App for a Smartphone or iPad to Scan Barcodes and Enter Into MyOps...?

Started by Luis R. Ramos, May 26, 2016, 06:56:32 PM


Check Pilot/Tow Pilot

Quote from: JeffDG on May 29, 2016, 04:19:48 PM
Quote from: Starfleet Auxiliary on May 29, 2016, 02:12:17 AM
No, it is my opinion that accessing government systems with unaudited software will do that. I'm fairly certain that you've not done a code review of the software or a packet analysis to make sure that the app in question is only doing what it says it does.

Put it differently, you've given this software permission to interact with a website that has my PII in it. I'm not ok with that.
You've done a code-review and packet audit of IE and Chrome then?

Because those are just as much "third party applications" as IMS or anything else.
And all of the add-ins and extensions for Chrome and Firefox. Hmm, for me that would be all the extensions that I use for my Managed Service Provider business, web development and SEO: so Firebug, LastPass, ChromeDev, MozBar, WooRank, PageLoadTime, Wappalyzer, TeamViewer, oh, and my GMT clock.
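The "packet analysis to make sure the app in question is only doing what it says it does" that the quoted post asks for is a concrete check, so here is what one looks like. This is an added example, not code from this thread, from WMIRS, or from any CAP app: a small Python audit over intercepting-proxy records. The records, the expected-host set (wmirs.example.gov and www.example.gov are placeholders, not the real WMIRS or eServices addresses) and the credential field patterns are all assumptions constructed for the example. It flags requests to hosts outside the app's expected set, plaintext HTTP, and, the case that matters for the PII concern, credentials or session identifiers sent to a host that is not the one the app claims to talk to.

```python
"""Audit captured HTTP flows from a mobile app: does it talk only to the hosts
it claims to, and does it ever forward credentials or sessions elsewhere?

Input: one dict per request, in the shape an intercepting proxy (e.g. an
exported mitmproxy flow) would give after light conversion. The sample flows
below are constructed for this example; all hostnames are placeholders."""
import json
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Assumption: the hosts the app is documented to talk to (placeholders).
EXPECTED_HOSTS = {"wmirs.example.gov", "www.example.gov"}

# Headers and body/query field names that carry credentials or sessions.
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-api-key"}
CREDENTIAL_FIELDS = re.compile(r"(pass(word|wd)?|capid|token|session)", re.I)


@dataclass
class Finding:
    kind: str      # "unexpected_host", "credential_leak" or "plaintext"
    host: str
    detail: str


def _body_fields(req):
    """Field names in a form-encoded or JSON request body (top level only)."""
    body = req.get("body") or ""
    ctype = req.get("headers", {}).get("content-type", "").lower()
    if "json" in ctype:
        try:
            obj = json.loads(body)
        except ValueError:
            return []
        return list(obj.keys()) if isinstance(obj, dict) else []
    return list(parse_qs(body).keys())


def audit_flows(flows, expected_hosts=EXPECTED_HOSTS):
    """Return one Finding per policy violation, in flow order."""
    findings = []
    for req in flows:
        u = urlsplit(req["url"])
        host = u.hostname or ""
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}

        if u.scheme != "https":
            findings.append(Finding("plaintext", host, f"{req['method']} {req['url']}"))

        unexpected = host not in expected_hosts
        if unexpected:
            findings.append(Finding("unexpected_host", host, f"{req['method']} {u.path}"))

        # Credentials going to the documented host are the app doing its job;
        # the same credentials going anywhere else are the real problem.
        cred_headers = CREDENTIAL_HEADERS & set(headers)
        cred_fields = [f for f in _body_fields(req) + list(parse_qs(u.query))
                       if CREDENTIAL_FIELDS.search(f)]
        if unexpected and (cred_headers or cred_fields):
            findings.append(Finding("credential_leak", host,
                                    f"headers={sorted(cred_headers)} fields={cred_fields}"))
    return findings


def summarize(findings):
    """Distinct (kind, host) pairs, sorted, for a quick triage view."""
    return sorted({(f.kind, f.host) for f in findings})


# Constructed sample capture: a login and a sortie fetch to the expected host,
# then an analytics beacon carrying the CAPID and session, then a plaintext
# image fetch from a CDN.
SAMPLE_FLOWS = [
    {"method": "POST", "url": "https://wmirs.example.gov/login",
     "headers": {"content-type": "application/x-www-form-urlencoded"},
     "body": "capid=123456&password=hunter2"},
    {"method": "GET", "url": "https://wmirs.example.gov/sortie/12345",
     "headers": {"cookie": "ASP.NET_SessionId=abc"}, "body": ""},
    {"method": "POST", "url": "https://analytics.example.net/collect",
     "headers": {"content-type": "application/json"},
     "body": '{"event": "scan", "capid": "123456", "session": "abc"}'},
    {"method": "GET", "url": "http://cdn.example.net/barcode.png",
     "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f.kind:16} {f.host:24} {f.detail}")
```

To use it on a real app, route the device through an intercepting proxy and convert the exported flows into the dict shape above. Two caveats a practitioner would add: an app that pins its TLS certificate will refuse the proxy, which is itself worth knowing; and a capture only shows what the app did during the session you recorded, so it complements a code review rather than replacing one.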

JeffDG

Quote from: Mission/Tow Pilot on May 29, 2016, 05:07:48 PM
And all of the add-ins and extensions for Chrome and Firefox. Hmm, for me that would be all the extensions that I use for my Managed Service Provider business, web development and SEO: so Firebug, LastPass, ChromeDev, MozBar, WooRank, PageLoadTime, Wappalyzer, TeamViewer, oh, and my GMT clock.
Not to mention you can download the source code for the Chromium project, make whatever changes you want and create your own build.  I'd bet good money that WMIRS will let you browse anything you like with such a build.

Lastpass feeds my CAPID and password into WMIRS all the time!

Check Pilot/Tow Pilot

Quote from: JeffDG on May 29, 2016, 05:54:46 PM
Not to mention you can download the source code for the Chromium project, make whatever changes you want and create your own build.  I'd bet good money that WMIRS will let you browse anything you like with such a build.

Lastpass feeds my CAPID and password into WMIRS all the time!

Or you can download any of the myriad browsers on multiple platforms to access WMIRS or eServices.

Love Lastpass!

JeffDG

Quote from: Starfleet Auxiliary on May 29, 2016, 12:15:55 AM
Quote from: Mission/Tow Pilot on May 28, 2016, 09:38:21 PM
Show me the regulation that prohibits this.

Show me where common sense says to let third party unaudited applications access government systems. But start with CAPR 110-1 discussing following all applicable .gov domain guidelines, then go through those guidelines for the answer to your question.

In short, don't give third party applications that aren't approved access to government systems. It is a security risk. You are putting the .gov domain registration at risk by doing so.


A short article outlining the risks you are exposing CAP to:
https://www.veracode.com/blog/2015/10/third-party-application-security-risks-modern-companies-sw

Trend Micro with the same advice and IRL risks that have occurred:

http://blog.trendmicro.com/trendlabs-security-intelligence/the-hidden-dangers-in-third-party-app-sites/

Add in just how many phones are compromised these days due to a lack of antivirus on phones and updates for security issues being pushed to phones... This is a high risk.
So, is that a "No, I can't cite a rule that would result in CAP losing their .gov access"?

Hell, I interfaced my TurboTax with the IRS this year to file my taxes. That's a "third-party, unaudited" system that has a helluva lot more PII than a volunteer-created app to make WMIRS actually functional.

Check Pilot/Tow Pilot

Quote from: JeffDG on May 29, 2016, 07:10:16 PM
So, is that a "No, I can't cite a rule that would result in CAP losing their .gov access"

Hell, I interfaced my TurboTax with the IRS this year to file my taxes.  That's a "third-party, unaudited" system that has a helluva lot more PII than a volunteer created app to make WMIRS actually functional.
I just realized that I use CAPFlightPro to enter W&B and e104 info in WMIRS and it has not gone through a code review either 😔

Holding Pattern

Quote from: Mission/Tow Pilot on May 30, 2016, 04:25:28 PM
I just realized that I use CAPFlightPro to enter W&B and e104 info in WMIRS and it has not gone through a code review either 😔

Excellent. I'll use all of these examples as methods to follow in building CAP technology and discard my previous comments.

Spaceman3750

Quote from: Starfleet Auxiliary on May 30, 2016, 10:02:08 PM
Excellent. I'll use all of these examples as methods to follow in building CAP technology and discard my previous comments.

If you're in a position to build CAP technology I have some suggestions...

Check Pilot/Tow Pilot

Quote from: Starfleet Auxiliary on May 30, 2016, 10:02:08 PM
Excellent. I'll use all of these examples as methods to follow in building CAP technology and discard my previous comments.

Great, we are going to only allow IE with .NET and ActiveX with 2-factor authentication while using the Cone of Silence  ::) ::)

Just remember to assess what is the risk of a data breach and note that Higher Security usually means Lower Usability.

Is there anything more than Names and Phone numbers as PII in WMIRS and eServices? Oh yes my date of promotion to Lt Col :)

Holding Pattern

Quote from: Mission/Tow Pilot on May 30, 2016, 11:01:01 PM
Great we are going to only allow IE with .NET and ActiveX with 2-Factor authentication while using the Cone of Silence  ::) ::)

Just remember to assess what is the risk of a data breach and note that Higher Security usually means Lower Usability.

Is there anything more than Names and Phone numbers as PII in WMIRS and eServices? Oh yes my date of promotion to Lt Col :)

As I've said, I'm using your guidance now. Thank you, and have a nice holiday.

etodd

Quote from: Spaceman3750 on May 30, 2016, 10:22:10 PM

If you're in a position to build CAP technology I have some suggestions...

Building the technology is the easy part. Getting an agency run like the gov't does to adopt it means you'll be dead and gone first. LOL
"Don't try to explain it, just bow your head
Breathe in, breathe out, move on ..."

kwe1009

Quote from: etodd on May 31, 2016, 01:54:33 AM
Building the technology is the easy part. Getting an agency run like the gov't does to adopt it means you'll be dead and gone first. LOL

Or whatever technology that you developed has become obsolete by the time it is "govt approved."