#Turkish Citizenship Database
Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?
This leak contains the following information for 49,611,709 Turkish citizens: (IN CLEARTEXT)
- National Identifier (TC Kimlik No)
- First Name
- Last Name
- Mother's First Name
- Father's First Name
- Gender
- City of Birth
- Date of Birth
- ID Registration City and District
- Full Address
**Lesson to learn for Turkey:**
- Bit shifting isn't encryption.
- Index your database. We had to fix your sloppy DB work.
- Putting a hardcoded password on the UI hardly does anything for security.
- Do something about Erdogan! He is destroying your country beyond recognition.
**Lessons for the US?** We really shouldn't elect Trump, that guy sounds like he knows even less about running a country than Erdogan does.
[Example Data]
[Download URL]
Right, because Clinton...who ran her own private email server and sent classified information from her house...is much more qualified when it comes to data security?
If you were a voter in 2010, as far as I know. But I don't know if it contains foreign home addresses. Some people say that it was fetched from ysk.gov.tr . Normally MERNİS has more detailed database, so they say that it cannot be MERNİS. MERNİS stands for Central Citizenship Administration Center, it contains even pre-Turkish Republic "citizens", like from Ottoman Empire. YSK stands for Supreme Electoral Council. A friend of mine had access to MERNİS, he once said that the leaked data is not directly from MERNİS.
This makes me so angry. It is good that you show the infrastructure is bad, but how stupid does one have to be to say "do something about Erdogan" to the people who are facing identity theft directly due to one's actions?
Many companies use date of birth and address for authentication. The only thing that is missing is mother's maiden name, which then would be enough to access confidential information at most banks (though they wouldn't be able to transfer money without authorisation code).
Many companies use date of birth and address for authentication. The only thing that is missing is mother's maiden name, which then would be enough to access confidential information at most banks (though they wouldn't be able to transfer money without authorisation code).
Maybe they should learn a lesson from here - information that you do not control should not be used for authentication. Especially the one that is in its essence public.
Exactly! This is about as secure as having your first dog's name as a password reset hint. I either already know or can simply ask about the birthday, address and mother's maiden name of practically anyone I know.
I've always hated the mother's maiden name security question because my mother kept her maiden name so it's not exactly a hard thing to figure out in my case.
I think that one will go away sooner than later though, because taking a husband's name is becoming less common in a lot of societies.
The lazy way (which is still arguably better than answering truthfully) is to use the same answer for all the security questions. The better way is to treat each answer as another password and encrypt and store the answers somewhere safe.
Realistically how many people outside (or even inside) HN are going to do that? No matter how you spin it, security questions are a very bad "security pattern" in my opinion and we should get rid of them.
The same way as you keep track of any secure password: either with a password manager like 1Password, etc, or else through some Byzantine scheme that you manage yourself.
I use 1Password for this as well, but I recently had a security questions form (can't remember where) that tried to reject random strings because they didn't look like words.
Luckily, 1Password has a 'correct horse battery staple'-generator these days as well.
If it's only 2 bits, you're assuming the attacker already knows that the formula is "Using someone else's information" and that there are only 4 possible people whose information you would use.
Even knowing that you're using a formula is a bit of information. The type of formula is potentially thousands of bits of information. An attacker doesn't know whether it's a cipher, or a code, or something more complex, and only then can they begin figuring out the parameters to that formula.
Pretty sure lots of people use relatives' info. Very, very few use ciphers in their head.
Friend used to have a car with a keycode door lock. He just used 5555 or whatever. I suggested he use the address where the car was parked, or some hash of that. Wouldn't have to remember it! And it would vary some at least.
Well, sure, 8 bits of entropy isn't going to help you much if your password is "password". Those bits only provide the opportunity for randomness. At the end of the day you still have to apply that entropy effectively by picking something that can't be guessed easily. The point is that there are opportunities for people savvy enough to recognize them.
My aim isn't to guard against the answers being guessed, it is to deny the operator of the service asking those questions from gathering accurate data about me that may later be exposed.
Someone then trying to fraudulently use my identity info, or for any kind of socially engineered attack, would lose out.
E.g. calling some financial service provider and trying to get a password reset based on D.O.B, mother's maiden name, or whatever.
Think of those fields as secondary password fields and act accordingly.
Diceware can also be useful for when they need to be spoken on the phone. With the right amount of words (7 or more) it has reasonably good entropy too.
Thank you for answering the security question Mr. Stavros. I'll accept "Bee" as your dog's name. To which offshore bank did you say you wanted to transfer the money ?
How to companies verify mother's maiden name? I've never used my mothers real maiden name when filling out any kind of account application form and no one has ever batted an eye.
> The only thing that is missing is mother's maiden name.
It's extremely unsafe for known distribution of last names. E.g. in leaked db most frequent 12 last names correspond to 10% share of population, and most frequent 50 names "explain" 20% of population.
Interesting how what once was basic know-how (don't use your real name everywhere on the web) is now almost criminal as Facebook does their best to enforce, legally and otherwise, -real accounts, and way to many sites use Facebook as comments system / login etc or otherwise require you to sign with a full name.
I do not know, but strongly suspect, that my absence from Facebook means I'm rarely mentioned there. Certainly I'm mentioned less than if I had an account.
Even if I am mentioned there, Zuckerberg & friends don't have any account to cross-reference to target me with ads, etc.
So, my absence from Facebook is nonetheless a significant enhancement of my privacy.
