The person who discovered that the child abuse reporting mechanism on the website of the Child Exploitation and Online Protection Centre was insecure has reacted with anger to suggestions from the agency that the flaw had only affected surfers visiting the site from either Facebook or Google. He says that contrary to CEOP's …
Re only affected surfers visiting the site from either Facebook
Considering the fuss CEOP made about panic buttons on Facebook why do they say "only" and describe those reporting possible perverts as "surfers"?
who posted via BT or virgin had their entire submission stored in the http accelerator caches for the PFYs to scan, download and sell to the papers. This will have the ACPO in an uproar as selling "breaking" info to the press is one of their revenue streams.
Considering how much of a song and dance CEOP made about getting the fb panic button added, I'm amazed not to have heard them release any figures about how many children have been "saved" by its very presence...
Call me cynical, but could that be because the number is so close to zero that it would be embarrassing for them to admit that it WAS the waste of time everyone told them it would be? Hmmm...
Number of incident reports through the CEOP reporting website
6,291 intelligence reports have been received by the CEOP Centre – a culmination of reports through the public
‘ClickCEOP’ reporting mechanism, from the online and mobile industries and law enforcement partners in the UK
Page 11 http://www.ceop.police.uk/Documents/CEOP_AnnualReview_09-10.pdf
Not very good with hyperlinks in general
I noticed this on one of their advertised jobs: the two hyperlinks in the listing are to CEOP's own Outlook Web Access site, rather than to www.ceop.police.uk or the mailto: link intended. Copy/paste job gone wrong? (http://www.ceop.police.uk/Recruitment/Vacancies/Head-of-Behavioural-Analysis-SG2-/ )
Clicking on the OWA link shows that there is no current SSL cert installed on that site either. Now, if it were for their GSI email then you could argue that it's on a secure network, but this is for their non-GSI mail, accessible outside of the secure Government network and therefore theoretically at risk of interception.
owa.ceop.gov.uk uses an invalid security certificate.
The certificate expired on 25/09/2010 00:59. The current time is 03/05/2011 12:47.
(Error code: sec_error_expired_certificate)
not so much
Just because it's expired doesn't mean it's not secure.
All it means is they've not paid for a new one. They don't magically switch off when a date passes.
but not exactly best practice?
Part of the security offered by SSL is that not only the link is encrypted, but you know that the site you're sending your confidential information to is who it says it is.
CEOP's internal users become used to ignoring security warnings - and lo, they're trying to pick up email in a hotel lobby at a conference for Paedofinders General and someone's hijacked the wifi and is spoofing CEOP's webmail. Perhaps not very likely, but possible.
Anyway, we have an organisation that can't be bothered to check the links in a job posting on their public website and can't be bothered to renew their SSL certs. An organisation that doesn't secure their report-a-paedo web pages. No wonder industry players were so loath to take instruction from them on how to build web services.
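The distinction drawn above between an encrypted link and a verified identity, as an added example that is not part of the thread: a Python function that applies the validity-period and hostname checks a browser runs against a certificate. The certificate dict is constructed in the format returned by `ssl.SSLSocket.getpeercert()`, with dates mirroring the warning quoted earlier (assumption: no real certificate was fetched).

```python
import ssl
from datetime import datetime, timezone

# Constructed certificate in getpeercert() format; the expiry date mirrors the
# browser warning quoted in the thread (assumption: not a real fetched cert).
EXPIRED_CERT = {
    "subject": ((("commonName", "owa.ceop.gov.uk"),),),
    "subjectAltName": (("DNS", "owa.ceop.gov.uk"),),
    "notBefore": "Sep 25 00:59:00 2009 GMT",
    "notAfter": "Sep 25 00:59:00 2010 GMT",
}

# The "current time" shown in the quoted warning, taken as UTC.
CHECKED_AT = datetime(2011, 5, 3, 12, 47, tzinfo=timezone.utc)


def dns_name_matches(pattern, hostname):
    """Match one SAN entry against a hostname, allowing a single leftmost wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def evaluate_cert(cert, hostname, now):
    """Return the identity problems a browser would flag for `cert` presented by `hostname` at `now`.

    An empty list means the checks shown here pass. The TLS session is encrypted
    either way; these checks are about whether the other end is who it claims to be,
    which is exactly what an expired or mismatched certificate no longer assures.
    """
    problems = []
    epoch = now.timestamp()
    if epoch < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not_yet_valid")
    if epoch > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_name_matches(p, hostname) for p in sans):
        problems.append("hostname_mismatch")
    return problems


if __name__ == "__main__":
    print(evaluate_cert(EXPIRED_CERT, "owa.ceop.gov.uk", CHECKED_AT))  # ['expired']
```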
CEOP haven't a clue
Hit the useless totcdanglers* hard Terry!
*Think Of The Children Danglers
a "technically advanced" hacker
CEO-speak for "anybody who can actually do more than just PowerPoint"
the lack of https use is not great, but it is to their credit that they at least fixed it quickly once they were told about it. They should have run SSL from the start, but realistically I do assume the "man in the middle" is much more likely to be looking for credit card numbers and bank account info than looking for use of CEOP web site.
On the other hand, saying it was only unencrypted when coming from Facebook or Google is a flat-out lie, and that is pretty inexcusable.