 It's always amazed me that ID.me, which you have to use in order to interact w/ the IRS online these days, has a top level domain from the country of Montenegro. Ublock Origin says they're injecting tracking links from Italy's TLD when you login at the irs.gov website. What's next? Cookies from Colombia? AI from Anguilla? 78 comments
 @eb @briankrebs and on top of that Montenegrin IT capabilities can be summed up to a fact that we had major cyberattack in ‘22 that wiped out most of gov services and some of them are not restored as for today :) Had to ask US for a help and so on. So yeah, it’s highly unlikely to be ME operation  @briankrebs @alex I’ve received private disclosure of a potential vulnerability that I have independently verified as still active. I would disclose it as we are a whole year past the responsible disclosure period, but it’s the state of Georgia and incompetent governments don’t take too kindly to this: https://www.theverge.com/2021/10/14/22726866/missouri-governor-department-elementary-secondary-education-ssn-vulnerability-disclosure @eb @briankrebs I’ve seen another subtle hack recently: I suppose CMS haven’t been patched, so all the content on a website had few words in article to be made in links that also point to some shady pharma site. I wonder if it’s possible to check backlinks from Georgia’s site. But referrer check is 👌. So simple, much efficient! @briankrebs @eb oh yeah, there a lot of horror going on and some gov services don’t even have TLS :) But for what it worth .me is (or was, jury is literally still out on this matter: https://m.cdm.me/english/procedure-for-me-domain-starts-from-very-beginning/) operated by joint enterprise with GoDaddy and Identity Digital @briankrebs @eb but I suppose the fact that who operates .me is being disputed doesn’t make you feel any safer 😬 @briankrebs I always felt id [dot] me was one of the worst technology choices ever made by the government even before reading this, but wow @briankrebs While the ccTLDs that make for fun expansions are fun; USGOV entities should never be using them. They should always use .gov exclusively. (or .mil as appropriate.) @briankrebs isn’t login.gov supposed to perform this exact task of providing SSO for government services?? Why are they contracting auth when they have in-house capabilities? Which congresscritters are enriching their tech friends? Edit: found this article from 2 years ago - nothing seem to have changed since then @briankrebs Are Colombian cookies actually baked treats, or slang for something else entirely? @briankrebs Yeah it's amazing, but I'm not sure you'd want anything injected from Montenegro, or have code origin limited to that of the TLD @briankrebs They are also used as an option to verify your identity for VA benefits. So they also have a solid idea of who was in the military or worked for the government at a fine scale. @briankrebs my guess is that US intelligence agencies are prevented from spying on communications that begin and end in the USA, but if they go outside of the US, they can be legally monitored.  @briankrebs how is that not like id.irs.gov.us ? Oh, I forgot, america-centrism so .edu, .gov & .mil are US-centric, which is really a pain,in the ass when U.S. corporations refuse to accept that all students in the world have an email under .edu ...  Welcome to the Great Outsourcing of Public Service Information Technology Governance to Private Vendors... Without beating up on the IRS IT folk (IMHO they have phenomenal people over there trying to change things), this is a story I see every day as a Public CIO. Agencies hand over the keys and accountability for technology solutions to vendors with very little in-house SME or time to dig into what they actually do. Then we act surprised when we find that they do these things @NoRomBasic @briankrebs public funds enriching private pockets while the exact same private pockets yell “government slow! incompetent! more outsourcing!” This. Don't usually do a plug on the Masto but if you haven't read [RE]CODING <AMERICA/> I would highly recommend it I don't want to paint the landscape as a B&W one (it isn't) but there are large portions of goverment where the relationship with tech vendors is an extrodinarily unhealthy one, where there truly is no strategic IT function (for the reasons you mention and more) and the vendors who are entrenched in that vertical are highly motivated to keep it that way  To be clear, I have nothing against private companies or citizens using whatever TLD they want. But we need to stop doing this on important .gov stuff. And I would consider the IRS to easily qualify there. @tychotithonus @briankrebs you want the government to provide services? that's *socialism* /sarcasm oh god please recognize the sarcasm  i point you to the history of the various IRS software upgrades, the various attempts to update the patent office software, etc. that's not even considering the usual govt turf/budget battles, lack of enough GS folks, lobbyists muddying most efforts to clean things up. @tychotithonus @briankrebs You can't have the government in housing work when there are so many private contractors that can do it for at least 20% more, thats communism (this is sarcastic but it does seem to be how it works for a lot of things) How about this? Lawmakers pass a law (gasp!) that says if you're a private company providing services to the entire populace on behalf of .gov, your site will use com/net/org only when it is interacting with the government. Full stop. Probably even the extreme wingnuts in the GOP could get behind this, in a kind of "buy American" way.  @briankrebs US Congress passing laws that universally benefit society? Get outta here with this communist propaganda @briankrebs related angry old man yelling at clouds: why does every government web site ask if they can add marketing cookies or do I just want the ones necessary for this site?  