Nice to see
We get value for money from the £500m spent on 'cyber defences'
The Royal Navy's main website has been taken offline following claims by a Romanian hacker that he broke into the site, swiping the login credentials of administrators in the process. The hacker, TinKode, posted information on the web to support his claim to have penetrated the site, www.royalnavy.mod.uk. Royal Navy website …
Oh dear, oh dear, oh dear. That really is quite special.
I particularly like <centre> vice <center>, going to the effort of specifying the alt attribute only to leave it blank and the particularly comical 'lightbox effect' on the error message cum GIF-from-hell (score one for accessibility there). Unless I'm very much mistaken, it was achieved with MS Paint - that god-awful dithering is always a giveaway.
I plugged it into the W3C's validator for giggles expecting it to implode but alas it only found eight things to complain about. Still, for 70 bytes of code, that's pretty impressive.
While I agree that no SANE human would have included blank alt tags, no WYSIWYG editor is going to use an incorrectly spelled center tag, nor would it fail to include massive header and body entries.
So alas, it seems someone really did type that website up in their local text editor and slapped it on the net without so much as a sanity check or checking for inconsistencies.
Actually a human would create a blank alt tag if the image was purely presentational and conveyed no information.
A blank alt tag tells a screen reader or other similar user agent that there is an image here but the user doesn't need to know about it because it's just presentation. If you don't put an alt tag on a presentational image then depending on the user agent it will 'interpret' (read guess) what to do.
Having a user agent guess at what to do is always bad for accessibility. It could be programmed to read out the file name, which could be confusing for the user or embarrassing, if your HTML guy likes to name the images with stupid names.
Remember always put an alt tag on an image even if it is blank. The blankness has information...
"Actually a human would create a blank alt tag if the image was purely presentational and conveyed no information."
Except the image we're talking about DID convey information. In fact, it was (is still) the *only* element of the document conveying that the site is down for maintenance (not even a <title> element). The text shown in the article screenshot was part of the image, not imposed over it!
It seems to have been improved a bit now but it still doesn't quite work :)
"It's very unlikely that any confidential much yet secret material was kept on a public facing website"
Right, because that never happens....
Any bets on how long it takes before email 'backups' containing the current location of the on-patrol Vanguard hit the torrents?
...and the target coordinates are somewhere in Whitehall. It should be "Headquarters, Naval Training and Education Command".
Alternatively, "HQ, Royal Radio Corps", "HQ, Royal Engineers".
First they have an SQL insertion weakness and then they can't even do proper HTML. Any more words needed? The leadership needs to go here.
If this had happened to a Pentagon website, again, they would be screaming terrorism, loss of secrets, etc. and demanding the alleged whiz behind this attack be handed over immediately.
Won't happen because Romania has balls and would tell them to get stuffed, unlike a certain island nation we know of..
Allow me to be the first to congratulate you on the headline, that's fab.
As for the coder of the maintenance page - I have word that he was recently transferred to the post, following early completion of his duties as captain of the HMS Astute (a nuclear submarine recently attacked by a small island off the coast of Scotland).
The thought that they would fall victim to a trivial SQL injection that could have been cooked up by any 13 year old kid .... (let's be honest, it basically boils down to typing something extra into the address bar on your browser .. hardly a massively sophisticated and unexpected attack vector)
Or .. is it that the website is the public facing side of the navy, and as it contains no secret data, no defence implications and no security risks ... does it matter that it was not very secure and hacked with a few keystrokes into a web browser ...
Or ... is the REALLY worrying thing that the "secret stuff" that's not exposed to the web is actually MORE insecure, and the shambolic coding standards on the public facing website are actually hardened and tougher than the internal backend systems defending our country ????
..the RN had their pants down until 16:40 German time. I am sure other navies are deeply impressed by British Cyber Capabilities.
The Romanian guy is already busy defacing something else via TOR and these muppets will never catch him.
The current state is:
"<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>Royal Navy</title>
</head>
<body>
<div><img src="navysitedown.gif" alt="A screenshot of the Royal Navy homepage" title="Royal Navy site down for essential maintenance"/></div>
</body>
</html>"
..a colonel who can write & debug 20000 lines of C++ code would have handled the situation. Logs would have been analyzed by an ad-hoc team of PHP/.net/Java (whatever kludge they use for content mgmt) programmers.
The weakness would be found in less than 1 hour by just analyzing logs and re-running the evil requests and debugging the CMS. If required, the colonel would call Cheltenham and have them look at it, too.
The senior NCO who is the webmaster would have had a simple text file as the index.html saying "due to service, currently offline. webmaster". That would have saved that html embarrassment.
All would be up and running again. They certainly would log in a secure manner. The Evil Romanian Hacker would not be able to erase logs.
But I guess the muppets currently download the latest version of their CMS from sourceforge and hope for the best. Everything runs as root. Or as "Administrator" ??
I used to work with a C programmer who'd worked on missile guidance systems for the MOD.
Given that this bloke was fond of large amounts of beer at lunchtime then (just as he is now) it's perhaps no wonder there is so much "collateral damage" in modern warfare.