09/06/2011
Fedict says no Belgian governmental sites hacked
okay
very stupid to say so, hope nobody wants to prove otherwise
we have seen hacks go by for
* walloon governmental portal
* french community
* websites sponsored or set up by the Flemish government
* cities and other instances
we see for example a certain number of cities and other instances that have
* a login page (even for EID services) without any SSL (or with SSL not properly installed)
* very old web-accessible infrastructure linked to a famous port in Flanders
do we have to go on..... (about EID and *censored* maybe :) )
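To make the first point above checkable rather than anecdotal, here is an added example (not code from the original post) that takes the URL a page was fetched from plus its HTML and reports every login form that would carry credentials without TLS. It flags two things: a password form whose resolved action is not https, and a password form delivered over plain http (the form can be rewritten in transit even when its action is https). The page URL and HTML below are constructed samples; `city.example` is a placeholder host.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form>, its action, and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per form: {"action": str, "has_password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # <input ... /> also lands here: HTMLParser routes self-closing tags via handle_starttag
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_logins(page_url, html):
    """Return human-readable findings for login forms served or submitted without TLS.

    A form counts as a login form when it contains an <input type="password">.
    Reported conditions:
      - the form's resolved action is not https (credentials leave the browser in clear text)
      - the page itself was served over http (the form can be altered before the user sees it)
    An empty action resolves to the page URL itself, which is what browsers do.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])
        target_scheme = urlsplit(target).scheme.lower()
        if target_scheme != "https":
            findings.append(f"login form posts credentials over {target_scheme}: {target}")
        if page_scheme != "https":
            findings.append(f"login form delivered over {page_scheme}: {page_url}")
    return findings


# Constructed sample pages (placeholder host, not real sites).
PLAIN_HTML = '<form action="/eid/auth" method="post"><input type="password" name="pin"/></form>'
MIXED_HTML = '<form action="https://city.example/auth"><input type="text" name="u"><input type="PASSWORD" name="p"></form>'
GOOD_HTML = '<form action="/auth"><input type="password" name="p"></form><form action="/search"><input name="q"></form>'


def audit_samples():
    """Run the check over the constructed samples; returns {page_url: findings}."""
    return {
        "http://city.example/eid/login": find_insecure_logins("http://city.example/eid/login", PLAIN_HTML),
        "http://city.example/login": find_insecure_logins("http://city.example/login", MIXED_HTML),
        "https://city.example/login": find_insecure_logins("https://city.example/login", GOOD_HTML),
    }


if __name__ == "__main__":
    for url, findings in audit_samples().items():
        print(url, "->", findings or "ok")
```

Feed it real pages by fetching the HTML yourself and passing the final URL after redirects; the check only reads the markup, so it does not probe anything beyond the page you already downloaded.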
we didn't do any scanning for this, we just looked things up in public or private online databases that do that for the whole world
so, still a very stupid thing to say
everything is all right, no problem here, it only happens in Holland, let us continue to do the work we are doing the way we are doing it, don't bother us with your questions.... (which is exactly what happened in Holland: trust us, don't test us)
it is a goddamn crisis and you say 'crisis, what crisis' (a Supertramp song)
11:29 | Permalink | Comments (0)
11/08/2010
New upgrade of the Belgian EID reader
As there is no automatic auto-update and no obligation in all applications that use the EID and so on (you may call it the Firefox update process), it will be a problem for network administrators to keep their EID middleware updated in an organised manner. There is talk that this would be integrated into the Windows Update process and that would be a good thing (and by the way, give the whole management of the code to Microsoft so they can implement their Secure Development Lifecycle and the information processes around it).
The limited description of the updates gives few reasons to update for security reasons, but as security is treated Apple-wise by the EID people (don't talk about it until it hits you right in your face for everyone to see) there are maybe hidden security fixes (DLL injection anyone?).
You can find the patch here:
http://eid.belgium.be/nl/Achtergrondinfo/De_eID_technisch/
By the way, your EID is not a bank card - the security standards, technologies, support and monitoring are two totally different worlds. Using your EID as a bank card is like buying an electronic device that hasn't been tested and certified. Do it at your own risk.
And that your EID may hold information about your shopping, medical situation and more without additional certified encryption and protection of the data on the card and while it travels with and in EID-enabled online applications is something you should be informed about. Do it at your own risk.
11:54 | Permalink | Comments (2)
Belgian Electronic Identity cards - all masks fall off
They were saying in the beginning that there was no reason to think we would use the EID for banks, for payments, for social security and medical information. It would only be used for identification and authentication - so why are you making such a fuss about the total lack of procedure, governance and oversight? Because it will be used for other purposes as well.
The minister responsible for Economy has visited (and so he is supporting) the firms that want to make it useful for payment and soon banking.
There was the announcement that the social security card will be stopped and that we will use the EID in our pharmacy (instead of this card).
Another firm wants to use it for loyalty points.
So with one card I will know
* your bank information
* your medical information
* your shopping information
* your egov information
* your personal addresses
* your access to all EID enabled access points
* in many cases your access at your local networks or EID protected systems
So stop calling all those with doubts about this rush into unknown fields paranoid. It is not because it didn't happen that it can't happen. And if it can happen on paper, then there are possibilities that it may happen. And the more information and uses you add to the EID, the higher the risk, because it becomes a more lucrative target.
Nobody in the US thought that the social security number was risky as identification, until it became the number one method of ID theft.
I will have more trust if
* there are public penetration and security tests
* there are public certifications and controls and published norms
* there are yearly tests
* there is an automated, obligatory upgrade process for the software
* every expansion is accompanied by new tests and obligations
* all code is made available only to 'certified EID developers'. Anyone can fuzz it now.
And don't say in a few years, I didn't know. Those who know don't want to do anything about it, those who can do anything about it don't seem to be interested, and those who can report this want to wait until something spectacular happens (and it is too late).
by the way
did you know that the EID software probably had some DLL injection vulnerabilities? I suppose they are fixed in the new update because I informed the CERT about it. I hope this is the case, as the description of the updates is scarce.
You have to earn trust or you can lose it in a snap.
11:43 | Permalink | Comments (1)