• Crap (unregistered)

    Reminds me of Capital One's "NO" commercial.

  • uep (unregistered)

    Not all that surprising to me actually. Seems everyone is getting into ASP these days.

  • (cs)

    ... and the problem was fixed by adding "&HACK_PROOF=YES" to all the URLs, right?

  • Anonymous (unregistered) in reply to uep

    !First Post

  • (cs)
    Alex Papadimoulis:
    They say that, as a programmer, you'd better keep your skills and knowledge current, or the latest "revolution" will leave you spinning in the dust and bumped to management. Obviously, "they" haven't heard of the Microsoft's Common Language Runtime, which allows for any programming language to be adapted for development within the rich .NET platform. This means that some languages that some might consider outdated, such as, perhaps, COBOL, to become a tool for developing modern software. As you might imagine, this can yield some fairly interesting results.


    Or C, as in C++.

    I have seen a manual for an OO COBOL.

    Dan did notice, however, that there was just one minor security hole ...

    [image]

    Some of the more hacker-savvy readers might pick up on it as well. When Dan mentioned that you simply need to changed the URL to include LOGGED_ON=YES to "spoof" access, his coworker scoffed, saying something about no one actually looking at those.

    And why did Dan bring up the point?  Maybe, he did look at it.

    But, all's well that end's well. Although Dan is no longer with the consulting firm, he's heard that his coworker is off developing some mission-critical software somewhere.

    The situation could get critical soon, yes.

    Sincerely,

    Gene Wirchenko


  • (cs)

    He should have scrambled it.

    http://www.initech-foundation.org/support/giving.aspx?NO_DEGGOL=ON

    ;-)

  • (cs)

    This guy clearly doesn't know what he's doing. I mean, you can't just grant visitors access like that...you have to assign proper privileges:

    LOGGED_ON=YES&LOGGED_ON_AS=USER

  • Sam (unregistered)

       Probably not fair to blame .NET for this, even though .NET's hardly my favorite environment.

  • Dan Waters (unregistered)

    Cool, it got posted. This is my favorite WTF, happened quite a while back, but still relevent today.

    This guy was kind of a leftover at the place I was consulting ("Initech"), had probably been there for 20+ years and had recently moved from mainframe programming to something more updated. But he didn't take any web dev classes, had no books at his desk, and knew how to pass variables via a query string. And that's all.

    How he got the CC processing to work is beyond my comprehension. I'm sure he probably mocked it up.

    I have no problem with older, more experienced folks, and nobody should, but my goodness, at least make an effort to learn about your job regardless of your age (And listen to input from the younger guys once in a while, too [;)])

     

  • (cs) in reply to ammoQ
    ammoQ:
    He should have scrambled it.

    http://www.initech-foundation.org/support/giving.aspx?NO_DEGGOL=ON

    ;-)


    Or, for SUPER DUPER high security, Rot-13 is your friend:

    http://www.initech-foundation.org/support/giving.aspx?YBTTRQ_BA=BA
  • (cs) in reply to WTF Batman
    WTF Batman:
    ammoQ:
    He should have scrambled it.

    http://www.initech-foundation.org/support/giving.aspx?NO_DEGGOL=ON

    ;-)


    Or, for SUPER DUPER high security, Rot-13 is your friend:

    http://www.initech-foundation.org/support/giving.aspx?YBTTRQ_BA=BA


    This looks like Klingon :-))
  • Colin (unregistered)
    Alex Papadimoulis:
    But, all's well that end's well. Although Dan is no longer with the consulting firm, he's heard that his coworker is off developing some mission-critical software somewhere.


    I sure hope it's not:

    http://secure.intercontinental-ballistic-missle.com/launch.aspx?LOGGED_IN=TRUE&MISSLE_ID=6&KILL_CHILDREN=NO&KILL_WOMEN=NO&KILL_TERRORISTS=YES&TARGET=IRAQ+AFGHANISTAN+IRAN
  • (cs) in reply to Gene Wirchenko
    Gene Wirchenko:

    Sincerely,

    Gene Wirchenko

    <pullinghair>
    Can you PLEASE stop ending every post like that?! It annoys the crap out of me everytime I read one of your posts, I doubt i'm alone.
    </pullinghair>
  • no one (unregistered) in reply to hash
    hash:
    Gene Wirchenko:

    Sincerely,

    Gene Wirchenko

    <PULLINGHAIR>
    Can you PLEASE stop ending every post like that?! It annoys the crap out of me everytime I read one of your posts, I doubt i'm alone.
    </PULLINGHAIR>

    No one cares what you think.

