Slashdot Mirror

← Back to Stories (view on slashdot.org)

Oklahoma Leaks 10,000 Social Security Numbers

Posted by Zonk on from the that's-some-good-securitying dept.

DrJokepu writes "Apparently the folks at the Department of Corrections of Oklahoma just forgot to use common sense when they created the state's Sexual and Violent Offender Registry. By putting SQL queries in the URLs, they not only leaked the personal data of tens of thousands of people, but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list. Fortunately, after the author of the blog The Daily WTF notified the department about the issue, the site went down for 'routine maintenance' on April 13 2008."

21 of 245 comments (clear)

  1. Oblig. by Ethanol-fueled · · Score: 5, Funny

    (1)Hack the registry

    (2)Put your own name in the registry

    (3)Sue the state

    (4)Profit!!!


    (5) (remember to have your name removed from the registry!)

    1. Re:Oblig. by cptgrudge · · Score: 5, Funny

      (5) (remember to have your name removed from the registry!)

      This is government you're dealing with. It will never happen.

      "But, but, I sued the state and won! Look, here's my legal documents! I'm not a sexual predator, honest!"

      "Yeah, sure.. Time to organize the community to hassle you until you leave. Enjoy being a hermit you sick pervert."

      --
      Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
  2. *facepalm* by TheSpoom · · Score: 5, Informative

    This breaks my brain, even for the normally stereotypically slow, stereotypically technology-shy government (though I will say that a lot of the Government of Canada sites work surprisingly well in my experience).

    SQL queries IN THE QUERY STRING. Someone reading their FIRST BOOK on web development would know not to do that! And now God help the people who have been affected by this: try proving to the government that you're not a sexual offender when you're already on their list.

    SQL injections. Learn them. Learn how to mitigate them (a PHP-specific example, but there are similar mitigation techniques for other languages). And I mean, hell, in a site like this (and especially with programmers apparently this bad), stored procedures might be the thing to implement. Or even better, use a framework like CakePHP, Rails, or Django with this sort of sanitation built into the queries it generates.

    Ugh. I hope someone gets fired for this. I bet, though, that in reality this was programmed by the lowest bidder.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
    1. Re:*facepalm* by samkass · · Score: 4, Funny

      ObXKCDComic

      It's scary how lazy some of the web developers are. For years Yahoo used a system where their login system had the URL to go to once login succeeded urlencoded in the URL. It would have been exceedingly easy to duplicate the login page with a "Username/Password was typed incorrectly. Please try again." Then send people to the authentication page with your page as the follow-on one.

      URLs should only be able to contain sanitized field values to search on that the server composes into actual SQL, URLs, etc.

      --
      E pluribus unum
    2. Re:*facepalm* by NeutronCowboy · · Score: 5, Interesting

      Actually, for something on this scale, I'd like to see jail time for criminally negligent programming. The cost of being on a sex offender list by mistake is mindboggling - I'm on a "have a long chat with a customs officer every time I enter the US" because some data entry monkey made a mistake with my passport, and it's not pretty. I can only imagine what being on a sex offender list can do to you...

      --
      Those who can, do. Those who can't, sue.
    3. Re:*facepalm* by Anonymous Coward · · Score: 5, Insightful

      They'll have the best technology (your) money can buy when it is used AGAINST you (e.g. Dept of Homeland Security) but when they are doing something FOR you they cut corners and really couldn't care less.

    4. Re:*facepalm* by MightyMartian · · Score: 4, Insightful

      PHP has got to be one of the worst things that ever happened to web development. In the last year I've ended up with two jobs cleaning up someone else's code, and god but that language invites sloppiness on a level I've only experienced in the past with BASIC. The problem seems to be that it's easy enough to get a PHP-based page up, but the actual ability to coherently develop software isn't there. Anyone can learn to code in PHP, but only a few bother or are capable of actually invoking proper coding practices. The problem is that when these projects come up, rather than contracting out to someone who knows what they're doing, or at least hiring or training somebody who can code, they go to Bob the IT guy, who's okay at keeping the network up, and knows a bit of scripting, and who goes online and reads just enough of the PHP tutorial to be really dangerous.

