• (cs) in reply to sorakiu
    sorakiu:
    When you cross the line from posting stories about failures in software development to pointing your readers at exploitable websites (no matter how easily), in my mind, you've moved from being a journalistic site to a gang of vigilantes and thugs.

    -dave

    You raise an interesting point. One difference in this case in comparison to normal cases is that this person is from the outside instead of from the inside (such as most if not all of the stories here). This releases the contributor from NDA and other legal issues.

    I can't say if this is enough reason, but it is a difference.

  • this webcomic is a wtf (unregistered) in reply to ObiWayneKenobi
    ObiWayneKenobi:
    Provided this site is legit, and wants to improve, then I am prepared to offer my consulting services for a nominal fee to A) Redesign their website to make it decent looking, and B) Add some real security and features, not a bunch of hard-coded vaporware. I am located in the Tampa Bay area - if this place is in Palm Harbor, that is only about 20 minutes from where I live. I would not mind assisting a business that is just, to be blunt, ignorant of what needs to be done.

    I'd say about $5,000 for a redesign, some logo branding, and some development sounds about right.

    I can do a better job for less. send inquiries to [email protected]

  • blinder (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    OMG!!! ok... this is way way too funny.

    you should of protected

    should of???? should of???? is that anything like "should have???" pretty smart aren't you? yeah, maybe not so much.

    So, I wonder what "authorities" you are going to report anyone to for doing a "view source" on your terrible web site? What law is that breaking?

  • Tomaq (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    So you work for this organization but you don't even have proper grammar skills?

  • J. Grant (unregistered) in reply to this webcomic is a wtf

    Bah. I can do it for HALF THAT and 6 cases of beer. email inquiries to [email protected]

  • Phleabo (unregistered) in reply to Annaleemac
    Annaleemac:
    Aren't all you wienies, I mean geeks, just so proud of yourselves? I guess between taking a few tokes you have nothing better to do than slam people trying to actually work for a living.

    I for one resent the stereotype of us computer geeks sitting alone smoking weed in our underwear.

    I for one prefer crack, and I don't wear underwear.

  • Scottish (unregistered)

    Even Google read those files. They're in the Google cache. Google's spiders must be hackers too!

  • bj (unregistered) in reply to sorakiu

    Let's go back to that great house analogy. This is more like a house built with no walls, doors, or windows. People come by and stare and say WTF people actually live their life in this thing?

    The people paying this company have a right to know that this website is not as secure as it claims. If people are hurt and lose money, that is the company's own fault, not the fault of the people revealing the truth!!

  • Jay (unregistered)

    In the latest round of "updates" I guess we have a new username and password to lead you to the 404 page:

    [code]
    <script language="javascript">
    <!--//
    /* This Script allows people to enter by using a form that asks for a UserID and Password */
    function pasuser(form) {
      // Both expected values are string literals, sent to every visitor along with the page
      if (form.id.value == "zzzzzz") {
        if (form.pass.value == "fffxxx") {
          // The "protected" page is a plain URL; nothing checks credentials there
          location = "http://officers.federalsuppliers.com/agents.html"
        } else {
          alert("Invalid Password")
        }
      } else {
        alert("Invalid UserID")
      }
    }
    //-->
    </script>
    [/code]

    Somewhere, someone is changing usernames and passwords as quickly as they can be View Sourced. What a crappy job.

  • dhimes (unregistered) in reply to Sys

    no--don't tell them... People with their motives can be dangerous if they get smart...

  • saturn (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    "all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better."

    this is the best quote ever.

  • BobB (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    ... sorry our site wasn't protected to your standards however ...
    Even by my lax standards the site lacks protection.
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    ... all of you are being reported to the appropriate authorities as we have your information too. ...
    I wonder which authorities these are. I'm certain they will be entertained regardless.
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    ... you should of protected your info a little better. ...
    Something about a pot and a kettle, I don't remember how the phrase goes however...
  • hax0rz (unregistered) in reply to Horton Hears a FAIL
    Horton Hears a FAIL:
    Good news!!!!

    You may be eligible for support to fix your horrible coding.....Wow! really good news....For only $1500 I can fix that for you....Whaddaya say?

    702-229-3111

    Damn you... I called that number. Now the cops have my information too!!!

  • Demaestro (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.

    Perhaps you should look up the meaning of hacking... there is no auth on the landing page where the info lives... there is only auth on the page that provides the link. All one has to do is traverse directly to the landing page. That is where the auth should live.

    To hack something one must circumvent security measures... since the page listing the info has no security on it then it isn't possible to hack; all one needs to know is the URL.

