It’s time for Plan B: mash-up Canada411 with the DNCL. Feed every single number in the phonebook into the DNCL and starve those bastards out. That’s probably a crime though, so I’ll probably just get call display

Related posts:

1. It’s like “28 Days Later” in T… It’s like “28 Days Later” in Toronto this morning after...
2. 26 Days Until Battlestar Galactica Returns I’ve been resisting the urge to start counting down...

Developers from the Passport Canada office (their IPs point right back to them) started leaving nasty comments on my blog:

Now, now. Everybody must live with the frustration of a world not as perfect as our own little person.

If the Passport application system was able to handle a sudden increase (what? 500% maybe? thanks to USA) without a glitch, it would mean that for many years this system had been running with way too much bandwidth and server muscles. Who would be crying then? Chris, Jonathan, Clay and their friends would be crying to the world that the government was wasting money all these years running such a system! (source – “Jo Blo”)

And on my friend’s blog:

do you know anything about security… whiner

if you can’t even figure out who built it you must be a simpleton.. oh yeah u use a mac … (source – “dl”)

Well this week, Passport Canada had to be completely shutdown for two days when someone noticed that they were saving login credentials in a browser cookie. That is egregious error by a web-developer, and shows a completely disregard for security practices. Now, after two days, they are back online and saying, “Now the Internet site of Passport Canada is one of the most secure” (source).

Are you serious?! Firstly, how are you determining that? Put your site on HTTPS all you want; you cannot repair application security holes through anything but a complete line-by-line examination of your code-base.

Secondly, the security hole I found is still there. You may have found and patched one hole, but the entire system is still open to exploit.

In the end, as a citizen myself, these websites are trying to protect my information and I want to help. I emailed Passport Canada and the CRA to try to get in touch with someone that way. Please, if you read this, drop me a line in the comments. I will do whatever I can to help you close these holes. Even if you don’t believe me that there are some, what do you have to lose?

Related posts:

1. Passport Canada is Error 500′d to Hell Great, just great Passport Canada. Way to let me fill...
2. Air Canada told my bro that ov… Air Canada told my bro that over-the-ear earphones are now...
3. ePass/Canada Revenue Agency Online Tax Filing Suspended A couple of months ago, I blogged about the...

From Discountasp.net:

Dear Customer,

We experienced a network-wide outage Thursday morning and late evening as the result of a distributed denial of service attack. You can read details related to the outage here: http://community.discountasp.net/default.aspx?f=6&m=18216&p=1
…

Developers from the Passport Canada office started leaving nasty comments on my blog:

Now, now. Everybody must live with the frustration of a world not as perfect as our own little person.

If the Passport application system was able to handle a sudden increase (what? 500% maybe? thanks to USA) without a glitch, it would mean that for many years this system had been running with way too much bandwidth and server muscles. Who would be crying then? Chris, Jonathan, Clay and their friends would be crying to the world that the government was wasting money all these years running such a system! (source – “Jo Blo”)

And on my friend’s blog:

do you know anything about security… whiner

if you can’t even figure out who built it you must be a simpleton.. oh yeah u use a mac … (source – “dl”)

Well today a “situation” popped-up that “in order to safeguard existing systems and to maintain the integrity of CRA’s taxpayer information holdings, Mr Dorais ordered tax filing processes halted.” (source). From the CRA commissioner, “The security of taxpayer information remains paramount as we strive to understand and correct this situation” (source). Maybe they finally got it through their heads that ePass is not secure.

It’s a difficult situation since a rewrite of their system would take months, and tax season is upon us. But I’m not sure how safe I, or anyone else, should feel if we’re using their our fundamentally flawed system to file our taxes this year.

A final note, although the CRA website turned off their ePass component, Passport on-line is still up-and-running (and open to exploit).

UPDATE: Looks like they might have just taken the site down because of some “computer work done on the weekend”. *sigh* I’m sure it’ll be back soon, and just as crap-tas-tic (Thanks for the update, Mike)

UPDATE #2: To add insult to injury:

“The security and integrity of taxpayer data has not been compromised. This problem is not the result of illegal activity, computer hackers or a virus.

