Those software "companies" take millions of liras, usually for stupid CRUD stuff, develop it in like years and result is goddamn vulnerable, unaesthetic pieces of garbage.
I'm on that list as well. With that info, a terrorist can buy a SIM card for my name, use it to proxy-blow up a goddamn bomb aaaaand I'm in jail.
The usual opinion is that they all got rich with state contracts building stupid and expensive things that young kids would do in no time for nothing.
As a government agency, of course one would not prefer to hire kids, but these countries, they have good IT persons, they have universities that are struggling with funds and finance(as education is for free there and state universities are way beyond the private factories of diplomas that are known as private universities).
Instead of throwing that money, they could have helped education and develop infrastructure in the same time. Nobody has bloody consciousness any more!
Well, at least we still have good weather.
500k only for the planing and teaching how to use $1,2M total, for a site what is essentially a video sharing website: https://hu.wikipedia.org/wiki/Korm%C3%A1nysz%C3%B3viv%C5%91....
$1,7M for the new site of the chamber of agriculture http://index.hu/gazdasag/2016/02/03/agrarkamara/
fun fact in general, the corruption consumes 50% of the eu funded government investment in Hungary according to Transparency International, which means 11.6 billion euro currently
I know a bit about government IT departments and contractors at the time and I had zero faith in their competence so this breach is no surprise to me. Current government is no different than is predecessors, just business as usual.
It is only mentioned by social media website @DikenComTr who are heavy-opposition to AKP regime -related with a NL journalist Frederike Geerdink, just because you are NL I wanted to mention-. Diken journalists love to spend some time in custody time to time and website gets shut down every once in a while.
Your type of comments show how clueless you are and can't grasp personal privacy attacks from politics bullshit.
Well that escalated quickly.. Terrorists wouldn't need this database to supply them with names and addresses as most of that info is public in most countries (white-pages is one place). And I can go to any local shop and get a pre-paid SIM card without any personal info involved.
Also, if your country convicts you merely because someone used your name with no other evidence to tie you to the crime, you have bigger problems.
You have to provide them name, surname and identity number in order to get a SIM card, in this example.
You don't need to be convicted for anything anymore if someone wants you to go to jail :) They get you in and start writing bill of indictment(?).
In any case, if it is customary to routinely hand the whole number to private companies (I read your description as "full number on registration, some digits on subsequent authentication"), then this leak has made that name/ID tuple only slightly less secret than it was before.
The terrorist example I gave came from this grey area in fact. IIRC 2 years ago it was in the news that terrorists open up new SIM cards with regular citizens' information. When I checked it with my info, there was only 1 registered which was mine, when I checked my father however, had 4 SIMs registered and only 2 of them were his.
Which I gather is fully on-topic as you're a Turk writing from Turkey, right?
You see, the fact that I could go to any shop and buy a pre-paid SIM card in the US was a surprise to me. Don't expect that to hold true anywhere else. Taking Brazil as an example: you need to provide a photo ID.
It is still possible in some countries. For example Ukrainian president was kicked out of office when he tried to make SIM card registration mandatory like in Russia.
Anyway, I do think it is pointless as there are plenty of ways to get a SIM card anonymously: buy it in other country, steal it, buy it from somebody, clone it...
Yes, we do! And that is why leaks like this are especially harmful.
that's great news! sounds like turkey is closer than anyone expected to being a full fledged western member state!
When I saw the news I did download the database and searched for myself. My information was not there. Because I am not a registered voter since I live in States. However all my siblings' and parents' information there unfortunately.
There's a fierce political rivalry in Turkey increasingly becoming uglier by day. The story was smelling from the beginning anyway, like implicating president, accusing cronyism and trying to score for some political agenda.
... a tenderpreneur is a person in government who abuses their
political power and influence to secure government tenders and
contracts. The word tenderpreneur is a portmanteau of "tendering"
Or, you know, dead. It's a bit optimistic in the current climate to assume they'd arrest you peacefully.
There is also several sites that provide this information like a search service and it's perfectly legal:
What there isn't is a single central database and if you want to query data you will need to ask different authorities to get it all.
IBM leased them the machines and sold them the punched cards. And then sold them the census data they had collected across Europe during the 1930s.
That seems highly doubtful. How do the EU countries know you're a citizen, then, when you cross the border?
