Kuwait has been promoting the e-Government at least since I was in college. How every thing is going to be electronic, and how the services will be all available online. In the past few years, several advancements have been made. In the MOI, you can view your speeding tickets and pay them online, see passport status, driving license, see if you have any travel prevention, gun license. In terms of jobs, and through the Civil Service Commission, you can apply for government jobs online, see the vacancies and specify your desires as well. You can request a sick leave, go to Dr. next day and he will print and fill the form. No need to consult your job location first. This is really great, and we definitely want more of it, BUT…
Online services is something that needs planning, stable implementation and rounds and rounds of testing. The way I see it, Government seems to have cut things short and ignored some critical parts. To begin with, we have the privacy and security of the systems. How can a person authenticate him self as the specific individual who is allowed to see the data, and how can we make sure no intruder or outsider gets also access to this data. The way it’s done right now is mostly depending on the person’s Civil ID number. We all know that this kind of information is not confidential. It’s something that identifies you, but it does not authenticate who you are. For example, the guy in the bank has access to thousands of Civil IDs. I was working in Kuwait University and I had access to hundreds of thousands as well. My employer has that kind of information. Many people just have it. It’s not something I can hide from the world. So imagine that by knowing my Civil ID number, you can see if I have speeding tickets, if I have gun license, my passport information, who I am ensuring, and lots of more information. It actually happened to me once as well. My uncle told my father you have a speeding ticket. Why should they know that? Maybe I don’t want them to know it.
Say this is not enough? The MOI it self posted sometime back with a flashy sign an excel sheet with the full list of eligible voters with their civil ID. So pick your name from here and paste it there. It’s that simple! This is in regard of the MOI. For the Civil Service Commission, it gets even worse. Someone could be driving your future without you knowing it. You must sign there to specify your jobs. The only authentication again is your Civil ID. Provide it and you are good to go. Then you can see your information, available vacancies for you, and alter the jobs you want to apply for. Most these windows open inside an IFRAME. Open the IFRAME it self in a new window and you will see this:
My first program example “Hello World”. For non-programmers, Hello World tends always to be the first program you write. Just a dummy program to print this message. It seems the programmers were in a rush and just left the title as it is. Now as for the security, let’s say that soon the authentication model is changed, and a password is applied. Does that mean we are safe? Not without a thorough testing and revamp of the current security model implementation, No. You know why? Because if you open one of the IFRAME windows in a new screen, you will see this is the URL:
http://www.csc.net.kw:8888/csc/SpecialNeed.jsp?kk=13&cv_id=<civil_id>
Where <civil_id> is your civil ID number. Change it to any other person number and you got it. So it’s a matter of passing parameter only. This is one of the oldest tricks in the book. I can’t say now they missed it because Civil ID is already the mechanism of authentication so it’s the same thing anyways. But at least make it not that obvious and a bit future ready.
Again, as I said before, things are moving forward. I just knew you can pay your speeding tickets online. Something many people would like to do. However I don’t see it moving in the right way. Specialists must be following up with the implementation and ensuring the security and integrity of the data. The ultimate solution in hope for is one secured login credential for all government services and sites. Not a walk in the park I know. But unless this security issue is addressed right now, more and more services will come and reside on the existing weak model implementation.
Popularity: 74% [?]
Loading ...
