Lost data

After all the lost data from government departments WTF was the counsel employee doing with a USB stick in the first place.

Joined up government IT, my Arse.

Make 'em pay

"...the council was unable to process more than 1,800 parking tickets, at an estimated cost of £90,000, libraries lost out on £25,000 in fines and booking fees, council property rent went uncollected, and £14,000 was spent in sorting out delayed housing benefit claims."

Please remit to:

Steven Balmer

1 Microsoft Way

Redmond, WA 98052

"The specific virus hasn't been named...

... but it seems certain that it is Windows."

There, fixinated once again.

Epic Win for IT

So that's lack of virus scanning, lack of security permission lock down, lack of tested backup systems to recover lost data and yet another instance of government fail.

iPod

We recently had a lass who plugged in her iPod to "charge" ...

She didn't realize that it connected as a mass storage device, or realise that it could copy a file from her home machine to "autorun" on one of our "Instrument" PC's ... which unfortuatnely had to be run as administrator.

Fortunately it didn't spread ... but it did mean a reboot into Ubuntu to recover the data and a format and re-install of the disk.

The lass was mortified, USB devices are now disabled as part of the standard system install, autorun is now disabled as part of the standard system install and a nice Email from the director has told people not to do it.

Nice.

Spare capacity.

Further, it implies that Ealing council doesn't have a DR plan - or at least not one that isn't crap and very likely no spare capacity to deal with exceptional circumstances, such as the ability to catch up processing due to earlier downtime.

Of cause they don't have any spare capacity, that got thrown out under the last but one efficiency drive, when the PHB toled them to stop paying for all that unused equipment.

Lost revenue

Do they really mean "lost revenue"?

Sounds a bizarre arrangement.

Sorry, the computer system is down. We'll just cancel your parking ticket.

Sorry, the computer is down. This month's rent is free.

Sorry, the computer is down. You can reserve a book, but we can't charge you the usual fee.

Sorry, the computer system is down. You won't have to pay your library fine next time.

Someone will have to remind the Council how cash works.

Incompetence is incompetence, whether public or private

"One thing is correct in this story, if this had been a private company people would have been sacked: starting with the head of IT who allowed such an amateurish setup in the first place."

Utter rubbish. I work in a company that has been recently affected by Conficker, where (not just IT) business-critical decisions appear to be made based on private agendas and based on whose faces are in favour rather than what is demonstrably best for the business. It is not the only company I have worked in where this is the case.

Incompetence is incompetence, and it's just as likely in the private sector (where it will usually simply get swept under the carpet) as it is in the public sector.

@ Pete 2

Sadly we can only dream of a world where our Government and public sector are as accountable as those of us in the private sector, I wish I could see at one scrap of efficiency, competence or real accountability between the lot of them at least once in my lifetime!

Conficker? Doubt it!

Surely to God it could *NOT* have been Conficker? That patch has been out for *OVER 1 YEAR*.

Come on, Reg, we expect better of you. Or are you saying British IT at all levels is simply rubbish?

Oh, wait...

@Pete 2

All of what you said makes perfect sense but in order to apply it to public sector it will require a Council Tax rise.

Why, I hear you ask. Beacuse public sector never has enough resource to throw at those sort of setups in terms of money and/or manpower. Easy to make those comments if you work in the private sector as they will automatically throw money at the problem to fix it.

Inflated losses?

"the council was unable to process more than 1,800 parking tickets, at an estimated cost of £90,000, libraries lost out on £25,000 in fines and booking fees, council property rent went uncollected"

Library fines and fees I can see being a "collect now or miss the opportunity" thing, but parking tickets and rent? I though the former were issued by the warden-on-the-street's hand held systems, and uploaded to the central system later, while rents would go out whenever the appropriate system ran a batch mailing or similar.

In for both of these they should be able to clear the backlog when the main system's back up. Some extra overheads, but surely not an outright loss of the sums involved?

USB Condoms?

Is there a market?

I remember this.

That is all.

Grrrrr

People still have auto-run enabled. Jesus.

Another fine piece of outsourcing...

This is standard Serco practice - Perimeter defences only.

Re: Make 'em pay.

I'd be looking to remit it to the useless git at the council responsible for ensuring that their A/V definitions are so dated that they're still vulnerable to Conficker.

