Oklahoma Leaks 10,000 Social Security Numbers

DrJokepu writes "Apparently the folks at the Department of Corrections of Oklahoma just forgot to use common sense when they created the state's Sexual and Violent Offender Registry. By putting SQL queries in the URLs, they not only leaked the personal data of tens of thousands of people, but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list. Fortunately, after the author of the blog The Daily WTF notified the department about the issue, the site went down for 'routine maintenance' on April 13 2008."

Pleeeese!

[arizwebfoot]

Please tell me this is a spoof.

Re:Pleeeese!

[trolltalk.com]

It's kind of hard to believe ...

leaked the personal data of tens of thousands of people

They have tens of thousands of people in Oklahoma?

And it's also hard to believe they'd have that many people on the sexual offender's list - I mean, they're Okies - they consider it "normal" to marry "kinfolks", polygamy, etc.

Re:Pleeeese!

[kalidasa]

READ THE ARTICLE. The same database had all criminal offenders listed - and all employees of the state corrections system. They were using an SQL query in a GET query string! You could pull up anything you wanted from the DB because they didn't lock the permissions correctly. They did a half-assed fix the first time, and only took real action when the whistle-blower pointed out that their own SS#s were accessible.

Re:Pleeeese!

[relikx]

The article you posted is from an Oklahoma news organization but makes no reference to anything in the state. We really don't have too many polygamists in these parts, nice try though.

Now anti-semites and racists, that's another story: http://www.adl.org/learn/Ext_US/Elohim.asp?xpicked=3&item=13

Re:Pleeeese!

[trolltalk.com]

Did you by chance hear a WHOOSH before you posted?

>>--[joke]--->

      __0__ <- your head
          |

Re:Pleeeese!

[trolltalk.com]

Guess you missed the big news

Or

Published: Friday, April 11, 2008

Bed found inside Polygamist temple

ELDORADO, Texas (AP) When authorities moved to search the large white temple on the polygamist compound in West Texas, about five dozen of the sect's men prayed and cried around the structure, state investigators said Thursday.

Schleicher County Sheriff David Doran also said he had been working with a confidential informant for four years who was feeding him information about life inside the polygamist sect.

It wasn't until after the search had begun that Doran learned about marriage beds in the temple and the forced marriages of underage girls to older men.

When authorities gained entrance to the three-story building, no one was inside. But they found beds allegedly used by husbands after they married underage girls on the top floor of the temple. He said authorities made the temple the last stop on the weeklong search because "if there was going to be any resistance at all it would be then."

So let's see - religion, polygamy, rape, child abuse ... about the only thing missing was Jerry Lee Lewis and terr'rists.

Re:Pleeeese!

[relikx]

Last time I checked Texas wasn't a part of Oklahoma. There is a thing called the Red River which by and large separates the two.

Re:Pleeeese!

[JrOldPhart]

Quite often the wind blows people from other states here.

Re:Pleeeese!

[sqlrob]

RTFQ

ELDORADO, Texas (AP)

Re:Pleeeese!

[Skeetskeetskeet]

Hey, you leave me and my sister alone!!

Re:Pleeeese!

[iknowcss]

An anonymous coward down towards the bottom posted this link to something similar. This one Tennessee apparently. It's no joke :(

http://www.ticic.state.tn.us/sorsql?sql=sp_SOR_IMAGE+'SO001290'&contenttype=image/jpeg

Re:Pleeeese!

[Malevolyn]

I think that in this blunder we've actually discovered a level that is below noob. Some kinda of Oklahoma Super Noob!

Re:Pleeeese!

"Real action" is a joke.
They removed the link to the page and blocked off a page.
Google cache reveals the truth, and a link from there even allows searches. I can't be bothered to go SQL-injection hunting today, but I'm betting they're there from one look at the old problems at TheDailyWTF.
http://docapp8.doc.state.ok.us/servlet/page?_dad=portal30&_schema=PORTAL30&_pageid=426

Re:Pleeeese!

[j33pn]

No kidding, everyone knows the sql queries go in POST data.

Re:Pleeeese!

The fact that trolltalk.com got modded flamebait and kalidasa got modded interesting tells me that the vast majority of mods didn't "get" trolltalk's "joke." So, one of two things happened: a. trolltalk expressed his intention so poorly a lot of people failed to see that he was joking, or b. trolltalk decided to retcon his posting into a joke.

Re:Pleeeese!

[trolltalk.com]

You know, as a resident of Canuckistan, I'm always making fun of both Canada and the US, and everyone in between ... (and for those who don't get *that* one, "An airplane crashes on the border between Canada and the US. Where do you bury the survivors?")

Calling them "Okies" should have been the first clue that it wasn't serious ... just like calling graduates from Texas A&M U "Aggies", or people from the west coast "Crunchie granola-bar tree-huggers" (US) or "Lotus-land" (British Columbia). Ditto, Newfies (Newfoundland and Labrador), and Quebec ... whoa, let's not get started on the whole french/english thing ... ;-0

It's just the internet - you can't take it TOO seriously.

Oblig.

[Ethanol-fueled]

(1)Hack the registry

(2)Put your own name in the registry

(3)Sue the state

(4)Profit!!!


(5) (remember to have your name removed from the registry!)

Re:Oblig.

[cptgrudge]

(5) (remember to have your name removed from the registry!)

This is government you're dealing with. It will never happen.

"But, but, I sued the state and won! Look, here's my legal documents! I'm not a sexual predator, honest!"

"Yeah, sure.. Time to organize the community to hassle you until you leave. Enjoy being a hermit you sick pervert."

Re:Oblig.

[BobSixtyFour]

They'll probably have it dismissed on the grounds of upholding "national security" and such that its too confidential for them to hear about it.

Re:Oblig.

[mauthbaux]

(5) (remember to have your name removed from the registry!)
Rather, this is a boon to those already on the list. Now they can simply claim that their status as a listee was simply a vengeful prank courtesy of an unnamed drinking buddy.

I do hope they have validated archives somewhere.

Re:Oblig.

[epee1221]

How about instead of using your own name, you gather a list of the politicians who are the most hard-line with regard to the registry (e.g. once accused, always registered), and select a few of them at random. Much less risk to you, and it will certainly create a ruckus over it.

Re:Oblig.

[Reziac]

No, no, no. Put all the public officials' names on the list. Enjoy the show.

Re:Oblig.

[guruevi]

(6) Find out that the user querying and inserting, doesn't have permission to issue the DELETE statement.

At least, that's so in my database. The user running on the web-side of my database can insert, update and select but can't delete (there is no reason to let them, if they want to deactivate an entry, there is a column 'active' for that).

Re:Oblig.

[blincoln]

At least, that's so in my database. The user running on the web-side of my database can insert, update and select but can't delete (there is no reason to let them, if they want to deactivate an entry, there is a column 'active' for that).

SELECT * FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'some_table') ORDER BY colorder

UPDATE some_table SET col1 = 0, col2 = NULL, col3 = NULL, col4 = ''

etc. You could probably even do it with one relatively complicated query of syscolumns to determine if the column is nullable and its data type, but I don't have time to try it out.

Re:Oblig.

[Torvaun]

I hope they don't, the sex offender list is a travesty.

Re:Oblig.

Actually, the original was probably never correct to begin with. The government openly admits that these registries are wildly innaccurate put still posts them anyways. I've heard studies claim 25% of entries or more are false positives and it is the responsibility of offenders to update their address if they move. I wonder how many go out of their way to do so?

Re:Oblig.

[sjames]

What's worse, of the 75% who are supposed to be there, many of them are not as advertised.

The sex offender lists are pushed as a list of child molesters and rapists. They are on there, but so are guys who got drunk and peed behind a dumpster (OK, not pleasant but hardly worthy of a scarlet letter), forgot to close the curtains, etc. One woman is there because she went topless at a protest. Then there are those who are on there for taking pictures of themselves while under 18 or for having sex with someone within a year of their own age.

They probably have a good case for cruel and unusual punishment but the courts dodge the issue by claiming the list isn't punative.

Of course, the idiots who stick anyone and everyone on the list that they can deserved or not are a real threat to society. If for no other reason, they are slowly rendering the lists meaningless.

Perhaps we need a "scarlet list" of prosecutors who willfully corrupt justice to get their numbers up. Those are people I *REALLY* don't want living in my neighborhood.

*facepalm*

[TheSpoom]

This breaks my brain, even for the normally stereotypically slow, stereotypically technology-shy government (though I will say that a lot of the Government of Canada sites work surprisingly well in my experience).

SQL queries IN THE QUERY STRING. Someone reading their FIRST BOOK on web development would know not to do that! And now God help the people who have been affected by this: try proving to the government that you're not a sexual offender when you're already on their list.

SQL injections. Learn them. Learn how to mitigate them (a PHP-specific example, but there are similar mitigation techniques for other languages). And I mean, hell, in a site like this (and especially with programmers apparently this bad), stored procedures might be the thing to implement. Or even better, use a framework like CakePHP, Rails, or Django with this sort of sanitation built into the queries it generates.

Ugh. I hope someone gets fired for this. I bet, though, that in reality this was programmed by the lowest bidder.

Re:*facepalm*

[samkass]

ObXKCDComic

It's scary how lazy some of the web developers are. For years Yahoo used a system where their login system had the URL to go to once login succeeded urlencoded in the URL. It would have been exceedingly easy to duplicate the login page with a "Username/Password was typed incorrectly. Please try again." Then send people to the authentication page with your page as the follow-on one.

URLs should only be able to contain sanitized field values to search on that the server composes into actual SQL, URLs, etc.

Re:*facepalm*

[NeutronCowboy]

Actually, for something on this scale, I'd like to see jail time for criminally negligent programming. The cost of being on a sex offender list by mistake is mindboggling - I'm on a "have a long chat with a customs officer every time I enter the US" because some data entry monkey made a mistake with my passport, and it's not pretty. I can only imagine what being on a sex offender list can do to you...

Re:*facepalm*

[Gat0r30y]

I'm not that surprised. This is after all the state where students don't even have to know the age of the earth to pass earth science! In a state with those sorts of values, honestly, I really don't expect the greatest in technical expertise to flock there. And even the lowest bidder should have known better. I would bet the work was done internally (only the government itself could hose something this bad).

Re:*facepalm*

[sl0ppy]

with this sort of sanitation built into the queries it generates.

or, perhaps simply use bind variables instead of trying to generate a query. not only will your application thank you, but your database will as well.

Re:*facepalm*

They'll have the best technology (your) money can buy when it is used AGAINST you (e.g. Dept of Homeland Security) but when they are doing something FOR you they cut corners and really couldn't care less.