They certainly don't look up in a database whether you are a citizen. Such an EU-wide thing simply doesn't exist. Heck, even the entry and exit records are not in a common database. At the moment many borders can't even verify the government signature saved on the chip.
That's the same how other government officials determine your German citizenship in most circumstances. Only very few people go through the process of getting definitive proof of their citizenship (Staatsangehörigenausweis) in any point of their life as there is simply no reason to. This process takes quite some time, often including looking at some non-digitized paper documents archived somewhere.
OK, "citizen or valid resident / visa holder / having some other legitimate reason to be holding something that looks like an EU identity card", then.
Whichever -- I was just simplifying. But something tells me that something at major border crossings (e.g. hub airports) has to at least authenticate your right-of-entry -- and that your travel document isn't outright fabricated -- at least a significant portion of the time.
Again, as applies strictly to cases of persons attempting to enter the Shengen area, on the basis of possession of an EU identity card, or a similar travel document asserting current legal residency in one of the member countries. I just don't see how they can (effectively) tell whether the document hasn't been forged or revoked, without comparing against a master list.
There is neither an EU-wide database of citizens, nor of permanent residents. They do have a database of most issued short-term Schengen visa nowadays (VIS) but even that took a lot of effort to implement.
And as said, at the moment they can't even verify all electronic signatures in electronic passports but that should be fixed soon.
I'm not even sure how they would create such a database of citizens as even not the German government has a conclusive list of all citizens and I presume it's similar in other member states.
That check for the right-of-entry is done with the presented document alone. Revocations are checked against and while it's possible to forge the documents it's not easy. But yes, there are known cases of people successfully entering with forged documents.
Just wondering. Thanks for the cool info.
On the other hand they know my fingerprints.
"Unlike common belief there is no central administration — except for foreigners (see Central Register of Foreign Nationals (Germany)) — the resident registration is run by 5283 local offices throughout Germany."
For passports, I'd guess that there is a different database.
OK, so that makes sense. So at the national level, they only have your Meldeort (place of registration), as it appears on your ID card -- but not (in theory) your residential address.
In fact, assigning these numbers was complicated by the fact that there is no central registration data base. They started from all the local data bases and then filtered this data to remove duplicates.
(sorry, German only)
Go to e.g. http://www.ratsit.se/, write "Stockholm" under "Var" and hit "Sök" and click on a name for an example.
You won't see the personal identification number ("personnummer") that we use for absolutely everything, however as tednoob mentions you can get access to this by paying for premium access. Or you can call the Swedish Tax Authority. They don't have the right to ask who you are or why you want someone's number.
Here's some select tidbits from the data in English: http://yle.fi/uutiset/who_are_finlands_top_earners/8427787
in other countries they treat SSN's as private, thus they are trusted.
Even if you only share them with people or merchants that you really, really trust, the sharing increases the risk of a leak.
Of course, for things that really matter, you need an ID.
The problem is that the CPR is tied to all sorts of information from you credit card to your patient journal. You only need to get access to one of those things before you have the potential of access to all the other places.
It's that stupidly built.
In one country giving someone a pair of shoes is seen as a nice present, in another it is considered a grave insult.
What you grow up with as a kid can have a big influence on what you consider acceptable.
In my personal view as long as the rules apply the same to all then that's the largest problem solved.
EDIT: fixed typo
I am not joking when I worked for a Telco they used this scenario to empathize whey you should not do favours for friends and lookup peoples address.
1. It makes some forms of investigative journalism easier. For example, there has been a lot of discussion about the potential problems of having most of the influential journalists in Sweden living within a very small "hipster" area in Stockholm.
2. E-commerce companies may decide to only ship to the adress where you are officially registered, making it harder to commit e-commerce fraud.
I don't know if they've done this yet but a while ago there were articles about them working on a way to disallow changing your address via the mail form:
#Turkish Citizenship Database
Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?
This leak contains the following information for 49,611,709 Turkish citizens: (IN CLEARTEXT)
- National Identifier (TC Kimlik No)
- First Name
- Last Name
- Mother's First Name
- Father's First Name
- City of Birth
- Date of Birth
- ID Registration City and District
- Full Address
**Lesson to learn for Turkey:**
- Bit shifting isn't encryption.
- Index your database. We had to fix your sloppy DB work.
- Putting a hardcoded password on the UI hardly does anything for security.
- Do something about Erdogan! He is destroying your country beyond recognition.
