Slashdot Mirror


Oklahoma Leaks 10,000 Social Security Numbers

DrJokepu writes "Apparently the folks at the Department of Corrections of Oklahoma just forgot to use common sense when they created the state's Sexual and Violent Offender Registry. By putting SQL queries in the URLs, they not only leaked the personal data of tens of thousands of people, but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list. Fortunately, after the author of the blog The Daily WTF notified the department about the issue, the site went down for 'routine maintenance' on April 13, 2008."

4 of 245 comments

  1. Re:*facepalm* by NeutronCowboy, Score: 5, Interesting

    Actually, for something on this scale, I'd like to see jail time for criminally negligent programming. The cost of being on a sex offender list by mistake is mind-boggling - I'm on a "have a long chat with a customs officer every time I enter the US" list because some data entry monkey made a mistake with my passport, and it's not pretty. I can only imagine what being on a sex offender list can do to you...

    --
    Those who can, do. Those who can't, sue.
  2. Re:wow by jmichaelg, Score: 4, Interesting

    Going to jail is a bit over the top. Losing their job is what is called for.

    However, if Oklahoma has problems similar to California, then they're faced with a Hobson's choice. They can fire the guy/gal, but given the low pay scales, they could well end up with someone just as bad.

  3. Re:Pleeeese! by kalidasa, Score: 4, Interesting

    READ THE ARTICLE. The same database had all criminal offenders listed - and all employees of the state corrections system. They were using an SQL query in a GET query string! You could pull up anything you wanted from the DB because they didn't lock the permissions correctly. They did a half-assed fix the first time, and only took real action when the whistle-blower pointed out that their own SS#s were accessible.

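What the comment above describes, as an added example that is not code from the original page or from the Oklahoma site (which comment 4 says was written in Java): a Python handler that executes the SQL it receives in the URL, beside a fixed handler that takes only a record id, binds it as a parameter, and runs on a connection restricted at the database layer to reading non-SSN columns of the offender table. The schema, the two table names, the rows and the `sql`/`id` parameter names are all constructed for this example, not the real registry's.

```python
import sqlite3
from urllib.parse import parse_qs, urlencode

# Constructed toy schema standing in for the registry database the thread
# describes (offender rows plus state employee rows, SSNs included).
# Table and column names and every row are assumptions for this example.
SCHEMA = """
CREATE TABLE offenders (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT);
CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT);
INSERT INTO offenders VALUES (1, 'Listed Offender', '111-11-1111');
INSERT INTO employees VALUES (1, 'DOC Employee',    '222-22-2222');
"""


def fresh_db():
    """In-memory database in autocommit mode, so writes land immediately."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    return conn


def query_string_for(sql):
    """Build the query string an attacker would append to the page URL."""
    return urlencode({"sql": sql})


def vulnerable_lookup(conn, query_string):
    """The pattern from the thread: the URL carries the SQL itself and the
    server runs it, on a connection that can read and write every table."""
    sql = parse_qs(query_string)["sql"][0]
    return conn.execute(sql).fetchall()  # executes whatever the client sent


def lock_down(conn):
    """Least privilege at the database layer (sqlite's authorizer hook stands
    in for a restricted DB account): the web-facing connection may only
    SELECT non-SSN columns of offenders. Writes, and any read of employees
    or of ssn, are refused at prepare time, before they can run."""
    def authorizer(action, table, column, dbname, trigger):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and table == "offenders" and column != "ssn":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)
    return conn


def hardened_lookup(conn, query_string):
    """Fixed handler: the URL carries only a record id; the SQL is fixed and
    the id is bound as a parameter, so no client text is ever parsed as SQL."""
    params = parse_qs(query_string)
    try:
        offender_id = int(params["id"][0])
    except (KeyError, ValueError):
        raise ValueError("id must be an integer")
    return conn.execute(
        "SELECT id, name FROM offenders WHERE id = ?", (offender_id,)
    ).fetchall()


def attempt(conn, sql):
    """Run attacker-supplied SQL directly and report whether the database
    let it through; shows what lock_down changes even if the handler is bad."""
    try:
        return ("allowed", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    steal = "SELECT name, ssn FROM employees"
    frame = "INSERT INTO offenders VALUES (2, 'Your Neighbor', '333-33-3333')"

    db = fresh_db()
    print(vulnerable_lookup(db, query_string_for(steal)))  # employee SSNs leak
    vulnerable_lookup(db, query_string_for(frame))         # neighbor is now listed
    print(vulnerable_lookup(db, query_string_for("SELECT id, name FROM offenders")))

    db = lock_down(fresh_db())
    print(hardened_lookup(db, "id=1"))  # [(1, 'Listed Offender')]
    print(attempt(db, steal))           # ('denied', ...)
    print(attempt(db, frame))           # ('denied', ...)
```

The two fixes are independent and both are needed: parameterising the query stops the URL from being interpreted as SQL, and the restricted connection means that even a handler someone later writes badly cannot reach the employee table or write to the registry, which is the permissions point the comment makes.
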
  4. Re:*facepalm* by jsebrech, Score: 4, Interesting

    PHP has got to be one of the worst things that ever happened to web development.

    This particular site was coded in Java, so PHP was not at fault here. I don't know what got you onto the topic of PHP.

    The problem is that when these projects come up, rather than contracting out to someone who knows what they're doing, or at least hiring or training somebody who can code, they go to Bob the IT guy

    Software development has always been rife with contracts that go to the lowest bidder based on a spec that mentions only features and deadlines (not security, quality, or other metrics). This is because most IT projects are managed by people who don't understand IT, and who do the IT equivalent of asking their neighborhood carpenter to build the golden gate bridge. You get what you pay for.

    I know I sound elitist here, but goddamn it, PHP and all those lovely little scripting languages have unleashed a disaster on the web.

    If PHP didn't exist, someone would invent it. PHP fills the niche of an environment that lets you get up and running quickly with web applications, just like Visual Basic did it for Windows apps, and Access did it for databases. Yes, it's a bit elitist to say that all programming environments should be so difficult to program in that they weed out all but the most dedicated (and knowledgeable), but it's also unrealistic, because people would invent easier environments if there weren't any. PHP is actually quite good at blending the capability for quality coding with a low barrier to access.

    And besides, the problems with web app security have nothing to do with PHP or any other scripting language, they have to do with visibility. Think about how many two-tier desktop apps there are that let anyone with a bit of knowledge bypass the app and do whatever they want in the database. Nobody makes a fuss about this, because the visibility of those apps is lower.

    I would say the primary problem with web app development is not any of the tools, but the perception among IT managers that web app development is simpler, and requires less skill, than desktop development, while the inverse is true. I do both desktop and web development, and it is much more difficult to build good web apps, because you have to pay more attention to architecture, security, performance envelopes, and GUI design. That management (even my management) still doesn't understand that is disappointing, but understandable given how the web started out as a toy and still hasn't quite shaken that perception.