34
Condor
252d

The cleaning lady saga continues yet again..

Here in Belgium, cleaning ladies are paid with cheques. All fine and dandy, and apparently the parent organization (Sodexo) even migrated to digital cheques. Amazing!!!

If only they did it properly.

Just now I received an email with my login data.
Login: ${FIRSTNAME}${FIRST2CHARSOFLASTNAME}
Password: I won't reveal the amount of characters.. but it's not even hex. It's just uppercase letters, and far from what I'd deem even remotely secure. Hopefully I'll be able to change that shitty password shortly, and not get it mailed back, even when I ask for recovery. Guess I'll have to check that later - the person who made that account was pretty incompetent when it comes to tech after all. Don't ask me why they did it instead of me. I honestly don't really know either.

With that said, this is a government organization after all... Can I really expect them to hash their passwords?

Comments
  • 8
    Probably not. Government software is horrible
  • 6
    @irene it's not actually the government, but a company that's been contracted by the government. But yes, it's horrible.
  • 8
    @epse the lowest bidder? Yep...
  • 3
    @epse yeah, contracted by government
  • 2
    @irene that's not always the rule. EU Commission, as a government, uses awesome software, also contracted.
  • 3
    @mt3o you got me curious, do you have any exemple of good software the EU commission uses ?
  • 4
    @Commodore Belgium: RSA-based PKI for the eID cards. And that's where it ends ¯\_(ツ)_/¯ everything else is unencrypted mailing systems that don't support TLS (had to disable TLSv2 enforcement because of that), probably run on a Cobol framework on a mainframe somewhere in a government basement and things like that.. because long live security when it comes to state and civilian affairs ¯\_(ツ)_/¯

    And don't even get me started on paper-based mail and written signatures that anyone can clone with no more than 2 days of training... If only the governments out there would actually *listen* to the industry and actually implement the fucking standards.
  • 3
    @Commodore example of software that I know they use - Autonomy/HPE/Microfocus IDOL.
    Huge and powerful data analysis engine. Machine learning, unstructured text analysis, scanning and processing tons and tons of documents. Basically you can make your own google search engine with it. Including adwords, adsense, social media integration and whole bunch of other stuff.
    They use it not only to scan and search documents (and their relations) but also to predict effects of some events, i.e. flow of immigration.
    Thing is, that's a very niche tool and not known to broader public. Its stackoverflow is almost dead and empty, mostly because of the support is vendor provides. It's great, but the support and licenses are pretty pricey. However it's worth the price.

    Some time ago HPe tried to sell IDOL in the cloud, but i never heard any buzz around it. It was named Haven or something similar.
  • 2
    @Condor before you go on fire, learn that paper documents live much longer than electronic documents. Standards change, paper stays the same. I'll give you an example. My country emblem is stored public documents in some format that is not working well with current technology. I think it's CIEL based color palette. There are problems with writing with the emblem, because it's hard to recreate correct colors.
    Look, when you have a document which says that color is #00FF00 and the document as to be printed, is impossible, because that color doesn't exist in CMYK. It could be stored as Pantone, but in that case - displays would have problems.
    Now - define a standard for documents. OOXML perhaps? Even when it's main editor is not sticking to the standard? What would happen in two or three hundred years to those documents? Paper, still accepts everything. It's safest medium to store long term data.
  • 4
    @mt3o I frequently get myself my bank card balance papers for archival purposes, and have done so for the past 5 years or so. The papers from all the way back then have deteriorated significantly, despite having only seen the trial of regular storage. Not only that, but the documents would - when just scanned in very high resolution, so no text recognition or anything like that - take no more than 1GB. Meanwhile the paper map easily takes the space of a whole 3.5" hard drive, that could instead be 10TB by today's technology standards. Additionally, the deterioration of the papers vs the permanent availability of digitalized documents when periodically migrated to new healthy drives and constantly replicated to mirrors in case of drive failure, makes me seriously question the legitimacy of paper in today's technological environment. When done properly, digital storage proves itself to be vastly superior.
  • 4
    @mt3o I'd also like to mention that the above assessments are based on consumer drives such as WD Black, Blue and Red. Datacenters are known to use Gold Enterprise drives for on-premises live storage and tape drives for off-premises long-term archival storage instead. The longevity of tape drives usually spans several decades.
  • 2
    @Condor @mt3o correct me if I'm wrong but it feels like you're not arguing about the same thing. Storing transient numerical data is hardly the same problem as storing historical pictures.
  • 2
    That said, I'm enjoying the debate 😋
  • 4
    @Commodore oh, for numerical data and other high-performance storage that you'd be manipulating in real-time, you'd be using RAM and SSD storage like Samsung Evo drives of course. My comments merely cover arbitrary archival storage.
  • 3
    @mt3o as for color palettes, I've got no idea other than the fact that the printer for it, once had to print it based on digital data somehow. I'm not a graphics designer so I've got no authority to speak about this matter. I can't help but be concerned about the idea of verification mechanisms to be based on mere color values of what's very likely a government's individual color palette standard though... Proprietary and a verification scheme that I can't help but question the security of. Regardless of the color palette, what stops me from replicating the exact same color?
  • 2
    @Condor regarding printing:
    There are two dominant ways to get a color. One is to use CMYK (cyan, magenta, yellow, black) in which colpr is made by mixing different amounts of paint. This way you can't print in white, because its expressed as no paint at all. Your printer works that way.
    Other one is Pantone, which is a pallette of predefined colors named as numbers. Graphic designer using Pantone can work on really shitty display and rely on the palette to get correct results.
    Im not sure about Pantone, but in pure cmyk, there is no way to use fluorescent paint, or chrome, silver, gold, and so on. #00FF00 is quite similar to the fluorescent green paint.
    If you have Photoshop, create image in RGB, then convert it to CMYK and back to RGB, then check your green. It will be different than #00FF00 because it's out of reach for the palette.
    Another thing is that CMYK lasts shorter time when exposed to sunlight, it fades.

