Hacker News new | past | comments | ask | show | jobs | submit login
Turkish Citizenship Database Leaked (ibtimes.co.uk)
664 points by ponyous on Apr 4, 2016 | hide | past | favorite | 260 comments

TR citizen here, for the last 10 years only those who are really close to AKP got the government contracts including software like this etc. for stupid amounts of money with no know-how. Therefore this is absolutely normal -at least for us-, only thing that surprised me about this leak is this got into front page of HN.

Those software "companies" take millions of liras, usually for stupid CRUD stuff, develop it in like years and result is goddamn vulnerable, unaesthetic pieces of garbage.

I'm on that list as well. With that info, a terrorist can buy a SIM card for my name, use it to proxy-blow up a goddamn bomb aaaaand I'm in jail.

Not only there, in other countries in Europe too, in Romania they are prosecuting the boss of the biggest software company we have, he has to sell his paintings and artwork for not being arrested(bail).

The usual opinion is that they all got rich with state contracts building stupid and expensive things that young kids would do in no time for nothing.

As a government agency, of course one would not prefer to hire kids, but these countries, they have good IT persons, they have universities that are struggling with funds and finance(as education is for free there and state universities are way beyond the private factories of diplomas that are known as private universities).

Instead of throwing that money, they could have helped education and develop infrastructure in the same time. Nobody has bloody consciousness any more!

Also kinda sounds like Bulgaria. Maybe we should not be thinking in nation-defined terms but rather look for a global, state-independent solution. Bureaucracies tend to be sluggish anyways...

That sounds like Lithuania to me.. One of the largest local IT companies are prosecuted now because of dirty contracts with SODRA (social care stuff)..

That sounds like definitely TURKEY to me!!!

It might sound like Italy, but here corrupt people are those OUT of jail.

that sounds like india to me

Is he talking about Portugal?

Well, at least we still have good weather.

That sounds like Pakistan to me.

That sounds like China to me.

that sounds like hungary to me

Do you have any anecdotes you can share? I'd be interested.

Our government bought two $1M+ websites in the past years. It's not that the websites would pose as a security risk, or store any valuable information, it's just plain corruption ...

500k only for the planing and teaching how to use $1,2M total, for a site what is essentially a video sharing website: https://hu.wikipedia.org/wiki/Korm%C3%A1nysz%C3%B3viv%C5%91....

$1,7M for the new site of the chamber of agriculture http://index.hu/gazdasag/2016/02/03/agrarkamara/

fun fact in general, the corruption consumes 50% of the eu funded government investment in Hungary according to Transparency International, which means 11.6 billion euro currently

That sounds like Ghana to me

It's Greece!

You are all wrong, folks. Clearly, this is Serbia.

that sounds like bavaria to me

that sounds like Kenya to me

That sounds like Spain to me.

Just a note, it looks like this data comes from Mernis(1), a project with quite bad history, developed in 90's and launched in 2000 and internet access started in 2002.

I know a bit about government IT departments and contractors at the time and I had zero faith in their competence so this breach is no surprise to me. Current government is no different than is predecessors, just business as usual.


It should actually be the other way around. Now that this information is public any kind of link with personally identifiable information should be considered suspect rather than to be used as evidence for wrongdoing without further checking. That information became less valuable with this leak, not more valuable and those things that you could do with that information before should now become harder.

I learned this leak through HN not TR media. Forget about front page, it is NOT even mentioned.

It is only mentioned by social media website @DikenComTr who are heavy-opposition to AKP regime -related with a NL journalist Frederike Geerdink, just because you are NL I wanted to mention-. Diken journalists love to spend some time in custody time to time and website gets shut down every once in a while.

This leak was everywhere on Reddit for along time. Your opposition stories don't mean innocent people ID info should be put online..

Your type of comments show how clueless you are and can't grasp personal privacy attacks from politics bullshit.

I think one of us didn't understand the parent correctly.

Please don't be rude here.

> With that info, a terrorist can buy a SIM card for my name

Well that escalated quickly.. Terrorists wouldn't need this database to supply them with names and addresses as most of that info is public in most countries (white-pages is one place). And I can go to any local shop and get a pre-paid SIM card without any personal info involved.

Also, if your country convicts you merely because someone used your name with no other evidence to tie you to the crime, you have bigger problems.

Name and maybe address can be found somehow but identity number absolutely can not be found (should not be from now on). Private companies confirm auth with name, surname, X,Y,Zth number of identity number.

You have to provide them name, surname and identity number in order to get a SIM card, in this example.

You don't need to be convicted for anything anymore if someone wants you to go to jail :) They get you in and start writing bill of indictment(?).

To give a little more context, if you are TR citizen what information you use and should keep private is: 1)Identity Number 2)Your mother's pre-marital surname.

My mom never changed her name...

Officials would tell her to use both or she'd have to go to European Court of Human Rights to have that simple right. A woman attorney did go ECHR iirc

How does the private company verify that the identity number is not bogus? Do they have some tamper-proof crypto box that validates a secure hash hidden in the ID or would a case like that only be flagged when the SIM registration is pushed to the government?

In any case, if it is customary to routinely hand the whole number to private companies (I read your description as "full number on registration, some digits on subsequent authentication"), then this leak has made that name/ID tuple only slightly less secret than it was before.

It is actually a grey area since the start. Today they get a zerox copy of your entire ID card which includes Identity Number as well but they should not do that.

The terrorist example I gave came from this grey area in fact. IIRC 2 years ago it was in the news that terrorists open up new SIM cards with regular citizens' information. When I checked it with my info, there was only 1 registered which was mine, when I checked my father however, had 4 SIMs registered and only 2 of them were his.