It is worth noting that Facebook maintains "ghost" profiles for people who aren't members, but of whom they are aware. I'm having trouble finding a reference, but I remember it came out that when your friends ("friends") give Facebook their email contacts so that they can locate other people using their service, Facebook remembers contacts which do not yet hold accounts. I speculate this information wouldn't be valuable if they didn't attempt to infer that particular posts mentioned these non-member profiles.
The data released contains national identification codes that are confidential.
I believe the Swedish equivalent is the 'personnummer'.
The sites you indicated appear to be regular person search engines, like the US equivalent Whitepages?
Can you show a specific search result, pick any Swedish name you want, that would also list the person's personnummer?
The 'personnummer' is also publicly available, though the sites usually have to limit access in order to comply with Personuppgiftslagen/PuL (Swedish version of the Data Protection Directive).
The mentioned websites contain at least the full name, birthdate, registered address and marital status of every Swedish resident (at least above the age of ~16?), with the exception of a very small percentage of people with protected identity (which you can only get if you're under a "serious and concrete threat"). They get this data straight from the government - it's all public.
Go to e.g. http://www.ratsit.se/, write "Stockholm" under "Var" and hit "Sök" and click on a name for an example.
You won't see the personal identification number ("personnummer") that we use for absolutely everything, however as tednoob mentions you can get access to this by paying for premium access. Or you can call the Swedish Tax Authority. They don't have the right to ask who you are or why you want someone's number.
In Finland even salary and capital gains data is released. Newspapers compile high score lists from it each year. There might be some lower limit to how much you need to earn before your data becomes public.
You can actually access the public tax information for anyone if you visit the tax office or call their free customer service. Newspapers publicise only the top earners, but nothing stops you from finding out how much your neighbour earned last year in income and capital gains, if you really want to (and I guess quite many want, Finland is after all known as the "land of million of enviers" in addition to the more famous "land of thousand lakes".)
It will list the "personnummer", but usually not the last 4 digits. This became a big deal a number of years ago, when they did list the complete numbers, and this was changed so that if the complete number is requested, the party you request information about needs to be informed. However, the complete numbers are still public. Just with that caveat nowadays. (unsure if some still sidestep the "new" legislation, there were some more or less shady companies for a while that still informed you of their full numbers)
I'm not saying there aren't drawbacks, but I can think of two benefits:
1. It makes some forms of investigative journalism easier. For example, there has been a lot of discussion about the potential problems of having most of the influential journalists in Sweden living within a very small "hipster" area in Stockholm.
2. E-commerce companies may decide to only ship to the adress where you are officially registered, making it harder to commit e-commerce fraud.
On the other hand it's trivial to change someone's official address. Just send a certain form by mail to the tax agency. (Not sure if they send a confirmation to the old address; but if they do, the perpetrator only has to pick someone who's on vacation; hello Twitter & Facebook.)
If you have registered an email / phone number they will send a message there about your changed address.
I don't know if they've done this yet but a while ago there were articles about them working on a way to disallow changing your address via the mail form:
I would say there is more issues than gains. But sometimes it's nice, I once found someones wallet and was able to find his phone number with the service. Called the guy, he came and picked up his wallet and gave me 500kr as thanks.
Difference being that in Sweden there is a different requiremnet for causing harm (IE; national ID card or passport - or linked bank account) simply having a social security number and address is not enough for identity theft to occur.
in other countries they treat SSN's as private, thus they are trusted.
I ordered some stuff yesterday and I only had to provide the SSN and it filled out the adress and everything. Then, I specified Klarna and the order was away.
But if you'd tried to get them to ship to a different address than the one they filled in then they would probably refuse. That adds a least a little bit of fraud security.
Actually it is and there have been a couple of cases both in Denmark and Sweden.
The problem is that the CPR is tied to all sorts of information from you credit card to your patient journal. You only need to get access to one of those things before you have the potential of access to all the other places.
Interesting. In Germany this database does not even exist. Each town keeps its own data and they are not connected. I think the reason for this are the evil uses of data bases by the Gestapo during Nazi times.
Most states keep all data in a state-wide database and all registers are electronically connected. This is the reason why you don't need to deregister anymore when moving within Germany, a new registration will suffice.
What there isn't is a single central database and if you want to query data you will need to ask different authorities to get it all.
"Unlike common belief there is no central administration — except for foreigners (see Central Register of Foreign Nationals (Germany)) — the resident registration is run by 5283 local offices throughout Germany."
For passports, I'd guess that there is a different database.
For passports, I'd guess that there is a different database.
OK, so that makes sense. So at the national level, they only have your Meldeort (place of registration), as it appears on your ID card -- but not (in theory) your residential address.
They look at the ID card or passport you present. They may make a record of your entry and may look up whether your ID was stolen or there is a warrant for you.
They certainly don't look up in a database whether you are a citizen. Such an EU-wide thing simply doesn't exist. Heck, even the entry and exit records are not in a common database. At the moment many borders can't even verify the government signature saved on the chip.
That's the same how other government officials determine your German citizenship in most circumstances. Only very few people go through the process of getting definitive proof of their citizenship (Staatsangehörigenausweis) in any point of their life as there is simply no reason to. This process takes quite some time, often including looking at some non-digitized paper documents archived somewhere.
They certainly don't look up in a database whether you are a citizen.
OK, "citizen or valid resident / visa holder / having some other legitimate reason to be holding something that looks like an EU identity card", then.
Whichever -- I was just simplifying. But something tells me that something at major border crossings (e.g. hub airports) has to at least authenticate your right-of-entry -- and that your travel document isn't outright fabricated -- at least a significant portion of the time.
