When it comes to talking about last week's data loss by the HMRC, I was told not to use precious words outlining my feelings of rage and bafflement that a government body can be so cavalier with so much data because, presumably, we all feel the same. So I will simply note, for the record, that my gob has been totally smacked by …
What it costs vs what it costs
I still think you're being generous at £500 ; this also assumes that HMRC don't employ anyone who is a DBA :)
But I think everyone who posts "how much it would cost" might be missing the point - it's obvious to anyone the cost of doing the actual work is peanuts.
Many of these contracts are scams - see Computer Weekly for endless examples of such. Sometimes costs are loaded post completion to get the headline cost or overrun down (as with Capitas CRB deal where endless repeated CRBs are required).
Companies with financial nous get lock in deals which allow them to later milk the public sector at will. PFIs are another example ; companies charge inflated sums for any work not specifically in the contract.
It strikes me as highly likely that this quoted figure is not the actual cost of doing it, but the cost of getting *EDS* to do it - and the reason it is so high is because EDS can more or less charge what they like, because the contracts state that *only* EDS can do it.
Password & encryption
Alistair Darling said on the Today programme that the discs were "password protected but not encrypted". He seemed pretty clear about the distinction.
Why on earth was it posted?
Are they still living in the dark ages? With all the technology available today there are MANY alternatives.
Surely a VPN connection to a DMZ with a 'secure' access area for sensitive file transfer would have been better. Access details sent via an encrypted email. The technology is so simple that any home user can set it up if they put in a bit of effort. The MOD sites have a secure network, couldn't government departments use this, even if they only get access to a DMZ area tagged on the side? The technology is there but why aren't they using it?
Burning disks just does not make sense.
If I had a pound for every time...
Shit! If I got paid that much for chopping up a CSV file...
HMRC IT is outsourced, the outsourcer has to be profitable!
There is no point in thinking that you could offer do the work for £500 unless you offer to do it for CapGemeni ; see: http://www.channelregister.co.uk/2007/11/13/capgemini_job_cuts/
I think that there might be a markup put on your work as well as some overhead of writing the requirements, formulating the demand for extra IT work when costs are being reduced, 5 layers of management to get the request approved after choosing the appropriate budget line, possibly a committee or two to pass through, then the costed proposal from the outsourcer, the quality plan for the work, fully detailed PERT chart, test specifications, approval process, proposed modifications to service level agreements, approval of tea breaks (oops, only kidding) etc. etc. etc.
Techies like you make things sound EASY. ;-))
So it appears
So it appears that the way the child benefit department has a massive database, and they don’t know how to use it.
They have outsourced the management of the database to a company, which is probably owned by some relative of a government minister.
They and only they know how to query the database, which will keep them in a job for a very long time.
They decide how much to charge for one of their employees to do any sort of work on the database. And because said lazy bastard can’t be bothered to do the work they are asked to do, they quote some ridiculous sum.
When asked how they can do it cheaper, for half the price, they will click on export as CFV. Copy said file on a couple of blank CD’s in a password protected zip file……
Excuse my lack of faith in yet another government department.
I think I'll start keeping my cash under the matress, and when i have enough money I'll be off somewhere safe.....
select count(idiot) from HMRC
I'd suggest that the reason that NAO was being sent the data in this format was that it was a format that HMRC already had and was already using internally in some integration or other. Given that the extract contained *all* the data, I'd suspect that this was a copy of the feed to an HMRC data warehouse.
The most likely formats therefore might be an XML file, a CSV file (either of which really isn't going to trouble a black-hat much to figure out the format, given they've probably saved it with a file extension of .xml or .csv) or a database extract. You have to remember the thinking of the numpties might be, "well here's the data, no we don't know how to get it onto your machine, but it is on the disk; oh you'll incur an expense getting it? Sorry, not our problem". But as you say, let's notr discuss it... pointless anyway seeing as I'm sure we can all guess where the "password" protection comes in.
And the Id cards argument from Darling is just hilarious, in a very black way... yes, it would have made it less likely that the NAO would have had to request the data in the first place (bearing in mind that they didn't actually request the data at all) but on the flip side once the idiot with unrestricted access to the dataset sent the whole caboodle through an insecure channel we'd be in an even worse position than we are now. And it doesn't matter how many technical safeguards you try to put into your system, at some level there will be some idiot with too much access who doesn't understand why what they are about to do should qualify them for a red hot poker up the jacksie.
