Posted Tuesday 2nd September 2008 12:48 GMT
Aberdeen man feared drowned.
So the P&J's headline apparently went back in 1912. Insular, parochial? Just reflecting Aberdeen...
Posted Tuesday 2nd September 2008 12:48 GMT
"Using the HTTP Post method of encoding a database query would have meant that a requested page comes with a URL that looks like gibberish, effectively eliminating the problem of URL manipulation"
That's not really how... oh, I can't be arsed.
Posted Tuesday 2nd September 2008 12:52 GMT
'Aberdeen Journals Limited maintains a privacy policy that states that "protecting the privacy and personal data of individuals is an important aspect" of how the firm is run.'
They'll use the same words on their response to this issue, because they think it's valid to do so.
Paris, because she thinks it's valid to expose her smalls in public too.
Posted Tuesday 2nd September 2008 12:52 GMT
One of the reasons I never fill in web forms with truthful information.
I do not trust the Internet. I do not trust businesses with personal information.
When I first started using the Internet, I though that I was maybe being a little paranoid. As I have grown to understand the underlying technology I realise that I was being astute.
Humans make mistakes, I have made many, I expect I will continue to do so. As the technologies behind the Internet become more complicated and connected, I expect more will be made. But this is a silly mistake, Cisco made a similar error with http access to their routers in IOS 12.0 and earlier.
Posted Tuesday 2nd September 2008 13:49 GMT
We don't use our real names and emails for such comments
oh dear have I given the game away about theReg accounts used to comment on articles
Posted Tuesday 2nd September 2008 13:49 GMT
indeed, not like firebug reveals form data ;-)
only thing that offers any (albiet not a great deal of) protection, is https with asymetric encryption for the data, and then you are vulnerable to unupdated debian ssl flaws, man in middle and playback attacks
never mind the ease of snarfing over wifi, (think shouting your pin number in a crowded room, and ur halfway there)
do think there should be a license or something required to create systems which handle public data, at least that way the only excuses are apathy and laziness, instead of ignorance and incompetance
Posted Tuesday 2nd September 2008 13:49 GMT
I did a similar thing on the capitalone website around 2004 - in the secure message part of your account manager I clicked on a message, then edited the message ID in the url to random numbers. I was happily able to view other peoples private messages with capitalone, even though I was clearly not the author. Appalled, I sent them a message, after receiving no reply or acknowledgement after days I rang, told them off and threatened to tell the papers unless they looked into it seriously. Within the hour the site was down for maintenance!!! Never heard from them again, but the problem was fixed when they were back online. :)
This post has been deleted by its author
Posted Tuesday 2nd September 2008 13:53 GMT
@adnim
I never fill in web forms with truthful information either.
Must be off now, gotta pick up my Ferrari from the garage, before jetting off for a six week holiday in the Bahamas.
Mine's the one that matches the flaming underwear.
Posted Tuesday 2nd September 2008 15:09 GMT
"Using the HTTP Post method of encoding a database query would have meant that a requested page comes with a URL that looks like gibberish, effectively eliminating the problem of URL manipulation"
errrr... did this line come out of a gibberish generator? This means nothing to me. Should it?
Anyone care to explain?
Posted Tuesday 2nd September 2008 15:09 GMT
beginners snafu
"How would I sidejack this" should be thought number 1
Posted Tuesday 2nd September 2008 15:09 GMT
I do provide the truth to to the few online shopping sites I use, my bank, the DVLA and The Register of course.
Posted Tuesday 2nd September 2008 15:09 GMT
All of the above, but it is a local paper after all. P&J has always been so, but rags like the "Mearns Leader" take the biscuit in the parochial stakes.
Paris, because she never made the front page in Stonehaven.
Posted Tuesday 2nd September 2008 18:15 GMT
I understood it read, "North East man lost at sea, hundreds others feared drowned". No mention of the recent sale of the good old P&J to Dundee's DC Thomson's?
Posted Tuesday 2nd September 2008 18:15 GMT
"In reporting on previous instances of URL mainipulation we've been told that using the HTTP Post method of encoding a database query would mean that a requested page comes with a URL that looks like gibberish, reducing the problem of URL manipulation."
Whoever told you that should in no means be let anywhere near a web site. Using the HTTP POST method sends the query in the body of the request instead of the URL. It means URL manipulation is no longer possible, although content manipulation is still possible for those who know enough. Many websites continue to use GET and simply use some form of encoding/encryption to make the URL hard for a human to parse. That's hard, not impossible. The best answer right now, of course, is complete encryption and POST -- but as with most best practices, it's pretty much ignored.
