TR citizen here, for the last 10 years only those who are really close to AKP got the government contracts including software like this etc. for stupid amounts of money with no know-how. Therefore this is absolutely normal -at least for us-, only thing that surprised me about this leak is this got into front page of HN.
Those software "companies" take millions of liras, usually for stupid CRUD stuff, develop it in like years and result is goddamn vulnerable, unaesthetic pieces of garbage.
I'm on that list as well. With that info, a terrorist can buy a SIM card for my name, use it to proxy-blow up a goddamn bomb aaaaand I'm in jail.
Not only there, in other countries in Europe too. In Romania they are prosecuting the boss of the biggest software company we have; he has to sell his paintings and artwork for not being arrested (bail).
The usual opinion is that they all got rich with state contracts building stupid and expensive things that young kids would do in no time for nothing.
As a government agency, of course one would not prefer to hire kids, but these countries, they have good IT persons, they have universities that are struggling with funds and finance(as education is for free there and state universities are way beyond the private factories of diplomas that are known as private universities).
Instead of throwing that money away, they could have helped education and developed infrastructure at the same time. Nobody has a bloody conscience any more!
Also kinda sounds like Bulgaria. Maybe we should not be thinking in nation-defined terms but rather look for a global, state-independent solution. Bureaucracies tend to be sluggish anyways...
That sounds like Lithuania to me.. One of the largest local IT companies are prosecuted now because of dirty contracts with SODRA (social care stuff)..
Our government bought two $1M+ websites in the past years.
It's not that the websites would pose as a security risk, or store any valuable information, it's just plain corruption ...
Fun fact in general: corruption consumes 50% of the EU-funded government investment in Hungary according to Transparency International, which means 11.6 billion euro currently.
Just a note, it looks like this data comes from Mernis(1), a project with quite bad history, developed in 90's and launched in 2000 and internet access started in 2002.
I know a bit about government IT departments and contractors at the time and I had zero faith in their competence, so this breach is no surprise to me. The current government is no different than its predecessors, just business as usual.
It should actually be the other way around. Now that this information is public any kind of link with personally identifiable information should be considered suspect rather than to be used as evidence for wrongdoing without further checking. That information became less valuable with this leak, not more valuable and those things that you could do with that information before should now become harder.
I learned this leak through HN not TR media. Forget about front page, it is NOT even mentioned.
It is only mentioned by social media website @DikenComTr who are heavy-opposition to AKP regime -related with a NL journalist Frederike Geerdink, just because you are NL I wanted to mention-. Diken journalists love to spend some time in custody time to time and website gets shut down every once in a while.
> With that info, a terrorist can buy a SIM card for my name
Well that escalated quickly.. Terrorists wouldn't need this database to supply them with names and addresses as most of that info is public in most countries (white-pages is one place). And I can go to any local shop and get a pre-paid SIM card without any personal info involved.
Also, if your country convicts you merely because someone used your name with no other evidence to tie you to the crime, you have bigger problems.
Name and maybe address can be found somehow but identity number absolutely can not be found (should not be from now on). Private companies confirm auth with name, surname, X,Y,Zth number of identity number.
You have to provide them name, surname and identity number in order to get a SIM card, in this example.
You don't need to be convicted for anything anymore if someone wants you to go to jail :) They get you in and start writing bill of indictment(?).
To give a little more context, if you are TR citizen what information you use and should keep private is: 1)Identity Number 2)Your mother's pre-marital surname.
Officials would tell her to use both or she'd have to go to European Court of Human Rights to have that simple right. A woman attorney did go ECHR iirc
How does the private company verify that the identity number is not bogus? Do they have some tamper-proof crypto box that validates a secure hash hidden in the ID or would a case like that only be flagged when the SIM registration is pushed to the government?
In any case, if it is customary to routinely hand the whole number to private companies (I read your description as "full number on registration, some digits on subsequent authentication"), then this leak has made that name/ID tuple only slightly less secret than it was before.
It is actually a grey area since the start. Today they get a Xerox copy of your entire ID card, which includes the Identity Number as well, but they should not do that.
The terrorist example I gave came from this grey area in fact. IIRC 2 years ago it was in the news that terrorists open up new SIM cards with regular citizens' information. When I checked it with my info, there was only 1 registered which was mine, when I checked my father however, had 4 SIMs registered and only 2 of them were his.
> And I can go to any local shop and get a pre-paid SIM card without any personal info involved.
You see, the fact that I could go to any shop and buy a pre-paid SIM card in the US was a surprise to me. Don't expect that to hold true anywhere else. Taking Brazil as an example: you need to provide a photo ID.
It is still possible in some countries. For example Ukrainian president was kicked out of office when he tried to make SIM card registration mandatory like in Russia.
That is not true for Spain. Since the attacks on 11-M 2014 in Madrid, it is mandatory to provide in the local shop your National ID card or passport to activate any SIM card. But the verification is done by the shop attendant.
Anyway, I do think it is pointless as there are plenty of ways to get a SIM card anonymously: buy it in other country, steal it, buy it from somebody, clone it...
UPDATE: It turns out the database that was claimed captured by hacking is actually a semi-public data. What's correct is the origin of the source of the database. However that database having limited information about voters are shared by the state agency and distributed to the political parties before the public polls by the mandate of voting laws. The database is actually from 2010 and was not obtained by hacking or anything but leaked by one of the political parties.
When I saw the news I did download the database and searched for myself. My information was not there. Because I am not a registered voter since I live in States. However all my siblings' and parents' information there unfortunately.
There's a fierce political rivalry in Turkey increasingly becoming uglier by day. The story was smelling from the beginning anyway, like implicating president, accusing cronyism and trying to score for some political agenda.
> ... a tenderpreneur is a person in government who abuses their political power and influence to secure government tenders and contracts. The word tenderpreneur is a portmanteau of "tendering" and "entrepreneur".
Yeah, this is the worst case. If you google "Ali İsmail Korkmaz" you'll see a young protester, beaten to death by police and regime supporter bakery guy.
He was classmate of my gf and he probably was the nicest person you can ever met.
> Those software "companies" take millions of liras, usually for stupid CRUD stuff, develop it in like years and result is goddamn vulnerable, unaesthetic pieces of garbage.
That's great news! Sounds like Turkey is closer than anyone expected to being a full-fledged western member state!
Interesting. In Germany this database does not even exist. Each town keeps its own data and they are not connected. I think the reason for this are the evil uses of data bases by the Gestapo during Nazi times.
Most states keep all data in a state-wide database and all registers are electronically connected. This is the reason why you don't need to deregister anymore when moving within Germany, a new registration will suffice.
What there isn't is a single central database and if you want to query data you will need to ask different authorities to get it all.
They look at the ID card or passport you present. They may make a record of your entry and may look up whether your ID was stolen or there is a warrant for you.
They certainly don't look up in a database whether you are a citizen. Such an EU-wide thing simply doesn't exist. Heck, even the entry and exit records are not in a common database. At the moment many borders can't even verify the government signature saved on the chip.
That's the same how other government officials determine your German citizenship in most circumstances. Only very few people go through the process of getting definitive proof of their citizenship (Staatsangehörigenausweis) in any point of their life as there is simply no reason to. This process takes quite some time, often including looking at some non-digitized paper documents archived somewhere.
They certainly don't look up in a database whether you are a citizen.
OK, "citizen or valid resident / visa holder / having some other legitimate reason to be holding something that looks like an EU identity card", then.
Whichever -- I was just simplifying. But something tells me that something at major border crossings (e.g. hub airports) has to at least authenticate your right-of-entry -- and that your travel document isn't outright fabricated -- at least a significant portion of the time.
Again, as applies strictly to cases of persons attempting to enter the Schengen area on the basis of possession of an EU identity card, or a similar travel document asserting current legal residency in one of the member countries. I just don't see how they can (effectively) tell whether the document hasn't been forged or revoked, without comparing against a master list.
I can assure you that they do not check for a positive entry in any database when crossing into Schengen whatsoever. Usually they check if the presented document is marked stolen, but even that is sometimes skipped as the database (SIS II) is rather slow. This database contains around 50 million entries, which shows that it can't possibly hold information on all residents.
There is neither an EU-wide database of citizens, nor of permanent residents. They do have a database of most issued short-term Schengen visa nowadays (VIS) but even that took a lot of effort to implement.
And as said, at the moment they can't even verify all electronic signatures in electronic passports but that should be fixed soon.
I'm not even sure how they would create such a database of citizens as even not the German government has a conclusive list of all citizens and I presume it's similar in other member states.
That check for the right-of-entry is done with the presented document alone. Revocations are checked against and while it's possible to forge the documents it's not easy. But yes, there are known cases of people successfully entering with forged documents.
Yes it does (and this is required by international agreement). The number contains an identifier for the issuing authority (and its name is also printed on the passport) so they know where to look for info if they need to.
I'll tell you something interesting. I crossed from Bulgaria to Turkey without presenting my ID to Bulgarian authorities. I crossed into Bulgaria by just showing my ID to Bulgarian authorities. The Turkish side stores detailed records but Bulgaria is not interested where I am. They don't know whether I'm in Bulgaria or not.
"Unlike common belief there is no central administration — except for foreigners (see Central Register of Foreign Nationals (Germany)) — the resident registration is run by 5283 local offices throughout Germany."
For passports, I'd guess that there is a different database.
OK, so that makes sense. So at the national level, they only have your Meldeort (place of registration), as it appears on your ID card -- but not (in theory) your residential address.
In 2007 they introduced a unique tax number for every natural person.
In fact, assigning these numbers was complicated by the fact that there is no central registration data base. They started from all the local data bases and then filtered this data to remove duplicates.
The data released contains national identification codes that are confidential.
I believe the Swedish equivalent is the 'personnummer'.
The sites you indicated appear to be regular person search engines, like the US equivalent Whitepages?
Can you show a specific search result, pick any Swedish name you want, that would also list the person's personnummer?
The mentioned websites contain at least the full name, birthdate, registered address and marital status of every Swedish resident (at least above the age of ~16?), with the exception of a very small percentage of people with protected identity (which you can only get if you're under a "serious and concrete threat"). They get this data straight from the government - it's all public.
Go to e.g. http://www.ratsit.se/, write "Stockholm" under "Var" and hit "Sök" and click on a name for an example.
You won't see the personal identification number ("personnummer") that we use for absolutely everything, however as tednoob mentions you can get access to this by paying for premium access. Or you can call the Swedish Tax Authority. They don't have the right to ask who you are or why you want someone's number.
In Finland even salary and capital gains data is released. Newspapers compile high score lists from it each year. There might be some lower limit to how much you need to earn before your data becomes public.
You can actually access the public tax information for anyone if you visit the tax office or call their free customer service. Newspapers publicise only the top earners, but nothing stops you from finding out how much your neighbour earned last year in income and capital gains, if you really want to (and I guess quite many want, Finland is after all known as the "land of million of enviers" in addition to the more famous "land of thousand lakes".)
It will list the "personnummer", but usually not the last 4 digits. This became a big deal a number of years ago, when they did list the complete numbers, and this was changed so that if the complete number is requested, the party you request information about needs to be informed. However, the complete numbers are still public. Just with that caveat nowadays. (unsure if some still sidestep the "new" legislation, there were some more or less shady companies for a while that still informed you of their full numbers)
The 'personnummer' is also publicly available, though the sites usually have to limit access in order to comply with Personuppgiftslagen/PuL (Swedish version of the Data Protection Directive).
The difference being that in Sweden there is a different requirement for causing harm (i.e. national ID card or passport, or a linked bank account); simply having a social security number and address is not enough for identity theft to occur.
in other countries they treat SSN's as private, thus they are trusted.
I ordered some stuff yesterday and I only had to provide the SSN and it filled out the address and everything. Then I specified Klarna and the order was away.
But if you'd tried to get them to ship to a different address than the one they filled in then they would probably refuse. That adds a least a little bit of fraud security.
Actually it is and there have been a couple of cases both in Denmark and Sweden.
The problem is that the CPR is tied to all sorts of information, from your credit card to your patient journal. You only need to get access to one of those things before you have the potential of access to all the other places.
As an American with a Swedish wife, I was very surprised to learn about the availability of this data. But something that really turned me around was that it makes verifying strangers much easier. My cousin-in-law was using it to look up the people offering to become au pair to her children. Then also of course, I remembered that we have the same service in the United States, it just costs you ten or fifteen dollars for the information. You can get exactly this information that is up-to-date and accurate by paying for one of those background checks from one of the major providers. Same stuff.
I would say there are more issues than gains. But sometimes it's nice: I once found someone's wallet and was able to find his phone number with the service. Called the guy, he came and picked up his wallet and gave me 500kr as thanks.
I'm not saying there aren't drawbacks, but I can think of two benefits:
1. It makes some forms of investigative journalism easier. For example, there has been a lot of discussion about the potential problems of having most of the influential journalists in Sweden living within a very small "hipster" area in Stockholm.
2. E-commerce companies may decide to only ship to the address where you are officially registered, making it harder to commit e-commerce fraud.
On the other hand it's trivial to change someone's official address. Just send a certain form by mail to the tax agency. (Not sure if they send a confirmation to the old address; but if they do, the perpetrator only has to pick someone who's on vacation; hello Twitter & Facebook.)
If you have registered an email / phone number they will send a message there about your changed address.
I don't know if they've done this yet but a while ago there were articles about them working on a way to disallow changing your address via the mail form:
# Turkish Citizenship Database
Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?
This leak contains the following information for 49,611,709 Turkish citizens: (IN CLEARTEXT)
- National Identifier (TC Kimlik No)
- First Name
- Last Name
- Mother's First Name
- Father's First Name
- Gender
- City of Birth
- Date of Birth
- ID Registration City and District
- Full Address
**Lesson to learn for Turkey:**
- Bit shifting isn't encryption.
- Index your database. We had to fix your sloppy DB work.
- Putting a hardcoded password on the UI hardly does anything for security.
- Do something about Erdogan! He is destroying your country beyond recognition.
**Lessons for the US?** We really shouldn't elect Trump, that guy sounds like he knows even less about running a country than Erdogan does.
[Example Data]
[Download URL]
Right, because Clinton...who ran her own private email server and sent classified information from her house...is much more qualified when it comes to data security?
This makes me so angry. It is good that you show the infrastructure is bad, but how stupid does one have to be to say "do something about Erdogan" to the people who are facing identity theft directly due to one's actions?
Many companies use date of birth and address for authentication. The only thing that is missing is mother's maiden name, which then would be enough to access confidential information at most banks (though they wouldn't be able to transfer money without authorisation code).
Maybe they should learn a lesson from here - information that you do not control should not be used for authentication. Especially the one that is in its essence public.
Exactly! This is about as secure as having your first dog's name as a password reset hint. I either already know or can simply ask about the birthday, address and mother's maiden name of practically anyone I know.
I've always hated the mother's maiden name security question because my mother kept her maiden name so it's not exactly a hard thing to figure out in my case.
I think that one will go away sooner than later though, because taking a husband's name is becoming less common in a lot of societies.
The lazy way (which is still arguably better than answering truthfully) is to use the same answer for all the security questions. The better way is to treat each answer as another password and encrypt and store the answers somewhere safe.
Realistically how many people outside (or even inside) HN are going to do that? No matter how you spin it, security questions are a very bad "security pattern" in my opinion and we should get rid of them.
The same way as you keep track of any secure password: either with a password manager like 1Password, etc, or else through some Byzantine scheme that you manage yourself.
I use 1Password for this as well, but I recently had a security questions form (can't remember where) that tried to reject random strings because they didn't look like words.
Luckily, 1Password has a 'correct horse battery staple'-generator these days as well.
If it's only 2 bits, you're assuming the attacker already knows that the formula is "Using someone else's information" and that there are only 4 possible people whose information you would use.
Even knowing that you're using a formula is a bit of information. The type of formula is potentially thousands of bits of information. An attacker doesn't know whether it's a cipher, or a code, or something more complex, and only then can they begin figuring out the parameters to that formula.
Pretty sure lots of people use relatives' info. Very, very few use ciphers in their head.
Friend used to have a car with a keycode door lock. He just used 5555 or whatever. I suggested he use the address where the car was parked, or some hash of that. Wouldn't have to remember it! And it would vary some at least.
Well, sure, 8 bits of entropy isn't going to help you much if your password is "password". Those bits only provide the opportunity for randomness. At the end of the day you still have to apply that entropy effectively by picking something that can't be guessed easily. The point is that there are opportunities for people savvy enough to recognize them.
My aim isn't to guard against the answers being guessed, it is to deny the operator of the service asking those questions from gathering accurate data about me that may later be exposed.
Someone then trying to fraudulently use my identity info, or for any kind of socially engineered attack, would lose out.
E.g. calling some financial service provider and trying to get a password reset based on D.O.B, mother's maiden name, or whatever.
Think of those fields as secondary password fields and act accordingly.
Diceware can also be useful for when they need to be spoken on the phone. With the right amount of words (7 or more) it has reasonably good entropy too.
Thank you for answering the security question Mr. Stavros. I'll accept "Bee" as your dog's name. To which offshore bank did you say you wanted to transfer the money ?
> The only thing that is missing is mother's maiden name.
It's extremely unsafe for known distribution of last names. E.g. in leaked db most frequent 12 last names correspond to 10% share of population, and most frequent 50 names "explain" 20% of population.
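The point above (a few dozen surnames covering a fifth of the population) can be quantified. The following is an added example, not code from the thread or from the leak: it computes how many accounts an attacker who simply tries the most common answers would unlock before a lockout, and contrasts Shannon entropy (which looks reassuring) with min-entropy (which is what actually bounds the first guess). The surname distribution is constructed to mirror the stated shares, not taken from the leaked data.

```python
"""Measuring how guessable a knowledge-based answer ("mother's maiden name")
is from its population distribution. Added example for this thread; the
share table is constructed to mimic "top 12 = 10%, top 50 = 20%"."""
from __future__ import annotations

import math


def constructed_surname_shares() -> list[float]:
    """Constructed answer distribution (fractions summing to 1): the 12 most
    common surnames cover 10% of people, the top 50 cover 20%, and the
    remaining 80% is spread thinly over 8000 rare surnames."""
    shares = [0.10 / 12] * 12 + [0.10 / 38] * 38 + [0.80 / 8000] * 8000
    return sorted(shares, reverse=True)


def coverage(shares: list[float], attempts: int) -> float:
    """Fraction of accounts unlocked by always trying the `attempts` most
    common answers, assuming the answer is the only thing checked."""
    return sum(sorted(shares, reverse=True)[:attempts])


def guesses_for_coverage(shares: list[float], target: float) -> int:
    """Smallest number of most-common answers needed to cover `target`."""
    total = 0.0
    for k, share in enumerate(sorted(shares, reverse=True), start=1):
        total += share
        if total >= target - 1e-12:
            return k
    return len(shares)


def shannon_entropy_bits(shares: list[float]) -> float:
    """Average-case entropy: a long tail of rare names inflates this number
    even though the head of the distribution is trivially guessable."""
    return -sum(s * math.log2(s) for s in shares if s > 0.0)


def min_entropy_bits(shares: list[float]) -> float:
    """Worst-case entropy (-log2 of the most likely answer). This bounds a
    guessing attack's first-try success, so it is the figure to design to."""
    return -math.log2(max(shares))


def uniform_pin_coverage(attempts: int, digits: int = 4) -> float:
    """Same coverage metric for a uniformly random numeric PIN, to compare."""
    return attempts / 10 ** digits


def kba_report(shares: list[float], lockout_attempts: int = 5) -> dict[str, float]:
    """Summarise the risk of using this answer as an authentication factor
    when the service allows `lockout_attempts` wrong answers."""
    return {
        "shannon_bits": shannon_entropy_bits(shares),
        "min_entropy_bits": min_entropy_bits(shares),
        "coverage_before_lockout": coverage(shares, lockout_attempts),
        "pin4_coverage_before_lockout": uniform_pin_coverage(lockout_attempts),
        "guesses_for_20pct": guesses_for_coverage(shares, 0.20),
    }


if __name__ == "__main__":
    for key, value in kba_report(constructed_surname_shares()).items():
        print(f"{key:>30}: {value:.4f}")
```

With the constructed shares, five guesses before lockout unlock about 4% of accounts, roughly eighty times what the same five guesses achieve against a random 4-digit PIN, while the Shannon entropy still reads above 12 bits.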
How do companies verify mother's maiden name? I've never used my mother's real maiden name when filling out any kind of account application form and no one has ever batted an eye.
The leak is reported to be from YSG [1], the organization that manages the election registers.
The software used by them was developed by Cybersoft [2]. Cybersoft was part of the system that developed the new identity system in Turkey. The practices used by Cybersoft are reported to be horrible. I know someone who worked on that project (about 15 years ago); reportedly they were really bad, playing games on servers where all the identity data of the citizens is stored. I do also know that any employee who was part of the project had access to the query systems, so it was possible to query the database for all citizens of Turkey. Not sure how much data it revealed, but it revealed the number of people with that name and surname ever born for sure.
Now, I'm not a fan of Erdogan but Cybersoft was developing stuff before Erdogan even got elected. So yes, maybe the government who started to work with Cybersoft was corrupt, maybe the current one is too but let's not just use every single baseless argument to attack Erdogan, it doesn't help anything.
I've been working for Cybersoft for the last 20 years, and I know we have not developed that system, whatever system is in question. We never had contracted work for either the NVI - Nufus Vatandaslik Isleri (General Directorate of Civil Registration and Nationality http://www.nvi.gov.tr/English,En_Html.html), the owner of the data on Turkish citizens, or the YSK - Yuksek Secim Kurulu (Directorate of Elections http://www.ysk.gov.tr/ - they lack content on the English page) the state organizer for elections, and a client of NVI for voter information.
As far as I know, development of the NVI system for "Central Population Management System (MERNİS), Identity Share System and Address Registration System" was contracted to and is still maintained by Kale Yazilim (http://www.kaleyazilim.com.tr/EN/Pages/Haberler.aspx). Likewise the development of the YSK system was contracted to and is still maintained by HAVELSAN (http://www.havelsan.com.tr/ENG/Main/urun/2321/the-supreme-el...). Both projects were contracted when AKP was ruling, though I'm not sure why we are discussing this aspect. If the software leaked information, it is the usual suspect: the Turkish government awards contracts on price-point and the easy way to build cheap software is to forgo testing and quality assurance. As Murphy's law states: "Never forget that your weapon was made by the lowest bidder." You get what you paid for.
As a reference system we developed, check out the General Directorate of Revenues' automation for its 1000+ tax offices and the 2003 ComputerWorld Honors winning Internet Tax Office.
This is the product of self-righteous activism. You'd have to be pretty deluded and starving for attention to think effectively releasing tens of millions of private individuals' complete identification data is justifiable in some way.
Couldn't you say this about every personal data leak ever? I'd say the problem is companies won't take you seriously if you simply say "you have a security hole here". They'll probably report you, maybe fix an immediate bug that covers the exact issue you found and move on.
If they, on the other hand, get thousands of customers complaining and leaving, they'll take security much more seriously in the future. There's also a good chance that affected users will be more careful and proactive about their personal data in the future.
In the immediate, the only thing that can happen, if at all, is for some people to lose their jobs.
I think he is hoping that if the leak is well covered enough by the media, it will be adding oil to the fire of public discontent. Perhaps in a way that would dislodge the current government.
In the end of 199x in Russia a lot of big government databases, incl. individuals' passports, companies' registrations, real estate property data, etc., got leaked and became widely available. It was very convenient: you could immediately verify all the stuff about people and companies you were dealing with, and such an ability is extremely important in an environment where fraud is a normal everyday matter.
Hardly so for Turkey. Important positions in Turkish bureaucracy are being filled by people who have close ties to the ruling party. I guess this is somewhat normal in many countries given that you have some appropriate filters, unfortunately such filters are diminishing every year. Just last week the prime minister announced they would hire 750k long term government employees bypassing the regular procedures and by creating adhoc exams for each position. Regularly Turkey has this nationwide exam called KPSS which you would have to pass to be a government employee, bypassing this exam will even further reduce the government quality. I don't see how people without the necessary qualifications can improve these systems.
It is bad that decision makers can't on their own see that change is needed, but leaks like this could change public opinion, which is what influences politicians and businesses.
I see your point and I might agree with you (didn't make up my mind yet), but how is this different than disclosing someone else's vulnerability with a "hardcoded" date? In some cases, getting from disclosure to a working exploit is trivial.
If this data was so easy to get, any state actor probably had it for years now. Also powerful criminal organisations.
Wasn't the harm potentially done already and this might trigger a change? Maybe now all those banks will not accept whatever data is in this leak as a way to authenticate a customer. In that scenario we would be in a better situation because of the leak.
Luckily there’s no really valuable data, other than personnummer. But i am sure with a little bit of digging it would be super easy, during Gezi police had a pwd like 12345
The important thing with the data is national stats, which is super important commercially. And that is for free now. More spam in the mailbox for everyone.
Obviously, for stalkers, sickos, or pedophiles this is an open source to attack. That is another security concern, because there was no db as in Sweden where you can access someone’s address this easy
> The important thing with the data is national stats
Or just playing with data, xkcd.com/1409 :)
```sql
select first, count(*) from citizen group by first order by count(*) DESC limit 10;
```

```
  first   |  count
----------+---------
 MEHMET   | 1172984
 FATMA    | 1154754
 MUSTAFA  |  898672
 AYSE     |  893053
 EMINE    |  756675
 AHMET    |  719391
 ALI      |  663136
 HATICE   |  659000
 HUSEYIN  |  521240
 HASAN    |  487906
```
I don't know about other countries but in the US, there are things called Whitepages which list names, addresses and phone numbers of the majority of people/businesses.
Address data is pretty worthless considering how many places you can get such data.
It's 2016 -- forget the Whitepages. Most people publicly update all of this information everyday, multiple times per day, through their social media accounts.
People do opt in. People outside of the tech game don't think of these as making themselves more vulnerable -- they only see convenience (or just blindly click yes to anything).
I had a Twitter app (Tweetcaster?) that had a "show local tweets" option, and was amazed by how I could determine the individual dorm rooms tweets were coming from on a nearby college campus.
Some readers have complained about this data being posted here. That's reasonable, but so is the community discussion. So we changed the URL from http://185.100.87.84/ to the least bad news article we could google. If someone has a better URL, we can change it again.
Taking it out of the story link was the important thing. At that point HN was no longer broadcasting it.
Not to include it the comment, especially since we always include the previous url in a comment, would have invited accusations of suppression, which would only call more attention to it.
Only a matter of time before the whole US SS/IRS database is dumped into the public domain by political hackers too.
Pieces of it have been liberated by sloppy corporations and medical databases. But not the whole thing from the government.
Wow I didn't know you put IPs directly in there. If so, it returns back the ownership info of the IP from ARIN. Not quite the same as getting the contact info for a domain name but still quite nifty. Thanks!
Checked my girlfriend's family. Some of them are army officials and their info is in there as well. With that info you could actually do some serious damage.
Also, based on address info we know this dump is 2-6 years old.
Does the publisher of this leak really think the other politicians are better at keeping private citizens' information private? S/he must not have heard of Clinton's own email server leak issue. Yeah, yeah, it's a cliché, but it shows exactly how much they care about security.
Clinton's email server didn't leak anything, so far as we know. The emails you've read have been released by the State Department as public government records.
A criminal thief putting personal data online and giving political lessons, shame on you really.
When your true goals are phishing, criminal activities, spamming to rob innocent people, at least be honest and do not make such grandiose statements. /rant
Yeah, but a simple query can add a column, copy the data while parsing it into a native date, and then drop the original column. It can all be in a transaction too, so that if there is a failure nothing is lost.
I was mainly referring to the high and mighty attitude about fixing their broken db. If you're gonna fix it, it's all or nothing in my book.
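The migration the comment above describes, written out as an added example (not code from the commenter or from the leaked system): add a typed column, copy the text dates into it while parsing them, drop the text column, all inside one transaction so that a single unparsable value rolls everything back. SQLite stands in for whatever engine the real system used, and the `citizen` table, its columns and the sample rows are made up for the example.

```python
import sqlite3
from datetime import datetime

# Constructed sample rows for a hypothetical "citizen" table whose birth dates
# were stored as free text in day/month/year form.  Names and schema are made up
# for this example; SQLite stands in for whatever engine the real system used.
ROWS_OK = [("MEHMET", "01/02/1980"), ("FATMA", "17/11/1975"), ("AYSE", "30/06/1988")]
ROWS_BAD = ROWS_OK + [("ALI", "31/02/1990")]  # 31 February: cannot be parsed


def fresh_db(rows):
    """New in-memory database with the legacy text column populated."""
    # isolation_level=None disables the sqlite3 module's implicit BEGIN, so the
    # transaction boundaries below are exactly the ones written here.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE citizen (id INTEGER PRIMARY KEY, first TEXT, dob_text TEXT)")
    conn.executemany("INSERT INTO citizen (first, dob_text) VALUES (?, ?)", rows)
    return conn


def parse_dob(text):
    """d/m/Y text -> ISO-8601 'YYYY-MM-DD'; raises ValueError on garbage."""
    return datetime.strptime(text, "%d/%m/%Y").date().isoformat()


def migrate_dob(conn):
    """Add a typed column, copy parsed dates into it, drop the text column.

    All three steps run inside one transaction.  If any value fails to parse,
    ROLLBACK undoes the schema change and every copied value, so the table is
    left exactly as it was.  Returns True on commit, False on rollback.
    """
    conn.execute("BEGIN")
    try:
        conn.execute("ALTER TABLE citizen ADD COLUMN dob TEXT")  # ISO text sorts correctly
        rows = conn.execute("SELECT id, dob_text FROM citizen").fetchall()
        for rid, text in rows:
            conn.execute("UPDATE citizen SET dob = ? WHERE id = ?", (parse_dob(text), rid))
        if sqlite3.sqlite_version_info >= (3, 35, 0):
            conn.execute("ALTER TABLE citizen DROP COLUMN dob_text")
        else:
            # Older SQLite has no DROP COLUMN: rebuild the table without it.
            conn.execute("CREATE TABLE citizen_new (id INTEGER PRIMARY KEY, first TEXT, dob TEXT)")
            conn.execute("INSERT INTO citizen_new SELECT id, first, dob FROM citizen")
            conn.execute("DROP TABLE citizen")
            conn.execute("ALTER TABLE citizen_new RENAME TO citizen")
        conn.execute("COMMIT")
        return True
    except (ValueError, sqlite3.Error):
        conn.execute("ROLLBACK")
        return False


def columns(conn):
    """Column names of the citizen table, in declaration order."""
    return [row[1] for row in conn.execute("PRAGMA table_info(citizen)")]


def table_rows(conn):
    """Every row, all columns, in id order."""
    return conn.execute("SELECT * FROM citizen ORDER BY id").fetchall()


if __name__ == "__main__":
    good = fresh_db(ROWS_OK)
    print("clean data:  ", migrate_dob(good), columns(good), table_rows(good))
    bad = fresh_db(ROWS_BAD)
    print("one bad date:", migrate_dob(bad), columns(bad), table_rows(bad))
```

The second run is the point: one impossible date aborts the whole migration and the table keeps its original columns and values, rather than ending up half-converted with a dangling empty column.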
Interesting how what once was basic know-how (don't use your real name everywhere on the web) is now almost criminal, as Facebook does its best to enforce, legally and otherwise, real accounts, and way too many sites use Facebook as a comments system / login etc. or otherwise require you to sign up with a full name.
I do not know, but strongly suspect, that my absence from Facebook means I'm rarely mentioned there. Certainly I'm mentioned less than if I had an account.
Even if I am mentioned there, Zuckerberg & friends don't have any account to cross-reference to target me with ads, etc.
So, my absence from Facebook is nonetheless a significant enhancement of my privacy.
It is worth noting that Facebook maintains "ghost" profiles for people who aren't members, but of whom they are aware. I'm having trouble finding a reference, but I remember it came out that when your friends ("friends") give Facebook their email contacts so that they can locate other people using their service, Facebook remembers contacts which do not yet hold accounts. I speculate this information wouldn't be valuable if they didn't attempt to infer that particular posts mentioned these non-member profiles.
It's too late for that. Criminals have access to it already. I would argue we should indeed share it around so that at least average Turkish citizens are aware their data has been stolen.
It's interesting that the data doesn't have values with the Turkish dotted or dotless I, ie the one in İstanbul, İbrahim, or Diyarbakır. Seems pretty important to store people's names correctly.
Then again -- if they can't figure out how to index their databases... then most likely they can't figure out how to do locales and character sets properly, either.
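To make the locale point concrete, here is an added example (not from the commenter) of why Turkish names cannot be handled with the default case mapping and cannot be recovered once folded to plain ASCII. Python's str.upper()/str.lower() use the locale-independent Unicode default mapping; Turkish needs i -> İ (U+0130) and I -> ı (U+0131). The names and words used as input are constructed sample data.

```python
# Python's str.upper()/str.lower() apply the locale-independent Unicode default
# case mapping.  Turkish is the well-known exception: dotted i (U+0069) uppercases
# to İ (U+0130) and dotless ı (U+0131) uppercases to plain I (U+0049), so the
# default mapping silently produces wrong names.  All inputs below are constructed
# sample data for this example.

def tr_upper(s: str) -> str:
    """Uppercase with Turkish casing rules (i -> İ, ı -> I)."""
    return s.replace("i", "İ").upper()   # "ı".upper() is already "I"


def tr_lower(s: str) -> str:
    """Lowercase with Turkish casing rules (I -> ı, İ -> i)."""
    # Map İ first: the default mapping turns it into "i" + U+0307 COMBINING DOT ABOVE,
    # which is two code points and breaks equality comparisons.
    return s.replace("İ", "i").replace("I", "ı").lower()


def ascii_fold(s: str) -> str:
    """What a system that only stores A-Z does: uppercase, then drop the dot.
    İ and I land on the same letter, so the original spelling is gone for good."""
    return tr_upper(s).replace("İ", "I")


def default_vs_turkish(name: str) -> tuple:
    """(what str.upper() gives, what the Turkish rules give) for one name."""
    return (name.upper(), tr_upper(name))


if __name__ == "__main__":
    for name in ("İstanbul", "istanbul", "İbrahim", "Diyarbakır"):
        print(f"{name:12} default={name.upper():12} turkish={tr_upper(name)}")
    # Two different words collapse to one stored value...
    print(ascii_fold("kır"), ascii_fold("kir"))                       # KIR KIR
    # ...and lowercasing the stored value cannot tell them apart again.
    print(tr_lower(ascii_fold("kır")), tr_lower(ascii_fold("kir")))   # kır kır
    # The default lowercase of İ is not even a single code point:
    print(len("DİYARBAKIR".lower()), "DİYARBAKIR".lower() == "diyarbakır")
```

The last two lines are the part that matters for a dump like this one: a database that only ever stored ASCII uppercase has discarded information, and no amount of later cleverness in the display layer can put the dots back in the right places.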
I mean, I suppose skipping a domain means one less company that knows your personal information, but doesn't this mean Voxility[1] can lookup the customer for this IP?
A domain adds another point of failure (if we want to take you down, we can just block the domain instead of the server). As others have pointed out, the abuse report for that host is quite terrible, so it might take a while to get taken down.
Also, a domain name costs money, and you get little use out of it (just paid $20 for a domain that gets taken offline in a few days). And even if there were a domain name, what should it be? Turkish-citizenship-dump.com? What value does it add if the site only sticks around for a few days?
A user named testing123123 wrote about the dump on ##crypto, on Freenode. He claimed to be the one who dumped the database. It happened yesterday, on Sunday.
Where others see a weakness, I see an opportunity: that's how we could send traffic tickets straight to policemen's doors.
Enjoy watching "Rémi GAILLARD vs POLICE"
http://www.youtube.com/watch?v=bJMLS4RDAzk
If you were a voter in 2010, as far as I know. But I don't know if it contains foreign home addresses. Some people say that it was fetched from ysk.gov.tr . Normally MERNİS has more detailed database, so they say that it cannot be MERNİS. MERNİS stands for Central Citizenship Administration Center, it contains even pre-Turkish Republic "citizens", like from Ottoman Empire. YSK stands for Supreme Electoral Council. A friend of mine had access to MERNİS, he once said that the leaked data is not directly from MERNİS.
If a structural engineer builds a bridge that collapses and kills someone, they are liable in one way or another. What if the same were applied to software engineering? That would sure change how seriously you take PII.
New attack vectors come out every day. The one they used may not even have been related to THE application that someone built for this. If you built something 4 years ago for the gov't to use and they didn't keep the server patched, how is that your fault as a software engineer?
I wouldn't put it past Trump to encourage radical christian violence, whether that would be terrorism is in the eye of the beholder.
Erdoğan certainly is using the situation to crack down on national opposition and get as many separatists killed as possible while the rest of the world is focusing on the Syrian civil war and its exports of violence. That's simply realpolitik though, not ideology.
That said, the tone and message accompanying this leak is ridiculous.
This is a hoax. I looked at the torrent file, the hash for every part is 7d76d48d64d7ac5411d714a4bb83f37e3e5b8df6, which is the sha1sum of 2MiB of zero bytes. I told Transmission to verify local data, and it now thinks it has the whole file.
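The check described in the comment above, as an added example (not code from the commenter or from whoever published the torrent): decode the .torrent, split the `pieces` field into 20-byte SHA-1 values, and compare each against the hash of an all-zero block of that piece's length. A torrent whose every piece passes that test is "complete" the moment a client verifies an empty sparse file of the right size, which is exactly the Transmission behaviour reported. The claimed hash and 2 MiB piece length are taken from the comment; the two sample torrents, their file name and the tracker URL are constructed for the example.

```python
import hashlib

# Claimed by the comment above: every piece hash in the torrent is this value,
# said to be the SHA-1 of a 2 MiB block of zero bytes.  Recompute rather than trust.
CLAIMED_PIECE_HASH = "7d76d48d64d7ac5411d714a4bb83f37e3e5b8df6"
CLAIMED_PIECE_LENGTH = 2 * 1024 * 1024


def bdecode(data: bytes):
    """Minimal bencode decoder (ints, byte strings, lists, dicts); enough for .torrent files."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":
            d, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                d[key], i = parse(i)
            return d, i + 1
        colon = data.index(b":", i)          # byte string: <len>:<bytes>
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def bencode(value) -> bytes:
    """Inverse of bdecode; used here only to construct the sample torrents."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):   # keys must be bytes and sorted, per the spec
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(value.items())) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def zero_piece_sha1(length: int) -> str:
    """SHA-1 of `length` zero bytes: the piece hash of a never-written sparse file."""
    return hashlib.sha1(bytes(length)).hexdigest()


def zero_filled_pieces(info: dict) -> list:
    """One flag per piece: True if its hash equals that of an all-zero block of the
    piece's length.  Only the final piece may be shorter than 'piece length'."""
    piece_len = info[b"piece length"]
    total = info[b"length"] if b"length" in info else sum(f[b"length"] for f in info[b"files"])
    raw = info[b"pieces"]
    if len(raw) % 20:
        raise ValueError("pieces field is not a multiple of 20 bytes")
    flags = []
    for idx in range(len(raw) // 20):
        this_len = min(piece_len, total - idx * piece_len)
        flags.append(raw[idx * 20:(idx + 1) * 20].hex() == zero_piece_sha1(this_len))
    return flags


def looks_like_hoax(torrent: bytes) -> bool:
    """True when every piece hashes to zeros, i.e. the torrent describes an empty file."""
    return all(zero_filled_pieces(bdecode(torrent)[b"info"]))


def make_torrent(name: bytes, piece_len: int, total: int, piece_hashes_hex: list) -> bytes:
    return bencode({
        b"announce": b"http://tracker.example.invalid/announce",   # placeholder URL
        b"info": {b"name": name, b"piece length": piece_len, b"length": total,
                  b"pieces": bytes.fromhex("".join(piece_hashes_hex))},
    })


# Constructed sample torrents: three 16 KiB pieces covering a 40 000-byte "file".
PIECE_LEN, TOTAL = 16384, 40000
LAST_LEN = TOTAL - 2 * PIECE_LEN   # 7232 bytes in the short final piece
HOAX_TORRENT = make_torrent(b"dump.tar", PIECE_LEN, TOTAL,
    [zero_piece_sha1(PIECE_LEN), zero_piece_sha1(PIECE_LEN), zero_piece_sha1(LAST_LEN)])
GENUINE_TORRENT = make_torrent(b"dump.tar", PIECE_LEN, TOTAL,
    [hashlib.sha1(b"A" * PIECE_LEN).hexdigest(), hashlib.sha1(b"B" * PIECE_LEN).hexdigest(),
     hashlib.sha1(b"C" * LAST_LEN).hexdigest()])


if __name__ == "__main__":
    print("constructed hoax torrent:   ", looks_like_hoax(HOAX_TORRENT))      # True
    print("constructed genuine torrent:", looks_like_hoax(GENUINE_TORRENT))   # False
    print("claimed hash is SHA-1 of 2 MiB of zeros:",
          zero_piece_sha1(CLAIMED_PIECE_LENGTH) == CLAIMED_PIECE_HASH)
```

Running it against the real .torrent would just mean reading the file bytes and passing them to looks_like_hoax(); the last print recomputes the 2 MiB zero-block hash so the reader does not have to take the comment's figure on trust.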
On the behalf of all Kurds worldwide, I would like to congratulate the wonderful people who did this hack and released the information. You guys are just like those who opposed Nazi Germany. We Kurds shall be forever grateful to you.
To any Turk that may read this: Ne Mutlu Kürdüm Diyene (Happy is he who says I am a Kurd :)
I definitely agree. If only a single cryptographer had been part of the equation, no one would have had a reason to write “Bit shifting isn't encryption”. Looking at my comment again, I guess it was simply too short to be understood as a cynical “read it with a smile” kind of thing. Just to be sure no one gets me wrong: I surely did not want to hype any of the bad guys, nor make fun of the victims… the innocent Turkish citizens involved. Yet I can’t help shaking my head that a Turkish governmental agency was stupid enough to use a near-to-“xor-by-one” snake-oil crypto thingy instead of well-vetted and security-proven cryptographic algorithms and protocols. If they had, there wouldn’t be a problem – just a blob of encrypted data. Which is why I said: “cryptographers 1 – Idiots 0”… which was merely meant to be interpreted as “roll your own crypto, eat your own poison – no cryptographer would have stepped into the stupid pitfall of using home-brew toys instead of well-vetted algos & protocols”. Hope that somewhat explains what I meant with my comment. If my cynical comment was misunderstood due to its minimalism – my bad. Downvotes correctly punished me for my comment being too short to be understood at first glimpse – next time, I’ll be sure to be clearer.
You think that if it is not getting posted on HN then nobody will notice it? What would you qualify as an HN-worthy submission? I did not read the URL, just read the comments, but it was quite entertaining. HN is not responsible for the content of the submission URLs, but it is a great place to discuss the subject with other people.
The problem was the creation of the list and the subsequent negligent protection of the data, not its being passed to HN after it had been published to the internet.
It's like the Ashley Madison leak - Hacker News discussed it happily as well, even though that was a complete dox list of individuals.
No, it is not similar to Ashley Madison nor to the Panama offshore accounts.
It is similar to me dumping all HN users' personal IDs and addresses as well as birth certificates. Or similar to dumping all Irish citizens' driving licenses, addresses and ID info and linking them here on top.
I have seen the HN crowd being careful about a single person's privacy just to keep his mood up.
HN did not do that though. Again, we are talking about the dump, not executing it. Just because you are not talking about something bad, it still exists. I got the Turkish page on at least 3 different channels, yet got the most meaningful comments on HN.