> And I can go to any local shop and get a pre-paid SIM card without any personal info involved.

Which I gather is fully on-topic as you're a Turk writing from Turkey, right?

> And I can go to any local shop and get a pre-paid SIM card without any personal info involved.

You see, the fact that I could go to any shop and buy a pre-paid SIM card in the US was a surprise to me. Don't expect that to hold true anywhere else. Taking Brazil as an example: you need to provide a photo ID.

I had to present a passport in Spain and Russia, though in Russia they accepted my (US) passport card.

>Don't expect that to hold true anywhere else.

It is still possible in some countries. For example Ukrainian president was kicked out of office when he tried to make SIM card registration mandatory like in Russia.

In Portugal, Spain, Germany and Belgium (at minimum) you can buy a pre-paid SIM without any hassle.

That is not true for Spain. Since the attacks on 11-M 2014 in Madrid, it is mandatory to provide in the local shop your National ID card or passport to activate any SIM card. But the verification is done by the shop attendant.

Anyway, I do think it is pointless as there are plenty of ways to get a SIM card anonymously: buy it in other country, steal it, buy it from somebody, clone it...

Italy as well

> you have bigger problems

Yes, we do! And that is why leaks like this are especially harmful.

From experience, some countries require a national ID number to get a SIM, even for the prepaid ones

> Those software "companies" take millions of liras, usually for stupid CRUD stuff, develop it in like years and result is goddamn vulnerable, unaesthetic pieces of garbage.

that's great news! sounds like turkey is closer than anyone expected to being a full fledged western member state!

UPDATE: It turns out the database that was claimed captured by hacking is actually a semi-public data. What's correct is the origin of the source of the database. However that database having limited information about voters are shared by the state agency and distributed to the political parties before the public polls by the mandate of voting laws. The database is actually from 2010 and was not obtained by hacking or anything but leaked by one of the political parties.

When I saw the news I did download the database and searched for myself. My information was not there. Because I am not a registered voter since I live in States. However all my siblings' and parents' information there unfortunately.

There's a fierce political rivalry in Turkey increasingly becoming uglier by day. The story was smelling from the beginning anyway, like implicating president, accusing cronyism and trying to score for some political agenda.

I have seen the term "tenderpreneur" applied to those who become enriched through favourable access to government contracts, as in...


  ... a tenderpreneur is a person in government who abuses their
  political power and influence to secure government tenders and
  contracts. The word tenderpreneur is a portmanteau of "tendering"
  and "entrepreneur".
Could the meaning be applied here too?

> With that info, a terrorist can buy a SIM card for my name, use it to proxy-blow up a goddamn bomb aaaaand I'm in jail.

Or, you know, dead. It's a bit optimistic in the current climate to assume they'd arrest you peacefully.

Yeah, this is the worst case. If you google "Ali İsmail Korkmaz" you'll see a young protester, beaten to death by police and regime supporter bakery guy. He was classmate of my gf and he probably was the nicest person you can ever met.

But now you can easily claim the information was stolen, so no judge will ever convict you.

That sounds like Burundi to me. Incompetence is encouraged.

Sounds like Thailand to me.

Interesting, in Sweden this kind of data is already public for anyone to view.

There is also several sites that provide this information like a search service and it's perfectly legal:

http://www.merinfo.se/ http://www.ratsit.se/

Interesting. In Germany this database does not even exist. Each town keeps its own data and they are not connected. I think the reason for this are the evil uses of data bases by the Gestapo during Nazi times.

Most states keep all data in a state-wide database and all registers are electronically connected. This is the reason why you don't need to deregister anymore when moving within Germany, a new registration will suffice.

What there isn't is a single central database and if you want to query data you will need to ask different authorities to get it all.

> the evil uses of data bases by the Gestapo during Nazi times.

IBM leased them the machines and sold them the punched cards. And then sold them the census data they had collected across Europe during the 1930s.


In Germany this database does not even exist.

That seems highly doubtful. How do the EU countries know you're a citizen, then, when you cross the border?

They look at the ID card or passport you present. They may make a record of your entry and may look up whether your ID was stolen or there is a warrant for you.

They certainly don't look up in a database whether you are a citizen. Such an EU-wide thing simply doesn't exist. Heck, even the entry and exit records are not in a common database. At the moment many borders can't even verify the government signature saved on the chip.

That's the same how other government officials determine your German citizenship in most circumstances. Only very few people go through the process of getting definitive proof of their citizenship (Staatsangehörigenausweis) in any point of their life as there is simply no reason to. This process takes quite some time, often including looking at some non-digitized paper documents archived somewhere.

They certainly don't look up in a database whether you are a citizen.

OK, "citizen or valid resident / visa holder / having some other legitimate reason to be holding something that looks like an EU identity card", then.

Whichever -- I was just simplifying. But something tells me that something at major border crossings (e.g. hub airports) has to at least authenticate your right-of-entry -- and that your travel document isn't outright fabricated -- at least a significant portion of the time.

Again, as applies strictly to cases of persons attempting to enter the Shengen area, on the basis of possession of an EU identity card, or a similar travel document asserting current legal residency in one of the member countries. I just don't see how they can (effectively) tell whether the document hasn't been forged or revoked, without comparing against a master list.

I can assure you that they do not check for positive entry in any database when crossing into Schengen whatsoever. Usually they check if the presented document is marked stolen but even that is sometimes skipped as the database (SIS II) is rather slow. This database contains around 50 million entries which shows that it can't possible hold information on all residents.

There is neither an EU-wide database of citizens, nor of permanent residents. They do have a database of most issued short-term Schengen visa nowadays (VIS) but even that took a lot of effort to implement.

