The civil service's systems will be subjected to new attacks by independent white hat hackers in a bid to spot weaknesses in government data handling before catastrophic losses occur, it was announced today. The white hat programme is one of a suite of targets, training and scrutiny measures that Cabinet Secretary Gus O'Donnell …
Aside from the general silliness of the idea in general shouldn't the government hire competent staff...
I seem to remember the guy who donated some cash, thought the site was a bit dodgy then did a few simple things to see if the server was legit ended up getting screwed senseless by the filth?
Carte blanche to hack UK Gov networks.
First person to post the bank details of the guys involved in each data loss case to wikileaks gets the appreciation of 25 million parents.
Is it a trap?
Didn't they make the tools necessary for this illegal? Or is that just a figment of my deranged imagination?
Gov.uk DEC website
Didn't a guy who was worried about a possible exploit on the DEC website get taken to court and found guilty ?
Mod: This link should appear in the item's 'Related stories' section ...
Well, the most blatant problem is the people
I mean have you ever heard of a government Laptop losing its owner? Or papers scarpering? Or even a 25,000,000 entry database accidentally being automatically faxed to someone? No.
The people are the problem. Though I do welcome the government's use of white-hats to solve the problem.
You've gotta wonder if they'll just pick them from a list though - "yes, this chap has a 1st in Computing Science! He even builds computers for a hobby! He must be one of these super-hackers!"
Black is white
Call me Mr. Cynical, but I fail to see how the proposed measures will bring about a cultural change. In order for change to take place, the individuals concerned have to first accept that there is a need to change - and I can guarantee that not one of the ministers, or senior civil servants actually believes that this includes them.
I also find it somewhat bizarre that Mr O'Donnell thinks that there is a risk that people will lose trust in the Government - perhaps someone should point out that he is a bit behind the rest of us.
"Yes we have lots of data on individuals," he protested to reporters. "And that is, for individuals, good."
Did anyone think to ask him to justify that statement - the only thing that I can think of to describe it as good, is that when we all find our IDs have been stolen, it will be obvious where the leak came from.
Technology #1 and People #2
First off, other than porn and tat from eBay no one has ever proven to me that the Internet and associated tech has ever been good for anyone (except software/hardware moguls). Bills were paid in due course before and people seemed a bit less stressed. Maybe it's just me, but I don't think technology is worth anything but the paycheck I get from screwing with it.
Secondly Adam had it correct. The biggest problem with any system is the people - there's an old saying "business would be great if it weren't for the customers" and it applies to just about everything.
Can someone explain this please
"Yes we have lots of data on individuals," he protested to reporters. "And that is, for individuals, good."
How exactly is this good for me?
Helicopters for good old Mr Orwell and his amazing pre-cognitive powers
I agree with
Mr Solomon and Mr Coward.
I suppose Mr O'Donnell will be suggesting White Hat hackers ride the Surrey trains from now on, as a means of combating cyber crime and preventing User st00p1dity.
Do you think that all those MPs with ridiculous expense accounts are really going to declare their personal, Bluetooth enabled, mobile phones to their new white hat underlings. Especially when the memory sticks are full of ripped tunes and two naughty pixies ?
I remember a little wine bar that ran a very popular customer loyalty scheme. Customers would bet on which celeb would be next to kick the bucket. Perhaps some hacker at The Reg could knock up something of this ilk online. Reg readers who collect useful titbits from Our Overlords' Phones (OOPs) could share the experience electronically via a special section, titled Idiot Alerts or some other supporting an amusing three letter acronym.
"The risk we must counter is that citizens and business lose trust in the Government to handle their data effectively."
What trust? I never had any in the first place.
a little confused
The minister seems to be under the glaring misapprehension that the public had any trust in the Govt to begin with.
The simple fact is that our Govt and most non-technical people in general are appallingly bad at computer security.
<brief anecdotal example>
My step father won't let me install or modify anything on his Windows PC despite the fact that I am a seasoned IT professional. He actually thinks he knows better and yet he continues to use IE as his web browser, has NO firewall setup whatsoever and spends a fortune on anti-virus software. I have offered to back up all their data (they only use their PC for email, downloading photos from a digital camera etc, and web browsing) and install Ubuntu Linux which, in its default install, will have pretty much all the software they need and will never cost them a penny. But simply because it is unfamiliar they stick with Windows and spend stupid amounts of money trying to shore up the security holes in what is the software equivalent of Swiss cheese.
I, on the other hand, have been using Linux for the last 10 years. I haven't spent a penny on software, never had a crash/virus/malware/been hacked. My machines run flawlessly and securely because I have made my career out of knowing exactly how to do this.
</brief anecdotal example>
The fact is that people are scared of changing their protocols and habits and Govt ministers are renowned for having a complete inability to take any kind of responsibility for anything. This will not change until we start educating people from the earliest age possible about the necessity of keeping data secure. Simple concepts about encryption and only allowing necessary services to run on one's machines, firewalls and so forth. Until even Joe Public understands the importance of this our Govt hasn't a whelk's chance in a supernova of getting computer security right.
