[LINK] MyHealthRecord opt-out Site

2016-04-03 Thread Bernard Robertson-Dunn
If you wish to opt-out of the MyHealthRecord trials you can go to this site.
http://www2.medicareaustralia.gov.au/pext/optoutextweb/optout.xhtml

A few clicks takes you to a page where you can fill in identity details

That page asks for name, date of birth and Medicare number and one of
driver licence number
passport number
or immicard number

Would someone please confirm that all this is being done in the clear?
i.e. it's not https

-- 

Regards
brd

Bernard Robertson-Dunn
Sydney Australia
email: b...@iimetro.com.au
web:   www.drbrd.com
web:   www.problemsfirst.com
Blog:  www.problemsfirst.com/blog

___
Link mailing list
Link@mailman.anu.edu.au
http://mailman.anu.edu.au/mailman/listinfo/link


Re: [LINK] MyHealthRecord opt-out Site

2016-04-03 Thread Michael
I heard this today via an acquaintance (I live in the Blue Mountains pilot
zone and this is getting some discussion). I can confirm it is unencrypted.
Hard to believe that anybody could set up a form requesting driver's
licence, passport numbers, names, addresses etc. without the most basic
level of encryption.
It certainly inspires no confidence in the security of the system more
widely.

Regards,
Michael Skeggs

On 4 April 2016 at 11:12, Bernard Robertson-Dunn  wrote:

> If you wish to opt-out of the MyHealthRecord trials you can go to this
> site.
> http://www2.medicareaustralia.gov.au/pext/optoutextweb/optout.xhtml
>
> A few clicks takes you to a page where you can fill in identity details
>
> That page asks for name, date of birth and Medicare number and one of
> driver licence number
> passport number
> or immicard number
>
> Would someone please confirm that all this is being done in the clear?
> i.e. it's not https
>
> --
>
> Regards
> brd
>
> Bernard Robertson-Dunn
> Sydney Australia
> email: b...@iimetro.com.au
> web:   www.drbrd.com
> web:   www.problemsfirst.com
> Blog:  www.problemsfirst.com/blog
>


Re: [LINK] MyHealthRecord opt-out Site

2016-04-03 Thread Bernard Robertson-Dunn
On 4/04/2016 11:20 AM, Michael wrote:
> I heard this today via an acquaintance (I live in the Blue Mountains pilot
> zone and this is getting some discussion). I can confirm it is unencrypted.
> Hard to believe that anybody could set up a form requesting driver's
> licence, passport numbers, names, addresses etc. without the most basic
> level of encryption.
> It certainly inspires no confidence in the security of the system more
> widely.

Thanks Michael.

I'm about to let this loose on Twitter
@AFP_Oz #ozmyhrprivacy if anyone is interested.


-- 

Regards
brd

Bernard Robertson-Dunn
Sydney Australia
email: b...@iimetro.com.au
web:   www.drbrd.com
web:   www.problemsfirst.com
Blog:  www.problemsfirst.com/blog



Re: [LINK] MyHealthRecord opt-out Site

2016-04-03 Thread Craig Sanders
On Mon, Apr 04, 2016 at 11:12:03AM +1000, Bernard Robertson-Dunn wrote:
> If you wish to opt-out of the MyHealthRecord trials you can go to this site.
> http://www2.medicareaustralia.gov.au/pext/optoutextweb/optout.xhtml
> 
> A few clicks takes you to a page where you can fill in identity details
> 
> That page asks for name, date of birth and Medicare number and one of
> driver licence number
> passport number
> or immicard number
> 
> Would someone please confirm that all this is being done in the clear?
> i.e. it's not https

1. The page is also accessible as
https://www2.medicareaustralia.gov.au/pext/optoutextweb/optout.xhtml

Most of the links in the page source seem to be relative links, so
if you enter the site using the https:// url rather than http://
it seems probable that the entire session will be encrypted.

of course, this also means that if you enter the page using the http://
url, everything will be unencrypted.  They really ought to have the web
server redirect http:// requests to the https:// site.

2. the page requires javascript, so i was unable to investigate beyond
the first page.  Later pages may have absolute http:// URLs.  Don't
know.

is there any other way to opt out? preferably one that doesn't require
me to allow the government (and/or whoever they've outsourced the web
site to) to run arbitrary javascript code on my computer. by phone,
perhaps?

3. The page contains several links to https://myhealthrecord.gov.au
hidden behind containers that are revealed by javascript, but the main
"Go back to myhealthrecord.gov.au" link at the top of the page is http
rather than https.  Probably a careless mistake.

craig

-- 
craig sanders 


Re: [LINK] MyHealthRecord opt-out Site

2016-04-03 Thread Bernard Robertson-Dunn
On 4/04/2016 11:33 AM, Hamish Moffatt wrote:
> On 04/04/16 11:12, Bernard Robertson-Dunn wrote:
>> If you wish to opt-out of the MyHealthRecord trials you can go to
>> this site.
>> http://www2.medicareaustralia.gov.au/pext/optoutextweb/optout.xhtml
>>
>> A few clicks takes you to a page where you can fill in identity details
>>
>> That page asks for name, date of birth and Medicare number and one of
>> driver licence number
>> passport number
>> or immicard number
>>
>> Would someone please confirm that all this is being done in the clear?
>> i.e. it's not https
>>
>
> It works on https too though.
>
> https://www2.medicareaustralia.gov.au/pext/optoutextweb/optout.xhtml
>
>
> So the test is, how did you get to that link in the first place?
> Perhaps this isn't actually much of an issue.

I clicked on the link on the myhealthrecord.gov.au website. The official
one that many people will use.
The link is  www2.medicareaustralia.gov.au/pext/optoutextweb/optout.xhtml

Here's a screen grab. You can see the link at the bottom.
https://www.privacy.org.au/Campaigns/MyHR/MyHR_opt-out3.jpg

It's an obviously simple link mistake, but really it shouldn't be
possible to even get at a non https version

-- 

Regards
brd

Bernard Robertson-Dunn
Sydney Australia
email: b...@iimetro.com.au
web:   www.drbrd.com
web:   www.problemsfirst.com
Blog:  www.problemsfirst.com/blog



Re: [LINK] MyHealthRecord opt-out Site

2016-04-03 Thread Michael
Just for clarity, the main site page, which is https encrypted is here:
https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/trials#dont-wantmhr

It links to the http unencrypted opt-out page.
It isn't a case of somebody entering a URL manually, it is the only link
from the main site.

Regards,
Michael Skeggs

On 4 April 2016 at 11:34, Craig Sanders  wrote:

> On Mon, Apr 04, 2016 at 11:12:03AM +1000, Bernard Robertson-Dunn wrote:
> > If you wish to opt-out of the MyHealthRecord trials you can go to this
> site.
> > http://www2.medicareaustralia.gov.au/pext/optoutextweb/optout.xhtml
> >
> > A few clicks takes you to a page where you can fill in identity details
> >
> > That page asks for name, date of birth and Medicare number and one of
> > driver licence number
> > passport number
> > or immicard number
> >
> > Would someone please confirm that all this is being done in the clear?
> > i.e. it's not https
>
> 1. The page is also accessible as
> https://www2.medicareaustralia.gov.au/pext/optoutextweb/optout.xhtml
>
> Most of the links in the page source seem to be relative links, so
> if you enter the site using the https:// url rather than http://
> it seems probable that the entire session will be encrypted.
>
> of course, this also means that if you enter the page using the http://
> url, everything will be unencrypted.  They really ought to have the web
> server redirect http:// requests to the https:// site.
>
> 2. the page requires javascript, so i was unable to investigate beyond
> the first page.  Later pages may have absolute http:// URLs.  Don't
> know.
>
> is there any other way to opt out? preferably one that doesn't require
> me to allow the government (and/or whoever they've outsourced the web
> site to) to run arbitrary javascript code on my computer. by phone,
> perhaps?
>
> 3. The page contains several links to https://myhealthrecord.gov.au
> hidden behind containers that are revealed by javascript, but the main
> "Go back to myhealthrecord.gov.au" link at the top of the page is http
> rather than https.  Probably a careless mistake.
>
> craig
>
> --
> craig sanders 


[LINK] Election hacking

2016-04-03 Thread Jim Birch
This looks like an interesting read:

How to Hack an Election
Andrés Sepúlveda rigged elections throughout Latin America for almost a
decade. He tells his story for the first time.

http://www.bloomberg.com/features/2016-how-to-hack-an-election/

Jim


Re: [LINK] MyHealthRecord opt-out Site

2016-04-03 Thread Karl Auer
On Mon, 2016-04-04 at 11:39 +1000, Roger Clarke wrote:
> However, that isn't conclusive evidence that the contents are
> transmitted in clear.

It's a bit complicated. The myhealthrecord site does seem to be doing
the right thing; the main page redirects to https and so on. But to opt
out you are shunted to the Medicare page, and Medicare is not doing the
right thing. Once there you can click on various links that are not
relative and that drop you back out to http.

I have a call in to MyHealthRecord trying to tell them about this. It
will be interesting to see if they do actually get back to me.

General note regarding web sites, and government sites in particular:
There used to be a convention that a link at the bottom of a page would
take you to the people responsible for the page, in a technical sense.
That seems to have gone now. It is actually quite difficult to get in
touch with anyone about a technical flaw in a government website.

I rang the Dept of Health on the main contact number. The person there
gave me the MyHealthRecord support line. I explained that I did not
need support, I had a report of a technical fault. That got me through
to someone called Jamie:

 Can you assist me with a technical issue?

 Yes.

 The MyHealthRecord opt-out page is only
 partly protected. The official link does
 not specify HTTPS and even if someone
 does get there with SSL, there are links
 within the site that bounce users back
 out to an unencrypted connection. This is
 a problem because you are collecting
 sensitive information via those pages.

 Just a minute, I'll try to find someone who
 can assist you.

Someone will call me back. So they say.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
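As an added illustration of the checks Craig and Karl describe (relative links inherit the page's scheme, absolute http:// links or form actions drop the visitor back to the clear, and the web server should redirect http:// requests to https://), here is a small Python auditor. It is not code from the thread or from the Medicare site: the host names and the HTML are constructed to mirror what the thread reports, and the Strict-Transport-Security check goes one step beyond the redirect the thread asks for.

```python
"""Audit an HTTPS page for links or form targets that drop the visitor back to
plain HTTP, and check whether the HTTP origin redirects to HTTPS.

Added example; the page URL, HTML and response headers below are constructed
to resemble the situation described in the thread, not captured from any site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect href/src/action targets from the tags that can change scheme."""
    ATTRS = {"a": "href", "link": "href", "script": "src", "img": "src",
             "iframe": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (tag, raw attribute value)

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.targets.append((tag, value))


def find_downgrade_targets(page_url, html):
    """Return (tag, resolved_url) pairs that resolve to an http:// target.

    A relative target ("optout.xhtml", "/js/app.js") and a scheme-relative one
    ("//host/path") inherit the page's https scheme, so they stay encrypted.
    Only an explicit http:// target sends the browser back to the clear.
    """
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for tag, raw in parser.targets:
        resolved = urljoin(page_url, raw)
        if urlsplit(resolved).scheme == "http":
            flagged.append((tag, resolved))
    return flagged


def redirects_to_https(status, headers, request_url):
    """True when a plain-http request is redirected to the https version of
    the same host, which is the server-side fix the thread asks for."""
    if status not in (301, 302, 307, 308):
        return False
    target = urljoin(request_url, headers.get("Location", ""))
    return (urlsplit(target).scheme == "https"
            and urlsplit(target).netloc == urlsplit(request_url).netloc)


def has_hsts(headers):
    """True when Strict-Transport-Security carries a positive max-age, so a
    browser that has seen the https site once will refuse the http:// URL."""
    value = headers.get("Strict-Transport-Security", "")
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit() and int(num) > 0:
            return True
    return False


# Constructed sample: an opt-out style page served over https, with one
# absolute http "go back" link, a hidden https link, a relative form action,
# an absolute http form action, a relative script and a scheme-relative link.
PAGE_URL = "https://www2.example.gov.au/pext/optoutextweb/optout.xhtml"
SAMPLE_HTML = """
<html><body>
<a href="http://myhealthrecord.example/">Go back to myhealthrecord</a>
<div class="hidden"><a href="https://myhealthrecord.example/help">Help</a></div>
<form action="optout.xhtml" method="post"><input name="medicare"></form>
<form action="http://www2.example.gov.au/pext/optoutextweb/submit.xhtml"
      method="post"></form>
<script src="/js/app.js"></script>
<a href="//www2.example.gov.au/pext/other.xhtml">Other</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_downgrade_targets(PAGE_URL, SAMPLE_HTML):
        print(f"downgrade: <{tag}> -> {url}")
    # Constructed http-origin response: the kind of redirect the thread wants.
    resp_headers = {"Location": PAGE_URL,
                    "Strict-Transport-Security": "max-age=31536000"}
    print("http redirects to https:",
          redirects_to_https(301, resp_headers, PAGE_URL.replace("https", "http", 1)))
    print("HSTS present:", has_hsts(resp_headers))
```

Run against live pages, the HTML would come from an https fetch and the status/headers from a plain http request; the functions themselves only look at the served markup and headers, so the sample above exercises them offline. The form-action check matters most here: a form whose action is an absolute http:// URL posts the identity details in the clear even when the page itself was reached over https.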





Re: [LINK] MyHealthRecord opt-out Site

2016-04-03 Thread Karl Auer
On Mon, 2016-04-04 at 12:13 +1000, Karl Auer wrote:
> I have a call in to MyHealthRecord trying to tell them about this. It
> will be interesting to see if they do actually get back to me.

They did. Someone called David rang me, and said that the problem was
already being rectified. He mentioned getting a proper redirect in
place.

Take another look tomorrow, I guess.

I'm pleased that it was possible to get this information into such a
large department. Definitely not as hard as it might have been, so
credit where it's due. Maybe tweet that too, BRD.

Regards, K

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4





Re: [LINK] Does NBN need a third satellite?

2016-04-03 Thread Jim Birch
On 2 April 2016 at 13:54, Karl Auer wrote:

"compressed for transmission" means "has had much data discarded".


All digital video is compressed, except maybe the truly lossless "raw"
digital masters at a studio.  These chew up massive bandwidth/storage, and,
contain a lot more information than the human eye can see. Forget it. There
is actually no benefit to the end viewer in using this stuff, it's a
massive waste of resources.

There are two main problems with video compression: overcompression and
poorly optimised compression.  In practice there is a grey dividing line.
Increasing grunt applied to the compression process can produce a vastly
better result with the same bit rate.  Crappy compression is more or less
artlessly mashing the "raw" video into the available bandwidth via dropped
frames and pixelation.   This is why Netflix look so great compared to some
crappy youtube video: they might both have the same nominal resolution and
bit rate but Netflix really grind the best possible result out of the
bandwidth. (Netflix do engage in some other dirty tricks like cropping
scenes.)

In this context "compressed for transmission" doesn't mean compressed,
every one does that.  It really means "Sorry mate, we know this has
problems.  We're pushing the bandwidth line and maybe could be doing
smarter compression, and yes, you can see it."


Re: [LINK] Does NBN need a third satellite?

2016-04-03 Thread Karl Auer
On Mon, 2016-04-04 at 13:31 +1000, Jim Birch wrote:
> On 2 April 2016 at 13:54, Karl Auer wrote:
> "compressed for transmission" means "has had much data discarded".
> 
> All digital video is compressed, except maybe the truly lossless
> "raw" digital masters at a studio.  These chew up massive
> bandwidth/storage, and, contain a lot more information than the human
> eye can see. Forget it. There is actually no benefit to the end
> viewer in using this stuff, it's a massive waste of resources.

Well, perhaps. That's why video "compression" works, much as mp3 does
with hearing. Fact is though, that anyone who cannot hear the
difference between even a 320Kbps MP3 and the original probably has a
hearing problem.

Depending on the device being used to view it, "compressed" video may
be really great or really bad. I download iView programs and watch them
in a corner of my monitor, and they look really good. I imagine they'd
look great on a phone, too. But if I watch the exact same download on a
big TV screen (or even just full-screen on my monitor), it looks very
patchy.

Real movie-quality photographic film runs at about 5000dpi; digitised,
that's something like 19TB for a feature film. I don't know what
resolution digital film has, but it must not be too dissimilar, because
for display on a cinema screen, you need as much of it as you can get.
You really don't need all that for a television or a phone.

So I'm not knocking video "compression". But I do think people should
know what they are paying for.

> This is why Netflix look so great compared
> to some crappy youtube video: they might both have the same nominal
> resolution and bit rate but Netflix really grind the best possible
> result out of the bandwidth.

Of course. My point was simply that people should understand that in
the video world "compression" does not mean what a reasonable person
might think it does. It means data has been discarded. Cleverly,
selectively, but it's still discarded.

> In this context "compressed for transmission" doesn't mean 
> compressed, every one does that.

That doesn't entirely make sense...

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4





Re: [LINK] Does NBN need a third satellite?

2016-04-03 Thread JanW
At 01:53 PM 4/04/2016, Karl Auer wrote:

>So I'm not knocking video "compression". But I do think people should
>know what they are paying for. 

Here's a different angle on chosen compression. The new 7Flix channel is using 
MPEG4. My HD tv doesn't do MPEG4, evidently just MPEG2. The racing channel also 
uses MPEG4, so I can't see that video either. I can hear both.

My Kogan STB manages 7Flix, so I can watch via that and/or record on it. But if
I want to record some other channel and watch 7Flix on my TV, I can't.

So why did 7 network choose this? I know I'm not alone. I found out that it 
wasn't by reading the Whirlpool thread on it.

Bottom line: not all compression is created equal.

Jan


I write books. http://janwhitaker.com/?page_id=8

Melbourne, Victoria, Australia
jw...@janwhitaker.com
Twitter: JL_Whitaker
Blog: www.janwhitaker.com 

Sooner or later, I hate to break it to you, you're gonna die, so how do you 
fill in the space between here and there? It's yours. Seize your space. 
~Margaret Atwood, writer 

_ __ _


Re: [LINK] MyHealthRecord opt-out Site

2016-04-03 Thread Bernard Robertson-Dunn
On 4/04/2016 12:43 PM, Karl Auer wrote:
> On Mon, 2016-04-04 at 12:13 +1000, Karl Auer wrote:
>> I have a call in to MyHealthRecord trying to tell them about this. It
>> will be interesting to see if they do actually get back to me.
> They did. Someone called David rang me, and said that the problem was
> already being rectified. He mentioned getting a proper redirect in
> place.
>
> Take another look tomorrow, I guess.

The link from
https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/trials#dont-wantmhr

has been fixed.

However, the
http://www2.medicareaustralia.gov.au/pext/optoutextweb/optout.xhtml

link still works.
> I'm pleased that it was possible to get this information into such a
> large department. Definitely not as hard as it might have been, so
> credit where it's due. Maybe tweet that too, BRD.

I'll think about it. My first reaction is not to give credit to someone
for not doing something they shouldn't have done in the first place.

What worries me is the fact that it could even happen.
This is an enterprise class application. Have they never heard of SDLC
processes:
architecture, requirements setting, requirements management, design,
testing, acceptance testing, migration into production?

The most important NFRs here being "all communications should be
encrypted" along with "unencrypted communication should not be possible".

The Medicare CIO should be ashamed of running a department with such
amateurish development practices. This isn't a dumb, read only web page,
there's important and sensitive data involved. Getting it wrong erodes
what little trust people have in government IT.

-- 

Regards
brd

Bernard Robertson-Dunn
Sydney Australia
email: b...@iimetro.com.au
web:   www.drbrd.com
web:   www.problemsfirst.com
Blog:  www.problemsfirst.com/blog



Re: [LINK] Does NBN need a third satellite?

2016-04-03 Thread Bernard Robertson-Dunn
On 4/04/2016 2:04 PM, JanW wrote:
> At 01:53 PM 4/04/2016, Karl Auer wrote:
>
>> So I'm not knocking video "compression". But I do think people should
>> know what they are paying for. 
> Here's a different angle on chosen compression. The new 7Flix channel is 
> using MPEG4. My HD tv doesn't do MPEG4, evidently just MPEG2. The racing 
> channel also uses MPEG4, so I can't see that video either. I can hear both.
>
> My Kogan STB manages 7Flix, so I can watch via that and/or record on it. But
> if I want to record some other channel and watch 7Flix on my TV, I can't.
>
> So why did 7 network choose this? I know I'm not alone. I found out that it 
> wasn't by reading the Whirlpool thread on it.

This month's Silicon Chip (April) has an article on the subject. You
could possibly read it in your local newsagent (if you still have one)
or library.

:
MPEG-4 is not new; far from it. The MPEG-4 version 10 compression
standard was approved for worldwide use in 2005 and New Zealand has used
MPEG-4 for all of their TV broadcasts. In Australia, we have had digital
TV since 2001 but using the less efficient MPEG-2 compression.

The root of the chaos lies in Australian Standard AS 4933.1-2010 Digital
Television - requirements for receivers - VHF/UHF DVB-T Television
broadcasts.

This standard made MPEG-4 reception optional, saying that broadcasters
may use it and so importers and retailers do not have to comply. If the
standard had made MPEG-4 compulsory back in 2010, nearly all TVs,
personal video recorders and set top boxes would now have been able to
receive MPEG-4 signals.


-- 

Regards
brd

Bernard Robertson-Dunn
Sydney Australia
email: b...@iimetro.com.au
web:   www.drbrd.com
web:   www.problemsfirst.com
Blog:  www.problemsfirst.com/blog