    Going back to reading.
  • 1
    We've reached moment in which using mobile phone is not enough to respond :D One devrant post is not enough to write everything in here :D

    @Condor, I have to admit, I totally get your point. I had to remove all the books from my parents appartment, and there were over 3.5 tons of them. On that day I swore to myself that i'll never but a physical book for myself. But look, some of those books were decades old. Couple were over hundred years old. In my basement we were starting fire with newspapers that were older than me. Over thirty years. My parents are hoarders for paper stuff :)
    National archives have documents that are thousand years old. Other countries have even older documents.
    By using digital technology, you greatly reduce amount of space (and physical effort to store, but only in short term).
  • 1
    With no text structuring, searching thru these documents takes similar amount of time. In longer term, you have to maintain the data storage containers (thinking of: not 'box filled with paper'), provide access to them, replace containers that wore off. Plenty of job to do. In the past Facebook released some interesting documents on how they organise old data. They were working on a way to store the data on DVDs and have machines to track it and retreive, LOL

    Look in perspective of 200+ years. Paper is the only data storage technology that survived that long.
    We mentioned proofing the documents. Scanned documents have fixed resolution and provide no way to detect forgery, other than inspecting pixels. No carbon based method, no chemical analysis, no UV light, no texture of the paper... Look at paper money or coins, they are not flat.
  • 1
    Regarding the size. You have A4 paper size with 300 ppi is 2480x3508. What's the color space? RGB, 8 bit? (Insufficent, but lets keep it simple.) Thats about 33MB per document. CMYK takes around 40MB. No compression, right?
    If we take different color space (paper is not the same everywhere) like CIEL (it defines perceived color, not amount of paint, its nice when different materials have to be considered, like linen fabric), we have to agree on some lightning conditions. But, well, get a bill and scan it. Then view zoom it. You'll see how many details are missing. All the fine print is blurred. Texture and watermarks are gone.

    Storing documents brings way more edge cases than you can imagine. It surely can be reduced, but can't be removed.

    Regarding your printed documents, well, you probably just have shitty paint or toner. :-)
  • 1
    Speaking about old stuff, I my life replaced 2 or 3 modern FM radios because they broke, loosing wavelength of other subassembly death. And right now, next to me, lies old lamp radio that's older than me (i think was made around 1960), that i want to renovate and sell. :-)
    How to make ancient COBOL or ALGOL work on my pc? Or at least CLIPPER, without using virtual machine? And obsolete operating system? Similar problems.
  • 2
    tl;dr
    you have the point, but you're short sighted :)
  • 3
    @mt3o tl indeed, brb!
  • 5
    @mt3o I would argue that expecting migration to a newer technology to be possible with simply scanning in existing documents with mere optical technology would be short-sighted instead. Just like you can't rely on optics only to verify a document, you can't just use optics to digitalize it either. Same thing with COBOL programs, they shouldn't be run on a modern PC within or without a VM, they should be rewritten instead, and in a way that it can handle system upgrades.