And as said, at the moment they can't even verify all electronic signatures in electronic passports but that should be fixed soon.

I'm not even sure how they would create such a database of citizens as even not the German government has a conclusive list of all citizens and I presume it's similar in other member states.

That check for the right-of-entry is done with the presented document alone. Revocations are checked against and while it's possible to forge the documents it's not easy. But yes, there are known cases of people successfully entering with forged documents.

That's actually reassuring, in a way. Thanks for the detailed response.

I have a question: Does your passport have a number?

Just wondering. Thanks for the cool info.

Yes it does (and this is required by international agreement). The number contains an identifier for the issuing authority (and its name is also printed on the passport) so they know where to look for info if they need to.

I'll tell you something interesting. I crossed from Bulgaria to Turkey without presenting my ID to Bulgarian authorities. I crossed into Bulgaria by just showing my ID to Bulgarian authorities. Turkish side stores detailed records but Bulgaria is not interested where I am. They don't know wheter I'm in Bulgaria or not.

On the other hand they know my fingerprints.

Here is a source on Wikipedia: https://en.wikipedia.org/wiki/Resident_registration#Germany

"Unlike common belief there is no central administration — except for foreigners (see Central Register of Foreign Nationals (Germany)) — the resident registration is run by 5283 local offices throughout Germany."

For passports, I'd guess that there is a different database.

For passports, I'd guess that there is a different database.

OK, so that makes sense. So at the national level, they only have your Meldeort (place of registration), as it appears on your ID card -- but not (in theory) your residential address.

There is neither a federal passport nor ID card database. All data is saved in the same databases as the usual resident registration.

If his claim is correct it seems they would call the town in question. Maybe the EU has a database that includes Germans though.

As with most borders, they do not.

If you are German and have a passport then you are in a centralized database.

It exist at the very least for intell reasons.

How can the German IRS do their job then?

In 2007 they introduced a unique tax number for every natural person.

In fact, assigning these numbers was complicated by the fact that there is no central registration data base. They started from all the local data bases and then filtered this data to remove duplicates.

Source: https://de.wikipedia.org/wiki/Steuerliche_Identifikationsnum... (sorry, German only)

German people comply to taxation laws, as no one else in Europe does ;)

The data released contains national identification codes that are confidential. I believe the Swedish equivalent is the 'personnummer'. The sites you indicated appear to be regular person search engines, like the US equivalent Whitepages? Can you show a specific search result, pick any Swedish name you want, that would also list the person's personnummer?

The mentioned websites contain at least the full name, birthdate, registered address and marital status of every Swedish resident (at least above the age of ~16?), with the exception of a very small percentage of people with protected identity (which you can only get if you're under a "serious and concrete threat"). They get this data straight from the government - it's all public.

Go to e.g. http://www.ratsit.se/, write "Stockholm" under "Var" and hit "Sök" and click on a name for an example.

You won't see the personal identification number ("personnummer") that we use for absolutely everything, however as tednoob mentions you can get access to this by paying for premium access. Or you can call the Swedish Tax Authority. They don't have the right to ask who you are or why you want someone's number.

In Finland even salary and capital gains data is released. Newspapers compile high score lists from it each year. There might be some lower limit to how much you need to earn before your data becomes public.

Here's some select tidbits from the data in English: http://yle.fi/uutiset/who_are_finlands_top_earners/8427787

You can actually access the public tax information for anyone if you visit the tax office or call their free customer service. Newspapers publicise only the top earners, but nothing stops you from finding out how much your neighbour earned last year in income and capital gains, if you really want to (and I guess quite many want, Finland is after all known as the "land of million of enviers" in addition to the more famous "land of thousand lakes".)

That is true for the Swedish sites/system as well.

On http://www.upplysning.se/ you can get the full information. But you do have to register for a free account.

It will list the "personnummer", but usually not the last 4 digits. This became a big deal a number of years ago, when they did list the complete numbers, and this was changed so that if the complete number is requested, the party you request information about needs to be informed. However, the complete numbers are still public. Just with that caveat nowadays. (unsure if some still sidestep the "new" legislation, there were some more or less shady companies for a while that still informed you of their full numbers)

The 'personnummer' is also publicly available, though the sites usually have to limit access in order to comply with Personuppgiftslagen/PuL (Swedish version of the Data Protection Directive).

Difference being that in Sweden there is a different requiremnet for causing harm (IE; national ID card or passport - or linked bank account) simply having a social security number and address is not enough for identity theft to occur.

in other countries they treat SSN's as private, thus they are trusted.

But the only way to guarantee they stay as private as they are to begin with is to never use them.

Even if you only share them with people or merchants that you really, really trust, the sharing increases the risk of a leak.

That's not really true. Often you can order stuff from the internet with only knowing the SSN. You can order on invoice with Klarna for example.

Of course, for things that really matter, you need an ID.

But are you liable for those purchases? Can the seller accept some form of post-purchase payment mechanism and go after the SSN holder?

You're not, but it's up to you to deal with the administrativia (reporting it to the police, disputing the invoice).

I thought Klarna would only allow invoicing if the delivery address matched the registered home address of the SSN owner.

I ordered some stuff yesterday and I only had to provide the SSN and it filled out the adress and everything. Then, I specified Klarna and the order was away.

But if you'd tried to get them to ship to a different address than the one they filled in then they would probably refuse. That adds a least a little bit of fraud security.

You are not liable but you can't ignore it either, if you do nothing you are going to go to court in the end.

Actually it is and there have been a couple of cases both in Denmark and Sweden.

The problem is that the CPR is tied to all sorts of information from you credit card to your patient journal. You only need to get access to one of those things before you have the potential of access to all the other places.

