Admin
This is just too good to be true! It's gotta be some sort of "Lead Day" trick!!
HAHAHA!
Admin
Hmm, maybe:
var password = "secure"; or alert("PLZ don't hax0r our site!");
Admin
I'm sure it's frustrating that your "security" is the punchline to a joke that you don't get, but it really is your fault that it's so laughable.
You should read and understand the comments before accusing the writers of lying. Everything there is true. They're about your "security" and not about your business as a whole.
You're essentially using a combination lock with the combination written on it, which, honestly, is moronic if you expect it to work.
Admin
Did anyone tell them about the bad programming on the site? Maybe it is a web-site service provider where you can't run server scripts? In that case, tell them to change the provider. If that cannot be done, another way is to encrypt the page on the client side and use the given password to decrypt it, also on the client.
Admin
Oh man.. lynch this scammer
Admin
Fixed that for you.
Admin
OMIGAWD!
Stop it. You're making my sides hurt... I can't stop laughing.
"It's rude". Welcome to the internet, moron.
Admin
You're close... it's more like a closed doorway with no lock at all, and your sign is right beside it. The owner still could claim you pushed a door you weren't enbreastled to... if there wasn't a truck-sized hole on the wall next to the door (you could use the URL and avoid the "auth" script)
Admin
Now the page has been moved to: http://www.federalsuppliers.com/warning.html
But they still haven't figured out they need to remove the login/pass from the source...
Admin
I just found it too, and it's clear that they are incompetent: they changed the password and user name to zzzzz and fffxxx, but it's still right there in the page source. Morons.....
Admin
Are you retarded? Seriously?
Admin
Pull out the Kleenex and wipe your tears; there's a reason to PAY somebody to build your Web site. You should be blaming the idiot that built the Web site, not the people that aren't falling for the slick phone salesman saying anything he can to make his commission. Being ignorant is no protection under US Law.
Admin
what a joke ... their new url: http://www.federalsuppliers.com/warning.html
and the new code:
<script language="javascript">
<!--//
/* This Script allows people to enter by using a form that asks for a UserID and Password */
function pasuser(form) {
  if (form.id.value == "zzzzzz") {
    if (form.pass.value == "fffxxx") {
      location = "http://officers.federalsuppliers.com/agents.html"
    } else {
      alert("Invalid Password")
    }
  } else {
    alert("Invalid UserID")
  }
}
//-->
</script>
I just love incompetent people, don't you? They are absolutely great for business ...
Admin
Wow, comments are on page 8 already.
Great to see a live WTF/scam directly from Alex, hilarious!
Admin
Junkman has a point. The REAL WTF is actually the UK Computer Misuse Act.
Admin
The best part of this is I bet they are sending out company-wide e-mails to let everyone know about the "password change".
Admin
Not that there is much to be gained from the listing of businesses, people need to learn that bad security leads to bigger problems.
Google Hacking
Just be thankful FSG that you are getting this "review" of your security for free. And that there aren't any more holes that real life hackers can use. Oh wait, if posting the username and password into view source is their version of "security", I would personally HATE to see what security they put up for more CRITICAL information... like say, CREDIT CARD NUMBERS! If I were you FSG, I would take a long HARD look at your security, and make sure that it IS as secure as you THINK it might be.
Admin
Countryside Publishing, eh? I seem to recall once applying for a.. Website Manager job, I think (something like that, it was a management level position) and never receiving a reply back from them, several months ago.
So... whoever you folks hired to do the job was clearly a bozo, or hired bozos. Makes you regret not giving me a call now, doesn't it?
FWIW I contacted the company and informed them of how bad the site security is. I even offered to provide them consulting services as I live in the vicinity. I doubt I'll hear anything from them, but if I'm lucky I might have my 'fist!!11' customer for my new consulting business.
Admin
Well, sorta.
This is absolutely the Real WTF, and ties directly into the following:
I bet what happened is that someone did indeed call some of the companies on the Super Sekrit List, and some of those companies turned right around and called Federal Suppliers to ask them "WTF, mate?" directly. The comments that've been flying here are probably nothing compared to the fit that's been hitting the shan over there.
To both of these questions, I present the only-recently-deceased Desktop Search Showdown. That thread was made of win, and for the same reason as this one (only an order of magnitude more so): the purveyor of the original WTF just insisted on coming back around over and over and over with a fresh supply of new WTFs.
Admin
Is this a clbuttic case of swear filtering? (http://thedailywtf.com/Articles/The-Clbuttic-Mistake-.aspx)
Admin
That's funny, it switches from "we" to "me/my" in the middle. And doesn't use proper grammar or punctuation. Some TDWTFer want to take credit for this, or shall we judge that their legal representation, which would post comments to a forum, is on a level with their website security?