I'm still trying to figure out who are the bigger set of morons here, the HMRC clowns or the policitcal muppets, it's a difficult choice.
According to yesterday's Telegraph
The NAO (not having a mainframe) then passed the database to KPMG to process.
So the NAO was paying a profit-making business to extract usable data instead of HMRC doing it in-house. A rather convoluted way of auditing a Governemnt department.
Little or no cost saving there.
Part of the problem is that in my experience the goverment either outsource there IT, or due to rates of pay, are not employing the cream of the IT crowd.
It would appear reading between the lines that either there IT staff did not know how to extract the data, or there out sources over complicated the job.
I have come across a couple of firms that when we have asked them for some data from there system it has been a case of:-
1. We need to apoint a project manager.
2. They will write a specification for the job.
3. You must then approve the specification.
4. A programmer will then develop this.
5. This will be test by there testing team.
6. It is then run on the system so we can get the data.
They say they could not subset the data, however, they refer to the current records. Therefore, how did they remove all the old records?
Assuming that for what ever reason that it is impossible to extract just part of the data, there are several tools on the market that allow you to capture the printable output. This can then be convered to a format where they can remove the data that is not needed.
At the end of the day it is all down to lazyness. If they really wanted to only send them the information that they asked for then they could have done.
Worse case they could have told them to come to there office and make the selection. After all they actually one wanted to audit 0.0004% of the records. Again too lazy to send a couple of people to Newcastle.
File format *and* protection...
What popular file format is commonly used by nontechnical people to hold tabular data and offers "password protection" on the files?
Unless things have changed in the past few years then this is just the tip of the iceberg, and after having done some work for them in the past I'm not surprised
Try using personal information from the system to send letters asking for Autographs from the celebs.
Looking up family tax info, and amending them for better tax breaks.
Checking out your mates info.
Causing more hassle for your ex by amending their account for "EXTRA" checks or lower tax breaks.
Chasing up people's addresses at whim.
And these are just some of what HMRC get upto during work hours.... imagine if someone actually did their work instead.
IIRC, you can also search for partial matches on ANY field. And there are lots of fields..... want to know how many people have a HSBC account sure just stick in the first couple of sortcode digits and let it run.
Posted Anonymously from a cafe of course......
In the hands of criminals
HMRC states the data hasn't fallen into the hands of criminals. Yet they admit it has gone to KPMG. Any Private Eye or Register reader knows what that means. At least they haven't admitted that EDS has got hold of it - yet!
The real costs
- about 47 coppers on the ground, doing a fine-combed search of all likely places these disks could be: tens of thousands;
- everybody in the HMRC foodchain working (paid) overtime to cover their ass: tens of thousands;
- spinmeisters employed to deal with pack of bloodhound press: tens of thousands;
- cost to banks and government to "monitor all accounts for suspicious usage": tens of thousands;
- cost for the now inevitable massive HMRC IT overhaul project coming our way, courtesy of [insert random consultancy house full of overpaid paper MCSE's]: millions
- seeing the retards in charge getting away with it all scott free: priceless.
The basic two problems - and the untold story
It's cute to go into such detail, but you're missing the basics so here goes.
(1) The UK government does not have the equivalent of the US American Encryption Standard (AES), a standard encryption technique, open, published and peer reviewed so that it's easy to embed it in anything that needs security across the whole of government. In short - there WAS no crypto that the junior could have used.
(2) The junior defaulted to the 'safe transport' assumption that used to be true for internal government post. The only problem was that it *was* no longer safe as it was outsourced, but the risk management model was never updated to take that into account. So we have an assumption of safety where none exists, aka "false sense of security" (a thing long lost with this goverment, but I digress).
So, ladies and gents, the many smart ones amongst you will thus have already deduced from the above that, despite public statements to the contrary, AFAIK NO PROCEDURES WERE BROKEN. That's right - the chap simply did business-as-usual. Cynics may observe that the results were thus also business as usual, casually endangering the lives of quite a sizable chunk of the population.
I suggest you watch the government twist and turn to avoid admitting that one basic fact because it will be one hell of an indictment for the 'leadership'.
My two cents
If they are anything like our DBAs they will have refused to do any sort of query and just copied one of the overnight backups onto disk.
A company I worked for was charged £2000/day for technical consultants (of which about £200/day went to the worker) so I wouldn't be surprised if the £5K quote was for one days work.
