Y2K State Surveys Security Hole

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

http://newstrolls.com/news/dev/guest/110199.htm

diva Note: As of 9AM EST Monday, neither NewsTrolls nor NetworkCommand has heard back from anyone related to the site. We have been trying to contact them since last Friday. For security reasons we are not publishing which US state has the following security hole so that Y2K surveys already entered will not be compromised. Unfortunately, the ability to exploit the hole still exists.

Y2K State Surveys Security Hole By Mike of NetworkCommand

Overview:
=========
Y2K information subject to exaggeration or gross understatement.

Issue:
======
Because no one is really sure what to expect, be sure to expect the unexpected.

Platform Affected:
==================
Earth.

Summary:
========
Currently, a State Government web site is providing Y2K Preparedness information to the general public. You, as a citizen, may go and review this information. You can view the status of Public Utilities (gas, water, power), Health Care Providers, the 911 system, Telecommunications, etc. You can read what you might expect:

- We're almost done.
- We do not impact essential functions.

You can read what you might not expect:

2) Do you have, manufacture, or distribute any equipment controlled by computers? NO
3) If you answered "yes" to the above question, can failure of computer controlled equipment cause untreated sewage to be released to the environment or an interruption of service? YES

So, does this company have any computers? Or, could the failure of those computers they don't have cause the untreated sewage to be released?

Even more, this one from a Natural Gas Company:

3) What is the date that the Y2K project started? (mm/dd/yyyy) 11/1998
Contingency Plan Development Start Date (mm/dd/yyyy) 12/1997

Aren't those backwards? Don't you have to start the project before you make a Contingency Plan? Are you guessing?

Anyway, as you can see I'm not sure these people can be trusted with paperwork.

Now here's the kicker.

These Preparedness statements are available online. If you're a company, you can fill one out. If you're a citizen, you can review them.

However, due to an error in the web site's code, if you can find an org_id, you can submit a Preparedness statement. An org_id looks like this: view.cgi?org_id=14633927754506433&round=2 And guess what they are using for authentication? You got it, the org_id. Someone who wanted to modify these statements could get the org_id and click the button called "Submit Preparedness Statement." They could then change an existing statement or send in a new one.

Please bear in mind, this is all in accordance with a state law.

At this time multiple attempts have been made to contact the administrators of this web site and inform them of the problem.

Hopefully no one will modify these documents in the meantime. I doubt they have any tape backups.

The moral of this story?

If I have to spell it out, it wouldn't make sense to you anyway...

Mike NetworkCommand.com (when you can't just pull the plug)

Why the heck aren't these items secured???

© NewsTrolls, Inc. 1998, 1999, all rights reserved

-- Helium (Heliumavid@yahoo.com), November 01, 1999
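Added example (not from the post, NewsTrolls, or the state's site) modelling the defect Mike describes: a submit handler that treats the org_id in the query string as the credential, beside a hardened handler that authenticates from a server-side session and then checks that the session's organisation owns the org_id named in the request. The Request class, the session store and the sample data are constructed for illustration.

```python
# Constructed model of the access-control defect in the state Y2K survey site.
# Nothing here is the site's real code; names and data are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample data: preparedness statements keyed by org_id
# (the id is the one quoted in the post, reused only as a lookup key).
STATEMENTS: Dict[str, str] = {"14633927754506433": "We're almost done."}

# Constructed session store: session token -> org_id the session was opened
# for after a real login step (password etc.) that this model omits.
SESSIONS: Dict[str, str] = {"sess-utility-1": "14633927754506433"}


@dataclass
class Request:
    query: Dict[str, str]
    cookies: Dict[str, str] = field(default_factory=dict)


def submit_vulnerable(req: Request, statements=STATEMENTS) -> str:
    """Mirrors the defect: an org_id that appears in every public view.cgi
    link is treated as proof that the caller *is* that organisation."""
    org_id = req.query.get("org_id")
    if org_id not in statements:
        return "404 unknown org"
    statements[org_id] = req.query["statement"]  # anyone can overwrite
    return "200 statement updated"


def submit_hardened(req: Request, statements=STATEMENTS, sessions=SESSIONS) -> str:
    """Authenticate from a server-side session, then authorise: the session's
    principal must own the requested org_id. The org_id stays a lookup key,
    never a credential, so knowing it grants nothing."""
    org_id = req.query.get("org_id")
    principal: Optional[str] = sessions.get(req.cookies.get("session", ""))
    if principal is None:
        return "401 login required"
    if principal != org_id:
        return "403 not your organisation"  # blocks the org_id swap
    if org_id not in statements:
        return "404 unknown org"
    statements[org_id] = req.query["statement"]
    return "200 statement updated"
```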

Answers

The moral is that people are stupid?

-- Mara (MaraWayne@aol.com), November 01, 1999.
