Slashdot Mirror


Oklahoma Leaks 10,000 Social Security Numbers

DrJokepu writes "Apparently the folks at the Department of Corrections of Oklahoma just forgot to use common sense when they created the state's Sexual and Violent Offender Registry. By putting SQL queries in the URLs, they not only leaked the personal data of tens of thousands of people, but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list. Fortunately, after the author of the blog The Daily WTF notified the department about the issue, the site went down for 'routine maintenance' on April 13 2008."

9 of 245 comments

  1. Oblig. by Ethanol-fueled · · Score: 5, Funny

    (1)Hack the registry

    (2)Put your own name in the registry

    (3)Sue the state

    (4)Profit!!!


    (5) (remember to have your name removed from the registry!)

    1. Re:Oblig. by cptgrudge · · Score: 5, Funny

      (5) (remember to have your name removed from the registry!)

      This is government you're dealing with. It will never happen.

      "But, but, I sued the state and won! Look, here's my legal documents! I'm not a sexual predator, honest!"

      "Yeah, sure.. Time to organize the community to hassle you until you leave. Enjoy being a hermit you sick pervert."

      --
      Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
  2. *facepalm* by TheSpoom · · Score: 5, Informative

    This breaks my brain, even for the normally stereotypically slow, stereotypically technology-shy government (though I will say that a lot of the Government of Canada sites work surprisingly well in my experience).

    SQL queries IN THE QUERY STRING. Someone reading their FIRST BOOK on web development would know not to do that! And now God help the people who have been affected by this: try proving to the government that you're not a sexual offender when you're already on their list.

    SQL injections. Learn them. Learn how to mitigate them (a PHP-specific example, but there are similar mitigation techniques for other languages). And I mean, hell, in a site like this (and especially with programmers apparently this bad), stored procedures might be the thing to implement. Or even better, use a framework like CakePHP, Rails, or Django with this sort of sanitation built into the queries it generates.

    Ugh. I hope someone gets fired for this. I bet, though, that in reality this was programmed by the lowest bidder.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
    1. Re:*facepalm* by NeutronCowboy · · Score: 5, Interesting

      Actually, for something on this scale, I'd like to see jail time for criminally negligent programming. The cost of being on a sex offender list by mistake is mindboggling - I'm on a "have a long chat with a customs officer every time I enter the US" because some data entry monkey made a mistake with my passport, and it's not pretty. I can only imagine what being on a sex offender list can do to you...

      --
      Those who can, do. Those who can't, sue.
    2. Re:*facepalm* by Anonymous Coward · · Score: 5, Insightful

      They'll have the best technology (your) money can buy when it is used AGAINST you (e.g. Dept of Homeland Security) but when they are doing something FOR you they cut corners and really couldn't care less.

    3. Re:*facepalm* by lattyware · · Score: 5, Insightful

      Don't blame the language because the developers are incompetent.

      --
      -- Lattyware (www.lattyware.co.uk)
    4. Re:*facepalm* by TheSpoom · · Score: 5, Insightful

      There are those of us out there that know how to code PHP in a sane, clear, and secure way. Unfortunately, I have to admit that there are a lot more that don't. I think one of the things you can do is to look for those that have languages like C++ and Java on their CV as well, and also for those that have a portfolio of code to review when they apply for a job. When you actually see the code, it's easy to separate the fly-by-night guys from the actual educated, experienced programmers out there.

      By the way, on a somewhat unrelated note, we're using Django for our new web game, and it's both interesting and easy to code, while still (rigorously) maintaining good coding practices. So I think there's also something to be said for those who work with frameworks like CakePHP, Rails, and Django, as those tend to both be object-oriented and to promote good coding practices.

      As I've said before, I think PHP can and should be used well; there are just a lot of ways it can be used poorly.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
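The *facepalm* subthread above argues for parameterized queries (prepared statements, stored procedures, or a framework that binds parameters for you) over splicing URL input into SQL text. The following is an added example written for this page; it is not code from the Oklahoma site, from The Daily WTF, or from any commenter. It uses Python's standard sqlite3 module and an in-memory table with constructed rows (the names, SSNs and cities are made up), and it assumes a hypothetical search endpoint that takes a `last` parameter from the URL query string. The vulnerable function shows how a name search turns into an SSN dump via a UNION payload; the parameterized function runs the same payload as a harmless literal and also handles a legitimate apostrophe name that the spliced version cannot.

```python
import sqlite3
from urllib.parse import parse_qs, quote

# Constructed sample registry rows (not real data): last, first, ssn, city.
SAMPLE_ROWS = [
    ("Doe", "John", "123-45-6789", "Tulsa"),
    ("Roe", "Jane", "987-65-4321", "Norman"),
    ("O'Brien", "Pat", "555-55-5555", "Lawton"),
]


def make_registry():
    """Build an in-memory SQLite database standing in for an offender registry."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE offenders ("
        " id INTEGER PRIMARY KEY, last TEXT, first TEXT, ssn TEXT, city TEXT)"
    )
    conn.executemany(
        "INSERT INTO offenders (last, first, ssn, city) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def last_name_from_query(query_string):
    """Pull the hypothetical 'last' parameter out of a URL query string like 'last=Doe'."""
    return parse_qs(query_string).get("last", [""])[0]


def search_vulnerable(conn, query_string):
    """Splices the URL parameter into the SQL text: the injectable pattern."""
    last = last_name_from_query(query_string)
    sql = "SELECT last, first, city FROM offenders WHERE last = '%s'" % last
    return conn.execute(sql).fetchall()


def search_parameterized(conn, query_string):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    last = last_name_from_query(query_string)
    sql = "SELECT last, first, city FROM offenders WHERE last = ?"
    return conn.execute(sql, (last,)).fetchall()


def vulnerable_raises(conn, query_string):
    """True if the spliced query fails outright, e.g. on a legitimate name containing a quote."""
    try:
        search_vulnerable(conn, query_string)
    except sqlite3.OperationalError:
        return True
    return False


# Attacker-supplied value that turns the public name search into an SSN dump.
# Three columns are selected so the UNION lines up with the original projection;
# the trailing '--' comments out the closing quote the template adds.
UNION_PAYLOAD = "last=" + quote("x' UNION SELECT ssn, first, last FROM offenders --")

# A legitimate search that breaks the spliced version because of the apostrophe.
APOSTROPHE_QUERY = "last=" + quote("O'Brien")


if __name__ == "__main__":
    conn = make_registry()
    print("vulnerable, injected:   ", search_vulnerable(conn, UNION_PAYLOAD))
    print("parameterized, injected:", search_parameterized(conn, UNION_PAYLOAD))
    print("vulnerable, O'Brien raises:", vulnerable_raises(conn, APOSTROPHE_QUERY))
    print("parameterized, O'Brien: ", search_parameterized(conn, APOSTROPHE_QUERY))
```

The point is not the particular payload: any filter built by string concatenation lets the client rewrite the statement, while a bound parameter is handed to the database engine separately from the query text and can only ever be compared as a value. The apostrophe case shows the second benefit: correct handling of ordinary input is the same change as the security fix.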
  3. Author of WTF article made security mistake also by joggle · · Score: 5, Informative

    The author should have completely blacked out the SSNs rather than blur them. They are still decipherable to those that are inclined to do so. This article explains why blurring is a bad idea.

  4. lists should be minimal in size by davidwr · · Score: 5, Insightful

    I know you are being sarcastic, but the bigger these lists are the more useless they become.

    If every public urinator and teenager in love gets put on these lists, it's that much harder to spot the really bad guys. The same goes for the really bad people who are now harmless 89-year-old men dying in a nursing home. Get these people off the list ASAP.

    If you aren't "level 3" or whatever "really really dangerous" is in your state, only the cops and those who have a proven need to know should have access to your information.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.