In Vista, IE7 runs in a sandbox to keep errant downloads from touching important system files. Sometimes, though, it needs a way to break out of that restricted environment, which is why there’s a “Low” temporary directory with “low” security. Since it lives in the temporary directory, this directory can get erased by Windows’ own Disk Cleanup tool.
To fix the problem, re-create the “Low” directory. At the command prompt, type:
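An added example, not the original post’s command: a PowerShell script that re-creates the “Low” folder under the user’s temp directory, applies a Low mandatory integrity label with icacls, and then checks that the label is actually present. The folder path and the icacls label syntax are assumed from Vista’s standard layout.

```powershell
# Added example (not from the original post). Assumes Vista's standard layout,
# where %LOCALAPPDATA% is %USERPROFILE%\AppData\Local and the Protected Mode
# folder is Temp\Low beneath it. Run from an elevated prompt if icacls is denied.
$low = Join-Path $env:LOCALAPPDATA 'Temp\Low'

if (-not (Test-Path $low)) {
    New-Item -ItemType Directory -Path $low | Out-Null
    Write-Host "Re-created $low"
} else {
    Write-Host "$low already exists; re-applying label only"
}

# Label the folder Low integrity; (OI) and (CI) make files and subfolders
# created inside it inherit the label, which is what Protected Mode expects.
icacls $low /setintegritylevel '(OI)(CI)Low' | Out-Null

# Verify: icacls prints mandatory labels as "Mandatory Label\Low Mandatory Level".
$acl = icacls $low
if ($acl -match 'Low Mandatory Level') {
    Write-Host 'Low integrity label is set; restart IE to use Protected Mode again'
} else {
    Write-Warning 'Label not found; inspect the icacls output below:'
    $acl
}
```

Running Disk Cleanup again will remove the folder once more, so keep the script handy rather than treating this as a one-time fix.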
Alternatively, you can turn off Protected Mode in IE and restart your browser. But this should only be considered a last resort, as you’re removing an important security function.
A DailyWTF reader named “AJ” discovered an interesting flaw in the Oklahoma Department of Corrections’ online sex offender registry. It was (until they took the page down) vulnerable to SQL injection attacks, giving anyone access to offenders’ social security numbers and other personal info. The same exploit was used to access information about DOC employees themselves, including a table called MSD_MONTHLY_MEDICAL_ACTIVITY, which I’m sure shouldn’t be publicly accessible.
Wow, the Dave security post trifecta:
Sex offenders
Leaked personal information
SQL injection
I should have an award for this kind of thing.
This wasn’t some kind of sneaky trick, either. Links on the site contained a GET parameter named sqlString containing complete SQL SELECT statements.
I don’t know what else to say, except this story was posted on the right site: What the Fuck?!?!?!?!
So, in lieu of more commentary, here’s a video of a cat playing the theremin.
I know I’m going to sound like a member of the tinfoil hat brigade if I say “trust no one”. But, this is just another case that shows that even the people you trust the most can steal your identity. In fact, your trust probably makes it much, much easier for them.
Where is the outrage at the Build-a-Bear store? Last week, Denise Howell (a blogger at ZDNet) wrote about her experience at a Build-a-Bear Workshop, where children were entering personal info to get a “birth certificate” for their new friends:
Before their new friend can get its birth certificate, the kids are prompted to enter a host of very personal personal information: birth date, home address, gender, phone, and email among them. Along the way is the option to “skip” some of this input, but unlike what we’re used to in the world of online retail forms, there’s no effort to communicate what data is “required” for the transaction to proceed, and what’s “optional.” [. . .] I sat there and watched parent after parent prompt their kids to flex their memory muscles and practice their computer skills: “Ok Timmy, now, what’s our address? What’s your birthday? Do you remember our phone number? Good typing!!”
These kids are no doubt told not to give this kind of information to a stranger on the Internet, but in this case they’re being encouraged to put their details into a database. Build-a-Bear’s privacy policy makes it clear that they comply with COPPA in their stores and online, that they will only use the data they collect for specific purposes, and that they won’t share it with third parties.
I don’t doubt that the people who decided to collect the data have pure intentions. In fact, the main reason they collect it is to reunite kids with lost bears via a unique ID number sewn into each stuffed animal. But if law enforcement agents can’t be trusted with personal information, what reassurance is there that someone after little kids isn’t busy burning DVDs full of kids’ names, birthdays, and home addresses as I write this?
I guess my reassurance comes from the fact that family members and family friends are where the greatest risk of child abuse (sexual and otherwise) comes from. And, the odds of a pedophile working in the Build-a-Bear IT department and misappropriating data are pretty slim. Still, I have to wonder about parents who encourage their kids to turn over that kind of information so readily in one situation, but not another.