    Sincerely,

    Me

  • Runtime Error (unregistered) in reply to Colin
    Anonymous:
    Alex Papadimoulis:
    But, all's well that end's well. Although Dan is no longer with the consulting firm, he's heard that his coworker is off developing some mission-critical software somewhere.


    I sure hope it's not:

    http://secure.intercontinental-ballistic-missle.com/launch.aspx?LOGGED_IN=TRUE&MISSLE_ID=6&KILL_CHILDREN=NO&KILL_WOMEN=NO&KILL_TERRORISTS=YES&TARGET=IRAQ+AFGHANISTAN+IRAN


    I'm sure he's just working on the software for managing control rods on a nuclear power plant near your house.

    Sleep tight.
  • (cs) in reply to Colin
    Anonymous:
    Alex Papadimoulis:
    But, all's well that end's well. Although Dan is no longer with the consulting firm, he's heard that his coworker is off developing some mission-critical software somewhere.


    I sure hope it's not:

    http://secure.intercontinental-ballistic-missle.com/launch.aspx?LOGGED_IN=TRUE&MISSLE_ID=6&KILL_CHILDREN=NO&KILL_WOMEN=NO&KILL_TERRORISTS=YES&TARGET=IRAQ+AFGHANISTAN+IRAN


    Everyone knows you have to use SSL when executing something like that!

    https://secure.intercontinental-ballistic-missle.com/launch.aspx?LOGGED_IN=TRUE&MISSLE_ID=6&KILL_CHILDREN=NO&KILL_WOMEN=NO&KILL_TERRORISTS=YES&TARGET=IRAQ+AFGHANISTAN+IRAN
  • (cs) in reply to hash

    I'm myself more annoyed by the gratuitous (and so thoroughly argumented) drive-by trolling like "Or C, as in C++."

  • (cs) in reply to Zlodo

    My last reply was in reply to hash.

    I'm going to roll naked in shards of broken glasses, I need to do something more fun than posting using this forum software.

  • (cs) in reply to WTF Batman

    WTF Batman:
    ammoQ:
    He should have scrambled it.

    http://www.initech-foundation.org/support/giving.aspx?NO_DEGGOL=ON

    ;-)


    Or, for SUPER DUPER high security, Rot-13 is your friend:

    http://www.initech-foundation.org/support/giving.aspx?YBTTRQ_BA=BA

    You've completely missed the point. What this guy did is nothing short of genius...placing something like that wide in the open is clearly a new form of security--one based not on obfuscation or encryption, but on psychological deterrence. Anyone looking to break into the site will see it, but the stupidity of it will overwhelm the mind, and the hacker will be "shocked" into giving up.

  • David (unregistered) in reply to hash
    hash:
    Gene Wirchenko:

    Sincerely,

    Gene Wirchenko

    <PULLINGHAIR>
    Can you PLEASE stop ending every post like that?! It annoys the crap out of me everytime I read one of your posts, I doubt i'm alone.
    </PULLINGHAIR>

    Now that's a WTF. Who cares?

    Sincerely,

    David Hasselhoff

  • lloTr (unregistered) in reply to Zlodo
    Zlodo:
    I'm myself more annoyed by the gratuitous (and so thoroughly argumented) drive-by trolling like "Or C, as in C++."

    Indeed. Nowadays everybody should already know that C (and C++ to some extent) are inadequate for new developments.

    Move on.
  • Onanymous (unregistered) in reply to WTF Batman
    WTF Batman:
    Or, for SUPER DUPER high security, Rot-13 is your friend


    Rot-26 is far superior...
  • (cs) in reply to Dan Waters
    Anonymous:
    I have no problem with older, more experienced folks, and nobody should, but my goodness, at least make an effort to learn about your job regardless of your age (And listen to input from the younger guys once in a while, too [;)])

    Yes, it really should go both ways.  Experienced hands have perspective.  The new guys know the latest.  Combined, they can be great.  "Us" and "Them" does not work very well except for venting ones spleen: "Kids these days...", "Old fogies...".

