Slashdot Mirror
Privacy Breach In Canadian Passport Application Site
Joanna Karczmarek sends us news of a massive privacy breach in the Government of Canada passport website. "A security flaw in Passport Canada's website has allowed easy access to the personal information — including social insurance numbers, dates of birth and driver's license numbers — of people applying for new passports. ... The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser."
Odd's are, lots of people are applying for passports nowadays too, since apparently we Canadians need them to cross the border into americaland in the near future.
3...
2...
1...
Breaking News, a L33t Canadian Hacker broke into a national security site, stealing millions of Dollars worth of personal information.
No word yet on any arrests.
More at 11.
Just -1, Troll talking to another.
That's some leet hakking going on there...
http://www.freedom-to-tinker.com/index.php?p=780
http://www.tjmcintyre.com/2005/06/morris-tribunal-learns-pitfalls-of.html
http://blogs.zdnet.com/threatchaos/?p=464
When they came for the communists, I said "He's next door. Take him away. Goddam commies."
Sounds like some web monkey needs a beating....
I wish I was clever!
Not so much a security flaw is it is incompetence. How could the developers miss this? Oh, here's the sweet part. They said the flaw was repaired on Friday. And from the article...
But after the website resumed operation yesterday afternoon, a few keystrokes sufficed to reveal some of the personal information of passport applicants, including names, addresses and numbers for references and emergency contacts
HAHA! "URL HACKING" is easy to protect against. Maybe they've gone so high tech in security they totally passed on the low tech? Something is awkward here. I will give the developer the benefit of the doubt. I'd expect a half-assed developer to know about URL hacking. I bet this had something more to do with half assed management!
Comment removed based on user account deletion
Essentially all web development technologies are shit. It doesn't matter if they were using Perl CGI scripts, PHP, some JSP-based framework, ASP, ASP.NET, ColdFushion, Ruby on Rails, Django, or whatever other language/framework/technology you want to consider.
The evolutionary nature of the web has lead to such technologies that just don't mesh well with one another. Bring SQL and JavaScript into the mix, and now you can be mixing four or five different languages in one web application. Most developers don't have the time to adequately learn every aspect of HTML, JavaScript, CSS, PHP, XML and SQL just to put together a small web app, for instance.
Frankly, I don't think there is a solution to this problem. We can't go back in time and rework the underlying nature of the web to be more sensible. We'd have to throw so much of it away.
I wouldn't say Americans are that bad at English...
Real Daleks don't climb stairs - they level the building.
http://www.cbc.ca/consumer/story/2007/12/04/passport-security.html?ref=rss
Irresponsible name to have these days.
biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
I'm guessing the database the info comes from is not even encrypted. One could come up with half-a-dozen schemes to prevent this. Here's one: every sensitive record in the database is encrypted with a unique key that is mapped to each session via a very long random number generated on a per-session basis. This random number would be used to decrypt the information in the database (combining, of course, with a server-side key to reconstruct a "permanent key"). So each client-side key would be able to decrypt one and only one sensitive record, making a one-session to many-record scenario impossible. Key-pairs would be generated on a per-session basis from a database of permanent keys that are themselves encrypted and served by a key server. I hereby patent this protocol. Please send me money if you use it or I will sue you.
Just callin' it like I see it.
I havn't looked at the article, but I doubt that's going to help against someone determined. Sure - Joe Blogs who found the bug this time probably wouldn't have, but that's just an URL encoded string, which are trivial to decode (I believe PHP has an urldecode function for just that).
Never, ever, trust data provided by the user. If there's potential to cause trouble, somebody will do it, which is why the site should have been keeping track of who's application was being filled out on the server, probably in a session variable.
Parent's links are viruses.
I just pooped your party.
Basically the majority of all Canadian government projects go badly and go overbudget, not just a wee little bit, but by a lot - incompetence and lack of any accountability are systemic problems in virtually every government project. Corruption too.
One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government project and "how stuff like this can happen", so bear with me for a bit.
