
Privacy Breach In Canadian Passport Application Site

kdawson posted more than 6 years ago | from the didn't-need-that-old-identity-anyhow dept.

Security 197

Joanna Karczmarek sends us news of a massive privacy breach in the Government of Canada passport website. "A security flaw in Passport Canada's website has allowed easy access to the personal information — including social insurance numbers, dates of birth and driver's license numbers — of people applying for new passports. ... The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser."


197 comments


For Xmas or Valentine (0, Offtopic)

Adolf Hitroll (562418) | more than 6 years ago | (#21583135)

Offer her a diamond [worldvision.org.uk] ...

But where is she gonna wear it?

In your BEACH, slashdot (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21583137)

In your BEACH !!

Wonderful (4, Interesting)

Grey_14 (570901) | more than 6 years ago | (#21583145)

Odds are, lots of people are applying for passports nowadays too, since apparently we Canadians need them to cross the border into americaland in the near future.

Re:Wonderful (0)

Anonymous Coward | more than 6 years ago | (#21583177)

Passports are already required if you fly. By the end of January 2008, they'll be required for crossing over the border by car, foot, train, boat as well.

Re:Wonderful (0)

Anonymous Coward | more than 6 years ago | (#21583221)

Damn that America for a huge security flaw in the Canadian passport system. Oh wait, that doesn't make any sense....

Re:Wonderful (1)

ResidntGeek (772730) | more than 6 years ago | (#21583637)

...which is probably why nobody said it.

Re:Wonderful (0)

Anonymous Coward | more than 6 years ago | (#21583777)

Don't worry, someone will find a way to tie this mess to President Bush.

Here, I'll show you how easy it is to blame President Bush: If it weren't for the Climate of Fear that BushCo created after 9/11, we wouldn't need passports!

See how easy it is? I'd make a great lefty... except, well, for the fact I have an IQ well above average... and I've lived in Leftist hellholes. :)

Re:Wonderful (0)

Anonymous Coward | more than 6 years ago | (#21583837)

Since when has three points above the median value been considered "well above average"?

Re:Wonderful (3, Informative)

Wowsers (1151731) | more than 6 years ago | (#21583423)

In the UK, applying for a passport _now_ gets around the UK's ID card laws and its Nazi-esque data gathering, oh, and is considerably cheaper now compared to IF the ID cards ever come into existence.

As for this security flaw, there was a similar one found a few months ago in the UK's own online visa applications system http://www.channel4.com/news/articles/business_money/online+visa+security+flaw/517157 [channel4.com] . Maybe they hired the same idiot programmers?

Re:Wonderful (1)

Chris whatever (980992) | more than 6 years ago | (#21583981)

That would be fun to ask the same of them... and for every country to ask it of them.

In the news today, to get a passport in the US the wait time is now 3 years... because 1% had them; now the rest need them to move around.

It's funny how the United States asks everything of everyone but gets frustrated and imposes economic sanctions on other countries when the other parties ask the same of them.

Re:Wonderful (1)

morgan_greywolf (835522) | more than 6 years ago | (#21584039)

Well, here in Americaland, you can't even get a passport online. So there! :-P

Trash the World (4, Funny)

Smordnys s'regrepsA (1160895) | more than 6 years ago | (#21583165)

3...
2...
1...

Breaking News, a L33t Canadian Hacker broke into a national security site, stealing millions of Dollars worth of personal information.

No word yet on any arrests.

More at 11.

Re:Trash the World (1)

RadioElectric (1060098) | more than 6 years ago | (#21583703)

Nothing to see here eh?

31337 h4x0r (3, Funny)

martinX (672498) | more than 6 years ago | (#21583183)

Any site that documents these breaches? (1)

suso (153703) | more than 6 years ago | (#21583651)

I was wondering, does anyone know of a website that has been keeping track of all the notable security breaches over the past several years? It would be useful to have that information when you need to show it to a manager, etc. Thanks.

.NET Passport (1)

yoshi3 (1118623) | more than 6 years ago | (#21583185)

When I first saw the title I thought Microsoft .NET Passport LOL

Bad Monkey!!!! (3, Funny)

TheeBlueRoom (809813) | more than 6 years ago | (#21583191)

Sounds like some web monkey needs a beating....

Re:Bad Monkey!!!! (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21583225)

How about a good spanking?

Re:Bad Monkey!!!! (4, Funny)

chuckymonkey (1059244) | more than 6 years ago | (#21583233)

*Waves hand in the air* I am not the monkey you are looking for.

Re:Bad Monkey!!!! (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21583241)

I believe you mean 'spanking'.

Re:Bad Monkey!!!! (2, Insightful)

statusbar (314703) | more than 6 years ago | (#21583657)

Where do these people get educated anyways? And how much of my tax dollars are going to pay for this incompetence?

This is such a simplistic error - it means that there are more simplistic errors hiding in the website as well, not only this one.

passport security is so important, why don't they audit the website BEFORE it goes live?

--jeffk++

Re:Bad Monkey!!!! (2, Insightful)

berzerke (319205) | more than 6 years ago | (#21583957)

passport security is so important, why don't they audit the website BEFORE it goes live?

Because those directly responsible for the bad design have little, if any, liability for the screw-up. They aren't out any money. Their information isn't public/stolen. They don't face jail time, and it's unlikely their career will take any real hit, assuming they can be identified at all.

BTW, it *may* not be the coders that are responsible for the bad design. More than once I've been directly ordered by my past bosses to do something I knew was not a good idea. But, so long as it's not illegal, I have to obey orders.

Re:Bad Monkey!!!! (1)

JuanCarlosII (1086993) | more than 6 years ago | (#21584271)

I can't see how you could possibly not blame the coders responsible. Sure, so it might not be entirely down to them, but I can't think of many bosses who when faced with:

"Option A and B: A & B achieve identical functionality but B comes with enormous security breach"

Would ever be likely to choose B if they were informed of the option. If they weren't informed then it's down to the coders again. Blame the bosses for the fact that this terrible code got live and got to leak sensitive data all over the internet, but at the end of the day terrible code is terrible code and doesn't come from anywhere but a coder.

Disclaimer: of course the other option might be that the bosses made someone do it who wasn't a coder at all but 'knew a bit about websites'. In which case it is entirely their fault, but I can't see that being the case for a project of this importance.

Re:Bad Monkey!!!! (1)

Rasgueado (1027760) | more than 6 years ago | (#21584209)

Unfortunately, Canada has a really bad track record for IT.
Remember the gun registry database? Not a terribly ambitious project... It was budgeted for $2 Million, and ended up running $748 Million over budget (seriously).

(Not the best link, didn't have much time to look for one).
http://cdnshooter.blogspot.com/2007/04/excellent-essay-on-cost-of-gun-control.html [blogspot.com]

Re:Bad Monkey!!!! (1)

canuck57 (662392) | more than 6 years ago | (#21584141)

Sounds like some web monkey needs a beating....

While some grade D web monkey made a fundamental mistake, you have to look towards management for this. Or it will happen again. Where was the pen testing? Peer code review? Design review? (Assuming it was designed and not hacked).

I am NOT a government insider but have visited the government web sites enough to know how its I/T operates. It is operated by department-level politics and fragmented so badly it has no effective leader or policies. Sort of like every political department for themselves being I/T gurus. Ends up being a real mess. Especially when every political manager thinks they are web gurus because they can save HTML. Grade D web coder was probably a consultant without rules or guidance on basic standards. That is, careless computing at its best.

Go for the management if you want this fixed for real. A centralized I/T group with industry standard policies including industry best practices enforced across the board. Code and peer reviews before release, version control, pen testing, development, test, production life cycles and the whole 9 yards. And move away from Mr political manager has budget and becomes designer, tester, reviewer, project manager all by his/her incompetent self.

.aspx (0)

Anonymous Coward | more than 6 years ago | (#21583193)

http://www.pptc.gc.ca/index.aspx?lang=e [pptc.gc.ca]
Why doesn't it surprise me it's asp.NET?

Re:.aspx (1)

CelticLo (575344) | more than 6 years ago | (#21583589)

No, it's incredibly shoddy coding that could be done on any platform.

Here's an example of how to encrypt URL data in ASP:

Using this encryption, you can transform a standard QueryString like:
/SomePage.asp?SL=ActiveServerPages&N1=4GuysFromRolla.com&N2=FreeURL.com
to utter gobbledegook, something that the web surfer will have no idea what variables and values are being passed along through the QueryString:
/SomePage.asp?crypt=w%96%9Ei%7D%9D%AE%91%B7%ACf%86%C4%AC%CA%90%96c%A1%9D%8F%89%B2z%92U%87Z%95%CF%A6%A5i%BE%96%9C%91%B9%AA%A5%97d%BE%BF%95gwb%8C%93%B7%8A%88%A7%A2%94h%B8%A9%AA

Code sample is here:
http://www.4guysfromrolla.com/webtech/code/qs.enc.asp.html [4guysfromrolla.com]

Re:.aspx (3, Informative)

Jellybob (597204) | more than 6 years ago | (#21583669)

I haven't looked at the article, but I doubt that's going to help against someone determined. Sure - Joe Blogs who found the bug this time probably wouldn't have, but that's just a URL encoded string, which are trivial to decode (I believe PHP has an urldecode function for just that).

Never, ever, trust data provided by the user. If there's potential to cause trouble, somebody will do it, which is why the site should have been keeping track of whose application was being filled out on the server, probably in a session variable.

Re:.aspx (1)

telchine (719345) | more than 6 years ago | (#21583843)

Never, ever, trust data provided by the user. If there's potential to cause trouble, somebody will do it, which is why the site should have been keeping track of whose application was being filled out on the server, probably in a session variable.
In order for Session variables to work, a Session ID must be generated to maintain state. Where do you think the session ID comes from? It's provided by the user in a cookie. By using cookies instead of urls, you won't be solving the problem, you'll only be moving it.

The underlying problem is that the id to maintain state in the web site is so short as to be easy to guess another one that will work. The solution to this is to use much larger session IDs and generate them randomly. I'd say a 128 bit integer at least. On top of that, it'd make sense to have some code in place to detect when a user is trying to guess an ID by brute force. If they try then log the attempted intrusion and block the user.

The Session object in ASP generated Session IDs that were predictable. I think ASP.Net's mechanism is better, but I don't know how much better. I wouldn't trust the Session object to generate non-predictable IDs in all circumstances; it is, after all, closed-source software and not open to review. It would be prudent when using the Session object to generate State IDs to also ensure that attempts to guess the ID are blocked as well.
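The two points made in this sub-thread (Jellybob: keep the mapping from session to application on the server; telchine: issue long random session IDs and detect attempts to guess them) in working code. This is an added illustration, not code from the thread or from the site under discussion; the in-memory stores, the account names, the 128-bit token length and the lockout threshold of 5 failures are constructed assumptions.

```python
import logging
import secrets
from collections import defaultdict

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("passport-demo")

# Constructed in-memory store standing in for the application database.
# The owner field is the account that created the application; the client
# never gets to name the owner, only the application id.
APPLICATIONS = {
    1001: {"owner": "alice", "sin_number": "<redacted>", "dob": "1970-01-01"},
    1002: {"owner": "bob", "sin_number": "<redacted>", "dob": "1980-02-02"},
}

# session id -> account name, held only on the server. The browser carries
# the opaque id (in a cookie); the account it maps to is never user-supplied.
SESSIONS = {}

# Per-client count of authorization failures, used to spot id guessing.
# Assumed threshold; a real deployment would tune it and expire the counters.
FAILED_LOOKUPS = defaultdict(int)
LOCKOUT_THRESHOLD = 5


def new_session(account: str) -> str:
    """Issue a session id backed by 16 random bytes (128 bits) from the OS CSPRNG."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = account
    return sid


def get_application(sid: str, app_id: int, client_ip: str):
    """Return an application record only if the session's account owns it.

    Result is a (status, record) pair with status one of
    "ok", "denied", "no_session" or "locked"; record is None unless "ok".
    """
    # Clients that have already guessed too often get nothing, valid or not.
    if FAILED_LOOKUPS[client_ip] >= LOCKOUT_THRESHOLD:
        return ("locked", None)

    account = SESSIONS.get(sid)
    if account is None:
        return ("no_session", None)

    # The ownership check is the actual fix for "change one character in
    # the URL": the app_id from the request is compared against server state.
    record = APPLICATIONS.get(app_id)
    if record is None or record["owner"] != account:
        FAILED_LOOKUPS[client_ip] += 1
        log.warning(
            "denied app_id=%s account=%s ip=%s failures=%d",
            app_id, account, client_ip, FAILED_LOOKUPS[client_ip],
        )
        return ("denied", None)

    return ("ok", record)


if __name__ == "__main__":
    sid = new_session("alice")
    print(get_application(sid, 1001, "198.51.100.1"))  # alice's own record
    print(get_application(sid, 1002, "198.51.100.1"))  # bob's record: denied
```

A missing id and someone else's id are treated identically on the wire (both "denied"), so the response does not reveal which ids exist; the long random session id makes session guessing impractical, and the per-client failure counter turns repeated application-id guessing into a logged, blocked event rather than a silent success.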

Re:.aspx (1)

marcello_dl (667940) | more than 6 years ago | (#21583733)

Some frameworks use a long alphanumeric ID to access objects; GNU Enterprise does that, so they thwart this kind of attack.
But I prefer exposing parameters and IDs, and checking for validity when parsing the request, so that a hacker would need to hijack the session to perform any operation.

Re:.aspx (1)

sonofusion82 (1038268) | more than 6 years ago | (#21583823)

Looking at the code, I would say this is also not really "good" encryption. Real security experts don't recommend using home-brew encryption functions like those. Even a simple TEA or older algorithms like RC4 or DES are probably much better.

Re:.aspx (2, Insightful)

dave420 (699308) | more than 6 years ago | (#21583995)

This flaw has nothing to do with the webserver or the language the pages are written in, but with an idiotic developer. And believe me, there are idiotic developers in every camp.

Doh!!! (1)

ThirdPrize (938147) | more than 6 years ago | (#21583213)

See subject.

More fool them. (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21583229)

I couldn't agree more with the sentiment behind this. To be honest, I think it's just what we needed. Granted, the situation could have been better [snipurl.com] applied [snipurl.com] than it was but heck it's a start at least. We should just be thankful for the grace we have been given I suppose.

Google search results here [google.com]

Re:More fool them. (0)

Anonymous Coward | more than 6 years ago | (#21583345)

Last Measure.

Re:More fool them. (2, Informative)

Bozzio (183974) | more than 6 years ago | (#21583727)

Parent's links are viruses.

Accidentally on purpose (0, Troll)

threaded (89367) | more than 6 years ago | (#21583249)

I just don't get it: someone like me, when I work on such systems just see these kinds of problems and flag them.

So either: no one saw it (which I find very hard to believe), no one flagged it, or was it, as tends to happen, ignored by clueless management to save money?

Then there is the tin-foil hat reason: they wanted to make it easy for people's data to be stolen, much like has happened numerous times in the UK recently.

Re:Accidentally on purpose (0)

Anonymous Coward | more than 6 years ago | (#21583409)

It's a combination of clueless management, incompetence, corrupt politicians bought by M$, etc.

Many Canadian government websites, etc., use windoze exclusively, for everything, including running IIS on Win ME, many sites having the infamous 'you must use M$ Internet Explorer', etc., etc.

So, what happens? Our idiots in Ottawa have the incompetent MCSE techies post a webpage about 'how they are taking the security of our information seriously'.

Yep, I'm convinced.

(P.S. And I have on MANY occasions attempted to educate them about this, but as I said, M$ government contracts, bribable politicians, etc., sigh...)

Re:Accidentally on purpose (1)

Jellybob (597204) | more than 6 years ago | (#21583691)

I don't usually reply to ACs, but this is so unbelievably misguided I feel I have to.

1. IIS won't run on Win ME.
2. This sort of security hole could just easily happen on any web platform - ASP, PHP, .Net, Java, even Rails (yup - it is possible to build an insecure Web 2.0 site!)

Re:Accidentally on purpose (0)

Anonymous Coward | more than 6 years ago | (#21583825)

Difference is that because programming for ASP is easy - cheap monkeys do it. Without any formal training those MCSEs just code a webpage, because they can. If they paid people who actually have a clue - probably that page wouldn't be in ASP.NET anyway...

Just my 2p.

Re:Accidentally on purpose (3, Funny)

schon (31600) | more than 6 years ago | (#21584131)

incompetent MCSE techies
Umm, you realize you put a redundant term and an oxymoron in three words?

Re:Accidentally on purpose (0)

Anonymous Coward | more than 6 years ago | (#21583819)

Then there is the tin-foil hat reason: they wanted to make it easy for peoples data to be stolen, much like has happened numerous times in the UK recently.

I'm not normally a conspiracy theorist, but this does look like a remarkably good and easy way to discredit a government at the moment. Only needs one low level person to cause a huge embarrassment, and there's nothing anybody can really do to fix it once the damage is done and the data is out.

Re:Accidentally on purpose (1, Funny)

Anonymous Coward | more than 6 years ago | (#21584003)

"ignored by the clueless management to save money?"

As a Canadian citizen, allow me to assure you that they were most certainly not concerned with saving money.

Yet more mediocre software from the man ... (0)

Anonymous Coward | more than 6 years ago | (#21583283)

Just another example of the bullshit level of quality we can expect from the Canadian government. From the websites they host which only worked in IE, (looking at you MOT), to the millions they blow on the CRA websites, to this....

If the Canadian government wanted to really be "accountable" [as per Harper's initial acts] they would print the developer's name(s) in bold letters on the front page of every newspaper to hang them out to dry. Of course they won't, and the firm they hired to write the software for them will get rewarded with another overpriced underperforming contract in the future.

I swear to god I hate the civil service. Basically as a government employee your only job is to not rock the boat too hard. Take your 2 hr lunch breaks, leave early on Fridays, take expensive training classes [that nobody in the private sector gets to attend], attend one useless meeting after another, and take 4 years to do what a bright 16 yr old could do over a weekend. That's ok. Because, hey, you're in a union, god forbid you actually have accountability and performance metrics that mean anything...

Let's see the names of those accountable for this!!!

Incompetence! (2)

TheBearBear (1103771) | more than 6 years ago | (#21583291)

Not so much a security flaw as it is incompetence. How could the developers miss this? Oh, here's the sweet part. They said the flaw was repaired on Friday. And from the article...

But after the website resumed operation yesterday afternoon, a few keystrokes sufficed to reveal some of the personal information of passport applicants, including names, addresses and numbers for references and emergency contacts

HAHA! "URL HACKING" is easy to protect against. Maybe they've gone so high tech in security they totally passed on the low tech? Something is awkward here. I will give the developer the benefit of the doubt. I'd expect a half-assed developer to know about URL hacking. I bet this had something more to do with half assed management!

Re:Incompetence! (1)

someone1234 (830754) | more than 6 years ago | (#21583767)

Most web developers know about URL hacking but don't care at all. Especially externally contracted ones.
Heh, I'm responsible for internal testing, and when I find such things, even our internal developers usually say: 'who cares' :)

Re:Incompetence! (1)

astrosmash (3561) | more than 6 years ago | (#21584305)

Where do you work?

Re:Incompetence! (1)

canuck57 (662392) | more than 6 years ago | (#21584293)

Not so much a security flaw as it is incompetence. How could the developers miss this? Oh, here's the sweet part. They said the flaw was repaired on Friday. And from the article...

And absolutely nothing in the management process to stop it.

Code reviewed, probably not.

Code designed, not likely,

Security risk assessment, obviously not.

Formal security model reviewed? Not likely.

Project management? Incompetent.

Software design process, absent.

Specifications document? Probably not.

Pen testing, obviously not.

Run time monitoring, absent.

A poster child for why department managers should stay out of technologies they know nothing about running properly. But most Canadians already know our SIN numbers are in essence public, and have been for some time.

Wow (4, Informative)

asifyoucare (302582) | more than 6 years ago | (#21583307)

This is a simple and fundamental error and I'm amazed that the 'security technique' made it into production on such a major site. Doesn't ANYONE know what they're doing? Geez, this is Web Security 101.

A lot of sites were vulnerable to this sort of thing in 1995 ... If you're going to make URLs user or session specific you need very long random-looking strings.

Who wants to bet that the 'unrelated problem' that resulted in the site shutting down was SQL injection. If you're stupid enough to allow access to other people's details via slight URL changes, you're probably also stupid enough not to check or parameterise form fields.
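The "check or parameterise form fields" point, as an added example that is not part of this post or of the site in question: the same lookup written once by pasting the form field into the SQL text and once with a bound parameter, run against a constructed in-memory SQLite table. The input used is the name from the joke elsewhere in this thread. sqlite3's execute() refuses stacked statements, so executescript() stands in, in the unsafe version only, for database drivers that accept them; the table and column names are made up.

```python
import sqlite3

# The name from the joke in this thread, used as the submitted form field.
JOKE_NAME = "'; drop table passport_info -- '"


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory table with two sample applicants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE passport_info (name TEXT, sin_number TEXT)")
    conn.executemany(
        "INSERT INTO passport_info VALUES (?, ?)",
        [("Alice Example", "<redacted>"), ("Bob Example", "<redacted>")],
    )
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection) -> bool:
    """Report whether the applicants table is still there."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'passport_info'"
    ).fetchone()
    return row is not None


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> None:
    """Vulnerable form: the form field becomes part of the SQL statement text.

    With the joke name the text becomes two statements plus a comment, so a
    driver that accepts stacked statements runs the DROP TABLE as well.
    executescript() plays that driver here (assumption; sqlite3.execute()
    would reject the second statement).
    """
    sql = f"SELECT sin_number FROM passport_info WHERE name = '{name}'"
    conn.executescript(sql)


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised form: the value is bound, never parsed as SQL."""
    return conn.execute(
        "SELECT sin_number FROM passport_info WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(lookup_safe(conn, "Alice Example"))   # [('<redacted>',)]
    print(lookup_safe(conn, JOKE_NAME))         # [] -- treated as a literal name
    print(table_exists(conn))                   # True
    lookup_unsafe(conn, JOKE_NAME)
    print(table_exists(conn))                   # False
```

The parameterised query returns an empty result for the joke name because the whole string is compared as data; only the string-built version lets the quote end the literal and the `;` start a new statement, which is exactly the class of defect the post above is betting on.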

Re:Wow (2, Insightful)

Anonymous Coward | more than 6 years ago | (#21583387)

Essentially all web development technologies are shit. It doesn't matter if they were using Perl CGI scripts, PHP, some JSP-based framework, ASP, ASP.NET, ColdFusion, Ruby on Rails, Django, or whatever other language/framework/technology you want to consider.

The evolutionary nature of the web has led to such technologies that just don't mesh well with one another. Bring SQL and JavaScript into the mix, and now you can be mixing four or five different languages in one web application. Most developers don't have the time to adequately learn every aspect of HTML, JavaScript, CSS, PHP, XML and SQL just to put together a small web app, for instance.

Frankly, I don't think there is a solution to this problem. We can't go back in time and rework the underlying nature of the web to be more sensible. We'd have to throw so much of it away.

Re:Wow (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21583427)

> Most developers don't have the time to adequately learn
> every aspect of HTML, JavaScript, CSS, PHP, XML and SQL just to put together a small web app

Each may have different syntax, but they also have very different uses. Even if they were all bundled up in the same language, you would still have to *learn* how to use each aspect. You still need to display content to the user, you still need to be able to manipulate that content, you still need to be able to generate it, and to get data out of your database. There's still a lot to learn, but you're using syntax as a scapegoat.

Re:Wow (0)

Anonymous Coward | more than 6 years ago | (#21583609)

In the 1990s we created UIs with C++. We wrote the business logic in C++. We wrote the data abstraction layer in C++ (even if it was calling SQL stored procedures to actually retrieve the data). We created client-server and distributed systems using C++.

In short, we had one technology, C++, that was suitable for all of the tasks that we now need HTML, CSS, JavaScript, etc., to perform. Once you learned C++, your knowledge was applicable in all of those areas. You may have had to learn about a few C++ classes, but that pales in comparison to learning a whole new technology.

Re:Wow (1)

Bozzio (183974) | more than 6 years ago | (#21583807)

Well, look at it this way: Technology has changed a lot since 1990. The final product expected is now much more complicated than can be easily produced with C++.

That's why we have HTML to structure webpages, CSS to enhance the visuals, JavaScript to improve functionality, etc...
With C++, every webpage would need to compile. These abstractions aren't only for the developers, they're also for practicality.

Oh, and have you ever used C++ to communicate with a database via SQL? It's not exactly very flexible.

Re:Wow (1)

morgan_greywolf (835522) | more than 6 years ago | (#21584199)

Right. But a lot has changed since the 1990s. Web applications are complicated. We need specialized languages for specialized tasks.

Usually, in developing a Web application, more than one type of specialist is involved. Often you'll find a Web designer come up with the base layout and design of the HTML, another Web developer who specializes in coding the HTML and JavaScript, using the CSS defined by the Web designer, someone else who plugs in the front-end code, and someone else who writes the middleware, and another to write the back-end code. And you have DBAs, systems administrators, network administrators, testers, project managers and so forth.

It's unusual in any moderately-complicated Web application to have one person who does the whole thing him/herself these days. To paraphrase Hillary Clinton, it takes a village to make a Web app.

Re:Wow (0)

Anonymous Coward | more than 6 years ago | (#21583587)

a. This is the point of a framework - to give you a secure, defined, maintained structure to base your app on.

b. HTML, JavaScript, CSS... I wouldn't call these complex or even 'languages'; security shouldn't be contingent on any of these either.

c. Evolutionary, not revolutionary, which you should find with most things. Not exactly AJAX, but a lot of us were doing zero-size divs, JavaScript to load content into divs and trying to make a web application feel like a desktop application many years before this web2.0 BS.

Re:Wow (1)

JuanCarlosII (1086993) | more than 6 years ago | (#21583591)

Most developers don't have the time to adequately learn every aspect of HTML, JavaScript, CSS, PHP, XML and SQL

Which is exactly why most developers are not hired to build large applications containing huge amounts of sensitive customer data.

I make a living out of building exactly these kinds of applications for major international banks and I simply wouldn't get hired if I didn't know about the above.

The developers should be ashamed of themselves for such a massive lapse; this really is security 101. Equally ashamed should be the people who decided not to bother with running proper penetration testing and security evaluation on such an application.

Re:Wow (1)

Bozzio (183974) | more than 6 years ago | (#21583839)

I haven't developed commercially in a while, but it was my understanding that for these larger sites the job would be split up.
One group is in charge of layout.
Another group is in charge of content (graphics, sounds, text).
Another one or two groups is in charge of client/server side scripting.
Another group is in charge of security.
And a final group is in charge of putting everything together.

Finally, everything is audited before it goes live.

Of course, a group might be able to accomplish one or more of these tasks, but not requiring one group to accomplish ALL the tasks ensures the abilities of the developers aren't stretched too thin.

Server Side Scripting == Security (2, Insightful)

JuanCarlosII (1086993) | more than 6 years ago | (#21584167)

I haven't developed commercially in a while, but it was my understanding that for these larger sites the job would be split up.

One group is in charge of layout.
Another group is in charge of content (graphics, sounds, text).
Another one or two groups is in charge of client/server side scripting.
Another group is in charge of security.
And a final group is in charge of putting everything together.

...and the idea that 3 and 4 are separate and distinct is probably what caused this whole problem in the first place.

Re:Wow (0)

Anonymous Coward | more than 6 years ago | (#21583603)

What amazed me is the guy didn't get thrown in jail for hacking. The Canadian government acted *sanely* when dealing with the problem (from the article at least). I've seen way too many cases, state side, where the person who finds the problem reports it and gets in serious trouble. (multiple cases over the past 20 years, but worse in the past 10)
Yet another sign our friends to the north are more sane. (yeh, I grew up right on the border, 18 drinking age and no carding at bars is nice in high school:)

Re:Wow (4, Funny)

tttonyyy (726776) | more than 6 years ago | (#21583615)

Who wants to bet that the 'unrelated problem' that resulted the the site shutting down was SQL injection. If you're stupid enough to allow access to other people's details via slight URL changes, you're probably also stupid enough not to check or parameterise form fields.
I blame that Canadian called '; drop table passport_info -- ' and password = ''; myself.

Irresponsible name to have these days.

Re:Wow (4, Informative)

MMC Monster (602931) | more than 6 years ago | (#21584327)

ObXKCD link: http://xkcd.com/327/ [xkcd.com]

Re:Wow (1)

loraksus (171574) | more than 6 years ago | (#21583801)

Doesn't ANYONE know what they're doing
No. Basically the majority of all Canadian government projects go badly and go overbudget, not just a wee little bit, but a whole metric fuckload - incompetence and lack of any accountability are systemic problems in virtually every government project. Possibly even corruption.

One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government project and "how stuff like this can happen", so bear with me for a bit.

The registry was supposed to cost 2 million (with an M) dollars when it was "sold" in 2000. They've so far spent well over a billion (with a B) and the CBC was leaked documents from a reputable source that place the cost at 2 billion dollars. BTW, there are still fairly significant fees for the license and registration portion - paid by the person who wants to own the firearm.

I'm honestly not sure who got / gets the money, but clearly, a (2?) billion (plus?) dollars goes to someone, and they are getting a sweet, sweet deal. It's basically a complete failure too - while numbers vary, there is a significant discrepancy between the number of guns registered and the number believed to be in Canada. A frequently quoted number is "just under 7 million registered" while estimates from the '70s indicated ~10 million in Canada.
At this point, only one province will prosecute people who didn't register their firearms (the decision to prosecute is left to the province), there are substantial problems with the quality of the data in the database (to the point where a number of high profile police chiefs have called for its abolishment).
Yes, we have 3 territories too, where firearm laws are pretty much ignored.

Tying it in with this article - there are allegations that either the registry has been hacked - or (far more likely) some people with access to the registry are using the registry to find gun owners with large collections to rob. We've had a number of robberies of collectors' homes recently.

Other wonderful Canadian projects include buying dented (one apparently hit a whale) and leaking submarines from the UK for far more than they were worth, a quarter-million dollars for a sculpture made of guns, $100,000 for a book about dumb blondes, and $250,000 to sculpt the face of St. Jean the Baptist on a hillside in Quebec by cutting and planting trees - the list goes on and on.

Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can. Nobody will get fired for this, and the folks who designed the passport site will continue to get contracts. I'd be willing to bet the same folks that did the gun registry worked on this project.

Re:Wow (0)

Anonymous Coward | more than 6 years ago | (#21583887)

I'd want to remember something like the connecting IP address as part of the session info on the server too. I think most would just go for the very long random ID with low chance of guessing another.

I wonder if the person who found this would get arrested. Such arrests are reported to happen, which isn't good for security. It would have made me wary of reporting it or even trying.

Are they incompetent? (-1, Flamebait)

bogaboga (793279) | more than 6 years ago | (#21583315)

I have got this gut feeling that Canadians in general are not as technologically sophisticated as Americans, though more government services are available on-line as compared to the US. That's a plus for them in my opinion.

Re:Are they incompetent? (0)

Anonymous Coward | more than 6 years ago | (#21583533)

Why would Canadians be less technical than people from the US? Geez.. Give me a break there. It's like saying why Montreal is the capital of movie cracking and such. That would mean that US people are less technical because they don't know how to encrypt a DVD correctly.. Come on!

I would put my finger on government security. Public services are low-funded operations that don't have all the right resources at the right place. And most of the time, I would say that the staff have their hands tied because of management policies. 'Nough said!

Re:Are they incompetent? (0)

Anonymous Coward | more than 6 years ago | (#21583631)

Just wait until the cyborg beaver-moose hybrids invade in the millions. They'll just come right out of the water. You'll never have a chance.

25% of Canadians not born in Canada. (0)

Anonymous Coward | more than 6 years ago | (#21583359)

One fifth of Canadians are immigrants.
http://news.bbc.co.uk/1/hi/world/americas/7128172.stm [bbc.co.uk]
If that's official figures. How many are not on the books?

Re:25% of Canadians not born in Canada. (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21583499)

The proportion is much higher in the major Canadian cities like Vancouver, Toronto, Montreal and Ottawa. It's not unusual to go to a mall, and see 45% to 50% of the people who are clearly not born in Canada. This is evident from their clothing, their mannerisms, and especially their near-complete lack of knowledge of English or French.

I worked for several years at a Subway in a mall in Toronto. At some times, I'd have to deal with people who didn't know a word of English or French. At busy times, every third person could be like that. One time I had a man from India or Pakistan yell at me in Hindi, Urdu or one of those languages because I put green peppers on his sub after he said "grun peppuh", when he was actually referring to tomatoes.

I don't know why the Canadian government puts so much effort into passports and other security measures only to turn around and accept basically anyone who wants to immigrate to Canada. It's like securing the windows of your house with metal bars, only to tear down one of your walls and put up signs advertising how expensive your big screen TV is, and then wonder why your TV was stolen.

Re:25% of Canadians not born in Canada. (3, Funny)

meringuoid (568297) | more than 6 years ago | (#21583543)

It's not unusual to go to a mall, and see 45% to 50% of the people who are clearly not born in Canada. This is evident from their clothing, their mannerisms, and especially their near-complete lack of knowledge of English or French.

I wouldn't say Americans are that bad at English...

Re:25% of Canadians not born in Canada. (0)

Anonymous Coward | more than 6 years ago | (#21583627)

Oh yeah ? Wanna bet ? ;)

Re:25% of Canadians not born in Canada. (0)

Anonymous Coward | more than 6 years ago | (#21583941)

The subject line is wrong. The most recent census results show that slightly less than 20% of Canadians were born outside Canada.

Re:25% of Canadians not born in Canada. (1)

faloi (738831) | more than 6 years ago | (#21584041)

I wouldn't say Americans are that bad at English.

The problem is not knowing when it's proper to insert "eh", and not always making things like "about" sound like "aboot".

There's a lot more that goes into sounding Canadian than just making your whole head flap.

Re:25% of Canadians not born in Canada. (1)

GameboyRMH (1153867) | more than 6 years ago | (#21583803)

At least you're not so brazen as to post such a xenophobic comment without AC status. Also notice that Canada is doing pretty well even with all those filthy horrible non-conformist immigrants.

Oh, and unless you're a Native American, you're an immigrant too. That is assuming the first people to arrive in a country devoid of a human population don't count as immigrants.

Re:25% of Canadians not born in Canada. (0)

Anonymous Coward | more than 6 years ago | (#21583871)

That is assuming the first people to arrive in a country devoid of a human population don't count as immigrants.

Why?

Re:25% of Canadians not born in Canada. (1)

KudyardRipling (1063612) | more than 6 years ago | (#21584083)

I guess that means birth certificates are meaningless, EH?

Re:25% of Canadians not born in Canada. (-1, Offtopic)

jacquesm (154384) | more than 6 years ago | (#21583817)

Yes, it is so good that Subway employees now get the final word on who is and is not a foreigner.
I've met a large number of Canadians, as an employer and a temporary resident, and I can tell you from that experience that a large number of so-called 'foreigners' in Canada (landed immigrants would be the appropriate term) speak better English, are more trustworthy and in general are more polite than the people that call themselves Canadians.
I've seen overt racism, both against people with off-white skin colours as well as ethnic groups (native Canadians), fraud and a total lack of education on the part of 'Canadians', but none of that by first generation immigrants. /me thinks you have something against Pakistanis or Indians and that you resent having to serve them. After all, they're the ones that apparently keep you employed, Mr. Subway.
If Canadians weren't so politically correct all the time and were able to take a joke as well as display some *REAL* tolerance instead of make-believe, then Canada would potentially be one of the nicer countries on the planet. As it is, it is just America warmed over with a large dollop of racism thrown in.

Re:25% of Canadians not born in Canada. (5, Informative)

kndyer (521626) | more than 6 years ago | (#21584289)

As a fourth generation Canadian, I too have met a large number of Canadians. While I have no intention of defending the AC, I resent the absurd generalization that Canadians are uneducated and racist. With any large sampling of people, you will encounter the good and the bad. I am sorry to discover that you have clearly encountered only the bad, yet you are a sample of one.

I work at a company with fifteen employees, representing eight distinct nationalities and we operate in perfect harmony. This place is not anomalous; I have lived through several similar situations at other companies.

However, I am also a sample of one. Let us look at statistics. Immigration accounted for two-thirds of Canada's population growth in 2006/2007 (http://www.statcan.ca/Daily/English/070927/d070927a.htm/ [statcan.ca] ) and has always been a significant contributor to our population (http://www40.statcan.ca/l01/cst01/demo03.htm?sdi=population%20growth/ [statcan.ca] ).

Does this trend pose difficulties? Certainly. However, were such a policy not embraced by the majority of Canadians, it certainly would not persist. The tolerance is real. Join us and see for yourself.

Re:25% of Canadians not born in Canada. (1)

rubberglove (1066394) | more than 6 years ago | (#21584075)

I shouldn't feed you, but...
I'm an immigrant, and at least I can tell that 25% is not equal to 'one fifth'.
I've heard this said somewhere else:

My family chose this country. You were just born here by chance.

ps. it takes a big man to post crap like that AC.

Terrance and Phillip (-1)

commlinx (1068272) | more than 6 years ago | (#21583437)

Almost had it cracked. First I found Terrance's personal details, but as Phillip's were loading my speakers let out a farting noise and my PC rebooted with a terrible smell.

Re:Terrance and Phillip (0, Offtopic)

Xtense (1075847) | more than 6 years ago | (#21583529)

What? No songs about sodomy with incest?

Their humour is seriously going down the tubes these days.

what's being done (1, Interesting)

Anonymous Coward | more than 6 years ago | (#21583463)

Like many institutions, the Canadian government has their own security initiative: MITS (Management of Information Technology Security [tbs-sct.gc.ca] ). It aims specifically at being proactive at safeguarding information and IT systems. It is mandatory for all systems to be certified before they are put into production. It would appear that MITS compliance doesn't mean the system is hacker proof or that there are no bugs. To be more effective, I hope there will be something added to this policy in order to better test applications and not to simply be a paper exercise. Apparently they were able to address the problem rather quickly.

Re:what's being done (1)

hesaigo999ca (786966) | more than 6 years ago | (#21584189)

Seems to me you are a very important piece of the government puzzle, handling many people's information, and you are quoting millions of dollars to the budget to develop this site. Stop pocketing the money and getting interns to do the job, and go see Microsoft directly and say you want a CRM solution that handles security on the internet etc.... They will give it to you for peanuts compared to the real price tag, as they do for governments using their products. The only thing we would have to worry about now is what Bill Gates would do with our info!

fixed AND old news. (3, Informative)

notrandom (993713) | more than 6 years ago | (#21583593)

Re:fixed AND old news. (2)

ErroneousBee (611028) | more than 6 years ago | (#21583675)

The article you link to was published yesterday. Exactly how recent does news have to be to escape your oldnews epithet?

As an aside, I see we are dealing with yet another IIS server. What is it with IIS installations and dodgy security?

Re:fixed AND old news. (3, Funny)

Yetihehe (971185) | more than 6 years ago | (#21583759)

What is it with IIS installations and dodgy security?
If you make a server even an idiot can run, idiots will be running it.

Re:fixed AND old news. (1)

CRC'99 (96526) | more than 6 years ago | (#21583791)

http://www.cbc.ca/consumer/story/2007/12/04/passport-security.html?ref=rss

Yeah - but weird things start coming up when you change the ref=rss to ref=rsr.

Basic Encryption? (3, Interesting)

LaskoVortex (1153471) | more than 6 years ago | (#21583649)

I'm guessing the database the info comes from is not even encrypted. One could come up with half-a-dozen schemes to prevent this. Here's one: every sensitive record in the database is encrypted with a unique key that is mapped to each session via a very long random number generated on a per-session basis. This random number would be used to decrypt the information in the database (combining, of course, with a server-side key to reconstruct a "permanent key"). So each client-side key would be able to decrypt one and only one sensitive record, making a one-session to many-record scenario impossible. Key-pairs would be generated on a per-session basis from a database of permanent keys that are themselves encrypted and served by a key server. I hereby patent this protocol. Please send me money if you use it or I will sue you.

Re:Basic Encryption? (1)

was kroepoek (1098895) | more than 6 years ago | (#21583779)

I've already done something similar so sue me! Prior art will invalidate your patent.

Re:Basic Encryption? (3, Interesting)

CastrTroy (595695) | more than 6 years ago | (#21584191)

I think the problem doesn't even go as far as encryption. From what I understand, it seems like they were using incremented integers as session codes, instead of using big randomly generated strings. Just doing this will make your system a lot more secure. It doesn't really matter if the information is encrypted on the back end. If you can guess the session code (by incrementing your own by 1), then you effectively become that user, and it doesn't matter if the data is encrypted in the database or not. Likely, the only thing encrypting the actual data would counter against is an internal attack. However, you'd still need to have a table somewhere linking the user session to the data encryption key. You could probably encrypt this table with some secret machine key, but still the data would be readable. You could probably make the internal hacker run around in circles to get the data, but you wouldn't really be too effective in stopping them.
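The two session-handling points raised in this thread, as an added example that is not code from the thread, from Passport Canada or from any real system: it contrasts the incrementing session codes CastrTroy describes with long random tokens, binds each session to the connecting IP as the earlier Anonymous Coward suggested, and adds the server-side ownership check that the passport site evidently lacked (the check is what stops a one-character URL edit from returning someone else's record, whatever the token looks like). Applicant names, records and addresses are constructed sample data.

```python
"""Added example (not from the thread or Passport Canada): guessable sequential
session codes vs. random tokens, IP binding, and a server-side ownership check.
All applicants, records and addresses below are constructed."""
from __future__ import annotations

import itertools
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    applicant: str   # who logged in
    client_ip: str   # address seen at login; re-checked on every request


class SessionStore:
    """Server-side session table keyed by an opaque token."""

    def __init__(self, sequential: bool = False) -> None:
        self._sessions: Dict[str, Session] = {}
        self._counter = itertools.count(1000)   # only used in sequential mode
        self._sequential = sequential

    def login(self, applicant: str, client_ip: str) -> str:
        if self._sequential:
            # The weak design from the thread: the next user's code is yours plus one.
            token = str(next(self._counter))
        else:
            # 32 bytes from the OS CSPRNG: 2^256 possibilities, not enumerable.
            token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(applicant, client_ip)
        return token

    def resolve(self, token: str, client_ip: str) -> Optional[Session]:
        """Return the session only if the token exists and the IP still matches."""
        session = self._sessions.get(token)
        if session is None or session.client_ip != client_ip:
            return None
        return session


# Constructed application records; real ones would live in the database.
APPLICATIONS: Dict[str, Dict[str, str]] = {
    "alice": {"sin": "000-000-001", "dob": "1980-01-01"},
    "bob": {"sin": "000-000-002", "dob": "1975-06-15"},
}


def view_application_insecure(store: SessionStore, token: str,
                              client_ip: str, applicant: str) -> Optional[dict]:
    """The flaw in the story: any valid session may read any record named in the URL."""
    if store.resolve(token, client_ip) is None:
        return None
    return APPLICATIONS.get(applicant)


def view_application(store: SessionStore, token: str,
                     client_ip: str, applicant: str) -> Optional[dict]:
    """Hardened: the record is released only to the session that owns it."""
    session = store.resolve(token, client_ip)
    if session is None or session.applicant != applicant:
        return None
    return APPLICATIONS.get(applicant)


def demo() -> dict:
    """Runs both designs and returns what each one leaks or blocks."""
    weak = SessionStore(sequential=True)
    t_alice = weak.login("alice", "203.0.113.10")
    t_bob = weak.login("bob", "203.0.113.20")
    strong = SessionStore()
    s_alice = strong.login("alice", "203.0.113.10")
    return {
        "codes_adjacent": int(t_bob) - int(t_alice) == 1,
        "leaks_with_url_edit": view_application_insecure(weak, t_alice, "203.0.113.10", "bob"),
        "blocked_by_ownership": view_application(weak, t_alice, "203.0.113.10", "bob"),
        "blocked_by_ip_binding": view_application(strong, s_alice, "198.51.100.7", "alice"),
        "own_record": view_application(strong, s_alice, "203.0.113.10", "alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design notes: the IP binding is defence in depth only, since users behind carrier NAT or on mobile networks legitimately change addresses mid-session, and a random token on its own does nothing if the handler still trusts the applicant identifier in the URL; the ownership comparison in `view_application` is the part that actually closes the hole described in the story.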

FIRST DEMONIC POST! (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21583685)

"Kiss the little Demon, hanging on my wall
Kiss the little Demon, he will answer your call"

"I am alone in the dark when I call the Demon's name
I Am... Am I the one who's insane?
Kiss the Demon, he'll make your wish come true
Kiss the Demon"
- Mercyful Fate, Kiss The Demon

Wish we could say this was unique. (2, Interesting)

loraksus (171574) | more than 6 years ago | (#21583813)

Basically the majority of all Canadian government projects go badly and go over budget, not just a wee little bit, but by a lot - incompetence and lack of any accountability are systemic problems in virtually every government project. Corruption too.

One famous example is the gun registry - now I don't want to start a flame war about the registry, but I feel it is the best example of complete incompetence on the part of a Canadian government project and "how stuff like this can happen", so bear with me for a bit.

The registry was supposed to cost 2 million (with a M) dollars when it was "sold" in 2000. They've so far spent well over a billion (with a B) and the CBC was leaked documents from a reputable source that place the cost at 2 billion dollars. BTW, there are still fairly significant fees for the license and registration portion - paid by the person who wants to own the firearm.

I'm honestly not sure who got / gets the money, but clearly, a (2?) billion (plus?) dollars goes to someone, and they are getting a sweet, sweet deal. It's basically a complete failure too - while numbers vary, there is a significant discrepancy between the number of guns registered and the number believed to be in Canada. A frequently quoted statistic is "just under 7 million registered while estimates from the '70s indicated ~10 million firearms in Canada".
At this point, only one province (Quebec) will prosecute people who didn't register their firearms (the decision to prosecute is left to the province), and there are substantial problems with the quality of the data in the database (to the point where a number of high profile police chiefs have called for its abolishment).
Yes, we have 3 territories too, where firearm laws are pretty much ignored.

Tying it in with this article - there are allegations that either the registry has been hacked - or (far more likely) some people with access to the registry are using the registry to find gun owners with large collections to rob. We've had a number of robberies of collectors homes recently.

Other wonderful Canadian projects include buying dented (one apparently hit a whale) and leaking submarines from the UK for far more than they were worth, a quarter-million dollars for a sculpture made of guns, $100,000 for a book about dumb blondes, and $250,000 to sculpt the face of St. Jean the Baptist on a hillside in Quebec by cutting and planting trees - the list goes on and on.

Unfortunately, the Canadian government feels that it can just piss away public money without any repercussion - which it can. Nobody will get fired for this, and the folks who designed the passport site will continue to get contracts. I'd be willing to bet the same folks that did the gun registry worked on this project.

Re:Wish we could say this was unique. (1)

Arimus (198136) | more than 6 years ago | (#21584057)

"Basically the majority of all Canadian government projects go badly and go overbudget, not just a wee little bit, but by a lot - incompetence and lack of any accountability are systemic problems in virtually every government project. Corruption too."

Fixed version:
Basically the majority of all government projects go badly and go over budget, not just a wee little bit, but by a lot - incompetence and lack of any accountability are systemic problems in every government project together with corruption and bribes.

Canada is no different to the rest of the world. The majority of projects are run by bean counters who wouldn't know the correct solution if it jumped and bit them on the ass. Providing the project is run the way they like (which usually isn't the way engineers would choose to run the project) and gives them a nice safe comfy job when they retire from the civil service, they're happy. None of them care whether the solution they've gone for is the sane one or the insane one, providing it gives jobs to the boys at the golf club.

still watching fake 'clouds' being applied today (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21583821)

no mention by media, candidates, etc.... it must not be good for us or the corepirate nazis would be bragging about it. time to get real yet? eye gas knot.

http://video.google.com/videosearch?hl=en&q=video+cloud+spraying [google.com]

other underpublished inf.

http://www.washingtonpost.com/wp-dyn/content/article/2007/12/02/AR2007120201637.html?hpid=opinionsbox1 [washingtonpost.com]
sounds familiar?

empty pockets, empty (distracted) minds?

http://www.cnn.com/2007/US/12/03/us.debt.ap/index.html [cnn.com]

looks like only evile deeds get any sort of 'privacy'?

the lights are coming up all over now. see you there?

Why are state computing projects always like this? (4, Interesting)

Richard Kirk (535523) | more than 6 years ago | (#21583867)

This is not just a moan - it is a serious question.

In the UK, every large computer project since the Navy sponsored the Babbage engine seems to end up running hugely over budget and time, and often delivering nothing. Often, many of these projects could have been done on standard equipment from the high street shop. Remember the 10 lb military wearable computer and radio that did little more than a mobile phone? In the recent leak of discs with 25 million UK residents' personal information, most of the data was not wanted by the people it was going to, but it was not removed because that was 'too labour intensive'. A few lines of perl, tops. If they want to send discs, then they can send discs of random numbers, and do one-time pad encryption. If you have a proper source of random numbers, then provided the discs arrive with the seals intact, they can send the actual data XORed with the one-time pad. Not exactly rocket science, any of this.

The usual explanation is a lack of market forces. State projects tend to get offered to contractors with vetted personnel, contractors who have done similar projects before. If you have a military requirement then your choice is restricted to positively vetted people who don't mind working on such stuff. Certainly, in the UK, there seems to be a cosy relationship between the state and the contractors. I am not sure I altogether buy this explanation. If there really is a free market, then more talented people ought eventually to come to the top if the contracts are so lucrative.

Perhaps the problem lies with the national interest. The UK government would have to prefer UK companies to overseas ones. Sometimes the competition has to come from outside a country. 20 years ago, prescription glasses used to be expensive and took a week to arrive. If you were going to the US, you could take your prescription, and get a pair made in an hour. Now you can get the same service in the UK. In the US, it is hard to get a mobile phone unlocked - it is looked on as illegal, but in the UK this is commonplace. In both cases, I don't think there was anything that was actively preventing competition: it just wasn't happening.
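The one-time-pad transfer sketched in the post above, as an added example that is not the poster's code: a pad disc is filled from the OS random source and sent ahead; the data disc then carries only the records XORed with the pad, the sender's copy is consumed byte by byte so nothing is ever reused, and `reuse_leak` shows why the "one-time" part matters (with a shared pad, XORing two ciphertexts cancels the pad and leaves the XOR of the two plaintexts). The record bytes are constructed samples.

```python
"""Added example (not the poster's code): one-time-pad transfer with a
consumed pad so no pad byte is reused. Sample records are constructed."""
import secrets
from typing import Tuple


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """XOR data with an equally long slice of pad; the pad must cover every byte."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data: the pad must cover every byte")
    return bytes(d ^ p for d, p in zip(data, pad))


class PadDisc:
    """A pad plus a cursor, so each byte is used exactly once on this side."""

    def __init__(self, pad: bytes) -> None:
        self._pad = pad
        self._offset = 0

    @classmethod
    def generate(cls, length: int) -> "PadDisc":
        # OS CSPRNG output, not random.random(); this is the 'proper source of
        # random numbers' the post asks for.
        return cls(secrets.token_bytes(length))

    @property
    def pad(self) -> bytes:
        return self._pad

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def take(self, n: int) -> bytes:
        """Consume n pad bytes; refuses once the pad is exhausted."""
        if n > self.remaining:
            raise ValueError("pad exhausted: refusing to reuse pad bytes")
        chunk = self._pad[self._offset:self._offset + n]
        self._offset += n
        return chunk


def seal(records: bytes, sender_pad: PadDisc) -> Tuple[int, bytes]:
    """Sender side: returns (pad offset used, ciphertext) to write to the data disc."""
    offset = len(sender_pad.pad) - sender_pad.remaining
    return offset, xor_bytes(records, sender_pad.take(len(records)))


def open_disc(offset: int, ciphertext: bytes, receiver_pad: bytes) -> bytes:
    """Receiver side: XOR with the same slice of the pad copy that arrived earlier."""
    return xor_bytes(ciphertext, receiver_pad[offset:offset + len(ciphertext)])


def reuse_leak(p1: bytes, p2: bytes, pad: bytes) -> bool:
    """Two equal-length plaintexts under one pad: c1 XOR c2 == p1 XOR p2, so the
    pad cancels out and the plaintexts leak relative to each other."""
    c1, c2 = xor_bytes(p1, pad), xor_bytes(p2, pad)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    sender = PadDisc.generate(64)          # pad disc, sent ahead under seal
    receiver_copy = sender.pad             # what the receiver holds after it arrives
    records = b"SIN 000-000-001; DOB 1980-01-01"   # constructed sample
    off, ct = seal(records, sender)
    print(open_disc(off, ct, receiver_copy) == records, sender.remaining)
```

The pad is only as good as its handling: it must be generated from a cryptographic random source, be at least as long as everything sent under it, travel on a separate path from the data, and be destroyed on both sides once consumed, which is why `take` refuses to rewind rather than silently wrapping around.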

Re:Why are state computing projects always like th (1)

brundlefly (189430) | more than 6 years ago | (#21584005)

This tendency for computing projects in non-computing organizations to be "just barely functioning" is discussed by Joel Spolsky in a talk he gave to some students of CS at Yale recently: http://www.joelonsoftware.com/items/2007/12/03.html [joelonsoftware.com]

Rings true to me.

It's Canada (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#21584001)

Who cares?

Where I work (1)

Malakusen (961638) | more than 6 years ago | (#21584105)

We get "Service Alerts" with "helpful" information for how we're supposed to do business. Some of these "Service Alerts" contain information that, apparently, only certain people are supposed to know. As a result, they are password protected.

If you save the webpage, the default filename that it will save as is also the password for the super-secret information.

So, this story doesn't surprise me.

This doesn't even surprise me anyway (1)

Sepiraph (1162995) | more than 6 years ago | (#21584259)

It is pretty sad, but this doesn't even surprise me anyway because of the frequency of this type of incident. I applied for a Canadian Passport this April, so I guess I'm screwed... :(

ASP.NET (1)

Dystopian Rebel (714995) | more than 6 years ago | (#21584263)

It's ASP.NET, which the Canadian Government has swallowed hook, line and sinker.

And third-rate programmers using it.