    Sincerely,

    Gene Wirchenko


  • (cs) in reply to connected
    connected:

    You've completely missed the point. What this guy did is nothing short of genius...placing something like that wide in the open is clearly a new form of security--one based not on obfuscation or encryption, but on psychological deterrence. Anyone looking to break into the site will see it, but the stupidity of it will overwhelm the mind, and the hacker will be "shocked" into giving up.

    I think it's more of a psychological deterrence in that any hacker would see that and think... "wait, this must be a trap!"

    And yes, Gene Wirchenko, everyone hates you.

  • (cs) in reply to Doobie Dan
    Doobie Dan:
    I think it's more of a psychological deterrence in that any hacker would see that and think... "wait, this must be a trap!"

    And yes, Gene Wirchenko, everyone hates you.



    Ah ... but we all know his name and we all will probably remember it the rest of our lives!  

    Reminds me of the Simpsons, and how Mr. Burns can never remember Homer's name or who he is  ... perhaps Gene had a similiar situation in the past, where he never got credit for his work or ideas?
  • Dan (unregistered) in reply to lloTr
    Anonymous:
    Zlodo:
    I'm myself more annoyed by the gratuitous (and so thoroughly argumented) drive-by trolling like "Or C, as in C++."

    Indeed. Nowadays everybody should already know that C (and C++ to some extent) are inadequate for new developments.

    Move on.


    I'm still trying to decide if you're trolling or just that ignorant.

  • uep (unregistered) in reply to lloTr

    It's sad that I'm so tempted to bite because of the C++ comments.

    I've only been in the industry a relatively short amount of time, but in this area (Philly, central Jersey) there seems to be a lot of these ASP.NET jobs going around. Lots of friends, who happen to be relatively new also, tend to be getting positions doing ASP.NET. Is this just the type of job most young people can expect?

  • (cs) in reply to Runtime Error
    Anonymous:
    I'm sure he's just working on the software for managing control rods on a nuclear power plant near your house.

    Sleep tight.


    Oh, easily, now that I have do not have to worry about my nightlight ever burning out.

    Sincerely,

    Gene Wirchenko

  • (cs)

    it is kind of a Yawn .. of a wtf.  Now, seeing a COBAL version of a webpage, now that would be down right neato!  Do we have a screen shot please?

     

  • (cs) in reply to Zlodo
    Zlodo:
    I'm myself more annoyed by the gratuitous (and so thoroughly argumented) drive-by trolling like "Or C, as in C++."


    It is not trolling but historical fact.  The first C++ was implemented as a front-end to a C++ compiler.  Look up "cfront".

    Sincerely,

    Gene Wirchenko

  • (cs) in reply to Jeff S

    hash:
    Gene Wirchenko:

    Sincerely,


    Gene Wirchenko


    Can you PLEASE stop ending every post like that?! It annoys the crap out of me everytime I read one of your posts, I doubt i'm alone.

    I used to get annoyed with Gene's signature, but then people started whining. But now I find people overreacting to the sig quite entertaining. The irony in people getting so overworked about a sig on a forum called the daily WTF far outweighs my dim memories of being annoyed at Gene's sig.

    Is it just me or are the comments on this forum often more of a WTF than the original post?

  • (cs) in reply to tSQL
    tSQL:

    it is kind of a Yawn .. of a wtf.  Now, seeing a COBAL version of a webpage, now that would be down right neato!  Do we have a screen shot please?



    That's what I was expecting too. I was thinking, "Someone wrote a COBOL compiler that targets .NET CLR?! AND they wrote a WEB PAGE with it?!" Then I realized sad truth, and had to go drown my sorrows in Poland Spring.
  • Awaiting Troll Points (unregistered) in reply to Doobie Dan

    I think the real WTF here, is most obvious from the screen shot.

    What kind of Web Developer would dream of using IE?  That's just nuts! An outdated Mozilla build? ok, a Firefox 1.0 build? yeah, ok, even an Opera Install would have shown some apptitude for the task, but IE... yeah, only if you don't want to debug your applications, or build something Web 2.0.