The registry was supposed to cost 2 million (with a M) dollars when it was "sold" in 2000. They've so far spent well over a billion (with a B) and the CBC was leaked documents from a reputable source that place the cost at 2 billion dollars. BTW, there are still fairly significant fees for the license and registration portion - paid by the person who wants to own the firearm.
I'm honestly not sure who got / gets the money, but clearly, a (2?) billion (plus?) dollars goes to someone, and they are getting a sweet, sweet deal. It's basically a complete failure too - while numbers vary, there is a significant discrepancy between the number of guns registered and the number believed to be in Canada. A frequently quoted statistic is "just under 7 million registered while estimates from the '70s indicated ~10 million firearms in Canada"
At this point, only one province (Quebec) will prosecute people who didn't register their firearms (the decision to prosecute is left to the province), there are substantial problems with the quality of the data in the database (to the point where a number of high profile police chiefs have called for it's abolishment).
Yes, we have 3 territories too, where firearm laws are pretty much ignored.
Tying it in with this article - there are allegations that either the registry has been hacked - or (far more likely) some people with access to the registry are using the registry to find gun owners with large collections to rob. We've had a number of robberies of collectors homes recently.
Other wonderful Canadian projects include buying dented (one apparantly hit a whale) and leaking submarines from the UK for far more than they were worth, a quarter-million dollars for a sculpture made of guns, $100,000 for a book about dumb blondes, and $250,000 to sculpt the face of St. Jean the Baptist on a hillside in Quebec by cutting and planting trees - the list goes on and on.
Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can. Nobody will get fired for this, and the folks who designed the passport site will continue to get contracts. I'd be willing to bet the same folks that did the gun registry worked on this project.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
This is not just a moan - it is a serious question.
In the UK, every large computer project since the Navy sponsored the Babbige engine seems to end up running hugely over budget and time, and often delivering nothing. Often, many of these projects could have been done on standard equipment from the high street shop. Remember the 10 lb military wearable computer and radio that did little more than a mobile phone? The recent leak of disks with 25 million UYK residents' personal information, most of which was not wanted by the people it was going to was not removed because that was 'too labour intensive'. A few lines of perl, tops. If they want to send discs, then can send discs of random numbers, and do one-time pad encryption. If you have a proper source of random numbers, then provided the discs arrive with the seals intact, they can send the actual data XORed with the one-time pad. Not exactly rocket science, any of this.
The usual explanation is a lack of market forces. State projects tend to get offered to contractors with vetted personnel, contractors who have done similar projects before. If you have a military requirement then your choice is restriced to positively vetted people who don't mind working on such stuff. Certainly, in the UK, there seems to be a cosy relationship between the state and the contractors. I am not sure I altogether buy this explanation. If there really is a free market, then more talented people ought eventually to come to the top if the contracts are so lucrative,
Perhaps the problem lies with the national interest. The UK government would have to prever UK companies to overseas ones. Sometimes the competition has to come from outside a country. 20 years ago, prescription glasses used to be expensive and took a week to arrive. If you were going to the US, you could take your prescription, and get a pair made in an hour. Now you can get the same service in the UK. In the US, it is hard to get a mobile phone unlocked - it is looked on as illegal, but in the UK this is commonplace. IN both cases, I don't think there was anyhing that was actively preventing competition: it just wasn't happening.
This flaw has nothing to do with the webserver or the language the pages are written in, but by an idiotic developer. And believe me, there are idiotic developers in every camp.
...and the idea that 3 and 4 are separate and distinct is probably what caused this whole problem in the first place.
As a fourth generation Canadian, I too have met a large number of Canadians. While I have no intention of defending the AC, I resent the absurd generalization that Canadians are uneducated and racist. With any large sampling of people, you will encounter the good and the bad. I am sorry to discover that you have clearly encountered only the bad, yet you are a sample of one.
I work at a company with fifteen employees, representing eight distinct nationalities and we operate in perfect harmony. This place is not anomalous; I have lived through several similar situations at other companies.
