Security

Privacy Breach In Canadian Passport Application Site 197

Joanna Karczmarek sends us news of a massive privacy breach in the Government of Canada passport website. "A security flaw in Passport Canada's website has allowed easy access to the personal information — including social insurance numbers, dates of birth and driver's license numbers — of people applying for new passports. ... The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser."
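The flaw in the summary, where changing one character of the URL shows another applicant's record, is a missing per-object authorization check. The sketch below is an added example, not code from Passport Canada's site or from the original post; the record layout, function names and session model are all assumptions.

```python
import secrets

# Constructed sample records; ids, owners and field values are made up.
APPLICATIONS = {
    1001: {"owner": "alice", "dob": "1970-01-01"},
    1002: {"owner": "bob", "dob": "1980-02-02"},
}

class Forbidden(Exception):
    """Raised when the session user may not read the requested record."""

def view_vulnerable(session_user, app_id):
    # Flawed pattern: the id from the URL is the only thing consulted,
    # so changing one character returns somebody else's application.
    return APPLICATIONS[app_id]

def view_checked(session_user, app_id):
    # Fix: authorize every object lookup against the authenticated session.
    record = APPLICATIONS.get(app_id)
    # One error for "missing" and "not yours", so ids cannot be probed.
    if record is None or record["owner"] != session_user:
        raise Forbidden("application not available")
    return record

class SessionHandles:
    """Defence in depth: URLs carry a random per-session handle, not the id."""

    def __init__(self, session_user):
        self.user = session_user
        self._handles = {}

    def issue(self, app_id):
        view_checked(self.user, app_id)  # only owners receive a handle
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = app_id
        return handle

    def resolve(self, handle):
        if handle not in self._handles:
            raise Forbidden("application not available")
        # The ownership check still runs; the handle is not the access control.
        return view_checked(self.user, self._handles[handle])
```

The random handle only makes identifiers unguessable; the ownership check in `view_checked` is what actually closes the hole.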

  • Re:Wow (Score:2, Insightful)

    by Anonymous Coward on Wednesday December 05, 2007 @07:21AM (#21583387)
    Essentially all web development technologies are shit. It doesn't matter if they were using Perl CGI scripts, PHP, some JSP-based framework, ASP, ASP.NET, ColdFusion, Ruby on Rails, Django, or whatever other language/framework/technology you want to consider.

    The evolutionary nature of the web has led to such technologies that just don't mesh well with one another. Bring SQL and JavaScript into the mix, and now you can be mixing four or five different languages in one web application. Most developers don't have the time to adequately learn every aspect of HTML, JavaScript, CSS, PHP, XML and SQL just to put together a small web app, for instance.

    Frankly, I don't think there is a solution to this problem. We can't go back in time and rework the underlying nature of the web to be more sensible. We'd have to throw so much of it away.
  • Re:Wow (Score:1, Insightful)

    by Anonymous Coward on Wednesday December 05, 2007 @07:32AM (#21583427)
    > Most developers don't have the time to adequately learn
    > every aspect of HTML, JavaScript, CSS, PHP, XML and SQL just to put together a small web app

    Each may have different syntax, but they also have very different uses. Even if they were all bundled up in the same language, you would still have to *learn* how to use each aspect. You still need to display content to the user, you still need to be able to manipulate that content, you still need to be able to generate it, and to get data out of your database. There's still a lot to learn, but you're using syntax as a scapegoat.
  • Re:Bad Monkey!!!! (Score:3, Insightful)

    by statusbar ( 314703 ) <jeffk@statusbar.com> on Wednesday December 05, 2007 @08:11AM (#21583657) Homepage Journal
    Where do these people get educated anyways? And how much of my tax dollars are going to pay for this incompetence?

    This is such a simplistic error - it means that there are more simplistic errors hiding in the website as well, not only this one.

    Passport security is so important, why don't they audit the website BEFORE it goes live?

    --jeffk++
  • Re:Bad Monkey!!!! (Score:3, Insightful)

    by berzerke ( 319205 ) on Wednesday December 05, 2007 @09:15AM (#21583957) Homepage

    > Passport security is so important, why don't they audit the website BEFORE it goes live?

    Because those directly responsible for the bad design have little, if any, liability for screw up. They aren't out any money. Their information isn't public/stolen. They don't face jail time, and it's unlikely their career will take any real hit assuming they can be identified at all.

    BTW, it *may* not be the coders that are responsible for the bad design. More than once I've been directly ordered by my past bosses to do something I knew was not a good idea. But, so long as it's not illegal, I have to obey orders.

  • Re:.aspx (Score:3, Insightful)

    by dave420 ( 699308 ) on Wednesday December 05, 2007 @09:22AM (#21583995)
    This flaw has nothing to do with the webserver or the language the pages are written in, but by an idiotic developer. And believe me, there are idiotic developers in every camp.
  • by JuanCarlosII ( 1086993 ) on Wednesday December 05, 2007 @09:48AM (#21584167)

    I haven't developed commercially in a while, but it was my understanding that for these larger sites the job would be split up.

    One group is in charge of layout.
    Another group is in charge of content (graphics, sounds, text).
    Another one or two groups is in charge of client/server side scripting.
    Another group is in charge of security.
    And a final group is in charge of putting everything together.

    ...and the idea that 3 and 4 are separate and distinct is probably what caused this whole problem in the first place.

  • Re:Bad Monkey!!!! (Score:5, Insightful)

    by Hotawa Hawk-eye ( 976755 ) on Wednesday December 05, 2007 @10:53AM (#21584757)
    What if the boss had these options:

    Option A and B: A & B achieve identical functionality but B comes with an enormous security breach. Implementing A costs one million dollars more than implementing B.

    WWDPHBD? [What Would Dilbert's Pointy Haired Boss Do?]
  • by neoform ( 551705 ) <djneoform@gmail.com> on Wednesday December 05, 2007 @11:19AM (#21585063) Homepage
    All the good programmers go to work for private companies that pay more.
  • by xystren ( 522982 ) on Wednesday December 05, 2007 @12:05PM (#21585649)

    > I swear to god I hate the civil service. Basically as a government employee your only job is to not rock the boat too hard. Take your 2 hr lunch breaks, leave early on Fridays, take expensive training classes [that nobody in private sector gets to attend], attend one useless meeting after another, and take 4 years to do what a bright 16 yr old could do over a weekend. That's ok. Because, hey, you're in a union, god forbid you actually have accountability and performance metrics that mean anything...

    Having been a civil servant in the past, I take great exception to your comments. In the 10 years I was with the provincial government, I was only able to attend one outside training session. Being in a smaller province, where training *rarely* came to, most training would require travel (typically to another province) which would never happen. I financed most of those out of my own pocket with no reimbursement. You make it sound like I had a free ride, and a free lunch, with all the extra toppings. It is not. I was refused to attend a conference in Vancouver that was specifically on what I was implementing within the department, because it was too "close" to Whistler/Blackcomb. WTF?!?!?!? The reason? The perception would be exactly the crap that you are spewing.

    With regard to the union, they screwed me more than they ever helped me. Ever play the "temporary" position game before? They prevented me from getting the "job" as I didn't have the seniority. Nothing worse than filling a position for 8 months and having someone that is completely incompetent that I had to train for the position, all because they had "more time in." The preventing me from getting a better position, because I didn't have a "degree" that was required for the position, yet I was the one that trained the "degree people" for the position. Go figure eh? The union prevented me from being paid what I was worth because the position that I had, didn't reflect the duties I performed. None of the union positions were accurate in this regard. The union screwed me more than they ever protected me. Don't make them sound like they are the golden cup.

    I have since gotten out of government, and went over to private sector, with a larger IT consultant company. This was no better, though I was able to get training very easily (x amount per year) and it didn't matter where it was (I attended something in Vegas, which would have never happened within gov't). While there were some benefits, working 12 hours, getting paid for 8, yet billing for the 12 got tiresome really quick.

    Government, private sector, independent contractor doesn't really make a difference. In this consumerism driven society, with the corporate mentality to do more, more, more with less, less, less, is what drove me out of the IT industry. And don't get me started on the politics... Gov't or not, the politics are what really wreck things.

    From your point of view, the grass may look greener on the other side of the fence, but look where the green grass is; Odds are it's right over the leaking septic tank. Make sure you check the ground before you start grazing.

    I'm not saying there aren't some that have ways to abuse the system, but it's not as common as you portray. There are projects out there that are just as bad, except you don't hear about them. Banks, credit card companies, and private sector is just as bad, except, you don't hear about it, except through the network with people within the fields. It doesn't get out there publicly.

    I've since turned my back on the entirety of the whole IT industry as a career. There is absolutely no enjoyment in it anymore. As a hobby, I still love it though.

    You're spewing the FUD of a stereotype that perhaps may have some truth to it. But that truth you are spewing is the exception, rather than the rule. There are good people that work within the civil sector. And having worked on both sides, one is no better than the other.

    Cheers,
    Xyst

  • by leoxx ( 992 ) on Wednesday December 05, 2007 @01:08PM (#21586613) Homepage Journal
    Yes, because private companies NEVER have security problems or make web sites that only work with IE, and employees of private companies never waste time reading sites like Slashdot instead of debugging their code.