It's that stupidly built.

As an American with a Swedish wife, I was very surprised to learn about the availability of this data. But something that really turned me around was that it makes verifying strangers much easier. My cousin-in-law was using it to look up the people offering to become au pair to her children. Then also of course, I remembered that we have the same service in the United States, it just costs you ten or fifteen dollars for the information. You can get exactly this information that is up-to-date and accurate by paying for one of those background checks from one of the major providers. Same stuff.

Well, I'm turkish and living in Sweden. I can see myself in the dumps as well as in those swedish search services.

Amazing. I wonder what the benefit is of having information such as you home address public.

I would say there is more issues than gains. But sometimes it's nice, I once found someones wallet and was able to find his phone number with the service. Called the guy, he came and picked up his wallet and gave me 500kr as thanks.

"Sometimes nice" is not good enough to do this.

It is largely a cultural difference; in Norway they also publish everyone's details along with their tax return data.

In one country giving someone a pair of shoes is seen as a nice present, in another it is considered a grave insult.

What you grow up with as a kid can have a big influence on what you consider acceptable.

In my personal view as long as the rules apply the same to all then that's the largest problem solved.

EDIT: fixed typo

Presumably you can opt out in case an Ex decides to come round and harass /kill you.

I am not joking when I worked for a Telco they used this scenario to empathize whey you should not do favours for friends and lookup peoples address.

I'd argue there is none, because friends and family already know how to reach you. However, both sites display ads.

I'm not saying there aren't drawbacks, but I can think of two benefits:

1. It makes some forms of investigative journalism easier. For example, there has been a lot of discussion about the potential problems of having most of the influential journalists in Sweden living within a very small "hipster" area in Stockholm.

2. E-commerce companies may decide to only ship to the adress where you are officially registered, making it harder to commit e-commerce fraud.

On the other hand it's trivial to change someone's official address. Just send a certain form by mail to the tax agency. (Not sure if they send a confirmation to the old address; but if they do, the perpetrator only has to pick someone who's on vacation; hello Twitter & Facebook.)

If you have registered an email / phone number they will send a message there about your changed address.

I don't know if they've done this yet but a while ago there were articles about them working on a way to disallow changing your address via the mail form:


In case it goes offline:

    #Turkish Citizenship Database

    Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?
    This leak contains the following information for 49,611,709 Turkish citizens: (IN CLEARTEXT)

    - National Identifier (TC Kimlik No)
    - First Name
    - Last Name
    - Mother's First Name
    - Father's First Name
    - Gender
    - City of Birth
    - Date of Birth
    - ID Registration City and District
    - Full Address

    **Lesson to learn for Turkey:**

    - Bit shifting isn't encryption.
    - Index your database. We had to fix your sloppy DB work.
    - Putting a hardcoded password on the UI hardly does anything for security.
    - Do something about Erdogan! He is destroying your country beyond recognition.

    **Lessons for the US?** We really shouldn't elect Trump, that guy sounds like he knows even less about running a country than Erdogan does.
    [Example Data]
    [Download URL]

What an odd place to put an anti-Trump comment.

Right, because Clinton...who ran her own private email server and sent classified information from her house...is much more qualified when it comes to data security?

Or Bernie, who lost his email password long time ago...

cmon guys, you are too serious:


what is the deal with email, anyways:)

I really don't care about US politics. I came across the link on Reddit and found it interesting. Make out of it what you want.

Sorry, didn't mean to imply that you made the comment.

What sub did u find it in?


I don't think he was accusing you of anything.

Huh, I get it... I was thinking completely out of context when I read his comment.

Well, Trump was my first thought seeing the headline. He wants to ban Muslims from the US. Turkey is a Muslim country.

I thought Turkey was a secular democracy not an Islamic state. A lot of the population call themselves Muslims though for sure.

I'm not saying their system of government is Muslim. I'm saying that 98% of their population is Muslim.

Given that now we cannot trust the identities of any Turkish citizens, I'd like to suggest we start by banning Turks. Sorry guys.

Probably won't come down anytime soon, this box is hosted by Voxility, they're notoriously terrible for dealing with abuse complaints.

Better formatting: https://www.pastery.net/adffrv/

This data is being circulated for a while now.

This makes me so angry. It is good that you show the infrastructure is bad, but how stupid does one have to be to say "do something about Erdogan" to the people who are facing identity theft directly due to one's actions?

Many companies use date of birth and address for authentication. The only thing that is missing is mother's maiden name, which then would be enough to access confidential information at most banks (though they wouldn't be able to transfer money without authorisation code).

Many companies use date of birth and address for authentication. The only thing that is missing is mother's maiden name, which then would be enough to access confidential information at most banks (though they wouldn't be able to transfer money without authorisation code).

Maybe they should learn a lesson from here - information that you do not control should not be used for authentication. Especially the one that is in its essence public.

Exactly! This is about as secure as having your first dog's name as a password reset hint. I either already know or can simply ask about the birthday, address and mother's maiden name of practically anyone I know.

I've always hated the mother's maiden name security question because my mother kept her maiden name so it's not exactly a hard thing to figure out in my case.

I think that one will go away sooner than later though, because taking a husband's name is becoming less common in a lot of societies.

Pro tip: You shouldn't be answering those questions truthfully.

But you have to remember the answers correctly. How do you keep track ?

The lazy way (which is still arguably better than answering truthfully) is to use the same answer for all the security questions. The better way is to treat each answer as another password and encrypt and store the answers somewhere safe.

Realistically how many people outside (or even inside) HN are going to do that? No matter how you spin it, security questions are a very bad "security pattern" in my opinion and we should get rid of them.

