Oklahoma Leaks 10,000 Social Security Numbers

DrJokepu writes "Apparently the folks at the Department of Corrections of Oklahoma just forgot to use common sense when they created the state's Sexual and Violent Offender Registry. By putting SQL queries in the URLs, they not only leaked the personal data of tens of thousands of people, but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list. Fortunately, after the author of the blog The Daily WTF notified the department about the issue, the site went down for 'routine maintenance' on April 13 2008."

Pleeeese!

[arizwebfoot]

Please tell me this is a spoof.

Re:

[iknowcss]

An anonymous coward down towards the bottom posted this link to something similar. This one Tennessee apparently. It's no joke :(

http://www.ticic.state.tn.us/sorsql?sql=sp_SOR_IMAGE+'SO001290'&contenttype=image/jpeg

Re:Pleeeese!

[kalidasa]

READ THE ARTICLE. The same database had all criminal offenders listed - and all employees of the state corrections system. They were using an SQL query in a GET query string! You could pull up anything you wanted from the DB because they didn't lock the permissions correctly. They did a half-assed fix the first time, and only took real action when the whistle-blower pointed out that their own SS#s were accessible.

Re:

[trolltalk.com]

Did you by chance hear a WHOOSH before you posted?

>>--[joke]--->

      __0__ <- your head
          |

Re:

[sqlrob]

RTFQ

ELDORADO, Texas (AP)

Oblig.

[Ethanol-fueled]

(1)Hack the registry

(2)Put your own name in the registry

(3)Sue the state

(4)Profit!!!


(5) (remember to have your name removed from the registry!)

Re:Oblig.

[cptgrudge]

(5) (remember to have your name removed from the registry!)

This is government you're dealing with. It will never happen.

"But, but, I sued the state and won! Look, here's my legal documents! I'm not a sexual predator, honest!"

"Yeah, sure.. Time to organize the community to hassle you until you leave. Enjoy being a hermit you sick pervert."

Minor Correction

[geekoid]

"Yeah, sure.. Time to organize the community to hassle you until you leave. Enjoy being a RICH hermit you sick pervert."

Re:

[cptgrudge]

I thought about that, too. But, if the antagonist in my little fiction doesn't believe that the person in question really was on the list by accident, he'd likely disbelieve any claims to litigiously sourced wealth made by the person, as well.

Re:Oblig.

[mauthbaux]

(5) (remember to have your name removed from the registry!)

Rather, this is a boon to those already on the list. Now they can simply claim that their status as a listee was simply a vengeful prank courtesy of an unnamed drinking buddy.

I do hope they have validated archives somewhere.

Re:

[Torvaun]

I hope they don't, the sex offender list is a travesty.

Re:

[sjames]

What's worse, of the 75% who are supposed to be there, many of them are not as advertised.

The sex offender lists are pushed as a list of child molesters and rapists. They are on there, but so are guys who got drunk and peed behind a dumpster (OK, not pleasant but hardly worthy of a scarlet letter), forgot to close the curtains, etc. One woman is there because she went topless at a protest. Then there are those who are on there for taking pictures of themselves while under 18 or for having sex with someone

Re:

[epee1221]

How about instead of using your own name, you gather a list of the politicians who are the most hard-line with regard to the registry (e.g. once accused, always registered), and select a few of them at random. Much less risk to you, and it will certainly create a ruckus over it.

Re:

[Reziac]

No, no, no. Put all the public officials' names on the list. Enjoy the show.

Re:

[guruevi]

(6) Find out that the user querying and inserting, doesn't have permission to issue the DELETE statement.

At least, that's so in my database. The user running on the web-side of my database can insert, update and select but can't delete (there is no reason to let them, if they want to deactivate an entry, there is a column 'active' for that).

Re:Added to list

[Anonymous Coward]

So I said to my girlfriend, "I am not a pedophile! But that is a pretty big word for a 10 year old."

*facepalm*

[TheSpoom]

This breaks my brain, even for the normally stereotypically slow, stereotypically technology-shy government (though I will say that a lot of the Government of Canada sites work surprisingly well in my experience).

