- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Shame on TDWTF, blah, blah, blah...yakkity something other.
If the TDWTF is going to point out a multinational conglomerates mistakes (Marlboro.com's bjorked landing page) http://thedailywtf.com/Articles/Redirection_with_Smoke_And__0x2e__0x2e__0x2e__Smoking_0x3f_.aspx
Why would it not point out this little companies Web 0.5 alpha site's high tech security mechanism. Ignorance is not an exception or an excuse when running any sort of business.
Also, I take some sort of pride in what I do (dev.,DBA, sysop) and I come to this site to learn and relax. This article goes under the relax section as its possibly the funniest *cking thing I've read in a while, excuse me if I've got an saddistic streak in me, but that's a mandatory trait for server administrators.
Admin
Another reasons for the failure of a slander suit: all the comments are in writing, so it's not slander, it's libel.
But, of course, it's not libel to point out the facts. So that would fail, too.
Admin
Looks like they went further and removed the agents.html page as well.
Some businesses crack me up :)
Admin
LMAO!
Admin
it seems they have removed the page http://officers.federalsuppliers.com/agents.html im worried about the ammount of companies getting sucked into these ever growing number of advertising scams.
Admin
LOL, I hope this was a joke post by someone. If not, these people are way too dumb to be let anywhere near a computer.
Admin
This is pure insanity... It's been a day, this has gotten onto Digg, and yet they haven't fixed it. I certainly hope they don't have any sensitive information on that "Agents" site because now most everybody else has it now, too. I stopped looking for this exploit years ago because I didn't think anyone was dumb enough to still use it...
Admin
hope your joking. At least these guys are telling you about it. this in the wrong hands can damage more! Secure it?
Admin
I love the post by the FS Guide Customer Support. We're apparently still hacking their site. Shame on all of us. Not
Admin
http://209.85.173.104/search?q=cache:abwbU5b-fmIJ:officers.federalsuppliers.com/q/q_in.htm+site:federalsuppliers.com+federalsuppliers.com&hl=en&ct=clnk&cd=79
Here is a Google Cache of one of their agent pages. This is what you get when you pay your neighbours teenage nephew a couple bucks to make your website for you
Admin
Wha wha. Wipe the tears - if you are providing a valuable service to the federal government, you should at least follow NIST's security guidelines. You should be kissing this guy's *ss for finding the simple breach in your "security" -- what would a bunch of Chinese or Russian dudes do? I am sure they would be as helpful. While getting you a visit from the Department of Homeland Security.
Sheesh. Ingrate.
Admin
Oh and here's an even worse site. They actually give you the code to get in to the site right above the box you type it in to.
http://www.sdasa.asn.au/mem.htm
Admin
ROFL! Will someone please send call them and explain that they are not securing anything this way..
Admin
blah blah blah blah sounds more like you're a crook. Why haven't your "clients" gotten a single call? get a real job.
Admin
just curious on how you found this article?
Admin
Are you saying that someone considers this "secure"? I learned the problem with this type of "security" when I was maybe 10 years old and started learning HTML.
I'd say one of the first steps to creating a secure website is DON'T PUT YOUR DAMN PASSWORD AND USERNAME RIGHT IN THE TEXT OF THE SITE. Anyone who has a Web browser can look at that password - if you have Firefox you can go to "View" then click "Page Source" to look at the page's code.
Admin
This is really and truly sad. I mean REALLY REALLY sad. Words cannot describe my feelings when faced with sheer ignorance like this.
Admin
Education Level College Degree Salary Range 7,000 USD per year Category Sales Job Type Employee, Full Time
Impressive. Challenge: How to make a living in Florida on 7k$/year.
Admin
Fuck You.
Admin
That is all.
BRILLIANT!!
Admin
Very true.
Not to mention that page has probably been crawled thousands and thousands of times by the various search engines (since you can get right to it by typing in the URI)... so if you look at any search engine you are bound to find the contents of that page.
Admin
ye gods, this is lame. i just checked, it's still exactly the same except that the target page (still linked) got taken down. so now, nobody can log in, but everyone can see the password. o_O
Admin
Instead of bitching how about fixing you shite security. How do you expect anyone to take your company seriously when you can't secure you're public facing website. What's to say that you don't leave the keys to the safe hanging on the outside door. How are people supposed to trust you with the details they give you? Account numbers? with that security. You are joking right?
