Admin
It seems that they already changed their "secure" username and password. Too bad it is still stored in the page source!
Admin
They changed their login/pw since the article. But not the method. The guy writing that JS has to be the dumbest dumbass ever...
Admin
Something interesting: google for "This Script allows people to enter by using a form that asks for a"
Admin
Looks like they caught on and fixed their site... well.... Sort OF... they changed the credentials.
<script language="javascript">
<!--//
/*This Script allows people to enter by using a form that asks for a UserID and Password*/
function pasuser(form) {
  if (form.id.value=="Agent") {
    if (form.pass.value=="fsg2008") {
      location="http://officers.federalsuppliers.com/agents.html"
    } else {
      alert("Invalid Password")
    }
  } else {
    alert("Invalid UserID")
  }
}
//-->
</script>
Admin
lol, they did it again!
<!--//
/*This Script allows people to enter by using a form that asks for a UserID and Password*/
function pasuser(form) {
  if (form.id.value=="buyers") {
    if (form.pass.value=="gov1996") {
      location="http://officers.federalsuppliers.com/agents.html"
    } else {
      alert("Invalid Password")
    }
  } else {
    alert("Invalid UserID")
  }
}
//-->
Admin
I would have bet $100 that this company lists their address in Florida, since so many scam companies do. Yes, they are located in Palm Harbor. WTF is the problem with Florida having so many scam operators?
Admin
TRWTF is on http://www.federalsuppliers.com/federal.html.
PAPERLESS PROCUREMENT!
Admin
WHOIS indicates that they're somehow related to a publishing company that is also based in FL.
Admin
lololol http://www.dynamicdrive.com/forums/archive/index.php/t-9560.html
He got the code from a forum. Here's an excerpt:
MuffinMan 05-12-2006, 06:03 PM If you're looking for a real simple login page, here's some code that I use on our internal website all the time. Change the yourusername, yourpassword, and the www.theurlyouwantogoto.com variables to suit your own code. I hope it will help you.
<script language="javascript">
<!--//
/*This Script allows people to enter by using a form that asks for a UserID and Password*/
function pasuser(form) {
  if (form.id.value=="yourusername") {
    if (form.pass.value=="yourpassword") {
      location="http://www.theurlyouwanttogoto.com"
    } else {
      alert("Invalid Password")
    }
  } else {
    alert("Invalid UserID")
  }
}
//-->
</script>...
elliot 05-12-2006, 08:43 PM Many thanks MuffinMan, I've gone and added that in place which will do nicely http://www.bhbgroup.co.uk/client.html
It doesn't need to be overly secure, only holding a form on the other side for clients to submit orders. They'll need a product code via email to use on the order form, so this is more than adequate.
cheers mate!
Admin
The really scary part is that anybody who wasn't technically savvy could easily be pulled into a ludicrous scheme like this.
Admin
The real WTF is the use of frames on the site.
Admin
Actually, you can avoid the "hacking" by just going to "http://officers.federalsuppliers.com/agents.html"
Admin
I wonder how the page displays using a web browser like Lynx (I think that is the right name for a text-only browser)?
I wonder how the page works with screen readers for the visually impaired (they probably do something with the JavaScript, but who knows)?
[Footnote: My captcha code was already in the IE drop list of previously used text strings. How secure is that?!?!]
Admin
The companies registered in Delaware have had a hundred years or so to get their shit together. The ones in Florida tend to be unsophisticated morons in a trailer park, with a stand-by ticket to one of Ronnie's favourite hot-spots of democracy, like El Salvador or Panama, or even the Grand Caymans.
If your scam is going to have a half-life measured in months, then go to Florida. If you reckon it's measured in decades, then register in Delaware.
Admin
Best WTF of the year!
I just clicked through some listings and found this, quite sad actually:
Alligator Marine 12/05 3435 Mangrove Ave Norfolk, VA 23502 Telephone: (757) 455-5123 Fax: (757) 455-5124 Email: [email protected] Website: www.alligatormarine.com Contact Name: Dennis Richardson Description: Service-Disabled Veteran-owned small business. Zodiac preferred professional dealer specializing in military, commercial, and first responder boats.
