Saturday, 24 May 2014

Bulgarian state institutions - a home for slackers and incompetents.

I am writing this material reluctantly. Unfortunately, in Bulgaria the people who work in important state institutions are mostly illiterate and irresponsible. Yesterday I was shocked by a case of criminal negligence. The Ministry of Education and Science maintains a web service located at this URL: http://www2.mon.bg/adminrhe2/. At the URL in question, a user can check whether any university diplomas are registered in his name. I defended a thesis at SULSIT last year as an upgrade over a professional bachelor's degree, so I checked that I was in the register and noticed something that left me 'amazed' (I'm a web developer with years of experience): the users' uniform civil numbers are sent to the system for checking over an unencrypted protocol (HTTP). This means that every hop on the route to the ASP script in question (http://www2.mon.bg/adminrhe2/default.asp), e.g. the user's ISP, can access and capture sensitive personal information. This information is confidential and extremely important to the user. The screenshot below shows how easy it is to capture this element of the request. I hid only the last digits of my number to protect my safety.
That so-called "technical support", which takes place within the project "Information and telecommunication technologies in education" or ICT in Education (BG051PO001/3.1-01), is implemented by the Bulgarian company AdminSoft. Who knows how much money has been sunk into this project, which was obviously made by incompetents. My wife posted this in the Facebook group 'Marketing and Webmastering', and there was an immediate reaction from an internet blogger, who wrote an article explaining the importance of HTTPS and giving other examples of government institution websites that also lack encryption.
The story has a sequel. I sent a complaint to the Bulgarian Commission of Protection of Personal Data, and after six months I received a response from them. I'm attaching here the document I received from them, hiding only my address and their document numbers. This document confirms that there was indeed a problem and that it was resolved after intervention by the Commission.
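
The check below is an added example, not part of the original post or of the site's code: it shows how a site owner or reviewer can flag forms that would submit their fields over unencrypted HTTP, the problem described above. The sample HTML is constructed, and the field name `egn` is a hypothetical stand-in, since the post does not show the real form markup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form>'s action, method and named input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "",
                               "method": (a.get("method") or "get").lower(),
                               "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms and a.get("name"):
            self.forms[-1]["fields"].append(a["name"])


def cleartext_forms(page_url, html):
    """Return forms whose submission would travel over unencrypted HTTP."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        # An empty or relative action resolves against the page URL,
        # so a form on an http:// page inherits the cleartext scheme.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append({"target": target, "method": form["method"],
                             "exposed_fields": form["fields"]})
    return findings


# Constructed sample page; the field name "egn" is hypothetical and not
# taken from the real site.
SAMPLE_HTML = """
<form action="default.asp" method="post">
  <input type="text" name="egn">
  <input type="submit" value="Check">
</form>
"""

if __name__ == "__main__":
    for f in cleartext_forms("http://www2.mon.bg/adminrhe2/", SAMPLE_HTML):
        print(f["method"].upper(), f["target"], "exposes", f["exposed_fields"])
```

Serving the page itself over HTTPS clears the finding for relative actions, but a form with an absolute `http://` action is still reported.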