I do that, the security questions and answers just get added to the site's entry in 1Password.

I use KeyPass and save all the security questions and answers too. I should use fake answers next time though...

The same way as you keep track of any secure password: either with a password manager like 1Password, etc, or else through some Byzantine scheme that you manage yourself.

I use 1Password for this as well, but I recently had a security questions form (can't remember where) that tried to reject random strings because they didn't look like words.

Luckily, 1Password has a 'correct horse battery staple'-generator these days as well.

I 'time shift' each number in date of birth so neither the day, month, or year are correct. My secret key is the formula I use.

For other questions I use answers that 'belong' to a friend or relative. My secret key is the formula for figuring out who that is.

I wonder how many 'bits' those secret keys have? Maybe one or two? E.g. how long to brute force those answers.

If it's only 2 bits, you're assuming the attacker already knows that the formula is "Using someone else's information" and that there are only 4 possible people whose information you would use.

Even knowing that you're using a formula is a bit of information. The type of formula is potentially thousands of bits of information. An attacker doesn't know whether it's a cipher, or a code, or something more complex, and only then can they begin figuring out the parameters to that formula.

Pretty sure lots of people use relatives' info. Very, very few use ciphers in their head.

Friend used to have a car with a keycode door lock. He just used 5555 or whatever. I suggested he use the address where the car was parked, or some hash of that. Wouldn't have to remember it! And it would vary some at least.

Well, sure, 8 bits of entropy isn't going to help you much if your password is "password". Those bits only provide the opportunity for randomness. At the end of the day you still have to apply that entropy effectively by picking something that can't be guessed easily. The point is that there are opportunities for people savvy enough to recognize them.

My aim isn't to guard against the answers being guessed, it is to deny the operator of the service asking those questions from gathering accurate data about me that may later be exposed.

Someone then trying to fraudulently use my identity info, or for any kind of socially engineered attack, would lose out.

E.g. calling some financial service provider and trying to get a password reset based on D.O.B, mother's maiden name, or whatever.

I usually store it as another password field in keepass http://keepass.info/

you only have to remember that for password resets, if you already store your password in 1password you're golden.

Thank goodness KeePassX remembers my mother's maiden name! I always have a hard time remembering NortOrnEgMeefibrocEu myself.

Think of those fields as secondary password fields and act accordingly.

Diceware can also be useful for when they need to be spoken on the phone. With the right amount of words (7 or more) it has reasonably good entropy too.

I just tell them my dog's name was Beez6Ich8eeso5uil6Pha4omailai2fu and store it in my Dropbox-stored KeePass database.

Well we just used to call him old Bee..

Thank you for answering the security question Mr. Stavros. I'll accept "Bee" as your dog's name. To which offshore bank did you say you wanted to transfer the money ?

Easiest things on the planet to mine, too - the below lark appears to still work, from its ongoing prevalence.

"Your superhero name is your first pet's name, your mother's maiden name, and the street you grew up on - mine is Muffy Hitler Queen, what's yours?"

Recently United Airlines changed their online security policy and added security questions. The answers to which must be chosen from dropdowns.

I always mash the keyboard for those

Unfortunately when people can control it they lose it.

Not just public information, but unchangeable information.

If the information is "compromised" by being looked up in a publicly available database, what are you going to do? Change your birthday?

Let's hope that leaks like this forces the banks you speak of to care more about authentication.

> Many companies use date of birth and address for authentication.

Who does? I've seen them used as part of the signup process for some services but never as standalone authentication.

If you add in a phone number, almost every company I interact with in Ireland.

> The only thing that is missing is mother's maiden name.

It's extremely unsafe for known distribution of last names. E.g. in leaked db most frequent 12 last names correspond to 10% share of population, and most frequent 50 names "explain" 20% of population.

How to companies verify mother's maiden name? I've never used my mothers real maiden name when filling out any kind of account application form and no one has ever batted an eye.

Do you know whether Turkish state authorities are aware of this thing?

They seem aware, they just blocked the page that we can not access without Vpn.

The leak reported to be from YSG [1], organization that manages the election registers.

Software used by them developed by Cybersoft [2]. Cybersoft was part of the system who developed the new identity system in Turkey. The practices used by Cybersoft reported to be horrible. I know someone who worked on that project (about 15 years ago), reportedly they were really bad, playing games on servers where the all identity data of the citizens are stored. I do also know that any employee who was part of the project had access to the query systems, so it was possible to query the database for all citizens of Turkey, not sure how much data it revealed but it revealed the number of people with that name and surname ever born for sure.

Now, I'm not a fan of Erdogan but Cybersoft was developing stuff before Erdogan even got elected. So yes, maybe the government who started to work with Cybersoft was corrupt, maybe the current one is too but let's not just use every single baseless argument to attack Erdogan, it doesn't help anything.

[1] http://www.ysk.gov.tr/ysk/faces/Anasayfa.jspx

[2] http://www.cs.com.tr/TR/

I've been working for Cybersoft for the last 20 years, and I know we have not developed that system, whatever system is in question. We never had contracted work for either the NVI - Nufus Vatandaslik Isleri (General Directorate of Civil Registration and Nationality http://www.nvi.gov.tr/English,En_Html.html), the owner of the data on Turkish citizens, or the YSK - Yuksek Secim Kurulu (Directorate of Elections http://www.ysk.gov.tr/ - they lack content on the English page) the state organizer for elections, and a client of NVI for voter information.