Soooo this company stole upwards of $600 from a combat-wounded U.S. soldier...shame on them.
also, I notice that all the pages were written in Microsoft Word 9...sweet.
Admin
Actually, it isn't even obscurity, since the page's URL is right in the login page's source. So it's security through... um...
Hm.
Admin
If you have any questions about the state listings, you can just call the person who wrote the Word document that generated the list (View Source for the Frame after choosing a state).
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 11">
<meta name=Originator content="Microsoft Word 11">
<link rel=File-List href="newjer_files/filelist.xml">
<title>newjersey</title>
<!--[if gte mso 9]><xml>
<o:DocumentProperties>
<o:Author>Donna DeBoer</o:Author>
<o:LastAuthor>FSG</o:LastAuthor>
<o:Revision>58</o:Revision>
<o:TotalTime>29</o:TotalTime>
<o:Created>2001-01-17T19:20:00Z</o:Created>
<o:LastSaved>2008-01-21T14:10:00Z</o:LastSaved>
<o:Pages>1</o:Pages>
<o:Words>907</o:Words>
<o:Characters>5173</o:Characters>
<o:Company>Cybertown Communications Corp.</o:Company>
<o:Lines>43</o:Lines>
<o:Paragraphs>12</o:Paragraphs>
<o:CharactersWithSpaces>6068</o:CharactersWithSpaces>
<o:Version>11.8132</o:Version>
</o:DocumentProperties>
Admin
That was the point of the WTF...did you even read it?
Admin
doing some looking about, this script goes back to 2002.
Here is where I think it originates:
http://www.javascriptkit.com/script/cut76.shtml
Admin
I'm really disappointed that the newsletter on the home page ...
Suppliers guides offer inside track on contracts By Jane Meinhardt – Staff Writer Tampa Business Journal (http://www.federalsuppliers.com/newsletter1.pdf)
doesn't actually exist. Seems like a real nice community all federal suppliers should be a member of!
Admin
[quote user="Whitey"]I think it would be good if the people listed on all those pages were somehow contacted and pointed back to this site. I'm sure most of them are oblivious to the fact that they have been scammed.[/quote] An e-mail scraper that sends a form message telling people to come to this thread?
Admin
Too bad the page it points to is offline
Admin
Hah. I'm going to start trying this on more sites. Surely there isn't more of these sites around...
Admin
It was taken offline a few minutes ago, probably in response to all the "hacking" that's been going on.
Admin
A change as simple as this would make it infinitely more secure. At least neither the password or "secured" page are available by looking at the source.
<script language="javascript">
<!--//
/*This Script allows people to enter by using a form that asks for a UserID and Password*/
/* The password is no longer compared in the page; it becomes part of the target URL instead */
function pasuser(form) {
  if (form.id.value=="Agent") {
    location="http://officers.federalsuppliers.com/"+form.pass.value
  } else {
    alert("Invalid UserID")
  }
}
//-->
</script>
Admin
Damn, 404, now that really is secure!!
Admin
I'm really bored, so I just clicked through to ALL the states - all the pages are not found, except the one from NY.
Admin
Years ago Congress proposed some law to make it a felony to use an electronic device to eavesdrop on cell phone conversations. I don't know if it ever passed, but I read a very entertaining editorial on it where the writer pointed out that cell phone transmissions were unencrypted radio signals (maybe with digital phones today that's no longer true, I don't know) that could be easily intercepted by anyone with the technical expertise to modify a radio to the appropriate frequencies. So, he said, a law banning eavesdropping would be about as effective as a law saying that page 18 of the New York Times is now reserved for private messages and no one is allowed to read that page unless they are notified that there is a message for them.
Much the same could be said for many lame security efforts.
Back when I worked for the military there was one site I had to access that required a password, only given out after you passed a security check ... but every page other than the login page could be reached by simply entering the URL into the browser. I bookmarked several useful pages.