Again, as applies strictly to cases of persons attempting to enter the Shengen area, on the basis of possession of an EU identity card, or a similar travel document asserting current legal residency in one of the member countries. I just don't see how they can (effectively) tell whether the document hasn't been forged or revoked, without comparing against a master list.
I can assure you that they do not check for positive entry in any database when crossing into Schengen whatsoever. Usually they check if the presented document is marked stolen but even that is sometimes skipped as the database (SIS II) is rather slow. This database contains around 50 million entries which shows that it can't possible hold information on all residents.
There is neither an EU-wide database of citizens, nor of permanent residents. They do have a database of most issued short-term Schengen visa nowadays (VIS) but even that took a lot of effort to implement.
And as said, at the moment they can't even verify all electronic signatures in electronic passports but that should be fixed soon.
I'm not even sure how they would create such a database of citizens as even not the German government has a conclusive list of all citizens and I presume it's similar in other member states.
That check for the right-of-entry is done with the presented document alone. Revocations are checked against and while it's possible to forge the documents it's not easy. But yes, there are known cases of people successfully entering with forged documents.
Yes it does (and this is required by international agreement). The number contains an identifier for the issuing authority (and its name is also printed on the passport) so they know where to look for info if they need to.
I'll tell you something interesting. I crossed from Bulgaria to Turkey without presenting my ID to Bulgarian authorities. I crossed into Bulgaria by just showing my ID to Bulgarian authorities. Turkish side stores detailed records but Bulgaria is not interested where I am. They don't know wheter I'm in Bulgaria or not.
In 2007 they introduced a unique tax number for every natural person.
In fact, assigning these numbers was complicated by the fact that there is no central registration data base. They started from all the local data bases and then filtered this data to remove duplicates.
As an American with a Swedish wife, I was very surprised to learn about the availability of this data. But something that really turned me around was that it makes verifying strangers much easier. My cousin-in-law was using it to look up the people offering to become au pair to her children. Then also of course, I remembered that we have the same service in the United States, it just costs you ten or fifteen dollars for the information. You can get exactly this information that is up-to-date and accurate by paying for one of those background checks from one of the major providers. Same stuff.
You think that if it is not getting posted on HN than nobody will notice it? What would you qualify HN worthy submission? I did not read the URL just read the comments but it was quite entertaining, HN is not responsible about the content of the submission URLs but it is a great place to discuss the subject with other people.
The problem was the creation of the list and the subsequent negligent protection of the data not it being passed to HN after it's been published to the internet.
It's like the Ashely Madison leak - Hacker News discussed it happily as well even though that was a complete dox list of individuals.
No it is not similar to Ashhley Madison nor panama offshore accounts.
It is similar to me dumping all HN users' personal IDs and addresses as well as birth certificates. Or similar to dumping all Irish citizen's driving licenses, addresses and ID info and linking them here on top.
I have seen HN crowd being careful for a single person's privacy just to keep his mood up.
HN did not do that though. Again, we are talking about the dump not executing it. Just because you are not talking about something bad it still exists. I got the Turkish page at least on 3 different channels, yet got the most meaningful comments on HN.
This is the product of self-righteous activism. You'd have to be pretty deluded and starving for attention to think effectively releasing tens of millions
of private individuals' complete identification data is justifiable in some way.
I see your point and I might agree with you (didn't make up my mind yet), but how is this different than disclosing someone else's vulnerability with a "hardcoded" date? In some cases, getting from disclosure to a working exploit is trivial.
If this data was so easy to get, any state actor probably had it for years now. Also powerful criminal organisations.
Wasn't the harm potentially done already and this might trigger a change? Maybe now all those banks will not accept whatever data is in this leak as a way to authenticate a customer. In that scenario we would be in a better situation because of the leak.
Hardly so for Turkey. Important positions in Turkish bureaucracy are being filled by people who have close ties to the ruling party. I guess this is somewhat normal in many countries given that you have some appropriate filters, unfortunately such filters are diminishing every year. Just last week the prime minister announced they would hire 750k long term government employees bypassing the regular procedures and by creating adhoc exams for each position. Regularly Turkey has this nationwide exam called KPSS which you would have to pass to be a government employee, bypassing this exam will even further reduce the government quality. I don't see how people without the necessary qualifications can improve these systems.
It is bad that decision makers can't on their own see that change is needed, but leaks like this could change public opinion, which is what influences politicians and businesses.
Couldn't you say this about every personal data leak ever? I'd say the problem is companies won't take you seriously if you simply say "you have a security hole here". They'll probably report you, maybe fix an immediate bug that covers the exact issue you found and move on.
If they, on the other hand, get thousands of customers complaining and leaving, they'll take security much more seriously in the future. There's also a good chance that affected users will be more careful and proactive about their personal data in the future.
In the immediate, the only thing that can happen, if at all, is for some people to lose their jobs.
I think he is hoping that if the leak is well covered enough by the media, it will be adding oil to the fire of public discontent. Perhaps in a way that would dislodge the current government.
in the end of 199x in Russia a lot of big government databases - incl. individuals' passports, companies' registrations, real estate property data, etc.. got leaked and become widely available. It was very convenient - you could immediately verify all the stuff about people and companies you were dealing with, and such ability is extremely important in the environment when fraud is a normal everyday matter.