    Security through obscurity means nothing. Basically you hid the door to the safe but you left it open and worse you did so in a public area. Since you love your company so much you should get them to budget an overhaul of the website and hire someone who knows what they are doing this time.

  • MM (unregistered)

    TRWTF is that people keep saying they should get better security, when the only reason they could even want security on that site is to keep people from checking their references like happened in the original story. If they were legit, they would be trying to open up and advertise their site, so that their clients who paid so much to be listed might actually get some traffic off of it.

    Putting username/password boxes on a page while telling everyone who goes to that page what the username and password should be (and telling them where to go directly without putting in that name/password) is something we can laugh at them about, but what identifies them as a scam isn't that they had laughably bad security, it's the fact that they had clearly wanted to have security there.

  • Dazed (unregistered) in reply to sorakiu
    sorakiu:
    You're missing the point. ...

    When you cross the line from posting stories about failures in software development to pointing your readers at exploitable websites (no matter how easily) ...

    No, sorry: you are the one missing the point, as you demonstrate by using the word exploitable again. There is no exploit here. What is happening here is a bunch of people laughing at a website. It is no more reprehensible than a bunch of people laughing at any other unintentionally humorous site. If people don't want any risk whatever of their site being laughed at, they shouldn't have a site.
  • (cs) in reply to sorakiu
    sorakiu:
    dpm:
    Where is the damage?

    So what you're saying is that there has to be tangible monetary losses in order for them to be anonymous?

    No, I want to know what harm I'm causing. I see none.

    The whole google cache argument is somewhat irrelevant.

    No, it illustrates how open they are, and have been.

    In my mind, dailywtf should have edited the article to present the story (which is why I read the site) and leave the involved parties out and anonymous.

    That's your opinion, and I respect it. But you're not convincing me that there's any reason for me to adopt it.

    Is it to be entertained by the folly of people in the industry? Or is it to harass less knowledgeable people in our field? I want no part of any site that delights in the harm of others.

    I think you mean "named others", since clearly this site has been making fun of people for years. But even in this case, it's just the company, not anyone by name, and it's well-deserved, so I still don't see the harm.

    That was the best thing about entering the white collar workforce. I can't remember the last time somebody publicly shamed me for the fun of it when I made a mistake. The last time I saw that kind of behavior was in public high school.

    There is a value in public shame. You screw up badly enough, people make fun of you, you learn from it.

  • (cs)

    No, no, TRWTF is that servers don't provide support for Basic username/password security for <Directories> out of the box.

  • (cs) in reply to Annaleemac
    Annaleemac:
    Aren't all you wienies, I mean geeks, just so proud of yourselves? I guess between taking a few tokes you have nothing better to do than slam people trying to actually work for a living. While you have all day to sit around in your underwear trying to prove your superiority breaking into what amounts to other people's houses, (albeit, online houses) the rest of the world is working. It must be tough for you to justify your lives without vilifying others. I'm sure you don't even try. People who make false statements about others may find themselves at the wrong end of a lawsuit. People in glass houses shouldn't throw stones. But, don't worry, nothing could possibly happen to you. I'm sure no one could find your address. I'm sure you all operate everything in your life on the up and up and can hold up to scrutiny as well. So, just smoke another one and don't you worry about it.

    The real issue is that serious businesses use professional level security. This looks like something the owner had his nephew do in his high school web class.

    If the Brinks truck guard carried a squirt gun instead of a real pistol, would you call that real security? It's security theater - it looks secure, but it's not. If you only want to pretend to be secure, then don't get upset when someone points out that it's fake.

  • nosebleed (unregistered)

    There was no "hacking" involved with this. The username/password is right there in the page source clear as day! Sheesh, you couldn't at least use a .htaccess/.htpasswd? A PHP script with a MySQL database? It's not like they're all that hard to set up.

  • Demaestro (unregistered) in reply to sweavo

    The problem with what you are saying is that they have it in a public area... it isn't like walking into a privately owned building and ignoring a "Do Not Enter Sign"

    Their server is set up to serve files to anyone who requests them. If I don't go to the page with the JS "auth" and I traverse right to the page they are "protecting" then I haven't circumvented anything since I wasn't on the page with counter measures at all.

    So yes, if someone puts a note on a door and it reads "do not enter" and the door is open then you can't enter.... problem is there are about 100,000,000 x 100,000,000 other doors into that room that don't have the sign.

