Slashdot Mirror


Oklahoma Leaks 10,000 Social Security Numbers

DrJokepu writes "Apparently the folks at the Department of Corrections of Oklahoma just forgot to use common sense when they created the state's Sexual and Violent Offender Registry. By putting SQL queries in the URLs, they not only leaked the personal data of tens of thousands of people, but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list. Fortunately, after the author of the blog The Daily WTF notified the department about the issue, the site went down for 'routine maintenance' on April 13 2008."

12 of 245 comments

  1. Oblig. by Ethanol-fueled · Score: 5, Funny

    (1)Hack the registry

    (2)Put your own name in the registry

    (3)Sue the state

    (4)Profit!!!


    (5) (remember to have your name removed from the registry!)

    1. Re:Oblig. by cptgrudge · Score: 5, Funny

      (5) (remember to have your name removed from the registry!)

      This is government you're dealing with. It will never happen.

      "But, but, I sued the state and won! Look, here's my legal documents! I'm not a sexual predator, honest!"

      "Yeah, sure.. Time to organize the community to hassle you until you leave. Enjoy being a hermit you sick pervert."

      --
      Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
  2. Re:Get your lawyer ready.... by calebt3 · Score: 4, Funny

    Get your lawyer ready. He was probably notified along with all the other offenders.
  3. Re:*facepalm* by samkass · Score: 4, Funny

    ObXKCDComic

    It's scary how lazy some of the web developers are. For years Yahoo used a system where their login system had the URL to go to once login succeeded urlencoded in the URL. It would have been exceedingly easy to duplicate the login page with a "Username/Password was typed incorrectly. Please try again." Then send people to the authentication page with your page as the follow-on one.

    URLs should only be able to contain sanitized field values to search on that the server composes into actual SQL, URLs, etc.

    --
    E pluribus unum
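
An added example (not part of the original comments and not the registry's code): one way to implement the rule samkass states above, where the URL carries only field values and the server composes the SQL itself. The `registry` table, its column names and the `/search` path are assumptions made for the illustration, and the rows are constructed.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Allowlist: URL parameter name -> column name fixed in server code (assumed schema).
SEARCHABLE = {"last_name": "last_name", "city": "city"}
MAX_VALUE_LEN = 64

def build_query(url):
    """Turn a search URL into (sql, values); the URL supplies values only."""
    params = parse_qs(urlsplit(url).query)
    clauses, values = [], []
    for name, vals in sorted(params.items()):
        if name not in SEARCHABLE:
            raise ValueError(f"unsupported search field: {name!r}")
        if len(vals) != 1 or len(vals[0]) > MAX_VALUE_LEN:
            raise ValueError(f"bad value for {name!r}")
        clauses.append(f"{SEARCHABLE[name]} = ?")  # placeholder, never the value itself
        values.append(vals[0])
    if not clauses:
        raise ValueError("at least one search field is required")
    # The column list is fixed here, so a request cannot select other columns (e.g. ssn).
    sql = ("SELECT first_name, last_name, city FROM registry WHERE "
           + " AND ".join(clauses))
    return sql, values

def search(conn, url):
    sql, values = build_query(url)
    # Values are bound by the driver and treated as data, not as SQL text.
    return conn.execute(sql, values).fetchall()

def demo_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registry "
                 "(first_name TEXT, last_name TEXT, city TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO registry VALUES (?, ?, ?, ?)", [
        ("Alex", "Example", "Tulsa", "000-00-0001"),
        ("Sam", "Sample", "Norman", "000-00-0002"),
    ])
    return conn

if __name__ == "__main__":
    conn = demo_db()
    print(search(conn, "/search?last_name=Example"))
    # A quote-laden value is compared as a literal string and matches nothing.
    print(search(conn, "/search?last_name=x'%20OR%20'1'='1"))
```

A request that tries to pass a whole statement, such as a `sql=` parameter, is rejected by the allowlist before any query is built.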
  4. i dare someone by Anonymous Coward · Score: 3, Funny

    What someone needs to do is register a certain G. Oatse as a sex offender in Oklahoma.

  5. Humor? by Wilson_6500 · Score: 3, Funny

    Who would tag this "humor"? Given the deeply-ingrained social stigma attached to being put on one of these lists, I don't really see how it's funny that one was so horribly misimplemented. Even when something is _obviously_ wrong, as in this case, it can be hard to iron out the impression that actual people get from reading these lists. What if the problem weren't as obvious as this one supposedly is? Would it still be funny?

    Generally, no retraction is ever as effective as the original statement. That's probably one of the reasons why libel is such a big deal for some people--just saying "sorry, we were wrong" may not be good enough.

  6. Re:*facepalm* by riskeetee · Score: 2, Funny

    In Oklahoma, the age of the earth is 6000 years. Nuff said.

  7. Re:Added to list by Anonymous Coward · Score: 4, Funny

    So I said to my girlfriend, "I am not a pedophile! But that is a pretty big word for a 10 year old."

  8. Re:Pleeeese! by trolltalk.com · Score: 2, Funny

    Did you by chance hear a WHOOSH before you posted?

    >>--[joke]--->

          __0__ <- your head
              |

  9. obligatory by Anonymous Coward · Score: 3, Funny

    im in ur sex offender database,
    injectin sql.

  10. Obligatory XKCD reference by gizmonic · Score: 3, Funny

    Wow, an on topic post for my all time favorite XKCD! :)

    http://xkcd.com/327/

    --
    WWJD?
    JWRTFM!
  11. Re:*facepalm* by Anonymous Coward · Score: 1, Funny

    Actually, take a look at ok.state.gov/registry/access&sql=TABLE%20DROP%20ALL