I definitely agree. If only a single cryptographer would have been part of the equation, no one would have had a reason to write “Bit shifting isn't encryption” . Looking at my comment again again, I guess it was simply too short to be understood as a cinical “read it with a smile” kind of thing. Just to be sure no one gets me wrong: I surely did not want to hype any of the bad guys, nor make fun of the victims… the innocent Turkish citizens involved. Yet, I can’t help to shake my head that a Turkish governmental agency was stupid enough to use a near to “xor-by-one” snakeoil crypto thingy instead of well-vetted and security proven cryptographic algorithms and protocols. If they would have, there wouldn’t be a problem – just a blob of encrypted data. Which is why I said: “cryptographers 1 – Idiots 0”… which was merely meant to be interpreted as “roll your own crypto, eat your own poison – no cryptographer would have stepped into the stupid pitfall of using home-brew toys instead of well-vetted algos & protocols”. Hope that somewhat is able to explain what I meant with my comment. If my cynical comment was misunderstood due to its minimalism – my bad. Downvotes correctly punished me accordingly for my comment being too short to be understood upon first glimpse – next time, I’ll be sure to be clearer.
Wow I didn't know you put IPs directly in there. If so, it returns back the ownership info of the IP from ARIN. Not quite the same as getting the contact info for a domain name but still quite nifty. Thanks!
Luckily there’s no really valuable data, other than personnummer. But i am sure with a little bit of digging it would be super easy, during Gezi police had a pwd like 12345
The important thing with the data is national stats, which is super important commercially. And that is for free now. More spam in the mailbox for everyone.
Obviously, for stalkers, sickos, or pedophiles this is an open source to attack. That is another security concern, because there was no db as in Sweden where you can access someone’s address this easy
I don't know about other countries but in the US, there are things called Whitepages which list names, addresses and phone numbers of the majority of people/businesses.
Address data is pretty worthless considering how many places you can get such data.
It's 2016 -- forget the Whitepages. Most people publicly update all of this information everyday, multiple times per day, through their social media accounts.
People do opt in. People outside of the tech game don't think of these as making themselves more vulnerable -- they only see convenience (or just blindly click yes to anything).
I had a Twitter app (Tweetcaster?) that had a "show local tweets" option, and was amazed by how I could determine the individual dorm rooms tweets were coming from on a nearby college campus.
> The important thing with the data is national stats
Or just playing with data, xkcd.com/1409 :)
select first, count(*) from citizen group by first order by count(*) DESC limit 10;
first | count
----------+---------
MEHMET | 1172984
FATMA | 1154754
MUSTAFA | 898672
AYSE | 893053
EMINE | 756675
AHMET | 719391
ALI | 663136
HATICE | 659000
HUSEYIN | 521240
HASAN | 487906
A criminal thief putting personal data online and giving political lessons, shame on you really.
When your true goals are phishing, criminal activities, spamming to robe innocent people, at least be honest and do not make such grandiose statements. /rant
It's too late for that. Criminals have access to it already. I would argue we should indeed share it around so that at least average Turkish citizens are aware their data has been stolen.
I mean, I suppose skipping a domain means one less company that knows your personal information, but doesn't this mean Voxility[1] can lookup the customer for this IP?
A domain adds another point of failure (we want to take you down, we can just block the domain vs the server). As other have pointed out the abuse report for that hosted is quite terrible, so it might take a while to get taken down.
Also, a domain name costs money, and you get little use of it (just paid $20 for a domain that gets taken offline in a few days). And even if there was a domain name, what should it be? Turkish-citizenship-dump.com? What values does it add if the site only sticks around for a few days?
Where others see a weakness, I see an opportunity: that's how we could send traffic-tickets straight to policemen's door.
Enjoy watching "Rémi GAILLARD vs POLICE"
http://www.youtube.com/watch?v=bJMLS4RDAzk
Does the publisher of this leak really think the other politicians are better off in keeping private citizens' information private? S/he must have not heard the Clinton's own email server leak issue. Yeah, yeah, it's a cliché, but it shows exactly how much they care about security.
Clinton's email server didn't leak anything, so far as we know. The emails you've read have been released by the State Department as public government records.
I wouldn't put it past Trump to encourage radical christian violence, whether that would be terrorism is in the eye of the beholder.
Erdohan certainly is using the situation to crack down on national opposition and get as many separatists killed while the rest of the world is focusing on the Syrian civil war and its exports of violence. That's simply realpolitik though, not ideology.
That said, the tone and message accompanying this leak is ridiculous.
Yeah but a simple query can add a column, copy the data while parsing it into a native date and then drop the original column. It can all be in a transaction too so that if there is a failure nothing is lost.
I was mainly referring to the high and mighty attitude about fixing their broken db. If you're gonna fix it, it's all or nothing in my book.
TR citizen here, for the last 10 years only those who are really close to AKP got the government contracts including software like this etc. for stupid amounts of money with no know-how. Therefore this is absolutely normal -at least for us-, only thing that surprised me about this leak is this got into front page of HN.
Those software "companies" take millions of liras, usually for stupid CRUD stuff, develop it in like years and result is goddamn vulnerable, unaesthetic pieces of garbage.
I'm on that list as well. With that info, a terrorist can buy a SIM card for my name, use it to proxy-blow up a goddamn bomb aaaaand I'm in jail.
> With that info, a terrorist can buy a SIM card for my name
Well that escalated quickly.. Terrorists wouldn't need this database to supply them with names and addresses as most of that info is public in most countries (white-pages is one place). And I can go to any local shop and get a pre-paid SIM card without any personal info involved.
Also, if your country convicts you merely because someone used your name with no other evidence to tie you to the crime, you have bigger problems.
Name and maybe address can be found somehow but identity number absolutely can not be found (should not be from now on). Private companies confirm auth with name, surname, X,Y,Zth number of identity number.
You have to provide them name, surname and identity number in order to get a SIM card, in this example.
You don't need to be convicted for anything anymore if someone wants you to go to jail :) They get you in and start writing bill of indictment(?).