      In these cases, there's little or no commenting. Some things are done as classes, some as functions, there's no particular rhyme or reason, and it became so bloated that the original coders appear to have simply given up. It's terrible spaghetti code, but because it's on the web, no one seems to consider it software development. When you combine this with security, it can create a rather frightening mix of shitty almost undebugable code with an unknown number of potential security holes.

      I know I sound elitist here, but goddamn it, PHP and all those lovely little scripting languages have unleashed a disaster on the web. It's bad enough that there's hackers out there, but much worse that there are incompetents being given the keys to the internal networks and data, without any knowledge of sound coding principles and of how to harden sites against injection attacks and the like.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    5. Re:*facepalm* by lattyware · · Score: 5, Insightful

      Don't blame the language because the developers are incompetent.

      --
      -- Lattyware (www.lattyware.co.uk)
    6. Re:*facepalm* by TheSpoom · · Score: 5, Insightful

      There are those of us out there that know how to code PHP in a sane, clear, and secure way. Unfortunately, I have to admit that there are a lot more that don't. I think one of the things you can do is to look for those that have languages like C++ and Java on their CV as well, and also for those that have a portfolio of code to review when they apply for a job. When you actually see the code, it's easy to separate the fly-by-night guys from the actual educated, experienced programmers out there.

      By the way, on a somewhat unrelated note, we're using Django for our new web game, and it's both interesting and easy to code, while still (rigorously) maintaining good coding practices. So I think there's also something to be said for those who work with frameworks like CakePHP, Rails, and Django, as those tend to both be object-oriented and to promote good coding practices.

      As I've said before, I think PHP can and should be used well; there are just a lot of ways it can be used poorly.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    7. Re:*facepalm* by QuoteMstr · · Score: 4, Insightful

      The language makes it easily, or even tantalizing, to do it the wrong way, and very difficult to do it the right way.

    8. Re:*facepalm* by ivan256 · · Score: 4, Insightful

      I disagree with "very difficult to do it the right way"... If you know what you're doing it's only moderately more work.

      Java, Perl, and Python all make it easier to do it the wrong way than the right way too. Simply because the wrong way is less work than the right way in almost every aspect of these types of problems.

      (The above paragraph is also true for performance)

      The parent to your post is spot on. Don't blame the tool because the user is an idiot. The incompetent programmer from this article doesn't have any business doing web development in any other language either, regardless of how much "easier" that language makes it.

    9. Re:*facepalm* by OpenGLFan · · Score: 4, Insightful

      Yes, and:
      Lumber and bricks make it very easy to build something that will fall on you and very hard to make a house.
      Steel and wire make it very easy to build something that will snap and kill thousands and very hard to build the Golden Gate Bridge.
      The solution is not to build the world out of Nerf. The solution is to keep Nature's fry cooks out of skilled labor jobs.

    10. Re:*facepalm* by jsebrech · · Score: 4, Interesting

      PHP has got to be one of the worst things that ever happened to web development.

      This particular site was coded in java, so PHP was not at fault here. I don't know what got you onto the topic of PHP.

      The problem is that when these projects come up, rather than contracting out to someone who knows what they're doing, or at least hiring or training somebody who can code, they go to Bob the IT guy

      Software development has always been rife with contracts that go to the lowest bidder based on a spec that mentions only features and deadlines (not security, quality, or other metrics). This is because most IT projects are managed by people who don't understand IT, and who do the IT equivalent of asking their neighborhood carpenter to build the golden gate bridge. You get what you pay for.

      I know I sound elitist here, but goddamn it, PHP and all those lovely little scripting languages have unleashed a disaster on the web.

