web server.

    The fact that this is a real business that makes real money makes this issue even worse.
  • real_aardvark 2008-03-01 15:02
    Well, this is apparently what you get when you inadvertently hit the Top Ten in digg or reddit or www.adhd.org -- a stream of repetitive crud.

    Is there some way to hack digg/reddit/slash-my-wrists to downgrade the popularity of the site or article? It's worth looking into.

    As an alternative, how about insisting on any commentator after the first two hundred or so actually registering. Most of these numb-nuts won't bother to jump through that hoop. Those that do might actually contribute something worthwhile in future.
  • codemoose 2008-03-01 15:05
    real_aardvark:
    Well, this is apparently what you get when you inadvertently hit the Top Ten in digg or reddit or www.adhd.org -- a stream of repetitive crud.

    Is there some way to hack digg/reddit/slash-my-wrists to downgrade the popularity of the site or article? It's worth looking into.

    As an alternative, how about insisting on any commentator after the first two hundred or so actually registering. Most of these numb-nuts won't bother to jump through that hoop. Those that do might actually contribute something worthwhile in future.


    You're new here aren't...oh, wait, I thought I was on /.
  • Kinglink 2008-03-01 15:24
    Thanks for NOT anonymizing this one. People this stupid deserve to get ridiculed and "hacked".
  • Anonymous Coward 2008-03-01 15:25
    codemoose:
    real_aardvark:
    Well, this is apparently what you get when you inadvertently hit the Top Ten in digg or reddit or www.adhd.org -- a stream of repetitive crud.

    Is there some way to hack digg/reddit/slash-my-wrists to downgrade the popularity of the site or article? It's worth looking into.

    As an alternative, how about insisting on any commentator after the first two hundred or so actually registering. Most of these numb-nuts won't bother to jump through that hoop. Those that do might actually contribute something worthwhile in future.


    You're new here aren't...oh, wait, I thought I was on /.


    hehe.
  • NULL 2008-03-01 15:31
    I sent them an email about that. I don't think they will fix it any time soon, though.
  • xploit 2008-03-01 15:35
    No one should tell them. Scammers. They deserve it, and worse. IMHO.
  • Anonymous Coward 2008-03-01 15:44
    xploit:
    No one should tell them. Scammers. They deserve it, and worse. IMHO.


    Don't try to see malevolence in what can be more easily explained by incompetence and ignorance...
  • 8879Factor 2008-03-01 15:46
    This script is great, the messages are informative, kindly indicating which, of the password or UserID, is invalid, but it could be further improved:



    // Parody of the page's client-side login check; the credentials are still in the page source.
    if (form.id.value=="buyers" && form.pass.value=="gov1996") {
        location="http://officers.federalsuppliers.com/agents.html";
    } else if (form.id.value=="buyers" && form.pass.value!="gov1996") {
        alert('You got the UserID right, but not the password. The password is ' +
              'gov1996. You MUST enter gov1996 in the password field.');
    } else if (form.id.value!="buyers" && form.pass.value=="gov1996") {
        alert('The password is correct, but not the UserID. Please, ' +
              'enter "buyers" (without the quotes) as UserID.');
    } else {
        alert("Hey, you didn't got anything right. Please, take note of " +
              'that: The UserID is "buyers" (without the quotes) and the password ' +
              'is gov1996. Put the UserID in the top box, where it\'s written ' +
              '"User:". Put the password in the bottom box, where it\'s written ' +
              '"Password"');
    }
  • herbie d 2008-03-01 15:51
    how retarded. gov't trolls.
  • PG... 2008-03-01 15:55
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    For being so proud of your company and what it does, you sure have some suck ass grammar and punctuation... ;-)
  • 8879Factor 2008-03-01 15:55

    Don't try to see malevolence in what can be more easily explained by incompetence and ignorance...

    Stealing money by incompetence and ignorance?
    That's an interesting kind of incompetence.
  • TZ 2008-03-01 15:59
    I think they got it.... They secured it with a 404 Not Found :)
  • devilspride 2008-03-01 16:04
    boo hoo I'm sure your clients are even less happy at your lack of securing their information
  • freakflag 2008-03-01 16:13
    You are just as ignorant and uninformed as the government agencies that buy your represented services. By the way, your definition of security has no standard. Just as in art, sloppiness is not an art.

    freak
  • Cozmo 2008-03-01 16:14
    That is so pathetic. Wow.
  • Abe 2008-03-01 16:34
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    Ha ha ha, see how far that goes. You're an idiot, and the standards aren't that "high". Learn capitalization also...
  • Dan 2008-03-01 16:46
    I checked up on the company at this site:
    http://sunbiz.org/scripts/cordet.exe?action=DETFIL&inq_doc_number=P96000095495&inq_came_from=NAMFWD&cor_web_names_seq_number=0000&names_name_ind=N&names_cor_number=&names_name_seq=&names_name_ind=&names_comp_name=FEDERALSUPPLIERS&names_filing_type=

    Sunbiz.org is the Florida Dept. of State Division of Corporations.

    As you can see the company is inactive, and the directors and the registered agent all resigned. In other words, it's a bogus company.
  • Blaufish 2008-03-01 17:19
    spacecadet:
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better.


    It's true to say that the site wasn't protected to our standards, but also true to say that it wasn't protected to any reasonable standard. The security on that page is of a level that could be broken in moments by a reasonably intelligent 10-year-old; what you've got there is the electronic equivalent of locking the door but leaving a key under the welcome mat.


    Actually... My browser doesn't automatically download what's under the welcome mat. My browser does automatically download the source code of the pages I'm visiting.

    It would be morally wrong for me to check people's mats; it's not wrong for me to read what people feed my browser. If it contains a URL, of course I have the right to test it (it's more or less the same thing as a link).

    Besides... If the content has been published by the site owner under their own public name, and no username/password is required to access it, it's legal to visit it (at least in Sweden: http://www.wired.com/politics/law/news/2002/10/56079 )

    But.... REALITY CHECK... Is this for real? Or is this entire post an early April Fools' joke???

  • Dmitry 2008-03-01 17:26
    I'm laughing so hard my eyes are tearing up. This is crazy. Good job matey. Haven't had so much fun online in a while now.

    Now there is a chance that this response is *real* in which case I should really be crying because there is no way people are *that* stupid. No way!
  • Blaufish 2008-03-01 17:38
    junkman:
    In a bid to start some kind of insightful conversation after 12 pages of THE SAME THING... I'd like to know where people believe HACKING starts?

    it's very easy to say 'anyone could view the source code' etc... but this is patently not true. The key point is that a lot of people do not have the technological skills to understand what source code even IS, never mind know how to view and read it.

    That said, using php exploits, and countless other ways are equally 'easy' to someone of sufficient skill - so surely the argument of 'well I found it easy therefore it's not hacking' seems slightly misplaced?


    That's probably the wrong question. What's "hacking" is just a question of opinions. But look at what's happened instead;

    In this case, no protection was circumvented, the information was public (it was in your browser, it was on google, etc etc). Hence no security exploitation of any kind was involved, no defenses were circumvented. So this is fairly easy - as no security exploit was used, and no protected data was accessed, no one except the web designers can be at fault if any perceived security was compromised.

    Let's say someone sent XSS with theft-payload to an administrator, or used a directory traversal exploit against server, or fooled someone to send you the information believing you were someone you are not... then some sort of exploit and security bypass would have been used. So
    1. private data would have been compromised.
    2. possibly laws would have been violated.

    So don't bother discussing if it is hacking or not. Discuss if security exploitation was used to access the data. And since it was not, well... it's just a bit of creative websurfing.

    I'm very happy Swedish court has made it clear that creative web surfing is legal. If it was not, then anyone could arbitrarily be considered a criminal, and the boundaries would be completely impossible to be certain of.

    The moral of it:
    - A web designer is not expected to be 100% able to protect against all security exploits. There might always be something which can be compromised by skilled attackers.
    - The web developer SHOULD be able to realize that sensitive data cannot be left unprotected on a public web server. If the web designer doesn't know how to password protect someone, the web designer is expected to be able to 1) call a security professional and ask for help or 2) google for information on how to protect data.
  • weirdbeardmt 2008-03-01 17:48
    I don't know which is the bigger WTF... the actual story, which although humorous is merely a "n00b" (and very common) scripting mistake, or the hundreds of pretentious self-righteous tech "geniuses" spouting the same old tired gibberish ad infinitum. I'm actually embarrassed to be a part of it.

    Fortunately though, the vast majority of the digg et al trolls will disappear soon enough and things round here can get back to normal.
  • WTF 2008-03-01 17:52

  • Anonymous 2008-03-01 17:53
    http://officers.federalsuppliers.com/agents.html
    You didn't even have to put in a pass or user.. The link to the agents portion of the website is right in the super awesome javascript pass authentication ssl sign in block of code.
  • Mysid 2008-03-01 18:00
    When you publish a username and password to a site on the site itself, and post it in a public place -- not only is it not protected, but you are actually inviting access to it.

    Placing a password in page source is like leaving the house and putting up a big sign on the street that says "Neighbors only, please come in.", and taping your front door key to the back of the sign.


    I would recommend enabling basic authentication on your web server software's configuration, and storing your password in a private configuration file.

    This way you don't have to publish access information along with the site itself, and it shouldn't require any programming or site design changes.
  • spoomf 2008-03-01 18:00
    Hilarious that the password includes a number ("xxx2008"), a technique to make brute-force attacks harder. And meaningless if the attacker can read the source. They could've just done as my boss does, and use the company's initials as both password and username.
  • Security Professional... 2008-03-01 18:20
    The Federal Suppliers Guide deserves to go out of business. It really does not matter how many clients they've helped, if their system is insecure they will be hacked, and, if they're using anything other than cold hard cash to collect fees, their clients will not be able to protect themselves from crippling fraud.

    I realize that the page only gave access to a limited amount of data, but any sort of failure to secure information makes me doubt your internal systems as well.

    FYI, you can report them to the authorities, but, honestly what they did wasn't hacking - you left a web page completely insecure and available on the web and there is no law against opening the source of a web page. Any tech-savvy judge would both A. toss the case and B. make you pay lawyers fees.
  • Albert 2008-03-01 18:21
    Even a few lines of PHP could achieve a lot more security than that!
  • asdf 2008-03-01 18:22
    It's not working anymore... I tried the password.
  • Quinnum 2008-03-01 18:27
    For the love of god, Alex, is it possible to disable replies to 180051?

    WTF Readers, we got the hint now. What you want to say has probably been said in the other 500 replies.
  • Tom 2008-03-01 18:32
    Awww, boo hoo! Business directory scams have been around forever.
  • jimmy 2008-03-01 18:35
    Okay, folks. We have a naming contest now. Up are:
    haxor.exe:

    var password = "secure"; or
    alert("PLZ don\'t hax0r our site!");
    and
    Smash:
    I vote for "thank you H4x0rs for trying to destroy Morons Inc. reputation."

    and
    Jimmy:
    "the Secure Site"

    Get while the getting's good! We may have a new legend on our hands!
  • emurphy 2008-03-01 18:54
    real_aardvark:
    Well, this is apparently what you get when you inadvertently hit the Top Ten in digg or reddit or www.adhd.org -- a stream of repetitive crud.

    Is there some way to hack digg/reddit/slash-my-wrists to downgrade the popularity of the site or article? It's worth looking into.

    As an alternative, how about insisting on any commentator after the first two hundred or so actually registering. Most of these numb-nuts won't bother to jump through that hoop. Those that do might actually contribute something worthwhile in future.


    Sweet fucking God, mod this man up! The unwashed hordes of unregistered parrots have arguably turned themselves into a brand new WTF on this point.
  • Sanity 2008-03-01 19:07
    junkman:
    it's very easy to say 'anyone could view the source code' etc... but this is patently not true. The key point is that a lot of people do not have the technological skills to understand what source code even IS, never mind know how to view and read it.


    Except this could've easily been done by accident.

    The essential problem here is, the site sent the password to anyone who asked for it. The fact that most browsers would hide the source is irrelevant -- maybe some browser bug would expose it?

    junkman:
    That said, using php exploits, and countless other ways are equally 'easy' to someone of sufficient skill - so surely the argument of 'well I found it easy therefore it's not hacking' seems slightly misplaced?


    It's not that "I found it easy". It's not that it was insecure.

    It's like the difference between a closed and an open wireless router. If you leave yours open, you may claim that "Well, it takes a sophisticated user to connect and steal our Internet!" But in reality, your router is sitting there broadcasting that it is there for the taking.

    It is difficult, as there really aren't good metaphors for software. We can say "It's like a house", but it really isn't. It's up to us to decide where we draw the line.

    But I do think there's a fundamental difference between, say, a SQL injection, and actually broadcasting administrative credentials to anyone who asks. (Consider, too, that they didn't even hide that page in their robots.txt.)
  • someone 2008-03-01 19:30
    So as not to overload Google, I just saved all those cached pages here:

    http://www.web-share.net/download/file/item/federalsuppliers.tar.gz_4221

    Anybody can polish it into a really usable directory of suppliers, or start a new business by offering them a better service ... ENJOY
  • Gilhad 2008-03-01 19:35
    Sanity:

    It is difficult, as there really aren't good metaphors for software. We can say "It's like a house", but it really isn't. It's up to us to decide where we draw the line.


    I think this example is like placing a big advertisement on a busy public road with small letters on top saying "Do not read, please, if we did not tell you so ..."
  • Hello 2008-03-01 20:19
    Horton Hears a FAIL:

    Good news!!!!

    You may be eligible for support to fix your horrible coding.....Wow! Really good news....For only $1500 I can fix that for you....Whaddaya say?


    702-229-3111


    Umm... hello. I hope you don't mind but I just subscribed your phone number to a couple of porn and other advertisement agency call lists. I'm not sure why, but I just felt like doing that.

    Have a, uh, nice day?
  • argh 2008-03-01 20:23
    i think actually it's more like having a door to the house, with the key taped near the lock, AND with a big neon sign on the door pointing to the second door right beside it, which is wide open.
  • Tom AT Certified Contracting Solutions.com 2008-03-01 20:30
    Government contracting is my life (OK, that COULD be sad, but it's a really dynamic field and just full of the poor slobs that tried to sell you space in their "directory") The sad part is that NO ONE I know (after 30 years in the business) uses such directories because everything you need to know to do business with the government is available FREE, and I can tell you where!

    If he's got a wife and kids to support, I suggest he find a legitimate way to make money rather than ripping off unsuspecting newbies. Sadly there are a LOT of such companies out there. My view is that unless I help you actually make money by creating cash flow for you, then I haven't "earned" anything. No up-front pay for me. And my company is doing quite well, thank you.

    BTW - I get these same solicitations from people who have not done their homework. After they quote me their pricing, I tell them what I charge to do the same thing! It's usually pretty hilarious! And most of them have hacked some site to get their email lists in the first place, and do NOT comply with the Federal CANSPAM Act. So turn the threat around and report them to the FTC!
  • SimonSays 2008-03-01 20:38
    Are you kidding me? Everyone knows that a simple ROT13 is not secure enough. No, you need to apply TWO layers of ROT13, THEN it will be unbreakable.
  • First time visitor 2008-03-01 21:03
    First off, yes, this is a scam, and FSG deserves no mercy.

    But the people posting comments here aren't much cleverer than FSG's webguy.
    - 63 people found it necessary to post the same comment about the username/password changing. All probably sure they were contributing to the discussion.

    - Everyone is railing about the security implications. The whole point of paying them the (ridiculous) $600/year fee is for the advertising. It's sort of weird that FSG is set up so that you needed a password to view the material they were being paid to advertise (imagine if the yellow pages tried this), which is much stranger than the fact that a password was needed.

  • Flash 2008-03-01 21:18
    argh is on to something.

    Okay...here's my refinement to the key-under-the-mat analogy.

    When you knock on the door, someone comes out, hands you the key, and points out that the building has no walls, so you don't even need the key.
  • Saad Rabia 2008-03-01 21:56
    I was playing around when I found out this interesting link that leads to thousands of agent ad listings. Have a look at it and someone download everything before it is taken down again! ;)

    Here is the link:

    http://www.federalsuppliersguide.net/?_orderBy=name&_offset=0

    And originally found here:

    http://www.federalsuppliers.com/test.html

    I have downloaded about 200 ads. :)


    Enjoy web securing!

    Saad R.
    www.saadrabia.com
  • Troy McClure 2008-03-01 22:16
    Hello:
    Horton Hears a FAIL:

    Good news!!!!

    You may be eligible for support to fix your horrible coding.....Wow! Really good news....For only $1500 I can fix that for you....Whaddaya say?


    702-229-3111


    Umm... hello. I hope you don't mind but I just subscribed your phone number to a couple of porn and other advertisement agency call lists. I'm not sure why, but I just felt like doing that.

    Have a, uh, nice day?


    You mean you subscribed the Las Vegas Police Dept's Missing Child line to agency call lists. I'm sure they'll appreciate your effort.

    Retard. Did you really think that was a real phone number? OMGZLOLZ.
  • confused 2008-03-01 22:19
    Apparently they just moved it to http://www.federalsuppliers.com/warning.html.

    The username is still "zzzzzz" and the password is still "fffxxx". Talk about insecure. The least they could do is include a PHP page.
  • Rotary Jihad 2008-03-01 22:52
    Saad Rabia:
    I was playing around when I found out this interesting link that leads to thousands of agent ad listings. Have a look at it and someone download everything before it is taken down again! ;)

    Here is the link:

    http://www.federalsuppliersguide.net/?_orderBy=name&_offset=0

    And originally found here:

    http://www.federalsuppliers.com/test.html

    I have downloaded about 200 ads. :)


    Enjoy web securing!

    Saad R.
    www.saadrabia.com


    The search on that page is based at http://www.federalsuppliersguide.net/ which has a different person as the admin contact. Is it possible that the original site is thieving from a different scam artist?
  • Ha Ha - This Made My Night 2008-03-01 22:55
    Dear Mr. Customer Support:

    It's a scam unless you can prove it isn't. In this age of credit fraud, identity theft, and everything else, it's always best for the person with the money to remain skeptical.

    But - I have a D&B number too. And a BBB listing, OMG! Woo woo! These can be obtained by just about anyone. But the thing here you need to understand - most companies can provide proof that they provide a service. Can yours? If you can provide the proof, then I'll believe you.

    But whether you are a real company or just some big joke, you probably should stop putting the password right in the source code. BTW - looking at source code isn't hacking. You provide it to us.
  • Smash 2008-03-01 23:11
    Due to the bytes shortage we've been experiencing, I feel a need to sum up 90% of the next 300 posts.

    1- (reply to 180051) Your security sucks! There was no hacking at all. You don't know how to type or spell. You sent the password and blah blah blah...
    2- Now the UserID is "moron" and the password is "scam3000"
    3- Hey everyone, they changed the page to http://www.federalsuppliers.com/warning.html
    4- Too bad they put it offline now. But I bet it still is available on Google's cache.

    If your post resembles any of the statements above, don't bother. Save those precious bytes for something that has not been written countless times. Thank you.
  • lol 2008-03-01 23:39
    six hunrdid and sitxy sixth!1111!one
  • Felix Lockhart 2008-03-01 23:54
    To "FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT":

    For a company that claims to have that much prestige, you sure do suck at making a website. What you fail to realize is that anyone with a web browser and the ability to read English can get into your so-called "secure site", it's not "hacking" at all. To get the information posted here, click on the View menu in your browser and choose Source. Voila!

    Oh, and next time you post something in an official capacity, as part of a company, use proper capitalization and sentence structure. Especially when you're trying to defend yourself against allegations of illegitimacy.
  • Felix Lockhart 2008-03-01 23:57
    Felix Lockhart:
    To "FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT":

    For a company that claims to have that much prestige, you sure do suck at making a website. What you fail to realize is that anyone with a web browser and the ability to read English can get into your so-called "secure site", it's not "hacking" at all. To get the information posted here, click on the View menu in your browser and choose Source. Voila!

    Oh, and next time you post something in an official capacity, as part of a company, use proper capitalization and sentence structure. Especially when you're trying to defend yourself against allegations of illegitimacy.


    What I said in this comment has probably been said several times throughout this discussion; I didn't realize when I posted it that there were more comments than what was on the initial page.
  • zzo38 2008-03-02 00:40
    I notice a few things. It lets you login now, but the page doesn't exist once you do login (or access it directly, it doesn't matter), and it is still in the javascript code. And what is the "Sample Page" menu for? That is also a link to something that doesn't exist. And the link for "FEDERAL R" "EGULATIONS" is broken up on that page, on other pages it is correct, though. I think for some reason, they can't use server script. If they can't use server script, at least encrypt the page. And maybe also they should make the link to that page secret, they can just tell the federal procurement officer when they need it, anyways. Also look at form.html for more things wrong. They still don't use server script, the server script is a different web-site, which doesn't seem to work right now.
  • Chris 2008-03-02 00:45
    LOL
  • PeriSoft 2008-03-02 00:50
    Smash:
    Due to the bytes shortage we've been experiencing, I feel a need to sum up 90% of the next 300 posts.

    1- (reply to 180051) Your security sucks! There was no hacking at all. You don't know how to type or spell. You sent the password and blah blah blah...
    2- Now the UserID is "moron" and the password is "scam3000"
    3- Hey everyone, they changed the page to http://www.federalsuppliers.com/warning.html
    4- Too bad they put it offline now. But I bet it still is available on Google's cache.

    If your post resembles any of the statements above, don't bother. Save those precious bytes for something that has not been written countless times. Thank you.


    5- You people are all posting the same four things!...
  • Get a new IT Manager 2008-03-02 01:21
    It's not hacking if the password and user name are in plain sight!!! Read up on your laws :) and get a web developer that understands how to deal with ISO security standards. It could have been worse: if a real hacker was on your site they could have extracted vital company info and really caused some havoc. Judging from the level of security, I am sure you guys are SO out of date and ripe for the picking. Let's hope that there are no bored black hats around, or you're in deep Sh*t and you wouldn't be able to do anything to them; they usually do their dirty work on a router/server overseas ("non prosecutable") in the US.
  • The Fixer 2008-03-02 02:17
    Send a little cash my way and I can help you seal the big security hole on your website.....
  • Whatever 2008-03-02 02:27
    Dude,

    You need to make your site more secure than showing the userID and password in the script. No one is hacking your site. You are leaving the information open there.

    If you don't understand how to fix it, pay some $$$ to someone who does and fix it. All these folks are actually helping you by pointing out the issue with your site. Take it as help, fix the site and move on.
  • captcha modo 2008-03-02 03:01
    I see two real WTFs here

    1) Pointing out that Google cache has the information. AFAIK Google was sued many times for indexing private information

    2) Most people thinking that anyone who finds a "door" open with a sign "do not enter - private area" can freely enter and consider this not a breach.
  • Watts 2008-03-02 03:50
    sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better.

    Yeah, see, this is the kind of thing that makes you look stupid. No offense. Do you understand that there is no "hacking" that has happened here? That what people have done to find the password and username that you use for your website is to use the "View Source" command that every web browser has? This is the web equivalent of locking a door and leaving the key, no, not under a doormat, but hanging on a hook by the doorknob. Telling you that you have poor security isn't truthful, because you have NO SECURITY AT ALL.

    And this "all of you should have protected your information better" is absolutely juvenile. Just cut it out.

    Incidentally, I notice in your list of "check out what we do is real," you didn't suggest checking out the Better Business Bureau. Hmm.

    Also incidentally, your company doesn't come up in a search at Dun & Bradstreet, GSA Advantage (which is, y'know, the free catalog service for federal suppliers that everyone who has a GSA schedule contract is required to join, making the whole idea of a printed catalog kind of moot, but whatever), or the West Pasco Chamber of Commerce.

    Again, no offense, but it's not slander if it's true.
  • Anon Barbarzyńca 2008-03-02 06:34
    For not overloading Google I just saved all that cached pages here:


    TRWTF.
  • Anonymous 2008-03-02 06:46
    Felix Lockhart:
    What I send in this comment has probably been said several times throughout this discussion, I didn't realize when I posted it that there were more comments than what was on the initial page.

    Aaaah, so that's the problem.

    Voting for removal of "reply" button on featured comments.
  • so your commentsystem is WTF 2008-03-02 07:06
    Maybe if the comments were more logically organised next to the comment they comment on, instead of just piling them up in one big tree, it would help prevent reading essentially the same content over and over again?!
  • Kevin 2008-03-02 08:57
    I found if you use google you can find all the pages in their cache also:
    * site:federalsuppliers.com
  • Air Force General 2008-03-02 10:12
    Worked there for 10 years? And you still can't spell? Didn't Mommy teach you upper case?

    Son, get lost!
  • rocky 2008-03-02 10:32
    well now you guys have gone and wrecked this guy's life. His http://officers.federalsuppliers.com/agents.html page is offline now. How can I call up his customers for references?
  • NoOneReallyCares 2008-03-02 10:55
    thank you hackers for trying to destroy federal suppliers guides reputation


    You will find that the term 'hackers' probably applies more accurately to the group of individuals who 'hacked' together the password protection that you appear to still have faith in.

    your comments are not truthful we are not a scam


    Which comments are not truthful? The ones in reference to your cold call? Maybe the segment about calling a disgruntled customer of your service?

    not only is the company legit we actually have held a 5 year GSA contract with the federal government


    Hopefully your tender documents contain better punctuation than your post above.
  • emurphy 2008-03-02 11:16
    Rotary Jihad:
    Saad Rabia:
    I was playing around when I found out this interesting link that leads to thousands of agent ad listing. Have a look at it and someone download everything before it is taken down again! ;)

    Here is the link:

    http://www.federalsuppliersguide.net/?_orderBy=name&_offset=0

    And originally found here:

    http://www.federalsuppliers.com/test.html

    I have downloaded about 200 ads. :)


    Enjoy web securing!

    Saad R.
    www.saadrabia.com


    The search on that page is based at http://www.federalsuppliersguide.net/ which has a different person as the admin contact. Is it possible that the original site is thieving from a different scam artist?


    whois.net has this to say. Matching it up against the previous info for federalsuppliers.com is left as an exercise for the student.

    Registrant:
    --
    2256 Toniwood Lane
    Palm Harbor, FL 34685
    US

    Domain name: FEDERALSUPPLIERSGUIDE.NET

    Administrative Contact:
    Powers, Jamie howietaylor@countrysidereps.com
    2256 Toniwood Lane
    Palm Harbor, FL 34685
    US
    813-925-0195 Fax: 000-000-0000

    Technical Contact:
    Powers, Jamie howietaylor@countrysidereps.com
    2256 Toniwood Lane
    Palm Harbor, FL 34685
    US
    813-925-0195 Fax: 000-000-0000



    Registration Service Provider:
    AccountSupport, support@accountsupport.com
    1-866-642-4678



    Registrar of Record: TUCOWS, INC.
    Record last updated on 27-Jul-2007.
    Record expires on 27-Jul-2008.
    Record created on 27-Jul-2007.

    Registrar Domain Name Help Center:
    http://domainhelp.tucows.com

    Domain servers in listed order:
    NS2.HOSTPROSERVER.COM
    NS1.HOSTPROSERVER.COM


    Domain status: clientTransferProhibited
    clientUpdateProhibited

    PeriSoft:
    Smash:
    Due to the bytes shortage we've been experiencing, I feel a need to sum 90% of the next 300 posts.

    1- (reply to 180051) Your security sucks! There was no hacking at all. You don't know how to type or spell. You sent the password and blah blah blah...
    2- Now the UserID is "moron" and the password is "scam3000"
    3- Hey everyone, they changed the page to http://www.federalsuppliers.com/warning.html
    4- Too bad they put it offline now. But I bet it still is available on Google's cache.

    If your post resembles any of the statements above, don't bother. Save those precious bytes for something that has not been written countless times. Thank you


    5- You people are all posting the same four things!...


    Yeah, but at least Smash's #5 got highlighted as a Featured Comment, so it should be somewhat more effective in stemming the tide.
  • emurphy 2008-03-02 11:23
    Watts:
    Incidentally, I notice in your list of "check out what we do is real," you didn't suggest checking out the Better Business Bureau. Hmm.


    Summary: 10 complaints opened within the past three years, 9 closed (4 within the past year) with "they made a reasonable effort to fix it" (and the customer accepted / rejected / was still upset / didn't follow up with the BBB).
  • Lucas 2008-03-02 12:56
    So, did anyone notice that they no longer have a 'login' page on the site? What a shame - no longer can we have duplicate comments (with some cut and paste) about what the password is now :(

    Not wanting to be the reason for a lot more ridicule against these poor sods - but have they not read about not using the phrase 'click here' when doing web pages? To top that off - putting the 'click here' as an image, without any alt tags...well at least the offending javascript routine is now gone.

    Oh btw, did anyone try and load the page as https ? Go on try....



  • Lucas 2008-03-02 13:06
    Lucas:
    So, did anyone notice that they no longer have a 'login' page on the site? What a shame - no longer can we have duplicate comments (with some cut and paste) about what the password is now :(

    Not wanting to be the reason for a lot more ridicule against these poor sods - but have they not read about not using the phrase 'click here' when doing web pages? To top that off - putting the 'click here' as an image, without any alt tags...well at least the offending javascript routine is now gone.

    Oh btw, did anyone try and load the page as https ? Go on try....



    Ok, before anyone TRWTF's me, and really not wanting to repeat any previous posts, I just found the offending js is still on the site (and I am NOT going to post the url here...)

    I will call myself stupid, and promise not to post comments after I've had a few vodkas.

    Man do I feel stupid right now :(

  • Anonymous Coward 2008-03-02 13:17
    Who else notices that there are no robots.txt files? Who says we add the URL for the Google webbot? Who else is for Digg or del.icio.us?

    I feel clickey links popping up all over the net.
  • OzPeter 2008-03-02 13:45
    I think they may have got the point by now.

    This thread is becoming TRWTF. Brillant!

  • Alfred Baeumler 2008-03-02 14:00

    So, I totally agree with your technical points, but wasn't Kafka born in Prague?

    Not trying to troll, we just have to keep one another honest...
  • Nimrand 2008-03-02 15:42
    Out of sheer curiosity, I decided to look at US's anti-hacking law. I found a page at <http://www.rent-a-hacker.net/hacklaw.htm> that covers at least some of the relevant statutes (there might be more than one). In summary, since the "hacked" site was owned by a domestic company, it seems that one would have to either cause or intend ham or freud in order for it to be considered illegal. Technically, though, any unauthorized access, regardless of how inadequate the security measures, could be illegal. Calling it "hacking" though, is still a stretch in my book.
  • INTit 2008-03-02 15:46
    I know bugger all about secure website development but I'm guessing you probably need the authentication process done server side.
  • Felix Lockhart 2008-03-02 16:41
    Anonymous:
    Felix Lockhart:
    What I send in this comment has probably been said several times throughout this discussion, I didn't realize when I posted it that there were more comments than what was on the initial page.

    Aaaah, so that's the problem.

    Voting for removal of "reply" button on featured comments.


    Yeah, there's no indication on the front page that there are more comments, or how many more comments there are, there's only a poorly-placed link that says "All Comments". And I didn't even see that until I went back to see if there was such a thing.
  • Lolowner 2008-03-02 17:13
    Lol, I'm glad mine doesn't resemble that xD

    I'm gonna quote one of the first ones

    "its rude, your comments are not truthful we are not a scam"

    I don't remember anyone ever saying it was a scam o.O

    and if someone did, please copypasta for me
  • Vempele 2008-03-02 17:19
    So TRWTF is that the passwords were too short, right? That's the only possible explanation for the fact that everybody's been able to hack their site.

    Fixed script:

    <script language="javascript">
    <!--//
    /* This script allows people to enter by using a form that asks for a
       UserID and Password */
    function pasuser(form) {
      if (form.id.value == "Agent") {
        if (form.pass.value == "completelyHackerProofReallyLongSecurePasswordNobodyWouldThinkToCopyPastaFromTheSource") { /* spaces removed from password in order to save, well, space */
          location = "http://officers.federalsuppliers.com/agents.html"
        } else {
          alert("Invalid Password")
        }
      } else {
        alert("Invalid UserID")
      }
    }
    //-->
    </script>

    I dare you to hack that!
  • Ametheus 2008-03-02 17:22
    Anonymous:
    Voting for removal of "reply" button on featured comments.


    Aye.
  • Vempele 2008-03-02 17:44
    Nimrand:
    In summary, since the "hacked" site was owned by a domestic company, it seems that one would have to either cause or intend ham or freud in order for it to be considered illegal.


    Whoever wrote that law was evidently computer illiterate. Everybody knows you can't cause ham over the internet!
  • jimmy 2008-03-02 17:47
    OzPeter:
    I think they may have got the point by now.

    This thread is becoming TRWTF. Brillant!



    Paula! Where have you been?
  • PeriSoft 2008-03-02 18:29
    Vempele:
    Nimrand:
    In summary, since the "hacked" site was owned by a domestic company, it seems that one would have to either cause or intend ham or freud in order for it to be considered illegal.


    Whoever wrote that law was evidently computer illiterate. Everybody knows you can't cause ham over the internet!


    Suppose you did one of those "hunt via webcam" things, except in reverse, where you could click on a gate and let a hog into a pen with a bunch of sows? I think that might qualify.
  • Nimrand 2008-03-02 18:31
    Vempele:
    Nimrand:
    In summary, since the "hacked" site was owned by a domestic company, it seems that one would have to either cause or intend ham or freud in order for it to be considered illegal.


    Whoever wrote that law was evidently computer illiterate. Everybody knows you can't cause ham over the internet!


    Obviously, that was supposed to be "harm." Unfortunately, there's no way to go back and edit it now.
  • https: 2008-03-02 19:09
    Plesk, Inc.

    That sounds right. LOL
  • dkf 2008-03-02 19:11
    Nimrand:
    [...] cause or intend ham or freud in order for it to be considered illegal.
    Sigmund is pleased about that, though he wants to know what the pig's father fixation has to do with it.
  • J Fish 2008-03-02 19:57
    laff

    whois federalsuppliers.com

    Domain: federalsuppliers.com
    Registration provider: MateMedia, Inc.

    Registrant
    Jim Sprecher
    Jim Sprecher
    jim@countrysidepublishing.com
    PO Box 1735
    Oldsmar, FL 34677 US
    +1.8139250195
    (FAX)

    this site is on rackspace it appears.

    Domain Name Servers:
    NS.RACKSPACE.COM
    NS2.RACKSPACE.COM

    now, I await my visit from gov agents in black suits to arrest me for public knowledge for "hacking"

    if this is how our legit gov. handles business, I'll take my chance with the hackers, thank you.
  • Dave G. 2008-03-02 21:39
    Great stuff, Alex. I love you guys.
  • Matt 2008-03-02 22:10
    "Save those precious bytes to something that have not been written countless times. Thank you"

    Shut up, don't tell me what to do. betch
  • Anon 2008-03-02 22:45
    You really have to be joking to think that if you include the username and password in the javascript source of a page it won't be found.

    Seriously!
  • Anon 2008-03-02 22:46
    My comment was in response to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT btw. Smarten up!
  • d4ve 2008-03-02 23:28
    internet in general (blogs, comments, etc) is becoming more redundant and predictable every day...gotta deal wit it

  • Josh 2008-03-03 03:51
    http://google.com/search?q=site:federalsuppliers.com
  • alpha754293 2008-03-03 04:41
    Updates:

    http://officers.federalsuppliers.com/agents.html

    that's the page that it takes you to when you "log in". You can skip the entire "log in" process and just go straight to that. Down side is they apparently took down the listing. Maybe there's a Google cache of it.

    Otherwise, here's the response from whois federalsuppliers.com:

    Domain Name: FEDERALSUPPLIERS.COM
    Registrar: INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM
    Whois Server: whois.itsyourdomain.com
    Referral URL: http://www.itsyourdomain.com
    Name Server: NS.RACKSPACE.COM
    Name Server: NS2.RACKSPACE.COM
    Status: clientTransferProhibited
    Updated Date: 13-nov-2006
    Creation Date: 19-may-1997
    Expiration Date: 20-may-2008

    Here's the (partial) traceroute result:

    11 * te-1-3-pr01.ashburn.va.ibone.comcast.net (68.86.84.154) 32.381 ms 33.949 ms
    12 peer-01-ge-1-1-0-104.asbn.twtelecom.net (64.132.69.73) 26.917 ms 26.196 ms 27.974 ms
    13 64.132.228.26 (64.132.228.26) 59.692 ms 63.685 ms 59.415 ms
    14 64.132.228.26 (64.132.228.26) 58.507 ms 59.372 ms 58.322 ms
    15 vl130.core1.sat.rackspace.com (64.39.2.33) 66.247 ms 61.229 ms 62.702 ms
    16 64.39.1.149 (64.39.1.149) 62.185 ms 63.492 ms 59.942 ms
    17 matemediainc.com (65.61.159.151) 61.192 ms 65.086 ms 60.287 ms
  • fizze 2008-03-03 05:51
    Epic! :-)

    I also love the PDF that he faxed you over. From 2006. Wow. Pretty current for govt. agencies, at least. tee-hee.
  • T $ 2008-03-03 07:41
    We're at 712 comments and climbing. Could this be the most popular post of all time?
  • derula 2008-03-03 08:34
    T $:
    We're at 712 comments and climbing.

    While technically it's at most 10 different comments.

    By the way, they have changed user name and password to something ridiculous, which doesn't matter because you can entirely skip the login process anyway by simply visiting the address hidden in the if construct. Besides, that isn't hacking, as the user name and password are directly sent to whoever reads the website. And the target site says SECURE, which is TRWTF because it isn't. And have you noticed there aren't any robot.txt files? Maybe Google has a cached version of it. Which would be great, because they have taken down the whole page. By the way, this is the WHOIS info on the domain: *snip* You should arrest me because I'm an evil hacker, yeah, haha, guess what, I'm not.

    Did I forget anything?
  • Eulbobo 2008-03-03 08:39
    They changed user and password...

    But it's still in the javascript :p
  • More 2008-03-03 09:19
    derula:
    T $:
    We're at 712 comments and climbing.

    While technically it's at most 10 different comments.

    By the way, they have changed user name and password to something ridiculous, which doesn't matter because you can entirely skip the login process anyway by simply visiting the address hidden in the if construct. Besides, that isn't hacking, as the user name and password are directly sent to whoever reads the website. And the target site says SECURE, which is TRWTF because it isn't. And have you noticed there aren't any robot.txt files? Maybe Google has a cached version of it. Which would be great, because they have taken down the whole page. By the way, this is the WHOIS info on the domain: *snip* You should arrest me because I'm an evil hacker, yeah, haha, guess what, I'm not.

    Did I forget anything?


    Yep. The guy who defended the company at first can't spell,

    and

    The page is now at: http://www.federalsuppliers.com/warning.html. Which I find highly confusing... since that is the page Alex originally gave.
  • wtf 2008-03-03 09:44
    Although I am sympathetic to your story, the simple fact is that it's laughable that your company wouldn't do a better job of protecting your website. Please don't address us as hackers with a negative connotation. A hacker wouldn't post this article, a hacker wouldn't tell you about the problem, they would exploit it instead. If you want to fix your site's reputation, why don't you fix the problem?
  • Anita 2008-03-03 10:01
    I used to work for Federal Suppliers Guide, several years ago as a Graphic Artist. I have to say that I was initially skeptical of their product. Final copies are not mass produced, but rather a small-scale print run (each approx. phone book size) delivered to the select Federal Suppliers for that State/Region. Customers do have to pay to get a copy of the book (something like $100). I believe that a copy of their ad is free.

    Phone calls and ads are legitimate. There were at least 4 full-time Graphic Artists to handle the workload. Designs were faxed and e-mailed to customers for approvals. They had a full time sales staff at several locations (probably 10-12 at the location that I worked). Owner/Manager is a Christian woman that seemed to treat employees with respect. Very small company, with its biggest downfall being (in my opinion) that it didn't offer employees a lunch room and that equipment/software was in need of upgrading.

    Other than that, I don't believe that I would label it as a "scam" company. Just a niche product.

    Think they also offered services to assist with Federal Suppliers paperwork processing - with a hefty fee if I remember correctly.
  • just visiting 2008-03-03 10:23
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    not only is the company legit we actually have held a 5 year GSA contract with the federal government


    This makes me sad. :(
  • Lysis 2008-03-03 10:41
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    I rofl'd

    Addendum (2008-03-03 10:50):
    Posting in a legendary thread.
  • m 2008-03-03 11:03
    This is very upsetting news... I get the feeling that every other WTF posted from now is going to pale in comparison to this... :(
  • jpers36 2008-03-03 11:04
    T $:
    We're at 712 comments and climbing. Could this be the most popular post of all time?


    This one is still well ahead, and I'm not even sure if that's the record.
  • amused 2008-03-03 11:26
    hilarious
  • Torauma 2008-03-03 11:39
    Really, clicking "View Source" shouldn't even count as a step. The data that their server is sending you is the raw HTML/Javascript. Your browser interprets it, and "View Source" is just showing you what was actually received. If I used wget, or telnet'ed to port 80 of their webserver and did a GET on the page in question, I would see the username and password right there.
  • Benanov 2008-03-03 12:35
    Owner/Manager is a Christian woman that seemed to treat employees with respect. Very small company, with its biggest downfall being (in my opinion) that it didn't offer employees a lunch room and that equipment/software was in need of upgrading.


    Aww, look. Pathos.
  • tamosius 2008-03-03 12:40
    I wouldn't be much surprised if they weren't safe from SQL injection attacks either..

    http://www.federalsuppliersguide.net/?_name=&_description=&_q1=&_q2=52&_q3=&_orderBy=name
  • hax0rz 2008-03-03 12:44
    jpers36:
    T $:
    We're at 712 comments and climbing. Could this be the most popular post of all time?


    This one is still well ahead, and I'm not even sure if that's the record.


    Ahhh yes. The Hat Riddle. Good times.
  • Harshmage 2008-03-03 13:36
    http://www.google.com/search?q=+site:federalsuppliers.com+federalsuppliers.com/&hl=en

    If you browse the several pages, you'll see the listed addresses of the companies who were marks.

    I don't mean to discourage or deface these businesses, but FederalSuppliers is not exactly sharing their information with anyone. I hope that via the Google Cache, they will get at least some attention, and maybe find grounds for a lawsuit against the owner(s) of FederalSuppliers.

    Remember, the government isn't the only one interested in buying from these companies. They're in business so EVERYONE can invest, purchase, and make that economic wheel turn.
  • wavq 2008-03-03 13:39
    So how do you know if you're authorized?

    How do you know if you're not authorized?
  • Dan 2008-03-03 14:23
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    Wow, 15 pages of vitriolic hot-headed comments so far, all because of something that was almost certainly a deliberate troll.

    Unless you think that someone with those language skills, that little knowledge of what he's doing, and that offensive a position would actually have come to this website and posted here, especially with such brazen statements like "all of you are being reported to the appropriate authorities as we have your information too".

    Granted it was well-crafted to the point where it seems just plausible enough, but everyone who flamed in response to that post should check themselves, as they are a gullible idiot.

    Dan.
  • Instaneous 2008-03-03 14:25
    Dan:
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    Wow, 15 pages of vitriolic hot-headed comments so far, all because of something that was almost certainly a deliberate troll.

    Unless you think that someone with those language skills, that little knowledge of what he's doing, and that offensive a position would actually have come to this website and posted here, especially with such brazen statements like "all of you are being reported to the appropriate authorities as we have your information too".

    Granted it was well-crafted to the point where it seems just plausible enough, but everyone who flamed in response to that post should check themselves, as they are a gullible idiot.

    Dan.


    He could be trolling in his spare time.
  • Vaccano 2008-03-03 14:48
    OK, if the website was secure then you could MAYBE have an argument for legal action. But since I could get to this site (which I have not done) without a user name and password, it cannot be called hacking.

    Having an unsecured web page that you don't want the general public to go to is not security, it is wishful thinking. (To use the house analogy, it is like taking your private journal out of your house and posting all the pages on a bulletin board at the City Hall.)

    Just because another page that links to it requires two unique strings for the link to work does not make the page behind the link secure. You need to secure your website for authenticated users, then (even if you are stupid and store your user name and password in the JavaScript) you COULD POSSIBLY have an argument for legal action.
  • jimmy 2008-03-03 14:53
    jpers36:
    T $:
    We're at 712 comments and climbing. Could this be the most popular post of all time?


    This one is still well ahead, and I'm not even sure if that's the record.

    Not to be a boogerhead about it, but that one is about an interview method. It's kind of subjective.

    This one is a newbie implementation error (I'm being nice!) by a site that (to most of us apparently) is not far shy of being strung up for their business practices. The phrase "couldn't happen to a nicer guy" comes to mind here.

    Then, to top it off, somebody digged it. Brillant!
  • anonymous 2008-03-03 15:31
    Now they've changed it to a single input box...

    the script now just tacks on ".html" to whatever you type into the box and does a request for that...

    I guess they couldn't afford a real web developer... so where does all of that money go then?
  • Renan "C#" Sousa 2008-03-03 15:43
    tamosius:
    I wouldn't be much surprised if they weren't safe from SQL injection attacks either..

    http://www.federalsuppliersguide.net/?_name=&_description=&_q1=&_q2=52&_q3=&_orderBy=name


    It shows the following error at the end of the page:

    Could not find images: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'exists (select 1 from dbimg_ImageAttributeValue iav where iav.a


    One more WTF in the list of WTF's for that site.
  • real_aardvark 2008-03-03 15:44
    codemoose:
    real_aardvark:
    Well, this is apparently what you get when you inadvertently hit the Top Ten in digg or reddit or www.adhd.org -- a stream of repetitive crud.

    Is there some way to hack digg/reddit/slash-my-wrists to downgrade the popularity of the site or article? It's worth looking into.

    As an alternative, how about insisting on any commentator after the first two hundred or so actually registering. Most of these numb-nuts won't bother to jump through that hoop. Those that do might actually contribute something worthwhile in future.


    You're new here aren't...oh, wait, I thought I was on /.

    Well, I enjoyed that, even if the last hundred posters didn't.

    Maybe we could start a club? It'd be Webby, it'd be 2.0 ... it might even feature photographs.

    Now, that'd put most of these pointless swine off the idea of posting.
  • real_aardvark 2008-03-03 15:49
    weirdbeardmt:
    I don't know which is the bigger WTF... the actual story, which although humourous is merely a "n00b" (and very common) scripting mistake or the hundreds of pretentious self-righteous tech "geniuses" spouting the same old tired gibberish ad infinitum. I'm actually embarassed to be a part of it.

    Fortunately though, the vast majority of the digg et al trolls will disappear soon enough and things round here can get back to normal.

    You think?

    Tell me again. What country do you live in? When do retarded adolescents grow up in that country?
  • real_aardvark 2008-03-03 15:54
    Anita:
    I used to work for Federal Suppliers Guide, several years ago as a Graphic Artist. I have to say that I was initially skeptical of their product. Final copies are not mass produced, but rather a small-scale print run (each approx. phone book size) delivered to the select Federal Suppliers for that State/Region. Customers do have to pay to get a copy of the book (something like $100). I believe that a copy of their ad is free.

    Phone calls and ads are legitimate. There were at least 4 full-time Graphic Artists to handle the workload. Designs were faxed and e-mailed to customers for approvals. They had a full time sales staff at several locations (probably 10-12 at the location that I worked). Owner/Manager is a Christian woman that seemed to treat employees with respect. Very small company, with its biggest downfall being (in my opinion) that it didn't offer employees a lunch room and that equipment/software was in need of upgrading.

    Other than that, I don't believe that I would label it as a "scam" company. Just a niche product.

    Think they also offered services to assist with Federal Suppliers paperwork processing - with a hefty fee if I remember correctly.

    Ha-hem.

    What, precisely, is the difference between "scam" and "rip-off" and/or "snake-oil sales"?

    A "niche" product is something that you can't find anywhere outside that niche. Granted, it might still be any or all of the above. It might still be what you want.

    This one ain't it.
  • Prosthetic Lips 2008-03-03 16:19
    anonymous:
    Now they've changed it to a single input box...

    the script now just tacks on ".html" to whatever you type into the box and does a request for that...

    I guess they couldn't afford a real web developer... so where does all of that money go then?


    PS: Don't try typing the obvious word, "procurement", into the input box. Because that is most definitely *NOT* the password (at least at 4pm EST on Monday). Who knows what it will be later.
  • All your base are belong to ME! 2008-03-03 16:22
    So, I don't code but work in IT, mostly hardware but I LOVE this website. I got through about the first four pages of the comments, and honestly can't believe that
    * This company is not fixing this blatant security issue
    * Referring to people here as "hackers" when in reality true hackers would have completely DESTROYED their website, getting personal data/credit card numbers, and god knows what else

    Instead of cheap/petty threats from employees from this company, they should be THANKFUL that it was found on this forum where ridicule is the worst consequence of their action (or inaction).


  • Prosthetic Lips 2008-03-03 16:38
    The management would like to inform everyone that the persons responsible for the unmarked sarcasm in the previous post have been sacked.

    Why doesn't BBCode have a [sarcasm]marker[/sarcasm] for that?
  • Stiggy 2008-03-03 17:13
    anonymous:
    Now they've changed it to a single input box...

    the script now just tacks on ".html" to whatever you type into the box and does a request for that...

    I guess they couldn't afford a real web developer... so where does all of that money go then?

    Love their new code comments
    // **** You WILL NOT get access without a valid password ****
    // **** javascript:IPcatch:subject?Source_code_violator ****

    ph33r m1 l337 h4xx0r 5k1llz or something lol
  • Rawr 2008-03-03 17:20
    <!--
    // **** You WILL NOT get access without a valid password ****
    var suffix = ".html"

    // **** javascript:IPcatch:subject?Source_code_violator ****
    var pass_msg = "Password: ";

    function go_there() {
    location.href = document.pass_form.pass.value + suffix;
    }

    document.write('<form name="pass_form" onSubmit="go_there();return false">'
    + pass_msg + '<input type="password" name="pass" size="20" value="">'
    + '&nbsp;<input type="button" value="Verify" onClick="go_there()"></form>');
    // -->



    I just felt the things I outlined in bold were, in fact, rather comical.
  • phire 2008-03-03 17:21
    Prosthetic Lips:

    anonymous:

    Now they've changed it to a single input box...

    the script now just tacks on ".html" to whatever you type into the box and does a request for that...

    I guess they couldn't afford a real web developer... so where does all of that money go then?


    PS: Don't try typing the obvious word, "procurement", into the input box. Because that is most definitely *NOT* the password (at least at 4pm EST on Monday). Who knows what it will be later.


    Na, that's an actual page. You can access it normally from the 2nd button from the right in the top bar, helpfully labelled procurement.

    But, as long as someone visits the guide, and they have google toolbar installed, then google will eventually index it.
  • Dave G. 2008-03-03 17:43
    Stop spoiling our fun you joyless old bastard. Nobody cares.
  • Calli Arcale 2008-03-03 17:58
    Anita:
    I used to work for Federal Suppliers Guide, several years ago as a Graphic Artist. I have to say that I was initially skeptical of their product. Final copies are not mass produced, but rather a small-scale print run (each approx. phone book size) delivered to the select Federal Suppliers for that State/Region. Customers do have to pay to get a copy of the book (something like $100). I believe that a copy of their ad is free.

    Phone calls and ads are legitimate. There were at least 4 full-time Graphic Artists to handle the workload. Designs were faxed and e-mailed to customers for approvals. They had a full time sales staff at several locations (probably 10-12 at the location that I worked). Owner/Manager is a Christian woman that seemed to treat employees with respect. Very small company, with its biggest downfall being (in my opinion) that it didn't offer employees a lunch room and that equipment/software was in need of upgrading.

    Other than that, I don't believe that I would label it as a "scam" company. Just a niche product.

    Think they also offered services to assist with Federal Suppliers paperwork processing - with a hefty fee if I remember correctly.


    The hefty fee would not surprise me in the least; while I do suspect your former employer is not, technically, a scammer (at least, not in the sense of the 419 scammers), I do suspect they can fairly be described as snake-oil salesmen. They are selling a product which is of no practical value for a high price -- and, judging by the experience relayed in the original post, using well-worn sales techniques designed to induce a person to buy without any real knowledge of what exactly they are buying. In short, it would be fair to describe it as a con-job. (Charging large amounts of money for menial copying is also a borderline con-job, BTW.) Some posters have compared it to vanity publishing and "Who's Who?" services, which charge a fee to publish your name and/or work. What they don't tell you (and what they didn't tell the original submitter) is that this information will go into a publication so obscure that it's only a step above where Arthur Dent had to go to find the "publicly displayed" notice that his house was scheduled for demolition (cf. "The Hitchhiker's Guide to the Galaxy").

    Me, I'd like to compare it to services which sell lunar or Martian real-estate, or asteroids, or the rights to name stars. In all cases, they are charging customers for something which is utterly meaningless -- but which they have deliberately represented as valuable despite knowing perfectly well that it is completely worthless.

    Now, such companies have often claimed that they are not con-artists, because they are in fact providing a service for a fee. But the service is so grossly different from what they persuade their customers to buy that it beggars the imagination to think how they might actually think they're doing a service to anybody. There are only two realistic options: either your former employers are deliberately misrepresenting their service, and counting on the fact that their customers are all small businesses who likely won't have the wherewithal to take them to court, or they are complete and utter morons with a grossly inflated sense of their own importance.

    Actually, the javascript snippet might support the "moron" theory. But the conduct of the salesman very strongly supports the "con-artist" theory, because he went out of his way to avoid giving any real information to the prospect which would permit the prospect to fairly judge the offer. Either way, I think it is very much in the public interest to publicize this information. Customers have a right to fairly judge the quality of a proposition. If the people who posted earlier in this thread claiming to be employees actually are, then their protestations of innocence are entirely consistent with trying to prevent the public knowing just how worthless this product actually is.

    And that, my friends, is the real WTF. Not the lame-O security, though that was a pretty darned good WTF. One of the best I've ever seen, made so much better by the company's attempts to "fix" the hole. The real WTF is that so many companies can get away with selling products so worthless that they must be either con-artists or the biggest incompetents in history.
  • Hugues 2008-03-03 18:00
    anonymous:
    Now they've changed it to a single input box...

    the script now just tacks on ".html" to whatever you type into the box and does a request for that...

    I guess they couldn't afford a real web developer... so where does all of that money go then?

    Alright, am I a nerd if I thought it was hilarious to navigate around the site using this form?

    I'm pretty sure the web dude at www.federalsuppliers.com is checking this thread pretty often. If so, I thought I'd let you know the navigation on this "login" page is broken now:

    <li><a href="http://www.federalsuppliers.com/federal.html">Federal R</a><a href="http://www.federalsuppliers.com/federal.html">egulations</a></li>

    The style class is sticking a bar between them which makes it display as:"Federal R | egulations"

    Look on the bright side.. you're getting all kinds of free QC and consulting work here. I know companies that have paid millions to have this kind of detailed site audit performed.

  • Anonymous Coward 2008-03-03 18:00
    With their new login 'http://www.whitehouse.gov/index' as a username works. :P
  • derula 2008-03-03 18:37
    The new implementation is great. Also I know it was suggested by someone in the comments. So they're actually reading this ^^

    Anyone guessed the new password?
  • Alcari 2008-03-03 19:52
    Well, at least they made it marginally more secure now.
    In fact, they should probably pay The Daily WTF, for solving their glaring security issue.

    I just wonder how often they had to tell their "agents" about the new changes to the "security" login.
  • MM 2008-03-03 20:03
    Reality:
    you should be more worried about all of the pending lawsuits from people whose information was compromised by a company that is essentially handing out access to their database to anyone with a computer and a right mouse button.
    Lawsuits from people whose ADVERTISEMENTS were actually seen??? That's what's on this site - what this "security" is protecting - it's ads. It's hard to believe clients would be that upset at having their ads be seen. (The security isn't there to protect the clients. It's there to keep people from checking references and recognizing that the service is a scam. It's really sort of a shame that they may be fixing it now.)

    CodeMonkey:
    The fact that your company cannot splurge for basic serverside protection would lead any sane person in the contracting world to wonder what else you're too cheap to secure.
    Now this, on the other hand, might be a valid concern. If someone pretends to secure a site that neither needs nor has any security, it brings into question what else they're doing that badly.
  • MM 2008-03-03 20:04
    Thomas:
    I'm curious with regards to the Computer Misuse Act. Suppose I create a web page with textboxes labeled for username and password and lower down the page I show the username and password. In addition, I write something on the page about not entering if you are not authorized. If I login, am I breaking the law? If so, then why have the login at all? Why not simply say something to the effect of "If you click this link and are not authorized, you are breaking the law." Why even bother with the login?
    That's how a lot of adult websites keep underage viewers out - with a "click here only if you're authorized to" link. If someone goes through who isn't authorized, it's their own fault for lying, and not the website's fault. It's not really for security so much as a shifting of blame.
  • MM 2008-03-03 20:04
    Anonymous:
    Felix Lockhart:
    What I send in this comment has probably been said several times throughout this discussion, I didn't realize when I posted it that there were more comments than what was on the initial page.

    Aaaah, so that's the problem.

    Voting for removal of "reply" button on featured comments.
    Seconded. This isn't the only thread that's gotten bogged down with duplicate responses from people who only see the featured comments.
  • LordOfThePigs 2008-03-03 20:12
    Well... It's still security by obscurity, but at least it's a bit better.

    Hey FederalSuppliers guys, here's some advice for you: Go buy an internet security 101 book before somebody meaner and badder than the good guys here punches a hole in your security again and does some real damage.
  • KM 2008-03-03 20:32
    So the new password is listing, found this out by using

    google to search

    http://www.federalsuppliers.com/warning.html

    then using the view similar pages link

    So, it's not my fault that google is a gateway tool
  • anon 2008-03-03 21:12
    "Should HAVE protected your info," not "should OF."
  • kormoc 2008-03-03 21:14
    Actually it's not, that's in the clear under Procurement, and then click on the index link.

    What's amusing is the real password is test.

    test.html redirects to http://www.federalsuppliersguide.net/ where all their data is in the clear.
  • derula 2008-03-03 21:32
    Actually, the new login secures the whole web, or at least all addresses that end with .html! Even more, it assigns an own password to every .html page on the web! Brillant!

    Alcari:
    I just wonder how often they had to tell their "agents" about the new changes to the "security" login.

    I wonder how they described this incident to their agents. Maybe something like "A gang of Internet Hackers, supposedly from the organization known as "Anonymous", hacked our servers, therefore we had to change the password."
    ----
    "Oh nose, they did it again! Here's the new login data."
    ----
    "Oh dear, such brillant hackers. Here, the new login data."
    ----
    "Sorry, we had to take the site down because of recent attacks. We are working on a better protection system."
    ----
    "Gladly, one of the hackers has posted a better solution. Let this be his fate. The new password is blabla."

    And what their agents must have thought: "WhoTF are you? Oh.... whatever." - "WTF, again? Lulz." - "WHATTHE- nevermind." - "....... OMG" - "WhoTF cares?"
  • Security101 2008-03-03 22:03
    They also left their database open with unsanitized inputs on page:
    http://www.federalsuppliers.com/test.html
    ENJOY!
  • Captain Obvious 2008-03-03 22:16
    Here's my take on TRWTF. According to the article, Federal Suppliers Guide states that their guide is used EXCLUSIVELY by the gub'ment. They're hoping you misinterpret that to mean the government uses their guide exclusively - as in that's the only place they go to find these products and services. That would be insane. However, by "securing" these ads and only providing access to government agencies they can honestly say that they ARE USED (passive voice here) exclusively by the government.
  • Security101 2008-03-03 22:21
    FSG uses their own service to hire web-developers, trust me I work for the government, I know how shitty the contractors are roflmao!
  • Captain Obvious 2008-03-03 22:35
    Rawr:
    <!--
    // **** You WILL NOT get access without a valid password ****
    var suffix = ".html"

    // **** javascript:IPcatch:subject?Source_code_violator ****
    var pass_msg = "Password: ";


    I think I'm going to adopt this style in my work.
    // **** This code WILL NOT crash ****
    // **** Users WILL NOT complain ****
    // **** Boss WILL ISSUE bonus ****
    // **** javascript:Execute:subject?Childish_made_up_code
  • lank 2008-03-03 23:24
    Dang, now you need the password to get in

    // **** You WILL NOT get access without a valid password ****
    var suffix = ".html"

    // **** javascript:IPcatch:subject?Source_code_violator ****
    var pass_msg = "Password: ";

    function go_there() {
    location.href = document.pass_form.pass.value + suffix;
    }

    document.write('<form name="pass_form" onSubmit="go_there();return false">'
    + pass_msg + '<input type="password" name="pass" size="20" value="">'
    + '&nbsp;<input type="button" value="Verify" onClick="go_there()"></form>');
  • Bob 2008-03-03 23:31
    Dang, no robots.txt either, google doesn't have the files either :-(
  • Meredith 2008-03-03 23:41
    On the off-chance that this is a legitimate employee from FSG, I just want to say: it doesn't matter what YOU tell us. What matters is what your CLIENTS tell us. Regardless of how the client information was obtained, the fact is that the clients have been unsatisfied with your service. Instead of complaining about how "evil hackers" are hurting your service, how about improving your service so your current clients will be proud to recommend you to others?
  • Sean 2008-03-04 01:26
    Who needs a password

    http://www.federalsuppliersguide.net

    Search to your heart's content (about 3 seconds)
  • Lorenzo 2008-03-04 02:24
    The password is "listing".
  • hacking haero 2008-03-04 03:37
    Currently seen on http://www.federalsuppliers.com/warning.html


    <!--
    // **** You WILL NOT get access without a valid password ****
    var suffix = ".html"

    // **** javascript:IPcatch:subject?Source_code_violator ****
    var pass_msg = "Password: ";

    function go_there() {
    location.href = document.pass_form.pass.value + suffix;
    }

    document.write('<form name="pass_form" onSubmit="go_there();return false">'
    + pass_msg + '<input type="password" name="pass" size="20" value="">'
    + '&nbsp;<input type="button" value="Verify" onClick="go_there()"></form>');
    // -->


    Which is a very fandangled way of doing a user-supplied redirect.

    Sure enough, entering "test" forwards you to http://www.federalsuppliers.com/test.html where all ads can be searched.


    Captcha: haero
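    The reading above (a user-supplied redirect rather than a password check) is the whole point about the quoted script. Here is an added example, not code from the page or from federalsuppliers.com, written in Python so it can be run and tested: the first function restates the script's go_there() logic (whatever is typed is appended to ".html" and becomes the next location) so its behaviour can be checked, and the rest shows what a server-side check would look like instead: a salted PBKDF2 digest compared in constant time, with the decision taken on the server and the typed value never becoming a URL. The record layout, the page paths and the example.com host are this example's own assumptions.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Part 1: what the quoted go_there() does, as a pure function.
# Whatever is typed is appended to ".html" and becomes the browser's next
# location.  Nothing is compared against a secret, so every input "succeeds".
def client_side_gate(typed):
    return typed + ".html"

def leaves_site(target):
    """True when the computed target names a host, i.e. the 'password' form
    has turned into a redirect off the site.  A server that logs such
    targets is how a defender would notice the pattern the thread describes."""
    return urlsplit(target).netloc != ""

# Part 2: a server-side check.  Function and record names are this example's
# own; the site's real back end (if any) is not on the page.
def make_record(password, iterations=200_000):
    """Store only a salted PBKDF2 digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}

def verify(record, attempt):
    """Recompute the digest for the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

PROTECTED_PAGE = "/members/index.html"   # constructed path, not the site's
FAILURE_PAGE = "/login.html?error=1"     # constructed path, not the site's

def server_side_gate(record, attempt):
    """The decision is taken on the server and the attempt never influences
    which URL is served: success yields the one protected page, failure
    yields the one error page."""
    return PROTECTED_PAGE if verify(record, attempt) else FAILURE_PAGE

if __name__ == "__main__":
    print(client_side_gate("test"))                                   # test.html
    print(leaves_site(client_side_gate("http://example.com/index")))  # True
    rec = make_record("correct horse battery")
    print(server_side_gate(rec, "correct horse battery"))             # /members/index.html
    print(server_side_gate(rec, "test"))                              # /login.html?error=1
```

    The contrast is the point: in the client-side version the "password" is a file name and the browser does the work, so a guessed or indexed page name is as good as the secret; in the server-side version the secret never appears in a URL, the stored record is useless without the original password, and a wrong attempt lands on a fixed error page rather than on whatever the attempt spelled out.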
  • DC 2008-03-04 03:47
    Lorenzo:
    The password is "listing".


    Did you email them?!
  • Micky 2008-03-04 04:14
    Lorenzo:
    The password is "listing".


    No it's not, it's 'test'

    Hmm, I just tried searching, and got this error

    <p>Your search did not match any ads.</p>
    Could not find images: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'exists (select 1 from dbimg_ImageAttributeValue iav where iav.a

    I was going to say 'at least they sanitise their SQL inputs', but I'm not so sure they do now - with an SQL statement like that (even allowing for truncation), I wonder if anyone there has got a clue what they're doing.

    Why would anyone do 'select 1 from <table> where <anything>'?? Wouldn't just 'select 1' do? Does he really mean 'select * from ... LIMIT 1'?

    (This reminds me of the Tim Tang Test...)

  • jimmy 2008-03-04 04:27
    Micky:
    Lorenzo:
    The password is "listing".


    No it's not, it's 'test'

    Hmm, I just tried searching, and got this error

    <p>Your search did not match any ads.</p>
    Could not find images: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'exists (select 1 from dbimg_ImageAttributeValue iav where iav.a

    I was going to say 'at least they sanitise their SQL inputs', but I'm not so sure they do now - with an SQL statement like that (even allowing for truncation), I wonder if anyone there has got a clue what they're doing.

    Why would anyone do 'select 1 from <table> where <anything>'?? Wouldn't just 'select 1' do? Does he really mean 'select * from ... LIMIT 1'?

    (This reminds me of the Tim Tang Test...)



    Try searching with no parameters. Only way I got it to work. Of course, it's not worth more than about 3 seconds of trying, so I did not do an exhaustive test.

    (danm figners keep hittign teh wrogn kesy)
  • Jussi 2008-03-04 04:52
    I just love the way they "fixed" it. It redirects to page [YourPassword].html .
  • BassBone 2008-03-04 05:50
    Grammar is your friend, mmmkay. Why the government should trust you is beyond me.
  • BassBone 2008-03-04 05:51
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    Grammar is your friend, mmmkay. Why the government should trust you is beyond me.
  • Project2501a 2008-03-04 06:02
    // **** You WILL NOT get access without a valid password ****
    var suffix = ".html"

    // **** javascript:IPcatch:subject?Source_code_violator ****
    var pass_msg = "Password: ";

    function go_there() {
    location.href = <b>document.pass_form.pass.value + suffix;</b>
    }

    document.write('<form name="pass_form" onSubmit="go_there();return false">'
    + pass_msg + '<input type="password" name="pass" size="20" value="">'
    + '&nbsp;<input type="button" value="Verify" onClick="go_there()"></form>');


    priceless.
  • trees 2008-03-04 06:20
    listing is the password, takes you to the original page.

    the test.html page is just a test page the rookie webmaster has left up!

    There's probably index2.html, etc. still about as well.

    This site makes me cry :'(
  • Ametheus 2008-03-04 06:20
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    {...} as we have your information too. {...}


    Idle threat. You may have our information, but seeing your JS skillz, I doubt you know where to look.

    If you find anyone who does, ask him to fix your security for you while he's at it.
  • RichardD 2008-03-04 06:32
    Sounds a lot like some of the "charity publishing" scams operating out of Merseyside, England for the last few years. Small businesses get cold-called and invited to make a small donation to a charity in return for advertising space on wallplanners, diaries or booklets to be distributed in the community. The charities never see more than a few pennies, the publications don't exist, and the crooks run off with your money.

    Only difference is, this scam is online, and hopefully the US authorities take it more seriously than the UK ones.
  • More 2008-03-04 06:34
    lank:
    Dang, now you need the password to get in

    // **** You WILL NOT get access without a valid password ****
    var suffix = ".html"

    // **** javascript:IPcatch:subject?Source_code_violator ****
    var pass_msg = "Password: ";

    function go_there() {
    location.href = document.pass_form.pass.value + suffix;
    }

    document.write('<form name="pass_form" onSubmit="go_there();return false">'
    + pass_msg + '<input type="password" name="pass" size="20" value="">'
    + '&nbsp;<input type="button" value="Verify" onClick="go_there()"></form>');


    Don't worry... you can still get in using a google search.

    That way you don't have to "hack" the site by using the password "listing" that someone was kind enough to find for us.
  • IByte 2008-03-04 06:56
    KM:
    So the new password is listing, found this out by using

    google to search

    http://www.federalsuppliers.com/warning.html

    then using the view similar pages link

    So, its not my fault that google is a gateway tool
    Yes, or by using Google's "site:" keyword.

    So will they sue Google for breaching their "security"? ;-D
  • CipherChaos 2008-03-04 08:09
    It might help if you actually knew how to program... these people are actually doing you a favor.
  • Jesus 2008-03-04 10:14
    Reading source code isn't hacking; that's like putting the combo to a safe on the safe, then sitting it in the middle of a park, then yelling THIEF! when someone opens it.

    "though you don't care you are hurting the feelings of many good employees and customers by your immature actions."

    You need to find new employees if that's the best password mechanism they can accomplish to produce.
  • Boob 2008-03-04 10:16

    http://www.federalsuppliersguide.net/?_name=&_description=&_q1=&_q2=&_q3=&_orderBy=name


  • Mexi-Fry 2008-03-04 10:23
    Checking the Script node under the Firefox DOM Inspector for this stupid site, I thought you guys might get a kick out of this. It appears that they left some useful information on their 404 page. Of course... you have to HACK their site to read it... but oh well.

    <HTML>
    <HEAD>
    <TITLE>404 Not Found</TITLE>
    </HEAD>
    <BODY>
    <H1>Not Found</H1>
    The requested document was not found on this server.
    <P>
    <HR>
    <ADDRESS>
    Web Server at federalsuppliers.com
    </ADDRESS>
    </BODY>
    </HTML>

    <!--
     - Unfortunately, Microsoft has added a clever new
     - "feature" to Internet Explorer. If the text of
     - an error's message is "too small", specifically
     - less than 512 bytes, Internet Explorer returns
     - its own error message. You can turn that off,
     - but it's pretty tricky to find switch called
     - "smart error messages". That means, of course,
     - that short error messages are censored by default.
     - IIS always returns error messages that are long
     - enough to make Internet Explorer happy. The
     - workaround is pretty simple: pad the error
     - message with a big comment like this to push it
     - over the five hundred and twelve bytes minimum.
     - Of course, that's exactly what you're reading
     - right now.
     -->
  • David 2008-03-04 10:56
    I think the WTF now is that most of this is HTML. Meaning somebody typed that entire list in a single file, and not SQL or something useful.
  • Tristan 2008-03-04 10:56
    "listing" is for the index... but "gallery" gets even better.
  • Kevin Harris 2008-03-04 11:06
    I was just randomly playing with their site and figured out a password to access the list. If you go to http://www.federalsuppliers.com/warning.html and use "test" as the password, it will give you full access. Let's see how long this will work.

    Kevin Harris
    http://www.thekevdog.com
    harriskevine@ou.edu
  • derula 2008-03-04 11:12
    More:
    That way you don't have to "hack" the site by using the password "listing" that someone was kind enough to find for us.

    Stop saying that, "listing" is as much of a password as "http://www.ccr.gov/index", as both these pages are linked to on the procurement page
  • Alba 2008-03-04 11:20
    Try test and you're in:)
  • Jessica 2008-03-04 13:06

    I wonder if this company is secretly managed by the city of Tuttle, Oklahoma? (http://www.centos.org/modules/news/article.php?storyid=127)
  • Stiggy 2008-03-04 14:55
    Login page now says
    This section of our website is currently undergoing maintenance. Please check back later or contact your FSG representative for assistance. . Please check back later or contact your FSG representative for assistance..

    http://www.federalsuppliers.com/gallery.html still works just fine, though.

    Somewhere in Florida, a 14-year old CEO's nephew is having a bad couple of days...
  • WhiskeyJack 2008-03-04 15:24
    At least they're actively working on it.

    Anyone else noticing a larger than usual amount of spam being sent to your domain over the last few days?
  • The Dean 2008-03-04 19:19
    Right.

    http://answers.yahoo.com/question/index?qid=20080221122622AAn21Qx

    Even the nimrods at Yahoo Answers know your company is a scam.
  • Dale Penguiculus 2008-03-04 21:00
    That's a lot of traffic all the sudden!

    http://www.alexa.com/data/details/traffic_details/officers.federalsuppliers.com
  • Alcari 2008-03-04 22:05
    http://www.federalsuppliers.com/warning.html

    Now showing:

    This section of our website is currently undergoing maintenance. Please check back later or contact your FSG representative for assistance. .
  • China 2008-03-04 22:40
    Ha ha - 4 more yank kids starving to death. Just a few million more to go.
  • no name, thanks. 2008-03-05 06:00
    LordOfThePigs:
    Well... It's still security by obscurity, but at least it's a bit better.

    Hey FederalSuppliers guys, here's an advice for you: Go buy an internet security 101 book before somebody meaner and badder than the good guys here punch a hole in your security again and does some real damage.


    It would be doubtful that this would be covered. Internet security authors assume that you're clever enough to turn the computer on before writing "secure" websites. FederalSuppliers obviously gets their mommies to turn the PC on for them.
  • mendel 2008-03-05 06:09
    Dale Penguiculus:
    That's a lot of traffic all the sudden!
    Unfortunately, little of it is going to be directed to their banner advertisements since these banner ads work like no other banner ads I've ever seen (i.e. they are not integrated with the content pages). Instead you need to click on the text "Check Out Our Banner Advertisers Here" before you even get to see those! Wtf?
  • Alcari 2008-03-05 07:23
    mendel:
    Dale Penguiculus:
    That's a lot of traffic all the sudden!
    Unfortunately, little of it is going to be directed to their banner advertisements since these banner ads work like no other banner ads I've ever seen (i.e. they are not integrated with the content pages). Instead you need to click on the text "Check Out Our Banner Advertisers Here" before you even get to see those! Wtf?


    Well, at least it's visitor friendly, even if it hurts in the wallet.
  • Schnitzel 2008-03-05 09:00
    Here's something interesting:
    I ran across this post in a computers forum, where a user asked about this exact code (the forum is in Hebrew, but you can see the code right there).

    This took me by surprise, so I performed a small Google search and found this script as an example in a few javascript teaching websites:
    http://www.javascriptkit.com/script/cut76.shtml
    http://www.2createawebsite.com/enhance/password-protect.html
    http://www.sitepoint.com/forums/showthread.php?p=677417
  • cloeven 2008-03-05 11:00
    Great post - I wonder if anyone has similar stories about the Marcus Evans group, whose sales team appears to have taken the same training courses as these guys and has the same 'value add'? Or maybe it's the same company - sounds too similar.
  • Troy McClure 2008-03-05 11:05
    The new "code" is from right here...

    http://lordnick.proboards6.com/index.cgi?board=introduce&action=display&thread=1018399396&page=4#1020689979
  • ailaG 2008-03-05 11:23
    That popup doesn't necessarily mean JS - they could have used AJAX to verify the password at the server's side.

    But they didn't.
  • Hackster 2008-03-05 11:47
    OK, so I entered 'test' as a password, was able to do a search, and selected only Florida in the State field of the search criteria. Here is what came out:

    "Your search did not match any ads.

    Could not find images: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'exists(select 1 from dbimg_ImageAttributeValue iav where iav.a"

    So either the server side is programmed about as well as the web page, or else no companies in Florida were stupid enough to fall for the scam?

    SQL injection, anyone?
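    Two points in the thread deserve a runnable illustration: Micky's question further up about why anyone writes `select 1 from <table> where <anything>` (it is the correlated EXISTS idiom; the selected value is irrelevant, and a bare `select 1` with no FROM would be true for every row), and the syntax error quoted here, which is the signature of a query assembled by string concatenation. The following is an added example, not the site's code: the quoted error does not show how the real query was built, so the "fragile" builder is a constructed guess at the general failure mode (an optional filter concatenated in front of a fixed `AND EXISTS` clause, which leaves a dangling AND when the filter is empty) placed beside the parameterized form that avoids both the syntax error and the injection concern. Table and column names are loosely modelled on the quoted error and are constructed.

```python
import sqlite3

# Constructed sample schema and rows, loosely modelled on the table name seen
# in the quoted error (an ads table plus an image-attribute table).  Not the
# site's data.
SCHEMA = """
CREATE TABLE ads (id INTEGER PRIMARY KEY, name TEXT, state TEXT);
CREATE TABLE ad_images (ad_id INTEGER, attr TEXT, value TEXT);
INSERT INTO ads VALUES (1, 'Acme Widgets', 'FL'),
                       (2, 'Globex Fasteners', 'TX'),
                       (3, 'Initech Services', 'FL');
INSERT INTO ad_images VALUES (1, 'logo', 'acme.png'),
                             (2, 'logo', 'globex.png');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

# The EXISTS (SELECT 1 FROM ... WHERE ...) idiom: the subquery is correlated
# with the outer row (i.ad_id = ads.id), so "is there at least one image for
# THIS ad?" is asked per row.  The selected value is irrelevant, hence the
# conventional 1; SELECT 1 with no FROM would always be true.
IMAGE_EXISTS = "EXISTS (SELECT 1 FROM ad_images i WHERE i.ad_id = ads.id)"

def fragile_search(conn, state):
    """Constructed 'before' version: the optional state filter is concatenated
    in front of a fixed AND clause.  An empty state leaves 'WHERE  AND ...',
    which is a syntax error, and a quote inside state breaks the statement
    because the value is pasted into the SQL text as code."""
    clauses = ""
    if state:
        clauses += "state = '" + state + "'"
    clauses += " AND " + IMAGE_EXISTS
    sql = "SELECT name FROM ads WHERE " + clauses + " ORDER BY name"
    return [row[0] for row in conn.execute(sql)]

def fragile_search_fails(conn, state):
    """True when the fragile builder produces a statement SQLite rejects."""
    try:
        fragile_search(conn, state)
        return False
    except sqlite3.OperationalError:
        return True

def safe_search(conn, state=None, require_image=True):
    """'After' version: clauses are collected in a list and joined, so there
    is no dangling AND; values travel as bound parameters, so input is data
    only and never part of the statement text."""
    clauses, params = [], []
    if state:
        clauses.append("state = ?")
        params.append(state)
    if require_image:
        clauses.append(IMAGE_EXISTS)
    sql = "SELECT name FROM ads"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY name"
    return [row[0] for row in conn.execute(sql, params)]

if __name__ == "__main__":
    db = make_db()
    print(fragile_search(db, "FL"))          # ['Acme Widgets']
    print(fragile_search_fails(db, ""))      # True  (the dangling AND)
    print(safe_search(db))                   # ['Acme Widgets', 'Globex Fasteners']
    print(safe_search(db, "FL"))             # ['Acme Widgets']
    print(safe_search(db, "FL' OR '1'='1"))  # []  (treated as a literal state name)
```

    The empty-filter case is the one a searcher hits by selecting a single state and nothing else, and the bound-parameter case shows why the quoted error matters beyond untidiness: a builder that pastes values into the statement text will accept a quote character as SQL, whereas the parameterized version hands the same string to the database as a value and simply finds no ads.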
  • gVee 2008-03-05 14:16
    Seriously, just go to this url to "hack" the site

    http://www.federalsuppliers.com/test.html
  • lantastik 2008-03-05 16:31
    Forget the plethora of already mentioned WTFs, I haven't seen that much static HTML since 1995.
  • l33t 2008-03-05 16:50
    Is this the "new" page of suppliers?

    http://www.federalsuppliers.com/gallery.html
  • BridgeTroll 2008-03-05 17:01
    You, sir, are a certain kind of special. First off, it's not "hacking" if you can figure it out by viewing page source. Secondly, I highly doubt an organization without the technical brainpower to secure a page beyond javascript-based password prompting would have the wherewithal to "get our info" so quickly - sorry, charlie, but subpoenas don't go through THAT quickly.

    And for the love of Christ, could you PLEASE learn the difference between "of" and "have"? It's *should have*, not *should of*. How people with such a poor grasp of the English language manage to land and keep jobs is beyond me. Oh, wait, I almost forgot - sales doesn't require intelligence or a real education.
  • derula 2008-03-05 19:25
    ailaG:
    That popup doesn't necessarily mean JS - they could have used AJAX to verify the password at the server's side.

    But they didn't.

    1. Of course it does. There's no AJAX without JS, see? That's what the J in AJAX stands for!
    2. You're right, this could be done - but as Alex wrote: the popup appearing that fast can only mean it's client-side validation. AJAX would most probably have taken a little longer.
  • emurphy 2008-03-05 19:33
    Mexi-Fry:
    Checking the Script node under FireFox DOM Inspector for this stupid site. I thought you guys might get a kick out of this. It appears that they left some useful information on their 404 page. Of course... you have to HACK their site to read it... but oh well.

    <HTML>
    <HEAD>
    <TITLE>404 Not Found</TITLE>
    </HEAD>
    <BODY>
    <H1>Not Found</H1>
    The requested document was not found on this server.
    <P>
    <HR>
    <ADDRESS>
    Web Server at federalsuppliers.com
    </ADDRESS>
    </BODY>
    </HTML>

    <!--
     - Unfortunately, Microsoft has added a clever new
     - "feature" to Internet Explorer. If the text of
     - an error's message is "too small", specifically
     - less than 512 bytes, Internet Explorer returns
     - its own error message. You can turn that off,
     - but it's pretty tricky to find switch called
     - "smart error messages". That means, of course,
     - that short error messages are censored by default.
     - IIS always returns error messages that are long
     - enough to make Internet Explorer happy. The
     - workaround is pretty simple: pad the error
     - message with a big comment like this to push it
     - over the five hundred and twelve bytes minimum.
     - Of course, that's exactly what you're reading
     - right now.
     -->


    A bit of Googling suggests that this is stock boilerplate text from the Plesk control panel, which FSG has previously been noted as using.
  • ebay 2008-03-05 22:27
    THAT IS AMAZINK!

    I just entered my "special" password "http://www.ebay.com/index" and it appears that the list has been replaced by Ebay, who knew you could purchase federal supplies there.

  • Urlsy 2008-03-05 22:41
    Just so you don't have to play catchup with their "clever" password schemes, here are some core URLs:

    List of ads sorted by Name:
    http://www.federalsuppliersguide.net/?_orderBy=name

    Individual ad (enumerate imageId if you wish):
    http://www.federalsuppliersguide.net/?_orderBy=name&imageId=4221

    Individual ad (by name):
    http://www.federalsuppliersguide.net/?_name=Spwipes

    And finally the not surprising proof that you could just use SQL injection to steal the entire database:
    http://www.federalsuppliersguide.net/?_name=%25&_description=%25&_q1=1&_q2=52&_q3=156&_orderBy=name

    Your search did not match any ads.
    
    Could not find images: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'exists (select 1 from dbimg_ImageAttributeValue iav where iav.a


    CAPTCHA: Mummy ate my monster!
  • Inno 2008-03-06 07:08
    Whitey:
    John:
    sweavo:
    snoofle:
    Police, fire and EMS radio frequencies are restricted for use by those personnel, yet courts have ruled that you can buy a scanner, and listen to, but not intrude on their conversations.

    Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.



    All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.

    Capcha: appellatio (is that like sucking off a fruit?)


    The real-world analog of this is like putting a locked door in the park, without having any wall or fence attached, not even a landmark.

    The trick here is that the "confidential" site is not protected and is accessible without any need for user validation. You don't even have to use the username and password. Literally you can open it just by opening the URL. I won't be surprised if the page could be found in Google's cache too.
    There are precedents where companies have left private data in publicly accessible places and this data has been accidentally found by users and copied. One such case is described in the "Hacking Democracy" HBO documentary.

    Please notice that the article author doesn't say he has used the password to enter the site, so he is safe.


    To complete the analogy... They put a sticky note next to the door knob telling you the key is under the mat.

    I think it would be good if the people listed on all those pages were somehow contacted and pointed back to this site. I'm sure most of them are oblivious to the fact that they have been scammed.


    A better analogy is that they put the key in a park but forgot to put the door!
  • Bob Holness 2008-03-06 08:23
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    It is 'should have' not 'should of'. Otherwise the posting could use a little more white-space, perhaps the odd paragraph break.
  • derula 2008-03-06 08:51


    Isn't there a function to disallow comments on an article?
  • Bumble Bee Tuna 2008-03-06 11:54
    Troy McClure:
    The new "code" is from right here...

    http://lordnick.proboards6.com/index.cgi?board=introduce&action=display&thread=1018399396&page=4#1020689979


    Interesting that the code they took is called "Cut-N-Paste JavaScript" but then says it has a copyright. Does he want the code to be copied or not?
  • Stenvne 2008-03-06 15:11
    Hey Franz...

    To clarify the term Public Domain usage: I am aware that the content of the page is copyright protected, however the usage of the content is not. As long as an individual were to give credit and reference the source, which has been done in this instance, it is not protected by any other means. Why is this true? Because the information (code) was sent to an individual's internet browser on request without requiring special security or authentication to acquire it. In other words it has been provided without charge or special privilege into the public domain.

    If you disagree please be kind enough to elaborate.

    Respectfully Submitted,
  • blub 2008-03-06 16:06
    Yay :D

    [ http://www.federalsuppliers.com/warning.html ]

    <!--
    // **** You WILL NOT get access without a valid password ****
    var suffix = ".html"

    // **** javascript:IPcatch:subject?Source_code_violator ****
    var pass_msg = "Password: ";

    function go_there() {
    location.href = document.pass_form.pass.value + suffix;
    }

    document.write('<form name="pass_form" onSubmit="go_there();return false">'
    + pass_msg + '<input type="password" name="pass" size="20" value="">'
    + '&nbsp;<input type="button" value="Verify" onClick="go_there()"></form>');
    // -->
  • Khat 2008-03-06 19:20
    lmao. Yeah. Glanced at the code and the first thing I thought was "just rabbit the damn list page"
    http://www.google.com/search?q=site%3Awww.federalsuppliers.com

    Seventh link on the list.

    XD

    These guys are pro. It's kind of fun to use their little 'password' box to navigate to various pages around their site.

    If they get paid that much for each client then they ought to get a webmaster that can handle a little server-side code. FFS...
  • dumbo 2008-03-06 19:31
    http://www.federalsuppliersguide.net
  • GSA contractor 2008-03-06 22:34
    I get calls from them. Their sales people call me and start off with some absurd question like, "would you accept a no-bid contract for up to $100,000" or something like that. They won't stop reading their script when I try to interrupt them with some question like, "are you calling from a federal agency?" I've never signed up with them, because everyone knows, or should know, that Federal buyers shop on GSAAdvantage, and GSAAdvantage is free for all GSA contract holders.
  • LMAO 2008-03-06 23:11
    What's up with this form?

    http://www.federalsuppliers.com/form.html

    I can't figure out where I'm supposed to enter my company name.

  • Edgard Castro 2008-03-07 01:06
    It's "secure" now because you need a unique password. If you type something it redirects you to a non-existing page.

    But hey, wait... Let's just try something... What about "test"?

    Uh-oh. What? It worked.
  • Steve S. 2008-03-07 01:15
    Back when I was an over the road trucker (I came off the road in 2002), all I had to do to listen to cell phone calls was turn on my Bearcat 800 scanner and set it to frequency roam. I was always picking up cell phones, especially in the 800 - 900 MHz range. I didn't even have to tweak the scanner; it worked that way right from the factory.
  • ssparacino 2008-03-07 09:54
    They may have held a GSA, but that ended more than 7 years ago. They don't tell you that probably 90% of companies never get a single call from their guides. That's why they don't want you contacting their clients: most sign up for a year and never again, once they realize they were duped. Thank God new companies are formed every year (pool of new suckers).
    Once they take your money and put an ad in their guide, their job is done. As someone who worked for them before, just like the first commentator, we know all the lies they have people tell to get your money.
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.
  • Sabkor 2008-03-07 12:30
    Everything always seems to happen in pairs... Here's another company now accusing someone of "hacking" their site, just because they found a URL that wasn't secured:

    hxxp://www.dslreports.com/shownews/MobiTV-Threatens-HowardForums-Shutdown-92429
  • Matt 2008-03-07 16:32
    I entered 'test' just to see what it would do if I got the wrong password. Turns out it was the right password. WTF indeed.
  • Michel Rouzic 2008-03-07 16:37
    You're kidding right? You can't even start your sentences with a capital letter or use an apostrophe and your comment is filled with typos characteristic of the way teenagers write ("should of"? Get outta here!), how do you want to be taken seriously?
  • real_aardvark 2008-03-08 14:16
    jpers36:
    T $:
    We're at 712 comments and climbing. Could this be the most popular post of all time?


    This one is still well ahead, and I'm not even sure if that's the record.

    Oh, I just love to bring this back as an example of why basic reading comprehension is important. (It's on 830+, btw -- some of which, bizarrely, date from 2008. And none of those add anything remotely worthwhile. We are sad people, out here.) But here goes:

    iron:
    DavidN:
    I know that you won't see this reply, but I have to say it anyway. It's not a 50/50 chance. The reasons have been stated and thoroughly explained several hundred times over the eighteen pages of this continuing debate.

    Please, please - I hope this is the last post on this quite frankly distressing thread.

    What reason? The 2/8 nonsense?

    According to the logic you are supporting, if I flip two "heads" in a row, and then flip again, it will be a "tails" most of the time! Or if two of your friends flip the same, does that mean you will flip the other most of the time? Of course not. Try it.

    Each coin toss (or hat colour) is independent of others.

    Having said that, has anyone found a solution to the hats problem? The one person guessing with a 50/50 chance seems to be the best solution.

    Um. No, it's not. Hint: there is a difference between tossing coins (or even yourself, given a large proportion of the 830+), and wearing hats.

    Can we stop this now?

    Can we stop that now?
  • Vartan Christopher Simonian (yes, my real name) 2008-03-08 16:40
    rofl?

    Anyone could make their site secure, even a 13-year old. And I'm not just saying that because I'm thirteen, too. :P There must be people 9 or 8 years old who can protect these websites.

    It's a shame - I hope that if any legal situation arises (and it seems to already have) that they are proven wrong. I saw a comment here about google search returning the "secret" page - that doesn't seem too smart.

    Interestingly, the design of the website isn't too bad - I like it. But the programming beneath it sucks, and I'm not bringing any news to the table.
  • whatever 2008-03-08 18:54
    listing gives you how to USE the guide, gallery gives you the guide ITSELF.
    Basically the password is just the name of the file the guide is, so go to google and type in inurl:federalsuppliers and it will give you all of the "passwords" you need.
  • whatever 2008-03-08 19:08
    Scratch that, all you need to do is go to federalsuppliers.net.
    In order to secure their website, they changed the domain and made a new login page as a diversion. Real sneaky.
  • whatever 2008-03-08 19:12
    sorry(again) but I don't have an edit button. Maybe you can clean this up later.
    It is federalsuppliersguide.net
  • JS 2008-03-09 00:54
    Now moved to the oh-so-secret location of agents.federalsuppliers.com/agents.html, no password required.
  • Rob W 2008-03-09 10:04
    Another quirky thing I noticed: that sample ad they sent you has a recent copyright notice at the bottom... but the ad is from 1986.

    Delcowire has been in business for 12 years! That's right: since 1974.
  • Rob W 2008-03-09 10:16
    Note to Federal Suppliers Guide: you don't need to do anything complicated. You don't need a database, and you can stick with plain old HTML on your server. Just use standard password authentication for this section of your website.

    Google something like ".htaccess user authentication" to find instructions.

    It seems like you're hosted with RackSpace -- pretty expensive for what you actually need! ..but I'll bet they'd be happy to set it up for you if you're having trouble.

    I'd suggest giving different clients different passwords, but you can even just go back to one username & one password (just choose them carefully).
  • Susan 2008-03-09 14:45
    Love the "wasted money" graphic they have on their front page ---- seems pretty appropriate for their services.
  • Mike 2008-03-09 19:40
    Saw that same thing in the code but get this. They are just appending whatever you type in the "password" box to a redirection on the server. To get in, just type in the word test and wham you can search their database of ads. Has their programmer seriously never heard of SERVER side authentication? I mean come on.
  • adwin 2008-03-10 02:42
    They are getting smart right now lol ... :p

  • fastersec 2008-03-10 11:51
    hehe .. !! It's very simple to see what page is going to be the ****.html

    Google "site:officers.federalsuppliers.com" and you will find a lot of pages; if the page has been taken offline you can still view it in the cache..
    This post is very funny; they will never escape Google's cache until they do a full site re-implementation.
  • Bob Gill 2008-03-10 11:54
    What's funny is network security consultants aren't that expensive for an operation that's that "large". You also know that they're not defrauding you because they would have more common sense if they were.
  • Bill 2008-03-10 12:32
    He grabbed that new fancy password code from a geocities site and didn't give the author credit... classy!

    http://www.geocities.com/o3wishes/TIPS.html
  • JamesKilton 2008-03-11 10:03
    Man, these guys are ON TOP OF THINGS! As soon as someone finds the new way to access the list, IT CHANGES!

    Wait, what does that mean for people who paid to be listed on the site?

    It must be hell to deal with these people.
  • Kyle 2008-03-11 16:26
    http://www.federalsuppliers.com/listing.html
  • rotorootr 2008-03-12 00:56
    You fail.
  • ajmac 2008-03-13 02:07
    This makes me laugh really hard. Reading the comments I thought that this was just a joke. So I tried to open the site.

    http://www.federalsuppliers.com/warning.html

    Looking at the "secure javascript code" made me realize that it is quite secure... but my grandmother told me that I should type "listing" in the password input field.

    What is this federal listing anyway?
  • Steve 2008-03-16 11:11
    Hello folks. Seeking comments and thoughts!! Our business is currently talking with Federal Suppliers (Guide) about their service to prepare the GSA Schedule proposal for GSA award to us as a qualified GSA Schedule (48) contractor. The GSA Schedule proposal is a daunting task unless ya have much of the govt boilerplate "response" info in your system, and a cost proposal can be tricky unless you have a great deal of experience in preparing the cost proposal. UGH!! So just this past week (March 12) the Federal Supplier company, when also pitching us to buy into their "guide", said they will prepare our response for the GSA Schedule contract proposal. They ask $4500 vs $16,000 from another company in the Washington DC area. Sounds pretty good (??) But when we asked for a reference of a customer who they had done this GSA Schedule for, they said that is "proprietary". UGH. Do any of you know of them doing this service of GSA Schedule proposal preparation?? My email: steve@campbellmoving.com Thanks, Steve.
  • bob the builder 2008-03-17 12:19
    Your a tool no one in your company cares if you have been hacked also you said you held that means it is past tense so you no longer have it and the comments were truthful this is some ones opinion so that is fact and if you want your website "Hacked" get real security so it will be fun to rip your site up and go ahead and pull my info I have randomized my info and am will probably come up as being a twelve year old girl
  • Inurbanus 2008-03-17 19:56
    Bob, learn2type. And in-ter-punc-tu-ate!
  • my 2008-03-18 02:31
    A clever way to disguise the name of the page in a password:
    http://www.federalsuppliers.com/listing.html
  • hire someone 2008-03-19 13:04
    dear fsg,

    I think it's time to hire someone to upgrade your site to beef up your security, even if it's just your secure area.


  • Dan 2008-03-20 11:11
    I just wanted to say thank you to the Daily WTF for this article. Recently I started a new company and we filed with the CCR, just before I read this article. Only one day after filing I received a call from...guess who...Federal Suppliers. I respectfully told them I had no interest in their "product."

    Thanks again for saving me time and money.
  • Jp 2008-03-24 00:49
    The page test.html calls urchinTracker() from http://www.google-analytics.com/urchin.js
    JavaScript is Greek to me, so I have no idea what it does. Probably just keeps track of how many people have hacked. :) I tried to submit their form, but it was broken. I wonder who wrote it.
  • ZangieF 2008-03-24 15:53
    It's not really a password, just whatever you put in with ".html" at the end. If you type the word "warning" into that field, you'll get the same page you're on.
  • Jordan 2008-03-28 22:05
    Why wouldn't you tell the clients and save them some money? And why would you tell the scamming company? Just seems childish and stupid. Sorry I'm responding in a mean way, but it just doesn't make sense to be that heartless.
  • human 2008-03-29 01:55
    Your sales rep sucked. What he said, did, and sent made your business seem like a scam.

    If the author is guilty of slander then so are all your clients he called to get their honest opinion of your services.

    You should look in your client list and find some competent web designers.
  • James 2008-03-31 22:52
    Located in Florida eh? Florida is the "right-to-scam" state, isn't it?
  • kenman 2008-04-04 11:55
    http://answers.yahoo.com/question/index?qid=20080221122622AAn21Qx

    Holy crap, did you see the smear campaign they waged against the responder? LOL

    It's funny that they had to post 7 replies to try and discredit the answerer, and even funnier that they say things like "grow up"!
  • Safety Tom 2008-04-07 20:04
    Thanks to the wonderful person who caught this flaw. I co-own Professional Security Services Inc., and our business information was kindly displayed to the world via the hole in this so-called 'legitimate' business, that we've never heard of (page 4). Besides that, no harm done on our part, and if anything came from it, it was more advertising. A scary way of doing it, but we prefer to maintain a positive attitude. Again thanks to the whistle blower, those who maintain this site, and all hackers that enjoy knocking companies off their high horse, before the bad guys actually get the information.
  • Lora 2008-04-13 14:07
    http://funnyhack.blogspot.com

    Here you can see some funny hack tips and tricks/....
  • Kim André Akerø 2008-04-15 09:58
    You've.. GOT to be kidding me! They still haven't learned, apparently. Their only sense of security heavily relies on relative obscurity. It didn't take much skill to break through their current "wall of security" today, either.

    I just went to their front page, http://www.federalsuppliers.com/ and clicked on "Agent Login" which led me to http://www.federalsuppliers.com/component/option,com_wrapper/Itemid,51/lang,english/. Just clicking "Verify" without entering a password showed me that they were putting the login form itself inside an iframe -> http://www.federalsuppliers.com/agent_login.html. The source of this page shows the following snippet just around the login form code portion:

    <script language="JavaScript">

    <!--
    // **** You WILL NOT get access without a valid password ****
    var suffix = ".html"

    // **** javascript:IPcatch:subject?Source_code_violator ****
    var pass_msg = "Enter Password: ";
    var pass_form = "agents08-dsp";

    function go_there() {
    location.href = document.pass_form.pass.value + suffix;
    }

    document.write('<form name="pass_form" onSubmit="go_there();return false">'
    + pass_msg + '<input type="password" name="pass" size="20" value="">'
    + '&nbsp;<input type="button" value="Verify" onClick="go_there()"></form>');
    // -->

    </script>


    "Naw, they couldn't have...."

    But sure enough, just paste the "pass_form" and "suffix" JavaScript variables together and use it with the current directory of the page you get http://www.federalsuppliers.com/agents08-dsp.html, which claims "You have been authenticated!" along with a link that says "Click here to launch the List". This link further leads to http://agents.federalsuppliers.com/target.htm.

    Amazing. Again, you'd think they would've learned by now.
  • Jordan 2008-04-15 13:31
    Password is still in the page, but now it's called pass_form.
    Try hitting this page and using the value of pass_form.

    Wow... these guys are bright.
    <!--
    // **** You WILL NOT get access without a valid password ****
    var suffix = ".html"
    // **** javascript:IPcatch:subject?Source_code_violator ****
    var pass_msg = "Enter Password: ";
    var pass_form = "agents08-dsp";
    function go_there() {
    location.href = document.pass_form.pass.value + suffix;
    }
    document.write('<form name="pass_form" onSubmit="go_there();return false">'
    + pass_msg + '<input type="password" name="pass" size="20" value="">'
    + '&nbsp;<input type="button" value="Verify" onClick="go_there()"></form>');
    // -->
  • Jordan 2008-04-15 13:33
    Dang... Kim André Akerø beat me to it... sorry for the dupe post
  • mdmadph 2008-04-15 15:15
    Even after a month... they STILL aren't getting why their security sucks... :\
  • Amused Anonymously 2008-04-15 15:33
    This is great - I like how you begin with telling us about your kids and how your feelings are hurt, etc. etc. It is, after all, OK to scam money out of people if you have some kids. I am sure they are all millionaire fatcat bachelors with no dependents. No small business run by a family barely getting by, investing a large portion of their savings in a listing in a database that gets them nothing, will end up being destroyed by these hard sell tactics.

    Also, accessing a publicly available web page is, last I checked, not illegal. You gave out the password freely, to the public, no 'hacking' involved. Viewing source is hacking in the same way that window shopping is armed robbery. And where is the comment that is 'not truthful'? The statement that he called some of the clients and they were not satisfied? Are you saying every one of your clients gets showered in federal contracts? And slander? again, where is the untrue comment? The author says he thinks this is a scam. That is an opinion. Are you saying he doesn't think it is a scam, and is lying about that opinion? Wouldn't that be slandering himself, not the company? On the plus side, this is one of the funnier things I have read today, so thank you for that. Keep up the good work.
  • lImbus 2008-04-15 18:21
    Really impressive that they do not seem to get it.

    If I had money like shit (sounds like) and had a technical problem (looks like), I'd call somebody to help me, be it for money, and be it somebody from the directory I hold.
  • Matthew Flaschen 2008-04-16 08:54
    They've finally fixed it. Now it's top of the line security.

    <!--
    // **** You WILL NOT get access without a valid password ****
    var suffix = ".html"

    // **** javascript:IPcatch:subject?Source_code_violator ****
    var pass_msg = "Enter Password: ";
    var pass_form = "agents08-dsp";

    function go_there() {
    location.href = document.pass_form.pass.value + suffix;
    }

    document.write('<form name="pass_form" onSubmit="go_there();return false">'
    + pass_msg + '<input type="password" name="pass" size="20" value="">'
    + '&nbsp;<input type="button" value="Verify" onClick="go_there()"></form>');
    // -->
  • Ponedonkey 2008-04-16 12:14
    Lammer:"Man, I got 5 kids to feed..."
    So called hacker:"I thought you said you had 4."
    Lammer:"Gimme your credit cards."


    The "So-Called-Hacker" checked with your customers. You can scam the gov't quite easy-like. My Father did it for 8 years.
    If this guy is telling the truth, I'll eat my hat.
    Captcha: Erat.
    Douchenozzles are e-rats.
    Douchenozzles like this guy.
  • root 2008-04-16 12:27
    What's with the title of the page? "Agents Government Work Securing Federal State GSA Contracts Listing Federal Suppliers Guide"
  • Tom 2008-04-17 15:09
    You don't even need a password anymore to get to the agent page.

    This link goes straight to it!
    -http://agents.federalsuppliers.com/target.htm

    They also changed the login method. The password input is the actual page name. They add the suffix .html to the end of the password to redirect to a page that opens the link above!
  • Not a Contractor 2008-04-17 16:06
    These guys are so low budget, it's unbelievable.

    They changed their "secure" login page to an IFRAME and now you don't even have to know a password embedded in JS - you just have to piece together a URL:


    <!--
    // **** You WILL NOT get access without a valid password ****
    var suffix = ".html"

    // **** javascript:IPcatch:subject?Source_code_violator ****
    var pass_msg = "Enter Password: ";
    var pass_form = "agents08-dsp";

    function go_there() {
    location.href = document.pass_form.pass.value + suffix;
    }

    document.write('<form name="pass_form" onSubmit="go_there();return false">'
    + pass_msg + '<input type="password" name="pass" size="20" value="">'
    + '&nbsp;<input type="button" value="Verify" onClick="go_there()"></form>');
    // -->


    Despite the scary commented warning to all of us "hackers", you do indeed gain access with this url:

    http://www.federalsuppliers.com/agents08-dsp.html

    Presto! You're greeted with a warm-feeling "You have been authenticated!" reward message for getting in - and then you may browse the horribly formatted list beyond this golden gate.

    Apparently, they spend so little on IT (as if you couldn't tell from the security), that they roll out updates with a double KO combo of MicroVision WebExpress and Word's "Save as HTML" function, (from MicroVision's website) "Now anyone can have a quality web page without spending a lot of time or money." Now, why should companies spend good money to list when federal suppliers definitely doesn't want to spend the money to keep it up properly?

    For kicks check the source to find author names like Donna DeBoer and Customer.
  • 1337 2008-04-17 21:25
    Been changed again, dangit it took me a little while to work out the 2048bit RSA cypher this time....
  • eh..... 2008-04-22 04:36
    http://agents.federalsuppliers.com/target.htm

    Look ma, no password!
  • flamingtooth 2008-04-23 00:07
    This has been going on for months. You'd think they'd just hire somebody that knew something about Web security and end this. Idiots.
  • Konrad 2008-04-23 01:39
    23rd April and the thing has still got a javascript password.

    Even a complete novice would have been able to find an online tutorial on how to do basic server side password verification by now.

    That is assuming that their hosting account allows for a server-side script (most of the free ones don't).

  • Josh in California 2008-04-23 01:45
    I'm tempted to offer to secure their site for a nominal fee. Say, about $10,000. Best five minutes of work I'd ever do. ;-)
  • r30 2008-04-23 01:53
    Wow. Just... wow. You know, people could get away with javascript passwords... in 1998. Hell, you could even obfuscate the password using javascript or simply secure it using .htaccess, but no. They are complete and utter morons.

    I just ran wget -r on their site. I'll write a secure version, rebrand it and make millions! Seriously, I've had this list for years. It's called yellowpages.com.
  • awhaha 2008-04-23 02:05
    Hilarious. I only read the first page because I've got no time, but where he threatens you and says he tells you about his kids - lol -


    Death to scammers. There's a reason comcast.fl is blocked at the firewall.
  • keeble 2008-04-23 02:37
    If you want to take the easy copy-and-paste approach instead of using a database (you make millions, I bet! and you can't even afford a decent developer?):
    <?php

    if(isset($_GET['auth']) && $_GET['auth'] == "pazzwurdl0lz123"){
        include("shitty_catalog.html");
    }else{
        die("ERRAR INVALID PAZZWURD!!!!!1");
    }

    ?>

    login.php?auth=pazzwurdl0lz123

    hey, at least nobody will be able to see your password WITH THE CLICK OF TWO FUCKING BUTTONS.

    View->Page Source.
    THAT IS ALL IT TAKES.
    Why can't you get it?
  • duh 2008-04-23 02:39
    http://en.wikipedia.org/wiki/Honeypot_%28computing%29
  • Paolo 2008-04-23 03:52
    Actually, the password need not be in the iframe anymore, but they _are_ putting it!!! There are actually two things called pass_form (a variable and a form field). The variable is unused, but they still send it and it has the password in clear!
  • WAH!? 2008-04-23 07:13
    Honeypot!? Are you kidding me? A honeypot for people who know how to view source... yeah, that's gonna attract all the 1337 eastern European blackhats.
  • demosthenes 2008-04-23 07:51
    Well, it's been a while since the author first "hacked" their "secure area", but they have yet to rectify the situation.

    The only explanation I can put forward is that they honestly think that the people posting on this forum are a bunch of hackers. Hence, they probably don't feel it's worth spending money getting a real website made, since normal, non-hacker types won't be able to "hack" in, and there are very few "hackers" out there who know how to do this type of thing.

    Godspeed, FSG, godspeed.

    ...that name reminds me of a food preservative.
  • Disable right click 2008-04-23 08:34
    I can just see it: their next security step is to disable right click. hahahaha

  • postmode 2008-04-23 10:36
    Drewc:
    Did you mention to your clients that you left their personal information on an unsecured server that any kid with a web browser would be able to view? I don't think they'd be very happy with you. Welcome to the internet.


    *internets
  • Thom S 2008-04-23 13:12
    Perhaps someone should report them to the Better Business Bureau or something. This is absurd. Somebody needs to convince them that they need REAL security.
  • gobbledygook 2008-04-23 14:16
    New website, new poll: http://www.federalsuppliers.com/

    Sadly their poll has trouble "remembering" ip addresses ...
  • postmode 2008-04-23 15:29
    It would seem that they finally got a clue and set it up correctly. The Agent Login page now goes to a page that uses Joomla's PHP-based login system (I believe). Which is good, because now maybe they will actually realize that one login for everybody is really a bad idea... Glad to see a happy ending to this.

    Now if we can just get them to start doing what they advertise, per the comments of other people who have "used" the "service" and didn't get anything out of it...
  • Bruce 2008-04-24 21:27
    Damn, they changed it to PHP.
    It looks like they need a CAPTCHA on their polls, or at least an IP recorder.

    Direct Marketing - Email
    1337 84%

    Combination of two or more of the above
    138 8.7%

    ;)

  • Daniil 2008-04-26 18:30
    This is absolutely hilarious. These people are completely out of their mind and don't know a thing about security. As if JavaScript is the only thing that exists these days. For God's sake, use PHP or CGI!!!
  • Daniil 2008-04-26 19:04
    HAHAHAHA.... There are absolutely no legal lines to be crossed here. He is giving the complete truth about what happened, and even I, who barely knows anything about security, can tell you that that is the absolute stupidest way to secure your site. I do not believe that this is not a scam, and am looking into taking legal action on behalf of all the people who you have "scammed" (the post even gives real examples).
  • sanjeev sharma 2008-04-29 08:35
    Do you really want to remain hidden from Google? Crawlers always try to get deeper into your web sites.
    Google has recently decided to let its Googlebot crawl through forms in an effort to index the "Deep Web". Googlebot is about to start submitting forms in an effort to get to your website's deeper data.

    Want to read the whole story?
    http://sanjevsharma.blogspot.com/2008/04/googlebot-attacks.html
  • Pete 2008-05-27 20:05
    Hey, these guys are legit for sure! They have Segways at their head office!

    http://www.federalsuppliers.com/content/view/12/26/lang,english/

    See!
  • oppeto 2008-05-28 16:57
    What is funny is they now claim SSL transactions though their pages are not even filtered through SSL. They have mod_ssl installed on their server, but that doesn't make the connections SSL hah!
  • Zennehoy 2008-05-30 11:27
    Either I missed out in grade school math classes, or something just shouts faked data to me:
  • Zennehoy 2008-05-30 11:28
    Either I missed out in grade school math classes, or something just shouts faked data to me:
  • Zennehoy 2008-05-30 11:30
    Sorry about the double post.

    Btw, I found this really interesting site that lists a bunch of businesses:
    http://www.federalsuppliersguide.net/?_name=&_description=&_q1=&_q2=&_q3=&_orderBy=name
  • T@[[$ 2008-06-02 11:23
    Heh, funny how their company at http://www.federalsuppliers.com/ uses an open source content management system called Joomla http://www.joomla.org/ to build their website.

    Just found that kind of funny,
    Taccs.
  • Elixer 2008-06-04 13:59
    Seriously, some 13 year old could have come up with that story. What kind of company replies to a blog? Your website is nothing but text, imagery, and lies. You're just another parasite on the nationalist economy. Die.
  • Biff 2008-06-08 16:59
    Looks like someone did hack their site:

    Main heading is "Where fuckers and qualified small businesses meet"

    and in the source, it says: <!-- D.T. WAS HERE ASSHOLES! -->

    I guess it was just a matter of time given their practices.
  • ANONYMOUS 2008-06-08 18:49
    Well, Mr. You-Don't-Give-Your-Name, have you always been a legit company, or just recently? Have you got 1 person out of a million who has actually got a job from it? So go ahead, keep ripping people off. I hope you sleep well at night.
  • David S 2008-06-16 06:06
    DramaQueen....

    If you guys would just spend some $$$ on security and hire some real web developer (and not some script kiddie), you would not have any problems....
  • Peter 2008-08-19 15:06
    Wow, first off, nice spam there.

    Second: Looks like they got around to hiring a new web designer, as it now no longer uses JavaScript to authenticate and now uses PHP.
  • hoq 2008-10-27 15:56
    FAIL. Your four children must come from different men, because you're so impotent that you code your passwords DIRECTLY INTO THE PAGE. If you're that incompetent, you deserve to be homeless and your four children sold into indentured servitude to pay your hosting service bill.

    Real hackers don't care whose feelings they hurt. They take credit card numbers. The service you just got for free costs thousands of dollars at "real" companies, under the guise 'Security Audit'.
  • Funny 2008-12-08 11:19
    So I know this is an old article but came across it and decided to look into a few things.

    After going through their site I noticed they finally send the login information to a php script for validation. A few weird things I noticed were:

    1) All the login forms I saw on their site today refer back to their site as HTTP://sitename.com, not HTTPS://sitename.com, not something like login.php, index.php, or even /, or, hey, nothing at all. I never program a full URL unless I am posting to SSL (which isn't completely safe either); they aren't even doing that.

    2) One login form uses "POST" and the other (note: going to the same place) uses "GET" as the method. That's double work for the programmer for the same results.

    Not your typical programming.

    Also, not that this totally means anything, but it adds suspicion: the owner of this company is all over the place with at least 3-4 other businesses in different cities in Florida. Not to mention he is not doing a good job keeping his registries consistent with the sites, let alone each other. He also uses multiple personal email addresses instead of consolidating to one, which is what most business owners of multiple companies do.

    This just sounds altogether odd, but not too uncommon. As I have investigated many businesses, this actually comes up often, but I usually can discredit a vast majority of them.
  • theemonopolyguy 2009-01-08 15:32
    Hey man. That site is back up and they're now using Joomla. Is this like the same site as before? Please let me know if it is, because if so, his site is going offline. My neighbor lost a lot of money from guys like him.
  • Andrea SEO 2009-01-22 15:30
    You are right, this is the worst way.
    Any server-side programmer knows that you have to avoid these kinds of access points and typical injections.

    Posizionamento
  • wilbur 2009-02-20 12:10
    http://www.contractortalk.com/f11/fema-today-48533/
    http://ripoffreport.com/reports/0/420/RipOff0420717.htm
    HE'S AT IT AGAIN
    http://800notes.com/Phone.aspx/1-864-297-4663/2
    INTERESTING READING MATERIAL
  • LOL 2009-05-06 08:08
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government
    and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.


    LOL This can't be real, surely? A company does itself in by its own stupidity, and everyone else is to blame?
  • LOL 2009-05-06 09:10
    JL:
    I don't understand the purpose of this company. If the customers are submitting information in hopes of sales, you'd think the contact information would be public, and publicized as much as possible. It can't be for want of privacy, because their leads are coming from an already-public list of government contractors. And if it were a scam, why would they bother changing the password after it was discovered? Why bother building a site with the contact information at all?


    I am guessing there are two types of customer:

    1. Those who pay large fees to be listed.
    2. Those who pay large fees to be given 'their own exclusive password' to access the 'secure' website.

    In other words, I am guessing that the 'purpose' has nothing to do with providing a service; it is simply about having an excuse to charge fees.
  • LOL 2009-05-06 09:14
    JL:
    Random832:
    Actually I think it'd be more like a sign saying "There is no key under the mat that unlocks this door!"
    No, a sign that says "This door is locked, you need a key to get in", on a door that has a dummy keyhole but no actual lock.
    No, it's the equivalent of an open doorway with a sign next to it saying: "Please say the password aloud. ... If you said 'eggplant', you may enter the doorway. Otherwise, please leave."


    Or given the nature of the "exploit" and the way web-pages work, like sending a mass-mailing to millions of random people by e-mail saying "We have a new website! And the username and password to enter is..."
  • LOL 2009-05-06 09:20
    John:
    I guess use of punctuation and paragraphs is not a paramount requirement for doing business with the federal gub'mint.


    No doubt yet another of George Dubya's executive decisions about to be rolled back by Obama...
  • LOL 2009-05-06 10:28
    Jussi:
    I just love the way they "fixed" it. It redirects to page [YourPassword].html .


    I know - let's call this an experiment in "natural selection".

    Can selection pressure from our comments cause them to "evolve" a truly secure solution by trial and error? How many generations will it take?
  • Carter 2009-09-11 00:10
    It seems as if they've disabled the submit button completely by removing the form tags now.
  • Teemu 2009-12-14 08:53
    Apparently these people have learned their lesson. Out of curiosity, I checked their new login page here, and tried to enter, without success. In fact, without any effect at all. So I checked the source for that login page... and aside from some weird nested tables in the login form, the real novelty is that it lacks an action entirely. Click that login button however many times you want, the form will never be submitted anywhere.

    Now THAT is what I call unhackable. Of course, it's also bloody useless.
  • Phyllis Ferris 2010-03-08 10:49


    I paid FSG $2,600 for advertising space. I got nothing.
    According to a Stuart Fl customer, he lost $1,500
    According to a Brookville Fl customer, he lost $5,000
    According to a Date County customer, he lost $400.

    This person who spoke with FSG rep right after he signed up with CCR had almost the identical conversation as I did when I signed up.

    I am happy that you and yours have had a living from this business, but these complaints are from people who were ripped off by Federal Suppliers Guide. This company has got to get its business in order and provide what was promised, or they need to shut down. A publishing company must have a Proof of Publication that works. People should not be expected to put up thousands of dollars and have nothing to show for it.
  • Ron 2010-06-08 12:46
    The Federal Suppliers Guide is a massive con that has been going on since the 90's. Countryside Publishing in Oldsmar, Fla, bought the company in late 2006, and have continued the fraud. There is also another company doing the same scam; it is called The Set Aside Guide. They both have the same con. They contact only small businesses. Both of these companies were owned separately by a set of sisters from New Port Richey, Fla. They keep their ad prices under 5000 to avoid lawsuits, and do not solicit business in Florida. The Feds will not and can not use these supposed Guides. How do I know these things? I worked for both companies for several years each!
  • Iain Dooley 2010-12-08 02:52
    s/should of/should have/
  • Will 2011-01-06 04:23
    Teemu:
    Apparently these people have learned their lesson. Out of curiosity, I checked their new login page here, and tried to enter, without success. In fact, without any effect at all. So I checked the source for that login page... and aside from some weird nested tables in the login form, the real novelty is that it lacks an action entirely. Click that login button however many times you want, the form will never be submitted anywhere.

    Now THAT is what I call unhackable. Of course, it's also bloody useless.


    Now in 2011, they still haven't noticed.
  • brainless 2011-05-04 13:05
    Teemu:
    Apparently these people have learned their lesson. Out of curiosity, I checked their new login page here, and tried to enter, without success. In fact, without any effect at all. So I checked the source for that login page... and aside from some weird nested tables in the login form, the real novelty is that it lacks an action entirely. Click that login button however many times you want, the form will never be submitted anywhere.

    Now THAT is what I call unhackable. Of course, it's also bloody useless.
    I looked at the source code too and noticed the same!
    Still a cheaters' company.
  • ObiWayneKenobi 2011-10-13 15:04
    Having lived and worked in this area of FL for many years, businesses like this are commonplace. It's usually a wealthy Northerner (typically Boston area or Jersey or New York) with money to throw around who thinks he's a bigshot and comes down here for the low cost of living and no state taxes.

    This person starts one, and typically multiple, businesses and skimps and cuts corners on everything from office space to equipment (except for themselves, of course) to technical skills to employee pay to maximize their own profit. They act like a feudal baron, lording it over their employees, and usually make excessive demands or even have employees nearly worship the ground they walk on because they are "the boss".

    They invest as little as possible into a business so if things go belly up they can pack up their snake oil and migrate to one of their other "front" businesses or just start another - they almost always have a lot of personal wealth (not usually filthy rich, but rich nonetheless) and lots of personal and professional contacts who can keep their business breaking even at the least, and provide a quick way to get up and running if they have to start another business. They typically bribe the press to publish news articles saying how amazing they and their company are and gush over meaningless awards like "Inc 500" or "Fastest Growing Business in Tampa", pointing to them as proof of how good they and their company are. The company culture in places like this is one of a cult - employees praise the owner and act as though they work for the greatest company on the face of the earth, and how thankful they should be to work at such a place (no joke - I have actually seen this attitude at jobs), and are completely oblivious to everything and anything. The entire company operates like the Borg.

    This is how businesses operate in this area of Florida in 9/10 cases. There are some exceptions, but most of the time ANY business in the Tampa area (incl. St Petersburg, Clearwater, Oldsmar, Tampa, New Port Richey, Tarpon Springs, Safety Harbor, Hudson and Spring Hill) is going to be a cult-like scam organization that does nothing right (or is not even aware they're doing things wrong) and has employees who are completely brainwashed into thinking the company is the center of the universe.

    I'm not joking. This is 100% serious. I live and work in this area and this is what I see all the time.
  • Joe Johnson 2011-11-08 07:09
    If you call cold calling potential dupes work, then you are a deluded person. You should be in prison for preying on hard "working" people who are trying to grow their businesses.
  • too6nll 2012-03-24 21:58
    you're a half-ass moron!
  • Jonathan Halpert 2012-03-30 23:30
    This is funny... get a load of it before they fix it lol http://wgih.listen2myradio.com
  • test 2012-05-18 04:49
    http://800notes.com/Phone.aspx/1-864-297-4663/3
  • test 2012-05-18 04:51
    Small Business Scam - GSA Applications, Pinellas Hosting

    http://800notes.com/news/gsa-application-services
  • FastLizard4 2013-03-18 04:39
    Although federalsuppliers.com is now a dead link, it looks like the company has indeed respawned according to this BBB report (city and a few other details match up) and is now http://www.federalverification.com, or a bunch of other addresses even, such as http://www.gsaapplications.com/ (my personal favorite, since it's the closest resemblance to the original federalsuppliers.com site).
  • ObiWayneKenobi 2013-03-28 15:45
    I'm sure the owner of those sites is a con artist. They all are. No clue at all of anything wrong, just a business to do the minimum possible while generating income. Maybe a spouse/sibling/child is the on-paper owner so they can tell their friends that they own a business (no joke, I worked for a guy for a while whose sole purpose in being in business was so his wife could tell her friends back home she owned her own company).
  • dcmobilya 2013-05-25 16:49
    C* TİM
  • Fleex 2014-06-25 19:42
    Their entire website now returns a blank page with the title "invalid entry."