Posted Tuesday 2nd September 2008 18:15 GMT
Journo who doesn't quite grasp the whole GET/POST protocol.
Posted Tuesday 2nd September 2008 18:16 GMT
I thought it was 'local man dies in shipping accident'. Ah the good old P&J
Posted Wednesday 3rd September 2008 00:43 GMT
"All of the above, but it is a local paper after all. P&J has always been so, but rags like the "Mearns Leader" take the biscuit in the parochial stakes."
Clearly you have not read the Caithness Courier or its sister paper, the John O Groat journal.
30% gossip heard outside the sherrif court, 20% gossip heard in the pub, 40% adverts and 10% of actual news. Any news that they can attach to Wick and Thurso. Normally involving Caithness And Sutherland Enterprise shoving more money into the area attempting to redevelop the area. Badly.
Only the obituaries and marriages are almost always accurate, and even they are fallible...
If the previous poster had said that the JOGJ/CC had the Titanic headline, I'd have believed it without hesitation because that's *exactly* what it's like.
As local papers that far north go, I can say with some authority [as one of the few locals who can read thanks to not being horrifically inbred...] that the P+J isn't actually too bad as a source of news, but I'd never read it if there was a Times available...
Steven R
Posted Wednesday 3rd September 2008 09:11 GMT
Once at university I had access to microfilm of the P&J archive and the Titanic story is just a myth. The timing of the sinking (morning UK time) made it far too late for that day's paper and the next day there was full and sensible coverage.
The story should be about the declaration of World War One where the headline of the day is
"Giant Turnip Found At Turriff"
Posted Wednesday 3rd September 2008 10:39 GMT
Don't know why everyone's having a pop at Northern local papers. They're all like that, it's their job to be. I read the London Evening Standard once. It was full of stuff about London! It was like the rest of the country didn't exist!
As for this story; anyone who registers with a newspaper website and supplies accurate and confidential information.. well, I'll not say they deserve it, but what exactly are they thinking? Just because a newspaper has the nerve to ask for your home address and mobile number doesn't mean you have to give them it.
Posted Wednesday 3rd September 2008 11:45 GMT
>the Titanic story is just a myth
I had always thought it did reek of an urban myth.
Now the Turra neep, THATS news!
Posted Wednesday 3rd September 2008 19:28 GMT
and what about the Dundee Courier whitch until fairly recently did not have Front Page news the Front Page was all adverts
Posted Thursday 4th September 2008 09:18 GMT
... techncally, I do ... where a = [username] and b = [hotmail]
Posted Monday 8th September 2008 08:39 GMT
post is meant to be used when the server state changes.
get is used to retrieve a URL based on parameters.
Both can be affected by a lone cracker, get is arguably simpler as you can mainpulate directly in the browser, but of course a cracker can create a program to send crafetd post requests.
In an earlier infomercial, the art of self defense in the browser I think it was called, the author said a problem with a certain site was that a call to a url could be embedded in an external page causing the external site to change account information.
Now, those calls tend to have to be get requests, post requests are not sent automatically via the browsers to another domain. So, in that instance requiring a post would have helped (not made secure but helped).
See, they could have made you fill in a form or cloaked a form as a button, but less chance of an exploit then as it would require user interaction. And of course there is the possibility of using an iframe and an auto submission, could work, would be more obvious though, and would be considered a security hole, therefore a candidate to be patched. Whereas, accessing a url via get should be harmless, because it is not meant to change server state, see how all this works.
But in this instance, post or get it doesn't matter.
Browser security is really based on what does the user allow, that's why the confirm boxes are not really customizable so people cannot switch the ok and cancel around. And that's also why the mouse cursor cannot be moved all round the browser anymore :) Well maybe IE still allows that.
I have lost count of the bozos who think mixing post and get requests is a good idea. Break the model if you like, it is breakable but of course people base security around the model.
Anyhow, the golden rule is never trust the information sent, and verify the place it is sent from, if the system is open to abuse. Amazon one click is an example of something that could be quite easy to abuse or not depending upon how they verify the request.
And whilst we are on the subject, if you are using javascript, then it makes verification simpler and more robust, states can be changed depending upon page exit and tab currently being viewed, so it does amuse me that people advise noscript because in some instances they are lowering their security potential.
Sign up, sign up for The Register's weekly IT security newsletter - click here
Back to the article
