The Department for Work and Pensions is still sending out discs containing confidential data together with passwords. This most basic of security failings is no better than Her Majesty's Revenue and Customs sending out the entire UK child benefit database on unencrypted discs. The moronic action was uncovered by the blog Dizzy …
Genius. It's not difficult, really.
1) Generate random password using tool provided by your employer
2) Encrypt data using tool provided by your employer
3) Send data through the post
4) Just bleedin' email the password already. I mean, let's assume the email is intercepted, what are the chances it'll be intercepted by the same person that gets mis-delivered the data? Nil, essentially. If it needs to be more secure, leave off some characters from the beginning or the end and telephone them through. But it doesn't.
We're doomed, doomed I tell you!
Is there any hope?
There's an excellent (but carefully worded) critique of the current Government's approach to data security for ID cards here:
And a superb translation into plain English here:
Now will anyone responsible for this mess actually listen to this sage advice?
Hang on a cotton-pickin minute...
...are you seriously suggesting that there are governmental departments that are employing *incompetent* staff?!?
Honestly, next you will be claiming that people who work in the civil service only do so because they are too stupid to find work in any private sector organisation!
oh wait...erm, nevermind...carry on
It's almost as if...
they were doing it on purpose!
Shome Mishtake Shurely!
Even 'SHE' would know better, methinks.
Transferring the data using a secure communication protocol over a wired connection? You know, maybe like a SSL connection on the transfer and maybe even PGP encryption of the data itself?
I mean, what am I missing here?
I've already started...
... buying large quantities of super glue.
As soon as the National ID database becomes compulsory, i'm getting mine done with a nice big superglue blank on it. They can lose THAT data all they want.
Seriously broken security
So, are we to understand that "government" has no access to fast secure data networks?
Are all the thousands of ID card readers going to receive CDs once a month with updates? After all, the minister did claim that they would not be "online" :-)
Is that so?
A DWP spokeswoman sent us the following statement:
"We take the security of individuals' data extremely seriously".
Well obviously you don't or this would not have happened. Doh...
My god, some of my hard earned tax goes towards employing these idiotic Civil Servants. What a bunch of low IQ dorks.
They have a new security scheme in place - the password will still be bundled, but will be securely protected with industry standard ROT13 encryption.
Why aren't government departments networked together?
There is no need to send CDs of data to other government departments.
If the excuse is "the departments are located all over the country" so what? Use VPN....
If large companies can do it so can the government.
The sign said...
"Hold stick near centre of its length. Moisten pointed end in mouth. Insert in tooth space, blunt end next to gum. Use gentle in-out motion."
'It seemed to me,' said Wonko the Sane, 'that any civilization that had so far lost its head as to need to include a set of detailed instructions for use in a packet of toothpicks, was no longer a civilization in which I could live and stay sane.'
Well I am afraid the person in charge at DWP should be prosecuted. The sooner a few bosses/CEOs/MPs are made accountable, the sooner they may think twice about data security and actually ensure at least some data safeguards are in place.
Was going to add something about common sense but it seems no one in DWP has any. Sack the whole lot of them and hire someone with half a brain.
It's almost as if
... public key encryption had never been invented!
There's no need for sodding passwords. You encrypt the data using the public key of the recipient, and then not even you can decrypt it never mind the person who intercepts it en route.
The DWP could have an internal database of public keys for those who receive the data, and job done.
but security is work
And having to send discs internally and *then* to send the password means four seconds of thought (I am being generous here) and 20 seconds of physical activity, and both of those just don't happen in government offices. I have been there as a contractor and have seen it.
The AC who said it: could we lay off remarks such as "your data will always be as safe as a faggots arse." It's tiresome that gays are the final identifiable group we can be bigoted about. I mean, WTF does that little phrase mean? I assume you are the AC who also denigrates women pretty regularly. Come on, pal, join the grown-ups.
Access to fast secure data networks...
"So, are we to understand that "government" has no access to fast secure data networks?"
The Govt does, but Civil Service monkeys don't.
Course the individuals won't get fired; if that happened then this govt's unemployment numbers would rise back to the Tories' times, that's why they employed them all into pointless roles in govt in the first place, isn't it?
I love paying taxes so worthless mugs like this can do shit jobs and screw us up in the process :)
Re: but security is work
Thanks Hollerith - that one shouldn't have gone up. I've deleted it. Shan't let through any more like it. It's not cricket.
You get what you pay for
Somewhere I've read that once upon a time, a UK govt minister stated that they wanted the government to be "in the first rank of employers."
Obviously not any more. Instead of hiring a relatively small number of intelligent individuals, they've opted for quantity over quality, pay slave wages so as to hire the requisite number of drones while staying within budget, and...
...get what they've paid for. People who can't find a real job that pays decent money.
It's not the drones' fault; it's management's (and that includes the ministers on whose desks the bucks theoretically stop).
When you're dealing with intellectual retards, you can't expect any performance better than you'd get from children playing in a sandbox.
Whatever Paris's faults and virtues, at least that girl knows how to get paid well.
@ Nomen Publicus
The government does have a secure private network from C&W which connects all the central government authorities; this is being expanded to all 400 or so local govt authorities as we speak (who are generally the recipients of the CDs).
It's actually very well designed and the security standards are very high; it will be a good solution once implemented. Sadly the authorities with rubbish IT security won't be allowed to plug in until they sort their problems out - which means they'll just stick to receiving CDs instead.
re: Public Key
Ian Oliver, the only problem with your superb idea..
The DWP could have an internal database of public keys for those who receive the data, and job done.
Internal.. database..oh wait no they lost it.
public public encryption key
...oops have to get back onto my chair now...
Oh well it has been a long week...
DWP staff blunders
Really F---ing Brilliant.
This memo should be handed out to all staffers:
From: Director of IT Security
To: All DWP staff members
"Any staff member who fails to follow previously established procedures for data security will be subject to a public flogging once a day for a month. Saturdays, Sundays and legal holidays included.
Any staff member who, after receiving the punishment described above, commits a second offense WILL BE SHOT"
@"No worries" By Christoph
"They have a new security scheme in place - the password will still be bundled, but will be securely protected with industry standard ROT13 encryption."
And then what's the betting that when they subsequently decide to beef up their security even more, some clown adopts the practice of double ROT13 encryption for extra security.
I've been biting my tongue for too long now...
I work in I.T. for a 'non-departmental public body' which means we're 'sponsored' by a government department (and yes, I am a civil service scum bag BUT I actually take some considerable pride in my work).
Now, the second I read about the big 25 million giveaway I started actioning measures to make sure as hell that we're not the next headline, and so far they've done the job perfectly: we instantly recalled, held and then encrypted all laptop hard drives and USB devices, disabled CD writing via GP for the great unwashed masses and various other bits and pieces (and all this without a single 'committee meeting' or policy writing process, who'd have thought it eh?).
Now, our HR bod communicates with a single DWP contact various bits of relevant information, and has been doing so for as long as they can remember. We assumed (always a mistake I know) that that practice could continue (short of setting up a secure channel between the two) but OH NO, we get several arsey emails from DWP telling us to STOP sending emails to a long established, single, named contact and to instead burn the company's pensions data onto CD and SEND IT THROUGH THE POST...NNNNNNNNNNNGGGGGGGGGGGGGGGAAAAAAAAAARRRRRRGGGGGGGHHHHHHHHHHHHH
I actually thought it was a joke but apparently they'd produced an entire procedure ordering a stop to all email transfers and a return to post!!!
We instantly froze the transfer of our data to DWP and fought tooth and nail for weeks on the various points of rationality, common sense, logic and security, to absolutely no avail; they were just not having any of it. Why oh why, in times of heightened data security, would a company revert to a less secure transfer process, never mind the transfer process that got us all in this mess in the first place?
The current situation is that we created a 'counter-procedure' stating that all data sent to the DWP would be encrypted.
Ahhh, there's nothing quite like the feeling of a freshly deflated spleen :)
I thank you
Just think of the pensions!
Don't forget - these folks that are safeguarding our information are gonna be chilling on clover when they get their fat final salary pension - the only ones left who will. Just screw things up for 20 years then relax into retirement.
Come on...rot13? This is the 21st century, with our new security aware Government.
They would surely use DOUBLE ROT-13 encoding.
IT? logo, 'cos the home sec. doesn't understand where the IT angle is. Ever.
For added security they'll encrypt using double-ROT13...
We take <put in major f***up area here> very seriously
No. You f***ing don't.
Nor do the numerous government departments and corporations, who take "security seriously", or "customer feedback seriously", or "safety seriously" or "whatever s**t seriously".
If you did, you wouldn't be in this s**t. Nor would my personal data be at risk.
Ever tried counting the number of instances per week of these "taking stuff seriously" statements issued by the droids? Can't the PR dummies come up with something better? Do they really think they can just say those magic words and I will feel perfectly safe?
It's not the thumb that I'm pointing upwards - El Reg better take your icons seriously and "come up with the appropriate finger".
End rant again.
What moron came up with the separate password policy?!
Look, you don't need to mail passwords to have data security. Establish a position in each department responsible for receiving data and create a PGP key for that position. Place each key on a keyserver (either public or privately maintained, doesn't matter), and sign each one with a master key owned by some controlling entity (government director of security or something) to establish trust among all of the keys that are to be used.
The policy is then simple: Whenever you ship data you encrypt it for a) all recipients, and b) always for the master controlling entity.
You are then free to ship the hard drive without any password information, since only the intended recipients with their private keys can actually read it. Additionally, should any recipient key be lost the master controlling entity can recover it since they are always a recipient.
PGP has been able to create and manage such a structure for years now. When I read about people mailing passwords it just cracks me up. How incompetent and clueless are the IT folk?
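The scheme the two posts above sketch (encrypt to each intended recipient's public key and always to a master key, with the recipient keys certified by that master key so the sender can trust them) as an added, runnable illustration in Ruby using its standard OpenSSL binding. This is not DWP's, PGP's or any commenter's code: RSA-OAEP wrapping of a random AES-256-GCM data key stands in for OpenPGP's own packet format, and the position names, the `certify_key`/`trusted_key?` helpers and the sample record are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical helper: every receiving "position" in a department gets its own
# RSA key pair. Constructed stand-in for the PGP keys the post describes.
def generate_keypair
  OpenSSL::PKey::RSA.new(2048)
end

# The master (controlling) key certifies a position's public key, binding the
# position name to the key bytes. Stands in for a PGP key signature.
def certify_key(master_priv, name, pub)
  master_priv.sign(OpenSSL::Digest.new('SHA256'), name + pub.to_der)
end

# A sender only encrypts to keys the master has certified.
def trusted_key?(master_pub, name, pub, cert)
  master_pub.verify(OpenSSL::Digest.new('SHA256'), cert, name + pub.to_der)
rescue OpenSSL::PKey::PKeyError
  false
end

def wrap(pub, dek)
  pub.public_encrypt(dek, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

# Hybrid encryption for several recipients: one random AES-256-GCM data key
# protects the payload, and that key is wrapped (RSA-OAEP) once per recipient.
# The master key is always added as a recipient, so a lost recipient key does
# not mean lost data. Uncertified recipient keys are refused.
# recipients: array of { name:, pub:, cert: } hashes.
def encrypt_for_recipients(plaintext, master_pub, recipients)
  recipients.each do |r|
    unless trusted_key?(master_pub, r[:name], r[:pub], r[:cert])
      raise ArgumentError, "key for #{r[:name]} is not certified by the master key"
    end
  end
  dek = SecureRandom.random_bytes(32)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = dek
  iv = cipher.random_iv            # 12-byte nonce, fresh per package
  cipher.auth_data = ''
  ciphertext = cipher.update(plaintext) + cipher.final
  wrapped = {}
  recipients.each { |r| wrapped[r[:name]] = wrap(r[:pub], dek) }
  wrapped['master'] = wrap(master_pub, dek)
  { iv: iv, tag: cipher.auth_tag, ciphertext: ciphertext, wrapped_keys: wrapped }
end

# A holder of one of the listed private keys recovers the data key and then
# the payload; anyone else gets nil (no wrapped key for them, or an OAEP/GCM
# failure when the wrong private key is tried).
def decrypt_as(name, priv, package)
  wrapped = package[:wrapped_keys][name]
  return nil unless wrapped
  dek = priv.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = dek
  decipher.iv = package[:iv]
  decipher.auth_tag = package[:tag]
  decipher.auth_data = ''
  decipher.update(package[:ciphertext]) + decipher.final
rescue OpenSSL::PKey::RSAError, OpenSSL::Cipher::CipherError
  nil
end

if __FILE__ == $PROGRAM_NAME
  master = generate_keypair
  pensions = generate_keypair
  pub = pensions.public_key
  cert = certify_key(master, 'pensions-desk', pub)
  pkg = encrypt_for_recipients('constructed sample record', master.public_key,
                               [{ name: 'pensions-desk', pub: pub, cert: cert }])
  puts decrypt_as('pensions-desk', pensions, pkg)   # the intended recipient reads it
  puts decrypt_as('master', master, pkg)            # so does the escrow key
  p decrypt_as('pensions-desk', generate_keypair, pkg)  # a stray private key gets nil
end
```

The package can travel on a disc or by post with nothing else attached: there is no shared password to send separately, and a disc that goes astray is useless to whoever picks it up. The master key being a fixed recipient is what gives the recovery property the post describes; in a real deployment that private key would live under stricter control than any departmental key, since it can read everything.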
Is this REALLY such a surprise?
Ask yourself this, what kind of creature sets out to become an HMRC employee?
Is it a normal, rounded English citizen who believes that people want to get on with life, and that the government couldn't spend money well if it tried, OR is it the kind of officious authoritative jerk who got a taste for power when the teacher let them keep tabs on how many exercise books there were in the cupboard, and who believes that all problems can be solved by keeping lists of names and saying "umm I'm telling".
You've got to laugh, or cry. I don't remember which anymore.
An example to us all.
The various Government bodies need to start making examples of civil-serpents who permit or encourage such follies.
I'd suggest reinstating the twice-monthly public hangings of offenders at Tyburn, 'pour encourager les autres'.
[And if this is introduced, they should auction the pay-per-view TV rights on a per-event basis to recover costs. I'm happy to act as intermediary between interested parties. For a cut of course.]
Just when is someone going to get prosecuted for this.
There is no repeat NO need for any data to be shipped around this country on disc.
remove all cd/dvd writers and employ people who can use computers properly.....
If they are unable to do this simple task I will gladly come and show them how to.
Hehe, I know of one Govt Dept that, until I came along, was using Clamwin AV as their desktop AV solution.
You know, that crappy app that doesn't actually have a realtime scanner, but is free...
No-one realised the risk involved, it seems, of having daily scans being set to happen at 2am. When all the PCs were off.
Suffice to say I have changed that since....
Anon as my bosses [who I gave a severe verbal bollocking to in private] read this....hi guys...
@ AC (who works as a Civil Servant)
Good on you, mate. Now please try and get other departments and organizations in ".gov" to act similarly or replace those who won't with competent employees.
@By call me scruffy
You almost had it right! They were the people who dreamt about being the person that counted the jotters, but alas they couldn't even spell "jotters"! If only the Remedial Teacher could have spent more time with them then they would have left school able to add, count and spell.
You can't send encrypted files between government departments because the firewalls are set to block encrypted traffic; it could be a virus apparently. It takes months to get approval for a secure channel over the GSI or to a non-GSI body and these data losses seem to be once a year, big rush jobs (Audit etc.). Who has a £100k budget to send them anything?
I think they should use floppies. Fewer new PCs have floppy drives than CD drives so that should improve security. It's also more difficult to lose a crate of floppies than a single CD.
It's all bollocks
The DWP employ well meaning people, they are just a bit thick though, as can be deduced by their hourly rate of pay.
As stated earlier, most Govt. minions, like Job Centre counter officials, have been drafted from the queue on the other side of the counter, at basic wages and the result is as you'd expect.
The rot (13 or otherwise) goes all the way to the top with dickheads like the Prime Minister taking no notice of his advisers, anymore than do minions in the Home Office, or any other "Govt. Office".
I mean the whole lot of 'em are either corrupt or stupid.
The Job Centre wonks lie about your entitlement to Income Support, Benefits Agency Medical Examiners are constantly finding disabled folks who are fit and can work for their benefits, County Councillors are having Double Yellow lines painted and Resident Only Parking signs erected in areas where residents are too poor to own a fucking car, and in Oxford, a shit for brains city executive countermands a policy decision and orders beautiful and loved, city centre trees to be cut down, just because "he" personally didn't like the trees in the scale drawings he saw.
As far as cannabis is concerned, I'm surprised they haven't made it a Capital Offence, just so's they can get rid of free thinking idiots like me, who, by the way, also give away music on my web server, you know, music that's not been created by famous or rich people, and I wouldn't ever vote for any of these Social Tinkerers.
How did they get their jobs ?
Get a grip people. If they don't listen to their leaders, why the hell should you ?
PS. I've got a goldfish with more security nous.
It would never send unencrypted email or other fishes' data on a CD in the post.
Face it guys...
... 99% of users are too stupid to live.
The 1% who aren't are living breathing examples of 'A little knowledge is dangerous'.
And when you have that mix, run by the sort of imbeciles that have risen to the top under our current administration (5hit floats) - this is what you get.
Who'd be in IT?
I am currently working with a government agency, and given the amount of guidance being given about securing data at the moment, there must be some real idiots out there if they can ignore it.
We had to transfer some anonymised test data from one test system to another over internal networks separated by one hop, and we had to assure the powers-that-be that the useless (to anybody but the testers) data was encrypted as it passed across the network. It would have been anyway, but getting the authorisation took a week!
We are told to use encryption as much as possible, not send info across public networks or by normal mail if we can avoid it, and send it in multiple small batches if it contains any personal information. Any large amounts of information or sensitive personal information must be sent via secure courier. Also, we are told that if we have any doubt, to check with the data or security controllers. Perfectly sensible advice, and completely clear.
@call me scruffy and AC Friday 9th May 2008 20:50
Let me guess - you're the kind of people who call help lines and then hold the person on the other end of the phone personally responsible for whatever your problem happens to be.
By the way the article is about the DWP not HMRC.
When the govt ask for data, refuse on grounds of data protection. For instance, when applying for a council house - data rape isn't in it.
If I've got a contract with a firm then the person on the end of the phone is responsible for the fuck up and the firm can't hide behind the "but we just employ numpties" argument. It's called customer service, and yes, I've been on the sharp end of it sometimes.
Difference between HMRC / DWP and a commercial firm? The govt thinks we owe them a living (viz. political parties being funded from taxes). Oh, and the govt thinks it's there to tell us what to do.
The person at the other end of the phone isn't personally responsible, but they represent the company/department that is. If Said Numpty decides that your guarantee is void for some reason, or that you are not entitled to something or other, or you have not in fact been overcharged, then they have to have the authority of representing the company/department to do so. Otherwise we may as well grab a random person and demand satisfaction.
Screaming and shouting at the person on the other end of the phone however, is counter productive. Honey catches more flies than vinegar, and politely requesting to speak to someone higher up is usually more effective.
Who sent me these CDs?
Fuxake...what's with POSTING discs through the post?!?!? No need for any of it!
It's Access isn't it?
I just *know* it's f*~n Access - last time a fellow employee b'd off leaving no passwords his Access DBs (hah!) came to me. I'm an idle sob so I spent $16 of my own money for a cracker program. It took 35 seconds - and it was a *very good* password!
So yeah, send the pw by email, that should be OK.
If a company screws me over and I've ascertained that they are not going to admit it or compensate me, I make it my business to be as obnoxious, belittling and insulting as possible for as long as possible without giving them an excuse to end the conversation.
If we all do this, then the people working the phones will hate their job and no-one will want to work for that company.
Also, when you're dealing with someone who is willing to lie to you or completely contradict themselves because they can only read what's on the script and thinks that you are too stupid to spot it, then they deserve some abuse.
I have actually had someone tell me that it was policy to assume that documents had been delivered to me after admitting that proof of postage is not proof of delivery - so I told them that I *had* filled out the paperwork and returned it as they asked. Apparently the policy is not to accept assumptions made by the public.
If you are going to make me put up with Kafka-esque crap like that, you can expect me to hand you your arse.