- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
You raise an interesting point. One difference in this case in comparison to normal cases is that this person is from the outside instead of from the inside (such as most if not all of the stories here). This releases the contributer from NDA and other legal issues.
I can't say if this is enough reason, but it is a difference.
Admin
I can do a better job for less. send inquiries to [email protected]
Admin
OMG!!! ok... this is way way too funny.
should of???? should of???? is that anything like "should have???" pretty smart aren't you? yeah, maybe not so much.
so, i wonder what "authorities" are you going to report anyone to by doing a "view source" on your terrible web site? What law is that breaking?
Admin
So you work for this organization but you don't even have proper grammar skills?
Admin
Bah. I can do it for HALF THAT and 6 cases of beer. email inquiries to [email protected]
Admin
I for one resent the stereotype of us computer geeks sitting along smoking weed in our underwear.
I for one prefer crack, and I don't wear underwear.
Admin
Even Google read those files. They're in the Google cache. Google's spiders must be hackers too!
Admin
Let's go back to that great house analogy. This is more like a house built with no walls, doors, or windows. People come by and stare and say WTF people actually live their life in this thing?
The people paying this company have a right to know that this website is not secure as it claims. If people are hurt and lose money, that is the company's own fault not people revealing the truth!!
Admin
In the latest round of "updates" I guess we have a new username and password to lead you to the 404 page:
[code]
<script language="javascript"> <!--// /*This Script allows people to enter by using a form that asks for a UserID and Password*/ function pasuser(form) { if (form.id.value=="zzzzzz") { if (form.pass.value=="fffxxx") { location="http://officers.federalsuppliers.com/agents.html" } else { alert("Invalid Password") } } else { alert("Invalid UserID") } } //--> </script>{/code]
Somewhere, someone is changing usernames and passwords as quickly as they can be View Sourced. What a crappy job.
Admin
no--don't tell them... People with their motives can be dangerous if they get smart...
Admin
"all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better."
this is the best quote ever.
Admin
Admin
Damn you... I called that number. Now the cops have my information too!!!
Admin
Perhaps you should look up the meaning of hacking... there is no auth on the landing page where the info lives...there is only auth on the page that provides the link. All one has to do is traverse directly to the landing page. That is where the auth should live
To hack something one must circumvent security measures... since the page listing the info has no security on it then it isn't possible to hack all one needs to know is the URL.
Security through obscurity means nothing. Basically you hid the door to the safe but you left it open and worse you did so in a public area. Since you love your company so much you should get them to budget an overhaul of the website and hire someone who knows what they are doing this time.
Admin
TRWTF is that people keep saying they should get better security, when the only reason they could even want security on that site is to keep people from checking their references like happened in the original story. If they were legit, they would be trying to open up and advertize their site, so that their clients who paid so much to be listed might actually get some traffic off of it.
Putting username/password boxes on a page while telling everyone who goes to that page what the username and password should be (and telling them where to go directly without putting in that name/password) is something we can laugh at them about, but what identifies them as a scam isn't that they had laughably bad security, it's the fact that they had clearly wanted to have security there.
Admin
Admin
No, I want to know what harm I'm causing. I see none.
No, it illustrates how open they are, and have been.
That's your opinion, and I respect it. But you're not convincing me that there's any reason for me to adopt it.
I think you mean "named others", since clearly this site has been making of people for years. But even in this case, it's just the company, not anyone by name, and it's well-deserved, so I still don't see the harm.
There is a value in public shame. You screw up badly enough, people make fun of you, you learn from it.
Admin
No,no TRWTF is that servers don't provide support for Basic username/password security for <Directories> out of the box.
Admin
The real issue is that serious businesses use professional level security. This looks like something the owner had his nephew do in his high school web class.
If the Brinks truck guard carried a squirt gun instead of a real pistol, would you call that real security? It's security theater - it looks secure, but it's not. If you only want to pretend to be secure, then don't get upset when someone points out that it's fake.
Admin
There was no "hacking" involved with this. The username/password is right there in the page source clear as day! sheesh you couldn't at least use a .htaccess/.htpasswd? A PHP script with MySQL database? It's not like they're all that hard to setup.
Admin
The problem with what you are saying is that they have it in a public area... it isn't like walking into a privately owned building and ignoring a "Do Not Enter Sign"
Their server is set up to serve files to anyone who requests them. If I don't go to the page with the JS "auth" and I traverse right to the page they are "protecting" then I haven't circumvented anything since I wasn't on the page with counter measures at all.
So yes if someone puts a note on a door and it reads "do not enter" and the door is open then you can't enter.... problem is there are about 100,000,000x 100,000,000 other doors into that rooms that don't have the sign.
Admin
Wait... so this critical online guide was taken off-line? That doesn't seem fair to the people that paid hundreds or thousands of dollas to be listed. It also seems like that would really upset the folks in the federal government that relied on that site to get the names of businesses.
Hmmm... maybe it IS a scam after all.
PS - to the "employee with the family that entirely depends on this company for his living"... dude we all know you're the guy in charge of the scam. Also - if you want to try to plead your case, you will have better luck if you run your comments through a spell / grammar check first.
I'm sure one of your clients offers copy editing services -- perhaps you could check with them.
Admin
The real WTF is how many pages of comments there are. It would have been fewer and duller without FSG's post(s).
Admin
ROFL. Scam.
Admin
Is it really "hacking" if you are given the password? I mean, sure the guy didn't say the password over the phone, but by putting the username and password in the Javascript like that, they are basically giving it away. They are giving it to anyone who "asks" for it.