SQL queries IN THE QUERY STRING. Someone reading their FIRST BOOK on web development would know not to do that! And now God help the people who have been affected by this: try proving to the government that you're not a sexual offender when you're already on their list.

SQL injections. [wikipedia.org] Learn them. Learn how to mitigate them [php.net] (a PHP-specific example, but there are similar mitigation techniques for other languages). And I mean, hell, in a site like this (and especially with programmers apparently this bad), stored procedures [wikipedia.org] might be the thing to implement. Or even better, use a framework like CakePHP [cakephp.org], Rails [rubyonrails.org], or Django [djangoproject.com] with this sort of sanitation built into the queries it generates.

Ugh. I hope someone gets fired for this. I bet, though, that in reality this was programmed by the lowest bidder.

Re:*facepalm*

[samkass]

ObXKCDComic [xkcd.com]

It's scary how lazy some of the web developers are. For years Yahoo used a system where their login system had the URL to go to once login succeeded urlencoded in the URL. It would have been exceedingly easy to duplicate the login page with a "Username/Password was typed incorrectly. Please try again." Then send people to the authentication page with your page as the follow-on one.

URLs should only be able to contain sanitized field values to search on that the server composes into actual SQL, URLs, etc.

Re:*facepalm*

[MightyMartian]

PHP has got to be one of the worst things that ever happened to web development. In the last year I've ended up with two jobs cleaning up someone else's code, and god but that language invites sloppiness on a level I've only experienced in the past with BASIC. The problem seems to be that it's easy enough to get a PHP-based page up, but the actual ability to coherently develop software isn't there. Anyone can learn to code in PHP, but only a few bother or are capable of actually invoking proper coding practices. The problem is that when these projects come up, rather than contracting out to someone who knows what they're doing, or at least hiring or training somebody who can code, they go to Bob the IT guy, who's okay at keeping the network up, and knows a bit of scripting, and who goes online and reads just enough of the PHP tutorial to be really dangerous.

In these cases, there's little or no commenting. Some things are done as classes, some as functions, there's no particular rhyme or reason, and it became so bloated that the original coders appear to have simply given up. It's terrible spaghetti code, but because it's on the web, no one seems to consider it software development. When you combine this with security, it can create a rather frightening mix of shitty almost undebugable code with an unknown number of potential security holes.

I know I sound elitist here, but goddamn it, PHP and all those lovely little scripting languages have unleashed a disaster on the web. It's bad enough that there's hackers out there, but much worse that there are incompetents being given the keys to the internal networks and data, without any knowledge of sound coding principles and of how to harden sites against injection attacks and the like.

Re:*facepalm*

[lattyware]

Don't blame the language because the developers are incompetent.

Re:*facepalm*

[QuoteMstr]

The language makes it easily, or even tantalizing, to do it the wrong way, and very difficult to do it the right way.

Re:*facepalm*

[ivan256]

I disagree with "very difficult to do it the right way"... If you know what you're doing it's only moderately more work.

Java, Perl, and Python all make it easier to do it the wrong way than the right way too. Simply because the wrong way is less work than the right way in almost every aspect of these types of problems.

(The above paragraph is also true for performance)

The parent to your post is spot on. Don't blame the tool because the user is an idiot. The incompetent programmer from this article doesn't have any business doing web development in any other language either, regardless of how much "easier" that language makes it.

Re:*facepalm*

[OpenGLFan]

Yes, and:
Lumber and bricks make it very easy to build something that will fall on you and very hard to make a house.
Steel and wire make it very easy to build something that will snap and kill thousands and very hard to build the Golden Gate Bridge.
The solution is not to build the world out of Nerf. The solution is to keep Nature's fry cooks out of skilled labor jobs.

We need accreditation and liability

[QuoteMstr]

If I hire a carpenter to build my house and it collapses, the carpenter is liable. Engineers won't cooperate if management wants to cut corners on a bridge: they have a code of ethics and a body that enforces it.

Software, on the other hand, is a free-for-all today. We need an accreditation program and a code of ethics, just like more traditional disciplines of engineering. That's not to say that we'll restrict compilers to professionals; we don't reserve wrenches for professional mechanics.

