Strange security issue - why would this happen? [closed] - forms

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 7 years ago.
I work for a company which handles some websites that have educational forms prospective students can fill out if they wish to be contacted by a college.
We have attempts coming in from two overseas countries, which are continually filling out and attempting to submit forms using ridiculously bogus information. The only possible outcome if these were to go through would be that the school would try to call them.
I cannot figure out how this could potentially benefit them, in any way shape or form. It seems like it's probably a bot, because they are inserting integers for first name, last name, and email address. I've even considered that some companies I've heard of boost their site traffic unethically by having people (or bots) falsely cause hits on their pages, etc. I don't think that's the case here but I'm not sure.
This isn't my project, but someone mentioned it to me and I found it intriguing. What possible benefit would a bot or hacker have from doing this? Each attempt has been unsuccessful but even if it got through, what's the point? Did someone actually send a bot to try and spam educational websites where all you can do is submit an inquiry to a school? What's going on here, ideas?
My best guess is that it's a bot someone put out there and it's hitting our site by mistake. I don't get it, but I'm not a security ninja. I would love possible scenarios, preferably evidence/fact-based, not opinions if you can't back it up - nothing personal, it's just that I know these are the rules of Stack Overflow.
So if you have a fact-based hypothesis why this may be happening, I would love to understand the how/why...

I don't think that you will ever find any useful answer to your question, because there are lots of reasons that someone may do this. It may be "for fun", increase google ranking, or there are personal "rivalries" between someone else with the company.
Well, you can at least see if the spam comes from an automated bot (if you can change the HTML/backend code) by using the honeypot method, nested somewhere in the form. If the spam stops, it should be an automated spam bot, and most likely you should consider it random spam; otherwise someone may have created a spam script for your site, and they may do it for fun or for other purposes.
P.S. : Do not use ReCaptcha, as some bots can break it.

It's most likely a bot attempting SQL injection.
How does the SQL injection from the "Bobby Tables" XKCD comic work?
The bot isn't trying to insert data into your database. It is trying to maliciously craft responses so that it can retrieve data from your database, or perhaps just delete all of it.
You need to make sure that all your SQL queries are properly escaped to prevent request data from the bot modifying database queries to work in unintended ways.
If you provide some examples of the requests, StackOverflow will be able to tell you exactly what's going on.
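An added example (not code from the question or either answer) that combines the two suggestions above: a form handler with a hidden honeypot field, a check for the numeric-only names the question describes, and a parameterized insert so request data is bound as values rather than spliced into the SQL. The honeypot field name `website`, the table names and the sample submissions are all assumptions constructed for the example.

```python
import re
import sqlite3

# Hypothetical hidden field: rendered invisible with CSS, so humans leave it empty
# while form-filling bots tend to populate every input they find.
HONEYPOT_FIELD = "website"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample submissions: a plausible human, a bot-like one with digits
# in every field (as in the question), and a name carrying the XKCD "Bobby Tables" string.
SAMPLE_SUBMISSIONS = [
    {"first_name": "Dana", "last_name": "Lopez",
     "email": "dana@example.com", "website": ""},
    {"first_name": "84721", "last_name": "19933",
     "email": "55812", "website": "http://spam.invalid"},
    {"first_name": "Robert'); DROP TABLE inquiries;--", "last_name": "Tables",
     "email": "bobby@example.com", "website": ""},
]


def classify(form):
    """Return the reasons a submission looks automated; an empty list means it passes."""
    reasons = []
    if form.get(HONEYPOT_FIELD):
        reasons.append("honeypot filled")
    for field in ("first_name", "last_name"):
        if form.get(field, "").strip().isdigit():
            reasons.append(f"{field} is numeric")
    if not EMAIL_RE.match(form.get("email", "")):
        reasons.append("email malformed")
    return reasons


def init_db():
    """In-memory SQLite stand-in for the site's database (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inquiries (first_name TEXT, last_name TEXT, email TEXT)")
    conn.execute("CREATE TABLE rejected (reason TEXT, raw TEXT)")
    return conn


def handle_submission(conn, form):
    """Store a plausible inquiry; log and drop a suspicious one.

    Returns "stored" or "rejected". Rejected submissions are kept in a separate
    table so the operator can review what the bots are sending."""
    reasons = classify(form)
    if reasons:
        conn.execute("INSERT INTO rejected (reason, raw) VALUES (?, ?)",
                     ("; ".join(reasons), repr(form)))
        return "rejected"
    # Parameterized query: the values are bound by the driver and never become
    # part of the SQL text, so the Bobby Tables name is stored as a literal string.
    conn.execute(
        "INSERT INTO inquiries (first_name, last_name, email) VALUES (?, ?, ?)",
        (form["first_name"], form["last_name"], form["email"]),
    )
    return "stored"


def process_all(forms):
    """Run every submission through the handler; return outcomes, stored names, rejection reasons."""
    conn = init_db()
    results = [handle_submission(conn, f) for f in forms]
    stored = [row[0] for row in conn.execute("SELECT first_name FROM inquiries")]
    rejected = [row[0] for row in conn.execute("SELECT reason FROM rejected")]
    return results, stored, rejected


if __name__ == "__main__":
    print(process_all(SAMPLE_SUBMISSIONS))
```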

What are the questions that need to be asked before choosing a CMS? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
I want to choose a CMS that will be part of my infrastructure for my company websites.
What do you think are the questions I need to ask before I really choose one?
Choosing a CMS is almost like choosing a framework.
Thanks
Your two starting questions should be about people:
Who will be building and maintaining the technology? If your organisation's IT department is in love with Microsoft solutions, then find the best .NET CMS that meets your needs (Umbraco, Kentico, DotNetNuke etc). If you have no money but you're fairly IT-savvy and have a couple of Web designers on tap to help you out, then a designer-friendly free system like MODX Revolution makes sense. If some of your people have worked with a big system like Drupal, then that's your leading candidate.
Who will be adding content to the system? Internal users will want an interface that rewards use - it must react fast, protect the user from losing their work, make content easy to find, and ease tasks like creating new pages and including links and images. That might push you towards CMS Made Simple, or even WordPress if your needs are otherwise modest. And if most of the content will be contributed by a user community, the CMS must support a strong forum capability.
After that, take a look at Step Two's document How to evaluate a content management system. These guys know their stuff. You may even want to buy their Content Management Requirements Toolkit. Their evaluation document gives you a starting point for your evaluation.
Do bear in mind, though, that not all requirements are created equal. For instance, many CMS texts stress the importance of complex workflow and versioning. In large publishing businesses, these sometimes matter a lot. In most smaller organisations they don't matter as much. Your workflow may consist of one person putting content into the system and another approving it to go live - the sort of task that can be accomplished with a staging server and email. Versioning may be adequately covered by a regular back-up.
And remember above all that when you put a CMS in an existing organisation, you're engaging in politics. You need to find out what people want, show you're delivering it, explain to them the considerations which they don't know about but which have to be taken into account, and convince them you're acting to bring them the best possible tool. Good luck.

Should a company prevent employees from publishing an app in an appstore in their free time? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
My company is trying to pass a policy forbidding distribution of any application (even free) in any appstore for all developers.
Their reasoning is that "outside work activities create a conflict of interest". They don't want that "you use your spare time to work on your app, and once it takes off you quit your job" (quoting the Head of Development).
A few developers (myself included) have already said it was an abusive, pointless and most of all counter-productive policy (developers will actually be demotivated to work here under such control and denied the freedom to distribute their projects).
Personally, I think it is actually in the interest of the company to promote side projects (even commercial activities, if there is no conflict).
I'm also curious, is that common practice?
Needless to say, this is horribly, horribly stupid on so many levels... It may be worth trying to find out whether it's even legal in your jurisdiction.
Anyway and apart from that, if you can, find colleagues who feel the same, and take a stand against it. Try to explain to the management that this is a stupid decision for the company as well. Don't sign anything: A policy like that would probably have to be amended to your work contract to be binding. Chances are, the risk of losing good employees over this outweighs the security they think they get from it.
If there's really nothing that can be done, and you are very unhappy with this (I would be), consider looking for a new job.
As an afterthought, if the practice of limiting your employees' rights to this extent is clearly illegal in your jurisdiction, it could be that simply making them aware of this might stop this without any further trouble.
All companies for which I have worked allowed outside work provided:
no company resources were used (this includes time)
the product of that effort did not directly conflict with the company's interest
the product was not based off of work or specific knowledge gained while working for the company
Typically, companies have a clause in your employment agreement that states that you will inform them when you begin work on outside projects and inform them of the nature so they can approve/deny. In such cases, you want to get that approval in writing.
In your case, this is a pretty difficult situation if this was part of your employment agreement. Even if it isn't, they can fire you for it if your employment is at-will and they find out. Unfortunately, in your situation, you seem to have one of four options:
Convince management that they are being unreasonable.
Fly under the radar and hope you don't get caught.
Find a new job.
Quit and just work on the apps full-time.
If your job is to put out apps in an appstore, though, there's really no way to argue that your outside development of apps for the same appstore isn't a conflict of interest in some respect. If I had to guess, I'd say that either this is the case or you're working for a development manager that doesn't understand the mindset of developers and how they like to tinker and learn outside of work.
While this example sounds a little draconian, it is not uncommon for companies to have some kind of policy regarding outside work. However, this is typically to protect the company from your mistakes rather than to protect them from your departure. If they're that concerned about employees leaving, they should go out of their way to make it the sort of place you would want to stay.
EDIT: I just found this today on a completely unrelated blog, but it totally rings true to this discussion. It's about 11 minutes long, but very entertaining and makes you think too. http://www.youtube.com/watch?v=u6XAPnuFjJc&feature=player_embedded The TL;DR (TL;DW?): Once you get outside the realm of purely physical tasks, organizations that assume you are motivated by money, hands-on direction, etc. will not accomplish their goals nearly as easily as those that assume you are motivated by desires for autonomy (self-direction, self-management), mastery (getting better at doing something) and contribution to something bigger than yourself.
I believe there was a similar pointless rule when I was under the corporate yoke. I think these rules are pointless, backward and wrong. Instead of keeping their developers, management pushes them to look for new management, well, at least the passionate and talented ones.
Unless your employment contract says otherwise, what you develop in your own time belongs to you.
If they are in the business of writing apps for the appstore, then they might have a non-compete argument against you.
If they allow other types of development projects, it is difficult to see the argument as valid.
Depends on the app and the company.
If you're working for an Android app developer, I'd see why they might not like it. 8)
If it competes directly with what your company produces I can see why they'd prohibit it.
I would consult a lawyer to see just how binding such an agreement would be if you were forced to sign it.
If it's really that odious, your only recourse is to find another employer.
Check your local labor laws. In California, this kind of thing is blatantly illegal.
The policy enumerated by Shaun is reasonable, and something very similar has been in place at most of my previous employers. The one place that tried something like this was quickly pointed at the statute by knowledgeable developers, and the "policy" quietly went away.
The answer is in your contract of employment.
But if your job is as a computer programmer, you're almost guaranteed to have something in your employment contract stating that any software you write either in work or outside of work is owned by the company.
If you get written permission from HR and your manager, then if you were to make millions from your out-of-hours projects, it would be more difficult for your employer to just take ALL those millions off of you.

Ethics of robots.txt [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
I have a serious question. Is it ever ethical to ignore the presence of a robots.txt file on a website? These are some of the considerations I've got in mind:
If someone puts a web site up they're expecting some visits. Granted, web crawlers are using bandwidth without clicking on ads that may support the site but the site owner is putting their site on the web, right, so how reasonable is it for them to expect that they'll never get visited by a bot?
Some sites apparently use a robots.txt exactly in order to keep their site from being crawled by Google or some other utility that might grab prices and therefore allow people to do price comparisons easily. They have private search engines on the site so they obviously want people to be able to search the site; apparently they just don't want people to be able to easily compare their information with other vendors.
As I said, I'm not trying to be argumentative; I would just like to know if anyone has ever come up with a case where it's ethically permissible to ignore the presence of a robots.txt file? I cannot think of a case where it's permissible to ignore the robots.txt mainly because people (or businesses) are paying money to put up their web sites so they should be able to tell the Googles/Yahoos/Other SE's of the world that they don't want to be on their indices.
To put this discussion in context, I'd like to create a price comparison website and one of the major vendors has a robots.txt that basically prevents anyone from grabbing their prices. I'd like to be able to get their information but, as I said, I can't justify simply ignoring the wishes of the site owner.
I have seen some very sharp discussion here and that's why I would like to hear the opinions of developers that follow Stack Overflow.
By the way, there is some discussion of this topic on a Hacker News question but they seem to mainly focus on the legal aspects of this.
Arguments:
A robots.txt file is an implied license, especially since you are aware of it. Thus, continuing to scrape their site could be seen as unauthorized access (i.e., hacking). Sucks, but arguments like this have been made in other legal cases recently (not directly related to robots.txt, but in relation to other "passive controls".)
Grabbing prices violates no copyright law, including DMCA, since copyright does not include factual information, only creative.
Ethically, you should not grab prices because the vendor should have the ability to change prices without worrying about being accused of a bait/switch by people coming from your site.
Have you taken the high road, explaining the site to them and saying you'd love to include them in your list of vendors? Maybe they will love the idea and actually expose the data in a way that is easy for you to consume and less resource-intensive for them to produce.
There are no laws written directly about robots.txt because netiquette is generally followed. Don't be one of the "bad guys."
Some people filter robots because they use URL links to perform "actions" like adding things to carts, and robots leave them with massive numbers of abandoned shopping carts in their database.
Some people filter robots because they have exclusive prices that they can't advertise openly based on agreements with their vendors. You could be putting them in a bad position by exposing those prices on your site.
In this economy, if a company doesn't want to do everything possible to advertise themselves, it's their own fault that you don't include them.
The other use of robots.txt is to help protect web spiders from themselves. It's relatively easy for a web spider to get mired in an infinitely deep forest of links, and a properly constructed robots.txt file will tell the spider that "you don't need to go here".
Many people have tried to build businesses off building "price comparison" engines that scraped major sites.
Once you start getting any sort of traffic/revenue to speak of, you will receive a cease and desist. It's happened to dozens, if not hundreds of projects. I even worked on a small project that received a C&D from Craigslist.
You know how they say "It's easier to ask forgiveness than it is to get permission"? It doesn't hold true with page scraping. Get permission, or you will be hearing from their lawyers.
If you're lucky, it'll be early on, when you've got nothing to lose. If it's late, you may lose your business and all your work overnight, with a single letter.
Getting permission shouldn't be hard. Unless you're doing something sneaky, you're likely going to drive them additional traffic. Hell, once your product takes off, sites may be begging you, or even paying you to add their data.
One reason we allow robots to dig through the web without complaint is that we have a way to stop them if we want to. Protects both sides.
Remember the uproar when Cuil's robots were accused of going over-the-top, apparently acting like a DoS attack in some cases and using up bandwidth allowances of some small sites?
If too many people violate robots.txt we might get something worse.
"No" means "no".
To answer the narrow question, for the price comparison website you're probably best grabbing the price in real time, rather than scraping the database in advance. Hard to imagine that being a problem.
An interesting IRL version of the story involving The Harvard Coop:
Coop Calls Cops On ISBN Copiers.
Short answer: No.
On the narrow issue: If a seller says that their prices are secret, I think you have to respect that. I'd contact them and ask if they really don't want price comparison engines like yours to include them, or if the "no trespassing" sign is for technical reasons. If the latter, perhaps they'll provide you with an alternative. If the former, then I'd say too bad, they don't get included, they lose some business, and it's their problem.
Tangential rant: Personally, I get pretty annoyed with companies that make me jump through hoops to find out the price of their products, places that make me call and talk to a salesman so he can give me a hard-sell pitch, or worse, make me give them my phone number so their salesman can call and harass me. I figure that if they're afraid to tell me the price, it probably means that it's too high.
In general: A robots.txt file is like a "No Trespassing" sign. It's the owner's right to say who is allowed on their property. If you think their reasons are dumb, you can politely suggest they take the sign down. But you don't have the right to disregard their wishes. If someone puts a No Trespassing sign on his yard, and I say, "Hey, I just want to take a quick short cut, what's the big deal?" -- Maybe I'm stepping on his prized Bulgarian violet bulbs and destroying a valuable investment. Maybe I'm crossing his people's sacred burial ground and offending their religious sensibilities. Or maybe he's just an ornery jerk. But it's still his property and his right. Oh, and if I fall into the dangerous sinkhole after ignoring the No Trespassing sign, who's to blame? (In America, I could probably still sue him for all he's worth despite the fact that he warned me, but is that right?)
I'm showing some ignorance here, but I always thought a bot was something only sent out by a search engine. Like Google or Yahoo.
Thus, if you wrote an application that searched content on the internet, I wouldn't consider that a search engine bot, which to my knowledge is what robots.txt is trying to block.
But this may just be selective ignorance, because I might do it until the webmaster of that site contacted me and asked me to stop :)
If people make it available to public access, they shouldn't try to put limits on it. Adding a robots.txt file to your site is the equivalent to putting a sign on your lawn that says "Please don't look at me."

Is there a good Google Sites competitor? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 6 years ago.
A client of ours is a membership organization and they are looking for functionality that seems closely aligned with Google Sites capabilities.
They want a system where their members can have a content managed site of their own that one or more admins can create by submitting a simple form.
The member organization could then add/remove pages, add/edit/remove content, add their own users, modify their color scheme and layout.
They would like the ability to have a url structure like, "member_org_url_to_be_named/member_name" - but it could also be subdomains (i.e. "member_name.member_org_url_to_be_named").
So they need a security hierarchy to be able to have different levels of users:
Admin - can add/edit/remove sites, users, etc.
Member Admin - can add/edit content within their site, add users that are also able to add/edit content within their site.
Member user - can add/edit content within their site.
From what I've seen and read, Google Sites seems to be able to handle this functionality. It's a little difficult to get in touch with someone there who would be able to tell me this definitively, however. So I'm wondering if there are any other platforms that might be able to handle this workflow.
Obviously, I'd love to hear from anyone who has implemented a system like this before. I'd also love to hear from anyone who has actually used Google Sites.
(Disclaimer: I work for Google. I don't know much about Sites though.)
Have you actually tried to use Google Sites for this? It strikes me that it shouldn't take very long to give it a whirl. If you have any Sites-specific questions, the Google Sites help centre and user forum are probably good starting places.
This sounds like content management with roles. Drupal fits this purpose pretty much perfectly.
http://drupal.org/
I've used Google Sites (the free "standard edition") a very little bit; it was easy to set up and easy to reconfigure my DNS records via nearlyfreespeech.net to set up CNAME and MX records for a domain I own.
The mailing list stuff works nicely. The site editing is very easy for anyone to use but a bit slllllooooowwww and somewhat clumsy, and doesn't appear to "play nicely" with the concept of uploading/downloading via FTP/SFTP/etc. I don't like the idea of my group's users spending all this time developing a website, that I can't backup or transfer to someone other than Google if I run into an issue.
I don't know if these issues are addressed in the pay version of Google Sites. For the moment I'm definitely keeping the email-mailing-list features going, but looking around elsewhere for something similar that works better.
(If you find something please post!)

What's a good way to train employees on how to use the software you've just created? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
I'm working in a small company and weeks away from deploying a web-app that will be used a lot. Everyone at one location will have to learn to use it, and although I think it's pretty easy and intuitive I may be biased.
I've written a help guide with plenty of screenshots that's available on every page, but I'll still need to train everyone. What's the best way? How do you take a step back and explain code you've been working on for weeks?
First try to avoid the training:
Perform usability testing to ensure your web app is intuitive. Usability testing is a very important aspect of testing and it is often ignored. How you see your system will probably be very different from how a new user sees your system.
Also add contextual help as often as you can. For example when I hover over a tag in stack overflow, I know exactly what clicking it will do, because it tells me.
Also, this may seem obvious, but make sure you link to your documentation from the site itself. People may not think of looking in your documentation unless it's right in front of their eyes.
About training documentation:
Try to split up your material into how your users would use the system. I personally like the "trails" option that Sun created for their Java tutorials. In this tutorial you can do several things, and you can choose which trail you'd like to go on.
Support random reads in your help documentation. If they have a task to do in your web app, then they should be able to get help on that without reading a bunch of unrelated content.
Make sure your documentation is searchable.
About actual training sessions:
If you are actually performing training sessions, stay away from explaining anything related to your code at all. You don't need to know about the engine to drive a car.
Try to split up your training sessions into very focused aspects of your system. If you only have 1 training session available to you then just do one specialized use case of your system + the overall description of the system. Refer to the different parts of documentation where they can get help.
Letting the community help itself:
No matter how extensive your documentation is, you'll always have cases that you didn't cover. That's why it's a good idea to have a forum available to all users of the system. Allow them to ask each other questions.
You can review this forum and add content to your documentation as needed.
You could also open up a wiki for the documentation itself, but this is probably not desirable if your user base isn't very large.
Few ideas:
Do you have some canned walk-through scenarios? Don't know if it is applicable for your product, but I built a pretty substantial product a couple years ago and developed some training modules that they'd work through - nothing long, maybe 15 minutes tops for each one.
I put together a slide presentation that hit the highlights to talk about what it does. I would spend about 10 minutes going through the app's highlights to familiarize them with it before doing the hands-on stuff.
People don't tend to read stuff, unfortunately. You could put hours and hours into a help document, and still find that folks simply don't read it or skim over it. That can be frustrating. Expect that answers that are in your guide will be the topic of questions your users will have.
Break up any training you do into manageable chunks. I've been to a full-day training exercise before and the trainer broke it into short pieces and made it easy for me to get the training topic in my head. You don't want to data-dump on them because their eyes will gloss over and you'll lose them.
Ultimately, if your app is highly usable, it should be a piece of cake. If it isn't, you'll find out. You might want to have a few folks you know run through your training ahead of time and give you constructive criticism on it. Better to fix it before the big group is trained. You'll be more confident in the product and the training materials (whatever they are) and you'll likely have a better training experience.
If applicable, provide an online help/wiki/faq for them. Sometimes that is helpful.
Best of luck!
You should really have addressed this issue a lot earlier in the development cycle than you are doing.
In my view the ideal scenario for corporate software is one where the users design their own application and write their own documentation and I always try to strive for this. You should have identified key users early on and designed the system with them (I try to get my users to do basic screen designs and menu layouts in Excel or similar - then I implement that as static pages and review before writing a line of significant code, obviously they won't get the design right first time, but it's your job to guide them - and ideally in a way where they think they came up with the correct design decisions, not you :-) ).
These users should then write the user documentation from this design in parallel with you developing the system. I have never seen help documentation delivered by a IT department/software company used significantly in a corporate setting. Instead what happens is the users will create their own folder of notes and work-arounds and refer to this (in fact if you're ever doing system analysis to replace an existing system finding the 'user-bible' for the old system is a key strategy). Getting the users to write their own documentation up-front simply harnesses what will happen anyway - but this is vastly easier if the users feel they have ownership of the system because they designed it themselves in the first place.
Of course this approach needs commitment and time from your users, but generally it's not that hard a sell. It's trite, but working as a facilitator so the users can develop their own system rather than as a third party giving them a system pretty much guarantees user acceptance.
As you are where you are you're too late to implement all of this, but if you can identify a couple of keen, key, users and get time from them to write their own documentation then that would be a good move. If you can't get even that then you need to identify an evangelist who you can train to be the 'departmental' expert and give them 110% of your energy to support them.
The bottom line is that user acceptance is based on perception, and this does not necessarily correlate with how usable a system actually is. You have to focus on the group psychology of this as much as the reality of the system, which tends to be tricky for developers as we're much more factually based than most people.
I'll be looking into something like this too in the next few months.
In your case, hopefully the UI has already undergone user acceptance testing. You say you work in a small company. Is it possible to get the least tech-savvy person there to try it out? In fact, get them to try it out without any guidance from yourself except for questions they ask. Document the questions and make sure your user-guide answers them.
The main thing for me would be logic and consistency. If the app's workflow relates logically to the task it has been designed to accomplish and the UI is consistent you should be OK.
Create a wiki page to describe the use of your system. Giving edit rights to the users of your system lets the users:
update the documentation to correct any errors in the initial release of documentation,
share any tips on usage they may have found.
share unusual uses for the system that you may not have thought of.
request features.
provide any workarounds they've found while waiting for the new functionality to be implemented.
Try a few users first, one or two in a small company. Mostly watch, help as little as possible. This tells you what needs to be fixed, and it creates an experienced user base - so you are not the "training bottleneck" anymore.
Turn core requirements/use cases/storycards into HowTo / walkthroughs for your documentation.
For a public training, prepare a 10..15 minute presentation (just that, not more!) that covers key concepts that the users absolutely must understand, then show your core walkthroughs. Reserve extra time for questions about how to solve various tasks.
Think as a user, not as a techie: no one cares if it's a SQL database and you spent a lot of time getting the locking mechanisms right. They do care about "does it slow me down" and "does something bad happen when two people do that at the same time". Our job is to make complicated things look easy.
It may help to put the documentation on the intranet in an editable form - page "comments", or a wiki maybe. And/or put up an "error wiki" for error messages and blips, where you or your users can quickly add recommendations, workarounds and reasons for anything that does not go as expected.
Rather than train all those people, I have chosen a few superusers (at least one person from each department) and trained them to teach the rest of the employees. It is of course vital that those superusers are
well respected in their departments
able to teach
like the application
The easy way to ensure that they like the app is to have them define the way it should work :-). Since they will work with this app each and every day, they are the prime stakeholders, no matter what management states.