However, I am also a sample of one. Let us look at statistics. Immigration accounted for two-thirds of Canada's population growth in 2006/2007 (http://www.statcan.ca/Daily/English/070927/d070927a.htm/) and has always been a significant contributor to our population (http://www40.statcan.ca/l01/cst01/demo03.htm?sdi=population%20growth/).
Does this trend pose difficulties? Certainly. However, were such a policy not embraced by the majority of Canadians, it certainly would not persist. The tolerance is real. Join us and see for yourself.
ObXKCD link: http://xkcd.com/327/
Help! I'm a slashdot refugee.
I've always wondered quite how far into unpronounceability (and indeed unprintability) names are allowed to venture. Merely giving your child a name with a formfeed in it would probably cause chaos enough.
I've also long wondered what the perpetrators of these text-string-passing SQL bindings were on. That's an 'idea' that just isn't one!
Well you did say it was a government contract.
It doesn't mean much now, it's built for the future.
Canadian students rank third in the world in science: http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20071204/pisa_test_071204/20071204?hub=SciTech (USA rated in at 29th)
All the good programmers go to work for private companies that pay more.
MABASPLOOM!
Lots of breeches listed here.
Having being a civil servant in the past, I take great exception to your comments. In the 10 years I was with the provincial government, I was only able to attend one outside training session. Being in a smaller province, where training *rarely* came to, most training would require travel (typically to another province) which would never happen. I financed most of those out of my own pocket with no reimbursement. You make it sound like I had a free ride, and a free lunch, with all the extra toppings. It is not. I was refused to attend a conference in Vancouver that was specifically on what I was implementing within the department, because it was too "close" to Whistler/Blackcomb. WTF?!?!?!? The reason? The perception would be exactly the crap that you are spewing.
With regard to the union, they screwed me more than they ever helped me. Ever play the "temporary" position game before? They prevented me from getting the "job" as I didn't have the seniority. Nothing worse than filling a position for 8 months and having someone that is completely incompetent that I had to train for the position, all because they had "more time in." The preventing me from getting a better position, because I didn't have a "degree" that was required for the position, yet I was the one that trained the "degree people" for the position. Go figure eh? The union prevented me from being paid what I was worth because the position that I had, didn't reflect the duties I performed. None of the union positions were accurate in this regards. The union screwed me more than they ever protected me. Don't make them sound like they are the golden cup.
I have since gotten out of government, and went over to private sector, with a larger IT consultant company. This was no better, though I was able to get training very easily (x amount per year) and it didn't matter where it was (I attended something in Vegas, which would have never happened within gov't. While there were some benefits, working 12 hours, getting paid for 8, yet billing for the 12 got tiresome really quick.
Government, private sector, independent contractor doesn't really make a difference. In this consumerism driven society, with the corporate mentality to do more, more, more with less, less, less, is what drove me out of the IT industry. And don't get me started on the politics... Gov't or not, the politics are what really wreck things.
From your point of view, the grass may look greener on the other side of the fence, but look where the green grass is; Odds are it's right over the leaking septic tank. Make sure you check the ground before you start grazing.
I'm not saying there aren't some that have ways to abuse the system, but it's not as common as you portray. There are projects out there that are just as bad, except you don't hear about them. Banks, credit card companies, and private sector is just as bad, except, you don't hear about it, except through the network with people within the fields. It doesn't get out there publicly.
I've since turned my back on the entirety of the whole IT industry as a career. There is absolutely no enjoyment in it anymore. As a hobby, I still love it though.
Your spewing the FUD of a stereotype that perhaps may have some truth to it. But that truth you are spewing is the exception, rather than the rule. There are good people that work within the civil sector. And have worked on both sides, one is no better than the other.
Cheers,
Xyst
Yes, because private companies NEVER have security problems or make web sites that only work with IE, and employees of private companies never waste time reading sites like Slashdot instead of debugging their code.
I recall at least a couple cases of guys getting charged with hacking for altering URLs.
I'm not sure that I would have reported this if I had discovered it. Your mileage may vary.