To give a little more context, if you are TR citizen what information you use and should keep private is: 1)Identity Number 2)Your mother's pre-marital surname.
Officials would tell her to use both or she'd have to go to European Court of Human Rights to have that simple right. A woman attorney did go ECHR iirc
How does the private company verify that the identity number is not bogus? Do they have some tamper-proof crypto box that validates a secure hash hidden in the ID or would a case like that only be flagged when the SIM registration is pushed to the government?
In any case, if it is customary to routinely hand the whole number to private companies (I read your description as "full number on registration, some digits on subsequent authentication"), then this leak has made that name/ID tuple only slightly less secret than it was before.
It is actually a grey area since the start. Today they get a zerox copy of your entire ID card which includes Identity Number as well but they should not do that.
The terrorist example I gave came from this grey area in fact. IIRC 2 years ago it was in the news that terrorists open up new SIM cards with regular citizens' information. When I checked it with my info, there was only 1 registered which was mine, when I checked my father however, had 4 SIMs registered and only 2 of them were his.
> And I can go to any local shop and get a pre-paid SIM card without any personal info involved.
You see, the fact that I could go to any shop and buy a pre-paid SIM card in the US was a surprise to me. Don't expect that to hold true anywhere else. Taking Brazil as an example: you need to provide a photo ID.
It is still possible in some countries. For example Ukrainian president was kicked out of office when he tried to make SIM card registration mandatory like in Russia.
That is not true for Spain. Since the attacks on 11-M 2014 in Madrid, it is mandatory to provide in the local shop your National ID card or passport to activate any SIM card. But the verification is done by the shop attendant.
Anyway, I do think it is pointless as there are plenty of ways to get a SIM card anonymously: buy it in other country, steal it, buy it from somebody, clone it...
It should actually be the other way around. Now that this information is public any kind of link with personally identifiable information should be considered suspect rather than to be used as evidence for wrongdoing without further checking. That information became less valuable with this leak, not more valuable and those things that you could do with that information before should now become harder.
I learned this leak through HN not TR media. Forget about front page, it is NOT even mentioned.
It is only mentioned by social media website @DikenComTr who are heavy-opposition to AKP regime -related with a NL journalist Frederike Geerdink, just because you are NL I wanted to mention-. Diken journalists love to spend some time in custody time to time and website gets shut down every once in a while.
Not only there, in other countries in Europe too, in Romania they are prosecuting the boss of the biggest software company we have, he has to sell his paintings and artwork for not being arrested(bail).
The usual opinion is that they all got rich with state contracts building stupid and expensive things that young kids would do in no time for nothing.
As a government agency, of course one would not prefer to hire kids, but these countries, they have good IT persons, they have universities that are struggling with funds and finance(as education is for free there and state universities are way beyond the private factories of diplomas that are known as private universities).
Instead of throwing that money, they could have helped education and develop infrastructure in the same time. Nobody has bloody consciousness any more!
Our government bought two $1M+ websites in the past years.
It's not that the websites would pose as a security risk, or store any valuable information, it's just plain corruption ...
fun fact in general, the corruption consumes 50% of the eu funded government investment in Hungary according to Transparency International, which means 11.6 billion euro currently
Also kinda sounds like Bulgaria. Maybe we should not be thinking in nation-defined terms but rather look for a global, state-independent solution. Bureaucracies tend to be sluggish anyways...
That sounds like Lithuania to me.. One of the largest local IT companies are prosecuted now because of dirty contracts with SODRA (social care stuff)..
The leak reported to be from YSG [1], organization that manages the election registers.
Software used by them developed by Cybersoft [2]. Cybersoft was part of the system who developed the new identity system in Turkey. The practices used by Cybersoft reported to be horrible. I know someone who worked on that project (about 15 years ago), reportedly they were really bad, playing games on servers where the all identity data of the citizens are stored. I do also know that any employee who was part of the project had access to the query systems, so it was possible to query the database for all citizens of Turkey, not sure how much data it revealed but it revealed the number of people with that name and surname ever born for sure.
Now, I'm not a fan of Erdogan but Cybersoft was developing stuff before Erdogan even got elected. So yes, maybe the government who started to work with Cybersoft was corrupt, maybe the current one is too but let's not just use every single baseless argument to attack Erdogan, it doesn't help anything.
Yeah, this is the worst case. If you google "Ali İsmail Korkmaz" you'll see a young protester, beaten to death by police and regime supporter bakery guy.
He was classmate of my gf and he probably was the nicest person you can ever met.
Just a note, it looks like this data comes from Mernis(1), a project with quite bad history, developed in 90's and launched in 2000 and internet access started in 2002.
I know a bit about government IT departments and contractors at the time and I had zero faith in their competence so this breach is no surprise to me. Current government is no different than is predecessors, just business as usual.
> Those software "companies" take millions of liras, usually for stupid CRUD stuff, develop it in like years and result is goddamn vulnerable, unaesthetic pieces of garbage.
that's great news! sounds like turkey is closer than anyone expected to being a full fledged western member state!
... a tenderpreneur is a person in government who abuses their
political power and influence to secure government tenders and
contracts. The word tenderpreneur is a portmanteau of "tendering"
and "entrepreneur".
UPDATE: It turns out the database that was claimed captured by hacking is actually a semi-public data. What's correct is the origin of the source of the database. However that database having limited information about voters are shared by the state agency and distributed to the political parties before the public polls by the mandate of voting laws. The database is actually from 2010 and was not obtained by hacking or anything but leaked by one of the political parties.