    That said just curious, for all the Developers on this forum, except for those doing IE-only .ActiveXXXNet stuff, what Browser do you use?  Anyone already shaking their heads at the Beta2 of IE7 (oh man that's a LOOOOOONG way from a stable, public release)

    Elf 17

  • COBOL GUY (unregistered) in reply to tSQL
    tSQL:

    it is kind of a Yawn .. of a wtf.  Now, seeing a COBAL version of a webpage, now that would be down right neato!  Do we have a screen shot please?

     



    To your pleasure : ASP.NET Cobol
  • Germany (unregistered) in reply to David
    Anonymous:
    hash:
    Gene Wirchenko:

    Sincerely,

    Gene Wirchenko

    <PULLINGHAIR>
    Can you PLEASE stop ending every post like that?! It annoys the crap out of me everytime I read one of your posts, I doubt i'm alone.
    </PULLINGHAIR>

    Now that's a WTF. Who cares?

    Sincerely,

    David Hasselhoff

    We love you, David!

    Sincerly,

    Germany

  • Norm MacDonald (unregistered) in reply to Germany
    Anonymous:
    Anonymous:
    hash:
    Gene Wirchenko:

    Sincerely,

    Gene Wirchenko

    <PULLINGHAIR>
    Can you PLEASE stop ending every post like that?! It annoys the crap out of me everytime I read one of your posts, I doubt i'm alone.
    </PULLINGHAIR>

    Now that's a WTF. Who cares?

    Sincerely,

    David Hasselhoff

    We love you, David!

    Sincerly,

    Germany

    Which once again proves my theory that Germans love David Hasselhoff!!!!!

    Sincerly,

    Norm MacDonald

  • (cs)
    Alex Papadimoulis:

    After a few weeks, he was ready to show off the pages. With its entirely 14-Point Times-Roman Underlined text, it certainly wasn't a looker. But hey, it worked! You could enter in billing info and hit submit, and if you logged on as the administrator, you could see the donation and print it off. Dan did notice, however, that there was just one minor security hole ...

    [image]

    Some of the more hacker-savvy readers might pick up on it as well. When Dan mentioned that you simply need to changed the URL to include LOGGED_ON=YES to "spoof" access, his coworker scoffed, saying something about no one actually looking at those.



    I must be missing something here. How is LOGGED_ON=NO a security hole and how does changing it to LOGGED_ON=YES help?
  • (cs) in reply to hash
    hash:
    Gene Wirchenko:

    Sincerely,

    Gene Wirchenko

    <PULLINGHAIR>
    Can you PLEASE stop ending every post like that?! It annoys the crap out of me everytime I read one of your posts, I doubt i'm alone.
    </PULLINGHAIR>

    You are letting his signature get to you, and I know that feeling - it's just like an itch that you try to ignore until finally you claw your eyes out. But seriously, I don't think anyone thought about it until you started bringing it up every time! No offense, but the problem is you...

    Some forum software allows the user to block sigs and avatars in their personal views. Of course with this software, we cry tears of joy when it actually gets some code right, or inserts a picture...

  • (cs) in reply to Gene Wirchenko
    Gene Wirchenko:
    Zlodo:
    I'm myself more annoyed by the gratuitous (and so thoroughly argumented) drive-by trolling like "Or C, as in C++."


    It is not trolling but historical fact.  The first C++ was implemented as a front-end to a C++ compiler.  Look up "cfront".


    I know that. The creator of C++ chose to do it this way so that he wouldn't have to reinvent all the code generation that was already done by the C compiler.
    But, if I remember correctly what I've read about it, it wasn't a rudimentary preprocessor mindlessly filtering C++ constructs from the input source, it was parsing, checking and regenerating C code from the whole thing.
    Therefore the fact that it was outputting C code and not ASM was only an implementation detail.

    It doesn't means that C evolved into C++, and certainly not that the later is obsolete because the former is (as you may or may not have intentionally implied in your forst post)
  • (cs) in reply to connected
    connected:

    This guy clearly doesn't know what he's doing. I mean, you can't just grant visitors access like that...you have to assign proper privileges:

    LOGGED_ON=YES&LOGGED_ON_AS=USER



    What he needs to do is LOGGED_ON=YES&PASSWORD=12345.  If the password is something harder to guess than "12345", this solution is 100% unhackable!
  • Dan (unregistered) in reply to Awaiting Troll Points
    Anonymous:

    What kind of Web Developer would dream of using IE?


