Admin
Except this could've easily been done by accident.
The essential problem here is, the site sent the password to anyone who asked for it. The fact that most browsers would hide the source is irrelevant -- maybe some browser bug would expose it?
It's not that "I found it easy". It's not that it was insecure.
It's like the difference between a closed and an open wireless router. If you leave yours open, you may claim that "Well, it takes a sophisticated user to connect and steal our Internet!" But in reality, your router is sitting there broadcasting that it is there for the taking.
It is difficult, as there really aren't good metaphors for software. We can say "It's like a house", but it really isn't. It's up to us to decide where we draw the line.
But I do think there's a fundamental difference between, say, a SQL injection, and actually broadcasting administrative credentials to anyone who asks. (Consider, too, that they didn't even hide that page in their robots.txt.)
Admin
To avoid overloading Google I just saved all those cached pages here:
http://www.web-share.net/download/file/item/federalsuppliers.tar.gz_4221
Anybody can polish it into a really usable directory of suppliers, or start a new business by offering them better service ... ENJOY
Admin
I think this example is like placing a big advertisement on a more frequented public road, with small letters on top saying "Do not read, please, if we did not tell you so ..."
Admin
Umm... hello. I hope you don't mind but I just subscribed your phone number to a couple of porn and other advertisement agency call lists. I'm not sure why, but I just felt like doing that.
Have a, uh, nice day?
Admin
I think actually it's more like having a door to the house, with the key taped near the lock, AND with a big neon sign on the door pointing to the second door right beside it, which is wide open.
Admin
Government contracting is my life (OK, that COULD be sad, but it's a really dynamic field and just full of the poor slobs that tried to sell you space in their "directory"). The sad part is that NO ONE I know (after 30 years in the business) uses such directories, because everything you need to know to do business with the government is available FREE, and I can tell you where!
If he's got a wife and kids to support, I suggest he find a legitimate way to make money rather than ripping off unsuspecting newbies. Sadly there are a LOT of such companies out there. My view is that unless I help you actually make money by creating cash flow for you, then I haven't "earned" anything. No up-front pay for me. And my company is doing quite well, thank you.
BTW - I get these same solicitations from people who have not done their homework. After they quote me their pricing, I tell them what I charge to do the same thing! It's usually pretty hilarious! And most of them have hacked some site to get their email lists in the first place, and do NOT comply with the Federal CAN-SPAM Act. So turn the threat around and report them to the FTC!
Admin
Are you kidding me? Everyone knows that a simple ROT13 is not secure enough. No, you need to apply TWO layers of ROT13, THEN it will be unbreakable.
Admin
First off, yes, this a scam, and FSG deserves no mercy.
But the people posting comments here aren't much cleverer than FSG's webguy.
63 people found it necessary to post the same comment about the username/password changing. All probably sure they were contributing to the discussion.
Everyone is railing about the security implications. The whole point of paying them the (ridiculous) $600/year fee is for the advertising. It's sort of weird that FSG is set up so that you needed a password to view the material they were being paid to advertise (imagine if the yellow pages tried this), which is much stranger than the fact that a password was needed.
Admin
argh is on to something.
Okay...here's my refinement to the key-under-the-mat analogy.
When you knock on the door, someone comes out, hands you the key, and points out that the building has no walls, so you don't even need the key.
Admin
I was playing around when I found this interesting link that leads to thousands of agent ad listings. Have a look at it and someone download everything before it is taken down again! ;)
Here is the link:
http://www.federalsuppliersguide.net/?_orderBy=name&_offset=0
And originally found here:
http://www.federalsuppliers.com/test.html
I have downloaded about 200 ads. :)
Enjoy web securing!
Saad R. www.saadrabia.com
Admin
You mean you subscribed the Las Vegas Police Dept's Missing Child line to agency call lists. I'm sure they'll appreciate your effort.
Retard. Did you really think that was a real phone number? OMGZLOLZ.
Admin
Apparently they just moved it to http://www.federalsuppliers.com/warning.html.
The username is still "zzzzzz" and the password is still "fffxxx". Talk about insecure. The least they could do is include a PHP page.
Admin
The search on that page is based at http://www.federalsuppliersguide.net/ which has a different person as the admin contact. Is it possible that the original site is thieving from a different scam artist?
Admin
Dear Mr. Customer Support:
It's a scam unless you can prove it isn't. In this age of credit fraud, identity theft, and everything else, it's always best for the person with the money to remain skeptical.
But - I have a D&B number too. And a BBB listing, OMG! Woo woo! These can be obtained by just about anyone. But the thing here you need to understand - most companies can provide proof that they provide a service. Can yours? If you can provide the proof, then I'll believe you.