When I saw the news I did download the database and searched for myself. My information was not there. Because I am not a registered voter since I live in States. However all my siblings' and parents' information there unfortunately.
There's a fierce political rivalry in Turkey increasingly becoming uglier by day. The story was smelling from the beginning anyway, like implicating president, accusing cronyism and trying to score for some political agenda.
285 comments
[ 4.0 ms ] story [ 284 ms ] threadhttps://www.youtube.com/watch?v=7AN76IBkVf4
what is the deal with email, anyways:)
Are the implications of the National identifier similar to an SSN in the US?
This makes me so angry. It is good that you show the infrastructure is bad, but how stupid does one have to be to say "do something about Erdogan" to the people who are facing identity theft directly due to one's actions?
Many companies use date of birth and address for authentication. The only thing that is missing is mother's maiden name, which then would be enough to access confidential information at most banks (though they wouldn't be able to transfer money without authorisation code).
Maybe they should learn a lesson from here - information that you do not control should not be used for authentication. Especially the one that is in its essence public.
I think that one will go away sooner than later though, because taking a husband's name is becoming less common in a lot of societies.
Luckily, 1Password has a 'correct horse battery staple'-generator these days as well.
For other questions I use answers that 'belong' to a friend or relative. My secret key is the formula for figuring out who that is.
Even knowing that you're using a formula is a bit of information. The type of formula is potentially thousands of bits of information. An attacker doesn't know whether it's a cipher, or a code, or something more complex, and only then can they begin figuring out the parameters to that formula.
Friend used to have a car with a keycode door lock. He just used 5555 or whatever. I suggested he use the address where the car was parked, or some hash of that. Wouldn't have to remember it! And it would vary some at least.
Someone then trying to fraudulently use my identity info, or for any kind of socially engineered attack, would lose out.
E.g. calling some financial service provider and trying to get a password reset based on D.O.B, mother's maiden name, or whatever.
Diceware can also be useful for when they need to be spoken on the phone. With the right amount of words (7 or more) it has reasonably good entropy too.
"Your superhero name is your first pet's name, your mother's maiden name, and the street you grew up on - mine is Muffy Hitler Queen, what's yours?"
If the information is "compromised" by being looked up in a publicly available database, what are you going to do? Change your birthday?
Who does? I've seen them used as part of the signup process for some services but never as standalone authentication.
It's extremely unsafe for known distribution of last names. E.g. in leaked db most frequent 12 last names correspond to 10% share of population, and most frequent 50 names "explain" 20% of population.
You don't have much choice in the data your government loses about you.
Interesting how what once was basic know-how (don't use your real name everywhere on the web) is now almost criminal as Facebook does their best to enforce, legally and otherwise, -real accounts, and way to many sites use Facebook as comments system / login etc or otherwise require you to sign with a full name.
Privacy isn't transactional, it's environmental.
Even if I am mentioned there, Zuckerberg & friends don't have any account to cross-reference to target me with ads, etc.
So, my absence from Facebook is nonetheless a significant enhancement of my privacy.
There is also several sites that provide this information like a search service and it's perfectly legal:
http://www.merinfo.se/ http://www.ratsit.se/
Go to e.g. http://www.ratsit.se/, write "Stockholm" under "Var" and hit "Sök" and click on a name for an example.
You won't see the personal identification number ("personnummer") that we use for absolutely everything, however as tednoob mentions you can get access to this by paying for premium access. Or you can call the Swedish Tax Authority. They don't have the right to ask who you are or why you want someone's number.
Here's some select tidbits from the data in English: http://yle.fi/uutiset/who_are_finlands_top_earners/8427787
1. It makes some forms of investigative journalism easier. For example, there has been a lot of discussion about the potential problems of having most of the influential journalists in Sweden living within a very small "hipster" area in Stockholm.
2. E-commerce companies may decide to only ship to the adress where you are officially registered, making it harder to commit e-commerce fraud.
I don't know if they've done this yet but a while ago there were articles about them working on a way to disallow changing your address via the mail form:
http://www.dn.se/ekonomi/sa-ska-id-kapningar-forhindras/
In one country giving someone a pair of shoes is seen as a nice present, in another it is considered a grave insult.
What you grow up with as a kid can have a big influence on what you consider acceptable.
In my personal view as long as the rules apply the same to all then that's the largest problem solved.
EDIT: fixed typo
I am not joking when I worked for a Telco they used this scenario to empathize whey you should not do favours for friends and lookup peoples address.
in other countries they treat SSN's as private, thus they are trusted.
Of course, for things that really matter, you need an ID.
The problem is that the CPR is tied to all sorts of information from you credit card to your patient journal. You only need to get access to one of those things before you have the potential of access to all the other places.
It's that stupidly built.
Even if you only share them with people or merchants that you really, really trust, the sharing increases the risk of a leak.
What there isn't is a single central database and if you want to query data you will need to ask different authorities to get it all.
IBM leased them the machines and sold them the punched cards. And then sold them the census data they had collected across Europe during the 1930s.
http://www.ibmandtheholocaust.com/
That seems highly doubtful. How do the EU countries know you're a citizen, then, when you cross the border?
"Unlike common belief there is no central administration — except for foreigners (see Central Register of Foreign Nationals (Germany)) — the resident registration is run by 5283 local offices throughout Germany."
For passports, I'd guess that there is a different database.
OK, so that makes sense. So at the national level, they only have your Meldeort (place of registration), as it appears on your ID card -- but not (in theory) your residential address.
They certainly don't look up in a database whether you are a citizen. Such an EU-wide thing simply doesn't exist. Heck, even the entry and exit records are not in a common database. At the moment many borders can't even verify the government signature saved on the chip.
