• Bert (unregistered) in reply to ThePants999
    ThePants999:
    Research shows that clever people think they're clever, average people think they're average, and dumb people think they're clever. It's a shame nobody else realised they were dumb though.

    I thought it went more like: Clever people know that they don't know it all, Average people know what they know, Dumb people THINK they know it all.

    See http://www.apa.org/journals/features/psp7761121.pdf Figure 4.

    Saw this posted before at WTF. It should be required reading for the entire world.

  • (cs) in reply to MadJo@Work
    MadJo@Work:
    Euhm, Alex, the blurring of the email addresses in that last picture doesn't really work, I can figure almost all of them out. Might want to use a black pen next time instead of blurring. The Social Security numbers are blurred a bit better, but still it would be better still to use a black pen in whatever photo editing program you are using.

    I'd be very impressed if someone managed to unblur the numbers from the first image. Of course, they'd just learn that not all obscured things have useful data behind them (such as that pdf from Not Too Particular), but I bet it'd be a fun exercise.

    And yes, I suppose I could have blurred the emails a bit better. Then again, just about all of them are in the DOC's office directory or the various sheriff departments' contact pages. I guess I'll go blur those y#######om addresses... because, you know, random y#######om addresses are so hard to find, and there's so much damage one can do knowing one.

  • Steve (unregistered) in reply to SomeCoder

    Whoever wrote that code should find his/her own name added to the list... right after the new developers and administrators implement really tight security so that the people whose names are on the list cannot modify the list.

  • (cs) in reply to Alex Papadimoulis
    Alex Papadimoulis:
    MadJo@Work:
    Euhm, Alex, the blurring of the email addresses in that last picture doesn't really work,

    I'd be very impressed if someone managed to unblur the numbers from the first image. And yes, I suppose I could have blurred the emails a bit better.

    Oh sure you pick out YOUR comment to be featured!!

  • (cs) in reply to elias

    In case you too wish to press the "Do Not Press" button, here's a fun search!!

    inurl:select inurl:from inurl:where

    Remember, Do Not Press....

    ~Sticky

  • Dazed (unregistered) in reply to anon
    anon:
    Wow, and I live in Oklahoma... makes me wonder what else my great state may be doing in the realm of WTF.

    Well, I suggest you pass that question on to a few of your local papers, along with the URL of this article and a brief explanation for the benefit of journalists who have never heard of SQL.

  • AC (unregistered) in reply to Alex Papadimoulis
    Alex Papadimoulis:
    I'd be very impressed if someone managed to unblur the numbers from the first image. Of course, they'd just learn that not all obscured things have useful data behind them (such as that pdf from Not Too Particular), but I bet it'd be a fun exercise.

    And yes, I suppose I could have blurred the emails a bit better. Then again, just about all of them are in the DOC's office directory or the various sheriff departments' contact pages. I guess I'll go blur those y#######om addresses... because, you know, random y#######om addresses are so hard to find, and there's so much damage one can do knowing one.

    Even if you're right and you know it, you could have avoided all the hassle by blacking them anyway. Spare yourself the flames next time. :)

  • me (unregistered) in reply to DeLos
    DeLos:
    Alex Papadimoulis:
    Oh sure you pick out YOUR comment to be featured!!

    It's his site and his article, so why not?

  • Chahk (unregistered)

    The author should have tried an SQL injection attack before letting them in on the secret. "; truncate table registration_offender_xref" at the end would've done the trick.

  • (cs) in reply to x
    x:
    Xaox:
    Unless there is some state named Chihuahua... .doc.state.ok.us/servlet/page?_pageid=426&_dad=portal30&_schema=PORTAL30&id=regid
    Yes, genius, and it is in Mexico.

    Estados Unidos Mexicanos aka The Mexican United States, officially speaking that is. What I want to know is what they have against Australian states???!!?

  • Prave Konqueror (unregistered)

    Oh how I wish I could again see full articles in the front page in Konqueror... It defaults to summaries and pressing the full articles link does... nothing.

  • Freddy Bob (unregistered) in reply to Alex Papadimoulis
    Alex Papadimoulis:
    MadJo@Work:
    I'd be very impressed if someone managed to unblur the numbers from the first image.
    In ur text, unblurring ur eyes. http://dheera.net/projects/blur.php

  • (cs)

    That's very scary... People should be fired and perhaps prosecuted (not just the developers at fault, but the guys that hired the developers at fault and maybe the guys that hired the guys that hired the developers at fault). This kind of thing needs to be made an example of and it really doesn't matter how much it costs to fix.

  • tp_jacques (unregistered)

    I'd bet dollars to donuts that this was done by a consultant.....tax dollars hard at work my friends. From what I've seen most state agencies don't have the resources to write their own software.

  • Irish she was drunk (unregistered) in reply to tezoatlipoca
    tezoatlipoca:
    oh no! The Daily WTF front page on Slashdot and no BustedTees ad? How are we going to generate enough click-throughs to get Irish Girl back? oh the humanity!

    there's a bunch of pics of her on the busted tees site.

  • Walleye (unregistered) in reply to tp_jacques
    tp_jacques:
    I'd bet dollars to donuts that this was done by a consultant.....tax dollars hard at work my friends. From what i've seen most state agencies don't have the resources to write their own software.

    ...so they award it to the lowest bidder.

  • Kuba (unregistered) in reply to ptomblin
    ptomblin:
    They better hope that Little Bobby Tables never commits a crime.

    I just fell off my chair...

  • Linus (unregistered)

    I find the rest of the "removed" so website quite comical as well, it's a nice touch how they've kept the http://docapp8.doc.state.ok.us/servlet/IsItWorking/ page on the server.

  • Blue (unregistered)

    Exceptionally detailed post. Great job getting them to (finally) take things offline to be fixed.

  • Mark Wilden (unregistered) in reply to Alex Papadimoulis

    And how does it preserve privacy to blur SSNs (which are meaningless to most of us) but display names and addresses?

    ///ark

  • anon (unregistered) in reply to Freddy Bob

    Most people on the list will have been born in Oklahoma so the first three digits of their SSN will start with 440-448. Narrows it down quite a bit.

  • Hannes (unregistered) in reply to EPE

    I tried and got:

    No elephant with the name -1 UNION ALL SELECT * FROM users WHERE 1=1/* in the database. !

    :((

  • Justice (unregistered) in reply to 5|i(3_x
    5|i(3_x:
    ptomblin:
    and remember many people are in favor of having the government run healthcare. wtf indeed.

    Yes, because private companies never leak data.

    A private company that engages in negligence this gross isn't likely to be in business very long. More importantly, if a private company fails in this or any other way, you are not compelled to continue to do business with them.

    Right! After all, if your health insurance company leaks your personal data, you're under no obligation to continue with them. So what if your employer only provides benefits through one company and you can't afford outside insurance?

    And hey, it's not like you have to stick with your local electric company or the water authority. It's not like those are monopolies in any form.

    Like they say, the private sector does it better!

  • Schnapple (unregistered) in reply to Irish she was drunk
    tezoatlipoca:
    oh no! The Daily WTF front page on Slashdot and no BustedTees ad? How are we going to generate enough click-throughs to get Irish Girl back? oh the humanity!

    Don't sweat it, all Slashdot users have AdBlock Plus installed so they'd never see the ad anyway.

  • (cs)

    We apologise for the fault in the website. Those responsible have been sacked.

    We apologise again for the fault in the website. Those responsible for sacking the people who have just been sacked have been sacked.

    The directors of the firm hired to continue the website development after the other people had been sacked, wish it to be known that they have just been sacked. The website has been completed in an entirely different style at great expense and at the last minute.

  • sidecarsally.com (unregistered)

    Wow.

    I would've loved to go on that website and add myself. For some reason, I get really turned on by people thinking that I like to put my hand up little children.

    Even though I don't.

    Sidecarsally.com - GO GO GO!

  • (cs) in reply to Hannes
    Hannes:
    I tried and got:

    No elephant with the name -1 UNION ALL SELECT * FROM users WHERE 1=1/* in the database. !

    :((

    Some don't like plural nouns for table names. Just a thought.

  • (cs) in reply to anon
    anon:
    and remember many people are in favor of having the government run healthcare. wtf indeed.

    ding ding ding! We have a winner!

    One of my #1 reasons to be scared if Hillary or Obama gets elected.

  • Ruudjah (unregistered)

    Another big WTF is that the information displayed on the image is STILL recoverable BY UNDO SMUDGING ALGORITHMS. These have been successfully used in a German child porn case. And yes, these algorithms are available in the darker corners of the internet. So WTF TDWTF, please whiten these smudged SSN's out.

  • (cs) in reply to Disgruntled DBA
    Disgruntled DBA:
    We apologise for the fault in the website. Those responsible have been sacked.

    We apologise again for the fault in the website. Those responsible for sacking the people who have just been sacked have been sacked.

    The directors of the firm hired to continue the website development after the other people had been sacked, wish it to be known that they have just been sacked. The website has been completed in an entirely different style at great expense and at the last minute.

    Hahaha... one of the rare comments here that is actually funny.

  • Zathrus (unregistered) in reply to Mark Wilden
    And how does it preserve privacy to blur SSNs (which are meaningless to most of us) but display names and addresses?

    For those who still haven't gotten it -- the names and addresses are public information that's supposed to be provided by the sex offenders' list anyway.

    I do hope this gets picked up by the news wires, although I suspect most of 'em will go "eh, it's just sex offenders anyway", not realizing that it's also every inmate and employee in the OK DOC, and that the database integrity may be compromised to the point that the entire thing has to be rebuilt from court records, as the current data is untrustable.

  • (cs) in reply to Hannes
    Hannes:
    I tried and got:

    No elephant with the name -1 UNION ALL SELECT * FROM users WHERE 1=1/* in the database. !

    :((

    Because you are doing it wrong. Remember, they put a quote in there to contain the name so it should have been thus: -1' UNION ALL SELECT * FROM users WHERE 1=1/*

  • Derek (unregistered) in reply to Erick

    Whether it happens in private or public sector, low-level heads roll. But high level screw ups, like Bear-Stearns CEOs, or Bush Administration higher-ups, can screw up 1,000 times and they keep their high paying jobs.

  • Chris Eldredge (unregistered)

    I blame Pamela Anderson (see last screen cap). This should be proof that actors are not good programmers.

  • Schnapple (unregistered) in reply to cavemanf16
    cavemanf16:
    anon:
    and remember many people are in favor of having the government run healthcare. wtf indeed.

    ding ding ding! We have a winner!

    One of my #1 reasons to be scared if Hillary or Obama gets elected.

    Federal Government != State Government. The Federal government delivers all the mail with few problems and collects all the taxes with even fewer. State governments can't pave fucking roads. Besides, several other countries run socialized medicine just fine.

    But nice try Mr. McCain.

  • duder (unregistered)

    Oh man, if this database is used for proof-of-registration purposes, then any cases of offenders not registering would have to be thrown out....

  • (cs)

    My faith in humanity is a 64-bit signed integer and it just underflowed.

  • me (unregistered) in reply to lolwtf
    My faith in humanity is a 64-bit signed integer and it just underflowed.

    You must have a hell of a lot of faith in humanity.

  • Mark (unregistered)

    whee:

    http://docapp8.doc.state.ok.us/servlet/page?_pageid=428&_dad=portal30&_schema=PORTAL30&SearchMode=Basic&undefined=Basic&SearchBy=Basic&undefined=ALL&SearchAW=ALL&SearchOpt=ALL&regid=-1'%20UNION%20ALL%20SELECT%20*%20FROM%20users%20WHERE%201=1/*

  • (cs)

    Through an experiment on my test server I just realized that this:

    SELECT DISTINCT InfoS.TABLE_CATALOG as column1, InfoS.TABLE_NAME as column2, InfoS.COLUMN_NAME as column3, InfoS.COLUMN_NAME as column4, InfoS.COLUMN_NAME as column5 FROM table1, table2, (Select TABLE_CATALOG, TABLE_NAME, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS) InfoS

    is perfectly legal. In the SQL sense of course.

    Could changing the rights of the web user limit this ability? Obviously you would want to sanitize your SQL statements in the first place... but... Well, there is no but. What is the opposite of GRANT on SQL? DENY or REVOKE, right? :)

  • Ben Roesngart (unregistered) in reply to Alex Papadimoulis

    Unblurring is not difficult. The trick is to start with an unblurred numeral, blur it, then compare it to the blurred one. If you can guess the right typeface and blur algorithm, it's totally straightforward.

  • anonymously evil (unregistered)

    I "have personal knowledge" of the I.T. department at Oklahoma DOC. The guy that wrote their Sex Offender Registry system was a contractor. He was with a company that no longer exists. He was NOT a competent programmer.

    The administration at DOC has not supported the I.T. department in many years. They play the blame game, and usually get away with it. George Floyd probably didn't report the FIRST phone call to the idiot he works for. That will give them an excuse to use Mr Floyd as a scapegoat. Agency Director Justin Jones has seen the I.T. department as a personal enemy for a long time - not realizing that he is blaming the wrong people for the problems there.

    The I.T. staff at Oklahoma DOC are not the villains here. The fault lies with Directors and Deputy Directors.....

    BTW, have a look at this link: http://www.okhouse.gov/Documents/OKRVSDFinalReport080103.pdf

    Have a look at the part on Information Technology. (page 231 on...)

  • Anon Sam (unregistered) in reply to Pope
    Pope:
    Could changing the rights of the web user limit this ability?
    A read-only database could stop someone doing a DROP or DELETE.

    And maybe the guy who set up the DB knew everyone else was an idiot and did so.
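
Added example, not code from the thread or from the Oklahoma DOC site: it answers Pope's question about revoking the web user's rights and Anon Sam's point that a read-only account stops DROP and DELETE, and it shows the parameterized query that would have kept the regid input from being parsed as SQL in the first place. It uses Python's sqlite3 module with a constructed table and rows; SQLite has no GRANT/REVOKE, so the connection's authorizer hook stands in for a database account whose write rights have been revoked. The table name, columns and sample rows are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the registry; not the real schema or data.
SAMPLE_ROWS = [
    (1, "Offender A", "000-00-0001"),
    (2, "Offender B", "000-00-0002"),
]

# The input quoted in the thread above, used here only as a test value.
INJECTED_INPUT = "-1' UNION ALL SELECT * FROM users WHERE 1=1/*"

# Actions a web-facing, read-only account should never be allowed to perform.
WRITE_ACTIONS = {
    sqlite3.SQLITE_INSERT,
    sqlite3.SQLITE_UPDATE,
    sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_DROP_TABLE,
    sqlite3.SQLITE_CREATE_TABLE,
    sqlite3.SQLITE_ALTER_TABLE,
}


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registration (regid INTEGER, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO registration VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def unsafe_query(regid_text):
    """The flawed pattern: the request parameter is pasted into the SQL text.
    Returned as a string and deliberately not executed, so the reader can see
    that the quote inside the input closes the literal and the remainder of the
    input becomes SQL."""
    return "SELECT regid, name, ssn FROM registration WHERE regid = '" + regid_text + "'"


def lookup_safe(conn, regid_text):
    """Hardened form: the value travels as a bound parameter, so the whole
    string is compared against the regid column and is never parsed as SQL."""
    cur = conn.execute(
        "SELECT regid, name, ssn FROM registration WHERE regid = ?", (regid_text,)
    )
    return cur.fetchall()


def restrict_to_read_only(conn):
    """Approximate REVOKE/DENY of write rights for the web account.
    SQLite's authorizer is consulted when each statement is prepared; denying
    the write actions leaves SELECT working but refuses DELETE, DROP, etc."""
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action in WRITE_ACTIONS:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    return conn


def write_is_blocked(conn, statement):
    """Return True if the account's rights stop the statement from running."""
    try:
        conn.execute(statement)
    except sqlite3.DatabaseError:  # SQLite reports "not authorized"
        return True
    return False


if __name__ == "__main__":
    db = restrict_to_read_only(make_db())
    print(unsafe_query(INJECTED_INPUT))          # literal closed, SQL leaks in
    print(lookup_safe(db, "1"))                  # one row
    print(lookup_safe(db, INJECTED_INPUT))       # [] : treated as a value
    print(write_is_blocked(db, "DELETE FROM registration"))   # True
    print(write_is_blocked(db, "DROP TABLE registration"))    # True
```

The read-only account is defense in depth, not a substitute for the bound parameter: it keeps the table from being emptied or dropped, but a SELECT-only user can still be made to disclose anything that account can read, which is exactly what the UNION input in the thread does. Fix the query construction first, then cut the account's rights down to what the page needs.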

  • Anonymous (unregistered)

    Looks like they need this consultant quick!

    Oklahoma DCS Central Purchasing Division Status: Open Bid Number: 1310002506 Description: Department of Corrections is soliciting proposals from vendors to provide consultant services to assist DOC in determining requirements, direction, and the acquisition of a new offender management system.
    Buyer: Liza Hanke

    Find on http://www.dcs.state.ok.us/Solicitations.nsf, or direct link

  • v.dog (unregistered)

    TRWTF is that 'white' is a race

  • Jon B (unregistered) in reply to Schnapple
    Schnapple:
    cavemanf16:
    anon:
    and remember many people are in favor of having the government run healthcare. wtf indeed.

    ding ding ding! We have a winner!

    One of my #1 reasons to be scared if Hillary or Obama gets elected.

    Federal Government != State Government. The Federal government delivers all the mail with few problems and collects all the taxes with even fewer. State governments can't pave fucking roads. Besides, several other countries run socialized medicine just fine.

    But nice try Mr. McCain.

    Yes, I see your point. We should model healthcare after the IRS. Let's get started on that right away.

  • (cs) in reply to Jon B
    Jon B:
    Yes, I see your point. We should model healthcare after the IRS. Let's get started on that right away.

    We should also start the war on anger and jealousy. The war on terrorism just isn't cuttin' it.

  • Kevin Abbey (unregistered)

    A friend who is a network administrator with the Fed Gov't, emailed me today RE: this article. While he was reviewing the article he saw my name on two of the example sheets (I am a former DOC employee). I left the OK DOC in May, 2007, yet apparently here was my personal info for the taking.

    I also recognized some colleagues names, and emailed them about this too....with a link to the article.

    Thanks for discovering this, and encouraging the repairs.

  • Pamela Anderson (unregistered)

    I blame Pamela Anderson.

  • Schnapple (unregistered) in reply to Jon B
    Jon B:
    Schnapple:
    cavemanf16:
    anon:
    and remember many people are in favor of having the government run healthcare. wtf indeed.

    ding ding ding! We have a winner!

    One of my #1 reasons to be scared if Hillary or Obama gets elected.

    Federal Government != State Government. The Federal government delivers all the mail with few problems and collects all the taxes with even fewer. State governments can't pave fucking roads. Besides, several other countries run socialized medicine just fine.

    But nice try Mr. McCain.

    Yes, I see your point. We should model healthcare after the IRS. Let's get started on that right away.

    Why not? They're the one that put Al Capone away. Those motherfuckers get results.

Leave a comment on “Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data”