Just how big is a database of 25 million records? Our database is 250 MB and I wouldn't call it a big database. Can you get 25 million records on a couple of DVDs?
What really happened
The cost of getting custom reports done by EDS is so high that a few years ago, they got a data export routine done that drops all the data into an MS Access file every month or so. Unfortunately the office junior on work experience who set up the MS Access reports has long since left and the departmental server was requisitioned so now the staff just make up a couple of CDs and pass them around so they can work on copies of the data on their own laptops. None of the staff actually know much of anything about MS Access or what's possible so when the NAO request came in they just burnt a couple more copies of the last set and mailed them off. Because some of the PCs in use are *old* this is also a pretty old version of MS Access. So when somebody claims it's password protected, what they really mean is that it uses one of Microsoft's laughable Office password schemes that can be broken in seconds.
Go on. Tell me that's not what really happened.
That's all very nice
But the public don't read El Reg - if you've been smacking your gob over this go join you local No2ID branch, hassle the public on a few flyering sessions and make sure next time it's not 60 million records lost.
Ah, the joys of outsourcing :-)
This 'subsetting' could have been done in no time at all had it not been outsourced to one of them there big consultancies. Insisting on sending someone data that they have expressly said they don't need is just plain wrong, wrong, wrong.
It should be possible to release at least some information on the file encryption...
... as it should be secure enough that, for all practical purposes, it wouldn't matter. But I doubt that it was. Hence they aren't saying or, more to the point, daren't. Not to mention WTH are they doing sending it on CD's at all? Have they really not heard of telecommunications?
What we do know is EDS provided the extracts and they were stored as 100 Zips. As far as I'm concerned that is encrypted despite what all these idiots are saying publicly. The protocol was the discs were sent without passwords. The recipient would ring up/email upon arrival and the sender would then email the password. This is consistent with my experience of HMRC. They were using this dataset because they couldn't get approval to spend money to get only what they needed. This is of course the enormous price you pay for outsourcing. What you could do in a couple of hours previously, now is almost impossible because of all of the layers of bureaucracy that snowball out of control once you get the likes of EDS, Capgemini, Accenture involved. It seems the single mistake here is the HMRC bods didn't imagine the enormous downside of the rather low probability risk they were taking.
And while you're at it, extract 100 tuples at random...
I know that there are reasons that the NAO (as people who should have some stats abilities) might want the whole 25 million lines so that they could check the sampling method for bias when taking their 100 samples; they don't just want the first hundred in the table, might wish to apply weightings to the selection for some reason and so on.
But having said that, it does seem overkill to ship a 25 million record database when the recipient is only going to use around 100 records. Even simply extracting every thousandth line would have probably given a useable sample to sample...
I'd guess on .mdb. Basic fomats like XML and CSV don't have passwords, and I can't see HMRC bothering to use an external programme to wrap them up. As for Excel - it's not possible to password the whole workbook without using encryption (though the default isn't very good). .mdb has a file password but doesn't use encryption.
Valid points well laid out.
Passwords and encryption.
I wonder if the term "password protected" is merely spin implying that the account details by themselves are not sufficient to access bank accounts and that a password is used. That is the password is used by the banks and nothing to do wth the data.
As regards encryption. RSA is not used for bulk encryption. A symmetric algorithm such as AES or triple DES is typically used with a random transport key. It is that key which may be encrypted using RSA or derived from a password.
Lies or simply ignorance?
Firstly, in several reports (including Newsnight's) HMRC stated clearly that the "the data was password protected but not encrypted". As Mark Whitehorn's piece implies, it is difficult to know precisely what the government spokesperson means by "password protected" because they evidently don't understand what they are dealing with - however, I think we can rely on "not encrypted" to mean, er, the data content of the files was not RSA encrypted.
Secondly, I too wonder what sort of database it is that cannot be queried by row or column or other defined field. The answer may be found in various reports mid-week and is alluded to above: the HMRC database is actually administrated by EDS. So it is EDS who decide what can or can't be done and at what cost.
If my experience of EDS's work for national quangos such as the former UKCC (the nursing regulator) is anything to go by, a sizeable floor area of the HMRC's publicly-owned building probably houses a motley crew of EDS doids who are contractually (and, no doubt, technically) the only people who can admin and manipulate the data - and, boy, does EDS charge for that work!
As an aside, I found similar Spanish practices when, many years ago, I investigated the disasterous EDS Child Support Computer System (CSCS).