**Lessons for the US?** We really shouldn't elect Trump, that guy sounds like he knows even less about running a country than Erdogan does.
what is the deal with email, anyways:)
This makes me so angry. It is good that you show the infrastructure is bad, but how stupid does one have to be to say "do something about Erdogan" to the people who are facing identity theft directly due to one's actions?
Many companies use date of birth and address for authentication. The only thing that is missing is mother's maiden name, which then would be enough to access confidential information at most banks (though they wouldn't be able to transfer money without authorisation code).
Maybe they should learn a lesson from here - information that you do not control should not be used for authentication. Especially the one that is in its essence public.
I think that one will go away sooner than later though, because taking a husband's name is becoming less common in a lot of societies.
Luckily, 1Password has a 'correct horse battery staple'-generator these days as well.
For other questions I use answers that 'belong' to a friend or relative. My secret key is the formula for figuring out who that is.
Even knowing that you're using a formula is a bit of information. The type of formula is potentially thousands of bits of information. An attacker doesn't know whether it's a cipher, or a code, or something more complex, and only then can they begin figuring out the parameters to that formula.
Friend used to have a car with a keycode door lock. He just used 5555 or whatever. I suggested he use the address where the car was parked, or some hash of that. Wouldn't have to remember it! And it would vary some at least.
Someone then trying to fraudulently use my identity info, or for any kind of socially engineered attack, would lose out.
E.g. calling some financial service provider and trying to get a password reset based on D.O.B, mother's maiden name, or whatever.
Diceware can also be useful for when they need to be spoken on the phone. With the right amount of words (7 or more) it has reasonably good entropy too.
"Your superhero name is your first pet's name, your mother's maiden name, and the street you grew up on - mine is Muffy Hitler Queen, what's yours?"
If the information is "compromised" by being looked up in a publicly available database, what are you going to do? Change your birthday?
Who does? I've seen them used as part of the signup process for some services but never as standalone authentication.
It's extremely unsafe for known distribution of last names. E.g. in leaked db most frequent 12 last names correspond to 10% share of population, and most frequent 50 names "explain" 20% of population.
Software used by them developed by Cybersoft . Cybersoft was part of the system who developed the new identity system in Turkey. The practices used by Cybersoft reported to be horrible. I know someone who worked on that project (about 15 years ago), reportedly they were really bad, playing games on servers where the all identity data of the citizens are stored. I do also know that any employee who was part of the project had access to the query systems, so it was possible to query the database for all citizens of Turkey, not sure how much data it revealed but it revealed the number of people with that name and surname ever born for sure.
Now, I'm not a fan of Erdogan but Cybersoft was developing stuff before Erdogan even got elected. So yes, maybe the government who started to work with Cybersoft was corrupt, maybe the current one is too but let's not just use every single baseless argument to attack Erdogan, it doesn't help anything.
As far as I know, development of the NVI system for "Central Population Management System (MERNİS), Identity Share System and Address Registration System" was contracted to and is still maintained by Kale Yazilim (http://www.kaleyazilim.com.tr/EN/Pages/Haberler.aspx). Likewise the development of the YSK system was contracted to and still maintained by HAVELSAN (http://www.havelsan.com.tr/ENG/Main/urun/2321/the-supreme-el...). Both projects were contracted when AKP was ruling, though I'm not sure why we are discussing this aspect. If the software leaked information, it is the usual suspect: the Turkish government awards contracts on price-point and the easy way to build cheap software is to forgo testing and quality assurance. As Murphy's law states: "Never forget that your weapon was made by the lowest bidder." You get what you payed for.
As a reference system we developed, check out the General Directorate of Revenues' automation for its 1000+ tax offices and the 2003 ComputerWorld Honors winning Internet Tax Office.
Last, we have English content at http://www.cybersoft.com.tr/ENG/?q=node, where you can check our references.
If they, on the other hand, get thousands of customers complaining and leaving, they'll take security much more seriously in the future. There's also a good chance that affected users will be more careful and proactive about their personal data in the future.
In the immediate, the only thing that can happen, if at all, is for some people to lose their jobs.
I think he is hoping that if the leak is well covered enough by the media, it will be adding oil to the fire of public discontent. Perhaps in a way that would dislodge the current government.
Way I see it though, that's quite a long shot :)
Whoeves did this is an utter idiot, a profoundly inconsiderate hacktivist, whatever that shall be.
If this data was so easy to get, any state actor probably had it for years now. Also powerful criminal organisations.