And hey, don't laugh about the analogy of a gate with no fence. At a former job the big boss's office had a partition in the middle to separate his work area from the secretary's. The partition was several feet short of the walls on either side and well short of the ceiling. In the middle of the partition was a door. And every night the secretary carefully locked this door.
Admin
All you IPs belonging to me
Admin
Really the poster should have contacted a lawyer first. Someone who specializes in class action lawsuits would love to investigate this scam, and is sure to find some i that isn't dotted that he can turn into a pile of money. The submitter gets a few pennies for his finder's fee, and the knowledge that he helped save the world from one more scam.
Admin
You need a spot to hang the chad
Admin
The last thing we need is more lawyers!!
Admin
Steve, you just made my day!
Great addition to a very funny WTF.
Admin
And now the page isn't even available :(
Admin
Hmm... I live near Palm Harbor (like, within 20 minutes). Mayhaps it's time to offer my services as an "expert security consultant" to these people?
Addendum (2008-02-29 13:40): But then again, if they're so stupid/cheap as to not be able to hire a real developer (or anyone with half a brain, evidently), then I doubt they could afford my consulting rate.
Admin
that's even better, now anybody actually logging in, if they exist, gets directed to 404 Not Found.
Admin
They're back online!
Excellent new security measure.. they've changed the USERNAME!
<script language="javascript">
<!--//
/*This Script allows people to enter by using a form that asks for a UserID and Password*/
function pasuser(form) {
  if (form.id.value=="Agent") {
    if (form.pass.value=="fsg2008") {
      location="http://officers.federalsuppliers.com/agents.html"
    } else {
      alert("Invalid Password")
    }
  } else {
    alert("Invalid UserID")
  }
}
//-->
</script>
Admin
thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should have protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government work and also help federal buyers locate qualified small businesses to do business with. if you're not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. it's rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.
Admin
From what I see you do not even need to "login" as you can just go to the link. Obviously in apache you could configure some restrictions on the access to the files but from their use of javascript i'm sure they do not have someone who knows how apache works other than the fact that there is a web root folder.
Admin
As an employee of the company, I was just made aware of your site. Our company is legitimate and we're not a scam. The fact that our site security is weak is something we are addressing. We are staffed with good people, we offer a great service, and you are trying to ruin our reputation. You are crossing legal lines.
I am asking you to stop your actions immediately.
Admin
Would you folks be in the market for consulting services? Your site is not secure by any means, you don't want to be open to hackers, do you? I doubt you would want to lose business and customers to a competitor. For a nominal fee, I could develop a REAL website with security and the like that would actually help increase your business.
Admin
Still 404 though. :(
Admin
heheh Now the document is no longer found on their site. They've taken it down. However, the code is still the same:
"<script language="javascript">
<!--//
/*This Script allows people to enter by using a form that asks for a UserID and Password*/
function pasuser(form) {
  if (form.id.value=="Agent") {
    if (form.pass.value=="fsg2008") {
      location="http://officers.federalsuppliers.com/agents.html"
    } else {
      alert("Invalid Password")
    }
  } else {
    alert("Invalid UserID")
  }
}
//-->
</script>"
And this is the response if you put in this login:
"Not Found The requested document was not found on this server.
Web Server at federalsuppliers.com "
Admin
They decided to take down the agents.html file. That's pretty secure.
Admin
It's a pity the page has been taken down. It would have been a marketing jewel.
Do you have any silly product to sell? Start calling the people listed there, and you'll be amazed at the results.
Admin
Not being American, I may be wrong, but AFAIK if this company had any government endorsement it should be in a .gov domain.
Then if I am right, TRWTF is people trusting that the scammer is government related just because he says so, and his website appears to be (it is even US-flag themed). Of course, there are other measures to ensure you're not being fooled, but this is a start.
Admin
Umm, not taken offline, just changed.
http://www.federalsuppliers.com/warning.html
Admin
See http://en.wikipedia.org/wiki/.gov