As for "sorry our site wasn't protected to your standards", it makes me wonder to what standards they were protected to. Besides, is there anything there that prevents people from just going to the linked page itself once they know about it... hang on... wouldn't robots be able to get to their "secure" site?
Admin
So when I started to read this and saw the login box I thought 'oh no, they've left their login open to sql injection', oh dear. But to actually see they think by going to a valid URL is hacking!!
Admin
lol
Admin
Here it is, you GIVE the people at large the login....It's on the page plain as day. If our government is protected like this then there is no hope for it. Keep doing your shoddy work and put the passwords out so everyone EVERYONE can see it.
Admin
Wow... I'm actually registered with CCR and got a call from these guys as well. I did the samething i declined not to be in it for the amount of money. Beware of the phone book as well, expensive with 0 actual leads... all of them were grandmothers trying to install ram in their packard bell, etc. Thats funny you actually took the effort to go and look at the site. Maybe you can pick them up as a client for a nominal fee of $600 to $6000 the price of a single ad and you can fix their site to be secure.
Admin
I don't know if the owner of the FSG co. will come back here, but since no one has spelled this out for him, I'm going to:
Your username and password information is stored IN PLAIN TEXT within the page itself. Anyone who visits your site and views the source code from their browser can glean the login information in this manner. This means that your login is BY DEFINITION NOT SECURE You do not have to be a hacker to figure out how to log in. You could just accidentally hit Ctrl-U on your keyboard!
I should also note that THE BURDEN TO SECURE THE SITE LIES ON THE OWNER/AUTHOR, and since you are doing business with federal agencies, this login method does NOT comply with various ISO, NERC, and NIST standards for cyber-security (the standards that typically set the baseline for online security that MUST be adhered to by federal agencies.)
Maybe this is why the author of this article found out that certain clients of yours received no sales leads from your directory... federal and state agencies have seen that your security (and perhaps by association, your entire organization) is a joke.
Admin
There was another government site that is like this. It was for anti-terrorism training and the password was checked against a MD5. It was such a simple password that the MD5 didn't help protect it any better.
Admin
It's a shame that toasters don't come turned on. I hate it when you open the box and you have to turn the thing you just bought on. I mean, geeze, I just bought this toaster, is it such a leap of intuition to think I might want to make toast when I open the box??
Actually, servers do come "out of the box" supporting authentication.
Admin
What's really interesting is...despite the fact that this story was posted today - somehow, some way this company has such a small amount of web traffic that they were able to come in to work, notice a bunch of click-throughs from TDWTF, visit here, leave comments, and change their page multiple times since. In fact, they knew this story was posted before I did, and I visit here pretty much daily.
Hmm...
Sounds to me like their web guy is a TDWTF frequenter...how else could they have known about today's topic so quickly?
Admin
It's great how they'll even indicate if you got the right username and the wrong password by giving a different error message. Even if this was done server side, that's a big no-no. Not that it matters, since google's spider is (or others are) capable of following that URL from the javascript.
Admin
Aw man, the page itself is now gone.
Heh, this reminds me of (slightly related as in complete lack of security):
[image]Admin
In that case, TRWTF is that their web guy can read this site regularly and STILL have a page like that.
Admin
Okay, who's trolling? Nobody could be this stupid in real life.
Admin
BWA ha ha. just wait till someone puts your "for federal eyes only" materials on piratebay. For the people by the people bitch.
Admin
What's your next guess, Sherlock?
Admin
CAPTCHA: 'decet'. 'deceit' mis-spelled? How very fitting ;)
Admin
No way! Only a complete moron would leave their site up after seeing it showcased here. If I ever saw one of my sites here, I'd
httpd -k stop
that site as fast as I could.
Admin
Ahh. was on the fence about their business being a scam.
<sarcasm>That job posting sure cleared in up for me! no scam here! </sarcasm>
Admin
Your base are belong to us. BWAHAHAHAHAHA.
Admin
And making baseless threats of legal action against dead german philosophers may make you a laughingstock.
You're right - I checked myself out on one of those slimy peoplefinder sites and it dodn't have anything more current than 2-3 addresses back.
Maybe you should stop posting here and think about fixing your joke of a site.
Admin
For Christ's sake man!!! It's not that our standards are not met, this login page is below ANY web-security related standard. If your work is really so important, then hire somebody who can do better then this.
Admin
And making baseless threats of legal action against dead german philosophers may make you a laughingstock.
You're right - I checked myself out on one of those slimy peoplefinder sites and it dodn't have anything more current than 2-3 addresses back.
Maybe you should stop posting here and think about fixing your joke of a site.
Admin
Dave you are contradicting yourself...
First you concede that there is no damage but you argue that it doesn't matter if there is damage or not... then you say "I want no part of any site that delights in the harm of others."
Again.. where is the harm?
It is like the guy who got onto planes and hid weapons... then contacted the media and the plane companies to tell them what he did, and how he did it, and why. He was charged but then charges were dropped.... He didn't do it to hurt or ridicule, but to educate. Of course someone will feel some ridicule at having their incompetence exposed but no harm was done. The ridicule would have been worse if the attack was malicious in nature...... instead the attack was used to highlight the need for improved security.... just like here.. This isn't hacking by any means... but if you want to call it that then call it "white hat" at least.
Admin
isn't that the password an idiot would have on his luggage?
Admin
Its not hacking unless is at least some real security in place (weak though it may be). Locking the door and then leaving the key in the lock, as you have basically done by leaving the password in the HTML file that is downloaded by the browser, doesn't count as security.
Admin
Okay, before, I was worried that this was going to become a serious problem for Alex...
but since we've basically figured out that this is a legal but useless company, the employees aren't going to want increased scrutiny.
This is hilarious!