Security paranoia
'It seemed to me,' said Wonko the Sane, 'that any civilization that had so
far lost its head as to need to include a set of detailed instructions for
use in a package of toothpicks, was no longer a civilization in which I
could live and stay sane.'
Douglas Adams, So Long, and Thanks for All the Fish
The other day I had to retrieve from my "regional electronic medical record" a couple
of medicine prescriptions my doctor had prepared.
The possibility of retrieving and printing prescriptions without the need to go to an
appointment at the doctor's is a very good idea indeed.
but ...
To connect to your "regional medical record" you have to login to a website managed
by the Region and to do this
- Originally the Region decided to protect access using a special card reader to
be connected to your computer in which you had to insert your magnetic medical
card
- Later they realized this was too limiting and announced the possibility to use
plain username and password.
- So I went to the ASL Office and with a very quick queue they printed a sealed
sheet with the code ...
- Except that it was the code for the card reader (despite the fact I went there
with the leaflet advertising the possibility of the plain username), and that
the plain username could only be issued by a counter in a hospital (the 800-number
call centre told me that)
- So I got the username and password (which of course you had to change every
so-and-so months).
- As a further security provision, each access is protected by a further
one-time-key sent to you via SMS (I was one of those guys reluctant to have
a cell phone, even now I have a dumb one, and switch it on only when needed).
- About one year ago, the Region announced they were going to replace their own
username and one-time-key with a "national digital identity" called SPID
(there is even a Wikipedia
entry, in Italian)
In principle this could be used as a credential for access to any public
administration service, like e.g. the income tax office (AdE), the national
pension fund (INPS), for which I already had individual credentials, etc.
- For unknown reasons SPID is not issued by a State Authority, but by a collection
of more-or-less private providers. Since they have to "recognize" you
personally in person
for the issue of the credentials, the simplest thing to get an identity without using
a webcam and without paying was to do the thing at a Post Office.
This requires about one hour queue at the post office, and then an online
activation. Also to use the one-time-keys (also SPID "level 2" makes use of
them) via SMS (instead of "via App") there is an extra step (and for some
reasons this gives you a bunch of 8 SMS in a 3-month term).
- Now there is nothing wrong with a delegated authorization. We all use
Eduroam and all scientists visiting
some institution can use their institution credentials, or those of a
national academic federation like IDEM
entering their name.surname@institution credentials.
This works nicely!
- But still they insist that you change the password every so-and-so
... and the other day was the day
- So I went to the Region home page
clicked on "access"
selected access via SPID
selected the provider
which asked me for the username and password (actually the browser fills in that)
and to confirm
Then it asks me to choose between the App and SMS mode
and here requires the new password
there are a number of strict and annoying requirements on the password of the
usual sort, so I had a password like Xyztyyyy[n]:
uppercase and lowercase letters, the year as digits, square brackets as
non-printable characters, and a serial number (guess what, idea borrowed
from the DNS BIND SOA files), with the idea to increase the serial each time
but for the change they say you must change more than one character ...
OK, fine, from 2019 to 2020 is two characters ...
but despite what they say, this was not enough and gave error
of course after the browser had already saved the new password
So I had to repeat it once, re-typing explicitly the old password
Also since as usual you have to type the new password twice and this is a
hidden field (smart sites, I think e.g. ORCID,
allow you to toggle visibility so you can check what you type), errors are
possible
So I had to re-do it once again after a "new password mismatch"
And finally I got my new password
and then
and then
and then
and then
and then
and then
and then I was redirected to the Region site ...
to discover that it had timed out!
- So I had to do the login once more again (each of these resulting as a
by-product in a couple of mails sent to me telling "somebody pretending to
be you is trying to access bla bla ...")
- at the end I guess it took me more than it took you to read all the above
And then you wonder if one does not want to move Outside of the Asylum (see quote
on top of this page)!
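As an added illustration (not code from this page, from the SPID provider or from the regional site), here is a Python sketch of the similarity checks that typically sit behind a "you must change more than one character" rule, run on constructed values patterned on the Xyztyyyy[n] scheme above; the thresholds, including the stricter pam_cracklib-style one, are assumptions, not the provider's actual policy.

```python
# Password-change similarity checks behind a "change more than one
# character" rule. Added example, not code from the SPID provider or the
# regional site; every threshold below is an assumption.

def changed_positions(old: str, new: str) -> int:
    """Characters that differ when compared position by position; extra
    characters at the end of the longer string all count as changed."""
    diff = sum(1 for a, b in zip(old, new) if a != b)
    return diff + abs(len(old) - len(new))


def levenshtein(old: str, new: str) -> int:
    """Minimum insertions, deletions and substitutions turning old into new."""
    prev = list(range(len(new) + 1))
    for i, a in enumerate(old, 1):
        cur = [i]
        for j, b in enumerate(new, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (a != b)))
        prev = cur
    return prev[-1]


def only_digits_changed(old: str, new: str) -> bool:
    """True when old and new are identical once digits are removed, i.e. the
    'change' is just a year or serial bump."""
    strip = lambda s: "".join(c for c in s if not c.isdigit())
    return old != new and strip(old) == strip(new)


def check_change(old: str, new: str, min_diff: int = 2,
                 reject_counter_bump: bool = False) -> list:
    """Return the policy violations found (empty list means accepted).

    min_diff=2 is the literal 'more than one character' rule quoted on the
    page; a stricter deployment might use min_diff=5 (pam_cracklib's difok
    default) and refuse digit-only changes. Both settings are assumptions."""
    problems = []
    if levenshtein(old, new) < min_diff:
        problems.append(f"fewer than {min_diff} characters changed")
    if reject_counter_bump and only_digits_changed(old, new):
        problems.append("only digits changed (date/serial bump)")
    return problems


if __name__ == "__main__":
    # Constructed values patterned on the page's Xyztyyyy[n] scheme.
    OLD, NEW = "Xyzt2019[7]", "Xyzt2020[8]"
    print("literal rule:", check_change(OLD, NEW))          # []
    print("strict rule :", check_change(OLD, NEW, 5, True))  # two violations
```

Under the literal rule a 2019 to 2020 year bump passes; a deployment that counts changed characters against a higher minimum, or refuses digit-only changes, rejects it, which is one possible reason such a change can fail even though the stated rule appears to be met.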
The next step would be the filling of the DPLU Report
sax.iasf-milano.inaf.it/~lucio/WWW/Noie/securityparanoia.html
:: original creation 2020 Jan 16 16:54:56 CET ::
last edit 2020 Jan 16 16:54:56 CET