Admin
You're still assuming there is a room. Put the sign on a door at the end of a hallway that leads outside where you can see the billboard with their "advertiser listing" and you're closer to the real situation.
It's still visible from the street, and being in the hallway in the first place was obviously optional.
Admin
HAHAHAHAHAHAHAHAHAAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA Listen up you MORON, your security is such that anyone with 8 seconds of work could "hack" their way in. Your idea of site security is laughable at best, and you need to get a grip.
Admin
Bob Smith: This is the same as leaving your wallet with your bank card and a note that has your PIN at a restaurant.
No, because even with the PIN and the card, accessing his bank account is illegal and you can't just walk up and access his bank account by knowing his branch address and nothing else.
This man has an aardvark. On a pedestal. He has a velvet rope surrounding the pedestal. He has a carnival hawker crying "Guess the secret word and SEE THE AARDVARK! You can't see the aardvark if you don't guess the secret word!".
And, of course, everyone is just looking around the carnival barker, over the velvet rope, and pointing out to him that that's no aardvark, that's a raccoon with a skin condition.
Admin
Check this out:
http://www.google.com/search?hl=en&q=site%3Ahttp%3A%2F%2Fofficers.federalsuppliers.com%2F+&btnG=Search
Due to their completely inept security google has spidered and cached all of the pages contents!
Admin
Are you aware of the complexities of lawsuits in an international electronic media environment? I think not... I could be next door or 6K miles away in a country that has no electronic exploitation laws whatsoever.
Threatening people with a wet noodle just pisses them off and opens yourself to a lot more grief. Not a good idea.
Defaming an individual's character because they happen to be more skilled in an area than you are is simply childish. So take your spanking, learn from it... and move on.
Respectfully submitted.
Admin
I'd like to thank the author of this article. I've been contacted several times by FSG regarding getting into their guide but never done it. Now they got a hold of my boss and he wants to do this. In addition, I contacted them regarding getting a GSA contract, which they quoted me on, guaranteed we would get on the schedule or our money back. I was worried about the fact that they insisted on addressing my concerns via phone rather than email (for an easy paper trail).
I was very close to getting the contract signed and sent in, but this is a real eye opener, and I was reminded of the fact that they never sent us a copy of their guide as I requested. Thanks for most likely saving us thousands of dollars (the price they quoted was MUCH lower than other firms that do this, which also worried me). I've disliked their site from the start, it doesn't look professional at all, and after seeing how they handle security and authentication, I'll definitely be looking in another direction. Thanks again!
Admin
The FIRST PARAGRAPH of the Computer Misuse Act (UK only - I've not looked into US law - wouldn't know where to start...):
"A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case. "
To make a point for any UK readers thinking this may be fun:
a. Clicking "view source" is to "perform any function" - no matter HOW menial it may appear to an experienced IT specialist.
b. The access...is unauthorised - attempts were made to conceal the information, no matter how pathetic.
c. "He knows...this is the case" - pretty self-evident from the article.
All in all, I'd say bad show from the TDWTF, stick to anonymity, or wait until April 1st next time...
...but also, if those comments are generally from HSG, grow up and get some professionalism - you're an embarrassment.
Admin
I'm glad you've run a successful business in order to support your family (I'm serious about that), but the problem is that your site isn't secured whatsoever by any industry standards.
Your login form is the equivalent of locking the door to your office and taping the key onto the front of the door (and that's being generous). While I don't believe that justifies anyone in using the data, you simply need to use real security.
Admin
You're a moron. There was no CRACKing involved. You gave out the name and password freely with each and every "login" page load. Get a clue.
We have the list of scammed "clients" you so kindly provided openly and will be forwarding it to the FTC and the Attorney General for review. Hold on to your ass pal because you're about to go for a ride.
Admin
HSG = FSG... duh
Admin
As a former business owner, your company is exactly the kind of scam I came across all the time.
"We'll list you in our directory for a nominal fee."
Usually the fee turns out to be FAR from nominal and the directory is something no one has ever heard of.
You think you're providing a service, fine. Spend some of the fees you are charging to hire a REAL web programmer who can add a real layer of security to your site. If I place my home banking password and account number on my website, along with a link to the bank's site, NO prosecutor in their right mind is going to have sympathy on me. Relying upon javascript for authentication is the same thing.