      If PHP didn't exist, someone would invent it. PHP fills the niche of an environment that lets you get up and running quickly with web applications, just like visual basic did it for windows apps, and access did it for databases. Yes, it's a bit elitist to say that all programming environments should be so difficult to program in that they weed out all but the most dedicated (and knowledgeable), but it's also unrealistic, because people would invent easier environments if there weren't any. PHP is actually quite good at blending the capability for quality coding with a low barrier to access.

      And besides, the problems with web app security have nothing to do with PHP or any other scripting language, they have to do with visibility. Think about how many two-tier desktop apps there are that let anyone with a bit of knowledge bypass the app and do whatever they want in the database. Nobody makes a fuss about this, because the visibility of those apps is lower.

      I would say the primary problem with web app development is not any of the tools, but the perception among IT managers that web app development is simpler, and requires less skill, than desktop development, while the inverse is true. I do both desktop and web development, and it is much more difficult to build good web apps, because you have to pay more attention to architecture, security, performance envelopes, and gui design. That management (even my management) still doesn't understand that is disappointing, but understandable given how the web started out as a toy and still hasn't quite shaken that perception.

  3. Re:Get your lawyer ready.... by calebt3 · · Score: 4, Funny

    Get your lawyer ready. He was probably notified along with all the other offenders.
  4. Author of WTF article made security mistake also by joggle · · Score: 5, Informative

    The author should have completely blacked out the SSNs rather than blur them. They are still decipherable to those that are inclined to do so. This article explains why blurring is a bad idea.

  5. Re:wow by jmichaelg · · Score: 4, Interesting

    Going to jail is a bit over the top. Losing their job is what is called for.

    However, if Oklahoma has problems similar to California, then they're faced with a Hobson's choice. They can fire the guy/gal but given the low pay scales, they could well end up with someone just as bad.

  6. Re:Added to list by Anonymous Coward · · Score: 4, Funny

    So I said to my girlfriend, "I am not a pedophile! But that is a pretty big word for a 10 year old."

  7. Re:Pleeeese! by kalidasa · · Score: 4, Interesting

    READ THE ARTICLE. The same database had all criminal offenders listed - and all employees of the state corrections system. They were using an SQL query in a GET query string! You could pull up anything you wanted from the DB because they didn't lock the permissions correctly. They did a half-assed fix the first time, and only took real action when the whistle-blower pointed out that their own SS#s were accessible.

  8. lists should be minimal in size by davidwr · · Score: 5, Insightful

    I know you are being sarcastic, but the bigger these lists are the more useless they become.

    If every public urinator and teenager in love gets put on these lists, it's that much harder to spot the really bad guys. The same goes for the really bad people who are now harmless 89-year-old men dying in a nursing home. Get these people off the list ASAP.

    If you aren't "level 3" or whatever "really really dangerous" is in your state, only the cops and those who have a proven need to know should have access to your information.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  9. Re:Why Would Anyone Care? by Damvan · · Score: 4, Insightful

    You are kidding, right?

    In California, we have this thing called Jessica's Law. That law prohibits registered sex offenders from living a certain distance (usually 1000 ft) away from places children might congregate, such as schools, churches, playgrounds, parks, and in some cases, shopping centers.

    So, if you are on the list, there are alot of places you CANNOT live. There are many cities in California where you can't live at all, simply because there is no place that is at least 1000 ft from the prohibited locations. If I was put on this list, I would be forced to sell my house and move as I live 1000 ft from a church. In fact, I would have to move out of the City I live in entirely as there is no residential areas outside of the prohibited locations.

  10. We need accreditation and liability by QuoteMstr · · Score: 4, Insightful

    If I hire a carpenter to build my house and it collapses, the carpenter is liable. Engineers won't cooperate if management wants to cut corners on a bridge: they have a code of ethics and a body that enforces it.

    Software, on the other hand, is a free-for-all today. We need an accreditation program and a code of ethics, just like more traditional disciplines of engineering. That's not to say that we'll restrict compilers to professionals; we don't reserve wrenches for professional mechanics.

    But for a project that has the potential to cause so much harm to so many, a requirement to use trained and certified software engineers (with all the implications of the second word) would be invaluable.