But for a project that has the potential to cause so much harm to so many, a requirement to use trained and certified software engineers (with all the implications of the second word) would be invaluable.

Re:

[jsebrech]

I quite frankly dislike intensely, but it's taken over the world, unfortunately, despite much better languages like Python being out there.

Python, in this case, wouldn't have made a difference because it wouldn't have prevented SQL injection attacks. You can concatenate together your query from GET arguments in any language.

Re:

[MightyMartian]

Yes, in this particular incident, there's no language on earth that would prevent using a URL string to hold a SQL query.

Re:

[AmaDaden]

True but we can blame the language for encouraging the developers to be incompetent. This will bring up the "They should learn how to do it right and not depend on the language" argument. I currently do Java web programing (JSPs not applets) and I experience both ends of this. Since Java does fantastic memory management and clean up people are constantly not having their code clean up after it self. On the other hand the strong existing structure for JSPs prevent a lot of possible security issues by giving

Re:

[ivan256]

If you don't understand this type of attack, it is just as easy, and just as likely for this type of thing to happen in a Java backed web app. It's really easy, actually, to have these things creep in to an application if you've got programmers who don't consider security. You just wouldn't think of doing things that way because you know better.

Security features don't work if you don't know to (or why to) use them.

Re:

[Valdrax]

Don't blame the language because the developers are incompetent.

Yeah. And C contributes absolute nothing to memory leaks or buffer overruns. Nothing at all.

Re:*facepalm*

[TheSpoom]

There are those of us out there that know how to code PHP in a sane, clear, and secure way. Unfortunately, I have to admit that there are a lot more that don't. I think one of the things you can do is to look for those that have languages like C++ and Java on their CV as well, and also for those that have a portfolio of code to review when they apply for a job. When you actually see the code, it's easy to separate the fly-by-night guys from the actual educated, experienced programmers out there.

By the way, on a somewhat unrelated note, we're using Django [djangoproject.com] for our new web game, and it's both interesting and easy to code, while still (rigorously) maintaining good coding practices. So I think there's also something to be said for those who work with frameworks like CakePHP, Rails, and Django, as those tend to both be object-oriented and to promote good coding practices.

As I've said before, I think PHP can and should be used well; there are just a lot of ways it can be used poorly.

Re:

[MightyMartian]

When I took computer science courses in high school (back when they used TurboPascal, still one of the great languages), we were taught by our instructor that any language can be used to create good and bad code, but that some languages had something of a psychological effect on the programmer, encouraging either good or bad coding.

For me, at least, the biggest problem with virtually all scripted languages is the weak typing and the automatic casting between types. Even when I was forced to code in VisualB

Re:

[plague3106]

No, I think you're pretty much spot on. I almost left web development because of ASP, which is basically PHP but using VB keywords. I was glad when Asp.Net came to save MS project teams from that horrid language. Why anyone seriously considers script a good way to build an application is beyond me.

Re:*facepalm*

[jsebrech]

PHP has got to be one of the worst things that ever happened to web development.

This particular site was coded in java, so PHP was not at fault here. I don't know what got you onto the topic of PHP.

The problem is that when these projects come up, rather than contracting out to someone who knows what they're doing, or at least hiring or training somebody who can code, they go to Bob the IT guy

Software development has always been rife with contracts that go to the lowest bidder based on a spec that mentions only features and deadlines (not security, quality, or other metrics). This is because most IT projects are managed by people who don't understand IT, and who do the IT equivalent of asking their neighborhood carpenter to build the golden gate bridge. You get what you pay for.

I know I sound elitist here, but goddamn it, PHP and all those lovely little scripting languages have unleashed a disaster on the web.

If PHP didn't exist, someone would invent it. PHP fills the niche of an environment that lets you get up and running quickly with web applications, just like visual basic did it for windows apps, and access did it for databases. Yes, it's a bit elitist to say that all programming environments should be so difficult to program in that they weed out all but the most dedicated (and knowledgeable), but it's also unrealistic, because people would invent easier environments if there weren't any. PHP is actually quite good at blending the capability for quality coding with a low barrier to access.