That is why it is being claimed by government that it was too expensive to select the data as requested by the NAO. What they actually mean is that EDS would have charged through the nose.
As to the idea of electronically transfering the data over a WAN or the internet, that misses the point - it was NOT necessary and not desirable for the whole database to go anywhere! The subsetting and random selection should have been done in situ at HMRC, Washington. If necessary, that could have been done by an NAO staffmember (and for £5,000 he could have been flown up first class) then the resulting anonymised subset should have been RSA encrypted for secure transfer in the personal charge of the official to wherever it was to be audited.
My conclusion is that the public sector has yet to understand digital data; and that no government department (nor most of its outsourced 'partners') is competent to securely process digital data. This incident and its many predecessors demonstrate that just about every one of the government's and civil service's assumptions and policies and procedures relating to data handling and data security are flawed, misguided, based on ignorance or simply careless and ill-thought-through.
Furthermore, we (as taxpayers) are being royally ripped off by sharks - IT consultants, IT contactors and IT service-providers.
Whichever way you look at the current situation, it's a bloody shambles and a complete disgrace.
Is Database 101 ...
in any way related to Orwell's Room 101 ...?
Requirements and Specification
For any significant system,software and the surrounding (human) environment, there must be a statement of requirements, prepared by the potential users before commencement,and a specification, the implementers' commitment as to what they will produce. Either of both of these may be updated as the work of implemetation progresses.
The statement of requirements should address questions such as the levels of security required,ease of extractability of information fields, and much much more,
without reference to specific details of implementation, since these are within the competence of the implementers, not that of the potential users.
What we need to see is is the statement of requirements and the statement as to the extent to which these have been met, but not how, in the implementation.
Such an examination will clearly reveal the level of human responsibility.
For example, if there is no adequate statement od requirements.....!!
IQ test - 101
You can Trust your government
Your data is Safe
There has been no infraction of the data protection act
ID cards are a safe and efficient step forwards in combating crime
Outsourcing is clever
The Postal Service is reliable
One of these statements is true.
emails reveal more....
think the emails released by ministers reveal that
1. they were very likely multiple password protected zips
2. the db extract was already done for another internal purpose (in whatever format) so sending a copy of that required no IT cost - hence was the path of least resistance.
Agree with Ray that getting even half a day's IT spend approved is going to involve a mass of bureaucracy.
The Frightening Thing About ID Cards
Watching David Davis on TV this morning brought it home to me. ID cards are a very bad thing.
These CD's being stolen (or just lost is more likely IMHO) is bad enough because you have something of value. But what about a situation where a terrorist organisation wanted to get access to somewhere? Stealing someone's fingerprints or DNA isn't really a choice.
However, what would happen if said terrorists REPLACED your data with their own, proving that that person was actually you? From that point forward you wouldn't be able to buy a loaf of bread in Tesco's. And government wouldn't want to correct the data because you clearly aren't who you are pretending to be.
That for me is the big danger with ID cards - giving the terrorist community the facility to masquerade as someone else very easily. That simply couldn't be done so easily if they had to produce a gas bill with a driving license.
Re In the hands of criminals
"Yet they admit it has gone to KPMG."
The NAO admitted that later. No reason at all for HMRC to know what the NAO did with the disks.
Whatever it takes to gets to get to the top of the Civil Service, it isn't an understanding of data security.
I'll see your £500
and do it for a couple of pints over lunch whilst it runs ...
cut -d\, -f 1-2,4,6 db.csv > NAOout.csv
your delimiters may vary ...
Until recently I worked at a government agency (the RPA) as a consultant. I got yelled at a few times for doing things that should have been done by the contracted "IS partner" organisation, via the nebulous ever-changing, extraordinarily complex 'change process'.
But we knew, from painful experience, that something that would take me maybe two hours would take maybe four months and cost no less that £30,000 done the 'proper' way - and in actuality would not get done at all because there were other things it was more rational to spend £30,000 on.
Mostly I feel sorry for the 'Junior Official' at HMRC who was just trying to do what he'd been told to do - trying to do the job properly and with appropriate security would have meant never getting it done at all, and probably being regarded as simultaneously useless and trying to operate outside ones grade by 'management'.
Oh, and I feel sorry for the farmers. I never, ever, EVER want to work in government again.
The other main problem (other than EDS costs) is the GSI, where you can't use encryption (firewalls require to be able to read all attachments to virus check them) and there is no PKI available. Of course the NAO are not on the GSI so only low grade material can be sent to them electronically.
