• David (unregistered) in reply to frosty

    Shame on TDWTF, blah, blah, blah...yakkity something other.

    If the TDWTF is going to point out a multinational conglomerate's mistakes (Marlboro.com's bjorked landing page) http://thedailywtf.com/Articles/Redirection_with_Smoke_And__0x2e__0x2e__0x2e__Smoking_0x3f_.aspx

    Why would it not point out this little company's Web 0.5 alpha site's high-tech security mechanism? Ignorance is not an exception or an excuse when running any sort of business.

    Also, I take some sort of pride in what I do (dev., DBA, sysop) and I come to this site to learn and relax. This article goes under the relax section as it's possibly the funniest *cking thing I've read in a while; excuse me if I've got a sadistic streak in me, but that's a mandatory trait for server administrators.

  • (cs) in reply to sigh
    sigh:
    ...if you attempt to undertake legal action under the concerns of being "Slandered" you will fail.

    Another reason for the failure of a slander suit: all the comments are in writing, so it's not slander, it's libel.

    But, of course, it's not libel to point out the facts. So that would fail, too.

  • anonymous (unregistered) in reply to Sys

    Looks like they went further and removed the agents.html page as well.

    Some businesses crack me up :)

  • OMG (unregistered)

    LMAO!

  • Blue Nova (unregistered)

    It seems they have removed the page http://officers.federalsuppliers.com/agents.html. I'm worried about the amount of companies getting sucked into this ever-growing number of advertising scams.

  • Eggbert Nobacon (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    thank you hackers for trying to destroy federal suppliers guides reputation.

    LOL, I hope this was a joke post by someone. If not, these people are way too dumb to be let anywhere near a computer.

  • Tom (unregistered) in reply to Sys

    This is pure insanity... It's been a day, this has gotten onto Digg, and yet they haven't fixed it. I certainly hope they don't have any sensitive information on that "Agents" site because now most everybody else has it now, too. I stopped looking for this exploit years ago because I didn't think anyone was dumb enough to still use it...

  • B3 (unregistered) in reply to Sys

    Hope you're joking. At least these guys are telling you about it. This in the wrong hands can damage more! Secure it?

  • Chris H (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    I love the post by the FS Guide Customer Support. We're apparently still hacking their site. Shame on all of us. Not

  • Jim (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    http://209.85.173.104/search?q=cache:abwbU5b-fmIJ:officers.federalsuppliers.com/q/q_in.htm+site:federalsuppliers.com+federalsuppliers.com&hl=en&ct=clnk&cd=79

    Here is a Google Cache of one of their agent pages. This is what you get when you pay your neighbour's teenage nephew a couple bucks to make your website for you.

  • tom Termini (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Wha wha. Wipe the tears - if you are providing a valuable service to the federal government, you should at least follow NIST's security guidelines. You should be kissing this guy's *ss for finding the simple breach in your "security" -- what would a bunch of Chinese or Russian dudes do? I am sure they would be as helpful. While getting you a visit from the Department of Homeland Security.

    Sheesh. Ingrate.

  • Chris H (unregistered)

    Oh and here's an even worse site. They actually give you the code to get in to the site right above the box you type it in to.

    http://www.sdasa.asn.au/mem.htm

  • Pipis (unregistered) in reply to Steve

    ROFL! Will someone please call them and explain that they are not securing anything this way..

  • shmatt (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    blah blah blah blah sounds more like you're a crook. Why haven't your "clients" gotten a single call? get a real job.

  • AA (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    just curious on how you found this article?

  • person (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Are you saying that someone considers this "secure"? I learned the problem with this type of "security" when I was maybe 10 years old and started learning HTML.

    I'd say one of the first steps to creating a secure website is DON'T PUT YOUR DAMN PASSWORD AND USERNAME RIGHT IN THE TEXT OF THE SITE. Anyone who has a Web browser can look at that password - if you have Firefox you can go to "View" then click "Page Source" to look at the page's code.

  • Andy (unregistered)

    This is really and truly sad. I mean REALLY REALLY sad. Words cannot describe my feelings when faced with sheer ignorance like this.