Admin
The likely reason for this is -- electronic text-based communication for the purposes of exploitation, extortion or fraud is now covered under the same criminal code as mail fraud.
Cheers.
Admin
I guess use of punctuation and paragraphs is not a paramount requirement for doing business with the federal gub'mint.
Admin
Hey, good on you for doing the research, however you fail to take into account that a web page (code content) being pushed to an individual's computer becomes public domain and is not protected in the manner your research implies.
Respectfully submitted
Admin
The below link is unauthorized. Only authorized people can click on it.
A secure link.
Admin
*link is authorized
Admin
Or maybe not. Whatever.
Admin
TRWTF here is that only a few comments have pointed out so far that the real WTF is that what the company is trying to keep secret is advertisements. Stuff that just wants to be as friggin public as possible. It is so funny I feel sad. Guys, I think you just blew my funny-fuse.
Admin
Someone DID tell them. They responded to this story, after all, and the information is right there.
Oh, this made me break something laughing. Thank you so much for sharing.
Admin
What really cracks me up about the "webmaster" changing the password to stop "hackers" is that he's probably also sending out company-wide emails with the new password every time he does it. That means that everyone in the company is getting an email every 3-4 minutes saying, "Sorry, guys, for technical reasons, the new password is: zzzzzzzzzz"
Admin
For those who haven't looked at the fax they sent, they included a copy of their privacy policy on page 2:
"As part of our business relationship we do not sell or share your company info with outside companies. You are carefully protected by a privacy policy where your company information is strictly confidential and we're serious about maintaining it."
It is just another fun piece of irony.
Admin
Has anyone tried a google search of pasuser(form) yet? It seems they're not the only ones to use this. It's more likely that they just copied and pasted this function from one of these links.
Admin
Okay, this is getting too hilarious. If you actually look at some of the listings in the Google cache (no access to FSG's wonderful site or any information they could possibly claim was secured), their listing is indexed by state and category.
But if you look at some of them, you'll see that in many of the sections so indexed, they have companies in Montana in a Utah page and one Nevada page only had a North Dakota and a Colorado company listed.
I only checked a couple, but it was enough to convince me that there are probably /many/ more examples.
It does appear to be a scummy operation, and a poorly run one at that. (And for the legally inclined, nothing stated in this post is conveyed to represent fact except those elements that you can independently verify by your own "m4d ski11z" (heh) with publicly available resources.)
Admin
Done, in an email. I also explained that viewing the source is not hacking -- hacking requires actively exploiting a vulnerability or cracking passwords.
Admin
OK, let's take it step by step:
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer
Yup, got me there, I could easily click the link out of interest.
(b) the access he intends to secure is unauthorised
If you were linking to a database of your customers' personal details, no matter HOW inadequate the protection, there would MOST DEFINITELY be a case for unauthorised access. You're linking to google, hardly unauthorised information.
(c) he knows at the time when he causes the computer to perform the function that that is the case.
This is the point where the case is argued - would I expect you to put a direct link up to your customer base? No... by viewing the source code, discovering addresses and THEN making contact with the unauthorised information...?
uhhhh.... not good....
Admin
It appears they moved most of the pages...too bad they can't take them out of Google's cache!
http://72.14.253.104/search?q=cache:ERN77rvMocoJ:officers.federalsuppliers.com/74/74_pa.htm+agents+site:federalsuppliers.com&hl=en&ct=clnk&cd=10&gl=us&client=firefox-a
Admin
Yes, I had always assumed that the anonymity was there to protect the submitter from retaliation, not to protect the company from ridicule. In this case, there is no need for anonymity. Nothing I've seen so far strikes me as "unfair" to this company - a few of the comments are perhaps a bit unkind, but if the original story is to be believed (not to mention posts by supposed employees), then that's entirely understandable.
Admin
Sounds like these scammers need to be reported to the FTC.
Admin
Also: Who, exactly, has been hurt by what was exposed? How have they been hurt?
This is not "our standards". This is common sense. You are giving out the username and the password, and hoping people don't realize they have them.
Admin
So sorry. My bad.
I do believe this will become a legend in the vein of the great Paula.
Brillant!
