* Somebody has to create a mechanism for tracking the population, such as a database. Personal information sells at about 14 bucks in the black market, so
this means you need to create a repository worth a lot of money and give the keys to somebody.

In the United States, there are several examples (although some may not be
well known) of state, federal, and trusted-third-party vendor networks
being hacked and PII being leaked to the black market. A lot of people
have had their IDs stolen as a result of these hacks and don't know it.

Whenever the government (especially federal) starts putting together a new database, it is a big target.


* SLMR 2.1a * DALETECH - for all your home security needs!

---
■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP

* Somebody has to create a mechanism for tracking the population, such as a database. Personal information sells at about 14 bucks in the black market, so
this means you need to create a repository worth a lot of money and give the keys to somebody.

In the United States, there are several examples (although some may not be well known) of state, federal, and trusted-third-party vendor networks
being hacked and PII being leaked to the black market. A lot of people
have had their IDs stolen as a result of these hacks and don't know it.

Whenever the government (especially federal) starts putting together a new database, it is a big target.

* SLMR 2.1a * DALETECH - for all your home security needs!

---
■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP

I remember a friend discovering a flaw in one of the portals used to book hospital visits in Italy by Regioen Lombardia; basically you would enter you "SSN" (codice fiscale) and it would land you to a authentication page, however just having the SSN (really easy to do: https://en.wikipedia.org/wiki/Italian_fiscal_code#Fiscal_code_generation) would provide all kind of sensible personal data from street address to telephone number and so on. All you had to do was looking at the requests and you had a fantastic JSON with all the data possible. Bad design.

---
■ Synchronet ■ bbs.monocul.us > Come visit us!

In the United States, there are several examples (although some may not be well known) of state, federal, and trusted-third-party vendor networks being hacked and PII being leaked to the black market. A lot of people have had their IDs stolen as a result of these hacks and don't know it.

I remember a friend discovering a flaw in one of the portals used to book hospital visits in Italy by Regioen Lombardia; basically you would enter you "SSN" (codice fiscale) and it would land you to a authentication page, however
just having the SSN (really easy to do: https://en.wikipedia.org/wiki/Italian_fiscal_code#Fiscal_code_generation) woul
provide all kind of sensible personal data from street address to telephone number and so on. All you had to do was looking at the requests and you had a fantastic JSON with all the data possible. Bad design.

A few years back, sometime between 2012 and 2016, the US had a web site
where you could go in and fill out forms for student loans (or some other government-backed loan program). Once you got on, they made it easy for
you to pull your transcript of your past IRS tax filings, which were
necessary to apply for the loans.

Needless to say, the way it would get you to that point was not much more secure than what you are describing. So, fraudsters could pull your past
IRS tax filings, too, which have all sorts of info about you. They used
these mainly to file fake tax returns requesting large refunds (but realistic, based on your past filings).

Taxpayers were not aware that their IDs had been compromised until they
went to file their electronic return the next year and their filing was rejected because the fraudster had already filed a return using their ID.


* SLMR 2.1a * Tell me, is something eluding you, Sunshine?

---
■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP

Re: Re: Government databases
By: Dumas Walker to ANDREA on Mon Nov 29 2021 05:00 pm

Stuff like this gives me goosebumps. I don't know if goverments have a special bucket of trash syops, devs and security experts for hire when they have to develop something for the public that needs to be secure. It's like magic; Some courthoses here still have old public ftp servers with documents trown around (some even recent) containing sensitive stuff like transcipts of private conversations and so on. Sad stuff.

---
■ Synchronet ■ bbs.monocul.us > Come visit us!

Stuff like this gives me goosebumps. I don't know if goverments have a special
ucket of trash syops, devs and security experts for hire when they have to dev
op something for the public that needs to be secure. It's like magic; Some cou
hoses here still have old public ftp servers with documents trown around (some
ven recent) containing sensitive stuff like transcipts of private conversation
and so on. Sad stuff.

Governments often have to bid out their work, and the winning bidder is
often (although not always) the cheapest one. If they award something to a bidder that is not the cheapest, the cheapest (who isn't supposed to know
they are but, from past experience, will know they are) will often protest, which winds up costing the government money.

So, they wind up getting what they pay for sometimes... light security on public facing servers.


* SLMR 2.1a * Make BC Great Again! Trump for Premier!!!!

---
■ Synchronet ■ CAPCITY2 * capcity2.synchro.net * Telnet/SSH:2022/Rlogin/HTTP