  • Shawn (unregistered) in reply to Sys

    Wait... so this critical online guide was taken off-line? That doesn't seem fair to the people that paid hundreds or thousands of dollars to be listed. It also seems like that would really upset the folks in the federal government that relied on that site to get the names of businesses.

    Hmmm... maybe it IS a scam after all.

    PS - to the "employee with the family that entirely depends on this company for his living"... dude we all know you're the guy in charge of the scam. Also - if you want to try to plead your case, you will have better luck if you run your comments through a spell / grammar check first.

    I'm sure one of your clients offers copy editing services -- perhaps you could check with them.

  • (cs) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for ...
    I don't usually trawl through the comments, but my interest picked up seeing this one featured.

    The real WTF is how many pages of comments there are. It would have been fewer and duller without FSG's post(s).

  • bk (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    ROFL. Scam.

  • rodriguez (unregistered)

    Is it really "hacking" if you are given the password? I mean, sure the guy didn't say the password over the phone, but by putting the username and password in the Javascript like that, they are basically giving it away. They are giving it to anyone who "asks" for it.

    As for "sorry our site wasn't protected to your standards", it makes me wonder to what standards they were protected. Besides, is there anything there that prevents people from just going to the linked page itself once they know about it... hang on... wouldn't robots be able to get to their "secure" site?

  • dude (unregistered)

    So when I started to read this and saw the login box I thought 'oh no, they've left their login open to SQL injection', oh dear. But to actually see they think that going to a valid URL is hacking!!

  • wtf (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    lol

  • TraverseCity (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Here it is, you GIVE the people at large the login....It's on the page plain as day. If our government is protected like this then there is no hope for it. Keep doing your shoddy work and put the passwords out so everyone EVERYONE can see it.

  • Troy (unregistered) in reply to Sys

    Wow... I'm actually registered with CCR and got a call from these guys as well. I did the same thing, I declined to be in it for the amount of money. Beware of the phone book as well, expensive with 0 actual leads... all of them were grandmothers trying to install RAM in their Packard Bell, etc. That's funny you actually took the effort to go and look at the site. Maybe you can pick them up as a client for a nominal fee of $600 to $6000, the price of a single ad, and you can fix their site to be secure.

  • Not even a 'hacker' (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    I don't know if the owner of the FSG co. will come back here, but since no one has spelled this out for him, I'm going to:

    Your username and password information is stored IN PLAIN TEXT within the page itself. Anyone who visits your site and views the source code from their browser can glean the login information in this manner. This means that your login is BY DEFINITION NOT SECURE. You do not have to be a hacker to figure out how to log in. You could just accidentally hit Ctrl-U on your keyboard!

    I should also note that THE BURDEN TO SECURE THE SITE LIES ON THE OWNER/AUTHOR, and since you are doing business with federal agencies, this login method does NOT comply with various ISO, NERC, and NIST standards for cyber-security (the standards that typically set the baseline for online security that MUST be adhered to by federal agencies.)

    Maybe this is why the author of this article found out that certain clients of yours received no sales leads from your directory... federal and state agencies have seen that your security (and perhaps by association, your entire organization) is a joke.

  • John (unregistered)

    There was another government site that was like this. It was for anti-terrorism training and the password was checked against an MD5. It was such a simple password that the MD5 didn't help protect it any better.

  • It's like this (unregistered) in reply to dextron
    dextron:
    servers don't provide support for Basic username/password security for <Directories> out of the box.

    It's a shame that toasters don't come turned on. I hate it when you open the box and you have to turn the thing you just bought on. I mean, geez, I just bought this toaster, is it such a leap of intuition to think I might want to make toast when I open the box??

    Actually, servers do come "out of the box" supporting authentication.

  • umm... (unregistered)

    What's really interesting is...despite the fact that this story was posted today - somehow, some way this company has such a small amount of web traffic that they were able to come in to work, notice a bunch of click-throughs from TDWTF, visit here, leave comments, and change their page multiple times since. In fact, they knew this story was posted before I did, and I visit here pretty much daily.

    Hmm...

    Sounds to me like their web guy is a TDWTF frequenter...how else could they have known about today's topic so quickly?

  • Andy (unregistered) in reply to Sys

    It's great how they'll even indicate if you got the right username and the wrong password by giving a different error message. Even if this was done server side, that's a big no-no. Not that it matters, since google's spider is (or others are) capable of following that URL from the javascript.

  • (cs) in reply to Sys

    Aw man, the page itself is now gone.

    Heh, this reminds me of (slightly related as in complete lack of security):

    [image]
  • (cs) in reply to umm...
    umm...:
    Sounds to me like their web guy is a TDWTF frequenter...how else could they have known about today's topic so quickly?