As far as I know, development of the NVI system for "Central Population Management System (MERNİS), Identity Share System and Address Registration System" was contracted to and is still maintained by Kale Yazilim (http://www.kaleyazilim.com.tr/EN/Pages/Haberler.aspx). Likewise the development of the YSK system was contracted to and still maintained by HAVELSAN (http://www.havelsan.com.tr/ENG/Main/urun/2321/the-supreme-el...). Both projects were contracted when AKP was ruling, though I'm not sure why we are discussing this aspect. If the software leaked information, it is the usual suspect: the Turkish government awards contracts on price-point and the easy way to build cheap software is to forgo testing and quality assurance. As Murphy's law states: "Never forget that your weapon was made by the lowest bidder." You get what you payed for.

As a reference system we developed, check out the General Directorate of Revenues' automation for its 1000+ tax offices and the 2003 ComputerWorld Honors winning Internet Tax Office.

Last, we have English content at http://www.cybersoft.com.tr/ENG/?q=node, where you can check our references.

This is the product of self-righteous activism. You'd have to be pretty deluded and starving for attention to think effectively releasing tens of millions of private individuals' complete identification data is justifiable in some way.

Couldn't you say this about every personal data leak ever? I'd say the problem is companies won't take you seriously if you simply say "you have a security hole here". They'll probably report you, maybe fix an immediate bug that covers the exact issue you found and move on.

If they, on the other hand, get thousands of customers complaining and leaving, they'll take security much more seriously in the future. There's also a good chance that affected users will be more careful and proactive about their personal data in the future.

...but this is a country.

In the immediate, the only thing that can happen, if at all, is for some people to lose their jobs.

I think he is hoping that if the leak is well covered enough by the media, it will be adding oil to the fire of public discontent. Perhaps in a way that would dislodge the current government.

Way I see it though, that's quite a long shot :)

in the end of 199x in Russia a lot of big government databases - incl. individuals' passports, companies' registrations, real estate property data, etc.. got leaked and become widely available. It was very convenient - you could immediately verify all the stuff about people and companies you were dealing with, and such ability is extremely important in the environment when fraud is a normal everyday matter.

It could positively influence bad auth practices.

Hardly so for Turkey. Important positions in Turkish bureaucracy are being filled by people who have close ties to the ruling party. I guess this is somewhat normal in many countries given that you have some appropriate filters, unfortunately such filters are diminishing every year. Just last week the prime minister announced they would hire 750k long term government employees bypassing the regular procedures and by creating adhoc exams for each position. Regularly Turkey has this nationwide exam called KPSS which you would have to pass to be a government employee, bypassing this exam will even further reduce the government quality. I don't see how people without the necessary qualifications can improve these systems.

It is bad that decision makers can't on their own see that change is needed, but leaks like this could change public opinion, which is what influences politicians and businesses.

This reminded me 2010 KPSS scandal of Gulenists.I guess they want to go other way around..

And losses of millions of turkish liras for a while is a feasible trade-off for that?

Whoeves did this is an utter idiot, a profoundly inconsiderate hacktivist, whatever that shall be.

I see your point and I might agree with you (didn't make up my mind yet), but how is this different than disclosing someone else's vulnerability with a "hardcoded" date? In some cases, getting from disclosure to a working exploit is trivial.

If this data was so easy to get, any state actor probably had it for years now. Also powerful criminal organisations.

Wasn't the harm potentially done already and this might trigger a change? Maybe now all those banks will not accept whatever data is in this leak as a way to authenticate a customer. In that scenario we would be in a better situation because of the leak.

Quoting a Turkish friend:

---start quote---

Luckily there’s no really valuable data, other than personnummer. But i am sure with a little bit of digging it would be super easy, during Gezi police had a pwd like 12345

The important thing with the data is national stats, which is super important commercially. And that is for free now. More spam in the mailbox for everyone.

Obviously, for stalkers, sickos, or pedophiles this is an open source to attack. That is another security concern, because there was no db as in Sweden where you can access someone’s address this easy

---end quote---

> The important thing with the data is national stats

Or just playing with data, xkcd.com/1409 :)

    select first, count(*) from citizen group by first order by count(*) DESC limit 10;
      first   |  count  
     MEHMET   | 1172984
     FATMA    | 1154754
     MUSTAFA  |  898672
     AYSE     |  893053
     EMINE    |  756675
     AHMET    |  719391
     ALI      |  663136
     HATICE   |  659000
     HUSEYIN  |  521240
     HASAN    |  487906

How is the address data not valuable? Even dangerous.

I don't know about other countries but in the US, there are things called Whitepages which list names, addresses and phone numbers of the majority of people/businesses.

Address data is pretty worthless considering how many places you can get such data.

It's 2016 -- forget the Whitepages. Most people publicly update all of this information everyday, multiple times per day, through their social media accounts.

They usually don't publish their street address on social media.

You're right, they usually post a GPS location that is even more specific.

Good point. I think most people don't do that, though, since it's typically "opt-in".

People do opt in. People outside of the tech game don't think of these as making themselves more vulnerable -- they only see convenience (or just blindly click yes to anything).

I had a Twitter app (Tweetcaster?) that had a "show local tweets" option, and was amazed by how I could determine the individual dorm rooms tweets were coming from on a nearby college campus.

personnummer? Sounds very Scandinavian to me and quick googling doesn't yield anything particularly Turkish about that word?

In Turkish it is called "tc kimlik numarasi", that would translate to "Turkish Republic ID Number"

My guess is German (because of the historical links between Germany and Turkey).

The word exists in Swedish exactly like that and also is a very common word. Means "person number" or "person ID" basically.

No, personnummer does not mean anything in Turkish. It's TC Kimlik No.

Some readers have complained about this data being posted here. That's reasonable, but so is the community discussion. So we changed the URL from to the least bad news article we could google. If someone has a better URL, we can change it again.

Why bother removing the URL only to post it again in a comment?

