Nice to see
We get value for money from the £500m spent on 'cyber defences'
The Royal Navy's main website has been taken offline following claims by a Romanian hacker that he broke into the site, swiping the login credentials of administrators in the process. The hacker, TinKode, posted information on the web to support his claim to have penetrated the site, www.royalnavy.mod.uk. Royal Navy website is …
Ten out of ten for style, but minus several million for good thinking, yeah?
What, we thought the French were doing that bit.
Nope Brussels say it's us.
Not the French
Can we blame them anyway?
"his claim to have penetrated the site"
That would seem to be in accordance with Churchill's view of Naval tradition then.
Even the 'maintanance' page has an error:
<centre><img src="navysitedown.gif" alt=""/></centre>
(that's the entire page)
Aside from the lack of a <body> and other WTFery, the closing tag has a '?' in it!
Good to see good old patriotic spelling of center in there as well :)
that the MOD are on top of technology eh?
Interesting <centre> element, too... British spelling is not recognized by my Firefox.
To indicate their level of knowledge: ?html - html, what's that? It's one of those PROGRAMMING LANGUAGES, right?
Of course, I meant 'maintenance' page...
Oh dear, oh dear, oh dear. That really is quite special.
I particularly like <centre> vice <center>, going to the effort of specifying the alt attribute only to leave it blank and the particularly comical 'lightbox effect' on the error message cum GIF-from-hell (score one for accessibility there). Unless I'm very much mistaken, it was achieved with MS Paint - that god-awful dithering is always a giveaway.
I plugged it into the W3C's validator for giggles expecting it to implode but alas it only found eight things to complain about. Still, for 70 bytes of code, that's pretty impressive.
That's what you get for using some random WYSIWYG editor. No human would have included blank alt tags.
They listened to the comments and changed the element to <centre>
Now it displays on the left of the page.....
The <?html> is still there though!
While I agree that no SANE human would have included blank alt tags, no WYSIWYG editor is going to use an incorrectly spelled center tag, nor would it fail to include massive header and body entries.
So alas, it seems someone really did type that website up in their local text editor and slapped it on the net without so much as a sanity check or checking for inconsistencies.
But if you're coding in XHTML then alt tags are required in images - and if the image is purely a design element then you are SUPPOSED to use a blank alt tag.
Granted - neither case applies in this case ;)
You mean "English spelling", as in, that is how it's used in England. Britain is comprised of more than one country and its inhabitants speak more than one language.
Actually a human would create a blank alt tag if the image was purely presentational and conveyed no information.
A blank alt tag tells a screen reader or other similar user agent that there is an image here but the user doesn't need to know about it because it's just presentation. If you don't put an alt tag on a presentational image then depending on the user agent it will 'interpret' (read guess) what to do.
Having a user agent guess at what to do is always bad for accessibility. It could be programmed to read out the file name, which could be confusing for the user or embarrassing, if your HTML guy likes to name the images with stupid names.
Remember always put an alt tag on an image even if it is blank. The blankness has information...
"Actually a human would create a blank alt tag if the image was purely presentational and conveyed no information."
Except the image we're talking about DID convey information. In fact, it was (is still) the *only* element of the document conveying that the site is down for maintenance (not even a <title> element). The text shown in the article screenshot was part of the image, not imposed over it!
It seems to have been improved a bit now but it still doesn't quite work :)
It's actually a (Captain) Jack Sparrow Turing Machine for converting to/from the language known as Keefeze.
AC because that's one shit joke.
In God's Name is this sort of shit even still possible? Where do they find the people to code these sites?
when they wake up, they're a Navy coder...
(mine's the one with the cosh in the pocket)
I realize that's the standard English spelling, but as far as I know it's never been an HTML tag. Even <center> is only barely right by current web standards.
At least they got the alt tag in there to make it accessible to the blind.
"It's very unlikely that any confidential much yet secret material was kept on a public facing website"
Right, because that never happens....
Any bets on how long it takes before email 'backups' containing the current location of the on-patrol Vanguard hit the torrents?
Causing millions of pounds of improvements in operational efficiency.
Lemme guess ... this site was part of the "Windows for Warships" upgrade? If this can happen to the RN's site, imagine what a WiFi-toting pirate can do to the warships at sea...
ARRRR!!!!! Shiver your timbers!!!!
Also, using <center> in 2010 is pretty embarrassing. And then spelling it wrong (should be spelt "center") isn't great either!
They just put up a 'maintenance' page?
WTF do they have all those cruise missiles for, if not to deal with lowlives like TinCock or whatever he calls himself?
...and the target coordinates are somewhere in Whitehall. It should be "Headquarters, Naval Training and Education Command".
Alternatively, "HQ, Royal Radio Corps", "HQ, Royal Engineers".
First they have an SQL insertion weakness and then they can't even do proper HTML. Any more words needed? The leadership needs to go here.
If this had happened to a Pentagon website, again, they would be screaming terrorism, loss of secrets, etc. and demanding the alleged whiz behind this attack be handed over immediately.
Won't happen because Romania has balls and would tell them to get stuffed. <www.sheepscreek.com/recipe.html> unlike a certain island nation we know of..
......the Navy's public-facing PR website containing no secret data is not as secure or well built as their operational systems?
<Extremely heavy sarcasm>
My, I am surprised. This is a disaster and no mistake.
</Extremely heavy sarcasm>
You do protest too much with sarcasm, so it's OK that a web site that should have security as its top priority was hacked? Gives me full confidence.
Allow me to be the first to congratulate you on the headline, that's fab.
As for the coder of the maintenance page - I have word that he was recently transferred to the post, following early completion of his duties as captain of the HMS Astute (a nuclear submarine recently attacked by a small island off the coast of Scotland).
... return a 404: http://www.royalnavy.mod.uk/helicopter-warfare
Shoddy site management in anyone's books... a 503 - Service Temporarily Unavailable header should be returned, unless they want to mess up with their indexing within search engines.
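The point in the comment above, answering every URL with a 503 during maintenance instead of letting inner pages 404, shown as an added example that is not part of the original thread or the Navy's site. The names `maintenance_app` and `probe`, the one-hour `Retry-After` value and the page text are assumptions chosen for illustration.

```python
from wsgiref.util import setup_testing_defaults

RETRY_AFTER_SECONDS = 3600  # assumed length of the maintenance window

# Minimal valid page: the notice is real text with a <title>, not only an image.
MAINTENANCE_HTML = """<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Site down for essential maintenance</title>
</head>
<body>
<h1>Site down for essential maintenance</h1>
<p>Please try again later.</p>
</body>
</html>
""".encode("utf-8")


def maintenance_app(environ, start_response):
    """WSGI app: every path gets 503, so no URL answers 200 or 404."""
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(MAINTENANCE_HTML))),
        ("Retry-After", str(RETRY_AFTER_SECONDS)),  # tells crawlers when to return
        ("Cache-Control", "no-store"),  # keep proxies from caching the outage page
    ]
    start_response("503 Service Unavailable", headers)
    if environ.get("REQUEST_METHOD") == "HEAD":
        return []  # HEAD: headers only
    return [MAINTENANCE_HTML]


def probe(path, method="GET"):
    """Call the app in-process; return (status line, headers dict, body bytes)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["REQUEST_METHOD"] = method
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(maintenance_app(environ, start_response))
    return seen["status"], seen["headers"], body
```

To serve it locally, pass `maintenance_app` to `wsgiref.simple_server.make_server`; `probe("/helicopter-warfare")` shows the status an inner page would get.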
The thought that they would fall victim to a trivial SQL injection that could have been cooked up by any 13 year old kid .... (let's be honest, it basically boils down to typing something extra into the address bar on your browser .. hardly a massively sophisticated and unexpected attack vector)
Or .. is it that the website is the public facing side of the navy, and as is contains no secret data, no defence implications and no security risks ... does it matter that it was not very secure and hacked with a few keystrokes into a web browser ...
Or ... is the REALLY worrying thing that the "secret stuff" that's not exposed to the web actually MORE insecure, and the shambolic coding standards on the public facing website are actually hardened and tougher than the internal backend systems defending our country ????
Really? They store their passwords in the DB? Somewhat worse than writing crap HTML. If it's true.
A village in Romania is about to take delivery of several Royal Navy Tomahawk cruise missiles....
..the RN had their pants down until 16:40 German time. I am sure other navies are deeply impressed by British Cyber Capabilities.
The Romanian guy is already busy defacing something else via TOR and these muppets will never catch him.
The current state is:
"<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<div><img src="navysitedown.gif" alt="A screenshot of the Royal Navy homepage" title="Royal Navy site down for essential maintenance"/></div>
..a colonel who can write & debug 20000 lines of C++ code would have handled the situation. Logs would have been analyzed by an ad-hoc team of PHP/.net/Java (whatever kludge they use for content mgmt) programmers.
The weakness would be found in less than 1 hour by just analyzing logs and re-running the evil requests and debugging the CMS. If required, the colonel would call Cheltenham and have them look at it, too.
The senior NCO who is the webmaster would have had a simple text file as the index.html saying "due to service, currently offline. webmaster". That would have saved that html embarrassment.
All would be up and running again. They certainly would log in a secure manner. The Evil Romanian Hacker would not be able to erase logs.
But I guess the muppets currently download the latest version of their CMS from sourceforge and hope for the best. Everything runs as root. Or as "Administrator" ??
I used to work with a C programmer who'd worked on missile guidance systems for the MOD.
Given that this bloke was fond of large amounts of beer at lunchtime then (just as he is now) it's perhaps no wonder there is so much "collateral damage" in modern warfare.