But whether you are a real company or just some big joke, you probably should stop putting the password right in the source code. BTW - looking at source code isn't hacking. You provide it to us.
Admin
Due to the bytes shortage we've been experiencing, I feel a need to sum up 90% of the next 300 posts.
1- (reply to 180051) Your security sucks! There was no hacking at all. You don't know how to type or spell. You sent the password and blah blah blah...
2- Now the UserID is "moron" and the password is "scam3000"
3- Hey everyone, they changed the page to http://www.federalsuppliers.com/warning.html
4- Too bad they put it offline now. But I bet it still is available on Google's cache.
If your post resembles any of the statements above, don't bother. Save those precious bytes for something that has not been written countless times. Thank you
Admin
six hunrdid and sitxy sixth!1111!one
Admin
To "FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT":
For a company that claims to have that much prestige, you sure do suck at making a website. What you fail to realize is that anyone with a web browser and the ability to read English can get into your so-called "secure site", it's not "hacking" at all. To get the information posted here, click on the View menu in your browser and choose Source. Voila!
Oh, and next time you post something in an official capacity, as part of a company, use proper capitalization and sentence structure. Especially when you're trying to defend yourself against allegations of illegitimacy.
Admin
What I said in this comment has probably been said several times throughout this discussion; I didn't realize when I posted it that there were more comments than what was on the initial page.
Admin
I notice a few things. It lets you log in now, but the page doesn't exist once you do log in (or access it directly, it doesn't matter), and it is still in the JavaScript code. And what is the "Sample Page" menu for? That is also a link to something that doesn't exist. And the link for "FEDERAL R" "EGULATIONS" is broken up on that page; on other pages it is correct, though. I think for some reason they can't use server script. If they can't use server script, at least encrypt the page. And maybe also they should make the link to that page secret; they can just tell the federal procurement officer when they need it, anyway. Also look at form.html for more things wrong. They still don't use server script; the server script is a different web-site, which doesn't seem to work right now.
Admin
LOL
Admin
5- You people are all posting the same four things!...
Admin
Not hacking if the password and user name are in plain sight!!! Read up on your laws :) and get a web developer that understands how to deal with ISO security standards. It could have been worse: if a real hacker was on your site they could have extracted vital company info and really caused some havoc. Judging from the level of security, I am sure you guys are SO out of date and ripe for the picking. Let's hope that there are no bored black hats around, or you're in deep Sh*t and you wouldn't be able to do anything to them; they usually do their dirty work on routers/servers overseas ("non prosecutable" in the US).
Admin
Send a little cash my way and I can help you seal the big security hole on your website.....
Admin
Dude,
You need to make your site more secure than showing the userID and password in the script. No one is hacking your site. You are leaving the information open there.
If you don't understand how to fix it, pay some $$$ to someone who does and fix it. All these folks are actually helping you by pointing out the issue with your site. Take it as help, fix the site and move on.
Admin
I see two real WTFs here:
Pointing out that the Google cache has the information. AFAIK Google was sued many times for indexing private information.
Most people thinking that anyone who finds a "door" open with a sign "do not enter - private area" can freely enter and consider this not a breach.
Admin
And this "all of you should have protected your information better" is absolutely juvenile. Just cut it out.
Incidentally, I notice in your list of "check out what we do is real," you didn't suggest checking out the Better Business Bureau. Hmm.
Also incidentally, your company doesn't come up in a search at Dun & Bradstreet, GSA Advantage (which is, y'know, the free catalog service for federal suppliers that everyone who has a GSA schedule contract is required to join, making the whole idea of a printed catalog kind of moot, but whatever), or the West Pasco Chamber of Commerce.
Again, no offense, but it's not slander if it's true.
Admin
TRWTF.
Admin
Voting for removal of "reply" button on featured comments.
Admin
Maybe if the comments were more logically organised next to the comment they comment on, instead of just piling them up in one big tree, it would help prevent reading essentially the same content over and over again?!
Admin
I found if you use google you can find all the pages in their cache also:
Admin
Worked there for 10 years? And you still can't spell? Didn't Mommy teach you upper case?
Son, get lost!
Admin
well now you guys have gone and wrecked this guy's life. His http://officers.federalsuppliers.com/agents.html page is offline now. How can I call up his customers for references?
Admin
You will find that the term 'hackers' probably applies more accurately to the group of individuals who 'hacked' together the password protection that you appear to still have faith in.
Which comments are not truthful? The ones in reference to your cold call? Maybe the segment about calling a disgruntled customer of your service?
Hopefully your tender documents contain better punctuation than your post above.
Admin
whois.net has this to say. Matching it up against the previous info for federalsuppliers.com is left as an exercise for the student.
