Admin
Guys, guys, you're all missing the point! These are evil SEX OFFENDERS! They commit crimes ranging from rape to the equally heinous crimes of being a 17 year old getting a hummer from their 16 year old girlfriend, to public urination!
They all DESERVE to have their identities stolen. PUBLIC URINATORS NEED TO BE PUNISHED, FOREVER!!!!
Admin
Yes, it's definitely a good thing in this case. Even if there were further failures to fix the site, I would have advocated a vigilante removal of all social security numbers from the database, though that would most certainly land you in jail.
Really, there need to be criminal negligence laws established for foolish programmers like this. If you hire an engineer who doesn't know what he's doing and the bridge collapses, you're in a world of hurt. Insecure applications should work the same way.
Admin
This is definitely subpar blurring. Even without trying I can see that yahoo.com address. Didn't we already cover the anonymising issue? You are punishing other people for a software guy's mistake. Not real fair.
Admin
The real WTF is that they have a column called "Race".
Admin
Some of those images, especially the last one, aren't blurred enough. I can clearly read many of those email addresses.
Admin
The Daily WTF about to get slashdotted.
Article was put up on slashdot, brace for impact. :p
Wow at this. And dude, you need to BLACK OUT the ssns on the images. Really.
Admin
So normally, when we could actually use the name of the company and stuff in order to avoid them for our own safety, they're anonymized to the point of the story itself suffering.
But here, you're willing to give random people's full names and barely-blurred email addresses.
Admin
Perhaps even more interesting: http://www.google.com/search?hl=en&q=allinurl%3AsqlString+select
And those are just the geniuses that named the variable sqlString...
I believe we're observing a paradigm shift from "Haha, WTF" to "WTF!!!"
Admin
Let the fun begin!
Admin
w00t!
Admin
TRWTF is how you anonymized some of the email addresses.
I wonder who "jaa262@ya#######" could be. Or "rfm0527@ya#######"
Admin
slashdot is going to ruin these comments ...
Admin
And you should know better not to blur sensitive data but cut out...
Admin
I guess someone skipped Common Sense 102?
Don't blur text you want to anonymize. Period.
There's no "subpar" blurring going on here as other posters have suggested. There are only two types of blurred text: one where the original text is completely and accurately recoverable, and one where it's not. All we have here is the former.
One needs to keep in mind that obscuring text is not the same as obscuring facial details. Assuming all numbers and letters are used in a string, there are only 36 different characters, each with its own distinct blur pattern. All one needs to do is approximate the original font and the blur settings Alex used and do some trivial matching.
Come on, this should be obvious.
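The matching step described in the comment above, as an added example that is not part of the original thread or the site under discussion. It assumes the attacker knows the font and the blur filter; here both are constructed (a 5x7 bitmap font for the digits, and a 3x3 box blur applied twice), so recovery is exact. With a real screenshot you would substitute the actual font and a guess at the filter, but the per-cell template comparison is the same. The sample "SSN" is made up.

```python
"""Recover digits from a blurred image by template matching.

Added example for the thread above, not code from the original page. It
assumes a known font (the constructed 5x7 bitmap font below) and a known
blur kernel (a 3x3 box blur applied twice). Real screenshots need the real
font and a guess at the filter, but the matching step is identical.
"""

# Constructed 5x7 bitmap font: '1' = ink, '0' = background.
FONT = {
    "0": ["01110", "10001", "10011", "10101", "11001", "10001", "01110"],
    "1": ["00100", "01100", "00100", "00100", "00100", "00100", "01110"],
    "2": ["01110", "10001", "00001", "00010", "00100", "01000", "11111"],
    "3": ["11111", "00010", "00100", "00010", "00001", "10001", "01110"],
    "4": ["00010", "00110", "01010", "10010", "11111", "00010", "00010"],
    "5": ["11111", "10000", "11110", "00001", "00001", "10001", "01110"],
    "6": ["00110", "01000", "10000", "11110", "10001", "10001", "01110"],
    "7": ["11111", "00001", "00010", "00100", "01000", "01000", "01000"],
    "8": ["01110", "10001", "10001", "01110", "10001", "10001", "01110"],
    "9": ["01110", "10001", "10001", "01111", "00001", "00010", "01100"],
}

PAD = 2                                # blank pixels around each glyph
GW, GH = 5, 7                          # glyph size
CW, CH = GW + 2 * PAD, GH + 2 * PAD    # cell size (padding keeps cells from bleeding into each other)


def render(text):
    """Rasterise a digit string: one cell per character, 1 = ink."""
    img = [[0] * (CW * len(text)) for _ in range(CH)]
    for i, ch in enumerate(text):
        for r, row in enumerate(FONT[ch]):
            for c, px in enumerate(row):
                img[PAD + r][i * CW + PAD + c] = int(px)
    return img


def box_blur(img, passes=2):
    """3x3 box blur with zero padding at the borders, applied `passes` times."""
    h, w = len(img), len(img[0])
    for _ in range(passes):
        out = [[0.0] * w for _ in range(h)]
        for y in range(h):
            for x in range(w):
                acc = 0.0
                for dy in (-1, 0, 1):
                    for dx in (-1, 0, 1):
                        yy, xx = y + dy, x + dx
                        if 0 <= yy < h and 0 <= xx < w:
                            acc += img[yy][xx]
                out[y][x] = acc / 9.0
        img = out
    return img


def black_out(img, cells):
    """Proper redaction: overwrite the listed cells with solid ink (no information left)."""
    out = [row[:] for row in img]
    for i in cells:
        for y in range(CH):
            for x in range(i * CW, (i + 1) * CW):
                out[y][x] = 1
    return out


def _cell(img, i):
    return [row[i * CW:(i + 1) * CW] for row in img]


def _ssd(a, b):
    """Sum of squared differences between two equally sized pixel grids."""
    return sum((p - q) ** 2 for ra, rb in zip(a, b) for p, q in zip(ra, rb))


def recover(blurred):
    """Match each cell against the blurred template of every glyph.

    Returns (text, worst_margin). The margin is the distance gap between the
    best and second-best template over all cells: a positive gap with an exact
    hit means the blur preserved the glyph; a redacted cell matches nothing well.
    """
    templates = {d: box_blur(render(d)) for d in FONT}
    n = len(blurred[0]) // CW
    text, worst = [], float("inf")
    for i in range(n):
        target = _cell(blurred, i)
        ranked = sorted(templates, key=lambda d: _ssd(target, templates[d]))
        text.append(ranked[0])
        worst = min(worst, _ssd(target, templates[ranked[1]]) - _ssd(target, templates[ranked[0]]))
    return "".join(text), worst


if __name__ == "__main__":
    ssn = "123456789"                            # constructed sample, not real data
    leaked = box_blur(render(ssn))               # what a "blurred" screenshot contains
    print(recover(leaked))                       # the digits come straight back
    redacted = box_blur(black_out(render(ssn), range(len(ssn))))
    print(recover(redacted))                     # garbage: the pixels are gone, not filtered
```

The blur is a fixed linear filter, so every glyph has exactly one blurred appearance; with ten digits there are ten templates to compare against. Painting an opaque box over the cell destroys the pixels instead of transforming them, which is why the later comments say to black out rather than blur.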
Admin
This one looks nice too...
Alcoholic Beverage Regulation Administration, Suspended and Revoked Licenses
http://app.abra.dc.gov/services/suspended_licenses.asp?p=3&ps=&q=SELECT+S.business_id+AS+id%2C+S.id+AS+sus_id%2C+S.comment+AS+comment%2C+B.applicant_name%2C+B.trade_name%2C+B.bus_address_f_no%2C+B.bus_street%2C+B.bus_quad%2C+S.effective_date%2C+S.effective_end_date+FROM+abra_rw.tblLicense_hold+AS+B%2C+abra_rw.suspended_licenses+AS+S+WHERE+B.id+%3D+S.business_id+AND+applicant_name+LIKE+%27%25%25%27+ORDER+by+B.applicant_name%3B
Admin
oh no! The Daily WTF front page on Slashdot and no BustedTees ad? How are we going to generate enough click-throughs to get Irish Girl back? oh the humanity!
Admin
The real WTF is when you get v& over this
Admin
Real WTF: http://dheera.net/projects/blur.php
Admin
You're the real WTF.
Admin
I didn't.
Admin
I wonder if the programmer has been terminated given the lack of technological knowledge in upper divisionary levels of government (and elsewhere). Seems "George" didn't really think too much of it - more of a, "Hey there Tad, got some email you might wanna look at." According to the first fix this is exactly what happened. This story going to go to major media outlets?
Admin
Wow.
WOW.
That's not even SQL Injection. That's just piss-poor programming.
BTW, /. picked it up! Now for the AP.
Admin
I am simply stunned ..stunned that Oklahoma has the audacity to have a county called 'Canadian'. I think this is all an attempt to make Canadians look like a country full of sexual offenders ;)
Admin
There, that's a lot easier to edit.
Admin
I can't believe how many wide-open phpMyAdmin installs there are!
Oh wait, maybe I can.
Admin
OMG!!!!! I would never have thought of that. I would never have assumed people could be so stupid! I've been a frequent visitor of this site for months now (discovered it when it was named "worse than failure" - stupid name to be sure), but this... this is a new low.
Admin
OK.
Called the Oklahoma AP wire and they were VERY interested. :)
You better get your server ready for some hits.
Admin
While I know that was meant to be sarcastic, I think it's worth pointing out that only the original query limited the results to people on the sex offenders registry. Switching things up a bit allowed access to the ENTIRE DOC database system, including (I'm assuming) records of anyone who had been previously incarcerated for any crime, as well as employees of the DOC (see the last screen shot with employee logins and email addresses).
Admin
Why don't you take down those screen shots. It would take me all of about two minutes to unfuzz the social security numbers you have posted. Why are you doing just as bad a job as the people that you are complaining about?
Admin
and counting ...
Admin
Maybe the same 'developers' wrote this page too:
http://megis.maine.gov/metaweb/results.asp?whichpage=2&pagesize=5&sqlQuery=SELECT+CI.TITLE%2CID.Abstract%2CID_Web_Publish.WebPublish+FROM+CI%2CID%2CID_Web_Publish++WHERE+CI.Citation_ID+%3D+ID.Citation_ID++AND+ID.Dataset_ID+%3D+ID_Web_Publish.Dataset_ID++AND+NOT+ID_Web_Publish.WebPublish+%3D+0+AND+NOT+ID.Dataset_Type+%3D+2++AND+(++EXISTS+(SELECT+ID.Dataset_ID%2C+ID_Thesaurus_Keyword.Keyword_Name++FROM+ID_Thesaurus%2C+ID_Thesaurus_Keyword++WHERE+ID.Dataset_ID+%3D+ID_Thesaurus.Dataset_ID+AND+ID_Thesaurus.Thesaurus_ID+%3D+ID_Thesaurus_Keyword.Thesaurus_ID+AND+UPPER(ID_Thesaurus_Keyword.Keyword_Name)+LIKE+'%25HEALTH%25')+)+ORDER+BY+CI.Title
Admin
Searching Google for "select from where" is for wimps. Real h4k0rz search for "delete from where" ...
Admin
Black-box the social security numbers and CHANGE THE NAME OF THE IMAGE REFERENCE to defeat caching.
Here.
Don't use these as permanent links. Bring them down, then replace. Rename the image reference in the anchor tag.
http://img518.imageshack.us/img518/702/ok2hn1.gif
http://img293.imageshack.us/img293/513/ok1pw3.gif
Admin
That doesn't mean that you aren't in such a database...
Admin
I stumbled across something like this when researching one of the oodles of microsoft "dbconnect string" keywords once. Google found > 250,000 websites that contained 'password' and 'uid' strings for logging into SQL server and access databases. I went to one, curious if it was what it appeared to be...sure enuf, it was similar to this, but exposed all data on county employees for a county in Ohio. I considered sending an email, thought: They're obviously outstandingly ignorant of website security; They're going to be surprised to find out someone KNOWS their password; They're going to take SOME kind of action; Gov'ts often take action by destroying people's lives. I closed the browser window, and went on my way. That county's data may still be exposed, for all I know.
Admin
I think somebody may have already been messing with their data:
[image] Unless there is some state named Chihuahua...
Check it out here:
http://docapp8.doc.state.ok.us/servlet/page?_pageid=426&_dad=portal30&_schema=PORTAL30&id=regid
Admin
Amen to that. WTF? By the way, blurring the image doesn't help either. This is easily overcome with run-of-the-mill sharpening filters one can learn in Digital Image Processing 101.
Admin
You should give yourself a WTF award. How stupid could you possibly be posting the screen shots with the poorly obscured data. They were just presenting the data out of lack of good programming experience. You are posting data that you know shouldn't be posted, and doing next to nothing to prevent it from being stolen again.
Admin
Using GET requests to run side-effects is super-awesome.
It means all you have to do is publish this on some blog:
[image] and, poof! Sayonara!
(That URL won't exactly work, but inspection should tell you how to change it.)
Admin
A private company that engages in negligence this gross isn't likely to be in business very long. More importantly, if a private company fails in this or any other way, you are not compelled to continue to do business with them.
Admin
You know, you jest, but that's how most people would probably react. Also, the ignorant will likely say, "So what? Who'd want to steal the identity of a sex offender?"
Of course, if you stop and think about it, they're one of the best possible targets for identity theft. If they're in prison, it's going to be a long time coming before they get word that credit cards have been taken in their name, and if they're not, convicted felons are probably least likely to run to the police for help and even less likely to be helped. Many people will think they 'deserve it' and it's God's vengeance upon them. They'll be unlikely to receive a lot of sympathy.
Not to mention the strong possibility that someone buying stuff using their stolen identity needs only purchase items that would cause them parole violations and who are the cops going to believe? Convicted pedophile saying his identity was stolen or a credit card company who says Johnny Pervo bought a bunch of toys, children's clothing, and a box of condoms?
Admin
Never mind. Seeing that and "Distro Federal (Me" with some county names and I thought that they were pulling the state list from the database. It doesn't help that searching for people based on those states returns the entire list. Then again a little more testing reveals that it does not matter what state I pick, the entire list is still retrieved.
At this point a broken search is the least of their problems.
Admin
Dude, Alex, like everyone else has said:
You need to blacken out the "blurred" parts.
Blurring can be undone, homeskillet!
Excellent article, though.
Admin
This is the sound of job security
Admin
Guess what, it's still vulnerable to SQL injection. Try putting in apostrophes into the search field.
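The three stages the thread describes, as an added example that is not the site's own code: the original page that executes whatever SQL arrives in the query string (so any table is readable without an injection at all, as a comment above notes), a "fix" that hides the query but still concatenates the search term (so an apostrophe breaks it and a crafted term reads other tables), and a parameterised version. The schema, table names and records are constructed for the demonstration; nothing is known about the real application's structure.

```python
"""Raw SQL in the query string, string-built SQL, and parameterised SQL.

Added example for the comments above, not code from the site being discussed.
The schema and rows are constructed; the real database layout is unknown.
"""
import sqlite3


def setup():
    """Constructed in-memory database standing in for the DOC system."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE offenders (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT);
        CREATE TABLE employees (id INTEGER PRIMARY KEY, login TEXT, email TEXT);
        INSERT INTO offenders VALUES (1, 'DOE, JOHN', '000-00-0001');
        INSERT INTO offenders VALUES (2, 'O''BRIEN, PAT', '000-00-0002');
        INSERT INTO employees VALUES (1, 'jdoe', 'jdoe@example.invalid');
    """)
    return db


def search_v0(db, q):
    """Stage 1: the page runs the SQL text it was handed in the URL (?q=SELECT ...).
    There is nothing to inject; the whole database is simply exposed."""
    return db.execute(q).fetchall()


def search_v1(db, name):
    """Stage 2: the query is now fixed, but the term is pasted into it as text."""
    sql = "SELECT name FROM offenders WHERE name LIKE '%" + name + "%'"
    return db.execute(sql).fetchall()


def search_v2(db, name):
    """Stage 3: the term is bound as a parameter and never becomes SQL."""
    return db.execute("SELECT name FROM offenders WHERE name LIKE ?",
                      ("%" + name + "%",)).fetchall()


# Crafted term that closes the LIKE literal, appends a UNION against another
# table, and comments out the trailing quote the page would add.
UNION_TERM = "zzz%' UNION SELECT login || ' ' || email FROM employees --"


def demo():
    """Run the same inputs through all three versions and return the results."""
    db = setup()
    results = {}
    # v0: the intended query works, and so does any other one.
    results["v0_intended"] = search_v0(db, "SELECT name FROM offenders")
    results["v0_other_table"] = search_v0(db, "SELECT login, email FROM employees")
    # v1: a name with an apostrophe is a syntax error (the symptom in the comment above).
    try:
        search_v1(db, "O'BRIEN")
        results["v1_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["v1_apostrophe"] = "error"
    # v1: a crafted term reads the employees table through the "fixed" page.
    results["v1_union"] = search_v1(db, UNION_TERM)
    # v2: both inputs are plain data.
    results["v2_apostrophe"] = search_v2(db, "O'BRIEN")
    results["v2_union"] = search_v2(db, UNION_TERM)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Trying an apostrophe in a search field, as the comment suggests, is the quickest way to tell v1 from v2: a database error (or a blank page where a result should be) means the input reached the parser as SQL, and the UNION term shows what that is worth to an attacker.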
Admin
DUDE!!!!
YOU MADE THE FRONT PAGE OF SLASHDOT! I don't know if that's GOOD or not, but hey, pub is awesome, no?
http://it.slashdot.org/article.pl?no_d2=1&sid=08/04/15/1414223
By the way, I HATE Slashdot and most of the zealots that post there, however, I still feel the need to read that piece of garbage if only to see the lies being told by the OSS community.
Take care, Alex.
By the way, I live in the Cleveland area too. This weather BLOWS!