Re:*facepalm*

[grassy_knoll]

Stored procedures are almost always a good idea, since you can also limit the permissions to SELECT and EXECUTE. Depending on the DB, using stored procedures also forces the use of bind variables so there's a CPU utilization optimization as well ( from the lowered parse rate ).

Not only did they put SQL in the query string, they granted more permissions to the DB user for the web app than it needed. If you're just looking up data, not changing it, why does the app need anything other than SELECT ( or EXECUTE if you're using stored procedures )?

A great example of why "just give the app admin rights so it can work" is one of the dumbest statements a developer can make.

Re:*facepalm*

[TheSpoom]

That's likely a performance question you should ask to the developers of those frameworks. I may be wrong (as I haven't heard of bind variables before now and just Googled them) but what you're talking about seems to be an Oracle-specific thing, though it may be called other things in other RBDMSs. From what I can see here, stored procs would do the same thing even faster.

But like I said, since these web development frameworks generate the SQL queries for you based on your usage of their models (as they all effectively use the Model-View-Controller design pattern), it would be up to them to optimize the generated SQL since, in general, the users of these frameworks don't have to make any SQL themselves, or at least very little.

My guess is that for these frameworks, the generated SQL is already quite optimized.

Re:*facepalm*

Bound variables are available in just about every database. They can offer massive performance gains if stored procedures are not an option.

Re:*facepalm*

[riskeetee]

In Oklahoma, the age of the earth is 6000 years. Nuff said.

Re:*facepalm*

Cheers to that.

Re:*facepalm*

[MightyMartian]

PHP has got to be one of the worst things that ever happened to web development. In the last year I've ended up with two jobs cleaning up someone else's code, and god but that language invites sloppiness on a level I've only experienced in the past with BASIC. The problem seems to be that it's easy enough to get a PHP-based page up, but the actual ability to coherently develop software isn't there. Anyone can learn to code in PHP, but only a few bother or are capable of actually invoking proper coding practices. The problem is that when these projects come up, rather than contracting out to someone who knows what they're doing, or at least hiring or training somebody who can code, they go to Bob the IT guy, who's okay at keeping the network up, and knows a bit of scripting, and who goes online and reads just enough of the PHP tutorial to be really dangerous.

In these cases, there's little or no commenting. Some things are done as classes, some as functions, there's no particular rhyme or reason, and it became so bloated that the original coders appear to have simply given up. It's terrible spaghetti code, but because it's on the web, no one seems to consider it software development. When you combine this with security, it can create a rather frightening mix of shitty almost undebugable code with an unknown number of potential security holes.

I know I sound elitist here, but goddamn it, PHP and all those lovely little scripting languages have unleashed a disaster on the web. It's bad enough that there's hackers out there, but much worse that there are incompetents being given the keys to the internal networks and data, without any knowledge of sound coding principles and of how to harden sites against injection attacks and the like.

Re:*facepalm*

[geekoid]

This has nothing to do with being a government agency.
I have seen his in every industry. Including very large Financial institutions.

If you look at the number of websites the the 'government' has, nearly all of them run fine.

I can't speak for Canandian industry or government, my security work was done within the US.

Yes, I am a programmer that now works for a government agency, and no, not the one this article is about.

Re:*facepalm*

I think the problem is exactly the fact that someone WAS reading their "FIRST BOOK on web development" and missed the chapter about idiocy.

I'm astounded that this still happens. It's one of the most exploited non-human holes on the planet.

Re:*facepalm*

Not really, it's not a "fix-all". Some developers find out they can have a more "secure" system, over-react and start putting the business logic into Stored Procedures which is NOT a good idea.

The same problems with bad SQL exist in Stored Procedures as well. If someone can access the DB with Write Priveleges then they can just as easily hack the Stored Procedures.

Many times the same applications read data, do something then write results back so they DO need write priveleges to the database, so unless you want to change/set write permissions within your code in many different places, use ACLs to control WHICH programs can read and write what data based on UID or privelege levels (not a bad idea but not easy on a huge DB), it makes the most sense to give Read AND Write to an application. You just have to count on the programmers knowledge to not leave holes.

You must trust the programmers but VERIFY by performing Security Testing BEFORE releasing an application that deals with such sensitive data. I find this last step is very commonly skipped. If done properly these holes would never be in a production system. So don't blame ONLY the developers but blame the Managers too who shortcut or don't perform Security Testing. The managers may or may not be smart but I suspect they were working on a project they can't really do at the cost they bid often leads to pressure to find some savings which often means reducing reviews and walkthrus, minimizing testing and all that leads to big trouble. It's a story as old as the software business, it's just causing new problems such as the security breach metioned.

Re:*facepalm*

[girasquid]

Agreed! I'm a Perl guy, and everyone thinks that Perl looks like line noise - although it doesn't, if you have decent coding practices. I keep getting handed projects that involve fixing PHP, and...I hate it. Because of PHP's low barrier to entry, everyone picks it up - and starts writing crap. I'm not saying any other language is better - it just seems like this happens most often with PHP.

Re:*facepalm*

[lattyware]

Don't blame the language because the developers are incompetent.

Re:*facepalm*

[sl0ppy]

famous last words: "just Googled them".

what you're talking about seems to be an Oracle-specific thing

no, not really. in the case of sane databases, it is the norm. heck, even mysql supports them.

But like I said, since these web development frameworks generate the SQL queries for you based on your usage of their models

except that generating SQL on the fly is extremely inefficient . the database must then parse the query, measure costs and determine the best execution plan before executing the query even begins. using prepared statements and bind variables obviate the need for this, thus allowing the database to optimize the queries and choose the best execution plan.

not doing this is either ignorance or negligence. i would hope it was the former in the case of oklahoma, and seems to be the case all over.

Re:*facepalm*

[TheSpoom]

I'm not saying that it's unique to government. I'm saying that it's slightly more expected given the stereotypes that are in-place (to which I normally don't subscribe; as I said earlier, many .gc.ca sites and their applications work quite well).

Re:*facepalm*

[maxume]

It gets awfully complicated. If there was a directive to put the information online but no funding or process to review the project, everybody involved is partly responsible. If there was funding and process to review the project, the managers are more responsible than the programmers(because they failed to be even a little aware of what got done).

Re:*facepalm*

[TheSpoom]

There are those of us out there that know how to code PHP in a sane, clear, and secure way. Unfortunately, I have to admit that there are a lot more that don't. I think one of the things you can do is to look for those that have languages like C++ and Java on their CV as well, and also for those that have a portfolio of code to review when they apply for a job. When you actually see the code, it's easy to separate the fly-by-night guys from the actual educated, experienced programmers out there.

By the way, on a somewhat unrelated note, we're using Django for our new web game, and it's both interesting and easy to code, while still (rigorously) maintaining good coding practices. So I think there's also something to be said for those who work with frameworks like CakePHP, Rails, and Django, as those tend to both be object-oriented and to promote good coding practices.

As I've said before, I think PHP can and should be used well; there are just a lot of ways it can be used poorly.

Re:*facepalm*

[QuoteMstr]

The language makes it easily, or even tantalizing, to do it the wrong way, and very difficult to do it the right way.

Re:*facepalm*

No, not criminal, just the "data death penalty".

Require the database be erased, all backups etc.

If they can't keep it secure they can't keep it.

As a side effect (if this was their only database
they are out of a job...).

If this supported tax collections, sorry, no
collections...

Re:*facepalm*

[TheSpoom]

I'll be the first to admit I don't know everything.

Just curious though; how would you suggest that a framework using MVC and models use these things, assuming they don't already? Create a stored proc for each query if it doesn't already exist?

Re:*facepalm*

[sl0ppy]

queries are pretty straightforward:

sth = dbh->prepare("SELECT a, b, c FROM foo WHERE a = ?")
sth->execute(123)

what you don't want to do is:

sth = dbh->prepare("SELECT a, b, c FROM foo WHERE a = " . 123)

prepare could be prepare_cached, depending on your db and client library.

Re:*facepalm*

[MightyMartian]

I agree. PHP really does invite sloppy code. It's the BASIC of the Internet age, an easy and accessible language, but a somewhat incoherent one that is easy to create disasters, even for a reasonably skilled coder. I quite frankly dislike intensely, but it's taken over the world, unfortunately, despite much better languages like Python being out there.

Re:*facepalm*

Posting as AC for obvious reasons. I worked on various Gov't of Canada sites (intranet sites, not internet), and basically 95% of the webapps I've seen on them were classic ASP (then mostly PHP and ColdFusion), using plain old string concatenation. sprocs? not a chance. parameterized queries/prepared statements? no dice. escaping strings? not even. They're basically just as easy to PWN by a script kiddy who's known about SQL injection for 5 minutes.

Hell, one particular webmaster only seemed to know HTML4 (with like, font tags everywhere, all "written" using click-n-drag in dreamweaver, tables for everything, no css at all, etc). You think he's even remotely qualified to secure web apps? But then again, there just didn't seem to be a way to fire him (nor did they seem to want to). Perhaps it's the crappy pay, but something just seems to attract mediocrity.

Re:*facepalm*

[deraj123]

This raises a question that I've wondered for awhile - is there any good reason to NOT use prepared statements and bind variables? I mean, even if I'm required to generate a query on the fly, I still use a prepared statement. It provides a nice separation of "code" vs "data". Recently I was attempting to explain to a relatively novice programmer what a SQL injection attack was (her application had been flagged by a scanning program for potentially having them.) We went round in circles, until I realized that she had never considered building queries dynamically - and used prepared statements for everything. I was rather surprised - it seems like it's normally the other way around.

Re:*facepalm*

[AmaDaden]

True but we can blame the language for encouraging the developers to be incompetent. This will bring up the "They should learn how to do it right and not depend on the language" argument. I currently do Java web programing (JSPs not applets) and I experience both ends of this. Since Java does fantastic memory management and clean up people are constantly not having their code clean up after it self. On the other hand the strong existing structure for JSPs prevent a lot of possible security issues by giving us easy ways to do things securely so we don't have to whip up something that could have a very stupid flaw like this one.

All languages have their good and bad points. Not encouraging the coder do things the right way IS (I think) a bad point.

Re:*facepalm*

Yeah, that's pretty much what he's doing: PHP allows incompetent developers to "get stuff done." You can either take that as: "PHP empowers the common man, and it's lame that elitists spit on such a great tool," or as "It's a bad idea to have so much power with so little discipline; this is why we don't let strip miners use nukes."

