Aberdeen man feared drowned.

So the P&J's headline apparently went back in 1912. Insular, parochial? Just reflecting Aberdeen...

"Using the HTTP Post method of encoding a database query would have meant that a requested page comes with a URL that looks like gibberish, effectively eliminating the problem of URL manipulation"

That's not really how... oh, I can't be arsed.

'Aberdeen Journals Limited maintains a privacy policy that states that "protecting the privacy and personal data of individuals is an important aspect" of how the firm is run.'

They'll use the same words on their response to this issue, because they think it's valid to do so.

Paris, because she thinks it's valid to expose her smalls in public too.

One of the reasons I never fill in web forms with truthful information.

I do not trust the Internet. I do not trust businesses with personal information.

When I first started using the Internet, I though that I was maybe being a little paranoid. As I have grown to understand the underlying technology I realise that I was being astute.

Humans make mistakes, I have made many, I expect I will continue to do so. As the technologies behind the Internet become more complicated and connected, I expect more will be made. But this is a silly mistake, Cisco made a similar error with http access to their routers in IOS 12.0 and earlier.

We don't use our real names and emails for such comments

oh dear have I given the game away about theReg accounts used to comment on articles

indeed, not like firebug reveals form data ;-)

only thing that offers any (albiet not a great deal of) protection, is https with asymetric encryption for the data, and then you are vulnerable to unupdated debian ssl flaws, man in middle and playback attacks

never mind the ease of snarfing over wifi, (think shouting your pin number in a crowded room, and ur halfway there)

do think there should be a license or something required to create systems which handle public data, at least that way the only excuses are apathy and laziness, instead of ignorance and incompetance

I did a similar thing on the capitalone website around 2004 - in the secure message part of your account manager I clicked on a message, then edited the message ID in the url to random numbers. I was happily able to view other peoples private messages with capitalone, even though I was clearly not the author. Appalled, I sent them a message, after receiving no reply or acknowledgement after days I rang, told them off and threatened to tell the papers unless they looked into it seriously. Within the hour the site was down for maintenance!!! Never heard from them again, but the problem was fixed when they were back online. :)

@adnim

I never fill in web forms with truthful information either.

Must be off now, gotta pick up my Ferrari from the garage, before jetting off for a six week holiday in the Bahamas.

Mine's the one that matches the flaming underwear.

> One of the reasons I never fill in web forms with truthful information.

That's all well and good, but you have to feel sorry for the guy at 1 Fake Street who keeps receiving all of your Amazon orders.

"Using the HTTP Post method of encoding a database query would have meant that a requested page comes with a URL that looks like gibberish, effectively eliminating the problem of URL manipulation"

errrr... did this line come out of a gibberish generator? This means nothing to me. Should it?

Anyone care to explain?

And whoever's mailbox is a@b.com

beginners snafu

"How would I sidejack this" should be thought number 1

I do provide the truth to to the few online shopping sites I use, my bank, the DVLA and The Register of course.

All of the above, but it is a local paper after all. P&J has always been so, but rags like the "Mearns Leader" take the biscuit in the parochial stakes.

Paris, because she never made the front page in Stonehaven.

I understood it read, "North East man lost at sea, hundreds others feared drowned". No mention of the recent sale of the good old P&J to Dundee's DC Thomson's?

"In reporting on previous instances of URL mainipulation we've been told that using the HTTP Post method of encoding a database query would mean that a requested page comes with a URL that looks like gibberish, reducing the problem of URL manipulation."

Whoever told you that should in no means be let anywhere near a web site. Using the HTTP POST method sends the query in the body of the request instead of the URL. It means URL manipulation is no longer possible, although content manipulation is still possible for those who know enough. Many websites continue to use GET and simply use some form of encoding/encryption to make the URL hard for a human to parse. That's hard, not impossible. The best answer right now, of course, is complete encryption and POST -- but as with most best practices, it's pretty much ignored.

Journo who doesn't quite grasp the whole GET/POST protocol.

I thought it was 'local man dies in shipping accident'. Ah the good old P&J

"All of the above, but it is a local paper after all. P&J has always been so, but rags like the "Mearns Leader" take the biscuit in the parochial stakes."

Clearly you have not read the Caithness Courier or its sister paper, the John O Groat journal.

30% gossip heard outside the sherrif court, 20% gossip heard in the pub, 40% adverts and 10% of actual news. Any news that they can attach to Wick and Thurso. Normally involving Caithness And Sutherland Enterprise shoving more money into the area attempting to redevelop the area. Badly.

Only the obituaries and marriages are almost always accurate, and even they are fallible...

If the previous poster had said that the JOGJ/CC had the Titanic headline, I'd have believed it without hesitation because that's *exactly* what it's like.

As local papers that far north go, I can say with some authority [as one of the few locals who can read thanks to not being horrifically inbred...] that the P+J isn't actually too bad as a source of news, but I'd never read it if there was a Times available...

Steven R

Once at university I had access to microfilm of the P&J archive and the Titanic story is just a myth. The timing of the sinking (morning UK time) made it far too late for that day's paper and the next day there was full and sensible coverage.

The story should be about the declaration of World War One where the headline of the day is

"Giant Turnip Found At Turriff"

Don't know why everyone's having a pop at Northern local papers. They're all like that, it's their job to be. I read the London Evening Standard once. It was full of stuff about London! It was like the rest of the country didn't exist!

As for this story; anyone who registers with a newspaper website and supplies accurate and confidential information.. well, I'll not say they deserve it, but what exactly are they thinking? Just because a newspaper has the nerve to ask for your home address and mobile number doesn't mean you have to give them it.

>the Titanic story is just a myth

I had always thought it did reek of an urban myth.

Now the Turra neep, THATS news!

and what about the Dundee Courier whitch until fairly recently did not have Front Page news the Front Page was all adverts

... techncally, I do ... where a = [username] and b = [hotmail]

post is meant to be used when the server state changes.

get is used to retrieve a URL based on parameters.

Both can be affected by a lone cracker, get is arguably simpler as you can mainpulate directly in the browser, but of course a cracker can create a program to send crafetd post requests.

In an earlier infomercial, the art of self defense in the browser I think it was called, the author said a problem with a certain site was that a call to a url could be embedded in an external page causing the external site to change account information.

Now, those calls tend to have to be get requests, post requests are not sent automatically via the browsers to another domain. So, in that instance requiring a post would have helped (not made secure but helped).

See, they could have made you fill in a form or cloaked a form as a button, but less chance of an exploit then as it would require user interaction. And of course there is the possibility of using an iframe and an auto submission, could work, would be more obvious though, and would be considered a security hole, therefore a candidate to be patched. Whereas, accessing a url via get should be harmless, because it is not meant to change server state, see how all this works.

But in this instance, post or get it doesn't matter.

Browser security is really based on what does the user allow, that's why the confirm boxes are not really customizable so people cannot switch the ok and cancel around. And that's also why the mouse cursor cannot be moved all round the browser anymore :) Well maybe IE still allows that.

I have lost count of the bozos who think mixing post and get requests is a good idea. Break the model if you like, it is breakable but of course people base security around the model.

Anyhow, the golden rule is never trust the information sent, and verify the place it is sent from, if the system is open to abuse. Amazon one click is an example of something that could be quite easy to abuse or not depending upon how they verify the request.

And whilst we are on the subject, if you are using javascript, then it makes verification simpler and more robust, states can be changed depending upon page exit and tab currently being viewed, so it does amuse me that people advise noscript because in some instances they are lowering their security potential.