Admin
Not really going to be a problem, though, since the only cached data is going to be the data they originally wanted posted. Google spiders, while cool, don't rewrite SQL statements when they find them to include SSNs, but hey, if I am wrong, post them; I need another CC :)
Admin
I had a semi-similar WTF at my company several years ago. They had rolled out a new series of employee detail pages - I can't even remember what they were for now. You put in your user ID, and it listed out your pertinent information, including your SSN.
After about 30 seconds, I realized I didn't have to enter a password to see my data. So I put in my manager's user ID. Lo and behold, there was his information, including his SSN.
So I wrote it down on a sticky note and explained the problem to him. He was not the least bit concerned. So I looked at the bottom of the page, got the 'send problems to the webmaster' link, found out who it went to, looked up his SSN and sent it to him, with an explanation of the problem.
He promptly booted it up to his supervisor, and all detailed personal information was immediately removed until the system was password protected.
To me the system was just an oversight. The real WTF to me was my manager's unconcern. ;)
Admin
They reported it as a glitch... A glitch? It's a gaping huge security hole that should be obvious to any developer. I guess they wanted to downplay it and make it seem like some minor or obscure problem.
Admin
That whole NewsOK article smells of "Let's just throw some Internet-related words at it", to be honest.
Admin
That reminds me of a story I read in a national newspaper. Someone had distributed a Word document with sensitive information and "blacked out" the sensitive parts. And he/she did that by drawing a box on top of it. It was just a matter of dragging the box to another place to see the information...
Admin
I've been a frequent visitor since before it was named "worse than failure", and I can confirm that this is a new low.
Admin
Alex, would you mind if part of your screen caps are used in a short article about this, with links back to your content? I wanted to get permission before grabbing something.
Becky
Admin
I can tell you from personal experience (having worked there as a web developer for about a year) that there is some definite incompetence within the OK DOC. BTW, the article fails to point out that George is actually the Director of IT (not that I would expect management to know about things like SQL Injection, etc.).
In Mr. Floyd's defense (not that he's on trial or anything :), from what I saw of him he was working to try to bring some structure to an organization that seemed to lack such things for quite some time from what I could tell.
I worked within a group that wasn't even actually a part of IT and they were working to replace their current Offender Management system. Anyway, it was a freakin' cluster. We had no real requirements to work from.
Basically, we worked off of a prototype that was put together by a couple of guys that told us straight up that they were not programmers. The web pages had SQL all throughout (a project of this size should have been done in layers... if not tiers). Also, the site did not use CSS/ASP.Net Skins/Master Pages so we were constantly changing colors, fonts, etc. of a non-functioning site.
I wanted to say, "Look ladies this isn't Trading Spaces or Home Makeover, etc. Who cares what the pages look like right now? Do I really need to change that font? Does that color really need to be changed when the stupid page doesn't work in the first place? Maybe we should worry about functionality right now".
Actually, I was quite verbal after I had been there for a while and had witnessed some of the incompetence for myself. I did wind up saying it almost that directly... two days later they asked for my resignation :) haha That might have also been brought on by the fact that I mentioned I should call the Fraud, Waste, and Abuse hot-line :) hehe Also, I was told to work from home the day those auditors were in our office :)
Basically, my boss was a former probation officer who had learned the previous system well, and she was a trainer. Someone up above (obviously knowing nothing of software development, etc.) decided she could manage the project. I don't fault my manager for this, as I think she was overwhelmed by all of it, and rightfully so. I was like, "No, that's called a SME (Subject Matter Expert)." When there are experienced managers and PMs and 80% of software development projects go beyond the timeline and budget, what kind of lunatic thinks that a probation officer could manage a software development team?
Anyway, it's late and I'm rambling and probably not making any sense. I could go on and on. Typical government employee ineptitude.
Admin
"... but let's not bother about getting them right":
I know there probably aren't many deep-sea fishermen in Oklahoma, but it's TRAWL, boys. TROLLs, on the other hand... oh, never mind.
Admin
Wow.
You should have sent them a copy of the book Managing Catastrophic Loss of Sensitive Data as a hint...
Admin
I too have first hand knowledge of ODOC since I work/worked there.
The fault for this type of code doesn't belong to Directors or Deputy Directors (even though they don't have a clue). The fact that the IT department let this code out there for so long without any testing shows how incompetent the IT department is. If George, Daniel, or Pat had done their jobs properly, they would never have let this code out into production in the first place. This type of code has been discouraged for years.
Also, you can't be serious about how the IT department has been neglected. When there was a surplus in the budget in 2006, they let Daniel go on a spending spree to buy all new servers and infrastructure equipment (which was needed). They could have done something then to address the issues with OMS that were mentioned in the audit you posted.
There is no excuse for not continually improving your knowledge of your chosen industry. You should at least keep up with reading about new technology and the latest threats. The IT department is to blame for this, plain and simple.
btw, I bet you are either George, Daniel, or Pat
Admin
To those who keep saying "sex offenders deserve to have their identities stolen, they are scum of the earth and so on": Being a sex offender doesn't mean you're a rapist. It could mean you were once caught naked in public. Or in this case, it could mean someone added you by changing the URL. ;-)
Admin
Yes it is a personal view, but why do you say it is uneducated? Are you saying that any educated views should have the same opinion? WTF is "politicised uneducated"
I'm not sure what is complicated about branding someone with a Scarlet Letter?
Admin
In deep-sea fishing for tuna, you drop a line behind the boat and TROLL. You try to solicit a bite. Trawling uses big nets and scoops things up. Two different animals.
Admin
This is atrocious; the person coding it should be sacked, and his boss, and the security person, and their boss!
Admin
You made Schneier's blog too! This is a bigger achievement in my book than Digg and /. ;o)
Admin
I don't think he reads the comments, there's a contact form http://thedailywtf.com/Contact.aspx
Admin
We said that we wouldn’t get involved.
OOPS.
Some of us are still smart enough not to say anything, but the rest of us still feel that there is something worth saying…
Once upon a time, the Oklahoma Department of Corrections, faced with the looming Y2K bug, decided to replace their COBOL-based Offender Management System with a product that they would buy from Syscon Justice Systems of Richmond, British Columbia. The IT department had stated that they could update the existing system, but management was convinced that it could not be done in time.
Ironically enough, as the year 2000 approached, it became obvious that the new OMS would not be ready to go online in time and the IT department was told to "fix the Y2K bug". They succeeded, but that brought no accolades.
The Oklahoma Department Of Corrections spent millions of dollars on hardware, network infrastructure and the aforementioned Syscon software. In the spring of 2000 the system went live, and was immediately met with screams of outrage from the user community. Any time you replace an enterprise system you face user resistance, but the powers that be had created a nightmare situation. The entire user community and most of middle management agency-wide had been alienated. The new OMS would never be popular.
This was not a good time to be working in the IT department at Oklahoma’s Department Of Corrections. Source code was not a part of the deal when DOC bought the new system; DOC was expected to pay Syscon to fix any bugs and make any changes, and the programming staff at DOC would not be allowed to touch the system. Meanwhile, users saw the IT department as a dreadful enemy that had shoved a horrible new system down their throats. The project manager saw the IT staff as incompetents and fools, and treated them as such. Syscon Justice Systems, of course, had no reason to give the IT staff any detailed information about the OMS database. (It was their intellectual property after all.) This made report writing and the construction of ancillary systems problematic at best.
In the spring of 2001 work on the Sex Offender Registry, a federally mandated and funded project, was begun. The rules in place at the time did not allow DOC to hire staff to build the system, so they outsourced the job to a less-than-entirely-legitimate consulting firm. The contract programmer who wrote the SOR had never worked in the development environment that was used. He had no real knowledge of database design or of Internet security. For that matter, the original statement of work for the project does not mention security.
Pre-Y2K, Internet security was (comparatively) in its infancy. We know for a fact that members of the DOC IT staff ASKED about security, but they were told that the issue was none of their business.
The timeline now brings us to the “COMIT” project. Mr. Holmes (comment 190231) appears to have been a part of this project.
This project was born when two malcontents in IT convinced a Deputy Director that the entire IT staff, from the IT director on down, was guilty of criminal malfeasance, corruption and bad manners. Obviously all members of the IT staff (except these two) were criminals, idiots and fools.
They said that that they could write a replacement system in six months time.
These two had NO experience in database design. They had NO experience with the development of enterprise applications. They had several other minor deficiencies, BUT one of them was a Deputy Director’s fishing buddy.
Two years later, when no real progress had been made, the fishing buddy astounded the entire IT staff by asking if the OMS could not be “fixed” or rewritten. The IT department contacted Syscon, who offered to sell an updated version of the source code for the OMS to DOC for a fairly reasonable amount. Unfortunately the Deputy Director went fishing that week and the source code purchase idea was abandoned.
More recently, Syscon offered to license the source code to DOC for $60K per year. This contract would run as long as DOC was using any of the Syscon product. (In effect the contract would run forever.) This offer was rejected, but apparently no effort was made to go back to the outright purchase deal.
Mr. Holmes asks "what kind of lunatic thinks that a probation officer could manage a software development team". The answer to that question is obviously "JUSTIN JONES". It seems that every day one of us hears about "typical government employee ineptitude". That, dear friends, is very tiring. DOC had some very talented programmers and a few people who were a waste of skin; a situation that can be found in most private sector organizations. (Those of us who have years of experience in the private sector are ranting at this point.)
Now we come to anonymously evil's nemesis. (S)he says that the fault doesn't belong to Directors or Deputy Directors.
It was the preference of Directors and Deputy Directors (among others) that the IT staff keep their nasty hands OFF of the SOR – the excuse being that they hadn’t written it in the first place.
(S)he says that "they would have never let this code out in production in the first place".
The fact that Mr. Floyd didn't find out about the security problems until now is not a huge surprise, considering the neglected shop that he walked into. The fact that someone at DOC changed the case of ONE LETTER and called that a security fix is also not a huge surprise, but Mr. Floyd would be well advised to take a hard look at his shop and make sure that nobody does anything that stupid again.
Anonymously evil "can't be serious about how the IT department has been neglected". HA!
DOC spent a fortune on the OMS, and they spent a second and third fortune on PCs and networks. Having spent those fortunes, between 2000 and 2006, financial times were rough. They were rough enough that furloughs were considered imminent. The fact that some fool funded a "spending spree" in 2006 does not obviate the neglect and mishandling that the IT department suffered BEFORE the spree.
We agree that at that time something could have been done to address the issues with OMS. Someone, above the IT manager and the programming staff, decided to spend money on infrastructure. That same someone decided NOT to spend money and/or effort on the very real problems that DOC IT still faces.
Historically, Ed and Justin discounted everyone in the IT department. An IT department that brought DOC out of the Stone Age, and which has more than once earned the trust of the user community, was routinely ignored to support lies and a pipe dream provided by a couple of inexperienced hacks who promised to write an enterprise offender system. It is obvious to those in the know that the fault certainly does belong to Directors and Deputy Directors.
The fix that won’t happen: Management could give the IT department a mandate. They could buy the source code for the OMS. (This should be an outright purchase, not a licensing agreement.) The Sex Offender Registry could be moved into the OMS. The OMS could be rebuilt over a period of time. Security could be made a paramount issue. This would mean that the agency would not be endangered by the problem of non-existent security in the future, as security issues would be addressed up front. This would mean that the user community would be faced with small changes over time instead of struggling through another huge shift in business rules.
It is our humble opinion that buying another canned system is NOT what DOC needs. A slow replacement of a BAD system with a GOOD system - built specifically to fit the needs of Oklahoma's DOC, would cost less and would be worth MUCH more.
It won’t happen, and the Oklahoma Department Of Corrections WILL be sued.
Oh well.
By the way, George, Daniel and Pat are not a part of our group, and we do not believe that any of them are “anonymously evil”.
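The post above mentions that someone at DOC "changed the case of ONE LETTER and called that a security fix" for a roster page whose SQL came in off the URL. The thread does not say what that edit was, so the example below is an added illustration written for this page, not the DOC's or Syscon's code: it assumes a registry table with constructed rows (`sor`, with a `ssn` column) and a hypothetical keyword blocklist standing in for the one-letter fix. It shows the original pattern (user text spliced into the statement), why a blocklist that matches one spelling of a word is no fix (SQL identifiers are case-insensitive, so `SSN` sails past a check for `ssn`), and the parameterized query that actually closes the hole.

```python
import sqlite3

# Added example for this thread, not code from the Oklahoma DOC or the SOR.
# Table, rows and column names are constructed for illustration only.
ROWS = [
    ("Alice Example", "Tulsa", "000-00-0001"),
    ("Bob Example", "Norman", "000-00-0002"),
]


def make_db():
    """In-memory stand-in for the registry table the roster page read from."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sor (name TEXT, city TEXT, ssn TEXT)")
    con.executemany("INSERT INTO sor VALUES (?, ?, ?)", ROWS)
    return con


def vulnerable_roster(con, where_clause):
    """Mimics a roster page that splices text from the URL straight into SQL.

    Whatever arrives in `where_clause` becomes part of the statement, so
    whoever controls the URL controls the query."""
    sql = f"SELECT name, city FROM sor WHERE {where_clause}"
    return con.execute(sql).fetchall()


def keyword_blocklist(where_clause):
    """Hypothetical 'fix' (assumed, not what DOC actually did): reject one
    spelling of a sensitive column name and leave the query-building alone."""
    if "ssn" in where_clause:
        raise ValueError("rejected: sensitive column referenced")
    return where_clause


def filtered_roster(con, where_clause):
    """The vulnerable page with the blocklist bolted on in front of it."""
    return vulnerable_roster(con, keyword_blocklist(where_clause))


def safe_roster(con, city):
    """The real fix: a fixed statement, with the user's value bound as data."""
    sql = "SELECT name, city FROM sor WHERE city = ?"
    return con.execute(sql, (city,)).fetchall()


def demonstrate():
    """Run the three variants against the same payloads and collect results."""
    con = make_db()
    legit = "city = 'Tulsa'"
    # Attacker appends a UNION that pulls the protected column.
    payload_lower = legit + " UNION SELECT name, ssn FROM sor"
    # SQL column names are case-insensitive, so a different spelling of the
    # same column defeats a filter that only knows one of them.
    payload_upper = legit + " UNION SELECT name, SSN FROM sor"

    results = {
        "legit": vulnerable_roster(con, legit),
        "injected": vulnerable_roster(con, payload_lower),
        "filter_blocks_lower": False,
        "filter_bypassed_upper": None,
        # Same injection attempt against the parameterized query: it is just
        # a city name that matches nothing.
        "parameterized": safe_roster(con, "Tulsa' UNION SELECT name, ssn FROM sor --"),
    }
    try:
        filtered_roster(con, payload_lower)
    except ValueError:
        results["filter_blocks_lower"] = True
    results["filter_bypassed_upper"] = filtered_roster(con, payload_upper)
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(key, value)
```

Running it shows the lowercase payload rejected by the blocklist and the uppercase one returning SSNs anyway, while the parameterized version returns an empty result for the same input. The takeaway for anyone reviewing a fix of this kind: if the statement is still assembled from request text, the hole is still there regardless of what the filter in front of it matches.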
Admin
@Eugene Jim Ed Justin and others
I do not believe for one minute that you are the individuals listed, but yet another IT person who wishes to defend his/her department. I would have done the same. The IT department may or may not have been neglected, but as an IT group, you are responsible for the hardware and software that make up the ODOC network. That means auditing everything, whether you created it or not. It's just good quality assurance practice.
The root of the issue that I think we both can agree on is that the deputy directors and the director need to leave the decision-making responsibility for hardware and software to the IT department.
One other issue that we both agree on is that Phil and Larry had no business saying they could do a better job than OMS. They weren't and still aren't formally trained in software development. From what I saw, what they had started before Larry left and Phil was removed from the project was just horrendous.
Admin
You must be too young to have a sense of humor or you would have gotten the joke in their title. I don't want to out them but Darth and Ferris and Frances Lee probably had a hand in that post. Don't try for a move into management until you learn the subtlety of logic. I prefer to have the last word and by guaranteeing that I won't post again I get it. "Toe Pick".
Admin
Isn't there a limit on how much data you can put into the query string? I am not sure if the limit is an HTTP 1.0/1.1 limitation or was a browser limitation, but I thought anything over a certain number of characters would cause problems.
Still, three years, I'd sue the state if I was in that database, that's what trial lawyers live for.
Admin
This is unbelievable... the sor_roster.sql command is still available! Anyone can still break into the DOC's systems that way! Talk about incompetence!
Admin
I did that. When I got to page 30 I got a page from Google saying my query looked like automated software and I had to enter a captcha. Since everything is NATted behind one IP, everyone in the company trying to use Google had to enter a captcha for the next three hours. Whoops.
Admin
..and if you go here http://docapp8.doc.state.ok.us/ you get the Oracle web server welcome page.
Admin
I received notification about this breach of security today. Just today. Though the form letter is dated April 18, 2008, it is postmarked 05/09/2008.
This notification gives the politically correct version of your statement. They are pretty sure a breach happened, that I was included in it and then the definitions and law concerning such an event.
It never says by whom, for what purpose. Who was negligent, what was to be done about it and how that information was presented at that time.
You see, I fall into a rather unique category, whereby my crime does NOT fall into the category of requiring you to register as a sex offender. However, the written words on my records appear to indicate that I should, and during the suspended part of my sentence I was actually required to register. After eight months of being registered as a sex offender and fighting the status legally to no avail, I voluntarily returned to serve my remaining time and was released without the registration requirement.
I have since been arrested by local authorities for failure to register (without incident, but due to a 'sweep' of an area of town I live in), and that charge was dismissed after waiting 54 days in jail for that determination.
So now I get this vague notice that someone who was not supposed to, got some information that was not supposed to be made public and did what with it I don't know.
I have had a hard enough time dealing with the public information that is misleading, yet publicly available. I can only imagine what could be taking place with information that was legally supposed to have been protected.
Admin
I am on the Oklahoma registry, and got this in the mail today (May 12) from the Oklahoma DOC:
April 18, 2008 NOTICE According to Oklahoma law, a state agency owning computerized data that contains personal information must inform any Oklahoma resident when there is reasonable basis to believe that such personal information may have been acquired by an unauthorized person. The Oklahoma Department of Corrections has a reasonable basis to believe that your personal information may have been acquired by an unauthorized person on or about April 10, 2008.
The law defines "breach of the security of the system" as unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the state agency, board, commission or other unit or subdivision of state government.
"Personal information" means the first name or first initial and last name of an individual in combination with any one or more of the following data elements: social security number, driver license number, or account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to the financial account of an individual.
This notice is provided in compliance with 74 O.S. § 3113.1. Please be advised that the agency is working diligently to prevent further security breaches. If you have questions, please go to www.doc.state.ok.us and access the appropriate link.
They're "working diligently" to prevent further security breaches... gee, I feel safer already :rolleyes:
Admin
My name is Matthew Tang Brandolino and I'm very supportive of new SSN codes. Please respond back.
Admin
My name is Matthew Brandolino and I'm very hard to relax, so please respond to me back. Thanks, Matthew
Admin
It's the government. Of COURSE that's where the fault lies.
Little guys screw up. Managers point fingers. Government managers never point at each other.
NASA blows up a billion and a half dollars. Does anyone high up lose their jobs? Is a bear Catholic?
AIG screws up. CEO steps down. Now find me an example where a government agency screwed up, and the director stepped down. No, Fannie Mae is not a government agency, it's like the Post Office.
Admin
Ha, that is nothing compared to this: http://hep.fi.infn.it/LHCb/fichambers/utiquery.php
Admin
Page 29 chastises their inadequate IT resources as well.
Admin
... Back in '99 through approximately 2006, you used to be able to sign into their site, after you downloaded their client program, with the simple username and password of "test" / "test"... and could access/add/change inmate records... think about THAT...
Admin
Yes... use password and username "test"... and you have access...
Admin
There are other ways of getting Oklahomans' SSNs through the oscn.net website. It might take a little bit more work than you had to do, but there are still convicted criminals' SSNs available for the public eye to see. All you need is a simple first or last name and to look through their dockets.
Admin
Interesting.
Admin
thanks for info