One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.But the best part is what it took to get the state to fix it:The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years.
— Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data, by Alex Papadimoulis in Feature Articles, The Daily WTF, 2008-04-15
I emailed George again, this time explaining the problem much more clearly and advising in BOLD, RED, CAPS that the "roster page" should be taken down immediately. I also demonstrated the power of the ALL_TABLES table, the contents of an "interesting" table named MSD_MONTHLY_MEDICAL_ACTIVITY, and how even their information was available for all to see:And suddenly the offending page disappeared. Apparently it's not enough to explain to some people that they're leaking personal information about everybody in the state. You have to explain they're leaking information about themselves. And it's good risk management to have such people in charge of information about the public?
-jsq
I gather it's called eating your own dogfood ... or drinking your own koolaid. Having the employees put their own data up in their system might be a good idea :)
Posted by: Iang | April 15, 2008 at 06:24 PM
In Unix-land and nowadays in open software, it's always been considered a good thing to build software that you're going to use yourself. This seems like a corollary: maybe the developers of any public-facing system should be required to expose their own information as much as anybody else.
Posted by: jsqrisk | April 16, 2008 at 08:58 AM
Other instances of government agencies allowing access to personal and financial information include the recent threats to veterans through a contractors stolen lap top and more. Find out about these stories and how can keep your credit safe by visiting http://www.identitytheftsecrets.com/veterans-what-you-should-know-to-prevent-and-recov.html#more
Posted by: Lisa | May 01, 2008 at 10:26 PM