• Truth (unregistered)

    I believe that I may be just a bit senile in my mid-late teen age, but if this is some super secret private information that no one should have unless given, it should be secured better. A lot better. Who would be as dumb as to use a redirect log-in form, let alone call it "secure?" I'm currently debating whether to log-in or not based on the I-don't-want-an-idiot-judge-to-label-me-a-hacker thing.

  • Thomas (unregistered)

    I'm curious with regards to the Computer Misuse Act. Suppose I create a web page with textboxes labeled for username and password and lower down the page I show the username and password. In addition, I write something on the page about not entering if you are not authorized. If I login, am I breaking the law? If so, then why have the login at all? Why not simply say something to the effect of "If you click this link and are not authorized, you are breaking the law." Why even bother with the login?

  • Agamous Child (unregistered)

    A little more digging, and it looks like they have multiple security problems, from their online invoice payment system, to their open mailer forms for everything from applying for a job to uploading documents for printing.

    They opened themselves up for this by cold-calling.

  • dude, Man, braa (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Umm ....So Let me get this straight. You are mad because you and your wife work at a company that can't secure its own website. I suppose if you can't secure your website you can... oh I don't know ...../sarcasm Secure the personal data of all your clients /sarcasm Right. I mean its no big deal just change a plain text password and hey no one has to live with Identity theft. Here while I am at it let me sign you up at freecreditreports.com and lifelock so that way your children and wife don't have to starve to death in the coming months. In fact I know so much about yet another anonymous user that I will change the password again and present idle brainless threats that I can't back up, because hey I can secure my website with a Frackin If Then Else Statement. I am God . . . . . . .

  • Mike (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Ok, calm down. First, nobody did any hacking. If you know how to write simple code for password protecting a site, in which both the username and password or site itself is obtainable independent of each other, then you have to be prepared to expect that other might know how to read code to. Heck, I never "hacked" a thing in my life and nor do I know html and I could have got the username and password.

    Second, the author of this blog wanted solid info before investing that much money and you just didn't want to give it to him. He was curious, went to your website (which is free and legal to visit), looked at the html code for it (which is free and legal and unavoidable) and found a direct link, let alone the password. No harm done, chill out, I mean, it's only on the front page of Digg, how bad could it be?


  • Jack (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    You sir, are an idiot. A 2 year old could check the site's source code to get its password and a 4 year old can code a more secured site..

  • SaintAndre (unregistered)

    If they really are putting up a huge database of contact info for government contractors, and the best security they can come up with is subverted by reading the page source...

    ...wouldn't that make them guilty of (at best) gross negligence, and (at worst)...treason?

  • George W. Bush (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Don't worry, we got your info too Jim Sprecher. I'll make sure to nominate you for e-idiot of the century awards.

  • ha (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    sorry, but looking at the source code of a web page is not "hacking".

  • (cs)

    This ought to do it:

    function pasuser(form) {
  • (cs)

    You know, my company's site actually got hax0red once (phpbb vuln, turned out our managed hosting wasn't managed quite well enough). It was a deface, standard thing, "pwnt by superhaxors!" or whatever... and it had a link to their IRC channel.

    Did I go on their channel threatening to sue them and berating them for destroying my company?

    No. I did not. I said, "Hey, I'm from blahblah.com; looks like you guys found a vuln. Anybody know who did it?" and they said, "Oh, yeah, it was Joe. Hey, Joe!"

    So I chatted with Joe a bit, he told me about the method used for the deface, gave me some suggestions, and I tipped my hat and went on my way, older and wiser.

    It appears, however, that this is not part of the strategy employed by the business in question. I wish them luck with their chosen alternative.

  • Mania (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    So... if a website had this button:


    Would clicking it count as hacking?

  • (cs) in reply to Mania
    So... if a website had this button:


    Would clicking it count as hacking?

    Fixed that for ya.

  • bwahahaha (unregistered)

    Nice. But, they seemed to removed most of their content. Luckily, Google's cache still has a lot of it: http://www.google.com/search?q=site:federalsuppliers.com

  • gollum (unregistered) in reply to Sys

    This could possibly be the most advertising this site has ever received.....