  • Fant (unregistered) in reply to stephane
    stephane:
    seems to work, they're hiring! http://www.pr.com/job/3441945

    Education Level College Degree Salary Range 7,000 USD per year Category Sales Job Type Employee, Full Time

    Impressive. Challenge: how to make a living in Florida on $7k/year.

  • F U C K Y O U (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Fuck You.

  • Mark (unregistered)

    That is all.

    BRILLIANT!!

  • Andy (unregistered) in reply to RogL

    Very true.

    Not to mention that page has probably been crawled thousands and thousands of times by the various search engines (since you can get right to it by typing in the URI)... so if you look at any search engine you are bound to find the contents of that page.

  • Dekker3D (unregistered) in reply to Sys

    Ye gods, this is lame. I just checked, it's still exactly the same except that the target page (still linked) got taken down. So now, nobody can log in, but everyone can see the password. o_O

  • s3rioshxr (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Instead of bitching, how about fixing your shite security? How do you expect anyone to take your company seriously when you can't secure your public-facing website? What's to say that you don't leave the keys to the safe hanging on the outside door? How are people supposed to trust you with the details they give you? Account numbers? With that security? You are joking, right?

  • RiLo (unregistered)

    And how about this gem on their site:

    <FORM ACTION="http://64.58.216.181/cgi-ipad/polyform.exe/federal1" METHOD="POST">
      <INPUT TYPE=HIDDEN NAME="recipient" VALUE="[email protected]">
      <INPUT TYPE=HIDDEN NAME="recipientbcc" VALUE="[email protected]">
      <INPUT TYPE=HIDDEN NAME="required">
      <INPUT TYPE=HIDDEN NAME="subject" VALUE="Form Response">
      <INPUT TYPE=HIDDEN NAME="redirect" VALUE="http://www.federalsuppliers.com/thanks.html">
      <INPUT TYPE=HIDDEN NAME="sort" VALUE="order:company,address,city&amp;state,telephone,fax,email,decision_maker,business_type,employees,sales,referred?,referred_by"></td>
    

    Nice, a little Perl script would do to abuse it to send spam around on their account (see the recipient address in the hidden input field).

  • Thomas (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Thank you hackers for trying to destroy Federal Truckers reputation.

    I have been a Trucker here with my wife for 10 years now and have helped hundreds of clients receive federal government goods. I have 4 children and though you don't care, you are hurting the feelings of many good employees and customers by your immature actions.

    Sorry our trucks aren't maintained to your standards, we drink 'n drive all the time, and we all drive without a valid driver's license, however all of you are being reported to the appropriate authorities as we have your information too.

    You should have protected your info a little better. Not only is the company legit we actually have held a 5 year GSA contract with the federal government and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them.

    I am proud to work here and help small businesses obtain government supplies. If you're not interested in government supplies or our services of helping small businesses receive federal goods, fine, but please don't slander the company.

    It's rude, your comments are not truthful, we are not a scam and I hope someday you realize that all you have to do is check us out with Dun & Bradstreet or GSA or the Florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hard copy guides and the online directory as well.

    So yeah, DIE IN A FIRE!!!!!!!!!

  • ychaouche (unregistered)

    Un-be-lie-vable !!!!

  • Hillbilly Geek (unregistered)

    It's a fine old tradition: charge people hundreds of dollars for something they can google themselves in 5 ms. It's not a scam, though: it's a stupid tax

  • really? (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    really?

    Registration provider: MateMedia, Inc.

    Registrant: Jim Sprecher, [email protected], PO Box 1735, Oldsmar, FL 34677, US, +1.8139250195 (FAX)

    Administrative: Countryside Publishing Company Inc., [email protected], 3135 SR 580 Suite 6, Safety Harbor, FL 34695, US, +1.7277263400 (FAX)

    Billing: Countryside Publishing Company Inc., [email protected], 3135 SR 580 Suite 6, Safety Harbor, FL 34695, US, +1.7277263400 (FAX)

    Technical: Countryside Publishing Company Inc., [email protected], 3135 SR 580 Suite 6, Safety Harbor, FL 34695, US, +1.7277263400 (FAX)