Registrant:
2256 Toniwood Lane Palm Harbor, FL 34685 US
Domain name: FEDERALSUPPLIERSGUIDE.NET
Administrative Contact: Powers, Jamie [email protected] 2256 Toniwood Lane Palm Harbor, FL 34685 US 813-925-0195 Fax: 000-000-0000
Technical Contact: Powers, Jamie [email protected] 2256 Toniwood Lane Palm Harbor, FL 34685 US 813-925-0195 Fax: 000-000-0000
Registration Service Provider: AccountSupport, [email protected] 1-866-642-4678
Registrar of Record: TUCOWS, INC. Record last updated on 27-Jul-2007. Record expires on 27-Jul-2008. Record created on 27-Jul-2007.
Registrar Domain Name Help Center: http://domainhelp.tucows.com
Domain servers in listed order: NS2.HOSTPROSERVER.COM
NS1.HOSTPROSERVER.COM
Domain status: clientTransferProhibited clientUpdateProhibited
Yeah, but at least Smash's #5 got highlighted as a Featured Comment, so it should be somewhat more effective in stemming the tide.
Admin
Summary: 10 complaints opened within the past three years, 9 closed (4 within the past year) with "they made a reasonable effort to fix it" (and the customer accepted / rejected / was still upset / didn't follow up with the BBB).
Admin
So, did anyone notice that they no longer have a 'login' page on the site? What a shame - no longer can we have duplicate comments (with some cut and paste) about what the password is now :(
Not wanting to be the reason for a lot more ridicule against these poor sods - but have they not read about not using the phrase 'click here' when doing web pages? To top that off - putting the 'click here' as an image, without any alt tags... well, at least the offending javascript routine is now gone.
Oh btw, did anyone try and load the page as https ? Go on try....
Admin
Ok, before anyone TRWTF's me, and really not wanting to repeat any previous posts, I just found the offending js is still on the site (and I am NOT going to post the url here...)
I will call myself stupid, and promise not to post comments after I had a few vodka's.
Man do I feel stupid right now :(
Admin
Who else notices that there are no robots.txt files? Who says we add the URL for the Google webbot? Who else is for Digg or del.icio.us?
I feel clickey links popping up all over the net.
Admin
I think they may have got the point by now.
This thread is becoming TRWTF. Brillant!
Admin
So, I totally agree with your technical points, but wasn't Kafka born in Prague?
Not trying to troll, we just have to keep one another honest...
Admin
Out of sheer curiosity, I decided to look at US's anti-hacking law. I found a page at http://www.rent-a-hacker.net/hacklaw.htm that covers at least some of the relevant statutes (there might be more than one). In summary, since the "hacked" site was owned by a domestic company, it seems that one would have to either cause or intend ham or freud in order for it to be considered illegal. Technically, though, any unauthorized access, regardless of how inadequate the security measures, could be illegal. Calling it "hacking" though, is still a stretch in my book.
Admin
I know bugger all about secure website development, but I'm guessing you probably need the authentication process done server side.
Admin
Yeah, there's no indication on the front page that there are more comments, or how many more comments there are, there's only a poorly-placed link that says "All Comments". And I didn't even see that until I went back to see if there was such a thing.
Admin
Lol, I'm glad mine doesn't resemble that xD
I'm gonna quote one of the first ones:
"its rude, your comments are not truthful we are not a scam"
I don't remember anyone ever saying it was a scam o.O
and if someone did, please copypasta for me
Admin
So TRWTF is that the passwords were too short, right? That's the only possible explanation for the fact that everybody's been able to hack their site.
Fixed script:
<script language="javascript">
<!--//
/* This Script allows people to enter by using a form that asks for a UserID and Password */
function pasuser(form) {
  if (form.id.value == "Agent") {
    if (form.pass.value == "<span style="color:white;">completelyHackerProofReallyLongSecurePasswordNobodyWouldThinkToCopyPastaFromTheSource</span>") {
      /* spaces removed from password in order to save, well, space */
      location = "http://officers.federalsuppliers.com/agents.html"
    } else {
      alert("Invalid Password")
    }
  } else {
    alert("Invalid UserID")
  }
}
//-->
</script>
I dare you to hack that!
Admin
Aye.
Admin
Whoever wrote that law was evidently computer illiterate. Everybody knows you can't cause ham over the internet!
Admin
Paula! Where have you been?
Admin
Suppose you did one of those "hunt via webcam" things, except in reverse, where you could click on a gate and let a hog into a pen with a bunch of sows? I think that might qualify.
Admin
Obviously, that was supposed to be "harm." Unfortunately, there's no way to go back and edit it now.