Why? Because laws were passed that made them. They wouldn't without the laws. Round and round we'll go.. @itty53 @briankrebs How about just using cookies needed for the site to work? Not trying to sell our data to private companies while providing government services? @itty53 @aqunt @briankrebs The question is why a government site is trying to set marketing cookies, though. @briankrebs What about appropriate country TLDs? (ie, .us for companies providing services to US government + people) @max No way in hell I would encourage the further use of .us until someone in charge at the GSA or whatever started giving a damn about how the tld is completely overrun with abuse, phishing and spam domains -- in near total contravention to the tld's charter, I might add. https://krebsonsecurity.com/2023/09/why-is-us-being-used-to-phish-so-many-of-us/  @briankrebs yeah. A representative. But then again how many bills are drafted by lobbyists and just signed by representatives  @briankrebs I like this, but there might need to be some kind of domain registration price regulation included too. @briankrebs If the company is operating out of a Balkan nation, does making it use a .com domain make it any safer?  @briankrebs  @FritzAdalis @briankrebs ID.me can eat a dick, they refuse to verify my identity. Trying to lock down my ID with the IRS because of my PMI being all over the dark web, and I just can't. They refuse to work with me, it fucking sucks. @briankrebs So you basicly say, governments may not use an external mail/mail tracking service like mailchimp, postmark (what this is) and so on. Not that I am on the other side, but how should a normal user (the stuff at that government) know whats going on behind the scenes? They just use the typical plugin. @briankrebs Alternative idea… a federal CA. All government and proxy sites must use it. @briankrebs Rather than a lock icon for these certs for https in the browser, instead have a lock with… just spitballing here… an Eagle shooting off fireworks while gripping a beer can. Or a flag. Your choice. @briankrebs It really should. This is how most scams in third world countries start. 'SMSes like Click on this link to pay your tax/insurance, and the link is of some xyz@shop xyz@corner xyz@taxoffice site.' Make it a law sooooon, Like before some foreign lobby gets to the GOP wingnuts. @briankrebs I can see it now, generic system services company has to buy .us, .ie, .uk, .es, .ca, .de, .fr, etc, and use the correct domain for each country. (.com is also banned in the EU for being under US control)  @briankrebs Sure, it's not a problem....right now. But in 5 years, if that company goes under and another one moves in, even with 3 years time warning ahead, some random person finds an old document via a search engine that talks about this URL. If it's a .gov address, no prob, 301. But what if it's a domain you just...don't control anymore? And FWIW, I generally agree. I consider the public/private partnerships with technology vendors to be a critical part of my technology ecosystem. My agency could not operate without them. But there is a systemic issue (and TL;DR for a toot) where so many agencies lack the people in the desperately needed roles to check these things and ask these questions. All too often it is a non-IT SME doing the RFP, with the vendor saying "trust us" with regards to cyber. yeah... something.irs.gov sure seems like the more correct solution... lots more control of DNSSEC, registry/registrars, auth name servers, etc.  @briankrebs I really wish everyone in general, and government institutions in particular, would take to heart the hierarchical nature of domains. (Putting aside the preferential nature of .gov being US only, and not for all government) Give us irs.federal.gov, legislature.wa.gov, etc! I should be able to trust at a glance that something is the product of my state government based on the domain. @briankrebs Realistically, the government wouldn't be using anything but the .gov tld to avoid trickery.  @briankrebs Whatever future decision the .gov's make will no doubt be announced on their existing 3rd party social media dumpster fire account owned by a totally non-biased stable and honest genius.. :-/ @briankrebs it’s not just the IRS. Somehow, even the VA uses them for authentication and verification of VA benefit entitlement. It’s a shitshow.    As they freak out about China all the usgov websites are loaded with malware because our leaders are in their 80's and all their advisers and underlings are lobbyists on the payroll of any and every dark money slush fund  @briankrebs Did they have a proper cookie warning? Italy is a GDPR country so if the cookie really comes from something italy there should be a GDPR warning. @mcfly far as I can tell they're just using a trendy tracking service whose domain ends in .it ("postmark it"). @briankrebs The domain postmark.it is for sale. Should i worry? Or maybe try to buy it? postmark.it seem to be hosted in canada....  @briankrebs I spent more than an hour trying to get in touch with customer service with ID.me recently. I needed a replacement card but couldn’t order one on the automated system without my card number. Sorry not sorry, but if my taxes are paying for a government system, then I deserve being able to talk to my government about it.   I'm sure you've done your due diligence, but I'd find a different way to log into the IRS. They can't even answer a phone or even discuss the problem on their Facebook timeline. When I had problems, they acted like a company with 3 employees and only one employee worked in a part time position. That employee was excellent at telling me they'd look into the problem and call me back. ID.me never called me back.  @briankrebs I propose a law that bars third party data brokers from any site or interaction which directly or indirectly requires government ID per law. KYC and tax are two examples. Any related data should be tainted as "fruit of the ID Tree" and restricted from outside the authority collecting it. @briankrebs What's worse is that this is for a US government website. You would think they would have access to their own domain names or something. |
Gregory's Server
@briankrebs The US is in a position of power where I don't think a country would consider hijacking domains it uses. Not to defend this, but