Admin
And how about this gem on their site:
<FORM ACTION="http://64.58.216.181/cgi-ipad/polyform.exe/federal1" METHOD="POST"> <INPUT TYPE=HIDDEN NAME="recipient" VALUE="[email protected]"> <INPUT TYPE=HIDDEN NAME="recipientbcc" VALUE="[email protected]">Nice, a little perl script would do to abuse it to send spam around on their account (see the recipient address as hidden input field)d
Admin
Thank you hackers for trying to destroy Federal Truckers reputation.
I have been a Trucker here with my wife for 10 years now and have helped hundreds of clients receive federal government goods. I have 4 children and though you don't care, you are hurting the feelings of many good employees and customers by your immature actions.
Sorry our trucks aren't maintained to your standards, we drink 'n drive all the time, and we all drive without a valid driver's license, however all of you are being reported to the appropriate authorities as we have your information too.
You should have protected your info a little better. Not only is the company legit we actually have held a 5 year GSA contract with the federal government and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them.
I am proud to work here and help small businesses obtain government supplies. If you not interested in government supplies or our services of helping small businesses receive federal goods, fine but please don't slander the company.
It's rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hard copy guides and the online directory as well.
So yeah, DIE IN A FIRE!!!!!!!!!
Admin
Un-be-lie-vable !!!!
Admin
It's a fine old tradition: charge people hundreds of dollars for something they can google themselves in 5 ms. It's not a scam, though: it's a stupid tax
Admin
really?
Registration provider: MateMedia, Inc. Registrant Jim Sprecher Jim Sprecher [email protected] PO Box 1735 Oldsmar, FL 34677 US +1.8139250195 (FAX)
Administrative Countryside Publishing Company Countryside Publishing Company Inc. [email protected] 3135 SR 580 Suite 6 Safety Harbor, FL 34695 US +1.7277263400 (FAX)
Billing Countryside Publishing Company Countryside Publishing Company Inc. [email protected] 3135 SR 580 Suite 6 Safety Harbor, FL 34695 US +1.7277263400 (FAX)
Technical Countryside Publishing Company Countryside Publishing Company Inc. [email protected] 3135 SR 580 Suite 6 Safety Harbor, FL 34695 US +1.7277263400 (FAX)
Record created on May 18, 1997 Record last updated on November 13, 2006 Record expires on May 19, 2008
Domain Name Servers: NS.RACKSPACE.COM NS2.RACKSPACE.COM
Admin
If the site referred to in this article is purported to be "secure" by your company's standards, then I would have to say that any damage to the reputation of "Federal Suppliers Guide", from a technical perspective, is most certainly warranted. In addition, the fact that the author attempted to alert your company to the security shortfall prior to publishing is inline with standard practices - whenever someone finds a flaw in software or websites, the first person they advise is the system owner and then, if they refuse to take adequate action, they alert the public so they do not expose themselves to the associated risks.
Regardless of whether your company does or does not conduct itself in good faith or with real returns to your advertisers (who the author appears to have made reasonable effort to contact and survey) the root of the problem is that your website is critically flawed and needs to be seen to by a professional who can apply industry-level security to the system.
Admin
Can still check out the google cache of most of the 'secure' area - try googling site:officers.federalsuppliers.com
or going to:
http://www.google.co.uk/search?q=site:officers.federalsuppliers.com/&hl=en&safe=off&rlz=1T4GZAZ_en-GBGB248GB248&start=10&sa=N
Admin
I would say the best site to learn about hacking, is http://www.opentopix.com , also found in the search bar
Admin
well maybe if you employed someone with an ounce of computer securityness about them then this would of never come about! It not hacking the password is in plain text of the source code of the website! N00bs!
Admin
Beating a dead horse...
A google search for www.federalsuppliers.com results in several pages like this one that helpfully list the user id and password (at the time) in plain text.
Admin
I have never seen code that had a more accurate comment.
/This Script allows people to enter by using a form that asks for a UserID and Password/
See? It never claims to stop unauthorized people from entering.
Admin
LOL! I can't stop laughing...
-abdul
Admin
the question is.. why did the author of the article use INTERNET EXPLORER???
Admin
Oh please report me too, I can't wait!
Don't give someone a lock and a key, and then say "Hey, don't put the two together because if you do, you'll get lots of things for free". That is your company being stupid.
Expect reality, it's all there is.
Admin
Wow, thats pretty lame. You should have turned it around on them and said, "I would be happy to offer YOU my services for making your site more secure". Man, their idea of security is outrageous!
Admin
Wow, thats pretty lame. You should have turned it around on them and said, "I would be happy to offer YOU my services for making your site more secure". Man, their idea of security is outrageous!
Admin
What Tech Department? Trust me - I live in Florida, near where this place is (although I don't know the business), and let me tell you from experience that if this really is a small company, they probably have no IT people at all, and had the website designed cheap and/or free. That's really common with small companies in FL - pay shit, don't want to ever pay money for anything, and look for the cheapest solution that "just works".