  • GB (unregistered) in reply to Richard Sargent
    Richard Sargent:
    My captcha code was already in the IE drop list of previously used text strings. How secure is that?!?!

    Captcha is merely a spam filter, doesn't qualify as "security". For some websites with low traffic, an even more elemental captcha system (yes, showing the word as text! maybe with some naive HTML obfuscation!) is enough. It stops spamming bots that target any form with textarea + submit button. There is a difference between "security breach" and "annoyance".

  • (cs) in reply to Logic Man
    Logic Man:
    3. "I am proud to work here and help small businesses obtain government work". This would be ... Red herring? Flat out irrelevant?

    Pre-emptive denial. "We're not rip-off artists, really we aren't!"

    So it looks like some 198 web sites are running on that IP address - including quite a few sex sites - one wonders what kind of legit business would be piled in on a server like that.

    I bet it is indeed an amusing list, but how do you actually get it? (Yeah, this is a gap in my knowledge, I'm an application software guy, sue me.) At a guess, the answer to your question is merely "a cheap one".

    Also, this thread has got to be setting all kinds of records for number of users posting essentially redundant responses because they hit the whine from Father of Four and just couldn't wait any longer. No doubt this will convince FoF and Lucy beyond a shadow of a doubt that we are, in fact, a Huge Shadow Conspiracy bent on their utter destruction. Hee.

  • Jack (unregistered)

    wow...just wow.

    is this what happens when the nephew of one of the manager's who is "really good at that internet thing' is allowed to design a website?

    I'm sure the guy who wrote "Writing Secure Code" just threw his hands in the air and said "I quit.'

  • bahaha (unregistered) in reply to Sys

    roflmao great find.

  • nmn (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    That 'security' is a FUCKING JOKE. You suck and all of the programmers who passed that by do too. This isn't hacking by any means. The password is encoded in plain text on files sent to the client. The password protection needs to be server-side.

    Don't complain if people get around your security when it sucks so bad that its done on the client-side.

  • Smash (unregistered)

    TRWTF is definitely the huge amount of "in reply to 180051" to tell that guy how pathetic is their security. I guess most people here are failing their Spot Checks, because this has got to be a troll! Nobody is that stupid ( <10 INT? ) and can still put a couple words together. Or maybe there's a mbuttive failure on sarcasm detectors everywhere except for a few?

    I almost hope that post was true, cause it granted us some great laughs.

  • Kelli (unregistered)

    How incredibly pathetic. This isn't even "hacking." Hacking would imply that there was something secure there to be bypassed. This is the most amazingly inept piece of coding I've seen in a long time.

    Thanks for the laugh. :)

  • anon (unregistered) in reply to Sys

    man... it does make you wonder though.. how people can be so clueless and yet walk talk and interact like regular people... It makes me wonder if the person actually thinks that their legal threats hold any water.. ironically.. i bet he got your number from a similar such list... I bet the people within the system get passed around regularly as viable targets..... I hope you saved the list... If there is any truth to the list being useless i'm sure every single person on that list would appreciate being contacted... If the product is legitimate... no problem... If not... well.... I guess at the very least they should be informed that their data has been compromised by lax security measures.... who knows how many times before you too....

  • (cs) in reply to Grandpa
    Hey FSG, I have a question for you:

    Three players enter a room and a red or blue hat is placed on each person's head. The color of each hat is determined by a coin toss, with the outcome of one coin toss having no effect on the others. Each person can see the other players' hats but not his own.

    No communication of any sort is allowed, except for an initial strategy session before the game begins. Once they have had a chance to look at the other hats, the players must simultaneously guess the color of their own hats or pass. The group shares a hypothetical $3 million prize if at least one player guesses correctly and no players guess incorrectly.

    What strategy would you use?

    Is right-clicking your hat allowed?

    /50%!!!1!! //75%

  • Anon (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    What you don't understand is that your business pretty much got on the front page of Digg.com, so you should be happy about all that exposure. Not really slander IMO.