And besides, the problems with web app security have nothing to do with PHP or any other scripting language, they have to do with visibility. Think about how many two-tier desktop apps there are that let anyone with a bit of knowledge bypass the app and do whatever they want in the database. Nobody makes a fuss about this, because the visibility of those apps is lower.

I would say the primary problem with web app development is not any of the tools, but the perception among IT managers that web app development is simpler, and requires less skill, than desktop development, while the inverse is true. I do both desktop and web development, and it is much more difficult to build good web apps, because you have to pay more attention to architecture, security, performance envelopes, and gui design. That management (even my management) still doesn't understand that is disappointing, but understandable given how the web started out as a toy and still hasn't quite shaken that perception.

Re:*facepalm*

[NeutronCowboy]

Actually, for something on this scale, I'd like to see jail time for criminally negligent programming. The cost of being on a sex offender list by mistake is mindboggling - I'm on a "have a long chat with a customs officer every time I enter the US" because some data entry monkey made a mistake with my passport, and it's not pretty. I can only imagine what being on a sex offender list can do to you...

Re:

[Anonymous Coward]

No, not criminal, just the "data death penalty".

Require the database be erased, all backups etc.

If they can't keep it secure they can't keep it.

As a side effect (if this was their only database
they are out of a job...).

If this supported tax collections, sorry, no
collections...

Re:

[Gat0r30y]

I'm not that surprised. This is after all the state where students don't even have to know the age of the earth [slashdot.org] to pass earth science! In a state with those sorts of values, honestly, I really don't expect the greatest in technical expertise to flock there. And even the lowest bidder should have known better. I would bet the work was done internally (only the government itself could hose something this bad).

Re:

[riskeetee]

In Oklahoma, the age of the earth is 6000 years. Nuff said.

Re:

[jd]

6,000 year old topsoil is pretty old.

Re:

[sl0ppy]

with this sort of sanitation built into the queries it generates.

or, perhaps simply use bind variables instead of trying to generate a query. not only will your application thank you, but your database will as well.

Re:

[sl0ppy]

famous last words: "just Googled them".

what you're talking about seems to be an Oracle-specific thing

no, not really. in the case of sane databases, it is the norm. heck, even mysql [mysql.com] supports them.

But like I said, since these web development frameworks generate the SQL queries for you based on your usage of their models

except that generating SQL on the fly is extremely inefficient . the database must then parse the query, measure costs and determine the best execution plan before executing the query even

Re:

[TheSpoom]

I'll be the first to admit I don't know everything.

Just curious though; how would you suggest that a framework using MVC and models use these things, assuming they don't already? Create a stored proc for each query if it doesn't already exist?

Re:

[Sancho]

There's also always some database overhead involved in creating a prepared query. If you're only going to use the query once, it may be that performance will be faster to build the query on the web server.

Generally speaking, I'd rather sacrifice database performance for security, but the manager doesn't always agree, does s/he?

Re:*facepalm*

[Anonymous Coward]

They'll have the best technology (your) money can buy when it is used AGAINST you (e.g. Dept of Homeland Security) but when they are doing something FOR you they cut corners and really couldn't care less.

Re:

[bcdm]

And that's what basically happened here (except the catalyst for change was information that could be used against THEM instead of against YOU). According to TFA, when the Department of Corrections was first told about this, they took the sites down for "routine maintenance". When the sites came back up, the SQL query was STILL in the URL. The only difference? They changed "social_security_number" to "Social_security_number", apparently thinking that was all the protection that sex offenders required.

Thei

Dangerous Illusions, There.

[Valdrax]

They'll have the best technology (your) money can buy when it is used AGAINST you (e.g. Dept of Homeland Security) [...]

Now why on Earth would you assume that? Do you honestly think that a government agency founded by this administration is any better staffed with competent people and supplied with well-managed infrastructure than FEMA was? (Which was under the DHS umbrella, mind you.)

Didn't DHS get a D grade on the last government security report card (compared to the government's C- average)?

Please. A government that feels that government is part of the problem has no interest in making it run efficiently.