    Record created on May 18, 1997 Record last updated on November 13, 2006 Record expires on May 19, 2008

    Domain Name Servers: NS.RACKSPACE.COM NS2.RACKSPACE.COM

  • Ed (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    If the site referred to in this article is purported to be "secure" by your company's standards, then I would have to say that any damage to the reputation of "Federal Suppliers Guide", from a technical perspective, is most certainly warranted. In addition, the fact that the author attempted to alert your company to the security shortfall prior to publishing is inline with standard practices - whenever someone finds a flaw in software or websites, the first person they advise is the system owner and then, if they refuse to take adequate action, they alert the public so they do not expose themselves to the associated risks.

    Regardless of whether your company does or does not conduct itself in good faith or with real returns to your advertisers (who the author appears to have made reasonable effort to contact and survey) the root of the problem is that your website is critically flawed and needs to be seen to by a professional who can apply industry-level security to the system.

  • bob (unregistered)

    Can still check out the google cache of most of the 'secure' area - try googling site:officers.federalsuppliers.com

    or going to:

    http://www.google.co.uk/search?q=site:officers.federalsuppliers.com/&hl=en&safe=off&rlz=1T4GZAZ_en-GBGB248GB248&start=10&sa=N

  • steve (unregistered) in reply to Steve

    I would say the best site to learn about hacking is http://www.opentopix.com, also found in the search bar.

  • anon. (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Well, maybe if you employed someone with an ounce of computer securityness about them then this would have never come about! It's not hacking; the password is in plain text in the source code of the website! N00bs!

  • C_Boo (unregistered)

    Beating a dead horse...

    A google search for www.federalsuppliers.com results in several pages like this one that helpfully list the user id and password (at the time) in plain text.

  • 28% Genius (unregistered)

    I have never seen code that had a more accurate comment.

    /This Script allows people to enter by using a form that asks for a UserID and Password/

    See? It never claims to stop unauthorized people from entering.

  • Abdul Qabiz (unregistered) in reply to Sys

    LOL! I can't stop laughing...

    -abdul

  • kay (unregistered) in reply to Sys

    the question is.. why did the author of the article use INTERNET EXPLORER???

  • . (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Oh please report me too, I can't wait!

    Don't give someone a lock and a key, and then say "Hey, don't put the two together because if you do, you'll get lots of things for free". That is your company being stupid.

    Expect reality, it's all there is.

  • Chris (unregistered)

    Wow, thats pretty lame. You should have turned it around on them and said, "I would be happy to offer YOU my services for making your site more secure". Man, their idea of security is outrageous!

  • (cs) in reply to Odas kane
    Odas kane:
    If your tech depart. wasn't incompetent it would be a problem. I wonder how many other US departments are unsecured and incompetent? "wasn't protected" yep that sums it up. ass.

    What Tech Department? Trust me - I live in Florida, near where this place is (although I don't know the business), and let me tell you from experience that if this really is a small company, they probably have no IT people at all, and had the website designed cheap and/or free. That's really common with small companies in FL - pay shit, don't want to ever pay money for anything, and look for the cheapest solution that "just works".

    Giving benefit of the doubt, the site was probably designed at first with the idea to implement some REAL security - however, at some point either they A) Were too cheap to pay a programmer to implement the site, B) Had someone, but fired him for stupid PHB reasons and/or he quit in disgust, or C) Had a "big client" who needed "secure access" to the site ASAP and the owner couldn't wait long enough to implement security. In any event, I doubt the site was DESIGNED to be like this, just like most small businesses, the owner only is thinking about his own financial security, and doesn't really give a shit about growing a business; it exists solely to allow him to live as rich as he wants, instead of providing a useful service that others are willing to pay for.

  • Jehzeel Laurente (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    The site was made to be hacked. Because it's open for intrusion. T__T

  • LOLOLOL (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    4 children. hahahahahahahahahaha. You're lucky that fucking companies doesn't make them pregnant too.

  • CodeMonkey (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    I happen to work for a major integrator. One of the things I've worked on is basic authentication/authorization software for web applications used by the federal government. Believe me when I say that my entire team would have been fired on the spot if we made a mistake that bad.

