top | item 11420139

Turkish Citizenship Database Leaked

664 points | ponyous | 10 years ago | ibtimes.co.uk

259 comments

[+] ttn|10 years ago|reply
TR citizen here. For the last 10 years only those who are really close to the AKP have got government contracts, including for software like this, for stupid amounts of money and with no know-how. Therefore this is absolutely normal, at least for us; the only thing that surprised me about this leak is that it got onto the front page of HN.

Those software "companies" take millions of liras, usually for stupid CRUD stuff, take years to develop it, and the result is goddamn vulnerable, unaesthetic pieces of garbage.

I'm on that list as well. With that info, a terrorist can buy a SIM card in my name, use it to proxy-blow up a goddamn bomb aaaaand I'm in jail.

[+] istoica|10 years ago|reply
Not only there, but in other countries in Europe too. In Romania they are prosecuting the boss of the biggest software company we have, and he has to sell his paintings and artwork to avoid being arrested (bail).

The usual opinion is that they all got rich with state contracts building stupid and expensive things that young kids would do in no time for nothing.

As a government agency, of course one would not prefer to hire kids, but these countries have good IT people, and they have universities that are struggling with funds and finance (as education is free there, and state universities are way beyond the private diploma factories that are known as private universities).

Instead of throwing that money away, they could have helped education and developed infrastructure at the same time. Nobody has a bloody conscience any more!

[+] low_battery|10 years ago|reply
Just a note: it looks like this data comes from Mernis (1), a project with quite a bad history, developed in the 90s and launched in 2000; internet access to it started in 2002.

I know a bit about government IT departments and contractors at the time, and I had zero faith in their competence, so this breach is no surprise to me. The current government is no different from its predecessors; just business as usual.

(1) https://en.wikipedia.org/wiki/Turkish_Identification_Number

[+] jacquesm|10 years ago|reply
It should actually be the other way around. Now that this information is public, any kind of link with personally identifiable information should be considered suspect rather than be used as evidence of wrongdoing without further checking. That information became less valuable with this leak, not more valuable, and those things that you could do with that information before should now become harder.
[+] nacs|10 years ago|reply
> With that info, a terrorist can buy a SIM card for my name

Well that escalated quickly.. Terrorists wouldn't need this database to supply them with names and addresses as most of that info is public in most countries (white-pages is one place). And I can go to any local shop and get a pre-paid SIM card without any personal info involved.

Also, if your country convicts you merely because someone used your name with no other evidence to tie you to the crime, you have bigger problems.

[+] n1myls|10 years ago|reply
UPDATE: It turns out the database that was claimed to have been captured by hacking is actually semi-public data. What's correct is the origin of the source of the database. However, that database, which has limited information about voters, is shared by the state agency and distributed to the political parties before public polls by mandate of the voting laws. The database is actually from 2010 and was not obtained by hacking or anything, but was leaked by one of the political parties.

When I saw the news I did download the database and searched for myself. My information was not there, because I am not a registered voter since I live in the States. However, all my siblings' and parents' information is there, unfortunately.

There's a fierce political rivalry in Turkey that is increasingly becoming uglier by the day. The story smelled from the beginning anyway: implicating the president, alleging cronyism and trying to score for some political agenda.

[+] seewhat|10 years ago|reply
I have seen the term "tenderpreneur" applied to those who become enriched through favourable access to government contracts, as in...

https://en.wikipedia.org/wiki/Tenderpreneur

  ... a tenderpreneur is a person in government who abuses their
  political power and influence to secure government tenders and
  contracts. The word tenderpreneur is a portmanteau of "tendering"
  and "entrepreneur".
Could the meaning be applied here too?
[+] nirkrakowski|10 years ago|reply
But now you can easily claim the information was stolen, so no judge will ever convict you.
[+] scotchmi_st|10 years ago|reply
> With that info, a terrorist can buy a SIM card for my name, use it to proxy-blow up a goddamn bomb aaaaand I'm in jail.

Or, you know, dead. It's a bit optimistic in the current climate to assume they'd arrest you peacefully.

[+] babayega2|10 years ago|reply
That sounds like Burundi to me. Incompetence is encouraged.
[+] beachstartup|10 years ago|reply
> Those software "companies" take millions of liras, usually for stupid CRUD stuff, develop it in like years and result is goddamn vulnerable, unaesthetic pieces of garbage.

that's great news! sounds like turkey is closer than anyone expected to being a full fledged western member state!

[+] staticelf|10 years ago|reply
Interesting, in Sweden this kind of data is already public for anyone to view.

There are also several sites that provide this information as a search service, and it's perfectly legal:

http://www.merinfo.se/
http://www.ratsit.se/

[+] more_original|10 years ago|reply
Interesting. In Germany this database does not even exist. Each town keeps its own data and they are not connected. I think the reason for this is the evil use of databases by the Gestapo during Nazi times.
[+] marinabercea|10 years ago|reply
The data released contains national identification codes that are confidential. I believe the Swedish equivalent is the 'personnummer'. The sites you indicated appear to be regular person search engines, like the US equivalent Whitepages? Can you show a specific search result, pick any Swedish name you want, that would also list the person's personnummer?
[+] dijit|10 years ago|reply
The difference being that in Sweden there is a different requirement for causing harm (i.e. a national ID card or passport, or a linked bank account); simply having a social security number and an address is not enough for identity theft to occur.

In other countries they treat SSNs as private, thus they are trusted.

[+] fapjacks|10 years ago|reply
As an American with a Swedish wife, I was very surprised to learn about the availability of this data. But something that really turned me around was that it makes verifying strangers much easier. My cousin-in-law was using it to look up the people offering to become au pair to her children. Then also of course, I remembered that we have the same service in the United States, it just costs you ten or fifteen dollars for the information. You can get exactly this information that is up-to-date and accurate by paying for one of those background checks from one of the major providers. Same stuff.
[+] m00dy|10 years ago|reply
Well, I'm Turkish and living in Sweden. I can see myself in the dumps as well as in those Swedish search services.
[+] eng_monkey|10 years ago|reply
Amazing. I wonder what the benefit is of having information such as your home address public.
[+] ponyous|10 years ago|reply
In case it goes offline:

    #Turkish Citizenship Database

    Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?
    
    This leak contains the following information for 49,611,709 Turkish citizens: (IN CLEARTEXT)

    - National Identifier (TC Kimlik No)
    - First Name
    - Last Name
    - Mother's First Name
    - Father's First Name
    - Gender
    - City of Birth
    - Date of Birth
    - ID Registration City and District
    - Full Address

    **Lesson to learn for Turkey:**

    - Bit shifting isn't encryption.
    - Index your database. We had to fix your sloppy DB work.
    - Putting a hardcoded password on the UI hardly does anything for security.
    - Do something about Erdogan! He is destroying your country beyond recognition.

    **Lessons for the US?** We really shouldn't elect Trump, that guy sounds like he knows even less about running a country than Erdogan does.
    
    [Example Data]
    
    [Download URL]
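The leak page's line "Bit shifting isn't encryption" deserves a concrete illustration. The block below is an added example, not code from the leak page, from the thread or from Mernis: it assumes a made-up scheme that obfuscates each byte by rotating its bits by a fixed amount (the real Mernis encoding is not described on this page), and shows why such a scheme is not encryption in any meaningful sense. The "key" has only eight possible values, so an attacker with no key at all simply tries them all and keeps the candidate that decodes to plausible text. The sample record is constructed with placeholder values.

```python
"""Why per-byte bit rotation is obfuscation, not encryption (added example).

The rotation scheme, the 8-value "key space" and the sample record are all
assumptions made for this demo; they are not the encoding Mernis used.
"""


def rotl8(b: int, k: int) -> int:
    """Rotate an 8-bit value left by k positions (k taken mod 8)."""
    k %= 8
    return ((b << k) | (b >> (8 - k))) & 0xFF


def rotr8(b: int, k: int) -> int:
    """Rotate an 8-bit value right by k positions."""
    return rotl8(b, (8 - k) % 8)


def obfuscate(data: bytes, k: int) -> bytes:
    """The 'encryption': rotate every byte left by the secret shift k."""
    return bytes(rotl8(b, k) for b in data)


def deobfuscate(data: bytes, k: int) -> bytes:
    """Undo obfuscate() when k is known."""
    return bytes(rotr8(b, k) for b in data)


def looks_like_text(data: bytes) -> float:
    """Plausibility score: fraction of bytes that are printable ASCII or
    ordinary whitespace. A CSV-style record scores 1.0; a wrong rotation
    scatters high bits and control characters across the output."""
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in b"\t\r\n")
    return ok / max(1, len(data))


def brute_force(blob: bytes) -> list[tuple[int, bytes, float]]:
    """Try every possible shift (there are only eight) and rank the
    candidate plaintexts by plausibility, best first."""
    cands = [(k, deobfuscate(blob, k), 0.0) for k in range(8)]
    cands = [(k, pt, looks_like_text(pt)) for k, pt, _ in cands]
    cands.sort(key=lambda c: c[2], reverse=True)
    return cands


def recover(blob: bytes) -> tuple[int, bytes]:
    """Return the (shift, plaintext) the attacker would pick without a key."""
    k, pt, _ = brute_force(blob)[0]
    return k, pt


# Constructed sample record with placeholder values (not a real person):
# id;first;last;mother;father;sex;birthplace;dob
SAMPLE = b"12345678901;AYSE;YILMAZ;FATMA;MEHMET;K;ISTANBUL;1.1.1980\n"

if __name__ == "__main__":
    blob = obfuscate(SAMPLE, 3)          # "encrypt" with secret shift 3
    shift, plaintext = recover(blob)     # attacker never learns the key
    print(f"recovered shift={shift}: {plaintext!r}")
```

The point generalizes: any keyless transform, or one whose key space is small enough to enumerate, gives no confidentiality against someone who can recognize a correct decode. Real protection for data at rest means an authenticated cipher under a key the application server has to fetch from somewhere the database host cannot read.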
[+] zo1|10 years ago|reply
What an odd place to put an anti-Trump comment.
[+] ZoF|10 years ago|reply
Probably won't come down anytime soon, this box is hosted by Voxility, they're notoriously terrible for dealing with abuse complaints.
[+] mathetic|10 years ago|reply
This data is being circulated for a while now.

This makes me so angry. It is good that you show the infrastructure is bad, but how stupid does one have to be to say "do something about Erdogan" to the people who are facing identity theft directly due to one's actions?

Many companies use date of birth and address for authentication. The only thing that is missing is mother's maiden name, which then would be enough to access confidential information at most banks (though they wouldn't be able to transfer money without authorisation code).

[+] eveningcoffee|10 years ago|reply
> Many companies use date of birth and address for authentication. The only thing that is missing is mother's maiden name, which then would be enough to access confidential information at most banks (though they wouldn't be able to transfer money without authorisation code).

Maybe they should learn a lesson from here - information that you do not control should not be used for authentication. Especially the one that is in its essence public.

[+] xorcist|10 years ago|reply
Let's hope that leaks like this forces the banks you speak of to care more about authentication.
[+] driverdan|10 years ago|reply
> Many companies use date of birth and address for authentication.

Who does? I've seen them used as part of the signup process for some services but never as standalone authentication.

[+] ssh42|10 years ago|reply
> The only thing that is missing is mother's maiden name.

It's extremely unsafe given the known distribution of last names. E.g. in the leaked db the most frequent 12 last names correspond to a 10% share of the population, and the most frequent 50 names "explain" 20% of the population.
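The arithmetic behind mathetic's and ssh42's point (a "secret" drawn from a public, heavily skewed distribution is a poor authenticator) can be written out. The block below is an added example, not from either commenter and not derived from the leaked data: the surname share table is constructed for the demo. Given any table of (name, share of population), it computes how much of the population the top-k guesses cover, how many guesses reach a target coverage, the expected number of guesses in the optimal order compared with a uniform secret of the same size, and the practical number: how many accounts fall to an attacker who spends a fixed lockout budget per account across many accounts rather than hammering one.

```python
"""Guessing a secret drawn from a skewed public distribution (added example).

CONSTRUCTED_SHARES is a made-up surname frequency table, not the leaked
data. Everything else is plain arithmetic over whatever table is supplied.
"""
from __future__ import annotations

# Constructed table: five common names and a long tail of 85 names at 1%
# each. Shares sum to 1.0 so coverage numbers read as population fractions.
CONSTRUCTED_SHARES: dict[str, float] = {
    "Yilmaz": 0.05, "Kaya": 0.04, "Demir": 0.03, "Celik": 0.02, "Sahin": 0.01,
}
CONSTRUCTED_SHARES.update({f"Tail{i:02d}": 0.01 for i in range(85)})


def ranked(shares: dict[str, float]) -> list[tuple[str, float]]:
    """Names in the order an attacker would guess them: most common first."""
    return sorted(shares.items(), key=lambda kv: kv[1], reverse=True)


def top_k_coverage(shares: dict[str, float], k: int) -> float:
    """Fraction of the population whose secret is among the k best guesses."""
    return sum(p for _, p in ranked(shares)[:k])


def guesses_to_reach(shares: dict[str, float], target: float) -> int:
    """Smallest number of guesses whose cumulative coverage reaches target.
    Returns len(shares) + 1 if the table never reaches it."""
    cum = 0.0
    for i, (_, p) in enumerate(ranked(shares), start=1):
        cum += p
        if cum >= target - 1e-12:      # tolerate float accumulation error
            return i
    return len(shares) + 1


def expected_guesses(shares: dict[str, float]) -> float:
    """Expected guesses in optimal order (the 'guesswork' of the secret)."""
    return sum(i * p for i, (_, p) in enumerate(ranked(shares), start=1))


def uniform_expected_guesses(n: int) -> float:
    """Baseline: a secret chosen uniformly from n values needs (n+1)/2."""
    return (n + 1) / 2


def expected_compromises(shares: dict[str, float], attempts: int,
                         accounts: int) -> float:
    """Attacker spends `attempts` guesses per account (the lockout budget)
    across `accounts` accounts; each falls with probability coverage(attempts)."""
    return top_k_coverage(shares, attempts) * accounts


if __name__ == "__main__":
    t = CONSTRUCTED_SHARES
    print("top-12 coverage:", round(top_k_coverage(t, 12), 3))
    print("guesses for 50%:", guesses_to_reach(t, 0.5))
    print("expected guesses:", round(expected_guesses(t), 2),
          "vs uniform", uniform_expected_guesses(len(t)))
    print("compromised of 1M accounts with 3 tries each:",
          round(expected_compromises(t, 3, 1_000_000)))
```

Run it against a real frequency table and the lockout counter that protects a password is revealed to be nearly irrelevant for this kind of question: three guesses per account, applied across a million accounts, still yields the top-three coverage as a fraction of all accounts. The only fix is the one eveningcoffee states below: do not authenticate with data the user does not control.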

[+] pmorici|10 years ago|reply
How do companies verify mother's maiden name? I've never used my mother's real maiden name when filling out any kind of account application form and no one has ever batted an eye.
[+] gkya|10 years ago|reply
Do you know whether Turkish state authorities are aware of this thing?
[+] throwawayturk|10 years ago|reply
The leak is reported to be from the YSK [1], the organization that manages the election registers.

The software used by them was developed by Cybersoft [2]. Cybersoft was part of the team that developed the new identity system in Turkey. The practices used by Cybersoft are reported to have been horrible. I know someone who worked on that project (about 15 years ago); reportedly they were really bad, playing games on the servers where all the identity data of the citizens was stored. I also know that any employee who was part of the project had access to the query systems, so it was possible to query the database for all citizens of Turkey. I'm not sure how much data it revealed, but it revealed the number of people with that name and surname ever born, for sure.

Now, I'm not a fan of Erdogan, but Cybersoft was developing stuff before Erdogan even got elected. So yes, maybe the government that started working with Cybersoft was corrupt, and maybe the current one is too, but let's not use every single baseless argument to attack Erdogan; it doesn't help anything.

[1] http://www.ysk.gov.tr/ysk/faces/Anasayfa.jspx

[2] http://www.cs.com.tr/TR/

[+] marinabercea|10 years ago|reply
This is the product of self-righteous activism. You'd have to be pretty deluded and starving for attention to think effectively releasing tens of millions of private individuals' complete identification data is justifiable in some way.
[+] dmitriid|10 years ago|reply
Quoting a Turkish friend:

---start quote---

Luckily there’s no really valuable data, other than personnummer. But i am sure with a little bit of digging it would be super easy, during Gezi police had a pwd like 12345

The important thing with the data is national stats, which is super important commercially. And that is for free now. More spam in the mailbox for everyone.

Obviously, for stalkers, sickos, or pedophiles this is an open source to attack. That is another security concern, because there was no db as in Sweden where you can access someone’s address this easy

---end quote---

[+] dang|10 years ago|reply
Some readers have complained about this data being posted here. That's reasonable, but so is the community discussion. So we changed the URL from http://185.100.87.84/ to the least bad news article we could google. If someone has a better URL, we can change it again.
[+] peter303|10 years ago|reply
Only a matter of time before the whole US SS/IRS database is dumped into the public domain by political hackers too. Pieces of it have been liberated by sloppy corporations and medical databases. But not the whole thing from the government.
[+] koolba|10 years ago|reply
Note: I wrote this up as a reply but the parent was deleted in the interim so posting at the top level instead.

> Which server is this? A Whois lookup returned nothing.

The whois command works on domain names, not IP addresses.

To get the DNS name associated with an IP address you can try a reverse lookup:

    $ dig -x 185.100.87.84
Unfortunately that only works if the reverse record has been set up, and it hasn't in this case.

You can still see where the server is located via tracepath:

    $ tracepath 185.100.87.84
    [truncated]
    12:  lon-tel-01c.voxility.net                             86.537ms asymm 16 
    13:  buc-ird-01c.voxility.net                            147.516ms asymm 17 
    14:  buc-ird-27sw.voxility.net                           136.914ms asymm 18 
    15:  buc-ird-46sw.voxility.com                           149.699ms asymm 18 
    16:  185.100.87.84                                       143.626ms reached
So most likely the server is hosted on voxility.com which looks like an IaaS provider.
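Reading the provider off a tracepath output is easy to do by eye once; doing it repeatedly, or over many hosts, wants a small parser. The block below is an added example, not from koolba's comment: it parses tracepath's hop lines (the sample embedded is the excerpt quoted above), handles the `no reply` hops tracepath prints when a router stays silent, and attributes the destination to the registrable domains seen on the last named hops. Two assumptions are labelled in the code: the "last two labels" rule for a registrable domain ignores the public suffix list (so `co.uk` style names would need it), and path-based attribution is a heuristic, not an ownership record; the authoritative answer for an IP block comes from the RIR's whois or RDAP service, which takes IP addresses as well as domains.

```python
"""Parse tracepath output and attribute the destination to a network
(added example; the sample below is the excerpt quoted in the thread)."""
from __future__ import annotations

import re

SAMPLE = """\
12:  lon-tel-01c.voxility.net                             86.537ms asymm 16
 9:  no reply
13:  buc-ird-01c.voxility.net                            147.516ms asymm 17
14:  buc-ird-27sw.voxility.net                           136.914ms asymm 18
15:  buc-ird-46sw.voxility.com                           149.699ms asymm 18
16:  185.100.87.84                                       143.626ms reached
"""

# "<ttl>:  <host or ip>  <rtt>ms [flags...]"  and  "<ttl>:  no reply"
HOP_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+([\d.]+)ms(?:\s+(.*\S))?\s*$")
NOREPLY_RE = re.compile(r"^\s*(\d+):\s+no reply\s*$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hops(text: str) -> list[dict]:
    """Return one dict per hop line, in order of TTL. Unparseable lines
    (tracepath's own banner, '[truncated]' markers) are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            ttl, host, rtt, flags = m.groups()
            hops.append({"ttl": int(ttl), "host": host, "rtt_ms": float(rtt),
                         "flags": (flags or "").split(),
                         "is_ip": bool(IPV4_RE.match(host))})
            continue
        m = NOREPLY_RE.match(line)
        if m:
            hops.append({"ttl": int(m.group(1)), "host": None, "rtt_ms": None,
                         "flags": [], "is_ip": False})
    hops.sort(key=lambda h: h["ttl"])
    return hops


def registrable_domain(host: str) -> str:
    """Assumption: registrable domain is the last two labels. Good enough for
    'voxility.net'; a real tool would consult the public suffix list."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def attribute_path(hops: list[dict], tail: int = 4) -> dict:
    """Heuristic attribution: the destination, whether it was reached, and
    the domains of the last `tail` named (non-IP, non-silent) hops."""
    if not hops:
        return {"destination": None, "reached": False,
                "last_named_hop": None, "provider_domains": []}
    last = hops[-1]
    named = [h for h in hops if h["host"] and not h["is_ip"]]
    tail_named = named[-tail:]
    return {
        "destination": last["host"],
        "reached": "reached" in last["flags"],
        "last_named_hop": tail_named[-1]["host"] if tail_named else None,
        "provider_domains": sorted({registrable_domain(h["host"])
                                    for h in tail_named}),
    }


if __name__ == "__main__":
    summary = attribute_path(parse_hops(SAMPLE))
    print(summary)
```

The heuristic breaks in the obvious ways a practitioner should expect: transit providers whose routers carry the customer's reverse DNS, hops that answer from a different interface than the forward path, or a destination behind a CDN or DDoS-scrubbing front end. Treat the domains it reports as a lead for the RIR lookup and the abuse contact, not as the answer.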
[+] accommodavid|10 years ago|reply
Checked my girlfriend's family. Some of them are army officials and their info is in there as well. With that info you could actually do some serious damage.

Also, based on address info we know this dump is 2-6 years old.

[+] devy|10 years ago|reply
Does the publisher of this leak really think the other politicians are better off in keeping private citizens' information private? S/he must have not heard the Clinton's own email server leak issue. Yeah, yeah, it's a cliché, but it shows exactly how much they care about security.
[+] eli|10 years ago|reply
Clinton's email server didn't leak anything, so far as we know. The emails you've read have been released by the State Department as public government records.
[+] diminish|10 years ago|reply
A criminal thief putting personal data online and giving political lessons, shame on you really.

When your true goals are phishing, criminal activities and spamming to rob innocent people, at least be honest and do not make such grandiose statements. /rant

[+] whalesalad|10 years ago|reply
So the folks who did this complained about a bad DB (needing indexes) but then failed to convert the DOBs to date types.
[+] return0|10 years ago|reply
Interesting, but to be fair a typical facebook page has more information.
[+] rmc|10 years ago|reply
You shouldn't share this around. This is going to mess up a lot of innocent people's lives.
[+] amingilani|10 years ago|reply
Why host the dump on an IP instead of a domain?

I mean, I suppose skipping a domain means one less company that knows your personal information, but doesn't this mean Voxility[1] can lookup the customer for this IP?

[1] koolba's comment: https://news.ycombinator.com/item?id=11420959

[+] Matt3o12_|10 years ago|reply
A domain adds another point of failure (if we want to take you down, we can just block the domain instead of the server). As others have pointed out, the abuse handling for that host is quite terrible, so it might take a while to get taken down.

Also, a domain name costs money, and you get little use out of it (just paid $20 for a domain that gets taken offline in a few days). And even if there were a domain name, what should it be? Turkish-citizenship-dump.com? What value does it add if the site only sticks around for a few days?

[+] zwarag|10 years ago|reply
There are countries where they "ban" stuff by just not looking up the domain name. I guess that's why he did it this way.
[+] bediger4000|10 years ago|reply
Isn't the real lesson here twofold?

1. Governments can't keep this kind of data secure.

2. Massive troves of information that identify individuals are a very tempting target.

This sort of breach argues against big centralized (e.g. NSA's "sniff it all") data stores. They're just too easy to get into the wrong hands.

[+] eatsfoobars|10 years ago|reply
A user named testing123123 wrote about the dump on ##crypto, on Freenode. He claimed to be the one who dumped the database. It happened yesterday, on Sunday.

Log: http://pastebin.com/EgKhCj6z (Time is EEST, UTC +3)