Admin
...is down again...
Admin
Wow, I've been going through all the cached pages I was able to "hack" via Google. I'm actually more amazed than anything else that so many company owners fall for this sort of scam.
/heading off to hack more of Google's cache...
Admin
Someone should point out to Jim Sprecher that removing the website won't help him much. Google caches all.
http://www.google.com/search?q=site%3Aofficers.federalsuppliers.com
Or maybe Google are "hackers" now? :)
Admin
"NEW" url for the site:
http://www.federalsuppliers.com/warning.html
Admin
Alex is playing a joke on us. This can't be happening. This is mega-stupid!
Admin
for advanced hackerish: http://www.google.com/search?q=site%3Aofficers.federalsuppliers.com
google, the mother of all communist hack tools <:o) and invalid markup btw.
Admin
I'm more than happy to make a secure PHP login page for them.... for several hundred thousand dollars.
Admin
And now I'm sure some helpful soul will fill the University of Hawaii in on this lovely debacle.
Here are a couple more folks that could use enlightenment. (I got bored after skimming through the first 30 hits.)
Bevins Design - bought a catalog entry
Virginia state government - lists them among a few dozen other resources
Also, the secondary TRWTF is the still-huge ratio of "hur hur dumb security" to "wait, what motives would make you want to secure this in the first place?". I know we're a bunch of tech guys but, c'mon, learning a little social engineering on top of it will make you ten times more effective.
Admin
I love how we're all being "reported to the authorities". It sure is unfortunate that this site has anonymous posting...
Just so we can all agree. It's not hacking if the user name & password are published on the site.
Also, and I don't want to go off on a whole thing here, but it sounds like that company is more of a scam than anything, taking advantage of small businesses, so good riddance.
Final thought: Apparently the sales force blows, too.
Admin
Nobody's hacking anything. The URL to the "private" page is embedded in plain text in the javascript code in the public page. All one has to do is "view source" to see where the "private" page is.
It isn't that your "private" page wasn't protected to "our standards", it's that it isn't protected AT ALL. Put the URL in the address bar and presto - you're in!
Tell your programmer that changing usernames and passwords in code that is transmitted to the browser is useless. You need to perform proper authentication on the "private" page, not just hide the link to it in javascript on a publicly-available page.
Read up a little on securing web sites. It's not hard at all to do basic authentication, which will keep most people out.
Admin
If they think that adding Javascript to their HTML is a way to securely protect anything on their server, anyone associated with them should run for the hills. How is this not a red flag for their department heads? Morons.
Admin
You did the damage to your reputation yourself.
Admin
It's not hacking when people use the credentials that the website supplies - and it's not that "the site wasn't protected to our standards" --- the site wasn't protected at all.
You're charging those people for your service, it is your responsibility to make sure their info is secure.
Quit whining about hurt feelings and do your job.
Admin
It's not hacking, you have published the password in the source of your page. You cannot secure a website with weak client-side javascript, you must protect at the server level. If your company's site is any indicator of their skillset and professional acumen, you'd do well to have a backup gig flipping burgers somewhere.
Admin
Hey!
I could hardly consider what everyone is doing hacking. You do not try to hide something in a safe and then write down the combination on it, do you? I do not know what 10 year old you hired to "secure" your website, but there are about 2000 people (if not more) who have seen this topic, you should disable your login and hire a professional who doesn't use Javascript as a means to protect your site.
Admin
Viewing source code is not hacking. And you should be sorry that your site isn't protected to our standards. Because as you stated, your children are being hurt by your employer's low standards. Clearly they don't care about your children or the hundreds of clients you have helped obtain federal government work.
I think you should have protected your info a little better. Because now that I have a list of all your clients, they might be interested in knowing that none of the other contacted clients have ever gotten any work from the company you work for. They may be interested in seeking legal action.
Admin
If this isn't actually the scammer, then good job whoever wrote this, because it's hilarious
Admin
So you "got our information". Either that, or you got the information for the last proxy in a string of them. Take your pick. How are you going to get any further than even having an IP address?