Little attention is being given to the fact that some civil servant has _unresticted_ access to the entire database. With access controls like that you may as well assume that multiple copies of the database (of various accuracies) are floating around government departments all the time. Now that is worrying...
As for the use of the post, I guess that both sites have network firewalls installed and the necessary procedure to establish a secure network connection between the two was just too complex :-)
Re:File format *and* protection...
Excel is limited to something stupid like 65k rows (16 bit int size) so I doubt it was in Excel. That would mean approx 385 worksheets!
MDB - maybe - but PW protection is a pain in access and easily circumvented - what with MDA files and the like.
My money is on a huge csv (we regulary load in csvs up to 11 mill records so it is done) that was then zipped and spanned across disks; with the zip providing the much vaunted "password protection".
@ Sceptical Bastard, Anonymous (pirate) Coward and James Joy
You guys - collectively - have the reasons laid out: no one did anything "wrong", but things DID fall through the cracks.
The issue behind this whole mess is that NAO needed a representative, random subset of the data for their processing.
The usual method for doing this is to use (a) a random SELECT function that grabs X rows randomly, (b) a statistically tuned SELECT function that grabs X rows randomly that match the overall demographics of the database itself, (c) a complete database extract that is then analyzed by several methods and the appropriate subset extracted.
In my past work doing this sort of thing for a variety of customers (including the US Internal Revenue Service) the key to the extract is getting an unbiased extract based on the criteria of the auditing group. This *USUALLY* involves having a tech member of the audit group visit the source group on-site and supervise (or perform) the extract to insure that the unbiased extract is obtained. The data is then remanded into the possession of the auditor and removed personally by them to their location.
Sceptical Bastard and James Joy hit the main point here: for (a) or (b) above, you send someone up to the source site and have them get the data. If you can't do that, you do (c) - exactly what caused this problem in the first place.
Anonymous (pirate) Coward got the rest of the story: the SOP for (c) is to extract the whole database and send it to the NAO for their analysis. Inter-office mail is expected to be REASONABLY secure - after all, paycheques and HR info is routinely sent through this channel with no issue.
The one piece of data that's missing in all the press stories is the loss rate of the inter-office mail system itself. I'll be that the loss of this particular package is consistent with the overall losses in the system - this one just happened to contain a "political bomb".
Back when I worked in banking, we had a robotic inter-office mail system installed at our huge processing facility out in Brea, CA, USA. This consisted of little electric boxes about .5X.3X.2M that ran on a computerized "train track" through the entire building. The track was designed so that the little boxes could transit vertically between floors and up-side-down to negotiate other building obstructions.
Soon after the installation and operation of the system, a "scandal" developed when pay cheques failed to arrive in many departments after being consigned to the robot delivery system. An investigation was started, pay cheques were delayed pending "apprehension of the criminals", and all Hell broke loose.
Finally someone decided to check the bottoms of the vertical shafts and the plenum runs that the robots ran through upside-down. Lo and behold, the bundles of cheques were found, dusty but intact, at the bottom of one of the shafts, along with a lot of other "missing" stuff.
It turned out that the lid catch on several of the robot boxes had been damaged, allowing a heavy load to fall out. Once empty, the lid would latch again - no one the wiser. Paycheque bundles were "heavy" loads, as were computer tapes, six-packs of Coca-cola and several other items that were routinely sent between departments.
Several people were fired over this, mostly those sending soft drinks through the mails...
Yes, those disks are GONE for good...probably stuck in a crack in the back of the sorter...
Security should be discussed!
> Of course, "they" won't tell us and, in fairness, they shouldn't.
This is a dangerous and outdated view of computer security. It is well understood that how systems are secured MUST be the subject of public discussion and review. The security of live systems should rely on few well understood secrets (like keys or passwords), and not ignorance of the security architecture.
This is key to the development of the fields of cryptography, and security engineering that are taught and discussed in public, as well as the security of free source software that is open for all to inspect.
The government is clearly trying to say as little as possible on the matter, with good *political*, not security, reasons. It is unclear why IT journalists should play along with this strategy instead of asking for the full requirements, specifications, and even security audits of the systems that were involved in the data leaks. Making such documents public should not make the system more vulnerable, if it is engineered with security in mind.
PS The idea that ignorance of the database format, or even the encrypted archive format, would slow down even an amateur attacker from retrieving the data is particularly silly.