@Pete 2

It's easy to list all the things that /should have/ been done, but Council's do not have the resources required to a) create the infrastructure you describe and b) employ staff skilled and competent enough to operate it without them leaving for better paid jobs.

Having said that, Windows' overall crapness - starting with the staggeringly stupid Autorun facility - cannot be blamed on a lack of Council money.

Anti-virus? No thanks - that costs money!

Or am I being totally cynical?

Let's get it right

Local councils are a mess IT wise at least.

My wife works for a council and when they were going to get computers in, they were trained on Macs at a local school. They ended up getting Windows PCs. So that was a waste.

Then they got told to manually update the McAfee VirusScan software on their own machines manually once every week. This was despite the fact that the software can do automatic updates if the option is switched on. It wasn't.

I asked about this lack of IT skill being a IT engineer myself and I found out that the local IT person in charge of a large area of central Scotland was a Librarian. So go figure.

I had to laugh when this happened:

One of the PCs needed a new CR2032 battery fitted as it flashed it up on BIOS startup.

What were the staff told to do by the local council IT dept?

Phone the English PC hardware repair company which were located 200 miles away and ask them to come and fit it.

Needless to say, they didn't come up and posted a battery to them. Then the girls in the office had to try to fit the battery and course as you'd expect, they didn't know how.

So I did it unofficially for them.

The PC repair company charged the Council £25 (+VAT) for a £2 battery they could have bought down the road. Total down time was 4 days for a BIOS battery.

This is how this Council works. They have no money, and therefore no skilled IT professionals. They try to do everything on the cheap.

Councils have no idea how to set-up modern IT security. They still believe Security is just closing a door and putting a padlock on the door.

Linking between parking and libraries, etc?

It's not that the systems will be linked - that's highly unlikely that you'd have one app/DB sharing two systems - but what is likely is that the library and the parking DB were on scabby, 5Mb fiber links that were saturated by traffic, rendering them useless - or VPN'd ADSL links, or similar, low capacity, single-point-of-failure connections.

Council management much rather spending money on stuff they can see, like couches in meeting rooms and HD projectors, rather than redundant data links.

@ anon 13.21

This isn't about money or manpower, it's about basic housekeeping.

In my experience, both in the public and private sectors, IT departments consider it *way* beneath them to take care of the basics. There is nothing remotely exciting about tape archive management, trial restorations, AV and patch management and the like.

It is much better for your CV and for your credibility in general if you can talk about your strategy for leveraging the innovative power and opportunities of a hybrid virtualised storage infrastructure making best use of both private and hosted cloud architectures.

Come on, be honest, which would you rather impress the ladies with in the pub tonight? OK, neither I know, but you catch my drift.

Autorun

Am I the only one who rather liked this gizmo (esp. on DVDs!), and misses it now it's disabled? :'-(

Of course I'm (hopefully) savvy enough to not let anything infected anywhere near my boxes...

not so mysterious I guess ..

Come off it, John Leyden, no prizes for guessing the Operating System this "sophisticated virus" runs on?

"Like many other organisations, Ealing Council’s computer and telephone network was attacked by a sophisticated virus"

I'm running Portable Apps of a USB device here, on a local authority PC that's totally secure, as in right-click is disabled and the desktop is locked, except it really isn't, else how would I be able to run Portable Apps. Where are they getting their 'technical' staff lately ..

Else use a bootable USB running something like Ubuntu on a pendrive. Have the drive identify itself to the network before access is granted. Case closed ....

http://www.pendrivelinux.com/usb-x-ubuntu-610/

so let me get this straight,

They can't issue parking fines or library fines to the deserving but they can still catch up house benefraud payments to the thoroughly undeserving?

Great fucking country we live in

disable USB drive for security

"After all the lost data from government departments WTF was the counsel employee doing with a USB stick in the first place", John G Imrie

Look, the presence or absence of a USB drive does nothing what-so-ever to increase/decrease security. If I can get you to visit a certain web site or open a certain attachment, I can own your computer ...

Disable Autorun ....

Disable Autorun ... save half a million quid. That's a quarter of a million pints ( more because I'm sure there'd be bulk order discount ).

Utlimate blame rests with whoever enabled Autorun in the first place, and we know who does that to make all our lives "easier".