It all reduces to the old-as-dirt concerns about power: You want the good guys to have it and the bad guys and fools to not have it. Then the libertarians come in and s ay it's ok for fools to have it, as long as they either can only use it on themselves, or the rest of us have power against them when they make a mess. And here's the real problem: the government was putting lots of power into the hands of people who didn't know what they're doing.

So don't blame PHP. But do blame people who are able to fuck other peoples' lives up (government) for using it.

Re:*facepalm*

[ivan256]

I disagree with "very difficult to do it the right way"... If you know what you're doing it's only moderately more work.

Java, Perl, and Python all make it easier to do it the wrong way than the right way too. Simply because the wrong way is less work than the right way in almost every aspect of these types of problems.

(The above paragraph is also true for performance)

The parent to your post is spot on. Don't blame the tool because the user is an idiot. The incompetent programmer from this article doesn't have any business doing web development in any other language either, regardless of how much "easier" that language makes it.

Re:*facepalm*

[bcdm]

And that's what basically happened here (except the catalyst for change was information that could be used against THEM instead of against YOU). According to TFA, when the Department of Corrections was first told about this, they took the sites down for "routine maintenance". When the sites came back up, the SQL query was STILL in the URL. The only difference? They changed "social_security_number" to "Social_security_number", apparently thinking that was all the protection that sex offenders required.

Their tune changed quickly, however, when the author of TFA pointed out that not only was the sex offenders' information available, but so too was the information of the EMPLOYEES. Site got shut down pretty f#&^in' fast after that.

Re:*facepalm*

[jsebrech]

I quite frankly dislike intensely, but it's taken over the world, unfortunately, despite much better languages like Python being out there.

Python, in this case, wouldn't have made a difference because it wouldn't have prevented SQL injection attacks. You can concatenate together your query from GET arguments in any language.

Re:*facepalm*

[PhrostyMcByte]

The only problem with permissions is that the very people who should use them the most are typically equally ignorant about permissions as they are horrible in coding.

Re:*facepalm*

[ivan256]

If you don't understand this type of attack, it is just as easy, and just as likely for this type of thing to happen in a Java backed web app. It's really easy, actually, to have these things creep in to an application if you've got programmers who don't consider security. You just wouldn't think of doing things that way because you know better.

Security features don't work if you don't know to (or why to) use them.

Re:*facepalm*

[plague3106]

No, I think you're pretty much spot on. I almost left web development because of ASP, which is basically PHP but using VB keywords. I was glad when Asp.Net came to save MS project teams from that horrid language. Why anyone seriously considers script a good way to build an application is beyond me.

Re:*facepalm*

[sl0ppy]

This raises a question that I've wondered for awhile - is there any good reason to NOT use prepared statements and bind variables?

funny you should ask. some databases have a limit on the number of prepared statements that it will keep compiled, and using it all over will negate some of the gains on your larger queries.

as for bind variables, in general, i would never think to not use bind variables - then there's the exception that proves the rule:

a couple of years ago, i was working for a decently sized public company in the entertainment sector. we had a fairly good-sized data-warehouse, and once the schema was set up correctly, and we were getting correct partition elimination, there was still a query that was performing in the hundreds to thousands of seconds instead of less than 5. when run in sqlplus (this was oracle 9i, running RAC), the query would return almost instantly.

the application had been designed to use bind variables the whole way through, but in this query, the cost-based-optimizer was generating a horrible plan and caching it. the only way to get around it was to eliminate the bind variables and generate the query dynamically. we did some serious data scrubbing, but it worked, and solved the problem. it was an obscure bug in oracle 9i.

Re:*facepalm*

[MightyMartian]

Yes, in this particular incident, there's no language on earth that would prevent using a URL string to hold a SQL query.

Re:*facepalm*

Idiots are the worst thing that ever happened to web development. Idiots reinvent the wheel every time they come across a problem. There are a number very well-engineered CMSes written in PHP. Idiots avoid them because they can't be bothered to learn someone else's code.

Re:*facepalm*

[MightyMartian]

When I took computer science courses in high school (back when they used TurboPascal, still one of the great languages), we were taught by our instructor that any language can be used to create good and bad code, but that some languages had something of a psychological effect on the programmer, encouraging either good or bad coding.

For me, at least, the biggest problem with virtually all scripted languages is the weak typing and the automatic casting between types. Even when I was forced to code in VisualBasic, I always worked in declaration mode and always strongly typed my variables. Yes, it does mean doing some extra work, but it's worth it, not only in debugging, but also in aiding in readability of the code (I invoked some naming conventions, so that if I saw sName, I knew I was dealing with a string, or iNum for an integer, and so forth). PHP has no such mechanism, and while it can be simulated, it's like my old instructor said, some languages lean towards a certain psychological mode, and PHP is bad bad bad bad bad that way. I really do loathe it because it makes using sound practices difficult, just like old interpreted BASIC used to.

Re:*facepalm*

but because it's on the web, no one seems to consider it software development

This is the real problem, not PHP. PHP is fairly easy to learn, so it tends to have the most bad code, but the real issue is that companies (and governments, apparently) that hire their high school aged nephew to do web-dev, because "hey, it's just pictures and text files. How hard can it be?".

I've worked for lots of companies that go out of their way to hire the beast and the brightest in Java/C++/whatever development for their main products - with top-end machines and the latest and greatest IDEs, full-on QA resources, requirements documents, code reviews, well planned-out delivery time-lines and the whole nine yards.

Then, when it comes to their e-commerce site or "web-version" product, it's usually all left the lone web resource (me) -- hired as the "super fix-it guru" only after their first web-dev guy fucked up the works due to stress/incompetence -- has to make due with a pirated copy of PhotoShop and whatever shareware text editor I was able to download on a 6 year old hand-me down computer; given insanely tight deadlines (invariablly over a weekend) to pull magic out of my ass from a PSD mock-up they paid a designer way too much money to produce.

Don't bitch about PHP. Bitch about idiot managers who refuse to treat web-dev as real dev work.

Re:*facepalm*

[jd]

6,000 year old topsoil is pretty old.

Re:*facepalm*

[Sancho]

There's also always some database overhead involved in creating a prepared query. If you're only going to use the query once, it may be that performance will be faster to build the query on the web server.

Generally speaking, I'd rather sacrifice database performance for security, but the manager doesn't always agree, does s/he?

Re:*facepalm*

so do you have any openings?

Re:*facepalm*

[Valdrax]

Don't blame the language because the developers are incompetent. Yeah. And C contributes absolute nothing to memory leaks or buffer overruns. Nothing at all.

Re:*facepalm*

[Skylinux]

PHP has got to be one of the worst things that ever happened to web development. Let me guess, you are the type of person blaming a gun or gun manufactures when you shoot yourself in the foot....

How is this PHP's fault? Any wannabe programmer can write crap with any language, ANY language.

BTW, my gmail password is XyZbh*Dfi6fjG8sf ...... damn gmail, why did they not protect me from posting my password online, this has to be gmail's fault!!!!

Re:*facepalm*

Hey brainiac, if you're going use a non-sequitur to bash a whole state, then maybe you should at least get your facts straight. HB 2211 which passed the Oklahoma House (with a Republican majority) never got to the Senate floor because it was killed in committee.

And BTW, this odious piece of legislation did not originate in OK, it was copied, word for word, from a bill that was passed and became law in Texas, a place that has a LOT of technical people living there. In fact, this legislation, which is being pushed by the religious right, will probably end up being voted on in the state where you live, since I doubt that there is one state that doesn't have at least one fucking religious right nutjob as a member of the state legislature.

Re:*facepalm*

[OpenGLFan]

Yes, and:
Lumber and bricks make it very easy to build something that will fall on you and very hard to make a house.
Steel and wire make it very easy to build something that will snap and kill thousands and very hard to build the Golden Gate Bridge.
The solution is not to build the world out of Nerf. The solution is to keep Nature's fry cooks out of skilled labor jobs.

Re:*facepalm*

Actually, take a look at ok.state.gov/registry/access&sql=TABLE%20DROP%20ALL

Re:*facepalm*

[AmaDaden]

I'm not saying that JSPs are secure by default or that PHP is hard to secure, but that to make something that is so blatantly insecure (the SQL was in the damn URL!) would not be the easy to write it in Java. Putting code to do any kind of logic on the page it self is a pain in ass with JSPs compared to putting it in a servlet. So having a JSP page create the SQL on the fly would be avoided by anyone who knew any thing about JSPs at all.

The only way to know for sure if they would have made the same mistake with JSPs as they did with PHP would be to get some equally stupid JSP programmers and have them make the same page.

Re:*facepalm*

[MightyMartian]

If I keep getting someone else's shitty PHP code thrown at me, there will be one soon.

Re:*facepalm*

[jsebrech]

PHP has got to be one of the worst things that ever happened to web development.

This particular site was coded in java, so PHP was not at fault here. I don't know what got you onto the topic of PHP.

The problem is that when these projects come up, rather than contracting out to someone who knows what they're doing, or at least hiring or training somebody who can code, they go to Bob the IT guy

Software development has always been rife with contracts that go to the lowest bidder based on a spec that mentions only features and deadlines (not security, quality, or other metrics). This is because most IT projects are managed by people who don't understand IT, and who do the IT equivalent of asking their neighborhood carpenter to build the golden gate bridge. You get what you pay for.

I know I sound elitist here, but goddamn it, PHP and all those lovely little scripting languages have unleashed a disaster on the web.

If PHP didn't exist, someone would invent it. PHP fills the niche of an environment that lets you get up and running quickly with web applications, just like visual basic did it for windows apps, and access did it for databases. Yes, it's a bit elitist to say that all programming environments should be so difficult to program in that they weed out all but the most dedicated (and knowledgeable), but it's also unrealistic, because people would invent easier environments if there weren't any. PHP is actually quite good at blending the capability for quality coding with a low barrier to access.

And besides, the problems with web app security have nothing to do with PHP or any other scripting language, they have to do with visibility. Think about how many two-tier desktop apps there are that let anyone with a bit of knowledge bypass the app and do whatever they want in the database. Nobody makes a fuss about this, because the visibility of those apps is lower.

I would say the primary problem with web app development is not any of the tools, but the perception among IT managers that web app development is simpler, and requires less skill, than desktop development, while the inverse is true. I do both desktop and web development, and it is much more difficult to build good web apps, because you have to pay more attention to architecture, security, performance envelopes, and gui design. That management (even my management) still doesn't understand that is disappointing, but understandable given how the web started out as a toy and still hasn't quite shaken that perception.

Re:*facepalm*

[ivan256]

You *can* instantiate new Java objects, and run methods on them from a JSP, and pass form data as parameters. It's ugly, and non-obvious, and anybody who does it should be shot, but I've seen people who don't know better do it (and cleaned up after them, and saw to their removal from the project). It seemed like a reasonable thing to do to them, and they didn't know the right way to solve their problem.