Taking it out of the story link was the important thing. At that point HN was no longer broadcasting it.

Not to include it the comment, especially since we always include the previous url in a comment, would have invited accusations of suppression, which would only call more attention to it.

Only a matter of time before the whole US SS/IRS database is dumped into the public domain by political hackers too. Pieces of it have been liberated by sloppy corporations and medical databases. But not the whole thing from the government.

Checked my girlfriends family. Some of them are army officials and their info is in there as well. With that info you could actually do some serious damage.

Also, based on address info we know this dump is 2-6 years old.

Note: I wrote this up as a reply but the parent was deleted in the interim so posting at the top level instead.

> Which server is this? A Whois lookup returned nothing.

The whois command works on domain names, not IP addresses.

To get the DNS name associated with an IP address you can try a reverse lookup:

    $ dig -x
Unfortunately that only works if the the reverse record has been set up and it hasn't in this case.

You can still see where the server is located via tracepath:

   $ tracepath
    12:  lon-tel-01c.voxility.net                             86.537ms asymm 16 
    13:  buc-ird-01c.voxility.net                            147.516ms asymm 17 
    14:  buc-ird-27sw.voxility.net                           136.914ms asymm 18 
    15:  buc-ird-46sw.voxility.com                           149.699ms asymm 18 
    16:                                       143.626ms reached
So most likely the server is hosted on voxility.com which looks like an IaaS provider.

What do you mean by "whois does not work on IP addresses",

$ whois

Abuse contact info: abuse@flokinet.is

inetnum: - netname: FlokiNET-Romania descr: FlokiNET ehf country: RO admin-c: KW2732-RIPE tech-c: KW2732-RIPE status: ASSIGNED PA mnt-by: FlokiNET created: 2015-12-15T13:52:42Z last-modified: 2016-02-05T18:53:56Z source: RIPE

person: FlokiNET ehf address: P.O. Box No 4 address: 121 address: Reykjavík address: ICELAND phone: +3544150300 nic-hdl: KW2732-RIPE mnt-by: is-flokinet-1-mnt created: 2015-05-13T15:26:09Z last-modified: 2016-02-01T06:46:24Z source: RIPE

route: descr: FlokiNET ehf origin: AS200651 mnt-by: FlokiNET created: 2016-02-05T18:52:09Z last-modified: 2016-02-05T18:52:09Z source: RIPE

Wow I didn't know you put IPs directly in there. If so, it returns back the ownership info of the IP from ARIN. Not quite the same as getting the contact info for a domain name but still quite nifty. Thanks!

Does the publisher of this leak really think the other politicians are better off in keeping private citizens' information private? S/he must have not heard the Clinton's own email server leak issue. Yeah, yeah, it's a cliché, but it shows exactly how much they care about security.

Clinton's email server didn't leak anything, so far as we know. The emails you've read have been released by the State Department as public government records.

FBI hasn't officially concluded the investigation. We'll see.

A criminal thief putting personal data online and giving political lessons, shame on you really.

When your true goals are phishing, criminal activities, spamming to robe innocent people, at least be honest and do not make such grandiose statements. /rant

So the folks who did this complained about a bad DB (needing indexes) but then failed to convert the DOB's to date types.

Maybe it's really stored as text?

Yeah but a simple query can add a column, copy the data while parsing it into a native date and then drop the original column. It can all be in a transaction too so that if there is a failure nothing is lost.

I was mainly referring to the high and mighty attitude about fixing their broken db. If you're gonna fix it, it's all or nothing in my book.

True. Although showing how unprofessionally the data is kept makes a good point, too.

Only on HN.

Interesting, but to be fair a typical facebook page has more information.

If you choose to sign up for facebook with real information, sure.

You don't have much choice in the data your government loses about you.


Interesting how what once was basic know-how (don't use your real name everywhere on the web) is now almost criminal as Facebook does their best to enforce, legally and otherwise, -real accounts, and way to many sites use Facebook as comments system / login etc or otherwise require you to sign with a full name.

You don't have much choice when your friends or relatives post about you on Facebook either, and there, lying to Facebook is out of your hands.

Privacy isn't transactional, it's environmental.

I do not know, but strongly suspect, that my absence from Facebook means I'm rarely mentioned there. Certainly I'm mentioned less than if I had an account.

Even if I am mentioned there, Zuckerberg & friends don't have any account to cross-reference to target me with ads, etc.

So, my absence from Facebook is nonetheless a significant enhancement of my privacy.

It is worth noting that Facebook maintains "ghost" profiles for people who aren't members, but of whom they are aware. I'm having trouble finding a reference, but I remember it came out that when your friends ("friends") give Facebook their email contacts so that they can locate other people using their service, Facebook remembers contacts which do not yet hold accounts. I speculate this information wouldn't be valuable if they didn't attempt to infer that particular posts mentioned these non-member profiles.

You shouldn't share this around. This is going to mess up a lot of innocent people's lives.

It's too late for that. Criminals have access to it already. I would argue we should indeed share it around so that at least average Turkish citizens are aware their data has been stolen.

Really right! Even there should be a wiki containing all data leaks, at least the description if not the data.

And we shall call it.. WikiLeaks. Oh wait.


It's interesting that the data doesn't have values with the Turkish dotted or dotless I, ie the one in İstanbul, İbrahim, or Diyarbakır. Seems pretty important to store people's names correctly.


Then again -- if they can't figure out how to index their databases... then most likely they probably can't out how to do locales and character sets properly, either.

Ah! And this ironically relevant 2008 post from Coding Horror about testing your code in the Turkish locale.


Why host the dump on an IP instead of a domain?

