It's always amazed me that ID.me, which you have to use in order to interact w/ the IRS online these days, has a top level domain from the country of Montenegro. uBlock Origin says they're injecting tracking links from Italy's TLD when you log in at the irs.gov website.

What's next? Cookies from Colombia? AI from Anguilla?

To be clear, I have nothing against private companies or citizens using whatever TLD they want. But we need to stop doing this on important .gov stuff. And I would consider the IRS to easily qualify there.

How about this? Lawmakers pass a law (gasp!) that says if you're a private company providing services to the entire populace on behalf of .gov, your site will use com/net/org only when it is interacting with the government. Full stop.

Probably even the extreme wingnuts in the GOP could get behind this, in a kind of "buy American" way.

@briankrebs What about appropriate country TLDs? (ie, .us for companies providing services to US government + people)

@max No way in hell I would encourage the further use of .us until someone in charge at the GSA or whatever started giving a damn about how the tld is completely overrun with abuse, phishing and spam domains -- in near total contravention to the tld's charter, I might add.

https://krebsonsecurity.com/2023/09/why-is-us-being-used-to-phish-so-many-of-us/

Why is .US Being Used to Phish So Many of Us? – Krebs on Security

@briankrebs name one representative that you're confident you'd be able to pitch this to

@grumpasaurus You mean Rep., not Senator?

@briankrebs yeah. A representative. But then again how many bills are drafted by lobbyists and just signed by representatives

@grumpasaurus I'm gonna need a minute, lol

@briankrebs oh man don't put effort into this that would make me feel bad

@briankrebs I like this, but there might need to be some kind of domain registration price regulation included too.

@briankrebs
No, make them use .gov for their gov operations. Or something restricted like edu.

@briankrebs So you basically say governments may not use an external mail/mail tracking service like Mailchimp, Postmark (what this is) and so on. Not that I am on the other side, but how should a normal user (the staff at that government) know what's going on behind the scenes? They just use the typical plugin.

@briankrebs It really should. This is how most scams in third world countries start. 'SMSes like Click on this link to pay your tax/insurance, and the link is of some xyz@shop xyz@corner xyz@taxoffice site.'

Make it a law sooooon, Like before some foreign lobby gets to the GOP wingnuts.

@briankrebs I assume you're half-joking.

But in case not, this will never happen. While those three registry operations are all US-controlled companies, two of which are Verisign, there are numerous registrars for those TLDs located all over the world. Do you also stipulate US-only registrars too? Which ones if so?

Then what about all the other TLDs that are effectively in US control? Any of those OK? Why or why not?

How does this square with all the other goods that may not be entirely US-sourced? Placing a name under a certain TLD has potential consequences, and some are potentially problematic, but it may be a lot more complicated than that.

@jtk @briankrebs I don't think it's a matter of controlling com/net/org from non-US organizations.

If you register a domain in another country's TLD, that country, or the contractor who runs the registry, can invalidate your domain. Or change the SOA and publish different DNS records.

Case in point: gay[.]af Mastodon instance was taken offline when Afghanistan decided the content offended their sensitivities.

Also, com/net/org are less likely to get filtered. For a while, you couldn't send a text message to iPhone users if a domain under *.me was included. Some strange filter.
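The registry-control point above, together with the opening post's observation that an IRS login pulls resources from .me and .it, suggests a simple inventory check. The script below is an added example, not code from this thread or from any organisation named in it: it classifies the hostnames a page loads by TLD and flags every third-party dependency that sits under a country-code TLD. The sample URLs and hostnames are constructed, and the two-letter heuristic stands in for a real Public Suffix List lookup.

```python
from urllib.parse import urlsplit

US_GOVERNMENT_TLDS = {"gov", "mil"}
GENERIC_TLDS = {"com", "net", "org"}


def classify_tld(host: str) -> str:
    """Classify a hostname by its top-level label, as seen from a .gov site."""
    tld = host.lower().rstrip(".").rsplit(".", 1)[-1]
    if tld in US_GOVERNMENT_TLDS:
        return "us-government"
    if tld in GENERIC_TLDS:
        return "generic"
    if len(tld) == 2 and tld.isalpha():
        # Assumption: every two-letter TLD is a ccTLD (.me, .it, .us, ...).
        # A foreign registry controls that zone and can change the
        # delegation or SOA, which is the risk raised upthread.
        return "cctld"
    return "other-gtld"  # three-plus letter gTLDs such as .info or .app


def audit(urls, first_party="irs.gov"):
    """Return {host: class} for every third-party host a page loads that is
    not under .gov/.mil, i.e. every dependency the agency does not control."""
    findings = {}
    for url in urls:
        host = urlsplit(url).hostname
        if not host:
            continue
        if host == first_party or host.endswith("." + first_party):
            continue  # the site's own hostnames are not third parties
        cls = classify_tld(host)
        if cls != "us-government":
            findings[host] = cls
    return findings


# Constructed sample capture (not real irs.gov traffic); the id.me path is
# hypothetical and the .it host stands in for a mail-tracking service.
SAMPLE_URLS = [
    "https://www.irs.gov/",
    "https://sa.www4.irs.gov/secureaccess/",
    "https://api.id.me/oauth/authorize?client_id=PLACEHOLDER",
    "https://tracking.example.it/click/PLACEHOLDER",
    "https://cdn.example.com/lib.js",
    "https://login.gov/",
]

if __name__ == "__main__":
    for host, cls in sorted(audit(SAMPLE_URLS).items()):
        print(f"{cls:14} {host}")
```

Feed it the request hostnames from a browser's network export (or a HAR file) to get the same list uBlock Origin hinted at, grouped by who actually controls each TLD.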

@jtk Why would you assume that? I guess I'm less interested in the fairness arguments, or the globalist view here.

@briankrebs I can see it now, generic system services company has to buy .us, .ie, .uk, .es, .ca, .de, .fr, etc, and use the correct domain for each country. (.com is also banned in the EU for being under US control)

@briankrebs
The nontrivial factor which I know you're aware of but should really be mentioned, is link rot.

Sure, it's not a problem....right now. But in 5 years, if that company goes under and another one moves in, even with 3 years time warning ahead, some random person finds an old document via a search engine that talks about this URL. If it's a .gov address, no prob, 301. But what if it's a domain you just...don't control anymore?

@briankrebs domains is one thing, let's not forget it should also be fully hosted on US soil.

We don't seem to have this problem in Canada, but the last big online platform to roll out in Quebec was a monumental fiasco. It also took me a while to even get access, as the 2FA emails they send have a text version that has the expected message but a placeholder for the code! I eventually realized I could get it in the HTML version of the email...

@briankrebs I'm also mystified why they didn't just extend the capabilities of login.gov to cover the "check their driver's license" aspects of ID.me, and keep the entire thing in house.

login.gov's design and UX is thoughtfully, expertly executed, is vastly superior to ID.me, and is already under .gov and championed by 18F.

But instead of pushing login.gov everywhere (which was the original plan), ID.me materialized and pushed its way into IRS and pay.gov in a way that seemed weirdly pre-emptive of the entire login.gov effort.

@tychotithonus @briankrebs you want the government to provide services? that's *socialism*

/sarcasm oh god please recognize the sarcasm

@tychotithonus @briankrebs You can't have the government in-housing work when there are so many private contractors that can do it for at least 20% more, that's communism (this is sarcastic but it does seem to be how it works for a lot of things)

@briankrebs

And FWIW, I generally agree. I consider the public/private partnerships with technology vendors to be a critical part of my technology ecosystem. My agency could not operate without them.

But there is a systemic issue (and TL;DR for a toot) where so many agencies lack the people in the desperately needed roles to check these things and ask these questions. All too often it is a non-IT SME doing the RFP, with the vendor saying "trust us" with regards to cyber.

@NoRomBasic @briankrebs Agreed, and that is why leveraging 3rd party validation of NIST standards is key to ensure you are getting what you paid for, assuming there are NIST standards for the service that you are buying.

In this case, NIST has 800-53-3 and an independent validation organization by way of the Kantara Initiative. If an organization is looking into leveraging verified identities, finding a supplier who implements the standard and has that implementation validated by Kantara should be codified into the RFP, along with criteria surrounding pass rates, preverified rates, and fraud.

@briankrebs I really wish everyone in general, and government institutions in particular, would take to heart the hierarchical nature of domains.

(Putting aside the preferential nature of .gov being US only, and not for all government)

Give us irs.federal.gov, legislature.wa.gov, etc!

I should be able to trust at a glance that something is the product of my state government based on the domain.

@briankrebs The US is in a position of power where I don't think a country would consider hijacking domains it uses. Not to defend this, but

@eb @briankrebs and on top of that, Montenegrin IT capabilities can be summed up by the fact that we had a major cyberattack in ‘22 that wiped out most of gov services, and some of them are not restored as of today :) Had to ask the US for help and so on. So yeah, it’s highly unlikely to be a ME operation

@alex @eb IDK anything about Montenegrin IT capabilities, so I'll take your word for it. But it's worth pointing out that poorly secured or maintained IT resources can be commandeered to do crazy stuff. So your statement fills me with more dread. Thank you.

It’s Been a Year and georgia.gov Continues to Be Hacked

Illegal drug transactions facilitated through Georgia's employee portal

@briankrebs @alex I’ve received private disclosure of a potential vulnerability that I have independently verified as still active. I would disclose it as we are a whole year past the responsible disclosure period, but it’s the state of Georgia and incompetent governments don’t take too kindly to this: https://www.theverge.com/2021/10/14/22726866/missouri-governor-department-elementary-secondary-education-ssn-vulnerability-disclosure

Missouri governor threatens reporter who discovered state site spilling private info

The governor of Missouri is threatening a news outlet after it reported that a state-run site freely returned pages that included teachers’ SSNs. Governor Parson has called it “hacking” and involved the county prosecutor.

The Verge

@eb @briankrebs I’ve seen another subtle hack recently: I suppose the CMS hadn’t been patched, so across all the content on a website a few words in each article had been made into links that point to some shady pharma site. I wonder if it’s possible to check backlinks from Georgia’s site. But a referrer check is 👌. So simple, much efficient!

@briankrebs @eb oh yeah, there’s a lot of horror going on and some gov services don’t even have TLS :)

But for what it’s worth, .me is (or was, the jury is literally still out on this matter: https://m.cdm.me/english/procedure-for-me-domain-starts-from-very-beginning/) operated by a joint enterprise with GoDaddy and Identity Digital

Procedure for .ME domain starts from very beginning - CdM

The panel of judges of the Appellate Court, Mirjana Vlahovic, Mirjana Popovic and Danijela Vukcevic, have accepted the appeal of the still current agent for

CdM

@briankrebs @eb but I suppose the fact that who operates .me is being disputed doesn’t make you feel any safer 😬

@alex @eb @briankrebs To be clear, ID.me houses its capabilities solely online save for the .ME TLD. The .IT TLD for Postmark is another vanity usage of the TLD. Certainly DNS poisoning is a risk, but it is a risk regardless of your TLD.

@briankrebs While the ccTLDs that make for fun expansions are fun, USGOV entities should never be using them. They should always use .gov exclusively (or .mil as appropriate).

@briankrebs isn’t login.gov supposed to perform this exact task of providing SSO for government services?? Why are they contracting auth when they have in-house capabilities? Which congresscritters are enriching their tech friends?

Edit: found this article from 2 years ago - nothing seems to have changed since then
https://www.theverge.com/2022/2/22/22946108/irs-login-gov-id-me-tax-season-facial-recognition

The IRS will use Login.gov in the future, but for this tax season, video interviews are here to stay

The IRS has announced that it will switch to government-run authentication service Login.gov as a verification provider for taxpayers, although ID.me’s human video review service will still be used ahead of the 2022 tax filing deadline.

The Verge

@briankrebs @analogist

But how are private companies supposed to funnel obscene amounts of tax dollars to their owners if you just let the government perform a valuable public service‽‽ That sounds like SoCiaLISm to me!

GSA misled customer agencies over Login.gov privacy standard compliance, watchdog alleges

GSA’s Inspector General says the agency knowingly billed other federal agencies more than $10 million for IAL2-compliant services even though Login.gov is not IAL2 compliant.

FedScoop

@analogist @briankrebs Login.gov is not certified to handle identity verification and authentication at a sufficiently high level (NIST IAL2) to service many of the government use cases. While they do leverage the .gov TLD, they are a wrapper for non-government organizations.

@briankrebs Are Colombian cookies actually baked treats, or slang for something else entirely?

@briankrebs Yeah it's amazing, but I'm not sure you'd want anything injected from Montenegro, or have code origin limited to that of the TLD

@briankrebs They are also used as an option to verify your identity for VA benefits. So they also have a solid idea of who was in the military or worked for the government at a fine scale.

@briankrebs formerly known as “TroopSwap”

@briankrebs ha Troopswap.com still redirects

@briankrebs how is that not like id.irs.gov.us ?

Oh, I forgot, America-centrism, so .edu, .gov & .mil are US-centric, which is really a pain in the ass when U.S. corporations refuse to accept that not all students in the world have an email under .edu ...

@briankrebs

Welcome to the Great Outsourcing of Public Service Information Technology Governance to Private Vendors...

Without beating up on the IRS IT folk (IMHO they have phenomenal people over there trying to change things), this is a story I see every day as a Public CIO. Agencies hand over the keys and accountability for technology solutions to vendors with very little in-house SME or time to dig into what they actually do. Then we act surprised when we find that they do these things.

@NoRomBasic @briankrebs public funds enriching private pockets while the exact same private pockets yell “government slow! incompetent! more outsourcing!”

@analogist @briankrebs

This.

Don't usually do a plug on the Masto but if you haven't read [RE]CODING <AMERICA/> I would highly recommend it

I don't want to paint the landscape as a B&W one (it isn't), but there are large portions of government where the relationship with tech vendors is an extraordinarily unhealthy one, where there truly is no strategic IT function (for the reasons you mention and more) and the vendors who are entrenched in that vertical are highly motivated to keep it that way

@briankrebs welcome to the world of every non-US resident.

@briankrebs

We're witnessing the decline of civilization in real time

@briankrebs

As they freak out about China all the usgov websites are loaded with malware because our leaders are in their 80's and all their advisers and underlings are lobbyists on the payroll of any and every dark money slush fund

@briankrebs
Dangit now I'm reading about Colombian desserts.

@briankrebs Did they have a proper cookie warning? Italy is a GDPR country, so if the cookie really comes from something in Italy there should be a GDPR warning.

@mcfly far as I can tell they're just using a trendy tracking service whose domain ends in .it ("postmark it").

@briankrebs The domain postmark.it is for sale.

Should i worry? Or maybe try to buy it?

postmark.it seems to be hosted in Canada....

@briankrebs I spent more than an hour trying to get in touch with customer service with ID.me recently. I needed a replacement card but couldn’t order one on the automated system without my card number. Sorry not sorry, but if my taxes are paying for a government system, then I deserve being able to talk to my government about it.
Something about taxation and representation.