Admin
I guess my point is, by curiously viewing the source code (legal), he could see the address of the agent page.
You can not list an html address, and say 'but it is confidential, don't go there'. This is where Alex found himself. (and where I was poorly attempting to replicate with my google link) They did not secure the page whatsoever, they just didn't directly link to it on their page. Thus google was able to cache it, because it's a public page.
Your web server is on public domain, I am free to explore it even if the files are named 'secret.txt'.
Admin
You may or may not be legit. The point of the thing is that your company's sales practices are shady, to say the least. The feelings of the company's employees aren't my concern. The only thing immature here is the poor security of your company's web site. You should be talking to your managers to get it rectified rather than rambling here.
Admin
The "security" on your site is equivalent to leaving a spare key under your doormat... and then failing to lock the door anyway. If this information is not supposed to be public, then you've failed in your obligations and deserve to be exposed. Anyone with the common sense to click "view source" on the login page could have discovered this issue independently.
Frankly, if any of this information were actual government secrets, you would be the ones in trouble for not securing it properly. If you want to take out your anger, I suggest you contact the folks you paid to "secure" your site and explain exactly how they've failed in their obligations to you.
Admin
You could also argue that once the page is viewed, it's on your system and is now your property, right? :-)
Admin
@FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT
If you really are who you say you are, you need to learn a thing or two about the internets and what security is. No one hacked your site, you gave it away, you posted the password publicly. This is pretty sad if you are a government supplier, even a small family business needs to understand a little bit about internet security or hire someone who does to make your website.
Admin
Priceless. My guess is that they'll sue Google for "hacking" next.
Admin
I thought they had actually fixed it when I went to try. But then it turns out it was just noscript :D
Admin
Ok, laying to one side the devil's advocate bit...
This site appears to be hosted by matemedia
Classy... I presume they took the $7/month option?
I suppose they've got their money's worth of SEO now...
Admin
Domain: federalsuppliers.com Registration provider: MateMedia, Inc.
Registrant Jim Sprecher Jim Sprecher ***@countrysidepublishing.com PO Box 1735 Oldsmar, FL 34677 US +1.8139250195 (FAX)
Administrative Countryside Publishing Company Countryside Publishing Company Inc. ***@countrysidepublishing.com 3135 SR 580 Suite 6 Safety Harbor, FL 34695 US +1.7277263400 (FAX)
Billing Countryside Publishing Company Countryside Publishing Company Inc. ***@countrysidepublishing.com 3135 SR 580 Suite 6 Safety Harbor, FL 34695 US +1.7277263400 (FAX)
Technical Countryside Publishing Company Countryside Publishing Company Inc. ***@countrysidepublishing.com 3135 SR 580 Suite 6 Safety Harbor, FL 34695 US +1.7277263400 (FAX)
Record created on May 18, 1997 Record last updated on November 13, 2006 Record expires on May 19, 2008
Domain Name Servers: NS.RACKSPACE.COM NS2.RACKSPACE.COM
Admin
Public domain? You're kidding, right?
Admin
The funny bit is, no one hacked anything. The user name and password are visible with just one mouse click. They are essentially being broadcast for anyone to see. There is no legal recourse in this matter, because your website is actually telling people what the login is in plain view.
Instead of going after the millions of people that can easily access your "secured" website, you should be more worried about all of the pending lawsuits from people whose information was compromised by a company that is essentially handing out access to their database to anyone with a computer and a right mouse button.
You have been betrayed by the company you work for by their inexcusable gross negligence.
Admin
This company is enbreastled to run their operation however it pleases them.
Admin
How dare you provide a reasonable argument in the midst of a flame war? Good show sir, Good show!
Admin
To FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
I feel for you, since I imagine this wasn't your fault, but this isn't "hacking". Anybody with the slightest bit of tech knowledge will figure this out.
Do your company a favor and secure the page with htaccess, then go look for a real developer. I doubt anyone means your company any real harm, and we aren't slandering it. It's just rather funny how unintelligent that login box is :).
Admin
Hurry up, guys! The time is running out!
Admin
Oh you didn't post the DNS!
Hurry everyone call and report this to Jim.
I smell a job opening.
Admin
TRWTF is all the comments from people thinking that the page was actually password protected in the first place and bothering to copy out and enter the username and "password".