Admin
Oh I hope he called you on a cell phone, and it was auto dialed. If a computer dials your cell for solicitation reasons, that operator owes you $500.
Admin
I love how you didn't even bother anonymizing it.
Admin
Is it a smart idea to admit, on a site as popular as this no less, to bypassing a website's security (yes, even that POS implementation is security)? People have been sent to Gitmo, or to Uzbek torturing chambers, for a lot less.
Admin
I love that the site is still the same.
Admin
These guys called and gave me a similar sales pitch - didn't want to tell the price until after they had my card number. Not a good sign. I wrote it off as just another scam and didn't think any further.
It seems that even after chastising you for hacking their site, they haven't done anything about it - the same username and password still work. Hurrah for "secure" websites!
Admin
Anyone who publishes a web page should have some clue that the underlying source (especially jscript) is visible to all who know to look for it. If they are stupid enough to put a username/password in something that is essentially publicly viewable, then they don't get to bitch that the public views, then uses this information. If they don't want you to use it, they should not make it accessible.
Admin
All very nice in principle, but the (technical) idiots are in charge, so you'll find the wording makes it illegal to bypass measures INTENDED to keep you out, whether or not they are laughably inadequate.
Captcha: appellatio (is that like sucking off a fruit?)
Admin
Oh well, I hear Cuba is lovely this time of year. Uzbekistan not so much.
Admin
Did that guy who cracked the iPhone go to jail?
No.
Admin
Surprised nobody has commented on the real WTF:
It doesn't matter that the username/password are in the page source, because the "SECURE" page isn't.
You don't need the username/password if you have the URL to the page; it opens right up.
Admin
Indeed. In fact, this WTF is like one of those super-interactive alternate reality games, y'know.
SECURE Federal stuff ftw!
Admin
That is a very frequent scam, just next to "Nigerian Connection" - the one where some Nigerian officials ask you for help transferring huge amounts of money.
They ask you for a credit card number and fax a document, where you agree not only to pay an insane amount of money for being listed on a sheet of paper in somebody's drawer, but in very tiny letters you also agree to be charged yearly.
You can decline, of course, by sending a notice to an address that is invalid (surprisingly). Of course, since you cannot deliver the decline notice, they shall charge you next year...
Admin
The real WTF is the hopelessly confusing indentation in the javascript.
Admin
From the list below, select the product(s) that you are searching for to obtain information on small businesses located in your selected area
10.) Weapons <-- first choice
Admin
FWIW, I've just added their secure page into Google. Maybe those poor sods who shelled out for listing will finally get a call from some prospective client.
Admin
Now THAT'S some l33t h4x0ring!
Edit: The Page.Title of the "secure" web page even says "SECURE" (caps included). That made me rofl.
Admin
This'll get deleted again as soon as you see it, but you have made yet another mistake:
"a deluge of companies somehow manage to find to out"
Do you actually read what you're about to post?
Admin
Hmm, most of the secret stuff is already in at this moment. Check http://www.google.com/search?q=site%3Aofficers.federalsuppliers.com I don't know whether Google indexes so blazingly fast or if someone else was faster than me. Or perhaps, FSG linked to their secret pages somewhere else on the site... (playing with link: and site: is left as an exercise for the reader).
Admin
Awesome. Reminds me of when my mom fell for the Who's Who crap in the early 90s when I was in high school. I'm embarrassed that I'm in it.
Admin
And don't forget the fine-print also says you agree not to request a charge-back from your credit card company, punishable by a sizable fine paid to the scammer (who has your cc#).
Admin
The real-world analog of this is like putting a locked door in the park without any wall or fence attached, not even a landmark.
The trick here is that the "confidential" site is not protected and is accessible without any need for user validation. You don't even have to use the username and password. Literally you can open it just by opening the URL. I won't be surprised if the page could be found in Google cache too. There are precedents where companies have left private data in publicly accessible places and this data has been accidentally found by users and copied. One such case is described in the "Hacking Democracy" HBO documentary.
Please notice that the article author doesn't say he has used the password to enter the site, so he is safe.
Admin
seems to work, they're hiring! http://www.pr.com/job/3441945
Admin
Wow. This is an amazing opportunity. Please give me the phone number so I can sign up. Government agencies spend A LOT of money!
Admin
Hah, I just hacked their site too! I am so awesome.
Admin
Can someone in the US call their toll free customer support and request a password reset? Then when we "hack" the site again someone else can call.
These people need as much hassle as we can give them.
Admin
He lied... he didn't hack the site. He just did a google search on: site:federalsuppliers.com http://www.google.com/search?q=site%3Afederalsuppliers.com&btnG=Search
(hey... why is there a red star next to the "Your Name" field? There's nothing on this page that says what it means.)
Admin
Haha, I just had to see for myself. Hilarious..