Re:*facepalm*

[grassy_knoll]

Stored procedures are almost always a good idea, since you can also limit the permissions to SELECT and EXECUTE. Depending on the DB, using stored procedures also forces the use of bind variables so there's a CPU utilization optimization as well ( from the lowered parse rate ).

Not only did they put SQL in the query string, they granted more permissions to the DB user for the web app than it needed. If you're just looking up data, not changing it, why does the app need anything other than SELECT ( or EXECUTE if you're using stored procedures )?

A great example of why "just give the app admin rights so it can work" is one of the dumbest statements a developer can make.

Re:

[PhrostyMcByte]

The only problem with permissions is that the very people who should use them the most are typically equally ignorant about permissions as they are horrible in coding.

Re:

[geekoid]

This has nothing to do with being a government agency.
I have seen his in every industry. Including very large Financial institutions.

If you look at the number of websites the the 'government' has, nearly all of them run fine.

I can't speak for Canandian industry or government, my security work was done within the US.

Yes, I am a programmer that now works for a government agency, and no, not the one this article is about.

Re:

[TheSpoom]

I'm not saying that it's unique to government. I'm saying that it's slightly more expected given the stereotypes that are in-place (to which I normally don't subscribe; as I said earlier, many .gc.ca sites and their applications work quite well).

Re:

[Deanalator]

Unfortunately, pretty much every intro to SQL book I have looked at encourages the use of command strings. People get used to them, and then interacting with a SQL database becomes equivalent to string parsing, which they all learned how to do in the last book.

You would be surprised what you can find grepping for cmd_str, command_string, cmdStr, etc. Please developers, parametrize your variables. This won't prevent all attacks, but there is NEVER an excuse to use command strings, especially when you are

Umm...

[Oxy the moron]

Without reading TFA... how do they know it was (just) 10,000 SSNs? Did they just approximate the number of entries already in the offenders list and just use that? Couldn't there potentially be more?

Re:

[FooAtWFU]

Easy. They did a SELECT DISTINCT Social_security_number FROM offenders. ;)

(yes, uppercase S. One of their first lame attempts to sanitize it tried to do a case-sensitive replacement on the string "social_security_number", but apparently the uppercase still worked...)

Re:

[Workaphobia]

Weakest attempt to enumerate badness, EVAR.

Re:

[megla]

Well, if it was open to running any query then...

select count(1) from offenderList order by socialSecurityNo asc

Yep, that ought to do it!

Re:

[megla]

Of course, it would have helped if I hadn't run on autopilot and put a needless order by clause on the end, but you get the idea.

Re:Umm...

[Chris Mattern]

They knew it was 10,000 SSNs because the web site allowed them to do a COMPLETE DUMP OF THE ENTIRE DATABASE. Lock, stock and barrel.

Author of WTF article made security mistake also

[joggle]

The author should have completely blacked out the SSNs rather than blur them. They are still decipherable to those that are inclined to do so. This article [dheera.net] explains why blurring is a bad idea.

i dare someone

[Anonymous Coward]

What someone needs to do is register a certain G. Oatse as a sex offender in Oklahoma.

Re:

[Farmer Tim]

What, only Oklahoma?!

Humor?

[Wilson_6500]

Who would tag this "humor"? Given the deeply-ingrained social stigma attached to being put on one of these lists, I don't really see how it's funny that one was so horribly misimplemented. Even when something is _obviously_ wrong, as in this case, it can be hard to iron out the impression that actual people get from reading these lists. What if the problem weren't as obvious as this one supposedly is? Would it still be funny?

Generally, no retraction is ever as effective as the original statement. That's probably one of the reasons why libel is such a big deal for some people--just saying "sorry, we were wrong" may not be good enough.

Re:

[Gregb05]

thedailywtf.com usually posts humorous stories. The tone of this one, however is completely different.
I agree with parent, please tag !humor if that does anything.

Bad blurring

[Space cowboy]

Whereas the names and addresses of these people is a matter of public knowledge, is their email address and SSN also open ? If not, despite what you may think of their actions (public urination ? Really ?), it's not fair of the site to "blur" the relevant details so poorly.