Have you not heard of eGif standards?
It mandates XML format.
This whole fiasco is the result (imho) of a pervasive problem in modern management "theory": the idea that it doesn't matter who does the work, that workers are all just interchangeable cogs, and are totally fungible. This theory is never stated explicitly, afaik, but holders of MBA degrees demonstrate its existence (and widespread application) daily.
The net effect of this theory is the devaluation of experience, expertise, intelligence, education, and inborn ability. Among other specific results, you end up with call centers with employees whose accents are too thick to be understood, convicted criminals having access to confidential financial data, workers who are simply unqualified to do the work at hand, and the surrender of control over important data to consulting firms.
Applied widely and indiscriminately, the theory of worker fungibility has a great many other consequences -- corollaries to the theory, if you will. Identifying these corollaries and relating them to the details of the HMRC data loss disaster is left as an exercise for the reader.
Ah, yes & no.
We don't know the disks have been stolen - we do know claims have been made about loss or non-receipt and so criminal activities are still speculation.
We don't know what service was to be provided for the cost quoted - we do know that it appears to be practically extortionate given what appears to have been asked for.
This was a blunder waiting to happen - its just the scale and consequence that are outstanding.
Electronic Data is not currently (and cannot be) "safe" in the hands of either government or its IT contractors with the current systems and procedural models and practices. It is not, systematically, possible.
Every time there is a blunder the taxpayer pays. Even if it is made by an IT contractor. We are the only people who can pay. We are the "customer".
If a regular company blundered on this scale then it's likely that they would either go out of business due to loss of custom or would end up in court and paying punitive fines. Certainly, customer sanctions and legal processes could/would be applied. What chance here?
This blunder will not deflect the government one degree from ID cards because ID cards are a panacea for security ills. This blunder is not a "security problem" it is a "data processing problem". I've just written this and I don't understand it either!
The government need not care because there is no choice. It is, like its IT contractors, a monopoly provider. It may say it cares, it may say it will change - many partner-abusers do. Evidence is all. To others who know - do they change?
Let's see what happens when/if the status of the two disks is confirmed.
re Root Causes
I have to agree with RW. In my experience most companies pretty much despise their techies , boffins and propellor heads.Hence the mad rush to outsource IT because the managers hate having people working for them who are more intelligent, more honest and more sensible than them.
Most organisations that are not run by the person who actually owns the organisation are run by idiots who have no respect for any kind of specialist ability beit artistic, scientific or technical. (because if they actually had any entrepreneurial ability they would own their own company). You can see this in so many organisations - for example the recent farce over the privatisation of Qinetiq where the people who made the big money are those who wouldn't know one end of a rail gun from the other.
Ah well, at least when this civilisation falls apart my descendants will know which end of an antelope thigh bone to use to hunt down those wildebeest. And how to make fire without a GANTT chart (unless its to provide kindling).
I'll get my coat (well anorak).
It is simply no IT problem
and no problem of EDS, CG or any other outsourcer as well.
Sorry for me stepping in here rudely from germany, but after reading this, the problem was again the human factor. The HMRC guy who replied to the NAO: "You asked for all the data initially" brings it to the point: Why do you NAO guys bother me at all?
As far as i know, the NAO (or their alikes in other countries) do not have a fan club in the public sector, so pushing back on them is "natral" behaviour i guess.
This whole problem would definitely happened as well with an insourced IT department which would only have to be badly enogh aligned with the "business" .
What made me wonder though is: I have not heard about anything like this in germany, does that mean we never loose data / notebooks etc ????
It is interesting to see that everyone of the technical commentators here have made one serious error, that there is some degree of professionalism in the civil? service and the out sources they use.
As regards most of the civil? servants I have met , they without exception feel put upon when asked top do anything that is not part of their normal routine. I can sympathise as having to put down your tea to process some work means when you pick it up again it has cooled down past it's optimum drinking temperature thus spoiling it and necessitating having to go and make another one. Further, when looking at outsources, they have to compete for the work and tender for their contracts at much lower rates than they would like, this in turn means that to maximise profits they are `forced´ to use cheaper labour. The old saying about paying peanuts comes into force. Professionalism is something rare nowadays, it does still exist but not in government offices, the people there generally look down on the population at large as THEM the moaners and the mob that doesn't appreciate civil? servants so don't expect things to get better other than the the ability to cover up. The only answer to cock ups like this is better training and management, something you will never get as long as the structure of the civil? service is as it is. Time for a decent revolution I would say.