I'm guessing that it was more work for these guys to actually take SQL from the client than it would have been to do it in a more secure fashion, even using PHP.

Re:*facepalm*

[randyest]

I thought it was kind of odd that he linked his own, un-cited journal post at a source for his claim. No big surprise it turned out to be false; thanks for clearing that up AC.

Re:*facepalm*

[Deanalator]

Unfortunately, pretty much every intro to SQL book I have looked at encourages the use of command strings. People get used to them, and then interacting with a SQL database becomes equivalent to string parsing, which they all learned how to do in the last book.

You would be surprised what you can find grepping for cmd_str, command_string, cmdStr, etc. Please developers, parametrize your variables. This won't prevent all attacks, but there is NEVER an excuse to use command strings, especially when you are doing any sort of string manipulation on it.
http://en.wikipedia.org/wiki/SQL_injection#Preventing_SQL_Injection

I work in product security, so I am often the first security pass for code as it comes from the developers. It still shocks me that senior level database engineers express scepticism that an attacker would go to all the trouble to manipulate POST data, and tell me that they have never heard of SQL injection.

As a fun side note, it has given me multiple chances to email out links to xkcd 327 :-)

Re:*facepalm*

[QuoteMstr]

At least for our (ugh) PHP applications, using prepared statements required twice the number of round-trips to the server. We just wrote our own library that does the same the same kind of escaping on the client side. For example,
$res = db_query("SELECT name FROM person WHERE age >= ?", 65);

or for a slightly more complex example,

$people = db_query_dl("SELECT name, age FROM person WHERE zip IN ([zips])",
                                              array('zips' => array('90210', '10005', '12345'));


(db_query_dl queries the current global database and returns a list* of dictionaries* containing the results of the query.)

The library parses the SQL and ignores substitution parameters inside literal strings,
and automatically converts x=? to x IS NULL if the substitution parameter is NULL. (The correctness of that conversion is debatable, but it is undoubtedly useful.)

Come to think of it, there's no reason we couldn't open-source this library if there's any interest in it.

* though it's a purely conceptual difference in PHP, where lists and dictionaries are the same type

Re:*facepalm*

[Deanalator]

What I think really needs to happen, is ISO 17799 (or something similar) needs to be made public, clarified for practical usage, required for all government offices / registered businesses, and enforced.

They could have pulled a kid off the street that would have found this flaw for 50 dollars and an ice cream cone.

No one needs NSA style airgaps, or firewalls that will fry the attackers eyeballs out etc. The problem is that fuzzy line between 0% secure, and 100% secure. Managers know that they aren't going to hit 100%, but there are no solid standards for what they do need to protect.

PCI DSS (http://en.wikipedia.org/wiki/PCI_DSS) is a good example of defining practical security. If they were storing credit card numbers in that pedo database, it never would have gotten broken into.

Re:*facepalm*

[profplump]

Come see me when you re-write java or perl to be self-hosting. Until then you're using C, regardless of how snobbish you are toward the language used to determine where malloc() and free() are called when your memory-ignoring code is executed.

Either that or kidnap Ulrich for long enough to let us put some reasonable string-handling functions into glibc.

Re:*facepalm*

[QuoteMstr]

You only win slightly with server-side prepared queries, and that's only if the prepared queries are cached, not prepared once and thrown away.

Re:*facepalm*

[QuoteMstr]

Hear, hear! When we hire, I'm involved in the interviewing. One of the first questions I ask every candidate is, "can you please describe a SQL injection vulnerability for me?" It's depressing that most candidates have no idea what I'm talking about and stammer out a half-baked answer. The one who had a clue as to what I was talking about excited me, until he told me the solution was to look for "SELECT", "UPDATE", and "DROP" in user strings and signal an error if they're found.

No!

Just escape the damn things and you never have to worry about the actual contents.

Re:*facepalm*

[Heembo]

The one who had a clue as to what I was talking about excited me, until he told me the solution was to look for "SELECT", "UPDATE", and "DROP" in user strings and signal an error if they're found. DOH!

Blacklist validation is BAD. Use whitelist validation (for XSS and others exploits) in ADDITION to using parametrized queries with bound variables for SQL injection protection.

Parametrized queries ALONE are not enough. I've seen programmers (in Java) use the PreparedStatement class but still build their entire SQL statement via string concatenation and just slam it through the PreparedStatement. The real trick is, again, parametrized queries with bound variables.

Re:*facepalm*

[QuoteMstr]

I've seen programmers (in Java) use the PreparedStatement class but still build their entire SQL statement via string concatenation and just slam it through the PreparedStatement.

That just supports the old adage that as soon as you make something foolproof, the universe will go create a bigger fool. You'd think using the parameterized query facility would be easier that building one yourself, so this novice programmer wouldn't go through all that trouble. I guess not.

As far as blacklists go, though, I find it distasteful to limit user input except in ways that are absolutely necessary. I've seen too many "Jill & Jane's Craft Shop" managers get fed up go elsewhere. I think quoting, whether automatic (preferably) or manual, is sufficient.

Re:*facepalm*

[webrunner]

In Oklahoma, the age of the earth is 6000 years. Nuff said. At least until someone hacks into the database to change the number

Re:*facepalm*

[Heembo]

Programming is not supposed to be easy. Many online docs show how to use use ParameterizedQueries properly. No language is foolproof.

Also, quoting of user input is never enough. If you are going to accept all user input, you need to, at least, do full HTML Entity encoding before you place the data in the database in order to prevent all attack categories.

And even then, it's dangerous to do anything other than whitelist validation. Accepting all user input is foolish.

Re:*facepalm*

I'm sure it's entirely *possible* to write (somewhat) sane PHP, but it seems like it would take far too much effort to ever be worth it. PHP is riddled with glaring inconsistencies and missing features, and for the life of me I have yet to find a single redeeming quality.

And this is coming from a Perl guy.

Re:*facepalm*

[QuoteMstr]

I disagree. Nothing in the database should be HTML-encoded, or otherwise encoded. The entity encoding should take place on the display side, no matter where the data actually come from. Leaving encoded data in the database makes querying it by hand that much more difficult and subverts part of the purpose of having a database in the first place.

Re:*facepalm*

[Heembo]

Then you leave yourself open to XSS attacks. You do not want to leave XSS attack code in your DB. Log management tools, web database tools and other possibilities may cause non encoded data to be executed when you least want it to. If you do not whitelist, and you do not encode, you are screwed. This is just AppSec 101.

Re:*facepalm*

[QuoteMstr]

No, leaving unencoded data in the database does not leave one open to XSS attacks, tools or not. If a tool dumps unescaped HTML to a browser, it's broken, and needs to be fixed. And when it's fixed, you'll just see double-escaping with your scheme. Putting encoded data in the database ensures that every tool that uses the database remains broken in exactly the same way. The cure is worse than the disease.

Re:*facepalm*

[Heembo]

No, leaving unencoded data in the database does not leave one open to XSS attacks, tools or not. If a tool dumps unescaped HTML to a browser, it's broken, and needs to be fixed. I the real world, with large enterprises, using old "broken" tools is common. A broken legacy tool causing a large vulnerability is still a vulnerability. You are correct in the ideal world, but the reality of "large enterprise computing" dictates more intelligent behavior.

Re:*facepalm*

[tompaulco]

This is after all the state where students don't even have to know the age of the earth to pass earth science!
So what. I don't think we should give that much credit to a student who is able to recite the age of the Earth according to whichever theory their particular textbook happens to follow. What they should know is that there are many theories about the age of the Earth, and none of them is probably within 100 million years of being right.
Blind faith is blind faith regardless of whether it comes from a Pastor or a high school textbook.

Re:*facepalm*

[QuoteMstr]

I suppose reasonable people can differ on this point. At least we both agree that the user should never see unescaped data, which is something too few people even think about.

Re:*facepalm*

[Heembo]

Just to acknowledge your point - if I had a small company where I had tight control of the software engineering and operations processes, I back your comments. If I was responsible for a fortune 50 type environment, I'd rather have the data encoded right away. I'd rather see ugly double-encoded web pages than have to explain why an admins account was hijacked.

Re:*facepalm*

[geekoid]

I'm just touchy. Ever since I took a government job, I have seen the most knowledgeable, professional and concerned people I have ever worked with.

All this, And I work 4 10s.

In short, I hate that Stereotype.

Re:*facepalm*

[TheSpoom]

Haha, I'm sure this was a joke but we're just a three-man team right now and that won't expand until we get the first launch out the door. Besides which, this is a personal project of mine (ours), so I'm not able to pay anyone until the game itself starts becoming profitable.

I'll probably be looking for beta testers once it gets to a certain point though. :^)

Re:*facepalm*

[Valdrax]

Hey, I'm primarily a C/C++ programmer. I'm just very personally aware that the language doesn't protect you from shooting yourself in the foot repeatedly.

Automating some things just makes life easier.

Re:*facepalm*

I blame the "learn SQL in 5 minutes" tutorials for teaching the bad practice. It's bad enough when people copy and paste example code, worse when they copy incorrect example code.

Re:*facepalm*

[MightyMartian]

Hey, I'm primarily a C/C++ programmer. I'm just very personally aware that the language doesn't protect you from shooting yourself in the foot repeatedly.

Automating some things just makes life easier.

I'm not denying that. Bad code can be written in any language, but there are some languages which certainly seem to encourage it, and PHP is just such a language.

Re:*facepalm*

[martinQblank]

Unless I'm missing something, the URLs at the Oklahoma site indicate they used Java (note the big '/servlet/'). Not sure why PHP qualifies for this level of abuse in this article. And yes, I am a PHP developer who probably writes a bunch of code that is horribly sloppy, insecure, and difficult to debug. But I'm doing my best to improve my skills -- just like everyone else here when they started out.

Re:*facepalm*

[MightyMartian]

Well, I actually took old-fashioned coding courses, where the instructor was a flow-chart comment Nazi who wouldn't even accept any assignment unless there was a flow-chart and pre-code documentation and plan, and if the code wasn't fully documented. Then he'd mark you on the quality of your code. I think the level of detail he required was unnecessary, but it did teach not only the importance of decent code, but of good general practices, including plotting things out before you hit the IDE and began throwing code in.

We all sacrifice those good practices if we're doing a twenty line Perl script to translate some comma-delimited data into SQL statements, but if you continue quick-and-dirty into larger projects, particularly with a language like PHP which easily allows such bad practices (as I said, it's the BASIC of the Internet era, except that most variants of the old BASIC interpreter at least had some reasonably strict typing, even if everything else about the language resembled retarded Fortran).