We have now traced the source of the problem to software maintenance conducted on March 4, 2007. We are currently working to bring all systems back online gradually.” (source)

Related posts:

1. ePass Canada is not Secure If you’re Canadian and have recently tried filing your...
2. Tamiflu Sales Suspended in Canada I guess so many Canadians read my blog that...
3. Passport Canada security breach: I told you almost a year ago Back in January, I blogged about the security holes...

Say your site, and another site, were competing with the same content to get digged first/the most. This is often the case with news organizations since they cull most of their news off the syndication feeds.

If you wanted to make sure your competition’s story didn’t rise on Digg, you could just make sure that the moment it is posted, you digg it first with an incorrect title and description (something no one would ever click on). Since you can’t submit the same URL twice to digg, it wouldn’t be possible for anyone to correct the reference. Then you can digg your own story on the same topic, and if you can get the diggs, you will rise to the top of the digg mod swarm.

Anyhow, I’m not suggesting anyone take advantage of Digg in this way, but it looks like there is a slight crack in their moderation scheme. I think I’ll have to coin the term ‘diggbaiting’ to describe this exploit

UPDATE: Here’s an article toting the end of Digg, partly because of the factors I’ve mentioned. Oh, Digg. Everyone is teaming up on you today. Time to cache out, Kevin (Rose)

Related posts:

1. Mod Swarm moderation swarm [mod-uh-rey-shuhn swawrm] -noun Commonly called: mod swarm Interactive...

I’m been noticing lately how much information web developers applications are giving away in the query string. In this case I can’t really do anything besides redirect to my site, but holes like these make it really easy for phishers to look legit, and trick people into giving them personal information (or worse).

For example, what if you went to a URL starting with https://login.yahoo.com, entered your correct username/password, then we taken to another fake page, that looks just like the “Incorrect password” screen from Yahoo!, where you are asked for your username/password again. Would you really be sure to check the URL again? I think 99% of people would offer up their username/password to the hacker.

Anyhow, you get my point Security good. Phishing bad. Yahoo! vulnerable. *grunt*

Related posts:

1. Yahoo! UI Library I don’t know if I trust this company called...
2. Yahoo! Maps Beta It looks like Yahoo! Maps is coming along nicely....
3. Unfortunate placement of Yahoo ad If you don’t get this, you probably shouldn’t be on...

If you’re a web-developer and you’ve never head of cross-site scripting, take an hour and read up on it. It’s probably the number one open exploit on the web, and if you haven’t heard of it, it’s probably open on your site. In its simplest form, it allows malicious hackers to put up fake login forms (or anything else they want) on a legitimate website and trick visitors into giving away sensitive information.

For example, they could make a page on the government domain gc.ca, secured by SSL, that looks exactly like the ePass login form and trick you into giving the hacker your username and password (a process known as phishing). They can even make it look like you’ve logged in successfully, and if you trust the ePass system, would you really have a second thought to giving them your social insurance number, credit card number, or any other document?

So I ask, why is this big, gaping hole (sorry for the goatse imagery) in the ePass Canada system?! Millions of tax dollars were spent on this program, and it’s completely open to exploit by the lowliest of hackers. We have (and I have to admit that I had to google this one) a Canadian Cyber Incident Response Centre (CCIRC) that is documenting every security hole in Firefox but they aren’t analyzing the government’s own online system? FutureShop.ca is more secure than the ePass system!

In the end, it’s up to you whether you use the ePass system or not. There’s no way I’d file my taxes on paper, so I’ll probably continue using it myself. But rest-assured that someone (whose a much better “hacker” than I) has also seen these same security holes, and if they haven’t exploited them already, it’s just a matter of time. If they already had, would we even know about it?

Related posts:

1. ePass/Canada Revenue Agency Online Tax Filing Suspended A couple of months ago, I blogged about the...
2. Passport Canada security breach: I told you almost a year ago Back in January, I blogged about the security holes...
3. Free Secure Email Certificate Never a bad idea to sign or encrypt your...