I read the daily WTF, and usually I think it's pretty good, but Alex has made his own WTF here, IMHO.

Simon

obligatory

[Anonymous Coward]

im in ur sex offender database,
injectin sql.

The registry is stupid anyway.

[Dog-Cow]

The whole idea of having the registry is sheer stupidity, but on a scale designed to ruin innocent people.

Let's assume that a given person on the list was really a rapist (and not just convicted of it). If he's served his time and has repented, he won't do it again. So why do we punish him for the rest of his life with the registry? And if you think he will do it again, why is he not in jail?

You may as well just shoot him and be done with it.

Re:

[Chyeld]

Because most people are convinced that this particular class of offenders can't be rehabilitated and therefore releasing them to the general public is a mistake in and of itself. In order to ensure that they are proven right, they have decided that the "Scarlet Letter" method of tracking these people is justifiable.

If this range of classification was limited to people who were actually offenders who were likely to commit their crimes again, then this could almost be understandable. However, and especially i

The system is stupid.

[jd]

People can plead "insanity" on the grounds of having trouble telling right from wrong, but not on the grounds of actual mental illness. Rehabilitation is often said to be minimal to non-existant. Reports in the press frequently cover prison violence, gang warfare in the prison system and mental/physical/sexual abuse by both inmates and prison guards. Maximum security prisons are also described as being totally without sunlight (thus depriving the body of vitamin D) and essentially sensory deprivation chambe

Why Would Anyone Care?

[Bob9113]

but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list.

Why would anyone care if they were put on this list?

This issue has gone to the Supreme Court and they have ruled [wikipedia.org] that these lists are not punishment, and hence does not run afoul of restrictions against ex post facto punishment [wikipedia.org] or due process [wikipedia.org]. So if it is not punishment, why would anyone care if they are on the list?

Re:Why Would Anyone Care?

[Damvan]

You are kidding, right?

In California, we have this thing called Jessica's Law. That law prohibits registered sex offenders from living a certain distance (usually 1000 ft) away from places children might congregate, such as schools, churches, playgrounds, parks, and in some cases, shopping centers.

So, if you are on the list, there are alot of places you CANNOT live. There are many cities in California where you can't live at all, simply because there is no place that is at least 1000 ft from the prohibited locations. If I was put on this list, I would be forced to sell my house and move as I live 1000 ft from a church. In fact, I would have to move out of the City I live in entirely as there is no residential areas outside of the prohibited locations.

Re:

[Cro Magnon]

Somehow, I don't think forcing sex offenders to be homeless makes the community safer. Stupid lawmakers!

I think you'd have to try to be that incompetent

[Bobb Sledd]

I don't even know how you could test and debug such a system without inadvertently figuring out a design flaw like that.

Maybe they meant to mess it up on purpose? Sabotage? Maybe it was meant as a back door for later?

Re:

[MP3Chuck]

I highly doubt it was "tested" or "debugged" much beyond "Hey look, it actually works!" ...

Tell me again...

[SCHecklerX]

Why offshoring to the cheapest labor monkey is a good idea?

"Routine" maintenance?

[Sloppy]

"Routine," as in "we clean up messes similar to this one, all the time?"

Obligatory XKCD reference

[gizmonic]

Wow, an on topic post for my all time favorite XKCD! :)

http://xkcd.com/327/ [xkcd.com]

You would be suprised...

[jbsooter]

I used to work (3 years ago) at a background checking company that would pull/harvest databases off the internet if the county or state wouldn't sell it to us in bulk. You'd be suprised how many county websites have stuff like this.

There is one county in Florida that will return more results by walking thru their ID numbers than by searching for everyone in thier site. That means people who for whatever reason aren't supposed to show up on the website get harvested by companies like the one I worked at.

A county in Texas tried to stop the harvesting by making people sign in and limiting searches but managed to introduce a sql injection hole that lets you do whatever you'd like to the Users tables. I didn't try messing w/ the offenders tables but wouldn't be suprised if it was possible.

These are just two examples that I recalls. There were quite a few more.

Re:Get your lawyer ready....

[calebt3]

Get your lawyer ready.

He was probably notified along with all the other offenders.