    One with a clue? One who actually acknowledges that over 90% over web users use IE? One who realises that IE has enough failures to comply with standards that it needs to be specifically catered for? One who isn't some kind of bigotted, anti-MS, open source weenie? Take your pick.

    Anonymous:

    That said just curious, for all the Developers on this forum, except for those doing IE-only .ActiveXXXNet stuff, what Browser do you use?


    There's only one good answer to this: "as many as possible".

  • Alun Jones (unregistered) in reply to ferrengi

    ferrengi:

    I must be missing something here. How is LOGGED_ON=NO a security hole and how does changing it to LOGGED_ON=YES help?

    I see what you are getting at - after all, the flag "LOGGED_ON=NO" could simply mean "so you don't have to complain that I didn't provide you with a cookie that verifies my ID".

    I'm going to guess that the reason it's a WTF is that it was just as brain-dead as it implies, where "LOGGED_ON=YES" would give you the access you needed.

  • (cs) in reply to lloTr
    Anonymous:
    Zlodo:
    I'm myself more annoyed by the gratuitous (and so thoroughly argumented) drive-by trolling like "Or C, as in C++."

    Indeed. Nowadays everybody should already know that C (and C++ to some extent) are inadequate for new developments.

    Move on.


    Rolling naked in sgards of broken glass has lost some of its fun, so I could aswell respond to a troll.

    C++ is one of the  few language providing OO programming (and generic programming, exceptions, etc.) that is designed to be compiled efficiently into native code.
    Out of these, it's the most widespread and the one for which it's the most easy to find a compiler for about any platform.

    Therefore, it is not quite obsolete yet. Unless of course you feel that the IT industry at large including the gazillion of embedded calculators you might find about everywhere, aswell as everything that doesn't have the luxury to waste responsiveness, memory and cpu cycles on a VM, could tomorrow replace every single piece of native code by some JIT-ed junk.
  • (cs) in reply to Zlodo

    s/sgards/shards

  • (cs) in reply to ferrengi
    ferrengi:
    I must be missing something here. How is LOGGED_ON=NO a security hole and how does changing it to LOGGED_ON=YES help?
    It is implied that changing the URL manually to LOGGED_ON=YES will give the user access. Since this is very easy to guess it would be trivial for an unauthorized user to gain access. It is a but like having a door lock with the lock/unlock on the outside.
  • ATM (unregistered) in reply to paranoidgeek

    We actually have a book that is titled "Elements of COBOLWeb Programming".  I come from a COBOL background but I don't think I would ever even consider web enabling any of my legacy programs.

  • (cs) in reply to COBOL GUY
    COBOL GUY:

    To your pleasure : ASP.NET Cobol


    F*CK... the times when I had to write COBOL programs are almost 20 years in the past, and I can still read that stuff... must be a permanent injury.
  • your mom (unregistered) in reply to R.Flowers
    R.Flowers:
    hash:
    Gene Wirchenko:

    Sincerely,

    Gene Wirchenko

    <pullinghair>
    Can you PLEASE stop ending every post like that?! It annoys the crap out of me everytime I read one of your posts, I doubt i'm alone.
    </pullinghair>

    You are letting his signature get to you, and I know that feeling - it's just like an itch that you try to ignore until finally you claw your eyes out. But seriously, I don't think anyone thought about it until you started bringing it up every time! No offense, but the problem is you...

    Some forum software allows the user to block sigs and avatars in their personal views. Of course with this software, we cry tears of joy when it actually gets some code right, or inserts a picture...



    But it's not a signature...  You'll notice there is no short horizontal line above it.  Anyway, it has been discussed many times at great length, and most of us tend to just ignore it.
  • (cs) in reply to paranoidgeek

    I think I know where this guy is working now:

    http://www.inetonsite.com/onsite/default.asp?ADMIN=False

     

     

  • (cs) in reply to hash
    hash:
    Gene Wirchenko:

    Sincerely,

    Gene Wirchenko

    <pullinghair>
    Can you PLEASE stop ending every post like that?! It annoys the crap out of me everytime I read one of your posts, I doubt i'm alone.
    </pullinghair>


    No, I am pretty sure you are alone.  How do you feel about cartoons involving the prophet Mohammed, by the way?....

Leave a comment on “COBOL_SECURITY”

Log In or post as a guest

Replying to comment #:

« Return to Article