Stack Overflow Code?
Have the developers been using too much Stack Overflow sample code again?
Security flaws have been found in the European Union's electronic identity system that could have been exploited by miscreants to impersonate member states' citizens online. The programming blunders were buried in the five-year-old eIDAS – that's electronic IDentification, Authentication and trust Services – that was designed …
eIDAS – electronic IDentification, Authentication and trust Services
A couple of thoughts on this:
1) I note they didn't dub this 'eIDATS – electronic IDentification, Authentication and Trust Services'. Why are they de-emphasising 'Trust'?
2) The article says eIDAS is 'designed to act as a secure bridge between all the various bureaucracies and ID systems of the 28 countries...'. Please let's not get into '28 -1' discussions about this but as far as I know the UK does not issue eIDs. I have a reference number from HMRC, the NHS, DVLA, the electoral roll and God alone knows what other sub-division of the government and civil service. Does eIDAS allow these 'systems' to cross-reference IDs within the UK and is that a Good Thing?
Well, now that you've mentioned it, Johnson is preparing a National Government ID project to tie all different services together and bridge these various ID number issues.
It will be a grand, sweeping project with an initial budget of just £80 million, to be completed in three years. Three years after that, costs will have ballooned to £450 million, and the planned end date will be six years from then. After ten years working on the project, UK Gov will sadly conclude that £935 million were wasted and bin the project.
Isn't this a bit like what Tony Blair was proposing in the early Noughties ("joined-up government" or something, I think he called it)? Then the Conservatives junked the scheme. (OK, it was an election bribe but even so.)
Are we to understand that Boris now intends introducing the same kind of scheme after next month's General Election?
None of the above are required, and most are only available for UK Nationals:
- A UK Passport is only needed for UK Nationals crossing border control.
- National Insurance numbers are for workers and UK Nationals.
- A UK Driving Licence is for people who pass their test or exchange their licence in the UK.
And now the system is patched, and the function call result is no longer ignored, right?
So all the systems that were put in place and tested based on ignoring the function's result are now going to have to deal with a new, untested scenario: the function returns False. I'm sure they planned for that back then, but how come nobody ever tested a False before? Because if they had tested the False scenario and found it worked anyway, this bug would have been raised a long time ago.
Once again, improper testing is the source of a bug.
No, but you should at least test for the common inputs - i.e. each boundary condition, which should include all of true positives, false positives, true negatives and false negatives.
That (minimal) set of tests should have found this.
You can't prove the absence of bugs, but you can find the ones easy to find if they exist.
The best test is one that fails.
If all your tests pass, you might want to write some more tests.
"Once again, improper testing is the source of a bug."
No, bad development practices are the source of the bug. The test did not introduce the bug. Now, the test in question could have correctly flagged the error, and the software was shipped regardless. We, out here, don't know.
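The pattern the last few comments argue over, as an added example that is not part of the article, the comments, or the eIDAS-Node code: a verification function whose boolean result is called but never used, beside the checked version, and the minimal true/false test set that distinguishes them. A symmetric HMAC stands in for the XML signature the real node checks, and the message format, key and subject names are all constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo key shared by the sending and receiving side. Assumption:
# an HMAC stands in for the real XML/SAML signature check.
DEMO_KEY = b"demo-shared-key-not-real"


def sign(message: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Produce the demo signature for a message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_signature(message: bytes, signature: bytes, key: bytes = DEMO_KEY) -> bool:
    """Return True only if the signature matches; constant-time comparison."""
    return hmac.compare_digest(sign(message, key), signature)


def parse_subject(message: bytes) -> str:
    """Pull the subject out of the constructed 'subject=<name>;issuer=<cc>' format."""
    for field in message.split(b";"):
        key, _, value = field.partition(b"=")
        if key == b"subject":
            return value.decode()
    raise ValueError("no subject in message")


def accept_assertion_unchecked(message: bytes, signature: bytes) -> str:
    """The flawed pattern discussed in the thread: verify_signature() is
    called, but its result is discarded, so every message is accepted."""
    verify_signature(message, signature)  # return value ignored: the bug
    return parse_subject(message)


def accept_assertion_checked(message: bytes, signature: bytes) -> str:
    """The corrected pattern: the False branch is acted upon."""
    if not verify_signature(message, signature):
        raise ValueError("signature verification failed")
    return parse_subject(message)


def run_boundary_tests() -> dict:
    """The minimal test set the thread says should have existed: a genuine
    message must be accepted, a forged one must be rejected, for each variant."""
    genuine = b"subject=alice;issuer=FR"
    good_sig = sign(genuine)
    forged = b"subject=mallory;issuer=FR"  # body altered, signature reused

    results = {}
    results["checked_accepts_valid"] = accept_assertion_checked(genuine, good_sig) == "alice"
    try:
        accept_assertion_checked(forged, good_sig)
        results["checked_rejects_forged"] = False
    except ValueError:
        results["checked_rejects_forged"] = True

    results["unchecked_accepts_valid"] = accept_assertion_unchecked(genuine, good_sig) == "alice"
    # The unchecked variant happily returns "mallory" here, so this entry is
    # False: that failing test is the one that would have flagged the defect.
    results["unchecked_rejects_forged"] = accept_assertion_unchecked(forged, good_sig) != "mallory"
    return results


if __name__ == "__main__":
    for name, passed in run_boundary_tests().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

Only the `unchecked_rejects_forged` entry comes back False; a test suite that exercised just the "signature valid" path, as the thread suspects happened, reports all green for both versions and never sees the difference.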
"For example, a person in France can use their French government-issued electronic ID to access online services in Italy, using eIDAS to identify themselves. All very Brussels, and all a bit complicated."
In what way is it "all a bit complicated"? And how could it be made less complicated?
Or is it just more unwarranted, throwaway, poisonous criticism of Brussels and the EU?
No the UK system is so much less complicated.
Just get the form from the Post Office (if you can find one), fill it out in black ink, post it, wait 6 weeks, phone up (9am to 4:30pm Monday to Friday, excluding lunch times) to see where the document is, be told they have sent it, wait another 6 weeks, phone back up, be told they never received it after all. Get another form, repeat. Now once you finally receive the documents, you can apply for part two.
“The scope of these vulnerabilities, we note, is rather limited: the software is used by countries to talk to the systems of other countries. It could, therefore, potentially, be used by agents of one nation to pretend to be citizens of another nation – or by miscreants that somehow managed to impersonate or compromise an eIDAS-Node deployment, at which point, you've got bigger fish to fry.”
Are you sure? I read the back-link, and the bigger picture looks much more serious.
Seems like currently any EU citizen has or can have a smart card reader, to read their National ID card, and a ton of organisations have agreed to use the same ID software with potentially common security failure modes.
All I have to do to subvert this system is get hold of any citizen card reader, open it up, and MITM some of its responses towards a few well-chosen organisations' web portals, since the standard server-side software wasn't verifying signatures.
“Several public and private organisations allow this login mechanism (e.g. the online tax filing portal, several De-Mail services, several insurance companies)”
OK... well, I bet the German online tax filing portal patches this PDQ. But every insurance provider and telco? Everywhere in the EU? I just have to find the weakest two or three organisations who fail to patch, out of maybe thousands in the EU, log on there to pwn that ID, and redirect those mailing addresses to where I like. Normally you only need two or three letters from a telco, utility or insurance provider to your address as evidence of ID for getting other IDs. This is the mother lode of ID fraud!
Biting the hand that feeds IT © 1998–2019