Admin
Their government grade encryption has not changed since yesterday.
Any government employee should be aware enough not to access a site that uses this kind of username password combination. Surely they informed them of all the sudden changes to their secure credentials.......
Admin
Well, heck, let's get some more. We need a secure name.
How about just "the Secure Site"? Short, easy, and to the point. Anyone else?
Admin
Since when does having a contract with the federal government make your business any more credible or wholesome?
Admin
It's not our fault that you work for a company that doesn't understand how to run a website. I researched the company I work for before I decided to trust them.
Right-clicking a web page, choosing "view source", and reading what follows is not hacking or rude.
Admin
I say if they aren't bright enough to figure this out --- THEY DESERVE WHAT THEY GET ----
Admin
Not Found
The requested document was not found on this server.Web Server at federalsuppliers.com </BODY> </HTML> <!-- - Unfortunately, Microsoft has added a clever new - "feature" to Internet Explorer. If the text of - an error's message is "too small", specifically - less than 512 bytes, Internet Explorer returns - its own error message. You can turn that off, - but it's pretty tricky to find switch called - "smart error messages". That means, of course, - that short error messages are censored by default. - IIS always returns error messages that are long - enough to make Internet Explorer happy. The - workaround is pretty simple: pad the error - message with a big comment like this to push it - over the five hundred and twelve bytes minimum. - Of course, that's exactly what you're reading - right now. -->
WTF?
Admin
"The best minds are not in government. If any were, business would hire them away."
Admin
FREELANCE WEB DESIGNER SOUGHT (Home based) City: Tampa
Countryside Publishing is seeking immediate freelance Web Designers to establish relationships with clients for immediate freelance work. Selected designers will join a group of a dozen freelance design professionals, and interface with Management, QC, Editorial, and Development. If you’re a dedicated team player with outstanding design skills looking to grow your already impressive portfolio please apply!
Responsibilities:
Create and manipulate graphics to optimize the palette, size and speed of the resulting Web sites
Develop basic designs which consistently capture and project functionality and brand identity for clients.
www.countrysidepublishing.com www.alliancepublishing.net
Please respond by email or fax with your resume: 813-814-4573
Admin
Wait... wait... you actually procreated? Everybody out of the gene pool!
Admin
We understand that you are innocent, hard working people, but your anger and frustration with this situation is being misdirected. It's not our fault that you don't have security, but you think you do. We're the ones you DON'T have to worry about - it's the people that have the ability to break through this paper thin facade that have malicious intent that you have to worry about. Fix your system because of them and because you work hard. Don't fix it because of the snotty folks here that get jollies making fun of your security. Just fix it. Hire someone and fix it.
Admin
Cry moar newb.
Or, to put in adult-talk: When your bank has no locks on its doors and is "protected" by a sign saying "Please don't steal our money", YOU FAIL.
Admin
I hope you understand that calling us "hackers" is like calling the guy who logs on to your computer using the password he got from a post-it stuck to your monitor a "hacker."
Admin
For such a prestigious working man, your spelling and grammar sucks, man.
Admin
Well, regardless of how legitimate or not the post's complaints are, you have a serious security issue on your hand. I wouldn't even call what was done to your site hacking. Do you understand that you have the user id and password in plain text for the world to see in the source code of that page?
Whoever maintains your site needs some serious schooling in secure coding practices. It isn't even a matter that security may have been different years ago...that type of coding should never have been done in the first place. You need to fix that page.
Admin
Are you idiotic? How can you call someone a hacker when you actually send down to their browsers included in the source of your web page the username and password? That is like a mechanic calling someone a hacker for opening the bonnet of their car to check the oil levels.
Invest in some decent web security, instead of blindly calling people 'hackers' for informing you (for FREE) of your ridiculous security measures.
Admin
Government contracts, wasting money involuntarily taken from you since 1913.