Hmm, except that
a) As mentioned previously, uk.gov are currently engaged in a spirited attempt to make the typical "white hat" tool chain illegal (at least to distribute, although IIRC there is some fuzziness as to the definition of this)
and of course
b) The people that you actually need to do this properly, particularly on such a large scale are :
i) few and far between.
ii) extremely unlikely under normal circumstances to have the sort of squeaky clean history that would enable them to gain a DV clearance, which would ordinarily be required for this type of work.
In fact, I'd go so far as to say that all the people who combine the skills, experience and ability to not raise a red flag during the six month DV clearance process are already working at GCHQ, CESG, and the MoD.
OK, there may be a few strays, but certainly not enough to go around, which means that the bowler hats, in order to get themselves an adequate number of "white hats", are going to find themselves in a position where they have to relax their strict (almost the strictest, in fact) security policy.
Not enforcing security policy was what put them here in the first place, wasn't it?
Stand and Deliver !
"He claimed the response from outsourcing firms to the new rules had been positive"
That's probably because they will be supplying the software/hardware to do so at the usual 200% mark-up over what you can buy it for from the manufacturer, plus consultancy, meetings and correcting the initial feck'd up install!
Paris, because I love her, she loves me too, but doesn't know it yet
A Cabinet Office spokesman writes...
Gordon Pryra (26 June, 08:49): How exactly is this good for me?
In the statement he gave to reporters yesterday, the Cabinet Secretary gave a few examples of the benefits of storing and sharing information:
"The Government does not compel or request the data of citizens for its own sake. It is done to enable us to deliver better the services citizens pay for in tax. Let me give you some examples. A single department, the Department for Work and Pensions, has 20 million customers. It undertakes some 13 million payments every week.
"Efficient, electronic use of personal data is good for citizens. Each week the police and courts services make 4,500 enquiries to the secure online Drivers Database, reducing the number of case adjournments by 80% and saving police officers up to two hours of paperwork every time they carry out a roadside check. By joining up the data held by MOT garages, the insurance industry and the DVLA allowed 7.5 million people to renew their car tax online in 06/07. By December 07 this number had risen to almost 10 million, and the majority of applications are outside office hours.
"Within HMRC itself there were 3 million online filings of self-assessment tax forms in 2006/07, increasing efficiency and slashing the amount of paper used.
"The Tell Us Once initiative we are currently pursuing will take this further. It will join up public agencies so, for example, you only need to inform one department or agency if, for example, a relative dies, rather than more than 30 who currently need to be told."
@ The Other Steve
There are a number of 'white hats' or 'ethical hackers' already in existence. DV clearance is not a prerequisite. The clearance a person needs is driven by the sensitivity of the data that they are required to work with. DV is only necessary to access TOP SECRET. A very, very small proportion of all Gumment data is TS.
The extant 'white hats' or 'ethical hackers' are called Health Check penetration testers.
It is ALREADY HMG POLICY TODAY that ALL Information Systems for 'official purposes' are subjected to a Health Check penetration test.
This guff from O'Donnell is just ignorant politician twaddle, as noted by so many previous commenters on this story.
As I have previously opined, the problem is four-fold and the technical aspect of the "four pillars of stupidity" is actually the easiest to solve. HC pen testing does not and cannot change the culture in HMG departments. Hence the "where's the IT?" logo.
Oh my, they'll be making scissors illegal then?
These can, of course, be used to open envelopes to get at the data CDs held securely inside....
Typical Linux fanboi, using Ubuntu to solve a problem that isn't there. That computer does not belong to you, it belongs to your pop so you have no right to install a different OS on it just because you prefer it.
I am sick of people who install Firefox without asking the person who owns the computer. I use FF on my computer and I recommend it to others but it's their computer and not mine so they can do as they please with it. It seems that although you think you know more about computers than your dad, you have a lot to learn about people.
You clearly don't *get* the vetting process. If you are up front with past misdemeanours then it's perfectly possible to get clearance to quite a high level. Clearance is all about having your cards on the table with them. In the most basic vetting questionnaire they ask you if you have any dirty little secrets that would mean people could put pressure on you. If you are up front with the skeletons in your closet then they are normally OK with it, but if you don't disclose then you can kiss that clearance goodbye if they ever find out (and they will).
--- Mars Bars ---
"You clearly don't *get* the vetting process. If you are up front with past misdemeanours then it's perfectly possible to get clearance to quite a high level."
In the movie I was watching someone forgot to show up in person, and fsck'd the whole thing up.
"All passwords have been changed, networks redesigned, operations modified.
Now also multiple fake password databases in place.
W00!" said the public enemy.
At the end of the movie the viewer was left to realize that for such an operation to end on a good note, in person conversation with the bitch was required.
What a waste of resources, for something so simple.
It does make the viewer wonder, what is the motivation here?