Privacy Breach In Canadian Passport Application Site 197
Joanna Karczmarek sends us news of a massive privacy breach in the Government of Canada passport website. "A security flaw in Passport Canada's website has allowed easy access to the personal information — including social insurance numbers, dates of birth and driver's license numbers — of people applying for new passports. ... The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser."
Wonderful (Score:5, Interesting)
what's being done (Score:1, Interesting)
Basic Encryption? (Score:3, Interesting)
Wish we could say this was unique. (Score:3, Interesting)
One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government project and "how stuff like this can happen", so bear with me for a bit.
The registry was supposed to cost 2 million (with a M) dollars when it was "sold" in 2000. They've so far spent well over a billion (with a B) and the CBC was leaked documents from a reputable source that place the cost at 2 billion dollars. BTW, there are still fairly significant fees for the license and registration portion - paid by the person who wants to own the firearm.
I'm honestly not sure who got / gets the money, but clearly, a (2?) billion (plus?) dollars goes to someone, and they are getting a sweet, sweet deal. It's basically a complete failure too - while numbers vary, there is a significant discrepancy between the number of guns registered and the number believed to be in Canada. A frequently quoted statistic is "just under 7 million registered while estimates from the '70s indicated ~10 million firearms in Canada"
At this point, only one province (Quebec) will prosecute people who didn't register their firearms (the decision to prosecute is left to the province), there are substantial problems with the quality of the data in the database (to the point where a number of high profile police chiefs have called for it's abolishment).
Yes, we have 3 territories too, where firearm laws are pretty much ignored.
Tying it in with this article - there are allegations that either the registry has been hacked - or (far more likely) some people with access to the registry are using the registry to find gun owners with large collections to rob. We've had a number of robberies of collectors homes recently.
Other wonderful Canadian projects include buying dented (one apparantly hit a whale) and leaking submarines from the UK for far more than they were worth, a quarter-million dollars for a sculpture made of guns, $100,000 for a book about dumb blondes, and $250,000 to sculpt the face of St. Jean the Baptist on a hillside in Quebec by cutting and planting trees - the list goes on and on.
Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can. Nobody will get fired for this, and the folks who designed the passport site will continue to get contracts. I'd be willing to bet the same folks that did the gun registry worked on this project.
Why are state computing projects always like this? (Score:5, Interesting)
This is not just a moan - it is a serious question.
In the UK, every large computer project since the Navy sponsored the Babbige engine seems to end up running hugely over budget and time, and often delivering nothing. Often, many of these projects could have been done on standard equipment from the high street shop. Remember the 10 lb military wearable computer and radio that did little more than a mobile phone? The recent leak of disks with 25 million UYK residents' personal information, most of which was not wanted by the people it was going to was not removed because that was 'too labour intensive'. A few lines of perl, tops. If they want to send discs, then can send discs of random numbers, and do one-time pad encryption. If you have a proper source of random numbers, then provided the discs arrive with the seals intact, they can send the actual data XORed with the one-time pad. Not exactly rocket science, any of this.
The usual explanation is a lack of market forces. State projects tend to get offered to contractors with vetted personnel, contractors who have done similar projects before. If you have a military requirement then your choice is restriced to positively vetted people who don't mind working on such stuff. Certainly, in the UK, there seems to be a cosy relationship between the state and the contractors. I am not sure I altogether buy this explanation. If there really is a free market, then more talented people ought eventually to come to the top if the contracts are so lucrative,
Perhaps the problem lies with the national interest. The UK government would have to prever UK companies to overseas ones. Sometimes the competition has to come from outside a country. 20 years ago, prescription glasses used to be expensive and took a week to arrive. If you were going to the US, you could take your prescription, and get a pair made in an hour. Now you can get the same service in the UK. In the US, it is hard to get a mobile phone unlocked - it is looked on as illegal, but in the UK this is commonplace. IN both cases, I don't think there was anyhing that was actively preventing competition: it just wasn't happening.
Re:Basic Encryption? (Score:4, Interesting)
Re:Wow (Score:3, Interesting)
I've always wondered quite how far into unpronounceability (and indeed unprintability) names are allowed to venture. Merely giving your child a name with a formfeed in it would probably cause chaos enough.
I've also long wondered what the perpetrators of these text-string-passing SQL bindings were on. That's an 'idea' that just isn't one!
Re:Bad Monkey!!!! (Score:3, Interesting)
Having previously worked there (the Passport Office), and it's probably the same in every other government branch, I think the big dumb gaping hole comes from outside consultants. Someone applying for a tenured job has to go through various screening processes, and while the screening isn't super-duper, it's still better than nothing. Consultants only need to win a bidding war (if at all), and of course the people who bid low on contracts tend to be the people who aren't worth their carbon in the first place (because good consultants typically aren't desperate).
Now I only had a tangential involvement with "big IT", but they seemed to have a mostly healthy bunch of skilled techies, at least the ones I cared to know
Now again, I wasn't involved in this particular app, I was in a support department. Maybe it was different for the production staff. I'm not necessarily saying that the zillion-dollar system that handles passports was coded in VB by a bunch of Volvo-driving ignorants, but I wouldn't be surprised if that were true, either. It's just far too easy to screw the government, because there's no real boss, just a bunch of PHBs trying to cover their asses.
Re:Are they incompetent? (Score:2, Interesting)