Admin
There is no exploit here. What is happening here is a bunch of people laughing at a website. It is no more reprehensible than a bunch of people laughing at any other unintentionally humorous site. If people don't want any risk whatever of their site being laughed at, they shouldn't have a site.
Exactly! And it's not the first time the real company involved was exposed either, it's common in these circumstances. The BARF ONLY WTF http://thedailywtf.com/Articles/Special-Order.aspx also linked to the real web page that was the subject of that article.
Admin
You destroyed your own reputation. First by using sleazy tactics to sell your so called 'service', and then by purporting to protect your client information with a 'secure' page. You obviously don't know the first thing about computer security, and I sure hope you are not in charge of securing any actual sensitive information.
Hire a web developer who has a clue next time.
As for your company, you've been in business 10 years and have only 'helped' hundreds of clients? If your best client is only bringing in 500k in contracts then you haven't helped them much, have you?
I'd suggest closing up shop and finding a more ethical business to engage in.
.cp
Admin
Haha that's a joke right? Not once did he say it was a scam; he merely briefed us on his conversation with a member of the company and the surprising lack of information on it available to prospective clients.
Would you leave the key in the lock of your car when you left it in a bad suburb (hopefully not)? Hiding what is precious to you is just common sense. Nonetheless I found this quite amusing. Hey, also loved the way you tried to take us on a little guilt trip, as if that distracts from the fact that your company may not be a wise business decision.
Cheers Taku
Admin
If you do a Google search on site:federalsuppliers.com you can get access to all the cached pages that were taken down due to "hacking". LOL I had a good laugh about this. Thanks.
Admin
For the low price of a few hundred to a few thousand dollars, I will help you secure your site by a super secret security algorithm code named "ROT13". Act now, before you lose your eligibility!
Admin
Shut up you idiot. You are obviously just a person who's making money off of this crap.
Admin
I love that plea about his 4 children and such. Maybe if you stop trying to scam people, you could afford to feed them ;P
Admin
Huh, that was quite funny, lol you sure have "hacked" his site ^^
Admin
They did remove the agents page you link to... however it is still there under a different name. Going to their main page and clicking on agents you are directed here: http://www.federalsuppliers.com/warning.html Username and password still in the source.
Admin
working for 10 years, got wife, 4 children, bla bla bla...
totally classic.
Admin
The issue here is that the folks from FEDERAL SUPPLIERS GUIDE have provided a way for federal purchasers to log in to a restricted part of their website BUT these same folks have not taken due diligence to restrict the access. What they are doing is like locking the front door to their home but leaving the keys under the welcome mat outside the door.
If anything, the folks at FEDERAL SUPPLIERS GUIDE should thank the community for bringing this to their attention and not bash the community.
Also, if for some reason this business were to be audited by the federal government for any sort of security compliance, they would be subject to being shutdown or pay penalties.
Admin
Wow... What a complete f---ing moron.
Well, maybe I shouldn't say complete moron... It sounds like he has been taking small businesses with this scam for quite some time.
I think the website is intended to make you believe that this guide is produced by the government, when it obviously just sounds like some people running this out of their home. I highly doubt anything there is secret. They probably just don't want to supply you with a sample guide because there ISN'T ONE... It's just a scam.
Admin
In a bid to start some kind of insightful conversation after 12 pages of THE SAME THING... I'd like to know where people believe HACKING starts?
It's very easy to say 'anyone could view the source code' etc... but this is patently not true. The key point is that a lot of people do not have the technological skills to understand what source code even IS, never mind know how to view and read it.
That said, using php exploits, and countless other ways are equally 'easy' to someone of sufficient skill - so surely the argument of 'well I found it easy therefore it's not hacking' seems slightly misplaced?
Finally - I'm not supporting and really don't give a flying monkey about some twobit site... my territory is secure to the best of my and my sysadmin's skills. I just would like to raise that as a slightly more interesting talking point than 'ohh how shit are they - lolz etc...'