As I said, probably the biggest problem with web development, overall (and regardless of language involved) is that it is not considered a proper application environment, despite (as someone else pointed out) it in fact being one where rigorous practices are even more important, due to the wide usage a web app is going to get.

For me, other than my long-standing hatred of weak typing and lax casting, I really think the PHP community needs to fix the libraries. What a fucking mess. It's like seeing a decent looking house with a nice yard, but then walking inside and seeing uneven stairs, leaning walls and three doors into the kitchen.

Re:*facepalm*

php5.2.5+suhosin-patch

Re:*facepalm*

[jsebrech]

So what. I don't think we should give that much credit to a student who is able to recite the age of the Earth according to whichever theory their particular textbook happens to follow. What they should know is that there are many theories about the age of the Earth, and none of them is probably within 100 million years of being right.
Blind faith is blind faith regardless of whether it comes from a Pastor or a high school textbook.

Except that the geological age of the earth is not based on blind faith. It's based on reasoning and observations that anyone can follow and double-check for themselves. This contrasts starkly with the 6000 yo claim, which is in fact based on blind faith, and has no other evidence than "because I said so".

This is what the flying spaghetti monster teaches us: once you open the door to every theory (regardless of supporting evidence), you open the door to madness, and might as well give up trying to get anything done.

Re:*facepalm*

[seftonde]

OpenGLFan - I love your quote. I would like to post it on my wall at work. May I have your permission to do that, and your name so I can give proper credit? Please email me, Daniel, at seftonde@ct.metrocast.net. Thanks! D

Re:*facepalm*

actually we might be a really good match for each other because despite being an American with a US education, I'm currently working in a third-world country where my wage is a couple of bucks per hour. Of course rent and other costs are almost nothing either :). Anyway throw an obfuscated e-mail address at me and I'll write you.

Re:*facepalm*

[cduffy]

Generally a good point. OTOH, if one can standardize on use of templating languages that do automatic output-side escaping (Genshi comes to mind), the whole thing should be pretty moot -- and one thing I understand Fortune 50 companies to be pretty good at is managing process and internal standardization. (Wouldn't know firsthand, haven't worked for one yet -- will RSN, as my current employer is in the process of being purchased).

Added to list

I wonder if anyone put this paedophile abuser of children on the list.

Re:Added to list

Get over it already. That act got old like 2 or 3 years ago.

Re:Added to list

So I said to my girlfriend, "I am not a pedophile! But that is a pretty big word for a 10 year old."

Re:Added to list

Stealing jokes from SNL is teh lame, man.

Re:Added to list

Nice rip off of SNL hosted by Ashton Kutcher. AMY!

Re:Added to list

[Sancho]

Eh, that joke's been around for longer than that.

Re:Added to list

SNL stealing jokes from the public domain is lamer.

Re:Added to list

Solidarity with my brothers in the GL movement.

Tuttle

Perhaps the ODOC is managed by former Tuttle, OK city manager Jerry Taylor.

Someone Should Go to Jail for this...

... or get there name put on the list.

wow

[aeskdar]

Seriously though someone should go to jail for a mistake like this, either that or get there name put on the offender list!

Re:wow

[Silver+Sloth]

Putting aside natural feelings of outrage and injustice exactly what offense with an associate jail term have they committed? I'm not sure about the US, I'm a Brit, but over here offenses under the Data Protection act don't carry jail terms.

Re:wow

[BlowHole666]

Why? In most cases you are protected from liability and your employer is the one to blame. You may get fired from your job, but you will not get sued. For example my wife works at a school and someone told her they were going to sue her. She notified the principal and the school district took care of it. So no this person should not go for jail they should be fired and the employer should give a bad referral.

Re:wow

[jmichaelg]

Going to jail is a bit over the top. Losing their job is what is called for.

However, if Oklahoma has problems similar to California, then they're faced with a Hobson's choice. They can fire the guy/gal but given the low pay scales, they could well end up with someone just as bad.

Re:wow

[BobSixtyFour]

Someone should have put George Bush on the offender list...

Re:wow

[pilgrim23]

oh but THINK OF THE CHILDERN! What matter if half the state of Oklahoma, portions of Texas, Missouri and all of Southern California end up on the list? If just one child is saved is that not reason enough to ruin the lives, futures, and family of millions? Besides, to fix this mess will require hiring a few thousand more gu'bmint pencil pushers! Thank Mog we have a government that CARES!

Re:wow

I'm a Brit, but over here offenses under the Data Protection act don't carry jail terms.

Actually, certain offences related to disclosure of data do carry jail terms in the UK. In theory, a government employee disclosing someone's spent criminal conviction (or a current conviction to someone not entitled to know) can be jailed, though I've never heard of it happening.

Re:wow

[jamstar7]

Along with Cheney, Rumsfeld, Wolfowitz, Rice, and the rest of the 'Usual Suspects'.

Woulda made a great April Fools prank...

Re:wow

[moderatorrater]

Going to jail is a bit over the top How so? At the very least we know that for the last three years they granted access to thousands of social security numbers and medical records to anyone with internet access and rudimentary skills in sql. This isn't a situation where they made a small mistake, that on one of their report pages they didn't sanitize the 'sort by' field and they got burned. This is the absolute worst mistake that a programmer can make. The programmer should be charged with facilitating identity theft, and everyone in the state's employ whose responsibility was to make sure the site worked. They didn't do any security testing at all.

I know it sounds like a lot for making a mistake, but for someone in the web development business, this is a hole you could drive a truck through and the person who made it had to be so inexperienced or malicious that it should have been caught by someone above them. It's really hard to overstate how bad a programmer has to be to give the public complete database access like this.

Re:wow

[Etherwalk]

Yeah, but if this guy messes up again, the state can't claim they didn't know how bad he was--they're now aware of his incompetence, which probably increases their liability the next time he screws up. Keeping him might be the right thing to do if they can make sure he learns from it--but it's probably the wrong thing to do from a risk-management perspective.

Re:wow

[Psmylie]

While I agree that whoever is responsible for this should be fired (and it may not be the person who wrote this, it could be the boss who pushed to have this released before it was ready), I think that people are too quick to fire folks who make mistakes these days.

People learn from their mistakes, and the money spent on damage control and cleanup can be seen as paying for that employee's education, in a way.

I mean, what would you prefer, to fire the person who made a mistake and hire someone with unknown qualifications who may end up making the exact same mistake again later, or keep your already trained employee who was so burned by this mistake that s/he will NEVER make the same mistake again?

Re:wow

[MightyMartian]

The biggest problem, from what I can see, is that there's still this divide between the older fields of developer and technician/admin. Tech and admins know some basic scripting, but are never taught sound practices, which to my mind is a huge mistake. Maybe that made sense ten or twenty years ago when a sysadmin would be restricted to shell scripts and working with awk and the like, nothing over a few dozen lines. Now IT departments are getting requests for what amount to actual application development, but they have no meaningful training in that area.

Re:wow

[dosun88888]

I'm typically all for getting people out of jobs that they're obviously unqualified for, but these days they'll just be replaced by some other idiot that will do the same sort of thing next year.

At least this guy won't make this specific mistake ever again, and will likely be more careful with other implementations in the future. That can't be said for his likely replacement.

Re:wow

[MightyMartian]

This is a rather unique situation. The nature of the mistake indicates an extreme degree of incompetence. I've never seen anybody put SQL queries in URLs, and I've seen some pretty sloppy code. This is bad with a capital B, and, particularly in this age of security compromises big and small, I really question the smarts of someone who would do something like this, because it raises the question of what other things have they done that were equally bone-headed. At the very last, I would want an audit done.

Re:wow

[yuna49]

This is an official government list of alleged "sex offenders," not a list of people with parking tickets. Developers tasked with providing public access to such sensitive information, and the people who employ and direct them, should be adhering to the best practices, not the worst practices as in this case.

The real issues are that

(a) No one in the OK government probably cared much about the privacy of these "sex offenders" because, well, they're "sex offenders."

(b) Government agencies are constantly tasked by executives and legislatures to implement programs they're ill-equipped to handle and often receive no additional funding to carry out these mandates. Do you think the OK agency involved had tens of thousands of dollars to hire outside contractors with solid coding skills to undertake this task? Probably they handed it to someone in house who knew how to write SQL queries and a little PHP.

I'd fire the lot of them, including the department heads, and start over with people who have at least some clue about good IT practices. If this fiasco was actually the product of an outside consulting shop, I'd ban them from working for my state government for a very long time.

If we don't have substantial and public penalties for poor management like this, we're just going to be repeating our mistakes.

Re:wow

[yuna49]

One other thing. I wonder if the OK legislature will launch an investigation into this fiasco, or will they avoid the problem since the people on the list were, after all, "sex offenders." I'd like to see the head of the Department of Corrections be grilled on why this happened. Unfortunately any legislator who might broach the subject would probably be labeled as sympathetic to sex criminals.

Re:wow

[jmichaelg]

Keeping him might be the right thing to do if they can make sure he learns from it--but it's probably the wrong thing to do from a risk-management perspective.

Perhaps you're focusing a bit too much on the developer here. The mistake is so egregious that it suggests a first-year programmer produced it. If that's the case, the person's manager is responsible to see that they got adequate security training before putting her/him on a project where their code would be exposed to the outside world.

Secondly, the fact that the code didn't even undergo rudimentary testing to ensure the obvious holes were covered speaks to an organizational issue - something the manager is responsible for. The manager knows this and as a consequence will probably try to cover the situation up as much as possible so the manager doesn't get fired along with the developer.

Slightly off-topic, but I'm curious how many organizations would have caught this error before the page was published. Does your organization have security and testing policies in place such that this error would have prevented the page from being released? Or are you solely responsible for testing and securing your own code?

Re:wow

[Etherwalk]

Good points, though I think even a first-year should know better.

Solely, but as I'm not coding for part of an organization at the moment, that doesn't really mean much. =) Does yours?

Re:wow

[Psmylie]

Oh, I agree, and I believe that all those responsible for this should, at the least, be fired. All I meant in my post was that I've noticed corporate culture swinging more and more towards a "mess up and get fired" policy, and I disagree with that.

An example I can think of from my own experience was someone misreading an instruction and installing software on the wrong server, royally screwing up that server (which, naturally, had some critical apps running on it...). We had our backup up and running within an hour, and the original server working fine by the end of the day, but it was pretty high-profile

The man got fired for it, but I think he should have gotten a written warning and sent back to work. He felt bad enough about it that I seriously doubt he would have ever made the same mistake again.