That's the same how other government officials determine your German citizenship in most circumstances. Only very few people go through the process of getting definitive proof of their citizenship (Staatsangehörigenausweis) in any point of their life as there is simply no reason to. This process takes quite some time, often including looking at some non-digitized paper documents archived somewhere.
OK, "citizen or valid resident / visa holder / having some other legitimate reason to be holding something that looks like an EU identity card", then.
Whichever -- I was just simplifying. But something tells me that something at major border crossings (e.g. hub airports) has to at least authenticate your right-of-entry -- and that your travel document isn't outright fabricated -- at least a significant portion of the time.
Again, as applies strictly to cases of persons attempting to enter the Shengen area, on the basis of possession of an EU identity card, or a similar travel document asserting current legal residency in one of the member countries. I just don't see how they can (effectively) tell whether the document hasn't been forged or revoked, without comparing against a master list.
There is neither an EU-wide database of citizens, nor of permanent residents. They do have a database of most issued short-term Schengen visa nowadays (VIS) but even that took a lot of effort to implement.
And as said, at the moment they can't even verify all electronic signatures in electronic passports but that should be fixed soon.
I'm not even sure how they would create such a database of citizens as even not the German government has a conclusive list of all citizens and I presume it's similar in other member states.
That check for the right-of-entry is done with the presented document alone. Revocations are checked against and while it's possible to forge the documents it's not easy. But yes, there are known cases of people successfully entering with forged documents.
Just wondering. Thanks for the cool info.
On the other hand they know my fingerprints.
In fact, assigning these numbers was complicated by the fact that there is no central registration data base. They started from all the local data bases and then filtered this data to remove duplicates.
Source: https://de.wikipedia.org/wiki/Steuerliche_Identifikationsnum... (sorry, German only)
Something that doesn't dox random people, for starters.
It's like the Ashely Madison leak - Hacker News discussed it happily as well even though that was a complete dox list of individuals.
It is similar to me dumping all HN users' personal IDs and addresses as well as birth certificates. Or similar to dumping all Irish citizen's driving licenses, addresses and ID info and linking them here on top.
I have seen HN crowd being careful for a single person's privacy just to keep his mood up.
Whoeves did this is an utter idiot, a profoundly inconsiderate hacktivist, whatever that shall be.
If this data was so easy to get, any state actor probably had it for years now. Also powerful criminal organisations.
Wasn't the harm potentially done already and this might trigger a change? Maybe now all those banks will not accept whatever data is in this leak as a way to authenticate a customer. In that scenario we would be in a better situation because of the leak.
If they, on the other hand, get thousands of customers complaining and leaving, they'll take security much more seriously in the future. There's also a good chance that affected users will be more careful and proactive about their personal data in the future.
In the immediate, the only thing that can happen, if at all, is for some people to lose their jobs.
I think he is hoping that if the leak is well covered enough by the media, it will be adding oil to the fire of public discontent. Perhaps in a way that would dislodge the current government.
Way I see it though, that's quite a long shot :)
> Which server is this? A Whois lookup returned nothing.
The whois command works on domain names, not IP addresses.
To get the DNS name associated with an IP address you can try a reverse lookup:
Unfortunately that only works if the the reverse record has been set up and it hasn't in this case.You can still see where the server is located via tracepath:
So most likely the server is hosted on voxility.com which looks like an IaaS provider.$ whois 185.100.87.84
Abuse contact info: abuse@flokinet.is
inetnum: 185.100.87.0 - 185.100.87.255 netname: FlokiNET-Romania descr: FlokiNET ehf country: RO admin-c: KW2732-RIPE tech-c: KW2732-RIPE status: ASSIGNED PA mnt-by: FlokiNET created: 2015-12-15T13:52:42Z last-modified: 2016-02-05T18:53:56Z source: RIPE
person: FlokiNET ehf address: P.O. Box No 4 address: 121 address: Reykjavík address: ICELAND phone: +3544150300 nic-hdl: KW2732-RIPE mnt-by: is-flokinet-1-mnt created: 2015-05-13T15:26:09Z last-modified: 2016-02-01T06:46:24Z source: RIPE
route: 185.100.87.0/24 descr: FlokiNET ehf origin: AS200651 mnt-by: FlokiNET created: 2016-02-05T18:52:09Z last-modified: 2016-02-05T18:52:09Z source: RIPE
---start quote---
Luckily there’s no really valuable data, other than personnummer. But i am sure with a little bit of digging it would be super easy, during Gezi police had a pwd like 12345
The important thing with the data is national stats, which is super important commercially. And that is for free now. More spam in the mailbox for everyone.
Obviously, for stalkers, sickos, or pedophiles this is an open source to attack. That is another security concern, because there was no db as in Sweden where you can access someone’s address this easy
---end quote---
Address data is pretty worthless considering how many places you can get such data.
I had a Twitter app (Tweetcaster?) that had a "show local tweets" option, and was amazed by how I could determine the individual dorm rooms tweets were coming from on a nearby college campus.
Or just playing with data, xkcd.com/1409 :)
When your true goals are phishing, criminal activities, spamming to robe innocent people, at least be honest and do not make such grandiose statements. /rant
I mean, I suppose skipping a domain means one less company that knows your personal information, but doesn't this mean Voxility[1] can lookup the customer for this IP?
[1] koolba's comment: https://news.ycombinator.com/item?id=11420959
Also, a domain name costs money, and you get little use of it (just paid $20 for a domain that gets taken offline in a few days). And even if there was a domain name, what should it be? Turkish-citizenship-dump.com? What values does it add if the site only sticks around for a few days?
