BrianKrebs

It's always amazed me that ID.me, which you have to use in order to interact w/ the IRS online these days, has a top level domain from the country of Montenegro. uBlock Origin says they're injecting tracking links from Italy's TLD when you login at the irs.gov website.

What's next? Cookies from Colombia? AI from Anguilla?

78 comments
Evan Boehs

@briankrebs The US is in a position of power where I don't think a country would consider hijacking domains it uses. Not to defend this, but

yopp

@eb @briankrebs and on top of that Montenegrin IT capabilities can be summed up by the fact that we had a major cyberattack in ‘22 that wiped out most of gov services and some of them are not restored as of today :) Had to ask the US for help and so on. So yeah, it’s highly unlikely to be a ME operation

BrianKrebs

@alex @eb IDK anything about Montenegrin IT capabilities, so I'll take your word for it. But it's worth pointing out that poorly secured or maintained IT resources can be commandeered to do crazy stuff. So your statement fills me with more dread. Thank you.

Evan Boehs

@briankrebs @alex I’ve received private disclosure of a potential vulnerability that I have independently verified as still active. I would disclose it as we are a whole year past the responsible disclosure period, but it’s the state of Georgia and incompetent governments don’t take too kindly to this: theverge.com/2021/10/14/227268

yopp

@eb @briankrebs I’ve seen another subtle hack recently: I suppose the CMS hadn’t been patched, so across the whole website a few words in each article had been turned into links that point to some shady pharma site. I wonder if it’s possible to check backlinks from Georgia’s site. But the referrer check is 👌. So simple, much efficient!

yopp

@briankrebs @eb oh yeah, there a lot of horror going on and some gov services don’t even have TLS :)

But for what it’s worth .me is (or was, jury is literally still out on this matter: m.cdm.me/english/procedure-for) operated by a joint enterprise with GoDaddy and Identity Digital

yopp

@briankrebs @eb but I suppose the fact that who operates .me is being disputed doesn’t make you feel any safer 😬

Manfred

@briankrebs I always felt id [dot] me was one of the worst technology choices ever made by the government even before reading this, but wow

CharonPDX

@briankrebs While the ccTLDs that make for fun expansions are fun; USGOV entities should never be using them. They should always use .gov exclusively. (or .mil as appropriate.)

James Wu

@briankrebs isn’t login.gov supposed to perform this exact task of providing SSO for government services?? Why are they contracting auth when they have in-house capabilities? Which congresscritters are enriching their tech friends?

Edit: found this article from 2 years ago - nothing seem to have changed since then
theverge.com/2022/2/22/2294610

Rick Hunter

@briankrebs Are Colombian cookies actually baked treats, or slang for something else entirely?

jdrch 🇺🇦

@briankrebs Yeah it's amazing, but I'm not sure you'd want anything injected from Montenegro, or have code origin limited to that of the TLD

Jeremy Tayco

@briankrebs They are also used as an option to verify your identity for VA benefits. So they also have a solid idea of who was in the military or worked for the government at a fine scale.

MatthewChat

@briankrebs my guess is that US intelligence agencies are prevented from spying on communications that begin and end in the USA, but if they go outside of the US, they can be legally monitored.

Kevin Karhan

@briankrebs how is that not like id.irs.gov.us ?

Oh, I forgot, america-centrism so .edu, .gov & .mil are US-centric, which is really a pain in the ass when U.S. corporations refuse to accept that all students in the world have an email under .edu ...

Michael Kohlman

@briankrebs

Welcome to the Great Outsourcing of Public Service Information Technology Governance to Private Vendors...

Without beating up on the IRS IT folk (IMHO they have phenomenal people over there trying to change things), this is a story I see every day as a Public CIO. Agencies hand over the keys and accountability for technology solutions to vendors with very little in-house SME or time to dig into what they actually do. Then we act surprised when we find that they do these things

James Wu

@NoRomBasic @briankrebs public funds enriching private pockets while the exact same private pockets yell “government slow! incompetent! more outsourcing!”

Michael Kohlman

@analogist @briankrebs

This.

Don't usually do a plug on the Masto but if you haven't read [RE]CODING <AMERICA/> I would highly recommend it

I don't want to paint the landscape as a B&W one (it isn't) but there are large portions of government where the relationship with tech vendors is an extraordinarily unhealthy one, where there truly is no strategic IT function (for the reasons you mention and more) and the vendors who are entrenched in that vertical are highly motivated to keep it that way

BrianKrebs

To be clear, I have nothing against private companies or citizens using whatever TLD they want. But we need to stop doing this on important .gov stuff. And I would consider the IRS to easily qualify there.

Royce Williams

@briankrebs I'm also mystified why they didn't just extend the capabilities of login.gov to cover the "check their driver's license" aspects of ID.me, and keep the entire thing in house.

login.gov's design and UX is thoughtfully, expertly executed, is vastly superior to ID.me, and is already under .gov and championed by 18F.

But instead of pushing login.gov everywhere (which was the original plan), ID.me materialized and pushed its way into IRS and pay.gov in a way that seemed weirdly pre-emptive of the entire login.gov effort.

Paul D. Ouderkirk

@tychotithonus @briankrebs you want the government to provide services? that's *socialism*

/sarcasm oh god please recognize the sarcasm

Paul_IPv6

@tychotithonus @briankrebs

i point you to the history of the various IRS software upgrades, the various attempts to update the patent office software, etc.

that's not even considering the usual govt turf/budget battles, lack of enough GS folks, lobbyists muddying most efforts to clean things up.

AJ

@tychotithonus @briankrebs You can't have the government in-housing work when there are so many private contractors that can do it for at least 20% more, that's communism (this is sarcastic but it does seem to be how it works for a lot of things)

BrianKrebs

How about this? Lawmakers pass a law (gasp!) that says if you're a private company providing services to the entire populace on behalf of .gov, your site will use com/net/org only when it is interacting with the government. Full stop.

Probably even the extreme wingnuts in the GOP could get behind this, in a kind of "buy American" way.

Marcus Hutchins :verified:

@briankrebs US Congress passing laws that universally benefit society? Get outta here with this communist propaganda

aqunt

@briankrebs related angry old man yelling at clouds: why does every government web site ask if they can add marketing cookies or do I just want the ones necessary for this site?

Theodore Painsworth

@aqunt @briankrebs

Why? Because laws were passed that made them.

They wouldn't without the laws.

Round and round we'll go..

aqunt

@itty53 @briankrebs How about just using cookies needed for the site to work? Not trying to sell our data to private companies while providing government services?

Zimmie

@itty53 @aqunt @briankrebs The question is why a government site is trying to set marketing cookies, though.

Max Burke 🇺🇦

@briankrebs What about appropriate country TLDs? (ie, .us for companies providing services to US government + people)

BrianKrebs

@max No way in hell I would encourage the further use of .us until someone in charge at the GSA or whatever started giving a damn about how the tld is completely overrun with abuse, phishing and spam domains -- in near total contravention to the tld's charter, I might add.

krebsonsecurity.com/2023/09/wh

Allan Chow

@briankrebs name one representative that you're confident you'd be able to pitch this to

Allan Chow

@briankrebs yeah. A representative. But then again how many bills are drafted by lobbyists and just signed by representatives

Allan Chow

@briankrebs oh man don't put effort into this that would make me feel bad

royal

@briankrebs I like this, but there might need to be some kind of domain registration price regulation included too.

GMcGath

@briankrebs If the company is operating out of a Balkan nation, does making it use a .com domain make it any safer?

Fritz Adalis

@briankrebs
No, make them use .gov for their gov operations. Or something restricted like edu.

The Psychotic Network Ferret

@FritzAdalis @briankrebs ID.me can eat a dick, they refuse to verify my identity. Trying to lock down my ID with the IRS because of my PMI being all over the dark web, and I just can't. They refuse to work with me, it fucking sucks.

Lindworm

@briankrebs So you basically say governments may not use an external mail/mail tracking service like Mailchimp, Postmark (what this is) and so on. Not that I am on the other side, but how should a normal user (the staff at that government) know what's going on behind the scenes? They just use the typical plugin.

Timothy Jasionowski

@briankrebs Alternative idea… a federal CA. All government and proxy sites must use it.

Timothy Jasionowski

@briankrebs Rather than a lock icon for these certs for https in the browser, instead have a lock with… just spitballing here… an Eagle shooting off fireworks while gripping a beer can. Or a flag. Your choice.

the_afflicted11

@briankrebs It really should. This is how most scams in third world countries start. 'SMSes like Click on this link to pay your tax/insurance, and the link is of some xyz@shop xyz@corner xyz@taxoffice site.'

Make it a law sooooon, Like before some foreign lobby gets to the GOP wingnuts.

John Kristoff

@briankrebs I assume you're half-joking.

But in case not, this will never happen. While those three registry operations are all US-controlled companies, two of which being Verisign, there are numerous registrars for those TLDs located all over the world. Do you also stipulate US-only registrars too? Which ones if so?

Then what about all the other TLDs that are effectively in US control? Any of those OK? Why or why not?

How does this square with all the other goods that may not be entirely US-sourced? Placing a name under a certain TLD has potential consequences, and some are potentially problematic, but it may be a lot more complicated than that.

dango🍡:02lurk:

@briankrebs I can see it now, generic system services company has to buy .us, .ie, .uk, .es, .ca, .de, .fr, etc, and use the correct domain for each country. (.com is also banned in the EU for being under US control)

Oggie

@briankrebs
The nontrivial factor which I know you're aware of but should really be mentioned, is link rot.

Sure, it's not a problem....right now. But in 5 years, if that company goes under and another one moves in, even with 3 years time warning ahead, some random person finds an old document via a search engine that talks about this URL. If it's a .gov address, no prob, 301. But what if it's a domain you just...don't control anymore?

Michael Kohlman

@briankrebs

And FWIW, I generally agree. I consider the public/private partnerships with technology vendors to be a critical part of my technology ecosystem. My agency could not operate without them.

But there is a systemic issue (and TL;DR for a toot) where so many agencies lack the people in the desperately needed roles to check these things and ask these questions. All too often it is a non-IT SME doing the RFP, with the vendor saying "trust us" with regards to cyber.

a goat‽

@briankrebs I have a lot against private contractors doing a whole lot of gov stuff...

Paul_IPv6

@briankrebs

yeah... something.irs.gov sure seems like the more correct solution...

lots more control of DNSSEC, registry/registrars, auth name servers, etc.

Philip Mallegol-Hansen

@briankrebs I really wish everyone in general, and government institutions in particular, would take to heart the hierarchical nature of domains.

(Putting aside the preferential nature of .gov being US only, and not for all government)

Give us irs.federal.gov, legislature.wa.gov, etc!

I should be able to trust at a glance that something is the product of my state government based on the domain.
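Two points in this thread lend themselves to a concrete check: the original post's observation that a .gov login page pulls resources from hosts under foreign TLDs, and the point just above that a hostname's hierarchy should let you tell at a glance whether a name belongs to the agency. The script below is an added example written for this page, not code from any poster or from the IRS, ID.me or login.gov. It audits the resource URLs a page loads against a list of suffixes the agency controls, matching on label boundaries so that `irs.gov.example.net` is not mistaken for a subdomain of `irs.gov`, and summarises which TLDs the remaining third-party hosts fall under. The trusted-suffix list and every sample URL are constructed for the example; the `.me` and `.it` hostnames are illustrative stand-ins, not the real services.

```python
"""Audit the hostnames a page loads resources from (added example, not from
the thread). Standard library only, so it runs offline on a constructed
resource list; in practice the list would come from a HAR export or a CSP
report feed."""
from urllib.parse import urlsplit

# Assumed: suffixes the agency actually controls. A real deployment would
# take these from the agency's domain inventory, not a hard-coded tuple.
TRUSTED_SUFFIXES = ("irs.gov", "login.gov")


def host_under(host: str, suffix: str) -> bool:
    """True if host equals suffix or is a subdomain of it.

    Matching on label boundaries is the whole point: a plain endswith()
    would accept 'notirs.gov', and a prefix check would accept
    'irs.gov.example.net'. Neither is under irs.gov."""
    host = host.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def tld(host: str) -> str:
    """Rightmost DNS label, e.g. 'gov', 'me', 'it'."""
    return host.lower().rstrip(".").rsplit(".", 1)[-1]


def audit_resources(page_url: str, resource_urls, trusted=TRUSTED_SUFFIXES):
    """Classify every resource a page loads.

    Returns a list of dicts with url, host, tld and status, where status is
    'trusted' (host is under a controlled suffix) or 'third-party'.
    Relative URLs resolve to the page's own host."""
    page_host = urlsplit(page_url).hostname
    findings = []
    for url in resource_urls:
        host = urlsplit(url).hostname or page_host
        status = "trusted" if any(host_under(host, s) for s in trusted) else "third-party"
        findings.append({"url": url, "host": host, "tld": tld(host), "status": status})
    return findings


def third_party_tlds(findings):
    """Sorted set of TLDs behind third-party hosts: the 'which countries' view."""
    return sorted({f["tld"] for f in findings if f["status"] == "third-party"})


# Constructed sample input: the kind of resource list a login page might
# produce. None of these hostnames are real services.
SAMPLE_PAGE = "https://sa.www4.irs.gov/secureaccess/ui/"
SAMPLE_RESOURCES = [
    "/static/app.js",                                        # relative: page host
    "https://api.irs.gov/v1/session",                        # agency API
    "https://secure.login.gov/openid_connect/authorize",     # controlled suffix
    "https://login.example-idp.me/sso/start",                # third party, .me
    "https://tracker.example-mail.it/open?id=123",           # third party, .it
    "https://irs.gov.example.net/login.js",                  # NOT under irs.gov
]

if __name__ == "__main__":
    results = audit_resources(SAMPLE_PAGE, SAMPLE_RESOURCES)
    for f in results:
        print(f"{f['status']:<11} {f['host']:<32} .{f['tld']}")
    print("third-party TLDs:", ", ".join(third_party_tlds(results)))
```

The useful output is the short list of third-party TLDs rather than the full resource list: on a page whose only legitimate dependencies sit under agency-controlled names, that list should be empty, and each entry in it is a dependency whose registration, renewal and content are outside the agency's control, which is exactly the link-rot and "domain you don't control anymore" concern raised later in the thread.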

Karsten Johansson

@briankrebs Realistically, the government wouldn't be using anything but the .gov tld to avoid trickery.

unixjunk1e 🌵

@briankrebs Whatever future decision the .gov's make will no doubt be announced on their existing 3rd party social media dumpster fire account owned by a totally non-biased stable and honest genius.. :-/

Clay Knight

@briankrebs it’s not just the IRS. Somehow, even the VA uses them for authentication and verification of VA benefit entitlement. It’s a shitshow.

Winfried

@briankrebs welcome to the world of every non-US resident.

🇵🇸 damaged gods 🇺🇦

@briankrebs

We're witnessing the decline of civilization in real time

🇵🇸 damaged gods 🇺🇦

@briankrebs

As they freak out about China all the usgov websites are loaded with malware because our leaders are in their 80's and all their advisers and underlings are lobbyists on the payroll of any and every dark money slush fund

mc.fly

@briankrebs Did they have a proper cookie warning? Italy is a GDPR country, so if the cookie really comes from something in Italy there should be a GDPR warning.

BrianKrebs

@mcfly far as I can tell they're just using a trendy tracking service whose domain ends in .it ("postmark it").

mc.fly

@briankrebs The domain postmark.it is for sale.

Should i worry? Or maybe try to buy it?

postmark.it seem to be hosted in canada....

Samhain Night

@briankrebs I spent more than an hour trying to get in touch with customer service with ID.me recently. I needed a replacement card but couldn’t order one on the automated system without my card number. Sorry not sorry, but if my taxes are paying for a government system, then I deserve being able to talk to my government about it.
Something about taxation and representation.

Reese Armstrong :verified_su:

@briankrebs I don't understand why they don't just use login.gov

TopKnot

@briankrebs

I'm sure you've done your due diligence, but I'd find a different way to log into the IRS.

They can't even answer a phone or even discuss the problem on their Facebook timeline. When I had problems, they acted like a company with 3 employees and only one employee worked in a part time position. That employee was excellent at telling me they'd look into the problem and call me back. ID.me never called me back.

LanguageMan1

@briankrebs I can only imagine it getting worse before it gets better

Mike Loukides

@briankrebs Do the cookies from Columbia come with coffee?

Victor S Sigmoid

@briankrebs I propose a law that bars third party data brokers from any site or interaction which directly or indirectly requires government ID per law. KYC and tax are two examples. Any related data should be tainted as "fruit of the ID Tree" and restricted from outside the authority collecting it.

Christie Dudley

@briankrebs What's worse is that this is for a US government website. You would think they would have access to their own domain names or something.