Re:wow

you know there is an alternate solution to this, right now texas is petitioning the supreme court to execute child sex offenders http://www.dallasnews.com/sharedcontent/dws/news/texassouthwest/stories/041608dntexrapists.696df49b.html

Re:wow

[radiotone]

Some commented below TFA who claims to know the situation, and said the programmer was a contractor. Hence, no real firing possible. Jail unlikely. And are states immune from lawsuits or something (though wikipedia says political subdivisions of a state do not have sovereign immunity). Anyway, I doubt much will happen.

Re:wow

[cduffy]

Slightly off-topic, but I'm curious how many organizations would have caught this error before the page was published. Does your organization have security and testing policies in place such that this error would have prevented the page from being released? Or are you solely responsible for testing and securing your own code?

In my current employer (or at least in the section thereof I currently reside), everything gets desk-checked by at least one other person before it's checked in. They're also picky enough about hiring that I couldn't see this happening in the dev group. (In code written by the sysadmins, maybe -- but they're not supposed to be writing their own tools for just this reason; such things are supposed to be referred over as requests to dev, which go through design and peer review and QA).

Routine Maintenance

[calebt3]

...the site went down for 'routine maintenance' on April 13 2008. The Reality Distortion Field is weak with this one.

Re:Routine Maintenance

[gnick]

...the site went down for 'routine maintenance' on April 13 2008. The scary part is - I wonder how 'routine' catches/fixes like this are. If this had been noticed internally, likely they would fix it during 'routine maintenance' and issue no notification about the fact that the vulnerability had been out there.

Re:Routine Maintenance

[calebt3]

Sounds like what Microsoft does.

Re:Routine Maintenance

[rmsande]

And they still fail. Front page:

Notice To Public: &nbspIf you believe ...

SQL

enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list. Why not friend/relatives too? You know, for giggles.

Also, how could you figuratively be someone with basic SQL knowledge?

Re:SQL

[Skater]

Can't you just be happy that they used "literally" correctly?

Umm...

[Oxy+the+moron]

Without reading TFA... how do they know it was (just) 10,000 SSNs? Did they just approximate the number of entries already in the offenders list and just use that? Couldn't there potentially be more?

Re:Umm...

[FooAtWFU]

Easy. They did a SELECT DISTINCT Social_security_number FROM offenders. ;)

(yes, uppercase S. One of their first lame attempts to sanitize it tried to do a case-sensitive replacement on the string "social_security_number", but apparently the uppercase still worked...)

Re:Umm...

[megla]

Well, if it was open to running any query then...

select count(1) from offenderList order by socialSecurityNo asc

Yep, that ought to do it!

Re:Umm...

[DrJokepu]

select count(*) from offenders;

Re:Umm...

[megla]

Of course, it would have helped if I hadn't run on autopilot and put a needless order by clause on the end, but you get the idea.

Re:Umm...

[Chris+Mattern]

They knew it was 10,000 SSNs because the web site allowed them to do a COMPLETE DUMP OF THE ENTIRE DATABASE. Lock, stock and barrel.

Re:Umm...

[Workaphobia]

Weakest attempt to enumerate badness, EVAR.

Re:Umm...

[jd]

The underlying database was written in COBOL, the programmers only allowed 4 numeric digits for the key field and the database kept reporting it was full?

Get your lawyer ready....

[sam0737]

I don't see why those on the list are not suing the government for the damage...

Re:Get your lawyer ready....

[calebt3]

Get your lawyer ready. He was probably notified along with all the other offenders.

Re:Get your lawyer ready....

[ZenDragon]

Whats amusing is that the author took the time to blur out the SSN's but left the names, and addresses of the "offenders" in the picture. How much do you want to bet some overzealous reader of that article is going to be sending something fun to one of those addresses?

Re:Get your lawyer ready....

[calebt3]

That information is already publicly available, right?

Re:Get your lawyer ready....

[BlowHole666]

It is a sex offender database this is public information.

These registries also protect us from the truly unlucky offenders, such as fornicating teenagers, children who take nude pictures of themselves, and public urinators. Once you are on the sex offender list you are required to register so people know who you are. It is just one of the things that comes with being a sex offender.

Re:Get your lawyer ready....

[Digi-John]

Pretty sure you can already get the names and addresses of registered sex offenders already. That's kinda what the idea of the registry is.

Re:Get your lawyer ready....

[Gregb05]

The names and addresses were publicly accessible anyhow; that's the reason the list was on the web.
I'll also note that your name and address is public information as well.

Re:Get your lawyer ready....

[$random_var]

Whats amusing is that the author took the time to blur out the SSN's but left the names, and addresses of the "offenders" in the picture. How much do you want to bet some overzealous reader of that article is going to be sending something fun to one of those addresses? The names and addresses were already available by design to the public through the website. The problem was that the SQL injection vulnerability also revealed *additional* restricted data.

Re:Get your lawyer ready....

It is just one of the things that comes with being a sex offender. Please be more careful with your terminology. The correct thing to say here is, "It is just one of the things that comes with being convicted as a sex offender." You can be a sex offender and not be on this list (if you're not caught) and you can be a non-offender and be on this list (if you're wrongfully convicted).

I know it may seem like a small thing but it's important to remember that not all criminals are caught, and not all convicted people are actually criminals.

Re:Get your lawyer ready....

[malinha]

Another question, if only the name and the addresses were to be displayed, why were the other "restricted data" available ? Reminds me off a case that happen were in Portugal, some "big player in politics" got sued and the state asked the phone company ( PT Comunicoes) the phone record's of the politician, so they send an .xls file with more that was asked, for example, phone record's of the president, but were safely protected in a "hidden column"....

Re:Get your lawyer ready....

[MightyMartian]

Which means this site is feeding off of an internal database, rather than off of a database that has only pertinent details. That's pretty crazy in and of itself, but it's pretty common too. Just another way in which silly IT people who think because they can do the odd batch and PHP script that they're now developers. The sensible thing to do is to have a public-facing database with only the details you want seen by the public, which is updated by the master database. There's simply no reason to have SSN's on a public-facing database for anyone, government or bank.

Re:Get your lawyer ready....

[cduffy]

I think that synchronizing multiple databases is a little much overhead -- it's sane to just have a restricted view, accessing only the relevant information, which is the only thing the user the website connects as has authorization to query.

Author of WTF article made security mistake also

[joggle]

The author should have completely blacked out the SSNs rather than blur them. They are still decipherable to those that are inclined to do so. This article explains why blurring is a bad idea.

i dare someone

What someone needs to do is register a certain G. Oatse as a sex offender in Oklahoma.

Re:i dare someone

[Farmer+Tim]

What, only Oklahoma?!

how many distinct

last names?

Let me be the first to say...

[milbournosphere]

D'oh!

In all seriousness, though, this just goes to show that it always helps to slow down in order to avoid this sort of disaster. One hope s that the genius responsible for this is held accountable. 10,000 social security numbers is a lot of personal data to be throwing around like that.

Humor?

[Wilson_6500]

Who would tag this "humor"? Given the deeply-ingrained social stigma attached to being put on one of these lists, I don't really see how it's funny that one was so horribly misimplemented. Even when something is _obviously_ wrong, as in this case, it can be hard to iron out the impression that actual people get from reading these lists. What if the problem weren't as obvious as this one supposedly is? Would it still be funny?

Generally, no retraction is ever as effective as the original statement. That's probably one of the reasons why libel is such a big deal for some people--just saying "sorry, we were wrong" may not be good enough.

Re:Humor?

[Gregb05]

thedailywtf.com usually posts humorous stories. The tone of this one, however is completely different.
I agree with parent, please tag !humor if that does anything.

SSNs

[visible.frylock]

Can't read the dailywtf article, but from the summary, I'm thinking one of the biggest problems is that SSNs are on a public facing server when they don't need to be. Working in gov based IT myself, I know that Least Access is many times not followed.

Re:SSNs

[Workaphobia]

There is of course the other major point, that it is absolutely ridiculous how social security numbers are treated as sensitive information and required information in so many unrelated contexts. What idiot thought up the system of authenticating a person for credit using the same token that hundreds of other organizations use to identify that person?

Maybe in a hundred years we'll have registries of public keys and we'll all have private SS keys that are never shared with your credit card company, bank, and (if we were really lucky) government.

Re:SSNs

[Cro+Magnon]

I wish I could mod you up. As far as I'm concerned, using the SSN to authenticate people is like me using "Cro Magnon" as my /. password.

Re:SSNs

[Kredal]

dang it, now I have to go and change my password. And here I thought CroMagnon would be secure. Maybe I could change it to the same combo I have on my luggage.

Bad blurring

[Space+cowboy]

Whereas the names and addresses of these people is a matter of public knowledge, is their email address and SSN also open ? If not, despite what you may think of their actions (public urination ? Really ?), it's not fair of the site to "blur" the relevant details so poorly.

I read the daily WTF, and usually I think it's pretty good, but Alex has made his own WTF here, IMHO.

Simon

Sex Offender Lists

Maybe it is time to get rid of these asinine sex offender lists. Why are sex crimes treated worse than attempted murder? Plus, they lump rapists in with flashers (yes, they may have different levels but they still get lumped together when it comes to restrictions). So people would rather see someone try to stick a knife in their kid instead of grab their butt? Maybe, just maybe, the real reason is this nation's simultanious obsession with and fear of sex and denial of early sexual development. Of course this is the same country that can't be pragmatic when it comes to drugs either.

Re:Sex Offender Lists

[Tmack]

... they lump rapists in with flashers ...

Actually, urination in public will win you a spot there too...

Re:Sex Offender Lists

[MightyMartian]

Whether or not any particular set of crimes is worse than another set is ultimately up to the wider society. At the moment, sex crimes are right up there. In Louisiana they want to make child rape a capital offense. In general, I'm against capital punishment, so I think this is wrong (and there's also concerns that testimony from young children is notoriously inaccurate, and that it's one thing to lock up a pedophile for long periods of time, where at least you can let him out if it's discovered he didn't do it, but once you kill him, there's no going back).

I'm not convinced such published lists are all that effective. I know of no actual research that demonstrates their effectiveness, and it appears to be simply a way to further punish an offender after their release.

My other big problem with this category is that in many places it's an extremely broad brush. Yes, you get the pedophiles and rapists, but you also get gropers, peepers and flashers that, while clearly people committing some kind of crime, cannot under any reasonable standard be considered in the same league as a child molester or rapist.

The problem with a lot of these laws is that they're extremely kneejerk. Some serial rapist terrifies a neighborhood, the outcry grows, and politicians bring in harsher laws that are really not well thought out at all, but rather seemed to be designed to mollify the mob.

