Oklahoma Leaks 10,000 Social Security Numbers
DrJokepu writes "Apparently the folks at the Department of Corrections of Oklahoma just forgot to use common sense when they created the state's Sexual and Violent Offender Registry. By putting SQL queries in the URLs, they not only leaked the personal data of tens of thousands of people, but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list. Fortunately, after the author of the blog The Daily WTF notified the department about the issue, the site went down for 'routine maintenance' on April 13, 2008."
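The summary's core point is that user-controlled text from the URL was pasted straight into SQL. The following is an added illustration, not code from the Oklahoma site or from The Daily WTF: it pairs a lookup that concatenates the `name` query parameter into a statement with the parameterized form, and adds a small triage check that flags request lines whose decoded query string carries SQL metacharacters. The table layout, column names, registry rows, URLs and log lines are all constructed for the demo and correspond to nothing real.

```python
import re
import sqlite3
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed sample rows (hypothetical names and SSNs, not real people).
ROWS = [
    (1, "DOE, JOHN", "123-45-6789", "Level 3"),
    (2, "ROE, JANE", "987-65-4321", "Level 1"),
]

# Constructed request URLs: a normal search and one whose parameter
# decodes to  ' OR '1'='1  (the textbook way to turn a WHERE clause into "match everything").
BENIGN_URL = "http://registry.example.test/search?name=DOE%2C%20JOHN"
INJECTED_URL = "http://registry.example.test/search?name=%27%20OR%20%271%27%3D%271"


def make_db():
    """Build an in-memory SQLite database with a hypothetical 'offenders' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE offenders (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, level TEXT)"
    )
    conn.executemany("INSERT INTO offenders VALUES (?, ?, ?, ?)", ROWS)
    return conn


def _name_param(url):
    """Extract the 'name' query parameter exactly as a web handler would see it."""
    return parse_qs(urlparse(url).query).get("name", [""])[0]


def lookup_vulnerable(conn, url):
    """The anti-pattern from the story: the parameter becomes part of the SQL text.

    The database cannot tell data from code, so a quote in the input rewrites
    the WHERE clause. Shown here only to contrast with the fixed version.
    """
    sql = "SELECT id, name FROM offenders WHERE name = '" + _name_param(url) + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, url):
    """The fix: the value travels as a bound parameter, never as SQL text."""
    return conn.execute(
        "SELECT id, name FROM offenders WHERE name = ?", (_name_param(url),)
    ).fetchall()


# Detection side: a coarse triage pattern for decoded query strings.
# A lone quote is a weak signal on its own (O'BRIEN is a legitimate name),
# so treat hits as candidates for review, not verdicts.
SUSPICIOUS = re.compile(
    r"(--|;|'|\bOR\b|\bAND\b|\bUNION\b|\bSELECT\b|\bINSERT\b|\bUPDATE\b|\bDELETE\b)",
    re.IGNORECASE,
)

# Constructed access-log lines in a simplified "METHOD PATH PROTO STATUS" layout.
LOG_LINES = [
    "GET /search?name=DOE%2C%20JOHN HTTP/1.1 200",
    "GET /search?name=%27%20OR%20%271%27%3D%271 HTTP/1.1 200",
    "GET /search?name=ROE%2C%20JANE HTTP/1.1 200",
]


def suspicious_requests(log_lines):
    """Return the log lines whose URL-decoded query string matches SUSPICIOUS."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        path = parts[1] if len(parts) > 1 else ""
        decoded_query = unquote_plus(urlparse(path).query)
        if SUSPICIOUS.search(decoded_query):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    db = make_db()
    print("benign, vulnerable :", lookup_vulnerable(db, BENIGN_URL))
    print("injected, vulnerable:", lookup_vulnerable(db, INJECTED_URL))   # every row
    print("injected, fixed     :", lookup_parameterized(db, INJECTED_URL))  # no rows
    print("flagged log lines   :", suspicious_requests(LOG_LINES))
```

The parameterized query is the actual remedy; the log check is there because, in an incident like the one described, the first question a responder asks is how long the queries had been arriving and from where, and a decoded-query filter over existing access logs is the cheapest way to start answering it.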
Pleeeese! (Score:3, Insightful)
Re:*facepalm* (Score:5, Insightful)
Re:Get your lawyer ready.... (Score:3, Insightful)
I know it may seem like a small thing but it's important to remember that not all criminals are caught, and not all convicted people are actually criminals.
Bad blurring (Score:3, Insightful)
I read the daily WTF, and usually I think it's pretty good, but Alex has made his own WTF here, IMHO.
Simon
Minor Correction (Score:4, Insightful)
Re:*facepalm* (Score:4, Insightful)
In these cases, there's little or no commenting. Some things are done as classes, some as functions, there's no particular rhyme or reason, and it became so bloated that the original coders appear to have simply given up. It's terrible spaghetti code, but because it's on the web, no one seems to consider it software development. When you combine this with security, it can create a rather frightening mix of shitty, almost undebuggable code with an unknown number of potential security holes.
I know I sound elitist here, but goddamn it, PHP and all those lovely little scripting languages have unleashed a disaster on the web. It's bad enough that there's hackers out there, but much worse that there are incompetents being given the keys to the internal networks and data, without any knowledge of sound coding principles and of how to harden sites against injection attacks and the like.
lists should be minimal in size (Score:5, Insightful)
If every public urinator and teenager in love gets put on these lists, it's that much harder to spot the really bad guys. The same goes for the really bad people who are now harmless 89-year-old men dying in a nursing home. Get these people off the list ASAP.
If you aren't "level 3" or whatever "really really dangerous" is in your state, only the cops and those who have a proven need to know should have access to your information.
Re:*facepalm* (Score:5, Insightful)
Re:*facepalm* (Score:5, Insightful)
By the way, on a somewhat unrelated note, we're using Django [djangoproject.com] for our new web game, and it's both interesting and easy to code, while still (rigorously) maintaining good coding practices. So I think there's also something to be said for those who work with frameworks like CakePHP, Rails, and Django, as those tend to both be object-oriented and to promote good coding practices.
As I've said before, I think PHP can and should be used well; there are just a lot of ways it can be used poorly.
Re:*facepalm* (Score:5, Insightful)
The registry is stupid anyway. (Score:4, Insightful)
Let's assume that a given person on the list was really a rapist (and not just convicted of it). If he's served his time and has repented, he won't do it again. So why do we punish him for the rest of his life with the registry? And if you think he will do it again, why is he not in jail?
You may as well just shoot him and be done with it.
Why Would Anyone Care? (Score:3, Insightful)
Why would anyone care if they were put on this list?
This issue has gone to the Supreme Court and they have ruled [wikipedia.org] that these lists are not punishment, and hence do not run afoul of restrictions against ex post facto punishment [wikipedia.org] or due process [wikipedia.org]. So if it is not punishment, why would anyone care if they are on the list?
Re:wow (Score:4, Insightful)
The real issues are that
(a) No one in the OK government probably cared much about the privacy of these "sex offenders" because, well, they're "sex offenders."
(b) Government agencies are constantly tasked by executives and legislatures to implement programs they're ill-equipped to handle and often receive no additional funding to carry out these mandates. Do you think the OK agency involved had tens of thousands of dollars to hire outside contractors with solid coding skills to undertake this task? Probably they handed it to someone in house who knew how to write SQL queries and a little PHP.
I'd fire the lot of them, including the department heads, and start over with people who have at least some clue about good IT practices. If this fiasco was actually the product of an outside consulting shop, I'd ban them from working for my state government for a very long time.
If we don't have substantial and public penalties for poor management like this, we're just going to be repeating our mistakes.
Re:Why Would Anyone Care? (Score:5, Insightful)
In California, we have this thing called Jessica's Law. That law prohibits registered sex offenders from living a certain distance (usually 1000 ft) away from places children might congregate, such as schools, churches, playgrounds, parks, and in some cases, shopping centers.
So, if you are on the list, there are a lot of places you CANNOT live. There are many cities in California where you can't live at all, simply because there is no place that is at least 1000 ft from the prohibited locations. If I was put on this list, I would be forced to sell my house and move, as I live 1000 ft from a church. In fact, I would have to move out of the city I live in entirely, as there are no residential areas outside of the prohibited locations.
Re:wow (Score:3, Insightful)
Re:*facepalm* (Score:3, Insightful)
All languages have their good and bad points. Not encouraging the coder to do things the right way IS (I think) a bad point.
Re:*facepalm* (Score:5, Insightful)
Java, Perl, and Python all make it easier to do it the wrong way than the right way too. Simply because the wrong way is less work than the right way in almost every aspect of these types of problems.
(The above paragraph is also true for performance)
The parent to your post is spot on. Don't blame the tool because the user is an idiot. The incompetent programmer from this article doesn't have any business doing web development in any other language either, regardless of how much "easier" that language makes it.
Re:SSNs (Score:3, Insightful)
Maybe in a hundred years we'll have registries of public keys and we'll all have private SS keys that are never shared with your credit card company, bank, and (if we were really lucky) government.
Re:*facepalm* (Score:5, Insightful)
Lumber and bricks make it very easy to build something that will fall on you and very hard to make a house.
Steel and wire make it very easy to build something that will snap and kill thousands and very hard to build the Golden Gate Bridge.
The solution is not to build the world out of Nerf. The solution is to keep Nature's fry cooks out of skilled labor jobs.
We need accreditation and liability (Score:5, Insightful)
Software, on the other hand, is a free-for-all today. We need an accreditation program and a code of ethics, just like more traditional disciplines of engineering. That's not to say that we'll restrict compilers to professionals; we don't reserve wrenches for professional mechanics.
But for a project that has the potential to cause so much harm to so many, a requirement to use trained and certified software engineers (with all the implications of the second word) would be invaluable.
The system is stupid. (Score:3, Insightful)
Whilst the system may not make a person a criminal (although there are Dickensian arguments that say otherwise), it's very hard to see how a person can become truly repentant of their actions after such an experience. Repentant of being caught, perhaps, but where in there is a mechanism for establishing what went wrong in the first place, solving underlying issues or providing effective means for a person to not fall back into old patterns on release? The current judicial and prison systems appear geared towards revenge and retribution, not towards corrective action and prevention. In that case, it is entirely reasonable to assume that offenders will re-offend. It's possible you'd end up reaching the same conclusion on a (correctly managed) rehabilitation-oriented system; I won't argue that case. I will only argue that if the typical description of what prevails is accurate, the assumption of lifelong guilt is probably not all that inaccurate.
I have my own theories on what would work better (mostly involving dividing sentencing into two: one segment for punishment, if punishment is called for, and a distinct segment for treatment, if treatment would be useful); however, such theories are never going to be tested or meaningfully examined, so in effect they constitute undisprovable hypotheses and therefore merely articles of faith, no different from any other system of religious belief.
Re:Oblig. (Score:3, Insightful)
Re:Oblig. (Score:3, Insightful)
What's worse, of the 75% who are supposed to be there, many of them are not as advertised.
The sex offender lists are pushed as a list of child molesters and rapists. They are on there, but so are guys who got drunk and peed behind a dumpster (OK, not pleasant but hardly worthy of a scarlet letter), forgot to close the curtains, etc. One woman is there because she went topless at a protest. Then there are those who are on there for taking pictures of themselves while under 18 or for having sex with someone within a year of their own age.
They probably have a good case for cruel and unusual punishment, but the courts dodge the issue by claiming the list isn't punitive.
Of course, the idiots who stick anyone and everyone on the list that they can, deserved or not, are a real threat to society. If for no other reason, they are slowly rendering the lists meaningless.
Perhaps we need a "scarlet list" of prosecutors who willfully corrupt justice to get their numbers up. Those are people I *REALLY* don't want living in my neighborhood.