Monday, August 14, 2006

A Train Wreck on the Horizon

Not only has Nagin failed miserably in his promise to keep our city safe from crime in the corporeal realm....he's now opened up the city website to a potential cyber attack.

The SSL certificate on the city website has expired. That means that anyone going on the site to pay a parking ticket by entering their credit card number will be entering their financial information on an unsecure system. Cyber thieves could be acquiring CC numbers entered on the site en masse, as I write this.

I can see the class action lawsuit unfolding already....just what the city needs at a period when we can't even get our streetlights fixed.

This is just gross incompetence...pure and simple. In his first 100 days he's done nothing but travel around the country selling himself out for speaking engagements at 5k per pop. This is just pathetic.

7 comments:

Pawpaw said...

And yet you guys re-elected him. Amazing.

Anonymous said...

Carpet

Bloggers

Banzai Bill said...

This is unbelievable.

I would ask why people aren't up-in-arms angry with Nagin and the whole council today about their lack of initiative since May....

I could ask this....

At times, do we all feel that we are so consumed by the "gluttony" of so many things in this city that we just shrug our shoulders to Nagin and others and just rationalize that nothing's going to matter anyway?

And I wonder, sometimes, where the saying "The City That Care Forgot" came from....

Dangle 24-7 said...

Off the subject but of great importance…..Clayton James Cubitt http://operationeden.blogspot.com/2006/08/katrina-every-day.html will be here over the next week making portraits of survivors for use in public service announcements highlighting the need to reach out for help when it all gets to be too much. Anyone who would like to participate, contact: travelingmermaid@gmail.com

Anonymous said...

I'm not sure how this gives anyone the ability to gather credit cards from the system. The transport is still encrypted with SSL. The certificate is just expired (the certificate authority signs a certificate with an expiration date). It's about as unsecure as generating your own certificate that you sign yourself. It's still secure, it's just not signed by an independent trusted authority.

The main issue where this is a vulnerability is that you are open to people potentially being confused between the official site and a phisher's site, but that point is really not valid since the certificates on these outsourced service sites end up being tied to these outsourced-style domain names that no one understands anyway (and would look just as dodgy as those a phisher might use). And users would still have to enter their details on the phishing site.

Jason Brad Berry said...

Anon,

Thanks for the info...my main concern is that if they are so lax as to let the certificate expire, I worry greatly about the potential for phishers to set up a phony site...and for that matter someone within the City IT department to tip off a phisher or do it themselves.

If you were aware of the level of scams that have been committed by people working within our city gov. from school board to RTA to IT, you might be more paranoid about any possibility for theft.

On top of that, if something does happen, the city will immediately be sued....and one more lawsuit against us is pouring salt in the wounds.

Thanks for the rationale and info.

Dambala

Schroeder said...

Hey pawpaw and banzai bill, why don't you help us by sending your protests to the City Council and mayor's office like the rest of us do. We didn't re-elect him (we bloggers, in the majority), and yes, we're furious!

cityofno.org