Privacy Breach In Canadian Passport Application Site
Joanna Karczmarek sends us news of a massive privacy breach in the Government of Canada passport website. "A security flaw in Passport Canada's website has allowed easy access to the personal information — including social insurance numbers, dates of birth and driver's license numbers — of people applying for new passports. ... The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser."
Odds are, lots of people are applying for passports nowadays too, since apparently we Canadians need them to cross the border into americaland in the near future.
3...
2...
1...
Breaking News: a L33t Canadian Hacker broke into a national security site, stealing millions of dollars worth of personal information.
No word yet on any arrests.
More at 11.
Just -1, Troll talking to another.
That's some leet hakking going on there...
http://www.freedom-to-tinker.com/index.php?p=780
http://www.tjmcintyre.com/2005/06/morris-tribunal-learns-pitfalls-of.html
http://blogs.zdnet.com/threatchaos/?p=464
When they came for the communists, I said "He's next door. Take him away. Goddam commies."
Sounds like some web monkey needs a beating....
I wish I was clever!
http://www.pptc.gc.ca/index.aspx?lang=e
Why doesn't it surprise me it's asp.NET?
See subject.
I have excellent Karma and I am not afraid to Troll it.
I just don't get it: someone like me, when I work on such systems, just sees these kinds of problems and flags them.
So either no one saw it (which I find very hard to believe), no one flagged it, or, as tends to happen, it was ignored by the clueless management to save money?
Then there is the tin-foil hat reason: they wanted to make it easy for people's data to be stolen, much like has happened numerous times in the UK recently.
threadeds blog
Just another example of the bullshit level of quality we can expect from the Canadian government. From the websites they host which only worked in IE (looking at you, MOT), to the millions they blow on the CRA websites, to this....
If the Canadian government wanted to really be "accountable" [as per Harper's initial acts] they would print the developers' name(s) in bold letters on the front page of every newspaper to hang them out to dry. Of course they won't, and the firm they hired to write the software for them will get rewarded with another overpriced, underperforming contract in the future.
I swear to god I hate the civil service. Basically, as a government employee your only job is to not rock the boat too hard. Take your 2 hr lunch breaks, leave early on Fridays, take expensive training classes [that nobody in the private sector gets to attend], attend one useless meeting after another, and take 4 years to do what a bright 16 yr old could do over a weekend. That's ok. Because, hey, you're in a union, god forbid you actually have accountability and performance metrics that mean anything...
Let's see the names of those accountable for this!!!
Not so much a security flaw as it is incompetence. How could the developers miss this? Oh, here's the sweet part. They said the flaw was repaired on Friday. And from the article...
But after the website resumed operation yesterday afternoon, a few keystrokes sufficed to reveal some of the personal information of passport applicants, including names, addresses and numbers for references and emergency contacts
HAHA! "URL HACKING" is easy to protect against. Maybe they've gone so high-tech in security they totally passed on the low-tech? Something is awkward here. I will give the developer the benefit of the doubt. I'd expect a half-assed developer to know about URL hacking. I bet this had something more to do with half-assed management!
Comment removed based on user account deletion
Last Measure.
One fifth of Canadians are immigrants.
http://news.bbc.co.uk/1/hi/world/americas/7128172.stm
If that's official figures. How many are not on the books?
Essentially all web development technologies are shit. It doesn't matter if they were using Perl CGI scripts, PHP, some JSP-based framework, ASP, ASP.NET, ColdFusion, Ruby on Rails, Django, or whatever other language/framework/technology you want to consider.
The evolutionary nature of the web has led to such technologies that just don't mesh well with one another. Bring SQL and JavaScript into the mix, and now you can be mixing four or five different languages in one web application. Most developers don't have the time to adequately learn every aspect of HTML, JavaScript, CSS, PHP, XML and SQL just to put together a small web app, for instance.
Frankly, I don't think there is a solution to this problem. We can't go back in time and rework the underlying nature of the web to be more sensible. We'd have to throw so much of it away.
> Most developers don't have the time to adequately learn
> every aspect of HTML, JavaScript, CSS, PHP, XML and SQL just to put together a small web app
Each may have different syntax, but they also have very different uses. Even if they were all bundled up in the same language, you would still have to *learn* how to use each aspect. You still need to display content to the user, you still need to be able to manipulate that content, you still need to be able to generate it, and to get data out of your database. There's still a lot to learn, but you're using syntax as a scapegoat.
Like many institutions, the Canadian government has its own security initiative: MITS (Management of Information Technology Security). It aims specifically at being proactive in safeguarding information and IT systems. It is mandatory for all systems to be certified before they are put into production. It would appear that MITS compliance doesn't mean the system is hacker-proof or that there are no bugs. To be more effective, I hope there will be something added to this policy in order to better test applications and not to simply be a paper exercise. Apparently they were able to address the problem rather quickly.
What? No songs about sodomy with incest?
Their humour is seriously going down the tubes these days.
"We are the music makers, and we are the dreamers of dreams [...]."
Why would Canadians be less technical than people from the US? Geez.. Give me a break there. It's like saying Montreal is the capital of movie cracking and such. That would mean that US people are less technical because they don't know how to encrypt a DVD correctly.. Come on!
I would put my finger on Government security. Public services are low-funded operations that don't have all the right resources at the right place. And most of the time, I would say that the staff have their hands tied because of management policies. 'Nuff said!
a. This is the point of a framework: to give you a secure, defined, maintained structure to base your app on.
b. HTML, JavaScript, CSS... I wouldn't call these complex or even 'languages'. Security shouldn't be contingent on any of these either.
c. Evolutionary, not revolutionary, which you should find with most things. Not exactly AJAX, but a lot of us were doing zero-size divs, JavaScript to load content into divs and trying to make a web application feel like a desktop application many years before this web2.0 BS.
Which is exactly why most developers are not hired to build large applications containing huge amounts of sensitive customer data.
I make a living out of building exactly these kinds of applications for major international banks and I simply wouldn't get hired if I didn't know about the above.
The developers should be ashamed of themselves for such a massive lapse; this really is security 101. Equally ashamed should be the people who decided not to bother with running proper penetration testing and security evaluation on such an application.
http://www.cbc.ca/consumer/story/2007/12/04/passport-security.html?ref=rss
What amazed me is the guy didn't get thrown in jail for hacking. The Canadian government acted *sanely* when dealing with the problem (from the article at least). I've seen way too many cases, stateside, where the person who finds the problem reports it and gets in serious trouble. (Multiple cases over the past 20 years, but worse in the past 10.)
Yet another sign our friends to the north are more sane. (Yeh, I grew up right on the border; 18 drinking age and no carding at bars is nice in high school :)
In the 1990s we created UIs with C++. We wrote the business logic in C++. We wrote the data abstraction layer in C++ (even if it was calling SQL stored procedures to actually retrieve the data). We created client-server and distributed systems using C++.
In short, we had one technology, C++, that was suitable for all of the tasks that we now need HTML, CSS, JavaScript, etc., to perform. Once you learned C++, your knowledge was applicable in all of those areas. You may have had to learn about a few C++ classes, but that pales in comparison to learning a whole new technology.
Irresponsible name to have these days.
biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
Just wait until the cyborg beaver-moose hybrids invade in the millions. They'll just come right out of the water. You'll never have a chance.
I'm guessing the database the info comes from is not even encrypted. One could come up with half-a-dozen schemes to prevent this. Here's one: every sensitive record in the database is encrypted with a unique key that is mapped to each session via a very long random number generated on a per-session basis. This random number would be used to decrypt the information in the database (combining, of course, with a server-side key to reconstruct a "permanent key"). So each client-side key would be able to decrypt one and only one sensitive record, making a one-session to many-record scenario impossible. Key-pairs would be generated on a per-session basis from a database of permanent keys that are themselves encrypted and served by a key server. I hereby patent this protocol. Please send me money if you use it or I will sue you.
Just callin' it like I see it.
I was wondering, does anyone know of a website that has been keeping track of all the notable security breeches over the past several years? It would be useful to have that information when you need to show it to a manager, etc. Thanks.
Parent's links are viruses.
I just pooped your party.
Doesn't ANYONE know what they're doing
No. Basically the majority of all Canadian government projects go badly and go over budget, not just a wee little bit, but a whole metric fuckload - incompetence and lack of any accountability are systemic problems in virtually every government project. Possibly even corruption.
One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government project and "how stuff like this can happen", so bear with me for a bit.
The registry was supposed to cost 2 million (with a M) dollars when it was "sold" in 2000. They've so far spent well over a billion (with a B) and the CBC was leaked documents from a reputable source that place the cost at 2 billion dollars. BTW, there are still fairly significant fees for the license and registration portion - paid by the person who wants to own the firearm.
I'm honestly not sure who got / gets the money, but clearly, a (2?) billion (plus?) dollars goes to someone, and they are getting a sweet, sweet deal. It's basically a complete failure too - while numbers vary, there is a significant discrepancy between the number of guns registered and the number believed to be in Canada. A frequently quoted number is "just under 7 million registered while estimates from the '70s indicated ~10 million in Canada."
At this point, only one province will prosecute people who didn't register their firearms (the decision to prosecute is left to the province), and there are substantial problems with the quality of the data in the database (to the point where a number of high-profile police chiefs have called for its abolishment).
Yes, we have 3 territories too, where firearm laws are pretty much ignored.
Tying it in with this article - there are allegations that either the registry has been hacked - or (far more likely) some people with access to the registry are using the registry to find gun owners with large collections to rob. We've had a number of robberies of collectors homes recently.
Other wonderful Canadian projects include buying dented (one apparently hit a whale) and leaking submarines from the UK for far more than they were worth, a quarter-million dollars for a sculpture made of guns, $100,000 for a book about dumb blondes, and $250,000 to sculpt the face of St. Jean the Baptist on a hillside in Quebec by cutting and planting trees - the list goes on and on.
Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can. Nobody will get fired for this, and the folks who designed the passport site will continue to get contracts. I'd be willing to bet the same folks that did the gun registry worked on this project.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
Well, look at it this way: Technology has changed a lot since 1990. The final product expected is now much more complicated than can be easily produced with C++.
That's why we have HTML to structure webpages, CSS to enhance the visuals, JavaScript to improve functionality, etc...
With C++, every webpage would need to compile. These abstractions aren't only for the developers, they're also for practicality.
Oh, and have you ever used C++ to communicate with a database via SQL? It's not exactly very flexible.
I just pooped your party.
Basically the majority of all Canadian government projects go badly and go over budget, not just a wee little bit, but by a lot - incompetence and lack of any accountability are systemic problems in virtually every government project. Corruption too.
One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government project and "how stuff like this can happen", so bear with me for a bit.
The registry was supposed to cost 2 million (with a M) dollars when it was "sold" in 2000. They've so far spent well over a billion (with a B) and the CBC was leaked documents from a reputable source that place the cost at 2 billion dollars. BTW, there are still fairly significant fees for the license and registration portion - paid by the person who wants to own the firearm.
I'm honestly not sure who got / gets the money, but clearly, a (2?) billion (plus?) dollars goes to someone, and they are getting a sweet, sweet deal. It's basically a complete failure too - while numbers vary, there is a significant discrepancy between the number of guns registered and the number believed to be in Canada. A frequently quoted statistic is "just under 7 million registered while estimates from the '70s indicated ~10 million firearms in Canada."
At this point, only one province (Quebec) will prosecute people who didn't register their firearms (the decision to prosecute is left to the province), and there are substantial problems with the quality of the data in the database (to the point where a number of high-profile police chiefs have called for its abolishment).
Yes, we have 3 territories too, where firearm laws are pretty much ignored.
Tying it in with this article - there are allegations that either the registry has been hacked - or (far more likely) some people with access to the registry are using the registry to find gun owners with large collections to rob. We've had a number of robberies of collectors homes recently.
Other wonderful Canadian projects include buying dented (one apparently hit a whale) and leaking submarines from the UK for far more than they were worth, a quarter-million dollars for a sculpture made of guns, $100,000 for a book about dumb blondes, and $250,000 to sculpt the face of St. Jean the Baptist on a hillside in Quebec by cutting and planting trees - the list goes on and on.
Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can. Nobody will get fired for this, and the folks who designed the passport site will continue to get contracts. I'd be willing to bet the same folks that did the gun registry worked on this project.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
I haven't developed commercially in a while, but it was my understanding that for these larger sites the job would be split up.
One group is in charge of layout.
Another group is in charge of content (graphics, sounds, text).
Another one or two groups are in charge of client/server side scripting.
Another group is in charge of security.
And a final group is in charge of putting everything together.
Finally, everything is audited before it goes live.
Of course, a group might be able to accomplish one or more of these tasks, but not requiring one group to accomplish ALL the tasks ensures the abilities of the developers aren't stretched too thin.
I just pooped your party.
This is not just a moan - it is a serious question.
In the UK, every large computer project since the Navy sponsored the Babbage engine seems to end up running hugely over budget and time, and often delivering nothing. Often, many of these projects could have been done on standard equipment from the high street shop. Remember the 10 lb military wearable computer and radio that did little more than a mobile phone? In the recent leak of disks with 25 million UK residents' personal information, most of the data was not wanted by the people it was going to, yet it was not removed because that was 'too labour intensive'. A few lines of Perl, tops. If they want to send discs, then they can send discs of random numbers, and do one-time pad encryption. If you have a proper source of random numbers, then provided the discs arrive with the seals intact, they can send the actual data XORed with the one-time pad. Not exactly rocket science, any of this.
The usual explanation is a lack of market forces. State projects tend to get offered to contractors with vetted personnel, contractors who have done similar projects before. If you have a military requirement then your choice is restricted to positively vetted people who don't mind working on such stuff. Certainly, in the UK, there seems to be a cosy relationship between the state and the contractors. I am not sure I altogether buy this explanation. If there really is a free market, then more talented people ought eventually to come to the top if the contracts are so lucrative.
Perhaps the problem lies with the national interest. The UK government would have to prefer UK companies to overseas ones. Sometimes the competition has to come from outside a country. 20 years ago, prescription glasses used to be expensive and took a week to arrive. If you were going to the US, you could take your prescription and get a pair made in an hour. Now you can get the same service in the UK. In the US, it is hard to get a mobile phone unlocked - it is looked on as illegal, but in the UK this is commonplace. In both cases, I don't think there was anything that was actively preventing competition: it just wasn't happening.
I'd want to remember something like the connecting IP address as part of the session info on the server too. I think most would just go for the very long random ID with low chance of guessing another.
I wonder if the person who found this would get arrested. Such arrests are reported to happen, which isn't good for security. It would have made me wary of reporting it or even trying.
This tendency for computing projects in non-computing organizations to be "just barely functioning" is discussed by Joel Spolsky in a talk he gave to some students of CS at Yale recently: http://www.joelonsoftware.com/items/2007/12/03.html
Rings true to me.
We get "Service Alerts" with "helpful" information for how we're supposed to do business. Some of these "Service Alerts" contain information that, apparently, only certain people are supposed to know. As a result, they are password protected.
If you save the webpage, the default filename that it will save as is also the password for the super-secret information.
So, this story doesn't surprise me.
Never give in--never, never, never, never, in nothing great or small, large or petty, never give in except to conviction
...and the idea that 3 and 4 are separate and distinct is probably what caused this whole problem in the first place.
Right. But a lot has changed since the 1990s. Web applications are complicated. We need specialized languages for specialized tasks.
Usually, in developing a Web application, more than one type of specialist is involved. Often you'll find a Web designer come up with the base layout and design of the HTML, another Web developer who specializes in coding the HTML and JavaScript, using the CSS defined by the Web designer, someone else who plugs in the front-end code, someone else who writes the middleware, and another to write the back-end code. And you have DBAs, systems administrators, network administrators, testers, project managers and so forth.
It's unusual in any moderately-complicated Web application to have one person who does the whole thing him/herself these days. To paraphrase Hillary Clinton, it takes a village to make a Web app.
My blog
It is pretty sad, but this doesn't even surprise me anyway because of the frequency of this type of incident. I applied for a Canadian Passport this April, so I guess I'm screwed... :(
It's ASP.NET, which the Canadian Government has swallowed hook, line and sinker.
And third-rate programmers using it.
Rich And Stupid is not so bad as Working For Rich And Stupid.
ObXKCD link: http://xkcd.com/327/
Help! I'm a slashdot refugee.
I would put my finger on Government security. Public services are low-funded operations that don't have all the right resources at the right place. And most of the time, I would say that the staff have their hands tied because of management policies. 'Nuff said!
Did you not mean out of control, over funded and incompetently managed including kickbacks?
With government, it is all about priorities and political will. Resources, the Canadian government has plenty, but why run a tight ship when every department head runs his own out of control I/T show. "Hey, need a fat contract...give me a call..., competency, no issue".
I've always wondered quite how far into unpronounceability (and indeed unprintability) names are allowed to venture. Merely giving your child a name with a formfeed in it would probably cause chaos enough.
I've also long wondered what the perpetrators of these text-string-passing SQL bindings were on. That's an 'idea' that just isn't one!
Nose stud.
Lip ring.
Clit ring.
Need I continue?
Well you did say it was a government contract.
It doesn't mean much now, it's built for the future.
This is a thundering misrepresentation. I just got my passport earlier this year in six weeks.
All you do is pay the extra fee for expedited processing, which anyone with a job can afford after a couple weeks savings.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Canadian students rank third in the world in science: http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20071204/pisa_test_071204/20071204?hub=SciTech (USA rated in at 29th)
It's damn hard to perfect code with all these polar bears trying to eat our igloos, and mashing the keyboards in mittens makes for some pretty long debugging sessions. Also someone spilled beer on the one copy of "HTML for Dummies" the government makes us share. So as soon as we come down from the marijuana and finish the Cheetos we'll go over the code again. Has anyone seen my keyboard de-icer? (Hope you can read comments in Frenglish, it was written in Ottawa)
All the good programmers go to work for private companies that pay more.
MABASPLOOM!
"One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government project and "how stuff like this can happen", so bear with me for a bit."
Government? While I'm all in favour of blaming our elected overlords - this is what happens when you give a big contract to CGI. A simple task, much like the nationwide vehicle registry, all they had to do was take the source, file off 'Make, Model, Colour' and replace it with 'Manufacturer, Calibre and Barrel Length' and it cost $2 billion?
Don't give the government 100% of the blame, when there is an incompetent company willing to milk the public purse involved as well.
"History doesn't repeat itself, but it does rhyme." Mark Twain
I am getting my passport (I am Canadian) just so that when I am done visiting the family for Christmas, I can come back home with my American wife. Getting export from Canada is the people....unless they are the more French side of the Canadians....
To see a few of my Android apps goto: www.hartwired.com
Yes, but they don't work for or in government...
I mean, you can tell the real Canadians from the fake ones easily enough. Just look for the plethora of Canadian flags sewn to their backpacks and bags.
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
I've been going through a similar experience of my own, although on a much smaller scale. I was hired as a consultant to do a little short-term work for a government agency. (Nothing special, just a sort of scientific project.) In our estimation this project would take one to two months of part-time work on the side for me to complete, and since it's such an independent project I would be able to do it all from home.
I was initially contacted by a recruiter and filled out a basic skills assessment, and then I didn't hear anything for about a month. Then one day they came back and said, surprise! You're hired! No interview, nothing.
A few more weeks were wasted getting all the details together. I had to do a drug screening, fill out a bunch of paperwork, etc. Finally orientation day arrived.
Now the way this is organized is that I actually work for a private company who then sells my services to the government. I'm not working very cheap and I'm sure they're charging at least double. So orientation day comes and it's all about working for the private company who I couldn't possibly care any less about. I sit down and spend two and a half expensive, double-charged hours with some mindless HR drone talking about benefits and health plans and who's an exempt employee and how to fill out timecards and so forth. A special emphasis was put on the fact that timecards must be filled out daily. An extremely brief time was taken to go over how to access company e-mail and the electronic timecard system, but most of the time was spent on insanity like how the retirement plan works, or all the required diversity and drug-awareness training which must be done.
After this excruciating session I was sent home to begin my work. Once I got home I noticed several important things:
At this point I began to spend a great deal of quality time (again, double-charged to the government) on the telephone with the IT help desk trying to straighten some of these things out. I finally got timecard access over a week later (remember how critically important it was to fill that out every single day) but without any paycodes to use on it, which are required for everything. The paycodes still are not here, but I finally got a temporary one I could use a week after that. Since I had no way to record my time in the requested manner and since I wanted to make sure I didn't violate the mindless HR drone's demands, I simply didn't do any work during this period. I still have no access to corporate e-mail, and although I was able to look up who my manager was in the company directory, I still have no idea how to get to the required training. At this point, since they are not important to the project at hand, I plan to ignore them completely until they go away.
So you can see how this works. If this project were being operated in a sane manner, like how the company I work for in my day job would handle it, it would have been done months ago and for half the price. Now imagine what happens on a large project with lots of people and even more insane bureaucracy. The takeover of the HR department along with the mountain of useless junk they bring such as mandatory diversity training, overcomplex health plans, and all the rest means that I get jerked around and the government gets completely shafted.
And yet another webmonkey misses the point: yes Waldo, the syntaxes are similar, but the all-important gotchas for each language and technology can be quite different.
I suspect too that you may be trolling, because you must know that for any medium sized or above projects, European competition law is very strict. The UK Government is not allowed to prefer local suppliers. If you doubt this, ask yourself where are EDS, Thales and Fujitsu Siemens based, just to name three?
My own experience suggests that what is actually needed is to sack a load more incompetent Civil Servants with classics degrees, replace them with some people with a clue, and bring these projects back in house. If we can afford to bankroll the likes of Northern Schlock to the tune of billions, we can afford to buy out the contract terms of the companies who are actually raping us, the taxpayers. If the UK Government showed it was serious about having a decent UK-based IT infrastructure within the Civil Service, and a career structure that did not disadvantage scientists and engineers at every turn against the arts graduates, I suspect a lot of highly skilled people would consider coming home again. And if those scientists and engineers had any clout, the arts graduates would be unable to ignore security, because it would be the security experts that made the policy. "No, Permanent Secretary, no encryption and proof of delivery, no data. You want _what_ on a CD? Sign here where it says 'I understand I am putting my job at risk by....'"
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
I like the idea of naming your child "\nEOF"
Teacher: "SlashEnEOhEff?"
Student: "Here, teacher! I go by Slash."
Planning to be moderated ± 1: Bad Pun.
I have set up these types of websites at my current company, and just turned on passwords for that directory in Apache. Of course that alone assumes everyone who is allowed to look at one application is allowed to look at all applications.
Possible that a programmer is told to set up an application for internal use. Management later tells IT to allow outside access, IT moves the application to another server, never turns on security. Someone learns they can allow outside people access to their applications by sending a link...
Perfectly good code later ruined by IT and management.
I think we just found the reason why it takes so long without the fee.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
The point is that in large bureaucracies, projects aren't actually supposed to DO anything. They're just supposed to alter the power structure (or preserve it).
This game requires some way to keep score as to who has the power. That would be capital.
"A few lines of Perl code" is not power in a bureaucracy's eye, because it doesn't require capital expenditure. Ninety consultants, over 6 months, with $250k in hardware, and a $50m annual operating expense budget -- now that's power.
Anything that looks to reduce costs or increase productivity drastically is a challenge to the power structure. It must be shouted down as insecure, non-scalable, non-performant, non-standard, and violating export treaties.
So the game of people that want power is to reduce costs and increase productivity "a little bit". 10%. Maybe 20%, if you wanted to be branded "radical". Anything more and you'll be branded a lunatic and shuffled to "special projects".
The above game is played more often in public organizations than private ones, but knows no natural boundaries, particularly when the organization stays afloat due to a perpetual bread-winner (i.e. monopoly product, taxes, etc.).
-Stu
The web application detects no cookie is set, a RANDOM GUID is created and your IP address recorded in a database or session cache. The GUID is recorded in a cookie.
For each subsequent page of the form, your cookie is transmitted and the application knows which partially complete record you're filling out, what page of the form you're on, and so forth (sessions in J2EE/PHP/ASP).
Client-chosen GUIDs are unlikely to be valid. Any GUID in a cookie that exists but isn't coming from the right IP address is denied.
THE END
This is just like every other fucking website.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
OK, this is a simple two-part problem.
The truth is, with a breach like this, heads should roll. The project manager should be fired b/c managing this stuff was their job (that's why they make the big bucks). However, it's most likely that nothing will happen. Unless a million people pick up on the Globe and Mail article and start yelling and screaming, then nothing will happen. The goof who let this through will happily work away until he collects his government pension. Bunch of amateurs... makes me retch just thinking about it.
And all the sucky programmers go to work for government contracts that pay more in one year than one can earn in a typical private company job.
Sad, but true.
There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.
Hiya, yes, I'm \x00John\n\nFrank Smith\a, how can I help?
Get your own free personal location tracker
You think this is a BIG issue ?
BWAA HAA HAA HAA
In the Socialist Sovereign Democratic Republic of India, you can do that kind of tinkering with the passport application tracking website ever since it was launched. Back in our college days, we actually used to run bash scripts with wget in order to find out which of our classmates had applied for passports.
I recall at least a couple cases of guys getting charged with hacking for altering URLs.
I'm not sure that I would have reported this if I had discovered it. Your mileage may vary.
If you're going to make URLs user or session specific you need very long random-looking strings.
I disagree. That's the ugly (and wrong, in my opinion) way of doing it. I think the better approach is having nice, concise, meaningful strings (http://blah.com/info/?uid=200 is just fine). *BUT*, you authenticate your session with a login (or other authentication) cookie (and do it over an HTTPS session).
Long complicated strings are almost an ugly security through obscurity approach; requiring login credentials appropriate to a given URL is the more proper approach. I hate long URLs, and have never needed them in every secure site I've ever designed.
Love many, trust a few, do harm to none.
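The two comments above (the random GUID cookie bound to the client's IP address, and "keep ?uid=200 in the URL but check the session") describe the same fix from two sides. The following is an added example, not code from Passport Canada or from either commenter: a toy back end with a server-issued session token, an IP binding, a record lookup that trusts the id in the URL (the bug in the story), and the same lookup with an ownership check. All names, the sample records and the 30-minute timeout are assumptions made for the example.

```python
"""Toy passport-application back end (constructed for illustration).

Shows why "change one character in the URL" worked: the vulnerable handler
returns whatever record id it is asked for.  The fixed handler keeps the
same URL shape but releases a record only to the session that owns it.
Session tokens are server-generated from the OS CSPRNG and bound to the
client IP, so a guessed or client-chosen token is simply not in the store.
None of this is the real site's code; names and data are made up.
"""
import secrets
import time

SESSION_TTL = 30 * 60  # seconds; assumed value, not from the page

# In-memory stand-ins for the session cache and the application database.
SESSIONS = {}        # token -> {"ip": str, "app_id": int, "expires": float}
APPLICATIONS = {     # constructed sample data, not real applicants
    1001: {"name": "A. Applicant", "sin": "123-456-789"},
    1002: {"name": "B. Bystander", "sin": "987-654-321"},
}


def new_session(client_ip, app_id, now=None):
    """Issue a fresh 256-bit token, record the owning application and IP."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # unguessable; never derived from data
    SESSIONS[token] = {"ip": client_ip, "app_id": app_id,
                       "expires": now + SESSION_TTL}
    return token


def lookup_session(token, client_ip, now=None):
    """Return the session, or None for unknown, expired or wrong-IP tokens.

    A token the server never issued is absent from the store, so a
    client-chosen value fails here without any further checking.
    """
    now = time.time() if now is None else now
    sess = SESSIONS.get(token)
    if sess is None or sess["expires"] < now or sess["ip"] != client_ip:
        return None
    return sess


def view_application_vulnerable(app_id):
    """The broken handler: /application?id=1002 returns record 1002 to
    anyone.  The caller's identity is never consulted."""
    return APPLICATIONS.get(app_id)


def view_application_secure(token, client_ip, app_id, now=None):
    """The fixed handler: same URL, but the record is returned only when the
    session that presents the token owns that application id."""
    sess = lookup_session(token, client_ip, now)
    if sess is None or sess["app_id"] != app_id:
        return None      # the web tier would answer 403 or 404 here
    return APPLICATIONS.get(app_id)


def finish_session(token):
    """On final submit or timeout, forget the session so the web tier no
    longer holds a handle to the partially completed record."""
    SESSIONS.pop(token, None)
```

The ownership check is the part that was missing on the real site; the long random token only protects the session, not the record. Binding to the client IP is a defence in depth, not a substitute: users behind rotating proxies or carrier NAT will be logged out, and an attacker on the same NAT shares the address, so the token must still be sent only over HTTPS in a cookie that scripts cannot read.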
It really is unforgivable, but unfortunately it is not as uncommon as you might think. I used to review completed projects from an Indian contractor of a company that I was consulting for and they were about to go into production with a health care information related website that was vulnerable to SQL injection of the login allowing full visibility of all health records of all users. Heck, even after I told them how to fix the problem they fixed it with client side javascript (which of course isn't a fix because the client could turn off javascript and still submit the form) and after that when they fixed their server side code they did it on a per page basis, so in the future if a new developer comes on board and he does not realize what is going on then new pages might be introduced that are again vulnerable to attack because the underlying query mechanism (i.e. building commands as strings and NOT using parameterized queries) remains unchanged. I tried to warn them, but the company didn't renew my contract when they declared the project "finished". As far as I know the site went into production in that state and remains so to this day (names not disclosed to protect the guilty).
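The comment above contrasts a client-side JavaScript "fix" and per-page patching with changing the query layer to parameterized statements. As an added example (constructed with sqlite3, not the contractor's code; the table, users and records are made up, and passwords are stored in clear text only so the injection stays visible), here is the string-built login beside the parameterized one:

```python
"""Login query built by string formatting versus a parameterized query.

Constructed example with an in-memory sqlite3 database.  Not the code from
the health-care site in the comment; table layout and credentials are made
up, and plaintext passwords are used only to keep the example short.
"""
import sqlite3


def make_db():
    """Build a throwaway database with two users and their records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, record TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "alice's health record"),
        ("bob", "battery staple", "bob's health record"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: whatever the client types becomes SQL syntax.

    A username of   ' OR 1=1 --   turns the WHERE clause into
        username = '' OR 1=1 --' AND password = '...'
    and the comment marker discards the password check entirely.
    """
    sql = ("SELECT record FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_parameterized(conn, username, password):
    """Placeholders: the driver passes the values separately from the
    statement, so quotes and comment markers in the input are data, never
    syntax.  Because the fix lives in the query layer, every page that
    calls it inherits the protection, which is what the per-page patching in
    the comment failed to achieve."""
    rows = conn.execute(
        "SELECT record FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()
    return [row[0] for row in rows]
```

Client-side validation cannot substitute for the parameterized form: the attacker submits the request without the page's JavaScript, so only what the server does with the input matters.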
In soviet hellhole, IQ average is well above you!
.
- aqk
F U
FU.
Wanna do something, troll? Just shut up and join the W3C.
Troll.
Comment removed based on user account deletion
This is a simple and fundamental error and I'm amazed that the 'security technique' made it into production on such a major site. Doesn't ANYONE know what they're doing? Geez, this is Web Security 101.
... If you're going to make URLs user or session specific you need very long random-looking strings.
We are talking government IT here. The Canadian government appears to be caught in a "race" with the US and British Governments to make the most possible mistakes when it comes to the security of their IT systems... (No doubt the Aussies will be joining in soon, now that they have got an election out of the way.)
A lot of sites were vulnerable to this sort of thing in 1995
Also once the transaction has ended, either by the final "submit" or timeout, the data should no longer exist so far as the webserver is concerned.
I've always wondered quite how far into unpronounceability (and indeed unprintability) names are allowed to venture. Merely giving your child a name with a formfeed in it would probably cause chaos enough.
It depends on the country. IIRC there are countries which have lists of approved names, which of course only apply to citizens.
Another issue is where translating someone's name into another language, e.g. Arabic to English, is a one-to-many operation. As well as all the common IT issues of assuming names cannot be more than X characters long, only contain ASCII characters, cannot contain spaces (or more than one space), etc., etc.
Which is exactly why most developers are not hired to build large applications containing huge amounts of sensitive customer data.
I make a living out of building exactly these kind of applications for major international banks and I simply wouldn't get hired if I didn't know about the above.
Thing is that it's generally possible for customers to change their bank without having to change everything else. When it comes to changing your government things are a lot more tricky. Generally moving is a requirement.
The developers should be ashamed of themselves for such a massive lapse, this really is security 101. Equally ashamed should be the people who decided not to bother with running proper penetration testing and security evaluation on such an application.
What are the odds that this was outsourced to some contractor whose only skill was being able to make the correct form of "bid" and/or bribe the right people, whilst subcontracting the actual IT piecemeal. Assume also that none of the people actually making decisions know the first thing about IT and the subcontractors also have the concern of making sure they actually get paid (even though what they actually get is a small fraction of whatever the main contractor charged).
Yeah, I recently took a Chinese class. Acquiring a Chinese given name turned into a lengthy negotiation (my name even has a specified algorithm for translation—my parents are a bit odd—but unfortunately it seems to have failed in this case because of some historical/linguistic misfortune), and my surname is an unresolved disaster. :) (And yes, you recall correctly. Holland, for example, unless they changed matters.)
Other wonderful Canadian projects include buying dented (one apparently hit a whale) and leaking submarines from the UK for far more than they were worth,
:)
But probably far less than they cost the British taxpayers.
$100,000 for a book about dumb blondes
Wonder if there's a book about dumb politicians. Maybe they could be persuaded to all dye their hair blonde.
Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can.
Replace "Canadian" with "just about any".
Nobody will get fired for this, and the folks who designed the passport site will continue to get contracts.
Probably because they have the ability to put together the right sort of "bid", which has little to do with (except possibly mutual exclusivity) being able to actually deliver something useful on time and on budget.
In the UK, every large computer project since the Navy sponsored the Babbage engine seems to end up running hugely over budget and time, and often delivering nothing.
At least in those days MPs weren't afraid to stand up and ask "Why have we paid Mr Babbage enough money for a couple of warships and ended up with a useless pile of cogs?"
Often, many of these projects could have been done on standard equipment from the high street shop. Remember the 10 lb military wearable computer and radio that did little more than a mobile phone?
At least Babbage had the excuse that he was trying to do something beyond "state of the art". I don't recall even the "eighties brick" phones being that heavy. Though a not too well known reason for "embedded journalists" is to ensure that a reliable communication system is available.
The recent leak of discs with 25 million UK residents' personal information, most of which was not wanted by the people it was going to, was not removed because that was 'too labour intensive'. A few lines of Perl, tops. If they want to send discs, they can send discs of random numbers, and do one-time pad encryption. If you have a proper source of random numbers, then provided the discs arrive with the seals intact, they can send the actual data XORed with the one-time pad. Not exactly rocket science, any of this.
Except that the people making the decisions don't have the first clue. i.e. if you actually gave them the task of "rocket science" you'd probably end up with a 3 litre bottle containing 1 litre of water and 2 litres of compressed air. (With the bottle costing several times its weight in gold and both fluids costing several thousand pounds per ml.)
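The one-time pad sketched two comments up (ship a disc of random bytes first, then ship the data XORed with it) is about the only cipher that fits in a few lines and is provably secure, so here it is as an added example, not the commenter's code. The "pad disc" and the records are constructed in the block; the extra function shows the failure mode a practitioner has to design around, namely that a pad used twice cancels out and exposes the XOR of the two plaintexts.

```python
"""One-time pad as described in the thread: pad bytes shipped separately,
data shipped XORed with them.  Constructed example; the pad comes from
os.urandom and the sample records are made up.

Conditions for the security proof to hold, all of which the sender has to
guarantee operationally:
  * the pad is truly random (CSPRNG or hardware source),
  * it is at least as long as the data,
  * it is used exactly once and then destroyed.
"""
import os


def make_pad(length):
    """Generate the 'disc of random numbers'.  One pad byte per data byte."""
    return os.urandom(length)


def xor_bytes(a, b):
    """Byte-wise XOR; refuses to silently truncate or wrap a short pad."""
    if len(a) != len(b):
        raise ValueError("pad length must equal data length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext, pad):
    """Ciphertext = plaintext XOR pad.  Without the pad every plaintext of
    this length is equally likely, which is the whole point."""
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext, pad):
    """XOR is its own inverse, so decryption is the same operation."""
    return xor_bytes(ciphertext, pad)


def reuse_leak(ciphertext1, ciphertext2):
    """What an observer gets if the same pad protects two discs:
    (p1 ^ pad) ^ (p2 ^ pad) == p1 ^ p2.  The pad is gone, and two structured
    records (fixed-format tax data, say) XORed together are usually enough
    to recover both."""
    return xor_bytes(ciphertext1, ciphertext2)
```

Two caveats the comment only implies: the pad gives confidentiality, not integrity, so the "seals intact" check (or a MAC under a second key) is what tells the receiver the data disc was not altered in transit; and because the pad is as large as the data, an authenticated cipher keyed by a short secret exchanged out of band does the same job without the second disc.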
Certainly, in the UK, there seems to be a cosy relationship between the state and the contractors. I am not sure I altogether buy this explanation.
Often these contractors appear to be holding companies so everything ends up being sub contracted (badly).
If there really is a free market, then more talented people ought eventually to come to the top if the contracts are so lucrative,
In order to stand any chance of getting such a contract there is a complex and expensive (6-7 figure) bidding process. This excludes the vast majority of companies from even getting their foot in the door, and it also means that something in the order of 5 million pounds is likely to be added to the bill just to cover the bidding costs. The result is you get a few contractors whose specialty is producing bids for government contracts.
But probably far less than they cost the British taxpayers.
Maybe, but Canada really only got 3 subs (for the price of 4) since one had to be stripped for parts. One man also died and 8 were injured when a fire broke out a couple miles off the coast of the UK.
Pretty sure we got "proper fucked" on that one.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
It depends, but I would say, yes. For example, on Facebook, I'm allowed to see the detailed profiles of people who are on my friends list (authenticated by my cookie). The URLs are specific to each user, but the cookie associates my credentials for what I am allowed to see.
There are undoubtedly cases where it's not necessary, and the cookie can carry all the state, but I think that actually leads to *more* confusion. (If someone is left logged in, and you go to your favorite bookmark, seeing their stuff would be confusing, whereas seeing a "you don't have permission for this, dude" is a more reasonable experience.)
Love many, trust a few, do harm to none.