Admin
Their MySQL is on 3306 if anyone wants to try
Admin
Lol this organisation is ridiculous, cheap mock-up scam that can't even 'invest' in an easy server based php login system
Admin
Also someone smarter than I could probably go this route: ftp://federalsuppliers.com
Admin
Haha, you're going to jail
Admin
I agree!
And that employee comment, legendary comment! LUSER !!
Admin
This is hysterical. Alex (not you, the other Alex), buy this man a capital letter. (Whoops, that's not Wheel of Fortune, is it?) Even punctuation would help.
This has got to be the best WTF ever, by far. Not only was the javascript insane; not only was the salesman insane; not only is this hurt response insane; but you've actually managed a Geraldo-level expose.
And it's funny. Which is the main point.
Now I'll go get a beer and read the other posts. LOL.
Admin
Never mind. They're all comedy classics.
Admin
Um, no, good people feel a sense of moral responsibility when writing code or script, a sense that leads one to learn how to do things properly, rather than half-buttockedly, so whoever wrote your website fails the test of "good people."
Admin
I really hope that's real. I don't think it's the "hackers" that are damaging his reputation...
Admin
Oh ... I see what you mean.
Admin
Which is what you have to do. Not on the client side, not comparing strings, and with some Java voodoo in between. But those are minor details.
Admin
Just repeating this in case anyone missed it the first time.
Fuck that thing about four kids. Even Florida social services will look after them better than L. Ron Hubbard.
Admin
This post is encrypted using 2ROT13. Unauthorized decryption is a violation of the DMCA.
Ha ha now I can sue everyone and get rich!
Admin
I am hoping this jackass is a troll, if this is a real reply....
/facepalm
captcha: odio (shouldn't that have been odious?)
Admin
If you are a professional, offering professional services which may contain the transmission of potentially sensitive information, it is your obligation to properly secure your website. That goes for anyone with a routable IP.
Now, I don't really care if you're a legit business or not. Well, actually I do, but that's not why I'm responding. I'm responding because you're way off-base here, man. Unless the "appropriate authorities" that you're referring to actually are ninja developers, in which case I guess the joke's on me!
I would go as far as to say that a vast majority of the readers here at The Daily What The ..., I mean.. Worse Than Failure, could've done the same thing as Alex. Don't take that as braggadocio, either; it's a slam against your site's "security". Said security is equivalent to hiding your car key in the gas tank; when your car gets stolen, the insurance company will laugh at you (while they deny your claim on the grounds of stupidity).
Spend some money (gasp!) and fix your site. And let me give you a hint here: don't hire a government contractor for the job ;)
p.s. your domain registration is about to expire.
Admin
Just asking. I figured this dialog could benefit from a bit of grammar nazi-ism...
Admin
I came across a site a while back with similar security.
The awesome thing about it was that they actually went the extra mile to (lightly) obfuscate the javascript they used to check the password, but the "secret" URL they were protecting was simply the form element's action attribute. The script would just return false to the form's onsubmit event if you didn't type the right password (which could be easily seen in the urlencoded script anyway).
Admin
I have lynx:
Index Government Work Securing Federal State GSA Contracts Listing ... (p1 of 4)
If you call up the "agents" link, it displays:
Federal Procurement Officers This site is reserved for Federal Procurement Officers only.
Infobar
More About GSA
A GSA Schedule Contract permits you to create customer loyalty, increase awareness, and quickly make contract deals through BPAs and Teaming Arrangements. LEARN MORE
Questions?
If you have any questions about the Directory, just send an email to: [email protected]
Admin
Then PLEASE spend a few bucks on a web coder to properly secure your website. You are putting your information at risk.
Admin
Hmm, this is a legitimate business that sells overpriced stuff with somewhat high pressure techniques, to presumably unsophisticated businesses. I sense the "idea" behind the so-called secure area is not to be too secure -- if you are a government purchasing officer, you would be given password access anywhere and since there are no state secrets here, real security isn't essential. But that doesn't change the fact that this service is very poor value and most of the 'stuff' is the selling, not the substance.
Admin
tl;dr
Admin
Wow, so many comments.
Yea go ahead report me for hitting your website. I dare you to come get me. I double dare you. Come and get me.
Come on... Come get me for accessing your "secure" junk.
Anyway. Your company is slime. What you are doing is legal, but it is slime. I know it, you know it. You got caught redhanded.
Shut up and take it like a man.
Admin
This comment leads me to believe you'd be an ideal customer for my new business.
Are you insured against large, seabound mammals? No? Then your family could be at risk!
Call 555-7894 and buy new Walrus Insurance today!
Admin
Seriously? This is a joke right? Learn to capitalize letters, use commas, and add spaces between words like "work and." The grammar alone shows that the people running this company are ill educated in the least.
Admin
I really hope you're kidding. Your security not being "up to out standards." You know, I had a security system for this awesome fort I built when I was 10. Whenever my parents approached, I would say, "You have to say 'password' to enter."
Yeah, that's what you guys did on your site.