I mean, I suppose skipping a domain means one less company that knows your personal information, but doesn't this mean Voxility[1] can lookup the customer for this IP?

[1] koolba's comment: https://news.ycombinator.com/item?id=11420959

A domain adds another point of failure (we want to take you down, we can just block the domain vs the server). As other have pointed out the abuse report for that hosted is quite terrible, so it might take a while to get taken down.

Also, a domain name costs money, and you get little use of it (just paid $20 for a domain that gets taken offline in a few days). And even if there was a domain name, what should it be? Turkish-citizenship-dump.com? What values does it add if the site only sticks around for a few days?

Well, they have blocked the IP within few hours.

There are countries where they "Ban" stuff by just not lookup up the domain name. I guess that why he did it this way.

Isn't the real lesson here twofold?

1. Governments can't keep this kind of data secure.

2. Massive troves of information that identify individuals are a very tempting target.

This sort of breach argues against big centralized (e.g. NSA's "sniff it all") data stores. They're just too easy to get into the wrong hands.

A user named testing123123 wrote about the dump on ##crypto, on Freenode. He claimed to be the one who dumped the database. It happened yesterday, on Sunday.

Log: http://pastebin.com/EgKhCj6z (Time is EEST, UTC +3)

Where others see a weakness, I see an opportunity: that's how we could send traffic-tickets straight to policemen's door. Enjoy watching "Rémi GAILLARD vs POLICE" http://www.youtube.com/watch?v=bJMLS4RDAzk

How illegal is it to download this database?

About 4

Does it contain the addresses of citizens with a double nationality who now live abroad?

If you were a voter in 2010, as far as I know. But I don't know if it contains foreign home addresses. Some people say that it was fetched from ysk.gov.tr . Normally MERNİS has more detailed database, so they say that it cannot be MERNİS. MERNİS stands for Central Citizenship Administration Center, it contains even pre-Turkish Republic "citizens", like from Ottoman Empire. YSK stands for Supreme Electoral Council. A friend of mine had access to MERNİS, he once said that the leaked data is not directly from MERNİS.

No need. They're all in Germany anyway.

If a structural engineer builds a bridge that collapses and kills someone, they are liable in one way or another. What if the same was applied to software engineering. That would sure change how seriously you take PII.

New attack vectors come out every day. The one they used may have not even been related to THE application that someone built for this. If you built something 4 years ago for the gov't to use and they didn't keep the server patched how is that your fault as a software engineer?

Gulenist police provide data to them to take revenge from Erdoğan.I expect more to come since Erdoğan is still alive.Gulen said Erdoğan will be poisened, he must have a spy near Erdoğan.

Somewhat interesting to think that this very personal information of tens of millions of citizens is just 1.5 gigs in size.

Are the implications of the National identifier similar to an SSN in the US?

Not to the same extent.

Is this the Russian answer to Sukhoi plane incident?

What are the ethics around analysing the data here in aggregate form (not individual info).

I guess this data is leaked from inside. Like most others.

By the way, why the heck is this in ASCII?

In order to bit shift it?

How do the citizens of Turkey deserve this?

ну ахуеть теперь...

Guys, tell me, please: If I add this base and create UI for find people to search by Name, birth date, etc. Is it legally?

I think that as well!!!

that's what I think as well!!!!



It doesnt seem too reasonable to compare a businessman to someone who supports terrorism and radical islam.

I wouldn't put it past Trump to encourage radical christian violence, whether that would be terrorism is in the eye of the beholder.

Erdohan certainly is using the situation to crack down on national opposition and get as many separatists killed while the rest of the world is focusing on the Syrian civil war and its exports of violence. That's simply realpolitik though, not ideology.

That said, the tone and message accompanying this leak is ridiculous.


This is a hoax. I looked at the torrent file, the hash for every part is 7d76d48d64d7ac5411d714a4bb83f37e3e5b8df6, which is the sha1sum of 2MiB of zero bytes. I told Transmission to verify local data, and it now thinks it has the whole file.

On the behalf of all Kurds worldwide, I would like to congratulate the wonderful people who did this hack and released the information. You guys are just like those who opposed Nazi Germany. We Kurds shall be forever grateful to you.

To any Turk that may read this: Ne Mutlu Kürdüm Diyene (Happy is he who says I am a Kurd :)


This comment doesn't belong here. Please keep nationalist politics off Hacker News.

Cryptographers: 1 -- Idiots: 0

The winners here are fraudsters and the losers are the Turkish people. Cryptographers never enter into the equation.

I definitely agree. If only a single cryptographer would have been part of the equation, no one would have had a reason to write “Bit shifting isn't encryption” . Looking at my comment again again, I guess it was simply too short to be understood as a cinical “read it with a smile” kind of thing. Just to be sure no one gets me wrong: I surely did not want to hype any of the bad guys, nor make fun of the victims… the innocent Turkish citizens involved. Yet, I can’t help to shake my head that a Turkish governmental agency was stupid enough to use a near to “xor-by-one” snakeoil crypto thingy instead of well-vetted and security proven cryptographic algorithms and protocols. If they would have, there wouldn’t be a problem – just a blob of encrypted data. Which is why I said: “cryptographers 1 – Idiots 0”… which was merely meant to be interpreted as “roll your own crypto, eat your own poison – no cryptographer would have stepped into the stupid pitfall of using home-brew toys instead of well-vetted algos & protocols”. Hope that somewhat is able to explain what I meant with my comment. If my cynical comment was misunderstood due to its minimalism – my bad. Downvotes correctly punished me accordingly for my comment being too short to be understood upon first glimpse – next time, I’ll be sure to be clearer.

I am imagining what PKK could do with that info.

Not much. Not their style of warfare really.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact