Admin
No, actually, he meant "re-soled", that is, given a new thick layer of that gummy plastic stuff because the shoe leather is still good.
And while I'm at it, let me say that whoever brought the system down so that I couldn't study it and learn something from it is a colossal porkface. Now I'll *never* be satisfied.
Hill
Admin
Careful with that bet. I mean if the students were that smart, would they be going to WTFU?
Admin
It would also be interesting to see whether the log files show that the entire web site was indexed by Google...
Admin
As long as there aren't links directly to the pdf files (without needing a login) Google won't index them. Google spiders a site (as in follows links). It doesn't attempt to get past logins, and it doesn't throw random URLs at a domain.
Admin
Hopefully, you have shown this to your friend already because now it's broken... whoever took it down took the fun we're supposed to have... :(
On another thought, maybe they brought it down to apply the necessary security patches required...
Am I the only one who thinks staying and trying to improve the existing system is better than running for your life fearing the abomination?
I know it's a lot of pain to go through, but...
Guess I really have much to learn about this world... ;)
Admin
Not wanting to be confrontational, Jim simply replied that he didn't want anyone to think that he may have tampered with his own application, as he was "familiar with the technical details of the system".
This is absolutely the SMARTEST thing I have read on The Daily WTF (including comments)!
Admin
I'm sure the person that found it, yelled "WTF!" or something similar, if not less polite.
But perhaps we should start a www.dailyomg.com, for your daily "Oh My God" experiences, or www.dailyrmye.com for that daily Roll My Eyes feeling...
Admin
Didn't they say that about the DVD encryption? Or DRM? Or.... :-)
Admin
Well I don't know much about Norway, except that it is so rich (among others, because of North Sea oil) that it is paying dividends to its citizens, and that everybody gets to go to university for free, as well as interest-free loans while studying....so the standards are a little better than in some backwaters of the world (say, the US).
(I had to write this, the US is sometimes so far from knowing what "civilized world" can mean; BTW, the "free university" thing is the norm in Europe)
CAPTCHA = CAPTCHA :-)
Admin
There have been stories about banks making the same error: just changing the account number in the URL and one can see the transactions and everything from other customers of the bank.
Also a Norwegian pizza delivery firm had the same problem, where one could get the whole purchase register of other customers (what does your hero like on his/her pizza?), not that important perhaps, but still a privacy concern...
Admin
I have discovered and reported two similar security problems:
- the first one compromised customer privacy and exposed the webshop's customer records to the web,
- the second one made it possible to read a company's internal discussion forum (including bug reports and discussions about profitability of certain accounts) from anywhere on the world wide web.
The first one I reported as a customer, and I never even got an answer. Last time I checked the problem still persisted and I could view other people's orders in their webshop by changing the URL parameters.
The second case was reported when I was working for a business partner of this company. Their chief programmer replied with "Thanks, we'll investigate". Six months later the security hole was still there. It might still be unpatched, but I'm afraid to test it anymore because I am not certain if that is legal.
In the first case it is possible that some non-technical secretary/customer service rep read my email and tossed it into the waste basket because he didn't understand what it was about. But in the second case the person who acknowledged receiving my message had overall responsibility for the system, but he still chose not to do anything... I even enclosed detailed steps to reproduce (they were not complicated) and a couple of screenshots showing sensitive information which they didn't allow even all of their employees to access.
Admin
I haven't been in a certain situation "bad enough" to make me leave but if I do, I'll keep that in mind... Thanks!
Admin
While I agree with most of your comments above, I strongly disagree with your assertion that the culprit of the problem is the fact that source code is open, available, and shared. Source code, and for that matter any type of information, has been shared for thousands of years -- that's how come our civilization has been able to amass such a mind-bogglingly large collection of knowledge throughout its existence.
The problem is not its availability or the sharing of it, but its authoritativeness, and the low barriers to entry offered by very high-level languages. There was a time when programming required strenuous academic training, experience, and understanding of the tools in order for it to work. And not just to work effectively, but to work at all: if you didn't learn the language, how it worked, and how to use it, chances are you wouldn't get your code to compile. Nowadays, highly abstracted languages aimed at being fully accessible to the masses, so that anyone can whip up runnable code without much experience or understanding of the frameworks, are allowing just about anyone with a computer to create multi-user, database-driven applications. This lowers the costs of labor, of course, which is always viewed as a Good Thing (tm) by employers, but culminates in the sort of horrendous buggy and insecure applications we are used to talking about on this forum.
Any idiot can whip up a script with PHP, VBScript, or the like, and connect to a database. This is by design. The problem is that, unfortunately, just about any idiot *does*. Add to this the efficiencies of mass publication of the WWWeb and you get, well, a very large and ever-growing pool of crap code and bogus instruction.
But who uses all this crap code? Is it the experienced programmers? I posit it isn't -- as you have pointed out that most of it is bad, I can't imagine you, for example, using this pool as a resource. No, it is those same inexperienced "programmers", the ones using the tools without understanding of their workings, who keep going back to it, and copy+pasting snippets from it verbatim into their own code.
So you see, it is not the sharing of information that is at fault, it is the ease with which bad information is created and masked as authoritative, and a general lack of education, that is the real problem.
-dZ.
Admin
Do you mean it has been Question-Exclamation-ed? WTF is that??
-dZ.
Admin
Oh come on, this isn't a security hole, after all, nobody actually reads URLs anyways.
Admin
Really? I want in.
Even in a top UK university, I could say some of the graduates are less than stellar. Not sure about the postgrads.
Admin
Consult the logo of this site.
Admin
Our entire university network is insecure, and everyone knows it's insecure. It gets even worse when you look at individual passwords.
But I've still seen worse. Unprotected password files are loads of fun.
Admin
I love people who admit not knowing something. It means when they say they do know something they actually might do.
People who always know the answer so often just guess at one to look smart :)
Admin
Then wouldn't it be more appropriate to say 0.o?!
I still say that's stupid. WTF'd seems so much more appropriate.
-dZ.
Admin
I have a tendency to booby trap my web apps against this sort of "hacking". If there is a field I pass through GET (and POST, to a lesser degree), it either doesn't matter if you change it, or it's there to let me know who's trying to game my system.
User friendly is a nice dream, but user hostile makes sure your app is still running fine in the morning.
Admin
Typical.
Admin
Wow. I'm actually surprised it took anyone this long to notice that particular WTF.
Admin
In the US the idiots sue you!
Admin
The real WTF, allow me to state the obvious, is that people who can't code take on web development. Browsers are tolerant enough to render any scribble as if they're valid HTML. Compounded with WYSIWYG tools and idiot-proof applications like ASP.NET, this army of web coders THINK they can code.
It's nearly impossible to tell people apart from their CV/Resume qualifications since they all claim the same. Not to mention in a non-real world, namely, the academics, students are never taught how to build a full web application. Well, I'll heavily doubt the quality if they do. That's why when I recruit programmers, I always ask them to show, or at least describe, the project they've previously worked on. "10 years of experience" is as useless as a university degree nowadays.
Admin
In the USA (and probably everywhere else), universities are run as a business. To that end, they hire the cheapest people they can, and students who are working for the school in exchange for course credit instead of money are as cheap as they come.
That means that they haven't completed their degree, and even if they had a degree, they probably aren't familiar with all the ways that a script can be mis-used. I work for a university and hire students who can't code their way out of a paper bag because they are the only ones who apply for the jobs. Security work takes experience and/or reading security papers. They don't have the former and are too lazy to do the latter. Hence, these problems flourish in academia.
Admin
I am from Denmark (Aarhus city) and equally surprised that it is that bad! At least at the university where I am a student, the administrators are paranoid enough, and no such thing has ever happened here as far as I know.
My guess is, it is the same at the other universities here in Denmark since they are legally obligated to protect personal data. But that is the case also in the US, right? So what could the explanation be for such a difference in precautions with regard to security?
The level of competence here is high enough that people outside the university come to learn security, particularly for larger networks with a lot of different kinds of users.
As it should be!
Admin
Reality bytes! (niiiiiice)
Admin
Do you also use idiotic markup to make people wonder how idiotic the server side is?
Admin
Par for the course.
Admin
I doubt anyone here would believe you if you say you are.
Admin
The article states in the first paragraph:
Tom believed that, despite only having a solid year of experience outside of his eighteen years at WTFU, he was The Chosen One, responsible for introducing "his students" into the Real World.
The "ten years" was a reference to what happens in the real world.
~scc4fun
captcha: knowhutimean (do ya?)
Admin
What's the problem with putting the account number and check number in the URL? You're logged in, you've got a session that's associated with your user ID and account number. If you change those values to try to look at someone else's check, I would bet that all you get is an error message and your account flagged as an attempted cracker.
The real security problem here is that it's an http URL instead of https. I don't really want my ISP/the NSA/the man-in-the-middle watching my banking activity or viewing my checks.
I hope they at least use https for login.
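The server-side check this comment describes (and the "booby trap" an earlier comment mentions) boils down to one rule: identifiers in the URL are fine only if the server re-checks, on every request, that the session's user actually owns the account named in the URL, and logs it when they don't. The following is an added example written for this page, not code from the original thread or from any bank discussed in it; the account numbers, check ids, user names and image bytes are constructed sample data, and the handler signatures are hypothetical stand-ins for whatever web framework is in use.

```python
"""Viewing a check image by ?account=...&check=...: the vulnerable handler
trusts the URL, the hardened handler checks ownership against the session.

Added example for this comment thread; sample data is constructed, not real.
"""
import logging
from dataclasses import dataclass

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("checkimage")

# Constructed sample data: who owns which account, and which check images exist.
ACCOUNT_OWNER = {"1001": "alice", "2002": "bob"}
CHECK_IMAGES = {
    ("1001", "501"): b"PNG...alice-check-501",
    ("2002", "777"): b"PNG...bob-check-777",
}


@dataclass
class Response:
    status: int
    body: bytes = b""


@dataclass
class Session:
    user: str              # set at login; never taken from the URL
    tamper_count: int = 0  # how often this session asked for accounts it doesn't own


def view_check_vulnerable(session: Session, params: dict) -> Response:
    """Trusts the URL: any logged-in user can fetch any (account, check) pair.

    This is the insecure direct object reference the thread is about."""
    key = (params.get("account"), params.get("check"))
    img = CHECK_IMAGES.get(key)
    return Response(404) if img is None else Response(200, img)


def view_check_hardened(session: Session, params: dict) -> Response:
    """Re-derives authorization from the session instead of trusting the URL."""
    account = params.get("account")
    check = params.get("check")
    if account is None or check is None:
        return Response(400)

    # The account named in the URL must belong to the authenticated user.
    if ACCOUNT_OWNER.get(account) != session.user:
        # Record the edited identifier: this is the "flag the account" step.
        session.tamper_count += 1
        log.warning("tamper: user=%s requested account=%s check=%s",
                    session.user, account, check)
        # Same 404 as for a missing image, so the reply does not reveal whether
        # the account exists at all.
        return Response(404)

    img = CHECK_IMAGES.get((account, check))
    return Response(404) if img is None else Response(200, img)


def demo() -> dict:
    """Runs alice against her own check and against bob's through both handlers."""
    alice = Session(user="alice")
    own = {"account": "1001", "check": "501"}
    bobs = {"account": "2002", "check": "777"}
    return {
        "own_hardened": view_check_hardened(alice, own).status,
        "bobs_vulnerable": view_check_vulnerable(alice, bobs).status,
        "bobs_hardened": view_check_hardened(alice, bobs).status,
        "tamper_count": alice.tamper_count,
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping `user` on the session object only is that the ownership lookup cannot be influenced by anything the client sends; the URL parameters merely select among objects the session is already allowed to see. Note that this check does nothing about the other problem raised in the comment: serving the page over plain http still exposes the account and check numbers, and the image, to anyone on the path, and that needs https regardless of how good the authorization logic is.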
Admin
Trust me, "most blah blah blah sucks" and "almost all blah blah blah is insecure", for any values of blah blah blah you care to name.
Sturgeon's Law: 90% of everything is shit.
Admin
So your web apps don't take any real parameters. No data from the client side ever has any real effect on what happens on the server side. In what sense are they web apps? How do they do anything?
Admin
No wonder most don't take college systems seriously.
Admin
At both universities I had the pleasure to study/work at in Italy (www.polimi.it and www.unimib.it), network admins were damn well sure what they were doing. In the latter I was the BOFH of a network connected to the university network and I always found them ultra-eager to help as well.
Except they forced us to use their network equipment. :( captcha: wigwam... WTF? O_o