Admin
My new business plan:
Admin
To complete the analogy... They put a sticky note next to the doorknob telling you the key is under the mat.
I think it would be good if the people listed on all those pages were somehow contacted and pointed back to this site. I'm sure most of them are oblivious to the fact that they have been scammed.
Admin
It's probably already been said, but as of 29 Feb 2008, you can just put http://officers.federalsuppliers.com/agents.html in your browser and skip the "secure login" entirely.
Security through (weak) obscurity. Genius!
Admin
I found another WTF (at least on IE7). If you start from the home page and click on the "Agents" link, the "Federal Regulations" tab on the menu bar splits into two tabs. It doesn't even split on the whitespace but on the R and E in regulations.
Nice!
Admin
You're making a few assumptions here, aren't you?
You're assuming that the salesperp gives a shit and will pass the info on. (Actually, you're even assuming that the salesperp has the slightest idea of what Alex is talking about.) This never happens.
You're assuming that the boiler-room scam in question has any sort of IT staff whatsoever (down to and not excluding a janitor with basic Front Page skillz). This never happens.
You're assuming that, in lieu of that, they've employed a smart(ish) fourteen year old, payable in M&Ms and/or porn, to produce this cute little snippet. Well, this probably does happen, and more than we'd care to think. Unfortunately, school vacation is over.
The alternative is outsourcing, and I await the usual torrent of whines with trepidation. A fix would still be twelve hours away, though. And we'd all like to see it go through QA before being deployed on production, wouldn't we?
Admin
Actually I think it'd be more like a sign saying "There is no key under the mat that unlocks this door!"
Admin
Like the fact that you can go straight to the URL too (hidden inside the if), not only are the password and username there for all to see.
Admin
That's the first thing I did ...
http://officers.federalsuppliers.com/agents.html
Admin
I would be surprised and utterly disappointed if that crappy site would be considered to be "protected" and if their accusation of hacking would be legally viable. All HTML, CSS and Javascript on the web is visible by definition. Nobody is guilty of peeking at page source. What WTF developers expose to the client, they do at their own risk. This doesn't even qualify as obfuscation. The URL is visible and no authentication whatsoever is required to access its contents. There is only a false security facade. Their claim of SECURITY is a blatant lie and their customers should do something about it. WTF !!!!!!
Admin
ROFLMAOSOAOIJNLOL!!!! Ahhh... that site's so secure that nobody accesses it except hackers!
Admin
Yep, it's not even a secure site--no user id, no password, no lock symbol in the IE browser. I'd hate to have spies waltzing in there and stealing a list of vendors. Of course, they could just use Google like everyone else.
Admin
Everyone is missing the real WTF.
That page uses frames.
Admin
So, the real WTF is that no government purchasing agent is going to search the web for sales leads. They are going to call the guy they met at some trade show or the guy who has a relationship with the purchasing agent.
Admin
The sad part is you needn't add your company to Central Contractor Registration for these calls. I field one or two a month and I'm just a lowly video rental store!
Admin
Well, it's hard to have a rational conversation about this since neither of us can be fagged to go and find the wording of the law. But if the law says "thou shalt not circumvent security measures" and someone leaves their door wide open and leaves a post-it on the mat saying "security measure -- do not enter" and you enter, then you're bypassing the security measure.
The poster does mention opening the source of the page, and displaying the password. So the moron^H^H^H^H^H tabloid press in this country at least would have no problem saying that he "hacked the internet codes" to gain access, and most low-level magistrates wouldn't find it hard to interpret that as a culpable act.
http://taosecurity.blogspot.com/2008/01/is-jerome-kerviel-hacking.html
Admin
I randomly clicked their listings as follows:
region 6 > california > live animals
and learned that I could obtain a "far-infrared sauna."
for all of the times I have visited the zoo I have never encountered one of these. . . Sounds exotic.
Admin
Yes, that makes up for any javascript vulnerabilities because frames securely mediate, by design. Secure multi-mediation is the future of all webbing.
Admin
Damn, they just re-secured it by changing the jscript to:
<script language="javascript">
<!--//
/* This Script allows people to enter by using a form that asks for a UserID and Password */
function pasuser(form) {
    if (form.id.value == "Agent") {
        if (form.pass.value == "fsg2008") {
            location = "http://officers.federalsuppliers.com/agents.html"
        } else {
            alert("Invalid Password")
        }
    } else {
        alert("Invalid UserID")
    }
}
//-->
</script>
That's really unhackable.
Admin
In the UK, the Computer Misuse Act is pretty blanket. I just have to do something that's not authorised.
http://www.england-legislation.hmso.gov.uk/acts/acts1990/ukpga_19900018_en_1#pb1-l1g1
If Alex decides I'm not authorised to post comments here then I'm already transgressing.
Admin
Thanks! These guys called me and I was considering paying them! You really helped out business owners and stuck it to the hucksters with this. Thanks again!
Admin