If you want to bring in harsh crimes to keep serious sex offenders behind bars, then sign me up. But if you want every mentally ill flasher forced into the same category as a rapist, then no, I think you're being unreasonable. It's like treating every shoplifter to the same punishments that a bank robber gets.

Minor Correction

[geekoid]

"Yeah, sure.. Time to organize the community to hassle you until you leave. Enjoy being a RICH hermit you sick pervert."

Re:Minor Correction

[cptgrudge]

I thought about that, too. But, if the antagonist in my little fiction doesn't believe that the person in question really was on the list by accident, he'd likely disbelieve any claims to litigiously sourced wealth made by the person, as well.

You know when...

[SilverEyes]

You know when http://thedailywtf.com/ picks up a story, then it is linked on /. , it's going to be an especially delicious IT failure.

It depends on the harm

[davidwr]

If you are a nurse, an engineer, or even a barber and you screw up you can lose your license and kiss your career goodbye and be sued.

Normally software developers aren't licensed, but for some things like power plant control systems they should be, because if you screw up it can kill people.

People have been shot for being on the SO list. If your incompetence lets someone put me on the SO list and I get shot, can my family come after you? That's a question society will need to answer sooner or later.

Re:It depends on the harm

[Cro+Magnon]

People have been shot for being on the SO list. If your incompetence lets someone put me on the SO list and I get shot, can my family come after you? That's a question society will need to answer sooner or later.

Keep in mind that it might not have been the developer's fault. Maybe the bosses wanted it done ASAP, and ordered the devs to rush it through without testing.

Re:It depends on the harm

[Grant_Watson]

Maybe the bosses wanted it done ASAP, and ordered the devs to rush it through without testing.

This is really so egregious that it shouldn't have needed testing; it should have been obvious to everyone involved in the project before it happened.

obligatory

im in ur sex offender database,
injectin sql.

lists should be minimal in size

[davidwr]

I know you are being sarcastic, but the bigger these lists are the more useless they become.

If every public urinator and teenager in love gets put on these lists, it's that much harder to spot the really bad guys. The same goes for the really bad people who are now harmless 89-year-old men dying in a nursing home. Get these people off the list ASAP.

If you aren't "level 3" or whatever "really really dangerous" is in your state, only the cops and those who have a proven need to know should have access to your information.

Re:lists should be minimal in size

[tompaulco]

I agree with you. As a landlord, I have had several tenants that I would have taken, but they couldn't live in my house because it was too close to a school, library or park. Frankly, sex offenders can't hardly find a place to live within the metro area of Oklahoma City. And what was their crime? Having sex with the same person again after they turned 18 but the other didn't. Oooh, how dangerous. Let's keep that guy away from the first graders before he hurts them. After all, he had sex with a 17 year old, so naturally he would want to have sex with first graders too.

Re:lists should be minimal in size

it's that much harder to spot the really bad guys

Somehow I don't think spotting the bad guys is the objective. Do I really have to pull out that quote from Atlas Shrugged?

Old problem...

I've known about this "feature" for several months after an idiot even tried to put a friend's name on the list, but apparently failed.

Why not tell anyone with authority? My past experiences with informing those in charge have not been good.

Re:Old problem...

[DanWS6]

In that case you could have informed one of those news "investigative" reporters to look into it. They would've made something happen.

Very good point about false +'s and false -'s

[davidwr]

There are many people with criminal records who pled guilty because they didn't have the money to fight it.

Prior to the 1990s if you were poor and the 15 year old girl you were dating falsely charged you with statutory rape because you dumped her, the DA probably let you cop a plea to a lesser crime. Later, that charge got added to the SO registry and you are stuck for something you didn't do.

Oh the Chaos!

[SeeSp0tRun]

Imagine how many people said:
"OMFG It was only one piss on a tree!!"

And they others saying:
"I remember something about being convicted for that" *shrug* "Out of sight, out of mind!"

If it were eldorado Texas, just one

[davidwr]

Jeffs.

The purpose of the SO list

[davidwr]

The purpose of the SO lists is to identify those likely to re-offend.

Great in theory miserable in practice.

If you want to do an offender registry right, evaluate every ex-con and create lists of people likely to commit new serious crimes.

I'd like to see likely-offender lists for:
* violent crimes including forcible sex crimes, murder, assault, etc.
* crimes involving con games/trickery of people who have no reason to know better
* financial crimes not relying on con games, e.g. bank fraud, felony burglary, etc.
* crimes against children, the elderly, and other easily-victimized groups

For each category, have a "level 1, level 2, level 3" system where level 1 means private registration, level 2 means those who ask and need to know get to see your info, and level 3 means public registration.

If a person is the reincarnation of Adolf Hitler but he's not in a position to commit new crimes, he doesn't get on the list. If a person has a single felony on his record but is deemed likely to commit one of those types of crimes in the near future, he's on the relevant list.

People change, so re-evaluate the list every year.

Re:The purpose of the SO list

[urcreepyneighbor]

The purpose of the SO lists is to identify those likely to re-offend. Hm. Good idea, but it's missing a key group: the goatse poster. Study after study has proven that this group has a recidivism rate far higher than even pedophiles.

Re:The purpose of the SO list

[Chyeld]

With respect, this would only work in an ideal society where it would be useless in the first place.

Question 1. Who determines what list you get on? If its the same people that are deciding this today, the only list with people on it will be "List 3".

Question 2. In this day and age, do you honestly think that once you get on "List 2" or "List 3" you'll ever be able to drop off? There are people out there right now, compling private databases off these lists for the purposes of ensuring these folk "never again" have a private life.

Even if you could get the people from Q1 to agree that you should be dropped down to "List 1", once Pandora's box is opened....

Re:The purpose of the SO list

[davidwr]

Question 1. Who determines what list you get on? If its the same people that are deciding this today, the only list with people on it will be "List 3". You will never have a perfect criteria. As a start, you use criteria that 1) highly correlate with measured reality, 2) reflect changes in time, and 3) are ever-evolving as information becomes better.

As a practical matter, this means any criteria we develop today will be far less accurate than the version 20 years after such a law goes into effect, simply because we will have more good data.

The criteria should be broad enough to be statistically significant but narrow enough not to bring in people who don't belong. There should also be provisions for a human override if there is clear and compelling evidence that the statistical predictor is just plain wrong for a given individual.

Question 2. In this day and age, do you honestly think that once you get on "List 2" or "List 3" you'll ever be able to drop off? There are people out there right now, compiling private databases off these lists for the purposes of ensuring these folk "never again" have a private life. The use of private databases will have to be regulated so that information that is not up-to-date or which has been sealed as someone goes from 3 to 2 to 1 is no longer disseminated. Also, if the criteria account for changes over time, then people will naturally fall off of the level 3 and level 2 lists.

What do I mean by "changes over time?" I mean as you age, as the number of years since you were discharged increases, as the length of time in your current job increases or goes to zero, as your family situation changes, as your support structure changes, as your health changes, etc., your statistical likelihood of committing particular types of crimes changes, usually for the better. For most crimes, after you have been discharged for X years, your risk is close to the "background risk" for someone in your age/income/family/support situation. X varies with the crime, with age but there does come a point where even absent court supervision you are either at level 1 or no elevated risk at all and will likely remain so for the rest of your life.

Not Entirely Unexpected

[HadouKen24]

I've lived in Oklahoma all my life, and it really doesn't surprise me that something like this has occurred. While Oklahoma City and Tulsa actually have some competent officials--Oklahoma City's recent prosperity can be chalked up in large part to a few good decisions--our ability, as a whole, on the technical front is pretty low. Really, I've just been waiting for something like this to come out. Corrupt state officials can only keep this kind of thing hush-hush for so long. I anticipate even more scandals of this kind for my state in the next few years. Especially as we move toward putting more and more information online.

The registry is stupid anyway.

[Dog-Cow]

The whole idea of having the registry is sheer stupidity, but on a scale designed to ruin innocent people.

Let's assume that a given person on the list was really a rapist (and not just convicted of it). If he's served his time and has repented, he won't do it again. So why do we punish him for the rest of his life with the registry? And if you think he will do it again, why is he not in jail?

You may as well just shoot him and be done with it.

Re:The registry is stupid anyway.

[Chyeld]

Because most people are convinced that this particular class of offenders can't be rehabilitated and therefore releasing them to the general public is a mistake in and of itself. In order to ensure that they are proven right, they have decided that the "Scarlet Letter" method of tracking these people is justifiable.

If this range of classification was limited to people who were actually offenders who were likely to commit their crimes again, then this could almost be understandable. However, and especially in conservative regions, often there are completely trivial offenses which one can commit which cause you to be lumped into this group. Offenses which, while not exactly something to be proud off, are not at all indicative of being a 'sexual' offender. Like public urination. Like mooning someone. Like being a 15 year old caught making out with another 15 year old.

The original idea was sound. There are people out there who have skewed enough thought patterns and responses that they are always at danger of commiting this sort of crime. Keeping closer track of them and preventing them from living in "target rich" environments is reasonable. Unfortunately, the implementation was flawed from the begining, and I'm not talking about this particular site but the lists themselves.

Why Would Anyone Care?

[Bob9113]

but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list.

Why would anyone care if they were put on this list?

This issue has gone to the Supreme Court and they have ruled that these lists are not punishment, and hence does not run afoul of restrictions against ex post facto punishment or due process. So if it is not punishment, why would anyone care if they are on the list?

Re:Why Would Anyone Care?

[rmsande]

Public stigma?

If someone saw your name on the list, they would treat you differently, walk on eggshells around you. It could/would potentially create a negative image of you in all kinds of people around you, including those who sign your paycheck, decide if you get a raise, prepare your food at restaurants, etc.

Re:Why Would Anyone Care?

[Damvan]

You are kidding, right?

In California, we have this thing called Jessica's Law. That law prohibits registered sex offenders from living a certain distance (usually 1000 ft) away from places children might congregate, such as schools, churches, playgrounds, parks, and in some cases, shopping centers.

So, if you are on the list, there are alot of places you CANNOT live. There are many cities in California where you can't live at all, simply because there is no place that is at least 1000 ft from the prohibited locations. If I was put on this list, I would be forced to sell my house and move as I live 1000 ft from a church. In fact, I would have to move out of the City I live in entirely as there is no residential areas outside of the prohibited locations.

Re:Why Would Anyone Care?

[Cro+Magnon]

Somehow, I don't think forcing sex offenders to be homeless makes the community safer. Stupid lawmakers!

Re:Why Would Anyone Care?