Re:

[BlowHole666]

It is a sex offender database this is public information.

These registries also protect us from the truly unlucky offenders, such as fornicating teenagers, children who take nude pictures of themselves, and public urinators.

Once you are on the sex offender list you are required to register so people know who you are. It is just one of the things that comes with being a sex offender.

Re:

[Anonymous Coward]

It is just one of the things that comes with being a sex offender.

Please be more careful with your terminology. The correct thing to say here is, "It is just one of the things that comes with being convicted as a sex offender." You can be a sex offender and not be on this list (if you're not caught) and you can be a non-offender and be on this list (if you're wrongfully convicted).

I know it may seem like a small thing but it's important to remember that not all criminals are caught, and not all convicted people are actually criminals.

Re:

[$random_var]

Whats amusing is that the author took the time to blur out the SSN's but left the names, and addresses of the "offenders" in the picture. How much do you want to bet some overzealous reader of that article is going to be sending something fun to one of those addresses?

The names and addresses were already available by design to the public through the website. The problem was that the SQL injection vulnerability also revealed *additional* restricted data.

Re:

[MightyMartian]

Which means this site is feeding off of an internal database, rather than off of a database that has only pertinent details. That's pretty crazy in and of itself, but it's pretty common too. Just another way in which silly IT people who think because they can do the odd batch and PHP script that they're now developers. The sensible thing to do is to have a public-facing database with only the details you want seen by the public, which is updated by the master database. There's simply no reason to have S

Re:

[Silver Sloth]

Putting aside natural feelings of outrage and injustice exactly what offense with an associate jail term have they committed? I'm not sure about the US, I'm a Brit, but over here offenses under the Data Protection act don't carry jail terms.

Re:

[BlowHole666]

Why? In most cases you are protected from liability and your employer is the one to blame. You may get fired from your job, but you will not get sued. For example my wife works at a school and someone told her they were going to sue her. She notified the principal and the school district took care of it. So no this person should not go for jail they should be fired and the employer should give a bad referral.

Re:wow

[jmichaelg]

Going to jail is a bit over the top. Losing their job is what is called for.

However, if Oklahoma has problems similar to California, then they're faced with a Hobson's choice. They can fire the guy/gal but given the low pay scales, they could well end up with someone just as bad.

Re:

[pilgrim23]

oh but THINK OF THE CHILDERN! What matter if half the state of Oklahoma, portions of Texas, Missouri and all of Southern California end up on the list? If just one child is saved is that not reason enough to ruin the lives, futures, and family of millions? Besides, to fix this mess will require hiring a few thousand more gu'bmint pencil pushers! Thank Mog we have a government that CARES!

lists should be minimal in size

[davidwr]

I know you are being sarcastic, but the bigger these lists are the more useless they become.

If every public urinator and teenager in love gets put on these lists, it's that much harder to spot the really bad guys. The same goes for the really bad people who are now harmless 89-year-old men dying in a nursing home. Get these people off the list ASAP.

If you aren't "level 3" or whatever "really really dangerous" is in your state, only the cops and those who have a proven need to know should have access to your information.

Re:

[moderatorrater]

Going to jail is a bit over the top

How so? At the very least we know that for the last three years they granted access to thousands of social security numbers and medical records to anyone with internet access and rudimentary skills in sql. This isn't a situation where they made a small mistake, that on one of their report pages they didn't sanitize the 'sort by' field and they got burned. This is the absolute worst mistake that a programmer can make. The programmer should be charged with facilitating identity theft, and everyone in the sta

Re:

[MightyMartian]

The biggest problem, from what I can see, is that there's still this divide between the older fields of developer and technician/admin. Tech and admins know some basic scripting, but are never taught sound practices, which to my mind is a huge mistake. Maybe that made sense ten or twenty years ago when a sysadmin would be restricted to shell scripts and working with awk and the like, nothing over a few dozen lines. Now IT departments are getting requests for what amount to actual application development,

Re:

[Etherwalk]

Yeah, but if this guy messes up again, the state can't claim they didn't know how bad he was--they're now aware of his incompetence, which probably increases their liability the next time he screws up. Keeping him might be the right thing to do if they can make sure he learns from it--but it's probably the wrong thing to do from a risk-management perspective.