Wasn't the harm potentially done already and this might trigger a change? Maybe now all those banks will not accept whatever data is in this leak as a way to authenticate a customer. In that scenario we would be in a better situation because of the leak.
Luckily there’s no really valuable data, other than personnummer. But i am sure with a little bit of digging it would be super easy, during Gezi police had a pwd like 12345
The important thing with the data is national stats, which is super important commercially. And that is for free now. More spam in the mailbox for everyone.
Obviously, for stalkers, sickos, or pedophiles this is an open source to attack. That is another security concern, because there was no db as in Sweden where you can access someone’s address this easy
Or just playing with data, xkcd.com/1409 :)
select first, count(*) from citizen group by first order by count(*) DESC limit 10;
first | count
MEHMET | 1172984
FATMA | 1154754
MUSTAFA | 898672
AYSE | 893053
EMINE | 756675
AHMET | 719391
ALI | 663136
HATICE | 659000
HUSEYIN | 521240
HASAN | 487906
Address data is pretty worthless considering how many places you can get such data.
I had a Twitter app (Tweetcaster?) that had a "show local tweets" option, and was amazed by how I could determine the individual dorm rooms tweets were coming from on a nearby college campus.
Not to include it the comment, especially since we always include the previous url in a comment, would have invited accusations of suppression, which would only call more attention to it.
Also, based on address info we know this dump is 2-6 years old.
> Which server is this? A Whois lookup returned nothing.
The whois command works on domain names, not IP addresses.
To get the DNS name associated with an IP address you can try a reverse lookup:
$ dig -x 18.104.22.168
You can still see where the server is located via tracepath:
$ tracepath 22.214.171.124
12: lon-tel-01c.voxility.net 86.537ms asymm 16
13: buc-ird-01c.voxility.net 147.516ms asymm 17
14: buc-ird-27sw.voxility.net 136.914ms asymm 18
15: buc-ird-46sw.voxility.com 149.699ms asymm 18
16: 126.96.36.199 143.626ms reached
$ whois 188.8.131.52
Abuse contact info: firstname.lastname@example.org
inetnum: 184.108.40.206 - 220.127.116.11
descr: FlokiNET ehf
status: ASSIGNED PA
person: FlokiNET ehf
address: P.O. Box No 4
descr: FlokiNET ehf
When your true goals are phishing, criminal activities, spamming to robe innocent people, at least be honest and do not make such grandiose statements. /rant
I was mainly referring to the high and mighty attitude about fixing their broken db. If you're gonna fix it, it's all or nothing in my book.
You don't have much choice in the data your government loses about you.
Interesting how what once was basic know-how (don't use your real name everywhere on the web) is now almost criminal as Facebook does their best to enforce, legally and otherwise, -real accounts, and way to many sites use Facebook as comments system / login etc or otherwise require you to sign with a full name.
Privacy isn't transactional, it's environmental.
Even if I am mentioned there, Zuckerberg & friends don't have any account to cross-reference to target me with ads, etc.
So, my absence from Facebook is nonetheless a significant enhancement of my privacy.
I mean, I suppose skipping a domain means one less company that knows your personal information, but doesn't this mean Voxility can lookup the customer for this IP?
 koolba's comment: https://news.ycombinator.com/item?id=11420959
Also, a domain name costs money, and you get little use of it (just paid $20 for a domain that gets taken offline in a few days). And even if there was a domain name, what should it be? Turkish-citizenship-dump.com? What values does it add if the site only sticks around for a few days?
1. Governments can't keep this kind of data secure.
2. Massive troves of information that identify individuals are a very tempting target.
This sort of breach argues against big centralized (e.g. NSA's "sniff it all") data stores. They're just too easy to get into the wrong hands.
Log: http://pastebin.com/EgKhCj6z (Time is EEST, UTC +3)
Are the implications of the National identifier similar to an SSN in the US?
By the way, why the heck is this in ASCII?
Guys, tell me, please: If I add this base and create UI for find people to search by Name, birth date, etc. Is it legally?
Erdohan certainly is using the situation to crack down on national opposition and get as many separatists killed while the rest of the world is focusing on the Syrian civil war and its exports of violence. That's simply realpolitik though, not ideology.
That said, the tone and message accompanying this leak is ridiculous.
To any Turk that may read this: Ne Mutlu Kürdüm Diyene (Happy is he who says I am a Kurd :)