I had the opportunity to ask some basic security questions of a government system that is rolling out (got invited to a meeting).

So now I am absolutely terrified about any technology that is being rolled out by this particular government agency. Their security model literally ends at "we use HTTPS".

Seriously, how the fuck are these systems not audited before they reach public use? Is this normal??

  • 6
    No need to implement advanced security features, when you can just make it illegal to challenge them and prosecute whoever tries.
  • 0
    @hitko There is a certain irony here in that the gov system in question is for use primarily by lawyers.
  • 2
    Anyone who has seen healthcare.gov would not be surprised by this.
  • 2
    @wannabe If it's something like the one they use here in Spain…

    Right off the bat, it was found that any user logged in could access any case from anyone just by changing the ID in the URL, with no access control whatsoever.

    This was their defense:

    The system is perfectly closed and secure, as long as it's used lawfully and ethically.
Add Comment