Admin
Plesk, Inc.
That sounds right. LOL
Admin
laff
whois federalsuppliers.com
Domain: federalsuppliers.com
Registration provider: MateMedia, Inc.
Registrant: Jim Sprecher
Jim Sprecher [email protected]
PO Box 1735 Oldsmar, FL 34677 US
+1.8139250195 (FAX)
This site is on Rackspace, it appears.
Domain Name Servers: NS.RACKSPACE.COM NS2.RACKSPACE.COM
Now I await my visit from government agents in black suits to arrest me for "hacking" public knowledge.
If this is how our legit government handles business, I'll take my chances with the hackers, thank you.
Admin
Great stuff, Alex. I love you guys.
Admin
"Save those precious bytes to something that have not been written countless times. Thank you"
Shut up, don't tell me what to do. betch
Admin
You really have to be joking to think that if you include the username and password in the JavaScript source of a page it won't be found.
Seriously!
Admin
My comment was in response to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT btw. Smarten up!
Admin
The Internet in general (blogs, comments, etc.) is becoming more redundant and predictable every day... gotta deal wit it.
Admin
http://google.com/search?q=site:federalsuppliers.com
Admin
Updates:
http://officers.federalsuppliers.com/agents.html
That's the page it takes you to when you "log in". You can skip the entire "log in" process and just go straight to that. The downside is they apparently took down the listing. Maybe there's a Google cache of it.
Otherwise, here's the response from whois federalsuppliers.com:
Domain Name: FEDERALSUPPLIERS.COM
Registrar: INNERWISE, INC. D/B/A ITSYOURDOMAIN.COM
Whois Server: whois.itsyourdomain.com
Referral URL: http://www.itsyourdomain.com
Name Server: NS.RACKSPACE.COM
Name Server: NS2.RACKSPACE.COM
Status: clientTransferProhibited
Updated Date: 13-nov-2006
Creation Date: 19-may-1997
Expiration Date: 20-may-2008
Here's the (partial) traceroute result:
11 * te-1-3-pr01.ashburn.va.ibone.comcast.net (68.86.84.154) 32.381 ms 33.949 ms
12 peer-01-ge-1-1-0-104.asbn.twtelecom.net (64.132.69.73) 26.917 ms 26.196 ms 27.974 ms
13 64.132.228.26 (64.132.228.26) 59.692 ms 63.685 ms 59.415 ms
14 64.132.228.26 (64.132.228.26) 58.507 ms 59.372 ms 58.322 ms
15 vl130.core1.sat.rackspace.com (64.39.2.33) 66.247 ms 61.229 ms 62.702 ms
16 64.39.1.149 (64.39.1.149) 62.185 ms 63.492 ms 59.942 ms
17 matemediainc.com (65.61.159.151) 61.192 ms 65.086 ms 60.287 ms
Admin
Epic! :-)
I also love the PDF that he faxed you over. From 2006. Wow. Pretty current for government agencies, at least. Tee-hee.
Admin
We're at 712 comments and climbing. Could this be the most popular post of all time?
Admin
By the way, they have changed the user name and password to something ridiculous, which doesn't matter because you can entirely skip the login process anyway by simply visiting the address hidden in the if construct. Besides, that isn't hacking, as the user name and password are directly sent to whoever reads the website. And the target site says SECURE, which is TRWTF because it isn't. And have you noticed there isn't any robots.txt file? Maybe Google has a cached version of it. Which would be great, because they have taken down the whole page. By the way, this is the WHOIS info on the domain: snip You should arrest me because I'm an evil hacker, yeah, haha, guess what, I'm not.
Did I forget anything?
Admin
They changed the user name and password...
But it's still in the JavaScript :p
Admin
Yep. The guy who defended the company at first can't spell, and the page is now at: http://www.federalsuppliers.com/warning.html. Which I find highly confusing... since that is the page Alex originally gave.
Admin
Although I am sympathetic to your story, the simple fact is that it's laughable that your company wouldn't do a better job of protecting your website. Please don't address us as hackers with a negative connotation. A hacker wouldn't post this article, a hacker wouldn't tell you about the problem, they would exploit it instead. If you want to fix your site's reputation, why don't you fix the problem?
Admin
I used to work for Federal Suppliers Guide, several years ago as a Graphic Artist. I have to say that I was initially skeptical of their product. Final copies are not mass produced, but rather a small-scale print run (each approx. phone book size) delivered to the select Federal Suppliers for that State/Region. Customers do have to pay to get a copy of the book (something like $100). I believe that a copy of their ad is free.
Phone calls and ads are legitimate. There were at least 4 full-time Graphic Artists to handle the workload. Designs were faxed and e-mailed to customers for approvals. They had a full-time sales staff at several locations (probably 10-12 at the location where I worked). The Owner/Manager is a Christian woman who seemed to treat employees with respect. Very small company, with its biggest downfall being (in my opinion) that it didn't offer employees a lunch room and that equipment/software was in need of upgrading.
Other than that, I don't believe that I would label it as a "scam" company. Just a niche product.
I think they also offered services to assist with Federal Suppliers paperwork processing, with a hefty fee if I remember correctly.
Admin
This makes me sad. :(
Admin
I rofl'd
Addendum (2008-03-03 10:50): Posting in a legendary thread.
Admin
This is very upsetting news... I get the feeling that every other WTF posted from now is going to pale in comparison to this... :(
Admin
This one is still well ahead, and I'm not even sure if that's the record.
Admin
hilarious
Admin
Really, clicking "View Source" shouldn't even count as a step. The data that their server is sending you is the raw HTML/Javascript. Your browser interprets it, and "View Source" is just showing you what was actually received. If I used wget, or telnet'ed to port 80 of their webserver and did a GET on the page in question, I would see the username and password right there.
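To show what "the raw HTML/Javascript the server sends you" actually gives away, here is an added example (not code from the page, and not from the site under discussion) that scans a fetched page for exactly the kind of client-side gate described in this thread: an if-construct comparing the typed user name and password against string literals, followed by a redirect to the hidden page. The HTML below is constructed for the example; the user name, password, host and path in it are invented, not the real ones.

```python
"""
Find hard-coded credentials and hidden redirect targets in a page's inline
JavaScript. Added example; the sample page is constructed, with invented values.
"""
import re

# Constructed sample: what a raw GET (wget, or telnet to port 80) of such a
# "login" page returns. Everything the browser needs to decide is in here.
SAMPLE_HTML = """<html><head><title>SECURE Agent Login</title>
<script type="text/javascript">
function doLogin() {
  var u = document.forms[0].user.value;
  var p = document.forms[0].pass.value;
  if (u == "agent01" && p == "procure2008") {
    window.location = "http://officers.example.invalid/agents.html";
  } else {
    alert("Access denied. Unauthorized access will be reported.");
  }
}
</script></head>
<body><form onsubmit="doLogin(); return false;">
<input name="user"><input name="pass" type="password"><input type="submit">
</form></body></html>
"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# `name == "literal"` or `"literal" == name` (== or ===, either quote style)
LITERAL_CMP_RE = re.compile(
    r"""(\w+)\s*===?\s*(['"])(.*?)\2|(['"])(.*?)\4\s*===?\s*(\w+)""")
# assignments to location / location.href / window.location(.href)
REDIRECT_RE = re.compile(r"""(?:window\.)?location(?:\.href)?\s*=(?!=)\s*([^;\n]+)""")


def inline_scripts(html):
    """Return the bodies of all inline <script> blocks."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def find_compared_literals(script):
    """(variable, literal) pairs for every equality test against a string literal."""
    pairs = []
    for m in LITERAL_CMP_RE.finditer(script):
        if m.group(1) is not None:
            pairs.append((m.group(1), m.group(3)))
        else:
            pairs.append((m.group(6), m.group(5)))
    return pairs


def find_redirect_targets(script):
    """Targets assigned to location. A quoted literal is the hidden URL itself;
    any other expression (e.g. u + ".html", the 'new' gate) is reported as-is."""
    targets = []
    for m in REDIRECT_RE.finditer(script):
        expr = m.group(1).strip()
        if len(expr) >= 2 and expr[0] == expr[-1] and expr[0] in "'\"":
            expr = expr[1:-1]
        targets.append(expr)
    return targets


def audit(html):
    """Everything a reader of the response learns without 'logging in'."""
    findings = {"credentials": [], "targets": []}
    for script in inline_scripts(html):
        findings["credentials"].extend(find_compared_literals(script))
        findings["targets"].extend(find_redirect_targets(script))
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_HTML)
    for var, value in result["credentials"]:
        print(f"literal compared against {var!r}: {value!r}")
    for target in result["targets"]:
        print(f"target reachable without logging in: {target}")
```

Nothing here is an exploit: the script only reads the response body, which is what "View Source" shows. The point is that a check performed in the browser cannot keep a secret from the browser, and the redirect target is a plain URL that works on its own.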
Admin
Aww, look. Pathos.
Admin
I wouldn't be much surprised if they weren't safe from SQL injection attacks either...
http://www.federalsuppliersguide.net/?_name=&_description=&_q1=&_q2=52&_q3=&_orderBy=name
Admin
Ahhh yes. The Hat Riddle. Good times.
Admin
http://www.google.com/search?q=+site:federalsuppliers.com+federalsuppliers.com/&hl=en
If you browse the several pages, you'll see the listed addresses of the companies who were marks.
I don't mean to discourage or deface these businesses, but FederalSuppliers is not exactly sharing their information with anyone. I hope that via the Google Cache, they will get at least some attention, and maybe find grounds for a lawsuit against the owner(s) of FederalSuppliers.
Remember, the government isn't the only one interested in buying from these companies. They're in business so EVERYONE can invest, purchase, and make that economic wheel turn.
Admin
So how do you know if you're authorized?
How do you know if you're not authorized?
Admin
Wow, 15 pages of vitriolic hot-headed comments so far, all because of something that was almost certainly a deliberate troll.
Unless you think that someone with those language skills, that little knowledge of what he's doing, and that offensive a position would actually have come to this website and posted here, especially with such brazen statements like "all of you are being reported to the appropriate authorities as we have your information too".
Granted it was well-crafted to the point where it seems just plausible enough, but everyone who flamed in response to that post should check themselves, as they are a gullible idiot.
Dan.
Admin
He could be trolling in his spare time.
Admin
OK, if the website was secure then you could MAYBE have an argument for legal action. But since I could get to this site (which I have not done) without a user name and password, it cannot be called hacking.
Having an unsecured web page that you don't want the general public to go to is not security, it is wishful thinking. (To use the house analogy, it is like taking your private journal out of your house and posting all the pages on a bulletin board at City Hall.)
Just because another page that links to it requires two unique strings for the link to work does not make the page behind the link secure. You need to secure your website for authenticated users; then (even if you are stupid and store your user name and password in the JavaScript) you COULD POSSIBLY have an argument for legal action.
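What "secure your website for authenticated users" looks like in practice is that the server, not the browser, decides whether to hand over the protected page. The following is an added example (not code from the page or from the site discussed) of that contrast: a minimal WSGI application that enforces HTTP Basic authentication for the protected path, with the credential store held server-side as salted PBKDF2 hashes. The path, realm, and the test user are assumptions made for the example; it is driven in-process so it runs offline.

```python
"""
Server-side gate for a protected page. Added example with an assumed path,
realm and credential store; nothing about the check is sent to the client.
"""
import base64
import hashlib
import hmac
import os


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Assumed credential store: username -> (salt, PBKDF2 hash). The plaintext
# password exists only at enrolment time and never in any HTTP response.
_SALT = os.urandom(16)
USERS = {"agent01": (_SALT, _hash("procure2008", _SALT))}  # constructed test user

# Assumed protected content, keyed by path.
PROTECTED = {"/agents.html": b"<html>agent directory (constructed)</html>"}


def check_basic_auth(header):
    """Return the user name if the Authorization header carries valid credentials."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    # Unknown users still take the hashing path, so timing does not reveal
    # which user names exist; the comparison itself is constant-time.
    salt, expected = USERS.get(user, (b"", b"\x00" * 32))
    if hmac.compare_digest(_hash(pw, salt), expected) and user in USERS:
        return user
    return None


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    if path in PROTECTED:
        user = check_basic_auth(environ.get("HTTP_AUTHORIZATION"))
        if user is None:
            # The protected bytes never leave the server without credentials.
            start_response("401 Unauthorized", [
                ("WWW-Authenticate", 'Basic realm="agents"'),
                ("Content-Type", "text/plain")])
            return [b"authorization required"]
        start_response("200 OK", [("Content-Type", "text/html")])
        return [PROTECTED[path]]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def basic(user, pw):
    """Build a Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def request(path, authorization=None):
    """Drive the WSGI app in-process (no network) and return (status, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if authorization:
        environ["HTTP_AUTHORIZATION"] = authorization
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print(request("/agents.html"))                                  # 401
    print(request("/agents.html", basic("agent01", "wrong")))       # 401
    print(request("/agents.html", basic("agent01", "procure2008")))  # 200
    # To serve it for real:
    # from wsgiref.simple_server import make_server
    # make_server("", 8000, app).serve_forever()
```

Basic auth over plain HTTP still sends the password in the clear on the wire, so in deployment this belongs behind TLS; the point of the example is only where the decision is made. Compared with the JavaScript gate in the thread, a "View Source" of the login page here yields nothing, and fetching the hidden URL directly yields a 401 instead of the listing.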
Admin
This one is a newby implementation error (I'm being nice!) by a site that (to most of us apparently) is not far shy of being strung up for their business practices. The phrase "couldn't happen to a nicer guy" comes to mind here.
Then, to top it off, somebody digged it. Brillant!
Admin
Now they've changed it to a single input box...
The script now just tacks ".html" onto whatever you type into the box and does a request for that...
I guess they couldn't afford a real web developer... so where does all of that money go, then?
Admin
It shows the following error at the end of the page:
One more WTF in the list of WTF's for that site.
Admin
Maybe we could start a club? It'd be Webby, it'd be 2.0 ... it might even feature photographs.
Now, that'd put most of these pointless swine off the idea of posting.
Admin
Tell me again. What country do you live in? When do retarded adolescents grow up in that country?
Admin
What, precisely, is the difference between "scam" and "rip-off" and/or "snake-oil sales"?
A "niche" product is something that you can't find anywhere outside that niche. Granted, it might still be any or all of the above. It might still be what you want.
This one ain't it.
Admin
PS: Don't try typing the obvious word, "procurement", into the input box. Because that is most definitely NOT the password (at least at 4pm EST on Monday). Who knows what it will be later.
Admin
So, I don't code but work in IT, mostly hardware but I LOVE this website. I got through about the first four pages of the comments, and honestly can't believe that
Instead of cheap/petty threats from employees from this company, they should be THANKFUL that it was found on this forum where ridicule is the worst consequence of their action (or inaction).
Admin
The management would like to inform everyone that the persons responsible for the unmarked sarcasm in the previous post have been sacked.
Why doesn't BBCode have a [sarcasm]marker[/sarcasm] for that?
Admin
I just felt the things I outlined in bold were, in fact, rather comical.
Admin
Nah, that's an actual page. You can access it normally from the 2nd button from the right in the top bar, helpfully labelled "procurement".
But, as long as someone visits the guide, and they have google toolbar installed, then google will eventually index it.
Admin
Stop spoiling our fun you joyless old bastard. Nobody cares.
Admin
The hefty fee would not surprise me in the least; while I do suspect your former employer is not, technically, a scammer (at least, not in the sense of the 419 scammers), I do suspect they can fairly be described as snake-oil salesmen. They are selling a product which is of no practical value for a high price -- and, judging by the experience relayed in the original post, using well-worn sales techniques designed to induce a person to buy without any real knowledge of what exactly they are buying. In short, it would be fair to describe it as a con-job. (Charging large amounts of money for menial copying is also a borderline con-job, BTW.) Some posters have compared it to vanity publishing and "Who's Who?" services, which charge a fee to publish your name and/or work. What they don't tell you (and what they didn't tell the original submitter) is that this information will go into a publication so obscure that it's only a step above where Arthur Dent had to go to find the "publicly displayed" notice that his house was scheduled for demolition (cf. "The Hitchhiker's Guide to the Galaxy").
Me, I'd like to compare it to services which sell lunar or Martian real-estate, or asteroids, or the rights to name stars. In all cases, they are charging customers for something which is utterly meaningless -- but which they have deliberately represented as valuable despite knowing perfectly well that it completely worthless.
Now, such companies have often claimed that they are not con-artists, because they are in fact providing a service for a fee. But the service is so grossly different from what they persuade their customers to buy that it beggars the imagination to think how they might actually think they're doing a service to anybody. There are only two realistic options: either your former employers are deliberately misrepresenting their service, and counting on the fact that their customers are all small businesses that likely won't have the wherewithal to take them to court, or they are complete and utter morons with a grossly inflated sense of their own importance.
Actually, the javascript snippet might support the "moron" theory. But the conduct of the salesman very strongly supports the "con-artist" theory, because he went out of his way to avoid giving any real information to the prospect which would permit the prospect to fairly judge the offer. Either way, I think it is very much in the public interest to publicize this information. Customers have a right to fairly judge the quality of a proposition. If the people who posted earlier in this thread claiming to be employees actually are, then their protestations of innocence are entirely consistent with trying to prevent the public knowing just how worthless this product actually is.
And that, my friends, is the real WTF. Not the lame-O security, though that was a pretty darned good WTF. One of the best I've ever seen, made so much better by the company's attempts to "fix" the hole. The real WTF is that so many companies can get away with selling products so worthless that they must be either con-artists or the biggest incompetents in history.
Admin
I'm pretty sure the web dude at www.federalsuppliers.com is checking this thread pretty often. If so, I thought I'd let you know the navigation on this "login" page is broken now:
The style class is sticking a bar between them which makes it display as:"Federal R | egulations"
Look on the bright side.. you're getting all kinds of free QC and consulting work here. I know companies that have paid millions to have this kind of detailed site audit performed.
Admin
With their new login 'http://www.whitehouse.gov/index' as a username works. :P
Admin
The new implementation is great. Also I know it was suggested by someone in the comments. So they're actually reading this ^^
Anyone guessed the new password?
Admin
Well, at least they made it marginally more secure now. In fact, they should probably pay The Daily WTF, for solving their glaring security issue.
I just wonder how often they had to tell their "agents" about the new changes to the "security" login.