"I would have to move out of the City I live in entirely..." ...Unless you live in San Francisco, where moving out of the city would be illegal. In California, you're required to stay in the county where you were convicted. The county of San Francisco is the same size as the city and there's nowhere unprohibited to live anywhere in the city.

Yes, this really does lead to sex offenders living under bridges, where it's impossible for authorities to keep track of them.

But on the plus side, it's like a fairy tale come to life! "Don't cross the bridge at night, kids, or the troll that lives under it will GET YOU!"

missed opportunity

[kris.montpetit]

they not only leaked the personal data of tens of thousands of people, but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list

DAMN! I'll guess just have to find another way to mess with my old bosses..

And we are ...

[ArIck]

hearing it now when the site is down for 'routine maintenance'.... I wanted to add my boss to the list!

The Real WTF

[Freeside1]

TRWTF is that OK's DoC did nothing (nothing effective) to stop using SQL statements in the URL's querystring, UNTIL the author showed how manipulating the vulnerability not only put the criminals' personal info at risk, but also the employees' info.

Re:The Real WTF

[El_Oscuro]

This is the first time I saw a story posted on /. and www.thedailywtf.com at the same time!

Oklahoma? Hah! What about this?

http://www.ticic.state.tn.us/sorsql?sql=sp_SOR_IMAGE+'SO001290'&contenttype=image/jpeg

Posting anonymous for obvious reasons. Guess how I found this one? Google image search for "Richard James". I was looking for Aphex Twin and got SQL injection instead. Lulz.

I think you'd have to try to be that incompetent

[Bobb+Sledd]

I don't even know how you could test and debug such a system without inadvertently figuring out a design flaw like that.

Maybe they meant to mess it up on purpose? Sabotage? Maybe it was meant as a back door for later?

Tell me again...

[SCHecklerX]

Why offshoring to the cheapest labor monkey is a good idea?

Re:Tell me again...

[trongey]

Why offshoring to the cheapest labor monkey is a good idea? Because, since this was a state project, it was probably done by a domestic shop.

Being a resident...

[AioKits]

...let me be the first to say Welcome to Oklahoma!

Now, would one of you be so kind as to get me the fuck out of here?

"Routine" maintenance?

[Sloppy]

"Routine," as in "we clean up messes similar to this one, all the time?"

Obligatory XKCD reference

[gizmonic]

Wow, an on topic post for my all time favorite XKCD! :)

http://xkcd.com/327/

Re:I think you'd have to try to be that incompeten

[MP3Chuck]

I highly doubt it was "tested" or "debugged" much beyond "Hey look, it actually works!" ...

Delete from registration_offender_xref

I'm curious if the entire table(s) records could've been wiped by issuing the delete from or truncate table statement.

uh oh

[blakecraw]

"Why doesn't Texas float away into the Gulf of Mexico? Because Oklahoma SUCKS!"

Now, my fellow Texans, you may be worried that a leak in the hose could cause them to lose their powerful vacuum, but in fact it's only served to multiply the sucktion! We're safer than ever!

I can just feel my karma evaporating

Re:uh oh

[trongey]

Does that explain why every few years about half of the Texas legislators suddenly appear in Oklahoma while the other are attempting to Gerrymander the state?

Re:uh oh

[Mox-Dragon]

Why is Oklahoma so windy?
Because Texas blows!

Are you sure about that?

[davidwr]

It's my understanding that Goatse postings are one-off affairs, caused by Slashdotters newly infected by the loser virus. Usually this virus runs its course in short order and the unfortunate victim recovers with a shred of dignity intact, but those chronically afflicted get bored with Slashdot and move on to other things, like alchoholism, drug abuse, and eventually living on the streets. These are the very people that give most honest homeless people a bad name.

You would be suprised...

[jbsooter]

I used to work (3 years ago) at a background checking company that would pull/harvest databases off the internet if the county or state wouldn't sell it to us in bulk. You'd be suprised how many county websites have stuff like this.

There is one county in Florida that will return more results by walking thru their ID numbers than by searching for everyone in thier site. That means people who for whatever reason aren't supposed to show up on the website get harvested by companies like the one I worked at.

A county in Texas tried to stop the harvesting by making people sign in and limiting searches but managed to introduce a sql injection hole that lets you do whatever you'd like to the Users tables. I didn't try messing w/ the offenders tables but wouldn't be suprised if it was possible.

These are just two examples that I recalls. There were quite a few more.

On a more serious note

[davidwr]

The idea that pedophiles have high recidivism rates is a misnomer. Once caught, these people's recidivism rates for sex crimes is pretty low.

Maybe it's because they actually take therapy seriously, or maybe it's because they know they will be the first suspects if there are any crimes in their neighborhood, either way, they aren't a problem. The real problem are those that haven't been caught yet and those who got off on a technicality and are emboldened to try again.

If you want a high-recidivism crime, look to crimes that arise out of a person's circumstance in life, but only look at cases where "the system" did nothing to prepare the ex-con to change those circumstances or learn to live with them. Prostitution, drug abuse, theft to support drug or gambling habits, gang-related crimes, and the like all have high recidivism rates if the person is merely sent to jail to "do his time" then let go right back into the same environment he came out of, without any support system to help him stay legal.

Other high-recidivism crimes are those committed by pathological people such as con artists and pedophiles where there is no system in place to support their efforts to stay straight or scare them into staying straight. Provide the proper mix of support and intimidation and you've got yourself a recipe for success. Don't, and you turn the jails into a revolving door.

Dangerous Illusions, There.

[Valdrax]

They'll have the best technology (your) money can buy when it is used AGAINST you (e.g. Dept of Homeland Security) [...] Now why on Earth would you assume that? Do you honestly think that a government agency founded by this administration is any better staffed with competent people and supplied with well-managed infrastructure than FEMA was? (Which was under the DHS umbrella, mind you.)

Didn't DHS get a D grade on the last government security report card (compared to the government's C- average)?

Please. A government that feels that government is part of the problem has no interest in making it run efficiently.

Misplaced Blame

[Orig_Club_Soda]

I don't know if people are trying to sensationalize things or they are just plain ignorant. Oklahoma didn't put SQL queries in the URL, some lame contracted programmers did. Furthermore, its difficult to imagine that state officials would understand faux pas to even recognize the error.

Suspicious

This story looks a little off. The author talks about the original attempt at a fix where they uppercased the first letter of a field, and how he got around this by querying the ALL_TABLES view.

The ALL_TABLES view is in an Oracle database and the only way to have case sensitive field names is to use quoted identifiers, but there is no sign of quoting in his new query.

We need accreditation and liability

[QuoteMstr]

If I hire a carpenter to build my house and it collapses, the carpenter is liable. Engineers won't cooperate if management wants to cut corners on a bridge: they have a code of ethics and a body that enforces it.

Software, on the other hand, is a free-for-all today. We need an accreditation program and a code of ethics, just like more traditional disciplines of engineering. That's not to say that we'll restrict compilers to professionals; we don't reserve wrenches for professional mechanics.

But for a project that has the potential to cause so much harm to so many, a requirement to use trained and certified software engineers (with all the implications of the second word) would be invaluable.

Re:We need accreditation and liability

[mdm-adph]

And something more than those A+ certifications, eh?

Re:We need accreditation and liability

Well obviously. IIRC, it's not just a code of ethics for "real" engineers. I'm pretty sure they can go to jail if their design injures/kills people due to negligence or incompetence.

Not the only site

[reybrujo]

A quick Google search reveals many sites with similar problems. I like this one, though. You get not only the full query, but the path to the database and the database name =) Not the same, but you find idiots everywhere =)

Indecent Exposure = Sex Offender

This is a little off-topic, but my girlfriend and I considered going to one of those "couples-only" adult theaters out a curiosity and the spice things up a bit (yeah, she's really awesome). As I was researching it I found out that in Texas, if you get busted with "indecent exposure" in an adult theater you get arrested AND you have to register as a "sex offender". I was pretty amazed at how harsh/draconian that is.

You can legally go to a strip club and in some cases see completely naked girls and pay them to hump you. But if you go to an adults-only designed sex venue where exposure is generally expected and exposure yourself, you might find yourself in jail and being forced by law to tell your neighbors about it. Risking getting a ticket + fine is one thing, but this definitely seems cruel and unusual to me.

So not all "sex offenders" are rapists and pedophiles.

Re:Indecent Exposure = Sex Offender

[QuoteMstr]

Also, public urination counts as a sex offense in some areas. This is a modern-day witch hunt. That said, you sound like intelligent, reasonable people; why not move to a more liberal (small 'l') state and let your selection encourage the creation of reasonable laws?

The system is stupid.

[jd]

People can plead "insanity" on the grounds of having trouble telling right from wrong, but not on the grounds of actual mental illness. Rehabilitation is often said to be minimal to non-existant. Reports in the press frequently cover prison violence, gang warfare in the prison system and mental/physical/sexual abuse by both inmates and prison guards. Maximum security prisons are also described as being totally without sunlight (thus depriving the body of vitamin D) and essentially sensory deprivation chambers (driving inmates insane).

Whilst the system may not make a person a criminal (although there are Dickensonian arguments that say otherwise), it's very hard to see how a person can become truly repentent of their actions after such an experience. Repentent of being caught, perhaps, but where in there is a mechanism for establishing what went wrong in the first place, solving underlying issues or providing effective means for a person to not fall back into old patterns on release? The current judicial and prison systems appear geared towards revenge and retribution, not towards corrective action and prevention. In that case, it is entirely reasonable to assume that offenders will re-offend. It's possible you'd end up reaching the same conclusion on a (correctly managed) rehabilitation-oriented system, I won't argue that case, I will only argue that if the typical description of what prevails is accurate, the assumption of lifelong guilt is probably not all that inaccurate.

I have my own theories on what would work better (mostly involving dividing sentencing into two - one segment for punishment, if punishment is called for, and a distinct segment for treatment, if treatment would be useful), however such theories are never going to be tested or meaningfully examined, so in effect constitute un-disprovable hypotheses and therefore merely articles of faith no different from any other system of religious belief.

10,000 people is not so many ...

When you realize that most of them are related to each other.

Little Bobby Tables Strikes Again

Which one of you guys bad touched him?

Take it up with your Landlord's assn and lawmakers

[davidwr]

Seriously, if the Landlord Lobby tells the lawmakers that their bottom line is being hurt, the lawmakers may realize that too much thinkofthechildren hurts hard-working Americans like you.

urcreepyneighbor???

[davidwr]

Damn it just dawned on me who you are.....

Comment removed

[account_deleted]

Comment removed based on user account deletion