Privacy Breach In Canadian Passport Application Site
Joanna Karczmarek sends us news of a massive privacy breach in the Government of Canada passport website. "A security flaw in Passport Canada's website has allowed easy access to the personal information — including social insurance numbers, dates of birth and driver's license numbers — of people applying for new passports. ... The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser."
Odds are, lots of people are applying for passports nowadays too, since apparently we Canadians need them to cross the border into americaland in the near future.
3...
2...
1...
Breaking News, a L33t Canadian Hacker broke into a national security site, stealing millions of Dollars worth of personal information.
No word yet on any arrests.
More at 11.
Just -1, Troll talking to another.
That's some leet hakking going on there...
http://www.freedom-to-tinker.com/index.php?p=780
http://www.tjmcintyre.com/2005/06/morris-tribunal-learns-pitfalls-of.html
http://blogs.zdnet.com/threatchaos/?p=464
When they came for the communists, I said "He's next door. Take him away. Goddam commies."
Sounds like some web monkey needs a beating....
I wish I was clever!
See subject.
I have excellent Karma and I am not afraid to Troll it.
Not so much a security flaw as it is incompetence. How could the developers miss this? Oh, here's the sweet part. They said the flaw was repaired on Friday. And from the article...
But after the website resumed operation yesterday afternoon, a few keystrokes sufficed to reveal some of the personal information of passport applicants, including names, addresses and numbers for references and emergency contacts
HAHA! "URL HACKING" is easy to protect against. Maybe they've gone so high tech in security they totally passed on the low tech? Something is awkward here. I will give the developer the benefit of the doubt. I'd expect a half-assed developer to know about URL hacking. I bet this had something more to do with half-assed management!
Essentially all web development technologies are shit. It doesn't matter if they were using Perl CGI scripts, PHP, some JSP-based framework, ASP, ASP.NET, ColdFusion, Ruby on Rails, Django, or whatever other language/framework/technology you want to consider.
The evolutionary nature of the web has led to such technologies that just don't mesh well with one another. Bring SQL and JavaScript into the mix, and now you can be mixing four or five different languages in one web application. Most developers don't have the time to adequately learn every aspect of HTML, JavaScript, CSS, PHP, XML and SQL just to put together a small web app, for instance.
Frankly, I don't think there is a solution to this problem. We can't go back in time and rework the underlying nature of the web to be more sensible. We'd have to throw so much of it away.
> Most developers don't have the time to adequately learn
> every aspect of HTML, JavaScript, CSS, PHP, XML and SQL just to put together a small web app
Each may have different syntax, but they also have very different uses. Even if they were all bundled up in the same language, you would still have to *learn* how to use each aspect. You still need to display content to the user, you still need to be able to manipulate that content, you still need to be able to generate it, and to get data out of your database. There's still a lot to learn, but you're using syntax as a scapegoat.
Like many institutions, the Canadian government has their own security initiative: MITS (Management of Information Technology Security). It aims specifically at being proactive at safeguarding information and IT systems. It is mandatory for all systems to be certified before they are put into production. It would appear that MITS compliance doesn't mean the system is hacker proof or that there are no bugs. To be more effective, I hope there will be something added to this policy in order to better test applications and not to simply be a paper exercise. Apparently they were able to address the problem rather quickly.
I wouldn't say Americans are that bad at English...
Real Daleks don't climb stairs - they level the building.
No it's incredibly shoddy coding that could be done on any platform.
Here's an example of how to encrypt URL data in ASP:
Using this encryption, you can transform a standard QueryString like:
/SomePage.asp?SL=ActiveServerPages&N1=4GuysFromRolla.com&N2=FreeURL.com
to utter gobbledygook, something that the web surfer will have no idea what variables and values are being passed along through the QueryString:
/SomePage.asp?crypt=w%96%9Ei%7D%9D%AE%91%B7%ACf%86%C4%AC%CA%90%96c%A1%9D%8F%89%B2z%92U%87Z%95%CF%A6%A5i%BE%96%9C%91%B9%AA%A5%97d%BE%BF%95gwb%8C%93%B7%8A%88%A7%A2%94h%B8%A9%AA
Code sample is here:
http://www.4guysfromrolla.com/webtech/code/qs.enc.asp.html
Which is exactly why most developers are not hired to build large applications containing huge amounts of sensitive customer data.
I make a living out of building exactly these kind of applications for major international banks and I simply wouldn't get hired if I didn't know about the above.
The developers should be ashamed of themselves for such a massive lapse, this really is security 101. Equally ashamed should be the people who decided not to bother with running proper penetration testing and security evaluation on such an application.
http://www.cbc.ca/consumer/story/2007/12/04/passport-security.html?ref=rss
Irresponsible name to have these days.
biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
I'm guessing the database the info comes from is not even encrypted. One could come up with half-a-dozen schemes to prevent this. Here's one: every sensitive record in the database is encrypted with a unique key that is mapped to each session via a very long random number generated on a per-session basis. This random number would be used to decrypt the information in the database (combining, of course, with a server-side key to reconstruct a "permanent key"). So each client-side key would be able to decrypt one and only one sensitive record, making a one-session to many-record scenario impossible. Key-pairs would be generated on a per-session basis from a database of permanent keys that are themselves encrypted and served by a key server. I hereby patent this protocol. Please send me money if you use it or I will sue you.
Just callin' it like I see it.
I was wondering, does anyone know of a website that has been keeping track of all the notable security breaches over the past several years? It would be useful to have that information when you need to show it to a manager, etc. Thanks.
I haven't looked at the article, but I doubt that's going to help against someone determined. Sure - Joe Bloggs who found the bug this time probably wouldn't have, but that's just a URL-encoded string, which is trivial to decode (I believe PHP has an urldecode function for just that).
Never, ever, trust data provided by the user. If there's potential to cause trouble, somebody will do it, which is why the site should have been keeping track of whose application was being filled out on the server, probably in a session variable.
I don't usually reply to ACs, but this is so unbelievably misguided I feel I have to.
1. IIS won't run on Win ME.
2. This sort of security hole could just as easily happen on any web platform - ASP, PHP, .Net, Java, even Rails (yup - it is possible to build an insecure Web 2.0 site!)
Parent's links are viruses.
I just pooped your party.
Some frameworks use a long alphanumeric ID to access objects, GNU Enterprise does that, so they thwart this kind of attack.
But I prefer exposing parameters and IDs, and checking for validity when parsing the request so that a hacker would need to hijack the session to perform any operation.
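The two server-side defences described in this post and the one a few posts up (tie the record to the user held in the session and check ownership on every request, or hand the browser an opaque random handle instead of the database ID), as an added Python example that is not code from the original page or from Passport Canada's site; the in-memory database, user names, application numbers and SINs are constructed sample data.

```python
"""Insecure direct object reference (IDOR), the flaw the thread describes:
a record is fetched by an ID taken straight from the URL. Two server-side
fixes follow. Added example; not code from the original page or from
Passport Canada. Users, IDs and SINs below are constructed sample data."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Application:
    app_id: int
    owner: str       # account that created the application
    applicant: str
    sin: str         # social insurance number: sensitive


# Constructed "database" with sequential IDs, exactly the guessable pattern
# where changing one character in the address shows someone else's record.
DB: Dict[int, Application] = {
    1001: Application(1001, "alice", "Alice Example", "123-456-789"),
    1002: Application(1002, "bob", "Bob Example", "987-654-321"),
}


def vulnerable_view(app_id: int) -> Optional[Application]:
    """The original pattern: trusts the ID from the query string outright,
    so any client that can reach the page can read any record."""
    return DB.get(app_id)


def hardened_view(session: dict, app_id: int) -> Optional[Application]:
    """Fix 1: keep the ID in the URL, but compare the record's owner with the
    user recorded server-side in the session ("never trust data provided by
    the user"). Missing and foreign records get the same answer so the ID
    space cannot be enumerated by telling 404 from 403."""
    rec = DB.get(app_id)
    if rec is None or rec.owner != session.get("user"):
        return None
    return rec


def issue_handle(session: dict, app_id: int) -> Optional[str]:
    """Fix 2: hand the browser an opaque random handle instead of the database
    ID. Only the owner gets one, and the handle->ID map lives in the
    server-side session, so the handle is useless from any other session."""
    if hardened_view(session, app_id) is None:
        return None
    handle = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
    session.setdefault("handles", {})[handle] = app_id
    return handle


def view_by_handle(session: dict, handle: str) -> Optional[Application]:
    """Resolve a handle through this session only; the ownership check still
    runs, so a stale map entry can never leak a reassigned record."""
    app_id = session.get("handles", {}).get(handle)
    return None if app_id is None else hardened_view(session, app_id)


if __name__ == "__main__":
    alice = {"user": "alice"}
    print("vulnerable:", vulnerable_view(1002))           # Bob's record leaks
    print("hardened:", hardened_view(alice, 1002))        # None
    h = issue_handle(alice, 1001)
    print("handle:", view_by_handle(alice, h).applicant)  # Alice Example
    print("other session:", view_by_handle({"user": "bob"}, h))  # None
```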
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
Doesn't ANYONE know what they're doing
No. Basically the majority of all Canadian government projects go badly and go over budget, not just a wee little bit, but a whole metric fuckload - incompetence and lack of any accountability are systemic problems in virtually every government project. Possibly even corruption.
One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government project and "how stuff like this can happen", so bear with me for a bit.
The registry was supposed to cost 2 million (with an M) dollars when it was "sold" in 2000. They've so far spent well over a billion (with a B) and the CBC was leaked documents from a reputable source that place the cost at 2 billion dollars. BTW, there are still fairly significant fees for the license and registration portion - paid by the person who wants to own the firearm.
I'm honestly not sure who got / gets the money, but clearly, a (2?) billion (plus?) dollars goes to someone, and they are getting a sweet, sweet deal. It's basically a complete failure too - while numbers vary, there is a significant discrepancy between the number of guns registered and the number believed to be in Canada. A frequently quoted number is "just under 7 million registered while estimates from the '70s indicated ~10 million in Canada."
At this point, only one province will prosecute people who didn't register their firearms (the decision to prosecute is left to the province), there are substantial problems with the quality of the data in the database (to the point where a number of high profile police chiefs have called for its abolishment).
Yes, we have 3 territories too, where firearm laws are pretty much ignored.
Tying it in with this article - there are allegations that either the registry has been hacked - or (far more likely) some people with access to the registry are using the registry to find gun owners with large collections to rob. We've had a number of robberies of collectors homes recently.
Other wonderful Canadian projects include buying dented (one apparently hit a whale) and leaking submarines from the UK for far more than they were worth, a quarter-million dollars for a sculpture made of guns, $100,000 for a book about dumb blondes, and $250,000 to sculpt the face of St. Jean the Baptist on a hillside in Quebec by cutting and planting trees - the list goes on and on.
Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can. Nobody will get fired for this, and the folks who designed the passport site will continue to get contracts. I'd be willing to bet the same folks that did the gun registry worked on this project.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
At least you're not so brazen as to post such a xenophobic comment without AC status. Also notice that Canada is doing pretty well even with all those filthy horrible non-conformist immigrants.
Oh, and unless you're a Native American, you're an immigrant too. That is assuming the first people to arrive in a country devoid of a human population don't count as immigrants.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Well, look at it this way: Technology has changed a lot since 1990. The final product expected is now much more complicated than can be easily produced with C++.
That's why we have HTML to structure webpages, CSS to enhance the visuals, JavaScript to improve functionality, etc...
With C++, every webpage would need to compile. These abstractions aren't only for the developers, they're also for practicality.
Oh, and have you ever used C++ to communicate with a database via SQL? It's not exactly very flexible.
I just pooped your party.
Basically the majority of all Canadian government projects go badly and go over budget, not just a wee little bit, but by a lot - incompetence and lack of any accountability are systemic problems in virtually every government project. Corruption too.
One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government project and "how stuff like this can happen", so bear with me for a bit.
The registry was supposed to cost 2 million (with an M) dollars when it was "sold" in 2000. They've so far spent well over a billion (with a B) and the CBC was leaked documents from a reputable source that place the cost at 2 billion dollars. BTW, there are still fairly significant fees for the license and registration portion - paid by the person who wants to own the firearm.
I'm honestly not sure who got / gets the money, but clearly, a (2?) billion (plus?) dollars goes to someone, and they are getting a sweet, sweet deal. It's basically a complete failure too - while numbers vary, there is a significant discrepancy between the number of guns registered and the number believed to be in Canada. A frequently quoted statistic is "just under 7 million registered while estimates from the '70s indicated ~10 million firearms in Canada."
At this point, only one province (Quebec) will prosecute people who didn't register their firearms (the decision to prosecute is left to the province), there are substantial problems with the quality of the data in the database (to the point where a number of high profile police chiefs have called for its abolishment).
Yes, we have 3 territories too, where firearm laws are pretty much ignored.
Tying it in with this article - there are allegations that either the registry has been hacked - or (far more likely) some people with access to the registry are using the registry to find gun owners with large collections to rob. We've had a number of robberies of collectors homes recently.
Other wonderful Canadian projects include buying dented (one apparently hit a whale) and leaking submarines from the UK for far more than they were worth, a quarter-million dollars for a sculpture made of guns, $100,000 for a book about dumb blondes, and $250,000 to sculpt the face of St. Jean the Baptist on a hillside in Quebec by cutting and planting trees - the list goes on and on.
Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can. Nobody will get fired for this, and the folks who designed the passport site will continue to get contracts. I'd be willing to bet the same folks that did the gun registry worked on this project.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
Looking at the code, I would say this is also not really "good" encryption. Real security experts don't recommend using home-brew encryption functions like those. Even a simple TEA or older algorithms like RC4 or DES are probably much better.
I haven't developed commercially in a while, but it was my understanding that for these larger sites the job would be split up.
One group is in charge of layout.
Another group is in charge of content (graphics, sounds, text).
Another one or two groups are in charge of client/server side scripting.
Another group is in charge of security.
And a final group is in charge of putting everything together.
Finally, everything is audited before it goes live.
Of course, a group might be able to accomplish one or more of these tasks, but not requiring one group to accomplish ALL the tasks ensures the abilities of the developers aren't stretched too thin.
I just pooped your party.
The underlying problem is that the id to maintain state in the web site is so short as to be easy to guess another one that will work. The solution to this is to use much larger session IDs and generate them randomly. I'd say a 128 bit integer at least. On top of that, it'd make sense to have some code in place to detect when a user is trying to guess an ID by brute force. If they try then log the attempted intrusion and block the user.
The Session object in ASP generated Session IDs that were predictable. I think ASP.Net's mechanism is better, but I don't know how much better. I wouldn't trust the Session object to generate non-predictable IDs in all circumstances; it is, after all, closed-source software and not open to review. It would be prudent when using the Session object to generate State IDs to also ensure that attempts to guess the ID are blocked as well.
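Two of the measures this post asks for, as an added Python example that is not ASP's Session object nor any code from the original page: a 128-bit session ID drawn from the OS CSPRNG, plus a detector that scans access-log lines for clients presenting many unknown session IDs in a short window and marks them for blocking. The log format, timestamps and addresses are constructed for the demo.

```python
"""Unguessable session IDs and detection of ID guessing. Added example, not
Passport Canada's or ASP's code; the log lines below are constructed."""
import re
import secrets
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SESSION_ID_BITS = 128


def new_session_id() -> str:
    """128 bits from the OS CSPRNG, hex-encoded (32 chars) so it is safe in a
    cookie or URL. Guessing one is hopeless, unlike a short sequential ID."""
    return secrets.token_hex(SESSION_ID_BITS // 8)


def looks_like_session_id(sid: str) -> bool:
    """Cheap pre-check: a genuine ID is exactly 32 lowercase hex chars, so a
    hand-edited value can be rejected before it ever touches the session store."""
    return len(sid) == 32 and all(c in "0123456789abcdef" for c in sid)


# Constructed log format: timestamp, client address, the session ID the client
# presented, and whether the server found a live session for it.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) sid=(?P<sid>\S+) result=(?P<result>valid|invalid)$"
)

SAMPLE_LOG: List[str] = [
    # a normal user: one stale cookie, then a fresh valid session
    "2007-12-05T10:00:00 10.0.0.5 sid=0123abcd result=invalid",
    "2007-12-05T10:00:01 10.0.0.5 sid=feedbeef result=valid",
    # a guesser: six unknown IDs inside 25 seconds
    "2007-12-05T10:00:00 10.0.0.99 sid=00000001 result=invalid",
    "2007-12-05T10:00:05 10.0.0.99 sid=00000002 result=invalid",
    "2007-12-05T10:00:10 10.0.0.99 sid=00000003 result=invalid",
    "2007-12-05T10:00:15 10.0.0.99 sid=00000004 result=invalid",
    "2007-12-05T10:00:20 10.0.0.99 sid=00000005 result=invalid",
    "2007-12-05T10:00:25 10.0.0.99 sid=00000006 result=invalid",
    # a flaky client: five failures spread over ten minutes, never five in 60 s
    "2007-12-05T10:05:00 10.0.0.7 sid=aaaa result=invalid",
    "2007-12-05T10:07:00 10.0.0.7 sid=bbbb result=invalid",
    "2007-12-05T10:09:00 10.0.0.7 sid=cccc result=invalid",
    "2007-12-05T10:11:00 10.0.0.7 sid=dddd result=invalid",
    "2007-12-05T10:13:00 10.0.0.7 sid=eeee result=invalid",
    "not a log line at all",
]


def parse(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None for lines we don't understand."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_guessers(lines: List[str], threshold: int = 5,
                  window: timedelta = timedelta(seconds=60)) -> Dict[str, datetime]:
    """Map each client that presented >= threshold unknown session IDs within
    `window` to the moment it crossed the line. A real user produces a stray
    invalid ID now and then (expired cookie); a guesser produces a stream."""
    recent: Dict[str, deque] = defaultdict(deque)   # client -> failure times
    blocked: Dict[str, datetime] = {}
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "invalid":
            continue
        client = ev["client"]
        if client in blocked:
            continue                                 # already flagged
        q = recent[client]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:        # drop failures outside window
            q.popleft()
        if len(q) >= threshold:
            blocked[client] = ev["ts"]
    return blocked


if __name__ == "__main__":
    print("new id:", new_session_id())
    for client, when in find_guessers(SAMPLE_LOG).items():
        print(f"block {client}: {when.isoformat()}")   # block 10.0.0.99: ...10:00:20
```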
This is not just a moan - it is a serious question.
In the UK, every large computer project since the Navy sponsored the Babbage engine seems to end up running hugely over budget and time, and often delivering nothing. Often, many of these projects could have been done on standard equipment from the high street shop. Remember the 10 lb military wearable computer and radio that did little more than a mobile phone? The recent leak of disks with 25 million UK residents' personal information, most of which was not wanted by the people it was going to, was not removed because that was 'too labour intensive'. A few lines of perl, tops. If they want to send discs, then they can send discs of random numbers, and do one-time pad encryption. If you have a proper source of random numbers, then provided the discs arrive with the seals intact, they can send the actual data XORed with the one-time pad. Not exactly rocket science, any of this.
The usual explanation is a lack of market forces. State projects tend to get offered to contractors with vetted personnel, contractors who have done similar projects before. If you have a military requirement then your choice is restricted to positively vetted people who don't mind working on such stuff. Certainly, in the UK, there seems to be a cosy relationship between the state and the contractors. I am not sure I altogether buy this explanation. If there really is a free market, then more talented people ought eventually to come to the top if the contracts are so lucrative.
Perhaps the problem lies with the national interest. The UK government would have to prefer UK companies to overseas ones. Sometimes the competition has to come from outside a country. 20 years ago, prescription glasses used to be expensive and took a week to arrive. If you were going to the US, you could take your prescription, and get a pair made in an hour. Now you can get the same service in the UK. In the US, it is hard to get a mobile phone unlocked - it is looked on as illegal, but in the UK this is commonplace. In both cases, I don't think there was anything that was actively preventing competition: it just wasn't happening.
This flaw has nothing to do with the webserver or the language the pages are written in, but by an idiotic developer. And believe me, there are idiotic developers in every camp.
"ignored by the clueless management to save money?"
As a Canadian citizen, allow me to assure you that they were most certainly not concerned with saving money.
This tendency for computing projects in non-computing organizations to be "just barely functioning" is discussed by Joel Spolsky in a talk he gave to some students of CS at Yale recently: http://www.joelonsoftware.com/items/2007/12/03.html
Rings true to me.
I wouldn't say Americans are that bad at English.
The problem is not knowing when it's proper to insert "eh", and not always making things like "about" sound like "aboot".
There's a lot more that goes into sounding Canadian than just making your whole head flap.
"It is a miracle that curiosity survives formal education." -Albert Einstein
I'm an immigrant, and at least I can tell that 25% is not equal to 'one fifth'.
I've heard this said somewhere else: My family chose this country. You we just born here by chance.
P.S. It takes a big man to post crap like that AC.
I guess that means birth certificates are meaningless, EH?
Submission as evidence constitutes plaintiff and/or prosecutorial misconduct.
We get "Service Alerts" with "helpful" information for how we're supposed to do business. Some of these "Service Alerts" contain information that, apparently, only certain people are supposed to know. As a result, they are password protected.
If you save the webpage, the default filename that it will save as is also the password for the super-secret information.
So, this story doesn't surprise me.
Never give in--never, never, never, never, in nothing great or small, large or petty, never give in except to conviction
...and the idea that 3 and 4 are separate and distinct is probably what caused this whole problem in the first place.
Right. But a lot has changed since the 1990s. Web applications are complicated. We need specialized languages for specialized tasks.
Usually, in developing a Web application, more than one type of specialist is involved. Often you'll find a Web designer come up with the base layout and design of the HTML, another Web developer who specializes in coding the HTML and JavaScript, using the CSS defined by the Web designer, someone else who plugs in the front-end code, and someone else who writes the middleware, and another to write the back-end code. And you have DBAs, systems administrators, network administrators, testers, project managers and so forth.
It's unusual in any moderately-complicated Web application to have one person who does the whole thing him/herself these days. To paraphrase Hillary Clinton, it takes a village to make a Web app.
My blog
It is pretty sad, but this doesn't even surprise me anyway because of the frequency of this type of incident. I applied for a Canadian Passport this April, so I guess I'm screwed... :(
It's ASP.NET, which the Canadian Government has swallowed hook, line and sinker.
And third-rate programmers using it.
Rich And Stupid is not so bad as Working For Rich And Stupid.
As a fourth generation Canadian, I too have met a large number of Canadians. While I have no intention of defending the AC, I resent the absurd generalization that Canadians are uneducated and racist. With any large sampling of people, you will encounter the good and the bad. I am sorry to discover that you have clearly encountered only the bad, yet you are a sample of one.
I work at a company with fifteen employees, representing eight distinct nationalities and we operate in perfect harmony. This place is not anomalous; I have lived through several similar situations at other companies.
However, I am also a sample of one. Let us look at statistics. Immigration accounted for two-thirds of Canada's population growth in 2006/2007 (http://www.statcan.ca/Daily/English/070927/d070927a.htm/) and has always been a significant contributor to our population (http://www40.statcan.ca/l01/cst01/demo03.htm?sdi=population%20growth/).
Does this trend pose difficulties? Certainly. However, were such a policy not embraced by the majority of Canadians, it certainly would not persist. The tolerance is real. Join us and see for yourself.
ObXKCD link: http://xkcd.com/327/
Help! I'm a slashdot refugee.
Thank you for taking the time to answer my post.
You make excellent points. Indeed, I am a sample of 'one' but the number of people I have met is much larger than just 'one', in fact during the 5 years I have spent in Canada I have probably met several thousand people. And it's true that not all of them are bigots, but by far the majority of the 'real Canadians' that I have met would definitely fit that category. More so outside of the major population centers than in them (most experience with Toronto and Montreal when it comes to big cities and rural Northern Ontario for 'small town Canada').
I think I have seen a pretty good cross section of Canada and I am actually surprised at the very large gap between my experience and the image that Canada tries to project. I can not recall having ever heard someone in Europe refer to another human being as 'trash' but I have heard this many times from the mouths of so-called 'respectable Canadian citizens' and on one occasion even from the mouth of a uniformed member of the Toronto police. That leaves me with very very little respect. I could go on like this for a while but I really see no point, as you have correctly observed I am a sample of one and as such my experience may very well be an anomaly. But I think that I have spent enough time in Canada to at least convince myself that there is more than your average 'come to Canada' brochure is letting on. The Canada that I have seen is full of official policies about equality but a lot of racism and bigotry under the hood. That does not extend to all individuals I've met, I am just contrasting this to other countries that I have experience with and for a country that is basing a very large amount of its population growth on immigration this came as a very large shock to me.
best regards,
Jacques.
MP3 Search Engine
I would put my finger on Government security. Public services are low-funded operations that don't have all the right resources at the right place. And most of the time, I would say that the staff have their hands tied because of management policies. 'Nough said!
Did you not mean out of control, over funded and incompetently managed including kickbacks?
With government, it is all about priorities and political will. Resources, the Canadian government has plenty, but why run a tight ship when every department head runs his own out of control I/T show. "Hey, need a fat contract...give me a call..., competency, no issue".
I've always wondered quite how far into unpronounceability (and indeed unprintability) names are allowed to venture. Merely giving your child a name with a formfeed in it would probably cause chaos enough.
I've also long wondered what the perpetrators of these text-string-passing SQL bindings were on. That's an 'idea' that just isn't one!
I am 125% sure he went to a Canadian public school.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
I know, and it's one of the things that make this country so great.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Well you did say it was a government contract.
It doesn't mean much now, it's built for the future.
This is a thundering misrepresentation. I just got my passport earlier this year in six weeks.
All you do is pay the extra fee for expedited processing, which anyone with a job can afford after a couple weeks savings.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Canadian students rank third in the world in science: http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20071204/pisa_test_071204/20071204?hub=SciTech (USA rated in at 29th)
It's damn hard to perfect code with all these polar bears trying to eat our igloos, and mashing the keyboards in mittens makes for some pretty long debugging sessions. Also someone spilled beer on the one copy of "HTML for Dummies" the government makes us share. So as soon as we come down from the marijuana and finish the Cheetos we'll go over the code again. Has anyone seen my keyboard de-icer? (Hope you can read comments in Frenglish, it was written in Ottawa)
All the good programmers go to work for private companies that pay more.
MABASPLOOM!
"One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government project and "how stuff like this can happen", so bear with me for a bit."
Government? While I'm all in favour of blaming our elected overlords - this is what happens when you give a big contract to CGI. A simple task, much like the nationwide vehicle registry, all they had to do was take the source, file off 'Make, Model, Colour' and replace it with 'Manufacturer, Calibre and Barrel Length' and it cost $2 billion?
Don't give the government 100% of the blame, when there is an incompetent company willing to milk the public purse involved as well.
"History doesn't repeat itself, but it does rhyme." Mark Twain
I am getting my passport (I am Canadian) just so that when I am done visiting the family for Christmas, I can come back home with my American wife. Getting export from Canada is the people....unless they are the more French side of the Canadians....
To see a few of my Android apps goto: www.hartwired.com
Yes, but they don't work for or in government...
I mean, you can tell the real Canadians from the fakes ones easily enough. Just look for the plethora of Canadian flags sewn to their backpacks and bags.
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
Having been a civil servant in the past, I take great exception to your comments. In the 10 years I was with the provincial government, I was only able to attend one outside training session. Being in a smaller province, where training *rarely* came to, most training would require travel (typically to another province) which would never happen. I financed most of those out of my own pocket with no reimbursement. You make it sound like I had a free ride, and a free lunch, with all the extra toppings. It is not. I was refused to attend a conference in Vancouver that was specifically on what I was implementing within the department, because it was too "close" to Whistler/Blackcomb. WTF?!?!?!? The reason? The perception would be exactly the crap that you are spewing.
With regard to the union, they screwed me more than they ever helped me. Ever play the "temporary" position game before? They prevented me from getting the "job" as I didn't have the seniority. Nothing worse than filling a position for 8 months and having someone that is completely incompetent that I had to train for the position, all because they had "more time in." They prevented me from getting a better position, because I didn't have a "degree" that was required for the position, yet I was the one that trained the "degree people" for the position. Go figure eh? The union prevented me from being paid what I was worth because the position that I had didn't reflect the duties I performed. None of the union positions were accurate in this regard. The union screwed me more than they ever protected me. Don't make them sound like they are the golden cup.
I have since gotten out of government, and went over to the private sector, with a larger IT consultant company. This was no better, though I was able to get training very easily (x amount per year) and it didn't matter where it was (I attended something in Vegas, which would have never happened within gov't). While there were some benefits, working 12 hours, getting paid for 8, yet billing for the 12 got tiresome really quick.
Government, private sector, independent contractor doesn't really make a difference. In this consumerism driven society, with the corporate mentality to do more, more, more with less, less, less, is what drove me out of the IT industry. And don't get me started on the politics... Gov't or not, the politics are what really wreck things.
From your point of view, the grass may look greener on the other side of the fence, but look where the green grass is; Odds are it's right over the leaking septic tank. Make sure you check the ground before you start grazing.
I'm not saying there aren't some that have ways to abuse the system, but it's not as common as you portray. There are projects out there that are just as bad, except you don't hear about them. Banks, credit card companies, and private sector is just as bad, except, you don't hear about it, except through the network with people within the fields. It doesn't get out there publicly.
I've since turned my back on the entirety of the whole IT industry as a career. There is absolutely no enjoyment in it anymore. As a hobby, I still love it though.
You're spewing the FUD of a stereotype that perhaps may have some truth to it. But that truth you are spewing is the exception, rather than the rule. There are good people that work within the civil sector. And having worked on both sides, one is no better than the other.
Cheers,
Xyst
I suspect too that you may be trolling, because you must know that for any medium sized or above projects, European competition law is very strict. The UK Government is not allowed to prefer local suppliers. If you doubt this, ask yourself where are EDS, Thales and Fujitsu Siemens based, just to name three?
My own experience suggests that what is actually needed is to sack a load more incompetent Civil Servants with classics degrees, replace them with some people with a clue, and bring these projects back in house. If we can afford to bankroll the likes of Northern Schlock to the tune of billions, we can afford to buy out the contract terms of the companies who are actually raping us, the taxpayers. If the UK Government showed it was serious about having a decent UK-based IT infrastructure within the Civil Service, and a career structure that did not disadvantage scientists and engineers at every turn against the arts graduates, I suspect a lot of highly skilled people would consider coming home again. And if those scientists and engineers had any clout, the arts graduates would be unable to ignore security, because it would be the security experts that made the policy. "No, Permanent Secretary, no encryption and proof of delivery, no data. You want _what_ on a CD? Sign here where it says 'I understand I am putting my job at risk by....'"
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
I like the idea of naming your child "\nEOF"
Teacher: "SlashEnEOhEff?"
Student: "Here, teacher! I go by Slash."
Planning to be moderated ± 1: Bad Pun.
I have set up these types of websites at my current company, and just turned on passwords for that directory in Apache. Of course that alone assumes everyone who is allowed to look at one application is allowed to look at all applications.
Possible that a programmer is told to set up an application for internal use. Management later tells IT to allow outside access; IT moves the application to another server and never turns on security. Someone learns they can allow outside people access to their applications by sending a link...
Perfectly good code later ruined by IT and management.
Your best bet is to generate a random GUID and use that to identify the user. Any data you don't want to be tampered with, such as usernames or access rights, you shouldn't let out of the server, even in an "encrypted" form.
Yes, because private companies NEVER have security problems or make web sites that only work with IE, and employees of private companies never waste time reading sites like Slashdot instead of debugging their code.
As a Canadian citizen who was not born in Canada, I have one thing to say to you: go make me a sandwich, with plenty of green peppers.
Also, very Canadian of you to complain under a cloak of anonymity. And what's this babble in your last paragraph? Canada will accept anyone... Blah. I hope no one steals your pretty TV, and I hope you curb the racist undertones.
One great thing I can say about Canada (I live in the States now) is that it really integrates second-generation immigrants well. Of all of my Canadian friends who were born to non-Canadian parents, I can't think of a single one that has not been of great benefit to the country as a whole.
Integration in the US is hard at best. Generations have passed for some ethnic minorities without much improvement. Be proud of your Canadian heritage, and understand that every single person ever born did not speak English at some point, and had to learn it out of personal need and/or benefit. Have compassion, sandwich boy.
I think we just found the reason why it takes so long without the fee.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
The point is that in large bureaucracies, projects aren't actually supposed to DO anything. They're just supposed to alter the power structure (or preserve it).
This game requires some way to keep score as to who has the power. That would be capital.
"A few lines of Perl code" is not power in a bureaucracy's eye, because it doesn't require capital expenditure. Ninety consultants, over 6 months, with $250k in hardware, and a $50m annual operating expense budget -- now that's power.
Anything that looks to reduce costs or increase productivity drastically is a challenge to the power structure. It must be shouted down as insecure, non-scalable, non-performant, non-standard, and violating export treaties.
So the game of people that want power is to reduce costs and increase productivity "a little bit". 10%. Maybe 20%, if you wanted to be branded "radical". Anything more and you'll be branded a lunatic and shuffled to "special projects".
The above game is played more often in public organizations than private ones, but knows no natural boundaries, particularly when the organization stays afloat due to a perpetual bread-winner (i.e. monopoly product, taxes, etc.) .
-Stu
The web application detects that no cookie is set; a RANDOM GUID is created and your IP address recorded in a database or session cache. The GUID is recorded in a cookie.
For each subsequent page of the form, your cookie is transmitted and the application knows which partially complete record you're filling out, what page of the form you're on, and so forth (sessions in J2EE/PHP/ASP).
Client-chosen GUIDs are unlikely to be valid. Any GUID in a cookie that exists but isn't coming from the right IP address is denied.
THE END
This is just like every other fucking website.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
OK, this is a simple two-part problem.
The truth is, with a breach like this, heads should roll. The project manager should be fired because managing this stuff was their job (that's why they make the big bucks). However, it's most likely that nothing will happen. Unless a million people pick up on the Globe and Mail article and start yelling and screaming, nothing will happen. The goof who let this through will happily work away until he collects his government pension. Bunch of amateurs... makes me retch just thinking about it.
Yeah, those damn foreign-born Canadians...
And all the sucky programmers go to work for government contracts that pay more in one year than one can earn in a typical private company job.
Sad, but true.
There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.
Hiya, yes, I'm \x00John\n\nFrank Smith\a, how can I help?
Get your own free personal location tracker
Basically, as a government employee your only job is to not rock the boat too hard. Take your 2 hr lunch breaks, leave early on Fridays, take expensive training classes, attend one useless meeting after another, and take 4 years to do what a bright 16 yr old could do over a weekend.
And this is different from a private sector job?
I've worked in both public and private sector long enough to know that there is negligible difference in productivity or waste between the two.
During my time at the Dept of Transportation, the roads budget tripled for the same maintenance projects year-to-year after switching to private contractors.
I recall at least a couple of cases of guys getting charged with hacking for altering URLs.
I'm not sure that I would have reported this if I had discovered it. Your mileage may vary.
If you're going to make URLs user or session specific you need very long random-looking strings.
I disagree. That's the ugly (and wrong, in my opinion) way of doing it. I think the better approach is having nice, concise, meaningful strings (http://blah.com/info/?uid=200 is just fine). *BUT*, you authenticate your session with a login (or other authentication) cookie (and do it over an HTTPS session).
Long complicated strings are almost a security-through-obscurity approach; requiring login credentials appropriate to a given URL is the more proper approach. I hate long URLs, and have never needed them in any secure site I've ever designed.
Love many, trust a few, do harm to none.
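The two designs argued over above (the session comment: server-issued random GUID in a cookie, bound to the client IP, with client-chosen GUIDs rejected; and the reply: short `?uid=200` URLs are fine as long as the session is authenticated and each record is authorized on the server) come down to the same few lines of server code. The following is an added example, not code from the original thread or from Passport Canada's site; the record ids, owners, addresses and the `APPLICATIONS` table are constructed for illustration, and `lookup_vulnerable` is the pattern the Globe and Mail article describes, where changing one character of the URL selects someone else's record.

```python
import secrets
import time

# Constructed sample records: applications keyed by a short sequential id,
# the kind of value that ends up in a URL such as /info/?uid=200.
APPLICATIONS = {
    200: {"owner": "alice", "name": "Alice Example", "sin": "123-456-789"},
    201: {"owner": "bob", "name": "Bob Example", "sin": "987-654-321"},
}

SESSION_TTL = 30 * 60  # idle seconds before a session is forgotten


class SessionStore:
    """Server-side session table: random token -> {user, client ip, last seen}."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, client_ip, now=None):
        # 256 bits from the OS CSPRNG. The client never chooses this value,
        # so a guessed or invented token has no matching entry here.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "ip": client_ip,
            "seen": time.time() if now is None else now,
        }
        return token

    def resolve(self, token, client_ip, now=None):
        """Map a presented cookie to a user, or None if the cookie is not valid."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None  # unknown token, including anything the client made up
        if sess["ip"] != client_ip:
            return None  # token presented from a different address
        if now - sess["seen"] > SESSION_TTL:
            del self._sessions[token]  # idle too long: drop the record
            return None
        sess["seen"] = now
        return sess["user"]

    def destroy(self, token):
        """Final submit or logout: the server forgets the session outright."""
        self._sessions.pop(token, None)


def lookup_vulnerable(uid):
    """The broken pattern: the URL parameter alone selects the record."""
    return APPLICATIONS.get(uid)


def lookup_hardened(store, cookie_token, client_ip, uid):
    """Authenticate the session first, then authorize this specific record."""
    user = store.resolve(cookie_token, client_ip)
    if user is None:
        return 401, None
    record = APPLICATIONS.get(uid)
    if record is None or record["owner"] != user:
        # One answer for "no such id" and "not yours": the response does not
        # tell a browsing attacker which ids exist.
        return 404, None
    return 200, record


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice", "203.0.113.5")
    print(lookup_vulnerable(201))  # anyone reads Bob's record by changing one digit
    print(lookup_hardened(store, token, "203.0.113.5", 200))  # (200, Alice's record)
    print(lookup_hardened(store, token, "203.0.113.5", 201))  # (404, None)
    print(lookup_hardened(store, token, "198.51.100.7", 200))  # (401, None)
```

The URL stays short and meaningful; the secret lives in the cookie and the decision lives in `lookup_hardened`. One caveat on the IP binding from the session comment: clients behind carrier NAT or rotating proxies change address mid-session, so in practice the binding is a defence-in-depth signal rather than a hard reject, and the owner check on the record is the control that actually stops the one-character URL edit.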
It really is unforgivable, but unfortunately it is not as uncommon as you might think. I used to review completed projects from an Indian contractor of a company that I was consulting for, and they were about to go into production with a health-care information website that was vulnerable to SQL injection on the login, allowing full visibility of all health records of all users. Heck, even after I told them how to fix the problem, they fixed it with client-side JavaScript (which of course isn't a fix, because the client could turn off JavaScript and still submit the form), and after that, when they fixed their server-side code, they did it on a per-page basis, so in the future, if a new developer comes on board and does not realize what is going on, new pages might be introduced that are again vulnerable to attack, because the underlying query mechanism (i.e. building commands as strings and NOT using parameterized queries) remains unchanged. I tried to warn them, but the company didn't renew my contract when they declared the project "finished". As far as I know the site went into production in that state and remains so to this day (names not disclosed to protect the guilty).
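The login injection described in the comment above, as an added example (not code from the commenter's project): a login query built by string formatting next to the same query with bound parameters. The user table, the `alice` account and the `' OR 1=1 --` payload are constructed for the demonstration, and the SHA-256 digest is a stand-in so the block stays stdlib-only, not a recommendation for password storage.

```python
import hashlib
import sqlite3


def _hash(password):
    # Placeholder digest so the example stays stdlib-only; a real login store
    # needs a slow, salted password hash, which is a separate topic.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db():
    """Constructed in-memory user table standing in for the site's login store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement as a string, so attacker-controlled text becomes SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, _hash(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query; the values travel as bound parameters, never as SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR 1=1 --"  # closes the quoted username, then comments out the rest
    print(login_vulnerable(conn, payload, "anything"))     # alice
    print(login_parameterized(conn, payload, "anything"))  # None
```

The payload arrives at the server whether or not the browser ran any JavaScript, which is why the client-side "fix" in the comment changed nothing. Putting the parameterized form in the one shared data-access function that every page calls is what makes the fix stick when the next developer adds a page.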
In soviet hellhole, IQ average is well above you!
.
- aqk
F U
You know something... now that I pause to think about it for a moment, my company probably represents a comparable number of nationalities, but I had never really considered it before.
I won't suggest that attitude is universal, but to me at least, that is what it means to be Canadian.
sig fault
This is a simple and fundamental error and I'm amazed that the 'security technique' made it into production on such a major site. Doesn't ANYONE know what they're doing? Geez, this is Web Security 101.
... If you're going to make URLs user or session specific you need very long random-looking strings.
We are talking government IT here. The Canadian government appears to be caught in a "race" with the US and British Governments to make the most possible mistakes when it comes to the security of their IT systems... (No doubt the Aussies will be joining in soon, now that they have got an election out of the way.)
A lot of sites were vulnerable to this sort of thing in 1995.
Also once the transaction has ended, either by the final "submit" or timeout, the data should no longer exist so far as the webserver is concerned.
I've always wondered quite how far into unpronounceability (and indeed unprintability) names are allowed to venture. Merely giving your child a name with a formfeed in it would probably cause chaos enough.
It depends on the country. IIRC there are countries which have lists of approved names, which of course only apply to citizens.
Another issue is that translating someone's name into another language, e.g. Arabic to English, is a one-to-many operation. As well as all the common IT issues of assuming names cannot be more than X characters long, only contain ASCII characters, cannot contain spaces (or more than one space), etc., etc.
Which is exactly why most developers are not hired to build large applications containing huge amounts of sensitive customer data.
I make a living out of building exactly these kinds of applications for major international banks and I simply wouldn't get hired if I didn't know about the above.
Thing is that it's generally possible for customers to change their bank without having to change everything else. When it comes to changing your government things are a lot more tricky. Generally moving is a requirement.
The developers should be ashamed of themselves for such a massive lapse, this really is security 101. Equally ashamed should be the people who decided not to bother with running proper penetration testing and security evaluation on such an application.
What are the odds that this was outsourced to some contractor whose only skill was being able to make the correct form of "bid" and/or bribe the right people, whilst subcontracting the actual IT piecemeal. Assume also that none of the people actually making decisions know the first thing about IT and the subcontractors also have the concern of making sure they actually get paid (even though what they actually get is a small fraction of whatever the main contractor charged).
Yeah, I recently took a Chinese class. Acquiring a Chinese given name turned into a lengthy negotiation (my name even has a specified algorithm for translation—my parents are a bit odd—but unfortunately it seems to have failed in this case because of some historical/linguistic misfortune), and my surname is an unresolved disaster. :) (And yes, you recall correctly. Holland, for example, unless they changed matters.)
Other wonderful Canadian projects include buying dented (one apparently hit a whale) and leaking submarines from the UK for far more than they were worth,
:)
But probably far less than they cost the British taxpayers.
$100,000 for a book about dumb blondes
Wonder if there's a book about dumb politicians. Maybe they could be persuaded to all dye their hair blonde.
Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can.
Replace "Canadian" with "just about any".
Nobody will get fired for this, and the folks who designed the passport site will continue to get contracts.
Probably because they have the ability to put together the right sort of "bid", which has little to do with (except possibly mutual exclusivity) being able to actually deliver something useful on time and on budget.
In the UK, every large computer project since the Navy sponsored the Babbage engine seems to end up running hugely over budget and time, and often delivering nothing.
At least in those days MPs weren't afraid to stand up and ask "Why have we paid Mr Babbage enough money for a couple of warships and ended up with a useless pile of cogs?"
Often, many of these projects could have been done on standard equipment from the high street shop. Remember the 10 lb military wearable computer and radio that did little more than a mobile phone?
At least Babbage had the excuse that he was trying to do something beyond "state of the art". I don't recall even the "eighties brick" phones being that heavy. Though a not-too-well-known reason for "embedded journalists" is to ensure that a reliable communication system is available.
The recent leak of discs with 25 million UK residents' personal information, most of which was not wanted by the people it was going to, yet was not removed because that was 'too labour intensive'. A few lines of Perl, tops. If they want to send discs, then they can send discs of random numbers and do one-time pad encryption. If you have a proper source of random numbers, then provided the discs arrive with the seals intact, they can send the actual data XORed with the one-time pad. Not exactly rocket science, any of this.
Except that the people making the decisions don't have the first clue. i.e. if you actually gave them the task of "rocket science" you'd probably end up with a 3 litre bottle containing 1 litre of water and 2 litres of compressed air. (With the bottle costing several times its weight in gold and both fluids costing several thousand pounds per ml.)
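The "few lines" from the disc comment above, as an added example that is not part of the thread: drop the columns nobody asked for, generate a pad from the OS random source for the first disc, and XOR the filtered data with it for the second. The record layout, field names and sample rows are constructed for illustration. It also shows, in `pad_reuse_leak`, the failure mode that makes the pad strictly one-time.

```python
import json
import os


def strip_unwanted(records, wanted_fields):
    """Keep only the columns the recipient asked for: a comprehension, not a project."""
    return [{k: r[k] for k in wanted_fields if k in r} for r in records]


def serialize(records):
    """Stable byte form of the filtered rows, so both sides agree on the plaintext."""
    return json.dumps(records, sort_keys=True).encode("utf-8")


def make_pad(length):
    """Pad bytes from the OS CSPRNG; this is the content of the first disc."""
    return os.urandom(length)


def xor_bytes(data, pad):
    """One-time pad: XOR is its own inverse, so this both encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data; never stretch or reuse a pad")
    return bytes(d ^ p for d, p in zip(data, pad))


encrypt = decrypt = xor_bytes


def prepare_shipment(records, wanted_fields):
    """Disc 1 carries the pad, disc 2 the filtered data XORed with it."""
    plain = serialize(strip_unwanted(records, wanted_fields))
    pad = make_pad(len(plain))
    return pad, encrypt(plain, pad)


def pad_reuse_leak(ct1, ct2):
    """Why a pad is used once: XOR of two ciphertexts under the same pad cancels
    the pad and yields the XOR of the two plaintexts, with no key material needed."""
    n = min(len(ct1), len(ct2))
    return bytes(a ^ b for a, b in zip(ct1[:n], ct2[:n]))


if __name__ == "__main__":
    # Constructed sample rows; the identifiers are invented.
    rows = [
        {"name": "A. Example", "nino": "QQ123456C", "bank": "12-34-56 00112233"},
        {"name": "B. Example", "nino": "QQ654321C", "bank": "65-43-21 33221100"},
    ]
    pad, ct = prepare_shipment(rows, ["name", "nino"])
    print(decrypt(ct, pad) == serialize(strip_unwanted(rows, ["name", "nino"])))  # True
```

Two things the comment leaves implicit: the pad disc and the data disc have to travel by different routes, since whoever holds both holds the plaintext; and XOR alone gives confidentiality, not integrity, so a tampered data disc decrypts to garbage or, worse, to a controlled change, which is why the "seals intact" check on the physical media matters.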
Certainly, in the UK, there seems to be a cosy relationship between the state and the contractors. I am not sure I altogether buy this explanation.
Often these contractors appear to be holding companies so everything ends up being sub contracted (badly).
If there really is a free market, then more talented people ought eventually to come to the top if the contracts are so lucrative,
In order to stand any chance of getting such a contract there is a complex and expensive (6-7 figure) bidding process. This excludes the vast majority of companies from even getting their foot in the door; it also means that something in the order of 5 million pounds is likely to be added to the bill just to cover the bidding costs. The result is you get a few contractors whose specialty is producing bids for government contracts.
But probably far less than they cost the British taxpayers.
Maybe, but Canada really only got 3 subs (for the price of 4) since one had to be stripped for parts. One man also died and 8 were injured when a fire broke out a couple miles off the coast of the UK.
Pretty sure we got "proper fucked" on that one.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
It depends, but I would say, yes. For example, on Facebook, I'm allowed to see the detailed profiles of people who are on my friends list (authenticated by my cookie). The URLs are specific to each user, but the cookie associates my credentials for what I am allowed to see.
There are undoubtedly cases where it's not necessary, and the cookie can carry all the state, but I think that actually leads to *more* confusion. (If someone is left logged in, and you go to your favorite bookmark, seeing their stuff would be confusing, whereas seeing a "you don't have permission for this, dude" is a more reasonable experience.)