Surely the cost of deleting the relevant data fields must be less that the cost of a train ticket to Newcastle and a day's time for a NAO junior auditor. Otherwise they would have sent someone down to do the sample selection on site. Therefore, pretty cheap. But the cost to the government? Maybe five years in power...
I've seen this set up before a few times. It is usually someone junior who's fouled up but this is invariably caused by the leader not caring about proper control systems (e.g. Chancellors who care more about results than how you got there...)
re re re
The only reason I can see for using TNT over the Royal Mail is to track the letters - but the silly people didn't! What's that about?
As Anonymous Coward (Sunday 25th November 2007 11:03 GMT) said, the default principle is that internal mail is safe - that's why it's worth paying for real employees to wheel carts around your buildings, and make night runs between your buildings with vans.
The default should be that it's not necessary to register internal post - seal it, because there's no point tempting people, but you don't need to register it because the mail room does that, and as they're delivering it anyway...
Can anyone tell me what's left to outsource in the British gov?
Not the royal family, that was sold to Hanover some time ago; not the PM - outsourced to Scotland...
AES - American Encryption Standard?
Since when has the AES been the American Encryption Standard? Whilst the algorithm's competition was run by the US the A stands for Advanced, not American and A is not for Apple.
Re: Security should be discussed!
George Danezis makes an excellent point about good, well designed security systems. As he says “Making such documents public should not make the system more vulnerable, if it is engineered with security in mind.” I agree.
In general, the less you know about a security system, the more difficult it is to break. However if, as George suggests, a system is well engineered with security in mind, it possible that some information about the architecture can be revealed without compromising the system.
But the converse is also true. Some badly designed systems rely on the fact that the architecture is hidden to provide some of the security. I’m not suggesting that this should be the case, merely that sometimes it is so.
For example, imagine a physical security system that includes a wire on top of a wall. If you know nothing about the wire or the signal it may carry, you risk detection if you cut it. On the other hand, if you know that it carries a very simple signal that can only detect a complete break you can happily use a jumper wire to avoid detection. (I don’t write from experience here, but I have watched innumerable spy movies).
Now it is clear (painfully, excruciatingly clear) that the system under discussion was not well-designed. Had it been, we would not be discussing it. And given that it was poorly designed, it may be that some measure of protection might still be afforded if the remaining details of the ‘architecture’ are not revealed.
I agree that ignorance of the database format or even the encrypted archive format will not appreciably slow down professionals. How much it would slow down or stop amateurs would depend upon their level of expertise – which is unknown.
Clearly there is a spectrum of risk here. Some information (the file names) is very low risk, other information (the password) carries a somewhat greater risk. Exactly where the line should be drawn is tricky but the government is wise to err on the side of caution. Doing otherwise has the potential to further compromising security to an unknown degree.
>The government is clearly trying to say as little as possible on the matter,
> with good *political*, not security, reasons.
I agree. Given that the government has, in the past, shown very little concern about protecting this data (hence the leak) there is every reason to believe that it is currently more concerned with the politics than security. But the motivation of the government and the morally correct course of action are not linked as cause and effect. In other words, just because the government has a hidden agenda for wishing not to discuss the details of the security does not mean that those details should be discussed.
>It is unclear why IT journalists should play along with this strategy
>instead of asking for the full requirements, specifications…
I don’t agree that we are playing along with a strategy. I think that journalists face the same choice as the government (but without the political pressure) and, for the reasons outlined above, should make the same decision.
I suspect that if we were ‘playing along’ with some government strategy, we wouldn’t be highlighting the absurdity of that same government using pseudo-technical arguments for political ends.
ID cards, Unique Identifiers.
So ID cards make data easier to tie together because they use a unique identifier, eh? What a spiffing idea. Especially as i've already got one of those. It's called a "National Insurance Number". In fact, i have another unique identifier. It's called a "National Health Number". Now i'm going to get a "National Dupe Number" too?
i'm leaving this farce of a country as soon as i have the wherewithal.
There seem to be some other points, namely UK Govt security procedures for information that is not National Security related. Do these exist? Is there a classification regime? Is there policy that relates privacy requirments to security classification and associated procedures? Are there handling procedures covering the requirements for the different media and each classification level? A simple and reasonably pragmatic example is at http://www.gcio.nsw.gov.au/documents/Labelling_Sensitive_Info.pdf