    To me, a program that can't be upgraded along with the rest of technology is a badly written one. I hate how mainframes still exist to run legacy code that can't possibly be upgraded, and how many banking terminals run insecure systems like Windows XP just because that's the only thing that the kiosk software was written for. I hate how government websites have often times been written for the unique "features" of legacy IE versions, disabling government systems from upgrading to newer systems and better browsers.

    Perhaps I'm short-sighted for thinking how short-sightedly the governments tend to implement their systems and lock themselves into a legacy infrastructure with it. Perhaps that's why I don't like governments so much. If that makes me short-sighted, so be it. I'll just continue using my modern systems.
  • 4
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    @mt3o For example, digitalizing signatures isn't as simple as just writing it on a graphic tablet and calling it a day. Cryptography is to be employed instead, which under the hood would look like this. I really like the Belgian eID system for supporting signatures like this, and hope that it'll be widely adopted over written signatures in the near future. After all, it's too easy to forge a written signature, but it's virtually impossible to forge a digitally signed message like this one without stealing my private key.

    -----BEGIN PGP SIGNATURE-----

    iQFeBAEBCgBIQRxNaWNoYWVsIERlIFJvb3ZlciAoU2lnbmluZyBrZXkgZm9yIEdp
    dEh1YikgPGdpdGh1YkBuaXhtYWdpYy5jb20+BQJb/9E4AAoJEOe1haddhGKr6i4H
    /3jxZ1U50fL7OF1pAopdMsVTAOfBa43HfHxjLU4g9h0ESjn24qquCp/tlr+F03ZA
    jqeEKM3fWogfuws3U8ZZ073qNSF2qbX5y9I5QEBBWfejqQXdZ3UHUvntchfE9cJ5
    qHRLJQUdte90RFeNMECkYZP7MicM/sLEvBngMa/EWfKCJYrq5mi2cX7w+t0eVOK2
    +o1zwp3o9yLpaadWBGd++XOHiI6SoWSKgbFuQGom72V6UjTcHYkF9jjUAlPp3SIN
    ir7u92aEyK+3tCgKq7bWQ4gnJkxWkSS10h8IeW1zLGM4J8BzcPge8/yazNgIGNoD
    rtN6MyTNNDAfsQkidy9njvw=
    =ZxJL
    -----END PGP SIGNATURE-----
  • 3
    @Condor you made assumption that I know what RSA is, know how to calculate it, and preferably, I can sign my messages the same way. With handwriting sign - only thing I need - is my hand. :)
    analog signature is much more error - prone, but at the same time much easier to verify in most cases. But that's whole another topic.
    If you ask me, from point of view of regular citizen knowing what RSA is and how this everything works - using digital signature is overkill for things you do one time and then forget. Car registration, password request, that stuff.
    Like I said, you have and your point. But there are cases where that's not enough. For every rule there is an exception :)
  • 4
    @mt3o that's the reason why it needs to be simplified. Signal and WhatsApp and such do this very well. Digitally signed email or git commits on the other hand? Total pain in the ass, because nobody bats an eye when the email is improperly signed or not signed at all, and because I've been such a genius to add a separate email address for GitHub as a subkey, now apparently everything from me is signed with the fucking thing, and I've no idea why. Intuitive.. if implemented well, otherwise it's pretty much shit 😕

    With that said though, especially signatures should become more secure. And the migration has already been done in another field actually - bank payments. Here in Belgium, every store has payment terminals at the checkout, where you can just use your PIN code to pay. And the best part is, that also uses asymmetric cryptography, making it very secure. Well, minus the banks' other legacy infrastructure of course.

    One thing that I don't like about bank cards is that they've still got that magstripe for backwards compatibility. I always just demagnetize them, as they're completely pointless these days and a security issue.

    But yeah, bank cards.. those are IMO a pretty good example of what a future where everything is digitally signed might look like 🙂
Your Job Suck?
Get a Better Job
Add Comment