This is the anniversary of this post.. and it’s one of my favorites. I recall a job interview that only consisted of this story… So here it is again direct from 11 years ago… this post-dates the dot-com bust 🙂
This is my story of a small battle with my local FOX affiliate in Dayton, OH. It involves my love of Star Trek, Bad Web Developers, non-responsive corporations, and the news media. This is rather old, but I just came across the Wired News Story about the incident again, and was inspired to tell the story.
What Started It All.
6 years ago, the show Star Trek Voyager was on the air; however, problems between UPN and Fox forced many Fox affiliates to drop the UPN show.
Unfortunately in Dayton, OH they did this after the 1st part of a 2-parter. I was pissed. After waiting and waiting, hoping to hear something about the show, I eventually realized it was no longer going to be aired on broadcast TV in my town.
Protest.
I went to the FOX 45 website, and tried to find an email address to lodge my complaint. This site was the WORST front page site I had ever seen. There was no email contact, only a website form which I proceeded to fill out. A few choice words might I add. Then I proceeded to click that SUBMIT button with a vengeful satisfaction.
The next page alerts me that I did not fill out the form completely. They expected me to not only provide my name and email address, but my full address and telephone number. This was a bit disturbing, but I felt that their offense was so severe, I would do anything to get my show back. So I went back and filled everything out.
A few weeks went by and no response. Not even an autoresponder saying that they got my complaint. So I returned to the website and lodged another complaint, filling in all of my information.
Again, a few weeks went by and nothing.
By this time it had been a month without Star Trek and thanks to the net I was well aware that there was a conclusion to the cliffhanger they left me with. So I found myself back on the website. This time determined to find an email address.
The Discovery
I figured that form I had filled out a few times was simply emailed to someone at the station and the ‘Mail To’ form on the page might have an email address in the HTML code. So, I went back to the page and did a view source. There was no email address to be found, but there was a reference to a file. It was something like /_vti_xxx/comments.txt. So I simply appended that path to the URL (i.e. www.fox45.com/_vti_xxx/comments.txt) and waited and waited and waited for my dialup connection to load this amazingly large page.
I was dumbfounded. What was there was every single comment submitted to the site, complete with names, addresses, phone numbers and email addresses. The FIRST thing I noticed was that I was not alone in my anger about the Star Trek show. I was only one of hundreds complaining. But I had come to the realization that all of these people’s personal information was there for the taking by anyone with a web browser, including my own personal information (in there twice!).
I was amazed at the sheer lack of competence for a professional organization in their web security. Even in 1999. While that may be expected from a fan site or a hobby site, you would not expect that from a business (at the same time you wouldn’t expect a reputable company to use FrontPage 97).
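The exposure described above came from a form handler saving submissions to a file inside the web root that the page source itself pointed to. As an added example (not part of the original post), this Python audit walks a local document root, finds data files the HTML references, and reports any that hold email addresses; the `_data/comments.txt` path and the sample records are constructed for illustration.

```python
import os
import re
import tempfile

# File types a form handler typically appends submissions to.
DATA_REF = re.compile(r"""["'=]\s*([\w./-]+\.(?:txt|csv|log|dat))\b""", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def referenced_data_files(html, page_dir, webroot):
    """Yield absolute paths of data files that the page source points at."""
    for ref in set(DATA_REF.findall(html)):
        base = webroot if ref.startswith("/") else page_dir
        path = os.path.realpath(os.path.join(base, ref.lstrip("/")))
        # Only files that really live under the document root are servable.
        if path.startswith(webroot + os.sep) and os.path.isfile(path):
            yield path


def audit_webroot(webroot):
    """Return {relative_path: distinct_email_count} for referenced files holding PII."""
    webroot = os.path.realpath(webroot)
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                html = fh.read()
            for path in referenced_data_files(html, dirpath, webroot):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = len(set(EMAIL.findall(fh.read())))
                if hits:
                    findings[os.path.relpath(path, webroot)] = hits
    return findings


if __name__ == "__main__":
    # Constructed document root: one form page and the file it saves to.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "_data"))
        with open(os.path.join(root, "contact.html"), "w") as fh:
            fh.write('<input type="hidden" name="results" value="/_data/comments.txt">')
        with open(os.path.join(root, "_data", "comments.txt"), "w") as fh:
            fh.write("Ann|1 Main St|555-0100|ann@example.com\n")
        print(audit_webroot(root))
```

Any file this reports should be moved outside the document root or have web access to it denied in the server configuration.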
Trying To Get FOX 45 to Listen
I printed all 500+ pages of this publicly accessible page to my fax program and let my computer send this fax to the station with a cover letter explaining my concern and detailing the problem.
A few weeks pass and no response. The file remained.
So.. again.. I resend the fax… I’m sure they really loved the fact I was faxing them more than a ream of paper. TWICE. Someone HAD to notice that.
About 3 days later the contact page disappeared and offered a generic email address to send comments to. However, the file containing everyone’s information was still up there. So this time, I altered my cover letter, letting them know that removing the contact page doesn’t remove the data that was submitted through the (now) missing page. Another 500+ page fax plus emails to the generic contact addresses listed on the site… (still trying to get their attention).
Drastic Action
A few more weeks passed and nothing. A friend of mine and I were talking about this and how totally wrong the situation was, and decided that we would send the link/URL to everyone’s email address who had their information compromised.
I don’t have a copy of the email we sent anymore, but we explained the situation, provided the URL so they could see for themselves, and encouraged everyone to call the station and demand that their information be secured.
We wrote a simple Perl script (less than 8 lines of code) to extract all of the email addresses from the file and put them nicely by themselves in a 1 address per line output file. We proceeded to send the emails to everyone whose information was in there. We also added email addresses of competing television stations in the area, as well as various other media outlets. The emails were sent under an anonymous name, Black Flag, with a real return email address so that we could get responses.
This was about 1am… The emails went out, we went to bed and then to work in the morning, and after work all hell broke loose. Several news agencies had emailed wanting an interview. Wired, being the most notable, wanted an interview, but we didn’t respond in time and they ran the story anyway. The file on the net was gone. There was an outpouring of support from people who appreciated what we had done, a few emails to our web-host claiming we were spamming them, and the FOX affiliate cried foul and said that we ‘hacked’ them and claimed that we even changed his password so they could not access the site. All this from a simple VIEW SOURCE command available on all web browsers.
Quote:
“We feel like we got hit in the back of the head,” said Hanson, who claimed that Black Flag had changed his password so that he could not access his site. “They come along and they mess with this info, and then they send a mass mailing, so here we are in this whirlwind.”
Quote:
A search of the file by Wired News uncovered 657 individual email addresses. The page was removed from the site at about 9:25 a.m. PST.
Anyway… it took a lot to get them to take the file down, but after some extreme measures they finally did.
I called and claimed responsibility and asked them if they would hire me. They seemed a bit busy, and declined my job offer.
Why am I writing about something from 6 years ago.. ehh.. I just came across the Wired news story and found it amusing… a bit distorted, but amusing… You can read it here:
http://wired-vig.wired.com/news/technology/0,1282,17437,00.html