Citigroup – URL hacked? Seriously?

Apparently the hackers who stole all kinds of personal information from Citigroup’s website did so by URL hacking.

This is just unconscionable.  Even before you get to cyber-security 101, SOMEONE should have figured out that putting the account number in plain text in the URL was a terrible idea.

I don’t care who you are, the first thing you need to know about dealing with a website is that your server cannot trust a user’s input.  This can be for any number of, even very innocent, reasons – but primarily as a way to ward against potential problems.  It just sickens me that their website had what amounts to zero security.  URL hacking isn’t even really hacking at all; it’s just a matter of tweaking URL address inputs.  It’s essentially the equivalent of dialing a company’s phone number and changing the extension by one digit just to see if you can escape phone-tree-voice-mail-hell. 1 2

I mean, would you, as a bank, put deposit or balance information into the URL?  NO.  Otherwise in 5 seconds everyone would alter their links to include “&currentbalance=100000000000”. 3  Why, then, would you ever include plain text bank account numbers in the URL and not actually verify that information on the server side?!  I mean, this is the kind of security you get with WordPress for free just by installing it.
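To make the point concrete, here is an added example (not code from the original post or from Citigroup): a toy statement handler that trusts the account number in the URL, beside one that verifies on the server side that the account belongs to the logged-in session, plus a small log check for sessions that walk through many account numbers. The account data, user names and log lines are all constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: which logged-in user owns which account, and balances.
ACCOUNT_OWNER = {"1001": "alice", "1002": "bob"}
BALANCE = {"1001": 250.00, "1002": 9800.50}


def account_from_url(url):
    """Pull the account number out of a URL like /statement?account=1001."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("account", [None])[0]


def vulnerable_statement(session_user, url):
    """The flaw described above: the server believes whatever account number
    the URL carries, so any logged-in user can read any account that exists."""
    acct = account_from_url(url)
    if acct not in BALANCE:
        return 404, None
    return 200, BALANCE[acct]


def hardened_statement(session_user, url):
    """The fix: the URL is only a hint; ownership is checked against the
    server-side session before anything is returned."""
    acct = account_from_url(url)
    # Unknown accounts and other people's accounts get the same answer, so the
    # response cannot be used to tell which account numbers are valid.
    if acct is None or ACCOUNT_OWNER.get(acct) != session_user:
        return 403, None
    return 200, BALANCE[acct]


def sessions_probing_accounts(log_lines, threshold=3):
    """Detection check over constructed access-log lines of the form
    '<user> <url>': return users who requested more than `threshold`
    distinct account numbers, the signature of someone tweaking the URL."""
    seen = {}
    for line in log_lines:
        user, url = line.split(" ", 1)
        seen.setdefault(user, set()).add(account_from_url(url))
    return sorted(u for u, accts in seen.items() if len(accts) > threshold)


# Constructed log sample: "bob" walks through four account numbers, "alice" reads her own.
SAMPLE_LOG = [
    "bob /statement?account=1002",
    "bob /statement?account=1001",
    "bob /statement?account=1003",
    "bob /statement?account=1004",
    "alice /statement?account=1001",
]
```

Under the vulnerable handler alice can read bob's balance by changing one digit; under the hardened one she gets a 403, and the log check singles out bob as the session probing account numbers.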

The Citigroup website is very Web 2.0: rounded corners, social-media and blogging links.  It looks great.  Did they just have their web designer handle security?  How the hell did this happen?!

Okay, Sony, Facebook, Twitter – these things get hacked because of lame or re-used passwords.  Those guys got hacked because their attackers were smart.  Citigroup got hacked because they are too stupid to handle a basic website, let alone someone’s money.

  1. Or purgatory?
  2. Definitely purgatory
  3. Or, better yet, “&currentbalance=pony”

Toasted WordPress

I’ve been tinkering with this website trying to move it to a different domain – MakerBlock.com rather than MakerBlocks.com.  (I like both names, but have a slight preference for MakerBlock).  In any case, since I’m rather used to working with WordPress I figured I’d just dive into the MySQL tables and start changing stuff.

This doesn’t work quite as well as you would think it would.  :)  For anyone who is looking to move a WordPress website from one domain (or subdomain) to another, I highly recommend using Domain Name Changer.

Lesson learned.  I’m just a little bit smarter today!  Woo hoo!

Looking forward

This website is for documenting my attempt to build a MakerBot Industries CupCake CNC 3D printer.  I’ve got just about no experience working with electronics and no experience building robots.  So, it’s going to be a wild ride.

It is named “Bender.”

Here’s what I’d like to see happen:

  • Documenting everything inside the CupCake Deluxe CNC kit
    • Right now I’ve only documented the unboxing
    • I’d like to document all the bits inside the various boxes/kits as well
  • Documenting each step (and misstep!) of taking a box of parts to a fully functional 3D printer
    • As I’m a total and complete novice, this should be educational for everyone involved
    • Since the guys at MakerBot suggest two people could assemble a CupCake CNC in a leisurely weekend, I suspect it would probably take me about a week or two
  • Printing crazy plastic things for myself and others

Why did I name the website MakerBlock?  Well, if and when I get this robot operational, I’d really like to design and print custom blocks that are compatible with various toy construction sets.

Frivolous?  Undoubtedly.  But, a man’s got to dream.