To be clear, I have nothing against private companies or citizens using whatever TLD they want. But we need to stop doing this on important .gov stuff. And I would consider the IRS to easily qualify there.
@tychotithonus @briankrebs you want the government to provide services? that's *socialism* /sarcasm oh god please recognize the sarcasm i point you to the history of the various IRS software upgrades, the various attempts to update the patent office software, etc. that's not even considering the usual govt turf/budget battles, lack of enough GS folks, lobbyists muddying most efforts to clean things up.
@tychotithonus @briankrebs You can't have the government in housing work when there are so many private contractors that can do it for at least 20% more, that's communism (this is sarcastic but it does seem to be how it works for a lot of things)
How about this? Lawmakers pass a law (gasp!) that says if you're a private company providing services to the entire populace on behalf of .gov, your site will use com/net/org only when it is interacting with the government. Full stop. Probably even the extreme wingnuts in the GOP could get behind this, in a kind of "buy American" way.
@briankrebs US Congress passing laws that universally benefit society? Get outta here with this communist propaganda
@briankrebs related angry old man yelling at clouds: why does every government web site ask if they can add marketing cookies or do I just want the ones necessary for this site?
Why? Because laws were passed that made them. They wouldn't without the laws. Round and round we'll go..
@itty53 @briankrebs How about just using cookies needed for the site to work? Not trying to sell our data to private companies while providing government services?
@itty53 @aqunt @briankrebs The question is why a government site is trying to set marketing cookies, though.
@briankrebs What about appropriate country TLDs? (ie, .us for companies providing services to US government + people)
@max No way in hell I would encourage the further use of .us until someone in charge at the GSA or whatever started giving a damn about how the tld is completely overrun with abuse, phishing and spam domains -- in near total contravention to the tld's charter, I might add. https://krebsonsecurity.com/2023/09/why-is-us-being-used-to-phish-so-many-of-us/
@briankrebs yeah. A representative. But then again how many bills are drafted by lobbyists and just signed by representatives
@briankrebs I like this, but there might need to be some kind of domain registration price regulation included too.
@briankrebs If the company is operating out of a Balkan nation, does making it use a .com domain make it any safer?
@briankrebs @FritzAdalis @briankrebs ID.me can eat a dick, they refuse to verify my identity. Trying to lock down my ID with the IRS because of my PMI being all over the dark web, and I just can't. They refuse to work with me, it fucking sucks.
@briankrebs So you basically say, governments may not use an external mail/mail tracking service like mailchimp, postmark (what this is) and so on. Not that I am on the other side, but how should a normal user (the stuff at that government) know what's going on behind the scenes? They just use the typical plugin.
@briankrebs Alternative idea… a federal CA. All government and proxy sites must use it.
@briankrebs Rather than a lock icon for these certs for https in the browser, instead have a lock with… just spitballing here… an Eagle shooting off fireworks while gripping a beer can. Or a flag. Your choice.
@briankrebs It really should. This is how most scams in third world countries start. 'SMSes like Click on this link to pay your tax/insurance, and the link is of some xyz@shop xyz@corner xyz@taxoffice site.' Make it a law sooooon, Like before some foreign lobby gets to the GOP wingnuts.
@briankrebs I can see it now, generic system services company has to buy .us, .ie, .uk, .es, .ca, .de, .fr, etc, and use the correct domain for each country. (.com is also banned in the EU for being under US control)
@briankrebs Sure, it's not a problem....right now. But in 5 years, if that company goes under and another one moves in, even with 3 years time warning ahead, some random person finds an old document via a search engine that talks about this URL. If it's a .gov address, no prob, 301. But what if it's a domain you just...don't control anymore?
And FWIW, I generally agree. I consider the public/private partnerships with technology vendors to be a critical part of my technology ecosystem. My agency could not operate without them. But there is a systemic issue (and TL;DR for a toot) where so many agencies lack the people in the desperately needed roles to check these things and ask these questions. All too often it is a non-IT SME doing the RFP, with the vendor saying "trust us" with regards to cyber.
yeah... something.irs.gov sure seems like the more correct solution... lots more control of DNSSEC, registry/registrars, auth name servers, etc.
@briankrebs I really wish everyone in general, and government institutions in particular, would take to heart the hierarchical nature of domains. (Putting aside the preferential nature of .gov being US only, and not for all government) Give us irs.federal.gov, legislature.wa.gov, etc! I should be able to trust at a glance that something is the product of my state government based on the domain.
@briankrebs Realistically, the government wouldn't be using anything but the .gov tld to avoid trickery.
@briankrebs Whatever future decision the .gov's make will no doubt be announced on their existing 3rd party social media dumpster fire account owned by a totally non-biased stable and honest genius.. :-/
@briankrebs it’s not just the IRS. Somehow, even the VA uses them for authentication and verification of VA benefit entitlement. It’s a shitshow.
@briankrebs I'm also mystified why they didn't just extend the capabilities of login.gov to cover the "check their driver's license" aspects of ID.me, and keep the entire thing in house.
login.gov's design and UX is thoughtfully, expertly executed, is vastly superior to ID.me, and is already under .gov and championed by 18F.
But instead of pushing login.gov everywhere (which was the original plan), ID.me materialized and pushed its way into IRS and pay.gov in a way that seemed weirdly pre-emptive of the entire login.gov effort.