Giving benefit of the doubt, the site was probably designed at first with the idea to implement some REAL security - however, at some point either they A) Were too cheap to pay a programmer to implement the site, B) Had someone, but fired him for stupid PHB reasons and/or he quit in disgust, or C) Had a "big client" who needed "secure access" to the site ASAP and the owner couldn't wait long enough to implement security. In any event, I doubt the site was DESIGNED to be like this, just like most small businesses, the owner only is thinking about his own financial security, and doesn't really give a shit about growing a business; it exists solely to allow him to live as rich as he wants, instead of providing a useful service that others are willing to pay for.
Admin
The site was made to be hacked. Because it's open for intrusion. T__T
Admin
4 children. hahahahahahahahahaha. You're lucky that fucking companies doesn't make them pregnant too.
Admin
I happen to work for a major integrator. One of the things I've worked on is basic authentication/authorization software for web applications used by the federal government. Believe me, when I say that my entire team would have been fired on the spot if we made a mistake that bad.
The fact that your company cannot splurge for basic serverside protection would lead any sane person in the contracting world to wonder what else you're too cheap to secure.
Admin
It's not hacking, it's called "viewing the source page".
It's something that a child can do with no hacking skills.
Your webmaster should be fired, the rest of the company is probably OK.
Admin
Hi FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT,
Even if you are not a scam, it's clear you have no clue how to protect your customers' personal information. Just think about how many innocent clients could have had (or actually have had) their personal information stolen in the time you've been ignorant about this problem.
You realize if anything happens to those companies because of the information you leaked, it would be your fault? It's the equivalent of a bank hiding all the cash inside a safe with the key on top and no security measures.
Also, your inability to use grammar and punctuation don't help your case when the original article calls into question your professional (specifically, the lack thereof).
This article doesn't destroy the FSG reputation. You do, by your poor actions and irresponsible inactions.
Admin
The following is now Certified Comedy:
Admin
Pretty ammusing. You should have saved a copy of that page so the rest of us could see it.
Admin
I lol'd
Fire your web developer :)
Admin
At first, the non-anonymity of this article bothered me. It's true that most of Alex's articles in the past have been anonymized. But now I realize that it's mostly to protect the innocent (the submitter) from the guilty (the WTFer). It's like whistleblower protection; we don't want employees getting in trouble for pointing out infractions by their employers. If only the submitter were anonymized then the employer could often figure out who leaked the information. With both anonymized, the employer must first identify themselves as the WTFer.
On the Sidebar, we make non-anonymized posts all the time. Usually the submitters there aren't affiliated with the WTFer – it's publicly accessible information. Or the submitter judges for himself that the employer won't know or won't care.
In this case, Alex is the submitter himself so he can judge whether being identified by the WTFer is worth the risk. I don't think he revealed confidential information. He just explained how Federal Suppliers Guide acted and what he thought of their competence and the value of their service.
As an illustration of FSG's technical incompetence he posted the contents of the most open and widely publicized document type in the history of civilization: a Web page. He then realized from reading that page that there was another, supposedly secure Web page that can actually be read just as easily.
It would be different if Alex subscribed to FSG, accessed confidential information securely, and then leaked that confidential information.
I hope Alex doesn't get sued for "hacking" or slander, although I wouldn't be too surprised. If so then watch out. There are also two years of records of the rest of us making "slanderous" statements about Web businesses, software companies, signage installers, and hardware manufacturers.
At least the name of the case would be amusing: "Federal Suppliers Guide v The Daily WTF".
Admin
I can agree with you that people who learn of a simple exploit and attempt to continue to do so are immature; however, how does one learn to mature to age without learning? I understand you have a well established rapport with your clients and that you have a family, certainly you know how harassing it can be to be interrupted when trying to spend quality time with them.
Well, if those people of the US embody the government for which you work, then apparently it is not quite up to the standards they expect. In fact, I wonder which federal agency has made the mistake of not doing its due diligence in auditing all facets of your security. I also wonder how much of that 500k your client took in of my taxes, thus taking food from the mouthes of my wife and children.
I do not doubt you are proud of your work, but honestly, do you help small businesses 'navigate' the federal market or 'exploit' it? If you ask average joe taxpayer, I think there are too many high priced contracts or providers out there who provide very little for what compensation is received. It almost seems like it's the converse of the old adage 'you get what you pay for', but in the case of government spending, 'you don't get what you pay for'. How ironic at best.
Why, oh why, does the state I live in have to have such a bad stigma about it?