Oklahoma Leaks 10,000 Social Security Numbers
DrJokepu writes "Apparently the folks at the Department of Corrections of Oklahoma just forgot to use common sense when they created the state's Sexual and Violent Offender Registry. By putting SQL queries in the URLs, they not only leaked the personal data of tens of thousands of people, but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list. Fortunately, after the author of the blog The Daily WTF notified the department about the issue, the site went down for 'routine maintenance' on April 13 2008."
This breaks my brain, even for the normally stereotypically slow, stereotypically technology-shy government (though I will say that a lot of the Government of Canada sites work surprisingly well in my experience).
SQL queries IN THE QUERY STRING. Someone reading their FIRST BOOK on web development would know not to do that! And now God help the people who have been affected by this: try proving to the government that you're not a sexual offender when you're already on their list.
SQL injections. Learn them. Learn how to mitigate them (a PHP-specific example, but there are similar mitigation techniques for other languages). And I mean, hell, in a site like this (and especially with programmers apparently this bad), stored procedures might be the thing to implement. Or even better, use a framework like CakePHP, Rails, or Django with this sort of sanitation built into the queries it generates.
Ugh. I hope someone gets fired for this. I bet, though, that in reality this was programmed by the lowest bidder.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
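To make the mitigation in the comment above concrete, here is an added example (not from the thread or the Oklahoma site) that puts the flawed pattern beside the fix. It assumes Python's standard sqlite3 module and a constructed three-row table; the names are placeholders.

```python
import sqlite3

# Constructed sample registry. The real site's schema and data are not known here.
SAMPLE_ROWS = [
    ("Alice Example", "Tulsa"),
    ("Bob Sample", "Norman"),
    ("Dan O'Brien", "Lawton"),
]


def make_db():
    """Build an in-memory table standing in for the offender registry."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (id INTEGER PRIMARY KEY, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO offenders (name, city) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, name):
    """The pattern the story describes: text taken from the URL is pasted into
    the SQL statement, so the database parses the visitor's input as SQL."""
    sql = "SELECT name, city FROM offenders WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, name):
    """Hardened form: the value is bound to a placeholder and is only ever
    compared as data, never parsed as part of the statement."""
    sql = "SELECT name, city FROM offenders WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def vulnerable_raises(conn, name):
    """True if the concatenating version chokes on the input (e.g. an apostrophe
    in a legitimate surname), which is the same defect seen from the other side."""
    try:
        search_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("exact match, both forms:", search_parameterized(db, "Alice Example"))
    # The tautology widens the WHERE clause in the concatenated version only.
    print("concatenated:", search_vulnerable(db, "x' OR '1'='1"))
    print("parameterized:", search_parameterized(db, "x' OR '1'='1"))
    # A real name containing a quote breaks the concatenated query outright.
    print("O'Brien via concatenation errors:", vulnerable_raises(db, "Dan O'Brien"))
    print("O'Brien via placeholder:", search_parameterized(db, "Dan O'Brien"))
```

The same tautology that dumps every row through concatenation returns nothing through the placeholder, and the placeholder also handles the apostrophe in O'Brien that makes the concatenated query fail.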
The author should have completely blacked out the SSNs rather than blur them. They are still decipherable to those that are inclined to do so. This article explains why blurring is a bad idea.
thedailywtf.com usually posts humorous stories. The tone of this one, however, is completely different.
I agree with parent; please tag !humor if that does anything.
I'm a Brit, but over here offenses under the Data Protection Act don't carry jail terms.
Actually, certain offences related to disclosure of data do carry jail terms in the UK. In theory, a government employee disclosing someone's spent criminal conviction (or a current conviction to someone not entitled to know) can be jailed, though I've never heard of it happening.
Because most people are convinced that this particular class of offenders can't be rehabilitated and therefore releasing them to the general public is a mistake in and of itself. In order to ensure that they are proven right, they have decided that the "Scarlet Letter" method of tracking these people is justifiable.
If this range of classification was limited to people who were actually offenders who were likely to commit their crimes again, then this could almost be understandable. However, and especially in conservative regions, often there are completely trivial offenses which one can commit which cause one to be lumped into this group. Offenses which, while not exactly something to be proud of, are not at all indicative of being a 'sexual' offender. Like public urination. Like mooning someone. Like being a 15 year old caught making out with another 15 year old.
The original idea was sound. There are people out there who have skewed enough thought patterns and responses that they are always at danger of committing this sort of crime. Keeping closer track of them and preventing them from living in "target rich" environments is reasonable. Unfortunately, the implementation was flawed from the beginning, and I'm not talking about this particular site but the lists themselves.