  • littlefire (unregistered)

    So the next level of security will probably be to disable right-click using Javascript so that you can't view page source. Oh wait. Brain explodes Ctrl+U in Firefox isn't a right-click is it? :P

  • Ha (unregistered) in reply to Sys

    Yeah but the site is offline when you click login

    I suppose they should try something besides Javascript lol

  • (cs)

    Here's a bit of gold from the Digg discussion. Let's fire up that eeeeeeeeeeeeeevil hacker tool known as View Source and look at their 404 page - y'know, the generic Apache thing? Well, not quite so generic:

    <!-- - Unfortunately, Microsoft has added a clever new - "feature" to Internet Explorer. If the text of - an error's message is "too small", specifically - less than 512 bytes, Internet Explorer returns - its own error message. You can turn that off, - but it's pretty tricky to find switch called - "smart error messages". That means, of course, - that short error messages are censored by default. - IIS always returns error messages that are long - enough to make Internet Explorer happy. The - workaround is pretty simple: pad the error - message with a big comment like this to push it - over the five hundred and twelve bytes minimum. - Of course, that's exactly what you're reading - right now. -->
  • Better Fu Than U. (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.

    You my friend are being foolish. Looking at the page/script source provided to the client side it not hacking. Coping and pasting a URL from said source is not hacking.

    Using a script the way this site is doing is stupidity. If this site is associated with the government then the web designer and web server administrator should be fired because it is evident their knowledge of web sites is poor at best.

    Thank You.

  • Dustin (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    If you cared that much you wouldn't be in business with a site that made their password obvious in js

  • Lisa needs Braces (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Stop with the copypasta, learn php or find a competent coder.

  • Bill Vincent (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Then why did the other "clients' spoken to report "no leads" from your expensive listing? Nice story, but sounds more like a weak scam. And the security isn't "not up to standards" there isn't any security at all! The login and password is right there in the code!

  • Scott (unregistered) in reply to Steve

    Well they tried to fix it again:

    <script language="javascript"> <!--// /*This Script allows people to enter by using a form that asks for a UserID and Password*/ function pasuser(form) { if (form.id.value=="zzzzzz") { if (form.pass.value=="fffxxx") { location="http://officers.federalsuppliers.com/agents.html" } else { alert("Invalid Password") } } else { alert("Invalid UserID") } } //--> </script>
  • (cs) in reply to emurphy
    <!-- - Unfortunately, Microsoft has added a clever new - "feature" to Internet Explorer. If the text of (etc.) </div></BLOCKQUOTE> <p>Credit where credit is due: Digg user Logistics1 gets the props for pointing out the 404 bit. And reflex768 also nails TRWTF:</p> <BLOCKQUOTE class="Quote"><div> >"FSG Rep: Wait-wait-wait... clients? You called our clients? How did you--" <p>Telling. A rep for a good company, which supplies a good service for their clients, smiles when they hear their target customer has spoken to their clients. A scammer is horrified, as this one clearly was.</p> </div></BLOCKQUOTE>
  • Serious Business Customer Support (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Our standards are quite a bit lighter than any real standards. Your site doesn't follow even the most trivial security recommendations from the National Institute of Standards and Technology (NIST), which ideally any government site (or site hoping to work closely with government agencies) should follow. You may be real (I personally don't care enough to follow up), but if your website is any indication of your professionalism your actions border on criminal negligence and I seriously doubt anyone in your company is a "good" at what they do. You may have four children whom you love (good for you), but you are the sort of stupid that actively makes the world a worse place.

    In closing, I hope you die of cancer.

  • incredulous (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    4 children? Your genes are so great you decided to procreate four times?!?

  • Zaz (unregistered) in reply to Sys

    Can it be considered hacking if the source code is public and viewable in a web browser? Really, come on. This is too funny.

  • Contra (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    In truth, it's only slander to the web admins. Would you invest thousands and give lots of information to a company that runs a website with copy and pasted script?

  • Anon (unregistered) in reply to Sys

    After you enter the login, its a blank page.

  • l33t_haxor (unregistered) in reply to Sys

    here's the new page: http://www.federalsuppliers.com/warning.html

    same username and password, but it goes back to that broken page

  • English Grammar God (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    I used to secure my angelfire website like this in 1999! This is serious business!

