Admin
Woaw just... woaw.
I have nothing more to say.
Admin
WTF!
Admin
This is a real WTF and it's not funny.
Admin
The real WTF is you publishing a screenshot without anonymizing their names and addresses...
I imagine the residents of Merland Drive, Cindy Road, Lee Avenue, and so on are gathering up their torches and pitchforks as we speak.
Admin
EPIC fail. Some must get fired. And prosecuted. And kicked in the balls, twice.
Admin
If ever there was a major WTF, this is it.
Admin
The names and addresses were already available through the registry. The only thing that wasn't supposed to be was the SSN.
Admin
moron
Admin
You should have helped them by doing an ALTER TABLE and removing the SSN :)
Admin
Jeez, they may as well have put their entire database onto a CD, unencrypted, then lost it in the post... oh wait..
http://news.bbc.co.uk/1/hi/uk_politics/7117291.stm
Admin
But seriously, this is not so tragic. That's because the government watches terrorist internet activity closely, so that any bad guy trying to pull this SQL trick is going to be intercepted by highly competent cyber-cops and will never receive the data he requested from the server. In other words, you can be assured that only the good guys are able to view your personal data and you've nothing to hide from the good guys after all.
Admin
It also doesn't take a lot of imagination to try a SQL UPDATE. Like adding that guy up the road who irritates you to the sex offenders...
Admin
Heh, I was about to post up http://news.bbc.co.uk/1/hi/uk_politics/7104368.stm :)
(don't know why I'm smiling... :-\ )
Admin
That happened here in Ohio too, where our state government's "backup plan" was to send an intern home with an unencrypted tape backup, which they were to keep in their home "safe" and sound. One of them left it in their car, which was promptly broken into, and the "odd"-looking tape was stolen along with other junk from the car.
More info from this /. http://it.slashdot.org/article.pl?sid=07/07/27/1222215
Admin
Wow, and I live in Oklahoma... thankfully I've never had a reason to be registered in such a database, but still... makes me wonder what else my great state may be doing in the realm of WTF.
Admin
I just want to congratulate everyone involved with this story on bringing about a fix for the problem. If only there were more well-behaved developers pointing out (rather than exploiting) security holes, and companies being receptive to said notifications (instead of being defensive and accusatory).
Again, well done.
Admin
Challenge: make a comment that is so obviously sarcastic it is impossible that someone in the world is dumb enough to actually think that way. Hint: this is impossible.
: (
Admin
Maybe Oklahoma should start an online registry of the idiot developers who put this system together, and the managers who let them.
Admin
When a corporation does this, they take a huge hit in the form of lawsuits, stock drops, and lost business. When the government does it, it's a big brouhaha news story, maybe one person gets fired, and then it's back to business as usual.
Admin
That's the kind of breach someone should lose a job over.
Admin
Euhm, Alex, the blurring of the email addresses in that last picture doesn't really work; I can figure almost all of them out. Might want to use a black pen next time instead of blurring. The Social Security numbers are blurred a bit better, but still, it would be better to use a black pen in whatever photo editing program you are using.
Admin
and remember many people are in favor of having the government run healthcare. wtf indeed.
Admin
FUCKING A W E S O M E . . .
Admin
Well.. with such a gaping sql injection hole, thankfully no one registered you!...
Admin
That's nothing compared to what I leaked out of my ass this morning.
Admin
They better hope that Little Bobby Tables never commits a crime.
Admin
And don't think about congratulating the IT department. This is a disaster. I seriously hope those directly responsible for this are not only fired and sued, but maybe even locked up or given a shitload of community service. This is an utter failure in their duty of care. Why the fuck would you take on a role on a project involving sensitive data if you have any idea how incompetent you are? Sad thing is they probably don't know that, and neither does management.
captcha: feugiat (bit of an understatement don't you think)
Admin
and remember many people are in favor of having the government run healthcare. wtf indeed.
Yes, because private companies never leak data.
Admin
Sorry, but you forgot the obligatory XKCD reference ;).
Admin
Please, do not go to "Advanced Search" at Google, and do not look for pages containing SELECT FROM WHERE in the URL... Please, do not do it, oh please!
Admin
I vote for an annual "WTF Award" - preferably big and pointy, to be shoved up their *.
Admin
Good gravy... I'm dumbfounded.
Clearly the terrorists have already won.
Admin
The real WTF is the poor attempt at blurring the email addresses.
Admin
And you post this AFTER they took it down? Damned responsible users...
Admin
Very brave of you to post the exploit in the open like this. I know that your readers could have done the same thing and I also know that nothing is to be gained by shrouding your work in secrecy.
I'm just thinking there is probably some ridiculous law that has been violated and will be used to blame you for merely showing the incompetence and failure of whomever developed the system.
Wow. I applaud the work.
Admin
The real WTF is:
Admin
I started the story and thought "seriously now, people working for the government don't know about validating input fields for SQL injection?"... but then I got to passing the query in the URL and comments describing the schema in public-readable comments. That is a pretty epic level of WTF.
Admin
Looks like Paula got a job working for Oklahoma!
Admin
I'm glad you are honest and moral. Also I would have gone straight to the news to ensure that they get their asses whooped for doing something so amazingly stupid and so nasty for regular folks completely unsuspecting.
Admin
I see Pamela Anderson works there. Wonder if she's a guard.
Admin
My recently-ex boyfriend got married a year ago. I found out this little fact a couple of days back. He lives in OK...
Why, oh why, did you have to leave this article until after the security hole was closed?
Admin
http://www.google.pl/search?q=allinurl:+select+from+and There are some interesting hits (especially a few pages further into the search results)
Admin
Effectively leaving the data open to the public is their backup strategy. The only difficult part is getting people to admit they have it so they can do a restore.
Admin
.......
There are no words. I really hope whoever wrote that code gets Worse Than Fired...