Admin
Genious! Brillant, even!
Admin
Well, it is always good to know what is definitely secure, right?
Admin
BRILIANT!
Why does it seem so many WTFs are caused by someone being "too clever" and using javascript to process information instead of...the server-side scripting language they are 'pretending' to use?
Admin
Re. AccountID - I worry about secure sessions too sometimes, since they don't really seem all that secure. Have most people switched over to using GUIDs instead of AccountIDs? That is what I'm considering.
Admin
Could we get the name of the brokerage? I'd like to open an account. For about 15 minutes.
Admin
They probably used an HTML-to-JSP converter.
It seems you can find real security at the web sites of Linux user groups, but not at banks and brokerage houses. Wow!
Admin
Why does it seem so many WTFs are caused by someone being "too clever" and using javascript to process information instead of...the server-side scripting language they are 'pretending' to use?
What are you talking about, not server side? It has client-side JSP sent to be server-side JSP!!! Brillant!!
Admin
What is this, security by this-is-so-unexpected-no-one-will-look-here? Right, and let's trick Al-Qaeda by donating them money...they'll be so bewildered, they won't know what to do with it!
Admin
Kinda funny considering that LUGs advocate openness while banks advocate closed-ness. (Still wondering why my bank closes at 1:00 on Saturdays...)
Admin
Been here long? :-)
Admin
C'mon, Alex, what are you expecting here? We all know those sophisticated hackers are always 3 steps ahead of the security game.
The developers were probably going for "Security by Stupidity", hoping that no self-respecting hacker would try something so simple. It's like taking candy from a retarded baby monkey.
BiggBru
Admin
Man, this definitely made my day. lol.... all I can say is roflmao.... Brillant!
Admin
But the press tells us that all hackers are 12 year old children who failed out of school, so probably cannot read!
Admin
After the discussions of the last two days, a WTF which is proof against anyone arguing that it's not a WTF. Quite stomach-churning.
Admin
hence, this program!!
Admin
Apparently not long enough. [:D]
Admin
Someone's going to be up to the challenge of "demonstrating" why this is not a WTF. (Right? Anyone?)
Not to mention there's probably about even odds that someone will end up defending this for real.
Admin
Hello. Paula?
Admin
Clearly the whole system is a cleverly designed honeypot, secretly operated by an elite group of NSA super-hackers. I bet they are catching scammers left and right with this thing.
Admin
I really need to get into the habit of reading the source of a web page. I just can imagine all the wtf goodness I could find...
Admin
This isn't a WTF. The security assessment company was surely being tested by this firm to see if they knew what they were doing.
Admin
I just want to be left alone with the person responsible for letting browser-side script communicate with server-side script... just 1 freaking minute... I swear he will make an "I'm so sorry" statement on every blog.
Really, why is it companies keep hiring 2-bucks-per-day programmers to handle costumer data.... THAT is a WTF itself... The rest is WTF by inheritance.
Admin
I meant 2-bucks-per-day programmers to program modules which handle costumer data, for those not BRILIANT! enough to understand :P
[Alex, there's too little time for enabling the edit button]
Admin
I'd comment on the lack of security, but didn't one (more?) of the major banks/brokerages recently lose a tape with something like 30mm account numbers, ss#'s and passwords on it because they shipped it via UPS/FedEx/whomever and it just happened to be misplaced?
Let's face it, even if the code was the purest of pure-bred well designed and thoroughly thought out systems, there are still common-sense WTF's all around us in life.
It is to laugh...
Admin
sooooooooo...... get to the part about what happened when the security company told the client they had no security.
tdog
Admin
costumer --> Misspelling? Perhaps not!
Admin
WHERE R THE TESTERS! [;)]
Dear Developers:
"Invalid AcctId." is too cryptic. I'm typing in "Mama goes Bats" in this field and getting this message. Please format a better message along the lines "My mama is not 'bats'. Please focus on supplying the requested account ID." Also, this application should be able to display errors in multiple languages.
nihonAlert('BAKKA YA RO!!!!');
Admin
IronMountain has been losing tapes lately. Too bad many companies don't check the box labeled "encrypt".