    "...you should of protected..." This sort of complete grammatical ignorance make me die a little bit inside.

  • Alex (unregistered) in reply to Sys

    hahaha this is hilarious.

    I didn't realize internet browsers could hack sites so easily! LOL

    Don't even have to phish or anything! Just right click and read!

  • anonymous (unregistered)

    I guess someone never learned how to use an .htaccess file.

  • Jefah (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Are you for real?

    I'm no hacker, but even I know the old "View Source" trick. These people were doing you a favour by informing you just how UTTERLY INSECURE your website was, rather than it being discovered by someone with more sinister intentions.

    What that guy did to get past the password involved about two clicks. A 10 year old could've gotten into that "password protected" section of your site with no real "ZOMG HACKER!" knowledge whatsoever. Time for a security update, me thinks?

  • Herbiestone (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT
    thank you hackers for trying to destroy federal suppliers guides reputation
    Ah, but if anyone is tarnishing your reputation its just yourself. Looking at the source of a web page might be something not anyone everyone knows about, but it is pretty common among web-designers to look to see how a page is build. It is legit too.

    Sending the valid name and password in clear-text to everyone who visits the page in question is what I call willful neglect. And it doesn't stop there, you also give away the URL you will go to after entering the right name & password. I bet anyone who knows how to use google could find out about that 'hidden' page too.

    So now instead of shouting "hackers!" you should be glad someone helped you finding out about your complete lack of security and fix it. ASAP!

    "No, now go away or I shall taunt you a second time." If I may quote Monty Python's Holy Grail here...

  • T. (unregistered) in reply to Sys

    Too incompetent to be true. If this is not a bad joke then a bunch of people should get fired immediately there.

    Throwing highly secret login credentials unasked at every person available - naughty boy if you use them, no? Oh, you don't even HAVE to use them, just follow the the target link (still off-line) - is this then still hacking the site?

    <bang head to table>
  • Odas kane (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    If your tech depart. wasn't incompetent it would be a problem. I wonder how many other US departments are unsecured and incompetent? "wasn't protected" yep that sums it up. ass.

  • sigh (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    i believe you are a legitimate individual working under a perfectly legitimate organization, and so i am writing this under the hopes that you will understand that if you attempt to undertake legal action under the concerns of being "Slandered" you will fail. miserably. look up the word slander, reread this post and realize that. knowing how expensive lawyers are, i would imagine that that venture would actually waste more resources on NOTHING, rather than salvage the situation. what this individual has done is point out how insecure your system is. please invest in one that isn't insecure. your source code is public and that is the reason why we can see the login details requested. there is no hacking involved. it is clear that the person you hired to do your website took advantage of your naivety and skipped the proper work to create a back-end appropriate for a "SECURE" system. if this individual is still in your company, FIRE HIM. there are many websites on the internet that teach you how to create the most SIMPLE login system that encrypts and decrypts shit. here is a short overview of what SECURITY on the internet means: http://www.eioba.com/a69760/secure_website_login_programming_with_php_mysql i hope this helps you. best of luck.

  • monkey (unregistered) in reply to Sys

    Considering they appear to be running a scam, naw.

  • Richard (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    So never mind that the idiot who "secured" the agents page has potentially put the privacy of your clients at risk. "Wasn't protected to your standards"? It wasn't protected to ANY even remotely decent standard! If you want to thank someone for putting the company at risk, "thank" (i.e. "fire") the utter halfwit who "secured" that page, and GENUINELY thank the person who discovered and exposed that little loophole. If it gets fixed, at least something good will have come of it. Hey, if you want ME to fix it, I'll rewrite the whole damn database for the low low price of $65 an hour. And guess what! It'll be secure. Not quote-unquote "secure" wink wink, it'll be ACTUALLY SECURE.

    And seriously..... it doesn't take a hacker to view source on a web page and get the password when the security is THAT bad. Honestly, my mother could have achieved it with minimal guidance.

Leave a comment on “So You Hacked Our Site!?”

Log In or post as a guest

Replying to comment #:

« Return to Article