Erdohan certainly is using the situation to crack down on national opposition and get as many separatists killed while the rest of the world is focusing on the Syrian civil war and its exports of violence. That's simply realpolitik though, not ideology.
That said, the tone and message accompanying this leak is ridiculous.
investbank.ae - https://news.ycombinator.com/item?id=11424606
I was mainly referring to the high and mighty attitude about fixing their broken db. If you're gonna fix it, it's all or nothing in my book.
Those software "companies" take millions of liras, usually for stupid CRUD stuff, develop it in like years and result is goddamn vulnerable, unaesthetic pieces of garbage.
I'm on that list as well. With that info, a terrorist can buy a SIM card for my name, use it to proxy-blow up a goddamn bomb aaaaand I'm in jail.
Well that escalated quickly.. Terrorists wouldn't need this database to supply them with names and addresses as most of that info is public in most countries (white-pages is one place). And I can go to any local shop and get a pre-paid SIM card without any personal info involved.
Also, if your country convicts you merely because someone used your name with no other evidence to tie you to the crime, you have bigger problems.
You have to provide them name, surname and identity number in order to get a SIM card, in this example.
You don't need to be convicted for anything anymore if someone wants you to go to jail :) They get you in and start writing bill of indictment(?).
In any case, if it is customary to routinely hand the whole number to private companies (I read your description as "full number on registration, some digits on subsequent authentication"), then this leak has made that name/ID tuple only slightly less secret than it was before.
The terrorist example I gave came from this grey area in fact. IIRC 2 years ago it was in the news that terrorists open up new SIM cards with regular citizens' information. When I checked it with my info, there was only 1 registered which was mine, when I checked my father however, had 4 SIMs registered and only 2 of them were his.
Which I gather is fully on-topic as you're a Turk writing from Turkey, right?
You see, the fact that I could go to any shop and buy a pre-paid SIM card in the US was a surprise to me. Don't expect that to hold true anywhere else. Taking Brazil as an example: you need to provide a photo ID.
It is still possible in some countries. For example Ukrainian president was kicked out of office when he tried to make SIM card registration mandatory like in Russia.
Anyway, I do think it is pointless as there are plenty of ways to get a SIM card anonymously: buy it in other country, steal it, buy it from somebody, clone it...
Yes, we do! And that is why leaks like this are especially harmful.
It is only mentioned by social media website @DikenComTr who are heavy-opposition to AKP regime -related with a NL journalist Frederike Geerdink, just because you are NL I wanted to mention-. Diken journalists love to spend some time in custody time to time and website gets shut down every once in a while.
Your type of comments show how clueless you are and can't grasp personal privacy attacks from politics bullshit.
The usual opinion is that they all got rich with state contracts building stupid and expensive things that young kids would do in no time for nothing.
As a government agency, of course one would not prefer to hire kids, but these countries, they have good IT persons, they have universities that are struggling with funds and finance(as education is for free there and state universities are way beyond the private factories of diplomas that are known as private universities).
Instead of throwing that money, they could have helped education and develop infrastructure in the same time. Nobody has bloody consciousness any more!
500k only for the planing and teaching how to use $1,2M total, for a site what is essentially a video sharing website: https://hu.wikipedia.org/wiki/Korm%C3%A1nysz%C3%B3viv%C5%91....
$1,7M for the new site of the chamber of agriculture http://index.hu/gazdasag/2016/02/03/agrarkamara/
fun fact in general, the corruption consumes 50% of the eu funded government investment in Hungary according to Transparency International, which means 11.6 billion euro currently
Well, at least we still have good weather.
Software used by them developed by Cybersoft [2]. Cybersoft was part of the system who developed the new identity system in Turkey. The practices used by Cybersoft reported to be horrible. I know someone who worked on that project (about 15 years ago), reportedly they were really bad, playing games on servers where the all identity data of the citizens are stored. I do also know that any employee who was part of the project had access to the query systems, so it was possible to query the database for all citizens of Turkey, not sure how much data it revealed but it revealed the number of people with that name and surname ever born for sure.
Now, I'm not a fan of Erdogan but Cybersoft was developing stuff before Erdogan even got elected. So yes, maybe the government who started to work with Cybersoft was corrupt, maybe the current one is too but let's not just use every single baseless argument to attack Erdogan, it doesn't help anything.
[1] http://www.ysk.gov.tr/ysk/faces/Anasayfa.jspx
[2] http://www.cs.com.tr/TR/
Or, you know, dead. It's a bit optimistic in the current climate to assume they'd arrest you peacefully.
I know a bit about government IT departments and contractors at the time and I had zero faith in their competence so this breach is no surprise to me. Current government is no different than is predecessors, just business as usual.
(1)https://en.wikipedia.org/wiki/Turkish_Identification_Number
that's great news! sounds like turkey is closer than anyone expected to being a full fledged western member state!
https://en.wikipedia.org/wiki/Tenderpreneur
Could the meaning be applied here too?When I saw the news I did download the database and searched for myself. My information was not there. Because I am not a registered voter since I live in States. However all my siblings' and parents' information there unfortunately.
There's a fierce political rivalry in Turkey increasingly becoming uglier by day. The story was smelling from the beginning anyway, like implicating president, accusing cronyism and trying to score for some political agenda.
1. Governments can't keep this kind of data secure.
2. Massive troves of information that identify individuals are a very tempting target.
This sort of breach argues against big centralized (e.g. NSA's "sniff it all") data stores. They're just too easy to get into the wrong hands.