Oklahoma Leaks 10,000 Social Security Numbers
DrJokepu writes "Apparently the folks at the Department of Corrections of Oklahoma just forgot to use common sense when they created the state's Sexual and Violent Offender Registry. By putting SQL queries in the URLs, they not only leaked the personal data of tens of thousands of people, but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list. Fortunately, after the author of the blog The Daily WTF notified the department about the issue, the site went down for 'routine maintenance' on April 13 2008."
Please tell me this is a spoof.
Beer is proof that God loves us and wants us to be happy.
(1)Hack the registry
(2)Put your own name in the registry
(3)Sue the state
(4)Profit!!!
(5) (remember to have your name removed from the registry!)
This breaks my brain, even for the normally stereotypically slow, stereotypically technology-shy government (though I will say that a lot of the Government of Canada sites work surprisingly well in my experience).
SQL queries IN THE QUERY STRING. Someone reading their FIRST BOOK on web development would know not to do that! And now God help the people who have been affected by this: try proving to the government that you're not a sexual offender when you're already on their list.
SQL injections. Learn them. Learn how to mitigate them (a PHP-specific example, but there are similar mitigation techniques for other languages). And I mean, hell, in a site like this (and especially with programmers apparently this bad), stored procedures might be the thing to implement. Or even better, use a framework like CakePHP, Rails, or Django with this sort of sanitation built into the queries it generates.
Ugh. I hope someone gets fired for this. I bet, though, that in reality this was programmed by the lowest bidder.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Perhaps the ODOC is managed by former Tuttle, OK city manager Jerry Taylor.
... or get their name put on the list.
...the site went down for 'routine maintenance' on April 13 2008. The Reality Distortion Field is weak with this one. Also, how could you figuratively be someone with basic SQL knowledge?
Without reading TFA... how do they know it was (just) 10,000 SSNs? Did they just approximate the number of entries already in the offenders list and just use that? Couldn't there potentially be more?
Proudly supporting the Libertarian Party.
I don't see why those on the list are not suing the government for the damage...
Get over it already. That act got old like 2 or 3 years ago.
Putting aside natural feelings of outrage and injustice, exactly what offense with an associated jail term have they committed? I'm not sure about the US, I'm a Brit, but over here offenses under the Data Protection Act don't carry jail terms.
init 11 - for when you need that edge.
The author should have completely blacked out the SSNs rather than blur them. They are still decipherable to those that are inclined to do so. This article explains why blurring is a bad idea.
Why? In most cases you are protected from liability and your employer is the one to blame. You may get fired from your job, but you will not get sued. For example, my wife works at a school and someone told her they were going to sue her. She notified the principal and the school district took care of it. So no, this person should not go to jail; they should be fired and the employer should give a bad referral.
I smoked pot once. But I DID NOT inhale. Will you hire me?
Going to jail is a bit over the top. Losing their job is what is called for.
However, if Oklahoma has problems similar to California, then they're faced with a Hobson's choice. They can fire the guy/gal but given the low pay scales, they could well end up with someone just as bad.
What someone needs to do is register a certain G. Oatse as a sex offender in Oklahoma.
last names?
D'oh!
In all seriousness, though, this just goes to show that it always helps to slow down in order to avoid this sort of disaster. One hopes that the genius responsible for this is held accountable. 10,000 social security numbers is a lot of personal data to be throwing around like that.
Who would tag this "humor"? Given the deeply-ingrained social stigma attached to being put on one of these lists, I don't really see how it's funny that one was so horribly misimplemented. Even when something is _obviously_ wrong, as in this case, it can be hard to iron out the impression that actual people get from reading these lists. What if the problem weren't as obvious as this one supposedly is? Would it still be funny?
Generally, no retraction is ever as effective as the original statement. That's probably one of the reasons why libel is such a big deal for some people--just saying "sorry, we were wrong" may not be good enough.
oh but THINK OF THE CHILDERN! What matter if half the state of Oklahoma, portions of Texas, Missouri and all of Southern California end up on the list? If just one child is saved is that not reason enough to ruin the lives, futures, and family of millions? Besides, to fix this mess will require hiring a few thousand more gu'bmint pencil pushers! Thank Mog we have a government that CARES!
- Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
I'm a Brit, but over here offenses under the Data Protection act don't carry jail terms.
Actually, certain offences related to disclosure of data do carry jail terms in the UK. In theory, a government employee disclosing someone's spent criminal conviction (or a current conviction to someone not entitled to know) can be jailed, though I've never heard of it happening.
Can't read the dailywtf article, but from the summary, I'm thinking one of the biggest problems is that SSNs are on a public facing server when they don't need to be. Working in gov based IT myself, I know that Least Access is many times not followed.
Billy Brown rides on. Yolanda Green bypasses Gary White.
Whereas the names and addresses of these people are a matter of public knowledge, are their email addresses and SSNs also open? If not, despite what you may think of their actions (public urination? Really?), it's not fair of the site to "blur" the relevant details so poorly.
I read the daily WTF, and usually I think it's pretty good, but Alex has made his own WTF here, IMHO.
Simon
Physicists get Hadrons!
So I said to my girlfriend, "I am not a pedophile! But that is a pretty big word for a 10 year old."
Maybe it is time to get rid of these asinine sex offender lists. Why are sex crimes treated worse than attempted murder? Plus, they lump rapists in with flashers (yes, they may have different levels but they still get lumped together when it comes to restrictions). So people would rather see someone try to stick a knife in their kid instead of grab their butt? Maybe, just maybe, the real reason is this nation's simultaneous obsession with and fear of sex and denial of early sexual development. Of course this is the same country that can't be pragmatic when it comes to drugs either.
Woulda made a great April Fools prank...
Understanding the scope of the problem is the first step on the path to true panic.
I know it sounds like a lot for making a mistake, but for someone in the web development business, this is a hole you could drive a truck through and the person who made it had to be so inexperienced or malicious that it should have been caught by someone above them. It's really hard to overstate how bad a programmer has to be to give the public complete database access like this.
"Yeah, sure.. Time to organize the community to hassle you until you leave. Enjoy being a RICH hermit you sick pervert."
The Kruger Dunning explains most post on
You know when http://thedailywtf.com/ picks up a story, then it is linked on /. , it's going to be an especially delicious IT failure.
Interesting.
Yeah, but if this guy messes up again, the state can't claim they didn't know how bad he was--they're now aware of his incompetence, which probably increases their liability the next time he screws up. Keeping him might be the right thing to do if they can make sure he learns from it--but it's probably the wrong thing to do from a risk-management perspective.
If you are a nurse, an engineer, or even a barber and you screw up you can lose your license and kiss your career goodbye and be sued.
Normally software developers aren't licensed, but for some things like power plant control systems they should be, because if you screw up it can kill people.
People have been shot for being on the SO list. If your incompetence lets someone put me on the SO list and I get shot, can my family come after you? That's a question society will need to answer sooner or later.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
People learn from their mistakes, and the money spent on damage control and cleanup can be seen as paying for that employee's education, in a way.
I mean, what would you prefer, to fire the person who made a mistake and hire someone with unknown qualifications who may end up making the exact same mistake again later, or keep your already trained employee who was so burned by this mistake that s/he will NEVER make the same mistake again?
psmylie's dictionary: Godzillion (noun) Any number large enough to destroy Tokyo
im in ur sex offender database,
injectin sql.
I know you are being sarcastic, but the bigger these lists are the more useless they become.
If every public urinator and teenager in love gets put on these lists, it's that much harder to spot the really bad guys. The same goes for the really bad people who are now harmless 89-year-old men dying in a nursing home. Get these people off the list ASAP.
If you aren't "level 3" or whatever "really really dangerous" is in your state, only the cops and those who have a proven need to know should have access to your information.
I've known about this "feature" for several months after an idiot even tried to put a friend's name on the list, but apparently failed.
Why not tell anyone with authority? My past experiences with informing those in charge have not been good.
Stealing jokes from SNL is teh lame, man.
There are many people with criminal records who pled guilty because they didn't have the money to fight it.
Prior to the 1990s if you were poor and the 15 year old girl you were dating falsely charged you with statutory rape because you dumped her, the DA probably let you cop a plea to a lesser crime. Later, that charge got added to the SO registry and you are stuck for something you didn't do.
Imagine how many people said:
"OMFG It was only one piss on a tree!!"
And the others saying:
"I remember something about being convicted for that" *shrug* "Out of sight, out of mind!"
Something witty.
Jeffs.
The purpose of the SO lists is to identify those likely to re-offend.
Great in theory miserable in practice.
If you want to do an offender registry right, evaluate every ex-con and create lists of people likely to commit new serious crimes.
I'd like to see likely-offender lists for:
* violent crimes including forcible sex crimes, murder, assault, etc.
* crimes involving con games/trickery of people who have no reason to know better
* financial crimes not relying on con games, e.g. bank fraud, felony burglary, etc.
* crimes against children, the elderly, and other easily-victimized groups
For each category, have a "level 1, level 2, level 3" system where level 1 means private registration, level 2 means those who ask and need to know get to see your info, and level 3 means public registration.
If a person is the reincarnation of Adolf Hitler but he's not in a position to commit new crimes, he doesn't get on the list. If a person has a single felony on his record but is deemed likely to commit one of those types of crimes in the near future, he's on the relevant list.
People change, so re-evaluate the list every year.
I've lived in Oklahoma all my life, and it really doesn't surprise me that something like this has occurred. While Oklahoma City and Tulsa actually have some competent officials--Oklahoma City's recent prosperity can be chalked up in large part to a few good decisions--our ability, as a whole, on the technical front is pretty low. Really, I've just been waiting for something like this to come out. Corrupt state officials can only keep this kind of thing hush-hush for so long. I anticipate even more scandals of this kind for my state in the next few years. Especially as we move toward putting more and more information online.
The biggest problem, from what I can see, is that there's still this divide between the older fields of developer and technician/admin. Tech and admins know some basic scripting, but are never taught sound practices, which to my mind is a huge mistake. Maybe that made sense ten or twenty years ago when a sysadmin would be restricted to shell scripts and working with awk and the like, nothing over a few dozen lines. Now IT departments are getting requests for what amount to actual application development, but they have no meaningful training in that area.
The world's burning. Moped Jesus spotted on I50. Details at 11.
I'm typically all for getting people out of jobs that they're obviously unqualified for, but these days they'll just be replaced by some other idiot that will do the same sort of thing next year.
At least this guy won't make this specific mistake ever again, and will likely be more careful with other implementations in the future. That can't be said for his likely replacement.
The whole idea of having the registry is sheer stupidity, but on a scale designed to ruin innocent people.
Let's assume that a given person on the list was really a rapist (and not just convicted of it). If he's served his time and has repented, he won't do it again. So why do we punish him for the rest of his life with the registry? And if you think he will do it again, why is he not in jail?
You may as well just shoot him and be done with it.
but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list.
Why would anyone care if they were put on this list?
This issue has gone to the Supreme Court and they have ruled that these lists are not punishment, and hence do not run afoul of restrictions against ex post facto punishment or due process. So if it is not punishment, why would anyone care if they are on the list?
Stop-Prism.org: Opt Out of Surveillance
DAMN! I guess I'll just have to find another way to mess with my old bosses..
Hearing it now when the site is down for 'routine maintenance'.... I wanted to add my boss to the list!
This is a rather unique situation. The nature of the mistake indicates an extreme degree of incompetence. I've never seen anybody put SQL queries in URLs, and I've seen some pretty sloppy code. This is bad with a capital B, and, particularly in this age of security compromises big and small, I really question the smarts of someone who would do something like this, because it raises the question of what other things they have done that were equally bone-headed. At the very least, I would want an audit done.
This is an official government list of alleged "sex offenders," not a list of people with parking tickets. Developers tasked with providing public access to such sensitive information, and the people who employ and direct them, should be adhering to the best practices, not the worst practices as in this case.
The real issues are that
(a) No one in the OK government probably cared much about the privacy of these "sex offenders" because, well, they're "sex offenders."
(b) Government agencies are constantly tasked by executives and legislatures to implement programs they're ill-equipped to handle and often receive no additional funding to carry out these mandates. Do you think the OK agency involved had tens of thousands of dollars to hire outside contractors with solid coding skills to undertake this task? Probably they handed it to someone in house who knew how to write SQL queries and a little PHP.
I'd fire the lot of them, including the department heads, and start over with people who have at least some clue about good IT practices. If this fiasco was actually the product of an outside consulting shop, I'd ban them from working for my state government for a very long time.
If we don't have substantial and public penalties for poor management like this, we're just going to be repeating our mistakes.
TRWTF is that OK's DoC did nothing (nothing effective) to stop using SQL statements in the URL's querystring, UNTIL the author showed how manipulating the vulnerability not only put the criminals' personal info at risk, but also the employees' info.
http://www.ticic.state.tn.us/sorsql?sql=sp_SOR_IMAGE+'SO001290'&contenttype=image/jpeg
Posting anonymous for obvious reasons. Guess how I found this one? Google image search for "Richard James". I was looking for Aphex Twin and got SQL injection instead. Lulz.
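The "SQL in the query string" pattern this thread keeps coming back to, placed next to the fix commenters point at (a parameterized query behind an allow-listed identifier) and the least-privilege point raised about public-facing servers and table wipes. This is an added example, not code from the Oklahoma site or from The Daily WTF; it uses Python's sqlite3, the rows are constructed, and the "SO" + six digits identifier format is an assumption.

```python
import re
import sqlite3

# Constructed sample rows for the demo; these are not real registry records.
SAMPLE_ROWS = [
    ("SO000001", "Doe", "Tulsa"),
    ("SO000002", "Roe", "Norman"),
    ("SO000003", "Poe", "Lawton"),
]

# Assumed identifier format ("SO" followed by six digits); real registries differ.
OFFENDER_ID = re.compile(r"SO\d{6}")


def make_registry():
    """Build an in-memory table standing in for the registry database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE offenders (id TEXT PRIMARY KEY, last_name TEXT, city TEXT)"
    )
    conn.executemany("INSERT INTO offenders VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, offender_id):
    """The pattern the thread describes: request text spliced into the statement.

    Whatever arrives in the URL becomes part of the SQL, so a value containing a
    quote rewrites the WHERE clause instead of being compared against the id column.
    """
    sql = "SELECT id, last_name, city FROM offenders WHERE id = '" + offender_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, offender_id):
    """Hardened lookup: allow-list the identifier, then bind it as a parameter.

    The SQL text is a fixed string; the driver sends the value separately, so it
    is never interpreted as part of the statement.
    """
    if not OFFENDER_ID.fullmatch(offender_id):
        raise ValueError("malformed offender id: %r" % offender_id)
    return conn.execute(
        "SELECT id, last_name, city FROM offenders WHERE id = ?", (offender_id,)
    ).fetchall()


def rejects_malformed(conn, value):
    """True when lookup_safe refuses the value before any SQL runs."""
    try:
        lookup_safe(conn, value)
    except ValueError:
        return True
    return False


def harden_connection(conn):
    """Least privilege for the public-facing handle: make it read-only.

    The public site only ever reads, so the account it uses should not be able
    to DELETE or TRUNCATE anything. In a real deployment that is a database role
    granted SELECT only; SQLite's query_only pragma stands in for it here.
    """
    conn.execute("PRAGMA query_only = ON")
    return conn


def write_blocked(conn):
    """True when a destructive statement is refused on this connection."""
    try:
        conn.execute("DELETE FROM offenders")
    except sqlite3.OperationalError:
        return True
    conn.rollback()
    return False


if __name__ == "__main__":
    db = make_registry()
    print("unsafe, crafted input:", lookup_unsafe(db, "x' OR '1'='1"))  # every row
    print("safe, same input     :", rejects_malformed(db, "x' OR '1'='1"))  # True
    print("safe, valid id       :", lookup_safe(db, "SO000002"))
    harden_connection(db)
    print("delete blocked       :", write_blocked(db))  # True
```

The same crafted value that makes the concatenated query return the whole table never reaches the database through the hardened path, and once the connection is read-only even a successful injection could not empty the table.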
I don't even know how you could test and debug such a system without inadvertently figuring out a design flaw like that.
Maybe they meant to mess it up on purpose? Sabotage? Maybe it was meant as a back door for later?
"They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
One other thing. I wonder if the OK legislature will launch an investigation into this fiasco, or will they avoid the problem since the people on the list were, after all, "sex offenders." I'd like to see the head of the Department of Corrections be grilled on why this happened. Unfortunately any legislator who might broach the subject would probably be labeled as sympathetic to sex criminals.
Why offshoring to the cheapest labor monkey is a good idea?
...let me be the first to say Welcome to Oklahoma!
Now, would one of you be so kind as to get me the fuck out of here?
"Quote me as saying I was mis-quoted." -Groucho Marx
"Routine," as in "we clean up messes similar to this one, all the time?"
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Nice rip off of SNL hosted by Ashton Kutcher. AMY!
Wow, an on topic post for my all time favorite XKCD! :)
http://xkcd.com/327/
WWJD?
JWRTFM!
I highly doubt it was "tested" or "debugged" much beyond "Hey look, it actually works!" ...
Who doesn't like free music?
I'm curious if the entire table(s) records could've been wiped by issuing the delete from or truncate table statement.
Eh, that joke's been around for longer than that.
SNL stealing jokes from the public domain is lamer.
Now, my fellow Texans, you may be worried that a leak in the hose could cause them to lose their powerful vacuum, but in fact it's only served to multiply the sucktion! We're safer than ever!
I can just feel my karma evaporating
It's my understanding that Goatse postings are one-off affairs, caused by Slashdotters newly infected by the loser virus. Usually this virus runs its course in short order and the unfortunate victim recovers with a shred of dignity intact, but those chronically afflicted get bored with Slashdot and move on to other things, like alcoholism, drug abuse, and eventually living on the streets. These are the very people that give most honest homeless people a bad name.
I used to work (3 years ago) at a background checking company that would pull/harvest databases off the internet if the county or state wouldn't sell it to us in bulk. You'd be surprised how many county websites have stuff like this.
There is one county in Florida that will return more results by walking through their ID numbers than by searching for everyone in their site. That means people who for whatever reason aren't supposed to show up on the website get harvested by companies like the one I worked at.
A county in Texas tried to stop the harvesting by making people sign in and limiting searches but managed to introduce a SQL injection hole that lets you do whatever you'd like to the Users tables. I didn't try messing w/ the offenders tables but wouldn't be surprised if it was possible.
These are just two examples that I recall. There were quite a few more.
The idea that pedophiles have high recidivism rates is a misnomer. Once caught, these people's recidivism rates for sex crimes are pretty low.
Maybe it's because they actually take therapy seriously, or maybe it's because they know they will be the first suspects if there are any crimes in their neighborhood, either way, they aren't a problem. The real problem are those that haven't been caught yet and those who got off on a technicality and are emboldened to try again.
If you want a high-recidivism crime, look to crimes that arise out of a person's circumstance in life, but only look at cases where "the system" did nothing to prepare the ex-con to change those circumstances or learn to live with them. Prostitution, drug abuse, theft to support drug or gambling habits, gang-related crimes, and the like all have high recidivism rates if the person is merely sent to jail to "do his time" then let go right back into the same environment he came out of, without any support system to help him stay legal.
Other high-recidivism crimes are those committed by pathological people such as con artists and pedophiles where there is no system in place to support their efforts to stay straight or scare them into staying straight. Provide the proper mix of support and intimidation and you've got yourself a recipe for success. Don't, and you turn the jails into a revolving door.
Didn't DHS get a D grade on the last government security report card (compared to the government's C- average)?
Please. A government that feels that government is part of the problem has no interest in making it run efficiently.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
I don't know if people are trying to sensationalize things or they are just plain ignorant. Oklahoma didn't put SQL queries in the URL, some lame contracted programmers did. Furthermore, it's difficult to imagine that state officials would understand the faux pas enough to even recognize the error.
This story looks a little off. The author talks about the original attempt at a fix where they uppercased the first letter of a field, and how he got around this by querying the ALL_TABLES view.
The ALL_TABLES view is in an Oracle database and the only way to have case sensitive field names is to use quoted identifiers, but there is no sign of quoting in his new query.
If I hire a carpenter to build my house and it collapses, the carpenter is liable. Engineers won't cooperate if management wants to cut corners on a bridge: they have a code of ethics and a body that enforces it.
Software, on the other hand, is a free-for-all today. We need an accreditation program and a code of ethics, just like more traditional disciplines of engineering. That's not to say that we'll restrict compilers to professionals; we don't reserve wrenches for professional mechanics.
But for a project that has the potential to cause so much harm to so many, a requirement to use trained and certified software engineers (with all the implications of the second word) would be invaluable.
A quick Google search reveals many sites with similar problems. I like this one, though. You get not only the full query, but the path to the database and the database name =) Not the same, but you find idiots everywhere =)
This is a little off-topic, but my girlfriend and I considered going to one of those "couples-only" adult theaters out of curiosity and to spice things up a bit (yeah, she's really awesome). As I was researching it I found out that in Texas, if you get busted with "indecent exposure" in an adult theater you get arrested AND you have to register as a "sex offender". I was pretty amazed at how harsh/draconian that is.
You can legally go to a strip club and in some cases see completely naked girls and pay them to hump you. But if you go to an adults-only designed sex venue where exposure is generally expected and expose yourself, you might find yourself in jail and being forced by law to tell your neighbors about it. Risking getting a ticket + fine is one thing, but this definitely seems cruel and unusual to me.
So not all "sex offenders" are rapists and pedophiles.
Whilst the system may not make a person a criminal (although there are Dickensian arguments that say otherwise), it's very hard to see how a person can become truly repentant of their actions after such an experience. Repentant of being caught, perhaps, but where in there is a mechanism for establishing what went wrong in the first place, solving underlying issues or providing effective means for a person to not fall back into old patterns on release? The current judicial and prison systems appear geared towards revenge and retribution, not towards corrective action and prevention. In that case, it is entirely reasonable to assume that offenders will re-offend. It's possible you'd end up reaching the same conclusion on a (correctly managed) rehabilitation-oriented system, I won't argue that case, I will only argue that if the typical description of what prevails is accurate, the assumption of lifelong guilt is probably not all that inaccurate.
I have my own theories on what would work better (mostly involving dividing sentencing into two - one segment for punishment, if punishment is called for, and a distinct segment for treatment, if treatment would be useful), however such theories are never going to be tested or meaningfully examined, so in effect constitute un-disprovable hypotheses and therefore merely articles of faith no different from any other system of religious belief.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Perhaps you're focusing a bit too much on the developer here. The mistake is so egregious that it suggests a first-year programmer produced it. If that's the case, the person's manager is responsible to see that they got adequate security training before putting her/him on a project where their code would be exposed to the outside world.
Secondly, the fact that the code didn't even undergo rudimentary testing to ensure the obvious holes were covered speaks to an organizational issue - something the manager is responsible for. The manager knows this and as a consequence will probably try to cover the situation up as much as possible so the manager doesn't get fired along with the developer.
Slightly off-topic, but I'm curious how many organizations would have caught this error before the page was published. Does your organization have security and testing policies in place such that this error would have prevented the page from being released? Or are you solely responsible for testing and securing your own code?
Good points, though I think even a first-year should know better.
Solely, but as I'm not coding for part of an organization at the moment, that doesn't really mean much. =) Does yours?
An example I can think of from my own experience was someone misreading an instruction and installing software on the wrong server, royally screwing up that server (which, naturally, had some critical apps running on it...). We had our backup up and running within an hour, and the original server working fine by the end of the day, but it was pretty high-profile.
The man got fired for it, but I think he should have gotten a written warning and sent back to work. He felt bad enough about it that I seriously doubt he would have ever made the same mistake again.
When you realize that most of them are related to each other.
Which one of you guys bad touched him?
Seriously, if the Landlord Lobby tells the lawmakers that their bottom line is being hurt, the lawmakers may realize that too much thinkofthechildren hurts hard-working Americans like you.
Damn it just dawned on me who you are.....
You know there is an alternate solution to this. Right now Texas is petitioning the Supreme Court to execute child sex offenders: http://www.dallasnews.com/sharedcontent/dws/news/texassouthwest/stories/041608dntexrapists.696df49b.html
Someone who claims to know the situation commented below TFA, and said the programmer was a contractor. Hence, no real firing possible. Jail unlikely. And are states immune from lawsuits or something (though Wikipedia says political subdivisions of a state do not have sovereign immunity)? Anyway, I doubt much will happen.
Solidarity with my brothers in the GL movement.