Admin
On the other hand, given the Lowest Common Denominator (tm) method of education used at most schools these days, the ones who can read probably _are_ the ones who are being flunked out.
CAPTCHA = SPEAKER. How apropos.
Admin
That is, actually, quite profound.
Perhaps too much so for this forum [;)]
Admin
But encrypting the backups takes too long. Then again, sending the backups to anything but /dev/null takes too long.
Admin
OMG I know that brokerage firm. Shortly after this happened they reorganized the company and got into the forum software business.
I think they called themselves something like 'Smart Systems' and make a product called 'Community Served'. I'm having a hard time remembering the exact names, but something like that.
;)
Admin
Of course, this is a highly advanced design. You are 100% safe against stuff like this. Imagine the advantages! Nasty old google can't come around and knock down your site just because some stupid user copy-pasted a sensitive link.
On top of that, you are safe from email address collecting bots and automated spamming systems.
This also saves lots of server resources. Server doesn't have to do too much logic, and in some cases, it has been shown that hard disk usage DECREASES over time!
'nuf said.
Admin
I'm pretty sure you mean 'Mart Systems...
Admin
Of course, a vanilla form feeding to a server-side script can still be more full of security holes than a block of Swiss cheese. But browser-side scripts do lead to the "rely on browser-side data validation" anti-pattern, so yeah, we feel your pain.
Admin
I believe this was about the banking industry, not the movie and theatre industries. WTF?
Admin
Until this post I thought the forum software was a 5 minute home grown job... I can't believe this is commercial! Just ... wow. CAPTCHA == analysis with the 'anal' in a dark bold colour and the 'lysis' in a light, barely readable colour... sums it up really.
Admin
Yes, but have you tried Javascr...- nevermind...
Admin
Maybe it's just a Honeypot; anyone attempting any of these breaches gets IP banned...
Admin
FYI: 馬鹿野郎 (ばかやろう) is romanized as bakayarou, not "bakka ya ro".
Admin
Maybe it was on a SSL server? Still, the cookies... bad programming...
captcha was "bozo" haha
Admin
The sad thing is you are off by probably 3 magnitudes on the price of your programmers
Admin
??????!!!
Admin
Pardon me, with this atrocious forum software's inability to edit posts...
I meant to say
よくできました!!
「ばかやろう」 は なんですか
Admin
No, he got it right. "Shop smart! Shop S-Mart!"
ok
dpm
Admin
Pardon me, with this atrocious forum software's inability to edit posts...
I meant to say
よくできました!!
「ばかやろう」 は なんですか
It's been a long while since I had to translate, so I had this site do it for me:
http://www.animelab.com/anime.manga/translate
Here's what I got in return (using the "translate" button).
yo ku de ki ma shi ta ! !
-- evening, night clause outflow tree rub, scrape city who
"ba ka ya ro u" wa nan de su ka
-- "ba sent, oder question mark furnace u" I, me, oneself, self, ego what outflow to do sent, oder
Ahhh, now I understand. [^o)] _jokes_
The nihonAlert() was just a way for me to show that developers can shout at the "user" in more than just plain old English. Hope I did not offend with my rough & rusty romaji. [:^)]
Admin
Man, you laugh at this sort of thing now... But I've had to deal with this sort of crap first hand (fortunately not with a bank) and my stomach just turns when I see it... Please, Alex, spare us (and PLEASE fix the CAPTCHA!)
Admin
But hey!
At least they knew something was wrong with their security, and they knew that they weren't up to testing it themselves, so they brought in someone who was. A lot of people wouldn't have had that level of self-assessment in the first place.
Admin
Actually, in some situations you can't use HTML pages if you want to keep the client's session. I think it is where the session tracking is in URL rewriting...
Going to have to brush up before the SCWCD exam in a few weeks ;)
Admin
This makes me want to start keeping my money under my mattress.