    The fact that your company cannot splurge for basic serverside protection would lead any sane person in the contracting world to wonder what else you're too cheap to secure.

  • kiddiescripter (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers .. words....words....

    It's not hacking, it's called "viewing the source page".

    It's something that a child can do with no hacking skills.

    Your webmaster should be fired, the rest of the company is probably OK.

  • Gnol (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Hi FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT,

    Even if you are not a scam, it's clear you have no clue how to protect your customers' personal information. Just think about how many innocent clients could have had (or actually have had) their personal information stolen in the time you've been ignorant about this problem.

    You realize if anything happens to those companies because of the information you leaked, it would be your fault? It's the equivalent of a bank hiding all the cash inside a safe with the key on top and no security measures.

    Also, your inability to use grammar and punctuation doesn't help your case when the original article calls into question your professionalism (specifically, the lack thereof).

    This article doesn't destroy the FSG reputation. You do, by your poor actions and irresponsible inactions.

  • Sr. Comedy Officer (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    The following is now Certified Comedy:

    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.

  • Aaron (unregistered)

    Pretty amusing. You should have saved a copy of that page so the rest of us could see it.

  • Stefan (unregistered)

    I lol'd

    Fire your web developer :)

  • (cs) in reply to sorakiu
    sorakiu:
    You're missing the point. This website (dailywtf) has, in the past, changed names (usually the submitter and who they work for) in order to differentiate themselves from a script kiddie website.

    At first, the non-anonymity of this article bothered me. It's true that most of Alex's articles in the past have been anonymized. But now I realize that it's mostly to protect the innocent (the submitter) from the guilty (the WTFer). It's like whistleblower protection; we don't want employees getting in trouble for pointing out infractions by their employers. If only the submitter were anonymized then the employer could often figure out who leaked the information. With both anonymized, the employer must first identify themselves as the WTFer.

    On the Sidebar, we make non-anonymized posts all the time. Usually the submitters there aren't affiliated with the WTFer – it's publicly accessible information. Or the submitter judges for himself that the employer won't know or won't care.

    In this case, Alex is the submitter himself so he can judge whether being identified by the WTFer is worth the risk. I don't think he revealed confidential information. He just explained how Federal Suppliers Guide acted and what he thought of their competence and the value of their service.

    As an illustration of FSG's technical incompetence he posted the contents of the most open and widely publicized document type in the history of civilization: a Web page. He then realized from reading that page that there was another, supposedly secure Web page that can actually be read just as easily.

    It would be different if Alex subscribed to FSG, accessed confidential information securely, and then leaked that confidential information.

    I hope Alex doesn't get sued for "hacking" or slander, although I wouldn't be too surprised. If so then watch out. There are also two years of records of the rest of us making "slanderous" statements about Web businesses, software companies, signage installers, and hardware manufacturers.

    At least the name of the case would be amusing: "Federal Suppliers Guide v The Daily WTF".

  • (cs) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions.

    I can agree with you that people who learn of a simple exploit and attempt to continue to do so are immature; however, how does one learn to mature to age without learning? I understand you have a well established rapport with your clients and that you have a family, certainly you know how harassing it can be to be interrupted when trying to spend quality time with them.

    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them.

    Well, if those people of the US embody the government for which you work, then apparently it is not quite up to the standards they expect. In fact, I wonder which federal agency has made the mistake of not doing its due diligence in auditing all facets of your security. I also wonder how much of that 500k your client took in of my taxes, thus taking food from the mouths of my wife and children.

    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company.

    I do not doubt you are proud of your work, but honestly, do you help small businesses 'navigate' the federal market or 'exploit' it? If you ask average joe taxpayer, I think there are too many high priced contracts or providers out there who provide very little for what compensation is received. It almost seems like it's the converse of the old adage 'you get what you pay for', but in the case of government spending, 'you don't get what you pay for'. How ironic at best.

    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.

    Why, oh why, does the state I live in have to have such a bad stigma about it?

Leave a comment on “So You Hacked Our Site!?”
