
Oklahoma Leaks 10,000 Social Security Numbers

Zonk posted more than 6 years ago | from the that's-some-good-securitying dept.

Security 245

DrJokepu writes "Apparently the folks at the Department of Corrections of Oklahoma just forgot to use common sense when they created the state's Sexual and Violent Offender Registry. By putting SQL queries in the URLs, they not only leaked the personal data of tens of thousands of people, but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list. Fortunately, after the author of the blog The Daily WTF notified the department about the issue, the site went down for 'routine maintenance' on April 13 2008."


245 comments

Pleeeese! (3, Insightful)

arizwebfoot (1228544) | more than 6 years ago | (#23078076)

Please tell me this is a spoof.

Re:Pleeeese! (1, Flamebait)

trolltalk.com (1108067) | more than 6 years ago | (#23078542)

It's kind of hard to believe ...

leaked the personal data of tens of thousands of people

They have tens of thousands of people in Oklahoma?

And it's also hard to believe they'd have that many people on the sexual offender's list - I mean, they're Okies - they consider it "normal" to marry "kinfolks", polygamy [koco.com], etc.

Re:Pleeeese! (4, Interesting)

kalidasa (577403) | more than 6 years ago | (#23078628)

READ THE ARTICLE. The same database had all criminal offenders listed - and all employees of the state corrections system. They were using an SQL query in a GET query string! You could pull up anything you wanted from the DB because they didn't lock the permissions correctly. They did a half-assed fix the first time, and only took real action when the whistle-blower pointed out that their own SS#s were accessible.

Re:Pleeeese! (2, Funny)

trolltalk.com (1108067) | more than 6 years ago | (#23078828)

Did you by chance hear a WHOOSH before you posted?

>>--[joke]--->

      __0__ <- your head
          |

Re:Pleeeese! (1, Offtopic)

relikx (1266746) | more than 6 years ago | (#23078760)

The article you posted is from an Oklahoma news organization but makes no reference to anything in the state. We really don't have too many polygamists in these parts, nice try though.

Now anti-semites and racists, that's another story: http://www.adl.org/learn/Ext_US/Elohim.asp?xpicked=3&item=13 [adl.org]

Re:Pleeeese! (-1, Troll)

trolltalk.com (1108067) | more than 6 years ago | (#23078942)

Guess you missed the big news [topix.com]

Or [google.com]

Published: Friday, April 11, 2008

Bed found inside Polygamist temple

ELDORADO, Texas (AP) When authorities moved to search the large white temple on the polygamist compound in West Texas, about five dozen of the sect's men prayed and cried around the structure, state investigators said Thursday.

Schleicher County Sheriff David Doran also said he had been working with a confidential informant for four years who was feeding him information about life inside the polygamist sect.

It wasn't until after the search had begun that Doran learned about marriage beds in the temple and the forced marriages of underage girls to older men.

When authorities gained entrance to the three-story building, no one was inside. But they found beds allegedly used by husbands after they married underage girls on the top floor of the temple. He said authorities made the temple the last stop on the weeklong search because "if there was going to be any resistance at all it would be then."

So let's see - religion, polygamy, rape, child abuse ... about the only thing missing was Jerry Lee Lewis and terr'rists.

Re:Pleeeese! (1)

relikx (1266746) | more than 6 years ago | (#23078982)

Last time I checked Texas wasn't a part of Oklahoma. There is a thing called the Red River which by and large separates the two.

Re:Pleeeese! (1)

sqlrob (173498) | more than 6 years ago | (#23079014)

RTFQ

ELDORADO, Texas (AP)

Re:Pleeeese! (1)

JrOldPhart (1063610) | more than 6 years ago | (#23079000)

Quite often the wind blows people from other states here.

Oblig. (5, Funny)

Ethanol-fueled (1125189) | more than 6 years ago | (#23078090)

(1) Hack the registry

(2) Put your own name in the registry

(3) Sue the state

(4) Profit!!!

(5) (remember to have your name removed from the registry!)

Added to list (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23078106)

I wonder if anyone put this [wikipedia.org] paedophile abuser of children on the list.

Re:Added to list (0)

Anonymous Coward | more than 6 years ago | (#23078228)

Get over it already. That act got old like 2 or 3 years ago.

Re:Added to list (4, Funny)

Anonymous Coward | more than 6 years ago | (#23078564)

So I said to my girlfriend, "I am not a pedophile! But that is a pretty big word for a 10 year old."

Re:Added to list (0)

Anonymous Coward | more than 6 years ago | (#23078912)

Stealing jokes from SNL is teh lame, man.

Re:Oblig. (5, Funny)

cptgrudge (177113) | more than 6 years ago | (#23078184)

(5) (remember to have your name removed from the registry!)

This is government you're dealing with. It will never happen.

"But, but, I sued the state and won! Look, here's my legal documents! I'm not a sexual predator, honest!"

"Yeah, sure.. Time to organize the community to hassle you until you leave. Enjoy being a hermit you sick pervert."

Minor Correction (3, Insightful)

geekoid (135745) | more than 6 years ago | (#23078600)

"Yeah, sure.. Time to organize the community to hassle you until you leave. Enjoy being a RICH hermit you sick pervert."

Re:Oblig. (1)

BobSixtyFour (967533) | more than 6 years ago | (#23078268)

They'll probably have it dismissed on the grounds of upholding "national security" and such that its too confidential for them to hear about it.

Re:Oblig. (3, Interesting)

mauthbaux (652274) | more than 6 years ago | (#23079024)

(5) (remember to have your name removed from the registry!)

Rather, this is a boon to those already on the list. Now they can simply claim that their status as a listee was simply a vengeful prank courtesy of an unnamed drinking buddy.

I do hope they have validated archives somewhere.

*facepalm* (5, Informative)

TheSpoom (715771) | more than 6 years ago | (#23078104)

This breaks my brain, even for the normally stereotypically slow, stereotypically technology-shy government (though I will say that a lot of the Government of Canada sites work surprisingly well in my experience).

SQL queries IN THE QUERY STRING. Someone reading their FIRST BOOK on web development would know not to do that! And now God help the people who have been affected by this: try proving to the government that you're not a sexual offender when you're already on their list.

SQL injections. [wikipedia.org] Learn them. Learn how to mitigate them [php.net] (a PHP-specific example, but there are similar mitigation techniques for other languages). And I mean, hell, in a site like this (and especially with programmers apparently this bad), stored procedures [wikipedia.org] might be the thing to implement. Or even better, use a framework like CakePHP [cakephp.org] , Rails [rubyonrails.org] , or Django [djangoproject.com] with this sort of sanitation built into the queries it generates.

Ugh. I hope someone gets fired for this. I bet, though, that in reality this was programmed by the lowest bidder.

Re:*facepalm* (4, Funny)

samkass (174571) | more than 6 years ago | (#23078224)

ObXKCDComic [xkcd.com]

It's scary how lazy some of the web developers are. For years Yahoo used a system where their login system had the URL to go to once login succeeded urlencoded in the URL. It would have been exceedingly easy to duplicate the login page with a "Username/Password was typed incorrectly. Please try again." Then send people to the authentication page with your page as the follow-on one.

URLs should only be able to contain sanitized field values to search on that the server composes into actual SQL, URLs, etc.

Re:*facepalm* (4, Insightful)

MightyMartian (840721) | more than 6 years ago | (#23078620)

PHP has got to be one of the worst things that ever happened to web development. In the last year I've ended up with two jobs cleaning up someone else's code, and god but that language invites sloppiness on a level I've only experienced in the past with BASIC. The problem seems to be that it's easy enough to get a PHP-based page up, but the actual ability to coherently develop software isn't there. Anyone can learn to code in PHP, but only a few bother or are capable of actually invoking proper coding practices. The problem is that when these projects come up, rather than contracting out to someone who knows what they're doing, or at least hiring or training somebody who can code, they go to Bob the IT guy, who's okay at keeping the network up, and knows a bit of scripting, and who goes online and reads just enough of the PHP tutorial to be really dangerous.

In these cases, there's little or no commenting. Some things are done as classes, some as functions, there's no particular rhyme or reason, and it became so bloated that the original coders appear to have simply given up. It's terrible spaghetti code, but because it's on the web, no one seems to consider it software development. When you combine this with security, it can create a rather frightening mix of shitty, almost undebuggable code with an unknown number of potential security holes.

I know I sound elitist here, but goddamn it, PHP and all those lovely little scripting languages have unleashed a disaster on the web. It's bad enough that there's hackers out there, but much worse that there are incompetents being given the keys to the internal networks and data, without any knowledge of sound coding principles and of how to harden sites against injection attacks and the like.

Re:*facepalm* (1)

girasquid (1234570) | more than 6 years ago | (#23078864)

Agreed! I'm a Perl guy, and everyone thinks that Perl looks like line noise - although it doesn't, if you have decent coding practices. I keep getting handed projects that involve fixing PHP, and...I hate it. Because of PHP's low barrier to entry, everyone picks it up - and starts writing crap. I'm not saying any other language is better - it just seems like this happens most often with PHP.

Re:*facepalm* (5, Insightful)

lattyware (934246) | more than 6 years ago | (#23078878)

Don't blame the language because the developers are incompetent.

Re:*facepalm* (4, Insightful)

QuoteMstr (55051) | more than 6 years ago | (#23079098)

The language makes it easy, or even tantalizing, to do it the wrong way, and very difficult to do it the right way.

Re:*facepalm* (5, Insightful)

TheSpoom (715771) | more than 6 years ago | (#23079038)

There are those of us out there that know how to code PHP in a sane, clear, and secure way. Unfortunately, I have to admit that there are a lot more that don't. I think one of the things you can do is to look for those that have languages like C++ and Java on their CV as well, and also for those that have a portfolio of code to review when they apply for a job. When you actually see the code, it's easy to separate the fly-by-night guys from the actual educated, experienced programmers out there.

By the way, on a somewhat unrelated note, we're using Django [djangoproject.com] for our new web game, and it's both interesting and easy to code, while still (rigorously) maintaining good coding practices. So I think there's also something to be said for those who work with frameworks like CakePHP, Rails, and Django, as those tend to both be object-oriented and to promote good coding practices.

As I've said before, I think PHP can and should be used well; there are just a lot of ways it can be used poorly.

Re:*facepalm* (5, Interesting)

NeutronCowboy (896098) | more than 6 years ago | (#23078246)

Actually, for something on this scale, I'd like to see jail time for criminally negligent programming. The cost of being on a sex offender list by mistake is mindboggling - I'm on a "have a long chat with a customs officer every time I enter the US" because some data entry monkey made a mistake with my passport, and it's not pretty. I can only imagine what being on a sex offender list can do to you...

Re:*facepalm* (0)

Anonymous Coward | more than 6 years ago | (#23078580)

Cheers to that.

Re:*facepalm* (1)

maxume (22995) | more than 6 years ago | (#23079018)

It gets awfully complicated. If there was a directive to put the information online but no funding or process to review the project, everybody involved is partly responsible. If there was funding and process to review the project, the managers are more responsible than the programmers(because they failed to be even a little aware of what got done).

Re:*facepalm* (2, Interesting)

Gat0r30y (957941) | more than 6 years ago | (#23078292)

I'm not that surprised. This is after all the state where students don't even have to know the age of the earth [slashdot.org] to pass earth science! In a state with those sorts of values, honestly, I really don't expect the greatest in technical expertise to flock there. And even the lowest bidder should have known better. I would bet the work was done internally (only the government itself could hose something this bad).

Re:*facepalm* (2, Funny)

riskeetee (1039912) | more than 6 years ago | (#23078558)

In Oklahoma, the age of the earth is 6000 years. Nuff said.

Re:*facepalm* (2, Informative)

sl0ppy (454532) | more than 6 years ago | (#23078300)

with this sort of sanitation built into the queries it generates.

or, perhaps simply use bind variables instead of trying to generate a query. not only will your application thank you, but your database will as well.

Re:*facepalm* (0)

TheSpoom (715771) | more than 6 years ago | (#23078462)

That's likely a performance question you should ask the developers of those frameworks. I may be wrong (as I haven't heard of bind variables before now and just Googled them) but what you're talking about seems to be an Oracle-specific thing, though it may be called other things in other RDBMSs. From what I can see here, stored procs would do the same thing even faster.

But like I said, since these web development frameworks generate the SQL queries for you based on your usage of their models (as they all effectively use the Model-View-Controller [wikipedia.org] design pattern), it would be up to them to optimize the generated SQL since, in general, the users of these frameworks don't have to make any SQL themselves, or at least very little.

My guess is that for these frameworks, the generated SQL is already quite optimized.

Re:*facepalm* (1, Informative)

Anonymous Coward | more than 6 years ago | (#23078550)

Bound variables are available in just about every database. They can offer massive performance gains if stored procedures are not an option.

Re:*facepalm* (2, Interesting)

sl0ppy (454532) | more than 6 years ago | (#23078880)

famous last words: "just Googled them".

what you're talking about seems to be an Oracle-specific thing

no, not really. in the case of sane databases, it is the norm. heck, even mysql [mysql.com] supports them.

But like I said, since these web development frameworks generate the SQL queries for you based on your usage of their models

except that generating SQL on the fly is extremely inefficient. the database must then parse the query, measure costs and determine the best execution plan before executing the query even begins. using prepared statements and bind variables obviates the need for this, thus allowing the database to optimize the queries and choose the best execution plan.

not doing this is either ignorance or negligence. i would hope it was the former in the case of oklahoma, and seems to be the case all over.
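The fix TheSpoom and sl0ppy describe above (a constant statement with bound values, instead of SQL carried in the URL), as an added example that is not from this thread or from the Oklahoma site's code: it puts the URL-carries-SQL pattern from the story and the case-sensitive blacklist FooAtWFU mentions further down beside a parameterized lookup, all against a constructed in-memory SQLite table. The table, columns and sample rows are constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample registry rows (not the real Oklahoma data).
SAMPLE_ROWS = [
    ("Doe", "John", "123 Elm St", "000-00-0001"),
    ("Roe", "Jane", "456 Oak Ave", "000-00-0002"),
]


def make_db():
    """In-memory stand-in for the registry database (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE offenders ("
        "last_name TEXT, first_name TEXT, address TEXT, social_security_number TEXT)"
    )
    conn.executemany("INSERT INTO offenders VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, query_string):
    """The pattern the story describes: the URL carries the SQL and the app runs it."""
    sql = parse_qs(query_string)["sql"][0]
    return conn.execute(sql).fetchall()


def blacklist_lookup(conn, query_string):
    """The case-sensitive 'fix' FooAtWFU describes: strip one spelling of the column name.
    SQL identifiers are case-insensitive, so any other capitalisation still reads the column."""
    sql = parse_qs(query_string)["sql"][0].replace("social_security_number", "")
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, query_string):
    """Bind variable / prepared statement: the URL carries a search value, never SQL.
    The statement text is a constant, the value travels separately and can only ever be
    compared as a string, and the fixed column list exposes only the public fields."""
    last_name = parse_qs(query_string).get("last_name", [""])[0]
    return conn.execute(
        "SELECT last_name, first_name, address FROM offenders WHERE last_name = ?",
        (last_name,),
    ).fetchall()


def try_lookup(lookup, conn, query_string):
    """Run a lookup and return its rows, or None when the database rejected the statement."""
    try:
        return lookup(conn, query_string)
    except sqlite3.Error:
        return None


if __name__ == "__main__":
    db = make_db()
    dump = "sql=SELECT+DISTINCT+Social_security_number+FROM+offenders"
    print("vulnerable:", try_lookup(vulnerable_lookup, db, dump))  # every SSN
    print("blacklist: ", try_lookup(blacklist_lookup, db, dump))   # still every SSN
    print("hardened:  ", try_lookup(hardened_lookup, db, "last_name=Doe"))
    print("hardened:  ", try_lookup(hardened_lookup, db, "last_name=Doe%27+OR+1%3D1"))
```

The lower-case spelling of the column is the only input the blacklist stops, and it stops it by turning the statement into a syntax error rather than by protecting the data.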

Re:*facepalm* (5, Insightful)

Anonymous Coward | more than 6 years ago | (#23078314)

They'll have the best technology (your) money can buy when it is used AGAINST you (e.g. Dept of Homeland Security) but when they are doing something FOR you they cut corners and really couldn't care less.

Re:*facepalm* (3, Interesting)

grassy_knoll (412409) | more than 6 years ago | (#23078366)

Stored procedures are almost always a good idea, since you can also limit the permissions to SELECT and EXECUTE. Depending on the DB, using stored procedures also forces the use of bind variables so there's a CPU utilization optimization as well ( from the lowered parse rate ).

Not only did they put SQL in the query string, they granted more permissions to the DB user for the web app than it needed. If you're just looking up data, not changing it, why does the app need anything other than SELECT ( or EXECUTE if you're using stored procedures )?

A great example of why "just give the app admin rights so it can work" is one of the dumbest statements a developer can make.
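grassy_knoll's point about giving the web app's database account only SELECT on what it needs, as an added example that is not part of this thread: SQLite has no GRANT, so the example uses Python's sqlite3 authorizer hook to play the role of a column-level SELECT grant on a constructed table, and shows that an SSN dump, a SELECT *, and an UPDATE all fail before they run while the public lookup still works. The table, row and column names are constructed.

```python
import sqlite3

# Columns the public registry is allowed to show (constructed policy).
PUBLIC_COLUMNS = {"last_name", "address"}


def make_db():
    """In-memory stand-in for the registry, with one constructed row."""
    # isolation_level=None: no implicit BEGIN, so only the statements shown reach the authorizer.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE offenders (last_name TEXT, address TEXT, social_security_number TEXT)"
    )
    conn.execute("INSERT INTO offenders VALUES ('Doe', '123 Elm St', '000-00-0001')")
    return conn


def public_registry_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Stand-in for GRANT SELECT (last_name, address) ON offenders TO web_user.

    SQLite consults this callback while compiling every statement; returning
    SQLITE_DENY makes compilation fail, so a denied statement never executes."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:
        # arg1 is the table, arg2 the column ("" when only the table is touched, e.g. count(*)).
        if arg1 == "offenders" and (not arg2 or arg2 in PUBLIC_COLUMNS):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    # INSERT, UPDATE, DELETE, DROP, ALTER, ATTACH, PRAGMA ...: the web account has no business here.
    return sqlite3.SQLITE_DENY


def as_web_user(conn):
    """Apply the least-privilege policy to a connection before handing it to the web layer."""
    conn.set_authorizer(public_registry_authorizer)
    return conn


def run(conn, sql):
    """Execute a statement and return its rows, or None when the database refused it."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:
        return None


if __name__ == "__main__":
    db = as_web_user(make_db())
    print(run(db, "SELECT last_name, address FROM offenders"))              # the public view
    print(run(db, "SELECT DISTINCT Social_security_number FROM offenders"))  # None: refused
    print(run(db, "UPDATE offenders SET last_name = 'Neighbor'"))            # None: refused
```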

Re:*facepalm* (0)

Anonymous Coward | more than 6 years ago | (#23078834)

Not really, it's not a "fix-all". Some developers find out they can have a more "secure" system, over-react and start putting the business logic into Stored Procedures which is NOT a good idea.

The same problems with bad SQL exist in Stored Procedures as well. If someone can access the DB with Write Privileges then they can just as easily hack the Stored Procedures.

Many times the same applications read data, do something then write results back so they DO need write privileges to the database, so unless you want to change/set write permissions within your code in many different places, or use ACLs to control WHICH programs can read and write what data based on UID or privilege levels (not a bad idea but not easy on a huge DB), it makes the most sense to give Read AND Write to an application. You just have to count on the programmers' knowledge to not leave holes.

You must trust the programmers but VERIFY by performing Security Testing BEFORE releasing an application that deals with such sensitive data. I find this last step is very commonly skipped. If done properly these holes would never be in a production system. So don't blame ONLY the developers but blame the Managers too who shortcut or don't perform Security Testing. The managers may or may not be smart but I suspect they were working on a project they can't really do at the cost they bid, which often leads to pressure to find some savings, which often means reducing reviews and walkthrus, minimizing testing, and all that leads to big trouble. It's a story as old as the software business, it's just causing new problems such as the security breach mentioned.

Re:*facepalm* (1)

geekoid (135745) | more than 6 years ago | (#23078662)

This has nothing to do with being a government agency.
I have seen this in every industry. Including very large Financial institutions.

If you look at the number of websites the 'government' has, nearly all of them run fine.

I can't speak for Canadian industry or government, my security work was done within the US.

Yes, I am a programmer that now works for a government agency, and no, not the one this article is about.

Re:*facepalm* (1)

TheSpoom (715771) | more than 6 years ago | (#23078928)

I'm not saying that it's unique to government. I'm saying that it's slightly more expected given the stereotypes that are in-place (to which I normally don't subscribe; as I said earlier, many .gc.ca sites and their applications work quite well).

Re:*facepalm* (0)

Anonymous Coward | more than 6 years ago | (#23078688)

I think the problem is exactly the fact that someone WAS reading their "FIRST BOOK on web development" and missed the chapter about idiocy.

I'm astounded that this still happens. It's one of the most exploited non-human holes on the planet.

Tuttle (0)

Anonymous Coward | more than 6 years ago | (#23078128)

Perhaps the ODOC is managed by former Tuttle, OK city manager Jerry Taylor [theregister.co.uk] .

Someone Should Go to Jail for this... (0)

Anonymous Coward | more than 6 years ago | (#23078134)

... or get their name put on the list.

wow (-1, Redundant)

aeskdar (1136689) | more than 6 years ago | (#23078166)

Seriously though someone should go to jail for a mistake like this, either that or get their name put on the offender list!

Re:wow (1)

Silver Sloth (770927) | more than 6 years ago | (#23078236)

Putting aside natural feelings of outrage and injustice, exactly what offense with an associated jail term have they committed? I'm not sure about the US, I'm a Brit, but over here offenses under the Data Protection Act don't carry jail terms.

Re:wow (1, Informative)

Anonymous Coward | more than 6 years ago | (#23078514)

I'm a Brit, but over here offenses under the Data Protection act don't carry jail terms.

Actually, certain offences related to disclosure of data do carry jail terms in the UK. In theory, a government employee disclosing someone's spent criminal conviction (or a current conviction to someone not entitled to know) can be jailed, though I've never heard of it happening.

Re:wow (1)

BlowHole666 (1152399) | more than 6 years ago | (#23078284)

Why? In most cases you are protected from liability and your employer is the one to blame. You may get fired from your job, but you will not get sued. For example my wife works at a school and someone told her they were going to sue her. She notified the principal and the school district took care of it. So no, this person should not go to jail; they should be fired and the employer should give a bad referral.

It depends on the harm (1)

davidwr (791652) | more than 6 years ago | (#23078804)

If you are a nurse, an engineer, or even a barber and you screw up you can lose your license and kiss your career goodbye and be sued.

Normally software developers aren't licensed, but for some things like power plant control systems they should be, because if you screw up it can kill people.

People have been shot for being on the SO list. If your incompetence lets someone put me on the SO list and I get shot, can my family come after you? That's a question society will need to answer sooner or later.

Re:wow (4, Interesting)

jmichaelg (148257) | more than 6 years ago | (#23078316)

Going to jail is a bit over the top. Losing their job is what is called for.

However, if Oklahoma has problems similar to California, then they're faced with a Hobson's choice. They can fire the guy/gal but given the low pay scales, they could well end up with someone just as bad.

Re:wow (1)

pilgrim23 (716938) | more than 6 years ago | (#23078482)

oh but THINK OF THE CHILDREN! What matter if half the state of Oklahoma, portions of Texas, Missouri and all of Southern California end up on the list? If just one child is saved is that not reason enough to ruin the lives, futures, and family of millions? Besides, to fix this mess will require hiring a few thousand more gu'bmint pencil pushers! Thank Mog we have a government that CARES!

lists should be minimal in size (5, Insightful)

davidwr (791652) | more than 6 years ago | (#23078850)

I know you are being sarcastic, but the bigger these lists are the more useless they become.

If every public urinator and teenager in love gets put on these lists, it's that much harder to spot the really bad guys. The same goes for the really bad people who are now harmless 89-year-old men dying in a nursing home. Get these people off the list ASAP.

If you aren't "level 3" or whatever "really really dangerous" is in your state, only the cops and those who have a proven need to know should have access to your information.

Re:wow (1)

moderatorrater (1095745) | more than 6 years ago | (#23078596)

Going to jail is a bit over the top
How so? At the very least we know that for the last three years they granted access to thousands of social security numbers and medical records to anyone with internet access and rudimentary skills in SQL. This isn't a situation where they made a small mistake, that on one of their report pages they didn't sanitize the 'sort by' field and they got burned. This is the absolute worst mistake that a programmer can make. The programmer should be charged with facilitating identity theft, and so should everyone in the state's employ whose responsibility was to make sure the site worked. They didn't do any security testing at all.

I know it sounds like a lot for making a mistake, but for someone in the web development business, this is a hole you could drive a truck through and the person who made it had to be so inexperienced or malicious that it should have been caught by someone above them. It's really hard to overstate how bad a programmer has to be to give the public complete database access like this.

Re:wow (1)

MightyMartian (840721) | more than 6 years ago | (#23079138)

The biggest problem, from what I can see, is that there's still this divide between the older fields of developer and technician/admin. Tech and admins know some basic scripting, but are never taught sound practices, which to my mind is a huge mistake. Maybe that made sense ten or twenty years ago when a sysadmin would be restricted to shell scripts and working with awk and the like, nothing over a few dozen lines. Now IT departments are getting requests for what amount to actual application development, but they have no meaningful training in that area.

Re:wow (1)

Etherwalk (681268) | more than 6 years ago | (#23078802)

Yeah, but if this guy messes up again, the state can't claim they didn't know how bad he was--they're now aware of his incompetence, which probably increases their liability the next time he screws up. Keeping him might be the right thing to do if they can make sure he learns from it--but it's probably the wrong thing to do from a risk-management perspective.

Re:wow (1)

Psmylie (169236) | more than 6 years ago | (#23078816)

While I agree that whoever is responsible for this should be fired (and it may not be the person who wrote this, it could be the boss who pushed to have this released before it was ready), I think that people are too quick to fire folks who make mistakes these days.

People learn from their mistakes, and the money spent on damage control and cleanup can be seen as paying for that employee's education, in a way.

I mean, what would you prefer, to fire the person who made a mistake and hire someone with unknown qualifications who may end up making the exact same mistake again later, or keep your already trained employee who was so burned by this mistake that s/he will NEVER make the same mistake again?

Re:wow (1)

dosun88888 (265953) | more than 6 years ago | (#23079180)

I'm typically all for getting people out of jobs that they're obviously unqualified for, but these days they'll just be replaced by some other idiot that will do the same sort of thing next year.

At least this guy won't make this specific mistake ever again, and will likely be more careful with other implementations in the future. That can't be said for his likely replacement.

Re:wow (-1, Flamebait)

BobSixtyFour (967533) | more than 6 years ago | (#23078324)

Someone should have put George Bush on the offender list...

Re:wow (1)

jamstar7 (694492) | more than 6 years ago | (#23078592)

Along with Cheney, Rumsfeld, Wolfowitz, Rice, and the rest of the 'Usual Suspects'.

Woulda made a great April Fools prank...

Routine Maintenance (1)

calebt3 (1098475) | more than 6 years ago | (#23078174)

...the site went down for 'routine maintenance' on April 13 2008.
The Reality Distortion Field is weak with this one.

Re:Routine Maintenance (1)

gnick (1211984) | more than 6 years ago | (#23078736)

...the site went down for 'routine maintenance' on April 13 2008.
The scary part is - I wonder how 'routine' catches/fixes like this are. If this had been noticed internally, likely they would fix it during 'routine maintenance' and issue no notification about the fact that the vulnerability had been out there.

Re:Routine Maintenance (1)

calebt3 (1098475) | more than 6 years ago | (#23078874)

Sounds like what Microsoft does.

Re:Routine Maintenance (1)

rmsande (1262198) | more than 6 years ago | (#23078974)

And they still fail. Front page:

Notice To Public: &nbspIf you believe ...

SQL (0)

Anonymous Coward | more than 6 years ago | (#23078176)

enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list.
Why not friend/relatives too? You know, for giggles.

Also, how could you figuratively be someone with basic SQL knowledge?

Re:SQL (1)

Skater (41976) | more than 6 years ago | (#23078340)

Can't you just be happy that they used "literally" correctly?

Umm... (1)

Oxy the moron (770724) | more than 6 years ago | (#23078178)

Without reading TFA... how do they know it was (just) 10,000 SSNs? Did they just approximate the number of entries already in the offenders list and just use that? Couldn't there potentially be more?

Re:Umm... (1)

FooAtWFU (699187) | more than 6 years ago | (#23078226)

Easy. They did a SELECT DISTINCT Social_security_number FROM offenders. ;)

(yes, uppercase S. One of their first lame attempts to sanitize it tried to do a case-sensitive replacement on the string "social_security_number", but apparently the uppercase still worked...)

Re:Umm... (1)

megla (859600) | more than 6 years ago | (#23078256)

Well, if it was open to running any query then...

select count(1) from offenderList order by socialSecurityNo asc
Yep, that ought to do it!

Re:Umm... (1)

megla (859600) | more than 6 years ago | (#23078286)

Of course, it would have helped if I hadn't run on autopilot and put a needless order by clause on the end, but you get the idea.

Re:Umm... (1)

DrJokepu (918326) | more than 6 years ago | (#23078270)

select count(*) from offenders;

Re:Umm... (3, Interesting)

Chris Mattern (191822) | more than 6 years ago | (#23079168)

They knew it was 10,000 SSNs because the web site allowed them to do a COMPLETE DUMP OF THE ENTIRE DATABASE. Lock, stock and barrel.

Get your lawyer ready.... (1)

sam0737 (648914) | more than 6 years ago | (#23078202)

I don't see why those on the list are not suing the government for the damage...

Re:Get your lawyer ready.... (4, Funny)

calebt3 (1098475) | more than 6 years ago | (#23078212)

Get your lawyer ready.
He was probably notified along with all the other offenders.

Re:Get your lawyer ready.... (1)

ZenDragon (1205104) | more than 6 years ago | (#23078264)

What's amusing is that the author took the time to blur out the SSNs but left the names and addresses of the "offenders" in the picture. How much do you want to bet some overzealous reader of that article is going to be sending something fun to one of those addresses?

Re:Get your lawyer ready.... (1)

calebt3 (1098475) | more than 6 years ago | (#23078372)

That information is already publicly available, right?

Re:Get your lawyer ready.... (1)

BlowHole666 (1152399) | more than 6 years ago | (#23078396)

It is a sex offender database this is public information.

These registries also protect us from the truly unlucky offenders, such as fornicating teenagers, children who take nude pictures of themselves, and public urinators.
Once you are on the sex offender list you are required to register so people know who you are. It is just one of the things that comes with being a sex offender.

Re:Get your lawyer ready.... (3, Insightful)

Anonymous Coward | more than 6 years ago | (#23078538)

It is just one of the things that comes with being a sex offender.
Please be more careful with your terminology. The correct thing to say here is, "It is just one of the things that comes with being convicted as a sex offender." You can be a sex offender and not be on this list (if you're not caught) and you can be a non-offender and be on this list (if you're wrongfully convicted).

I know it may seem like a small thing but it's important to remember that not all criminals are caught, and not all convicted people are actually criminals.

Very good point about false +'s and false -'s (1)

davidwr (791652) | more than 6 years ago | (#23078938)

There are many people with criminal records who pled guilty because they didn't have the money to fight it.

Prior to the 1990s if you were poor and the 15 year old girl you were dating falsely charged you with statutory rape because you dumped her, the DA probably let you cop a plea to a lesser crime. Later, that charge got added to the SO registry and you are stuck for something you didn't do.

Re:Get your lawyer ready.... (1)

Digi-John (692918) | more than 6 years ago | (#23078398)

Pretty sure you can already get the names and addresses of registered sex offenders. That's kinda what the idea of the registry is.

Re:Get your lawyer ready.... (1)

Gregb05 (754217) | more than 6 years ago | (#23078424)

The names and addresses were publicly accessible anyhow; that's the reason the list was on the web.
I'll also note that your name and address are public information as well.

Re:Get your lawyer ready.... (1)

$random_var (919061) | more than 6 years ago | (#23078428)

What's amusing is that the author took the time to blur out the SSNs but left the names and addresses of the "offenders" in the picture. How much do you want to bet some overzealous reader of that article is going to be sending something fun to one of those addresses?
The names and addresses were already available by design to the public through the website. The problem was that the SQL injection vulnerability also revealed *additional* restricted data.

Re:Get your lawyer ready.... (1)

MightyMartian (840721) | more than 6 years ago | (#23078678)

Which means this site is feeding off of an internal database, rather than off of a database that has only pertinent details. That's pretty crazy in and of itself, but it's pretty common too. Just another symptom of silly IT people who think that because they can do the odd batch and PHP script they're now developers. The sensible thing to do is to have a public-facing database with only the details you want seen by the public, which is updated by the master database. There's simply no reason to have SSNs on a public-facing database for anyone, government or bank.

Re:Get your lawyer ready.... (1)

malinha (1273344) | more than 6 years ago | (#23078654)

Another question: if only the names and addresses were to be displayed, why was the other "restricted data" available? Reminds me of a case that happened in Portugal, where some "big player in politics" got sued and the state asked the phone company (PT Comunicoes) for the politician's phone records, so they sent an .xls file with more than was asked for, for example the phone records of the president, but those were "safely" protected in a hidden column....

Author of WTF article made security mistake also (5, Informative)

joggle (594025) | more than 6 years ago | (#23078258)

The author should have completely blacked out the SSNs rather than blur them. They are still decipherable to those that are inclined to do so. This article [dheera.net] explains why blurring is a bad idea.

i dare someone (3, Funny)

Anonymous Coward | more than 6 years ago | (#23078334)

What someone needs to do is register a certain G. Oatse as a sex offender in Oklahoma.

Re:i dare someone (1)

Farmer Tim (530755) | more than 6 years ago | (#23078762)

What, only Oklahoma?!

how many distinct (0)

Anonymous Coward | more than 6 years ago | (#23078362)

last names?

If it were eldorado Texas, just one (1)

davidwr (791652) | more than 6 years ago | (#23078968)

Jeffs.

Let me be the first to say... (1)

milbournosphere (1273186) | more than 6 years ago | (#23078364)

D'oh!

In all seriousness, though, this just goes to show that it always helps to slow down in order to avoid this sort of disaster. One hopes that the genius responsible for this is held accountable. 10,000 social security numbers is a lot of personal data to be throwing around like that.

Humor? (3, Funny)

Wilson_6500 (896824) | more than 6 years ago | (#23078370)

Who would tag this "humor"? Given the deeply-ingrained social stigma attached to being put on one of these lists, I don't really see how it's funny that one was so horribly misimplemented. Even when something is _obviously_ wrong, as in this case, it can be hard to iron out the impression that actual people get from reading these lists. What if the problem weren't as obvious as this one supposedly is? Would it still be funny?

Generally, no retraction is ever as effective as the original statement. That's probably one of the reasons why libel is such a big deal for some people--just saying "sorry, we were wrong" may not be good enough.

Re:Humor? (2, Informative)

Gregb05 (754217) | more than 6 years ago | (#23078456)

thedailywtf.com usually posts humorous stories. The tone of this one, however, is completely different.
I agree with parent, please tag !humor if that does anything.

SSNs (1)

visible.frylock (965768) | more than 6 years ago | (#23078520)

Can't read the dailywtf article, but from the summary, I'm thinking one of the biggest problems is that SSNs are on a public-facing server when they don't need to be. Working in gov-based IT myself, I know that Least Access is many times not followed.
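The separation MightyMartian describes above (a public-facing copy holding only the public columns, refreshed from the master) and the Least Access point in this comment, shown as an added example that is not code from the Oklahoma site or from The Daily WTF. The schema, column names and rows are constructed for illustration; the web tier only ever gets a connection to the public copy, and its lookup binds user input as a parameter instead of placing SQL in the URL.

```python
import sqlite3

# Constructed sample data, not taken from any real registry.
MASTER_ROWS = [
    ("Jane Doe", "123 Elm St", "123-45-6789", "jane@example.com"),
    ("Pat O'Brien", "9 Oak Ave", "987-65-4321", "pat@example.com"),
]


def build_master():
    """Internal database: holds every column and is never reachable from the web tier."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE offenders (name TEXT, address TEXT, ssn TEXT, email TEXT)")
    db.executemany("INSERT INTO offenders VALUES (?, ?, ?, ?)", MASTER_ROWS)
    db.commit()
    return db


def build_public_copy(master):
    """Public-facing database, refreshed from the master.
    The SSN and email columns do not exist here, so no query against
    this database, injected or otherwise, can ever return them."""
    pub = sqlite3.connect(":memory:")
    pub.execute("CREATE TABLE offenders_public (name TEXT, address TEXT)")
    rows = master.execute("SELECT name, address FROM offenders").fetchall()
    pub.execute("DELETE FROM offenders_public")  # full refresh on each sync
    pub.executemany("INSERT INTO offenders_public VALUES (?, ?)", rows)
    pub.commit()
    return pub


def public_columns(pub):
    """Columns the web tier can see; useful as a deployment check."""
    return [row[1] for row in pub.execute("PRAGMA table_info(offenders_public)")]


def lookup_by_name(pub, name):
    """Web-tier lookup: the SQL is fixed, and the user-supplied name is bound
    as a parameter, so it is compared as a literal string, never parsed as SQL."""
    return pub.execute(
        "SELECT name, address FROM offenders_public WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    master = build_master()
    pub = build_public_copy(master)
    print(public_columns(pub))          # ['name', 'address']
    print(lookup_by_name(pub, "Pat O'Brien"))
```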

Bad blurring (2, Insightful)

Space cowboy (13680) | more than 6 years ago | (#23078540)

Whereas the names and addresses of these people are a matter of public knowledge, are their email addresses and SSNs also open? If not, despite what you may think of their actions (public urination? Really?), it's not fair of the site to "blur" the relevant details so poorly.

I read the daily WTF, and usually I think it's pretty good, but Alex has made his own WTF here, IMHO.

Simon

Sex Offender Lists (0)

Anonymous Coward | more than 6 years ago | (#23078572)

Maybe it is time to get rid of these asinine sex offender lists. Why are sex crimes treated worse than attempted murder? Plus, they lump rapists in with flashers (yes, they may have different levels but they still get lumped together when it comes to restrictions). So people would rather see someone try to stick a knife in their kid instead of grab their butt? Maybe, just maybe, the real reason is this nation's simultaneous obsession with and fear of sex and denial of early sexual development. Of course this is the same country that can't be pragmatic when it comes to drugs either.

Re:Sex Offender Lists (1)

Tmack (593755) | more than 6 years ago | (#23078910)

... they lump rapists in with flashers ...

Actually, urination in public will win you a spot there too...

The purpose of the SO list (1)

davidwr (791652) | more than 6 years ago | (#23079054)

The purpose of the SO lists is to identify those likely to re-offend.

Great in theory miserable in practice.

If you want to do an offender registry right, evaluate every ex-con and create lists of people likely to commit new serious crimes.

I'd like to see likely-offender lists for:
* violent crimes including forcible sex crimes, murder, assault, etc.
* crimes involving con games/trickery of people who have no reason to know better
* financial crimes not relying on con games, e.g. bank fraud, felony burglary, etc.
* crimes against children, the elderly, and other easily-victimized groups

For each category, have a "level 1, level 2, level 3" system where level 1 means private registration, level 2 means those who ask and need to know get to see your info, and level 3 means public registration.

If a person is the reincarnation of Adolf Hitler but he's not in a position to commit new crimes, he doesn't get on the list. If a person has a single felony on his record but is deemed likely to commit one of those types of crimes in the near future, he's on the relevant list.

People change, so re-evaluate the list every year.

You know when... (1)

SilverEyes (822768) | more than 6 years ago | (#23078668)

You know when http://thedailywtf.com/ [thedailywtf.com] picks up a story, then it is linked on /. , it's going to be an especially delicious IT failure.

obligatory (3, Funny)

Anonymous Coward | more than 6 years ago | (#23078844)

im in ur sex offender database,
injectin sql.

Old problem... (0)

Anonymous Coward | more than 6 years ago | (#23078892)

I've known about this "feature" for several months after an idiot even tried to put a friend's name on the list, but apparently failed.

Why not tell anyone with authority? My past experiences with informing those in charge have not been good.

Re:Old problem... (1)

DanWS6 (1248650) | more than 6 years ago | (#23078962)

In that case you could have informed one of those news "investigative" reporters to look into it. They would've made something happen.

Oh the Chaos! (1)

SeeSp0tRun (1270464) | more than 6 years ago | (#23078940)

Imagine how many people said:
"OMFG It was only one piss on a tree!!"

And the others saying:
"I remember something about being convicted for that" *shrug* "Out of sight, out of mind!"

Not Entirely Unexpected (1)

HadouKen24 (989446) | more than 6 years ago | (#23079090)

I've lived in Oklahoma all my life, and it really doesn't surprise me that something like this has occurred. While Oklahoma City and Tulsa actually have some competent officials--Oklahoma City's recent prosperity can be chalked up in large part to a few good decisions--our ability, as a whole, on the technical front is pretty low. Really, I've just been waiting for something like this to come out. Corrupt state officials can only keep this kind of thing hush-hush for so long. I anticipate even more scandals of this kind for my state in the next few years. Especially as we move toward putting more and more information online.