@AC - Make 'em pay

Yeah, very logical of you indeed. It's a shame that not everybody is as l33t / ahead of the curve (delete to suit fanboyism) as you are.

I suppose I could try to come up with an analogy about not using some other product properly, getting burned in some way, then blaming the vendor to show how deeply flawed your logic is, but what's the use?

On behalf of myself and all "windoze" users in the world, I would like to apologise for not being as truly brilliant as you are. We really would mend our ways if we could, but you should realise just how incredibly better than everyone else you are. It'd take us millenia to catch up.

Council Security

AC 'Let's get it right' said that "Councils have no idea how to set-up modern IT security. They still believe Security is just closing a door and putting a padlock on the door."

I thought it was well-established that you put the sensitive stuff downstairs "in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'."

@AC - 14:22

Don't tar us all with the same brush please. The district council I work for has a sophisticated and modern IT infrastructure. We have a staff of 27 in the IT department, which is not bad for the small council we are.

Our council is rated 'excellent' and I think we're very good IT wise. We've were one of the first areas in the UK to use WiMax for our remote sites/users, and we are currently trying to innovate with VDI-powered agile working projects in the pipeline.

Oh, and we change our own BIOS batteries.

About the article - sounds to me like this was either a 0-day threat, or they have no desktop on-access anti-virus! I hope for their sakes it was the former, but still I'm amazed at the damage and amount it cost them to recover.

@AC 15:02

I'm glad you and the other lusers have finally realised the true situation. If its really going to take you & the others millenia to catch up, I suggest you refrain from using a computer until that day.

Huh

CONFIG_USB_STORAGE=n

That was easy, wasn't it?

Which part of "do not compile anything into your kernel that you really don't need" do people not get?

Re: not so mysterious I guess

Your link points to a guide which covers Ubuntu 6.10! The support for that expired last year!

Still probably a darn sight more secure than Windows 2000!

You can do the same with Ubuntu 9.04 by booting from the CD, sticking in the USB stick and using the USB Stick creator.

Rob

*Upgrading* to XP????

Let me guess. They're running a mix of Windows 95/98? :)

Upgrading to XP? Are you kidding me?

And *please*, please don't tell me they're currently running Windows 2000 because that's a great OS even today, and an errant virus wouldn't require an upgrade from 2000 to XP!

They do understand XP has been end-of-lifed, right? As in the only copies available are sitting in a warehouse somewhere? Good luck finding 1800 of them...

Microsoft doesn't even allow you to downgrade Vista to XP at this point.

Besides, if they are running 95/98 they *can't* upgrade to XP. The hardware won't take it.

So we're looking at a situation where Windows 2000 machines don't *need* to be upgraded OR we're looking at Win 95/98 machines that *can't* be.

If they have to replace the machines anyway, hold off till they can get Win 7 machines!

Which will include MS's free AV program.

British IT must be rubbish indeed. Either that or someone's been reading too much BOFH...

Dumb management

Windows 2000? I guess all of their PC's have all of the latest patches? ROFL

Either the IT Director is responsible or the CFO who wouldn't let him have the money to keep their systems up to date.

Gov at its best.....

and not alone in the utter incompetance. Watched in awe at how the "Environment" Agency came up with a backup solution for 4 laptops (which were all being used as a desktop through docks, monitor, keyboard, shared printer etc)...they got two companies, one 150 miles away, and another 200 miles away to come and install a backup server. In comes company number one delivering a rack...a 42U comms rack. Next day in comes server company with a 1U rack machine....oops, it no fit. So they sit around for a week before the rack suppliers come, take the comms rack outside, and shoves it in a skip. Installs a new 42U rack. Server company returns and has now "scraped" *cough* the 1U rack server, and brought out a 2nd hand minitower. Shove it in the bottom of the rack, and give it a dog ancient DAT1 drive. The lil minitower gets a little toasty in the bottom of the rack, and bleeps away like a good one so out they come the rack people again and scrap the second 42U rack and replace it this time with a 24U fully air conned rack with all the trimmings...and still slap the minitower server in the bottom. Total cost of the job? £23k!!!! for a fecking backup system for 4 laptops?!

The amount of waste caused, the amount of insane travelling, the amount of cash for a job you could of done for peanuts is utterly disgraceful. Nice to see the gov knows how to use tax payers money well isn't it!