    In that case, TRWTF is that their web guy can read this site regularly and STILL have a page like that.

  • Franz Kafka (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.

    Okay, who's trolling? Nobody could be this stupid in real life.

  • Another Adverage hacker (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    BWA ha ha. just wait till someone puts your "for federal eyes only" materials on piratebay. For the people by the people bitch.

  • (cs) in reply to umm...
    umm...:
    What's really interesting is...despite the fact that this story was posted today - somehow, some way this company has such a small amount of web traffic that they were able to come in to work, notice a bunch of click-throughs from TDWTF, visit here, leave comments, and change their page multiple times since. In fact, they knew this story was posted before I did, and I visit here pretty much daily.

    Hmm...

    Sounds to me like their web guy is a TDWTF frequenter...how else could they have known about today's topic so quickly?

    What's your next guess, Sherlock?

  • andi (unregistered) in reply to sorakiu
    sorakiu:
    it was not obvious to me that they were scammers.
    It has been pointed out that they offer a 'service' to register your company with the CCR for merely a few hundred bucks, and from the article I gather that they try to create the impression that they themselves run this select little register for gov't agents and that the callee is lucky enough to be found eligible to be included ("Who's who" anyone?). I ask you, if this is not a scam, then what is? A mere hundred and fifty years ago (or less, depends on where you live I guess) such people 'working for their living' (hah!) in such a way probably would have been tarred, feathered and run out of town. They can consider themselves lucky to live in such enlightened times where nothing worse than the ridicule of a bunch of weed-smoking 'geeks' and 'wieners' awaits them. If someone reads this who has been suckered into paying for this shit: organize a class action suit.

    CAPTCHA: 'decet'. 'deceit' mis-spelled? How very fitting ;)

  • (cs) in reply to zip
    zip:
    umm...:
    ... Sounds to me like their web guy is a TDWTF frequenter...how else could they have known about today's topic so quickly?

    What's your next guess, Sherlock?

    No way! Only a complete moron would leave their site up after seeing it showcased here. If I ever saw one of my sites here, I'd

    httpd -k stop

    that site as fast as I could.

  • A nonymous (unregistered) in reply to dpm

    Ahh. I was on the fence about their business being a scam.

    <sarcasm>That job posting sure cleared it up for me! no scam here! </sarcasm>

  • Zig (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Your base are belong to us. BWAHAHAHAHAHA.

  • Franz Kafka (unregistered) in reply to Annaleemac
    Annaleemac:
    breaking into what amounts to other people's houses, (albeit, online houses) the rest of the world is working.
    Your site isn't what I'd call working.
    People who make false statements about others may find themselves at the wrong end of a lawsuit.

    And making baseless threats of legal action against dead german philosophers may make you a laughingstock.

    I'm sure no one could find your address.

    You're right - I checked myself out on one of those slimy peoplefinder sites and it didn't have anything more current than 2-3 addresses back.

    Maybe you should stop posting here and think about fixing your joke of a site.

  • Arlecchino (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    For Christ's sake man!!! It's not that our standards are not met, this login page is below ANY web-security related standard. If your work is really so important, then hire somebody who can do better than this.

  • Demaestro (unregistered) in reply to sorakiu

    Dave you are contradicting yourself...

    First you concede that there is no damage but you argue that it doesn't matter if there is damage or not... then you say "I want no part of any site that delights in the harm of others."

    Again.. where is the harm?

    It is like the guy who got onto planes and hid weapons... then contacted the media and the plane companies to tell them what he did, and how he did it, and why. He was charged but then charges were dropped.... He didn't do it to hurt or ridicule, but to educate. Of course someone will feel some ridicule at having their incompetence exposed but no harm was done. The ridicule would have been worse if the attack was malicious in nature...... instead the attack was used to highlight the need for improved security.... just like here.. This isn't hacking by any means... but if you want to call it that then call it "white hat" at least.

  • A nonymous (unregistered) in reply to this webcomic is a wtf

    isn't that the password an idiot would have on his luggage?

  • Nimrand (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    It's not hacking unless there is at least some real security in place (weak though it may be). Locking the door and then leaving the key in the lock, as you have basically done by leaving the password in the HTML file that is downloaded by the browser, doesn't count as security.

  • (cs)

    Okay, before, I was worried that this was going to become a serious problem for Alex...

    but since we've basically figured out that this is a legal but useless company, the employees aren't going to want increased scrutiny.

    This is hilarious!

Leave a comment on “So You Hacked Our Site!?”