Re:

[Psmylie]

While I agree that whoever is responsible for this should be fired (and it may not be the person who wrote this, it could be the boss who pushed to have this released before it was ready), I think that people are too quick to fire folks who make mistakes these days.

People learn from their mistakes, and the money spent on damage control and cleanup can be seen as paying for that employee's education, in a way.

I mean, what would you prefer, to fire the person who made a mistake and hire someone with unknown

Re:

[MightyMartian]

This is a rather unique situation. The nature of the mistake indicates an extreme degree of incompetence. I've never seen anybody put SQL queries in URLs, and I've seen some pretty sloppy code. This is bad with a capital B, and, particularly in this age of security compromises big and small, I really question the smarts of someone who would do something like this, because it raises the question of what other things have they done that were equally bone-headed. At the very last, I would want an audit don

Re:wow

[yuna49]

This is an official government list of alleged "sex offenders," not a list of people with parking tickets. Developers tasked with providing public access to such sensitive information, and the people who employ and direct them, should be adhering to the best practices, not the worst practices as in this case.

The real issues are that

(a) No one in the OK government probably cared much about the privacy of these "sex offenders" because, well, they're "sex offenders."

(b) Government agencies are constantly tasked by executives and legislatures to implement programs they're ill-equipped to handle and often receive no additional funding to carry out these mandates. Do you think the OK agency involved had tens of thousands of dollars to hire outside contractors with solid coding skills to undertake this task? Probably they handed it to someone in house who knew how to write SQL queries and a little PHP.

I'd fire the lot of them, including the department heads, and start over with people who have at least some clue about good IT practices. If this fiasco was actually the product of an outside consulting shop, I'd ban them from working for my state government for a very long time.

If we don't have substantial and public penalties for poor management like this, we're just going to be repeating our mistakes.

Re:

[yuna49]

One other thing. I wonder if the OK legislature will launch an investigation into this fiasco, or will they avoid the problem since the people on the list were, after all, "sex offenders." I'd like to see the head of the Department of Corrections be grilled on why this happened. Unfortunately any legislator who might broach the subject would probably be labeled as sympathetic to sex criminals.

Re:

[jamstar7]

Along with Cheney, Rumsfeld, Wolfowitz, Rice, and the rest of the 'Usual Suspects'.

Woulda made a great April Fools prank...

Re:

[Skater]

Can't you just be happy that they used "literally" correctly?

Re:

[gnick]

...the site went down for 'routine maintenance' on April 13 2008.

The scary part is - I wonder how 'routine' catches/fixes like this are. If this had been noticed internally, likely they would fix it during 'routine maintenance' and issue no notification about the fact that the vulnerability had been out there.

Re:

[Tmack]

... they lump rapists in with flashers ...

Actually, urination in public will win you a spot there too...

Re:

[urcreepyneighbor]

The purpose of the SO lists is to identify those likely to re-offend.

Hm. Good idea, but it's missing a key group: the goatse poster. Study after study has proven that this group has a recidivism rate far higher than even pedophiles.

Re:

[Chyeld]

With respect, this would only work in an ideal society where it would be useless in the first place.

Question 1. Who determines what list you get on? If its the same people that are deciding this today, the only list with people on it will be "List 3".

Question 2. In this day and age, do you honestly think that once you get on "List 2" or "List 3" you'll ever be able to drop off? There are people out there right now, compling private databases off these lists for the purposes of ensuring these folk "never aga

Re:

[Workaphobia]

There is of course the other major point, that it is absolutely ridiculous how social security numbers are treated as sensitive information and required information in so many unrelated contexts. What idiot thought up the system of authenticating a person for credit using the same token that hundreds of other organizations use to identify that person?

Maybe in a hundred years we'll have registries of public keys and we'll all have private SS keys that are never shared with your credit card company, bank, and

Re:

[Cro Magnon]

I wish I could mod you up. As far as I'm concerned, using the SSN to authenticate people is like me using "Cro Magnon" as my /. password.