I completed the form yesterday
and had no problems.
A parental internet controls consultation document released by the Department for Education yesterday is currently exposing the email addresses, unencrypted passwords and sensitive answers of members of the public who fill in the associated form. Many Register readers have alerted us to the serious security flaw this morning, …
and had no problems.
Looks like it is probably some form of race condition flaw then. So it would trigger a problem of two or more people tried to submit details at pretty much the same time. It's pretty much pot luck if you notice it. It also means that the more people using the service, the greater chance of there being a problem.
This sort of flaw is often missed during (inadequate) testing.
So did I - their first FAIL was to email me with my password unencrypted!
And these are the folks pushing for a opt-out "perverts register", for our own good?
Making web forms that work correctly for >1 user isn't exactly rocket science. If they're rolling their own, and failing, then some developer is clearly having a laugh.
FOI request to find out how much the e-Consultation system cost?
yes, I watched you complete it
Firstly - this is a bit of a bitch for those who took part having their details spunked up the internet's walls.
Secondly - fuck yeah - goventards strike again - where's me popcorn, I think this one's going to produce some very entertaining official statements and random officials talking blatent balls.
Sorry about all the swearing, but today's my "Fuck-down Friday" - they dont do them in the public sector, they have to make do with "Fuck-up Friday" instead, or at least it seems that way.
Yup. Our fucking civic fucking duty dribbling all the way back down again. And after I (and others) urged people to sign the cunt too. And many did.
Time to throw my weight around again. How basic incompetence can cause human effort to multiply. They shouldn't be allowed computers, shouldn't be allowed around computers, shouldn't make decisions on anything harder than what vintage of port to pour down their fucking incompetent leathery necks.
Is it just me that heard that being spoken by Malcom Tucker? (I'm guessing it was intentional)
What a brilliant way to ensure those that understand the web don't comment on the consultation
I'm seeing someone else's detailed responses if I'm logged in, but not when I'm logged out.
Looks like there's only one account on the system and we all share it!
Ha ha. Yes, I can see exactly how you'd write a bug like that!
" It was the first the bureaucrats had heard of the problem, apparently, despite users posting comments exposing the issue directly on the site."
Yes. They got two emails and a web complaints form from me last night. This shows how seriously they take their feedback system.
Going back there now to see if I have grounds to contact the ICO. What fun!
Have you read the first page? They warn that all submissions may be made public at a future date, and even if you tick the 'keep confidential' box they will only take it as a polite request and not legally binding. I do wonder if this is standard procedure on consultations, or if I should invoke a little paranoia and attribute this to an attempt to further bias the study (As if the questions aren't loaded enough) - no-one is going to face a scandal for wanting to protect children, but for a person to ever admit publicly that they believe seeing a little porn isn't going to forever traumatise a child is the type of violation of the social order that could cost someone their job.
It is confidential up to the point where they make the decision of what to publish. There are also particular questions which specifically state that the answers given will always remain confidential.
The information you provide to register as a user of the site itself (not just the survey) should be confidential, but it is re-displayed on the first page of the survey, which can then be exposed to other users.
What is worrying is seeing your own answers over-written by someone with disturbing and extremist views and then having those answers permanently registered against your identity, potentially for future publication. Never mind such people then being able to read my answers along with my name, email and home address.
They warn that all submissions may be made public at a future date
I really don't think they can rely on that for what they've done and will be digging a deeper hole for themselves if they try to.
I think most reasonable people would take it to mean those consulted may have responses and comments they gave made public, not that who made them would be identified or they'd have their email addresses and other personal information handed out to all and sundry willy-nilly.
This doesn't excuse the fact that they are storing people's account passwords in the clear, and exposing them to random site visitors. The security implications have nothing to do with the consultation itself, or how they will use people's responses, and everything to do with exposing the names, email addresses and passwords of people using the site.
I just clicked the link to the site at 10:50am and immediately found myself logged in as someone else. I don't have an account with the e-consulation and this is the very first time I visited the site. Could be cookie related. The cookies I got were CFID=4947952 and CFTOKEN=84546187 so it could be that they aren't using particularly unique identifiers.
At just before 11 it stopped. I must have been one of the last ones to access it. So they were informed some time ago and only just got round to passing the message down the chain to the guy who knows how to do some HTML twiddling.
So allowing personal information to leak out is not such an important thing in their view.
Interesting - I don't recall seeing anything to tell you it's dropping a cookie on you (I may have missed it, wandering off to the signup page and fighting my way back, but there wasn't a specific prompt when I first arrived). Isn't that illegal nowadays too?
If it's necessary for the working of the site you don't have to ask. At least that's what legal is telling us
CFID and CFTOKEN are Coldfusion cookies to store session state. I've never seen a problem in 10+ years with crossover state like that, so I can only assume that their back-end coding is a bit borked.
And yes, by default, CF drops 30 year cookies onto your machine to manage state - even if you HAVE no state management code in the app. It's a bit of a faff to switch it off and do it manually with session-cookies but it can be done.
Getting my coat as I've just exposed the fact that I'm a Coldfusion dev and not a 'real programmer'.
"The cookies I got were CFID=4947952 and CFTOKEN=84546187 so it could be that they aren't using particularly unique identifiers."
These are the values in the URL given by eL Reg in the original article.
just went down 10:56am Friday 29/06/2012
The service is temporarily unavailable. Please try again later.
I email notified those people who's details I saw
I put it down to submitting "wrong" answers...
Either that or I'm clicking a bad link, but I can't get to the consultations area at all.
get a 500 error so they've either taken it down, or something is blocking it from appearing.
Just posting this here to remind myself more than anything, a few facts I wanted to point out when I comment, if anyone can figure out which sites have the exact percentages let me know.
First was that roughly 30% of households in the UK will have children present. Meaning that there are only 30% of people who would be directly affected by this.
In round about terms, that means that they're pandering to the minority rather than the majority. Not to mention that additional burden of constantly updating lists of banned sites ISPs would have to go through, which would mean additional costs which always get passed down to the consumer.
The government woudl be better off doing it as an actual opt in system, so you opt in for filtered internet. OR doing something which is probably smarter and easier, and making it a ruling that ISPs have to provide smut blocking software, giving instructions on how to set it up etc.
Personally I just set up openDNS with the adult material blocking so kids can't get through to a lot of sites on a DNS level. Add some smut blocking software on the PC side and dun-dun-dun you've probably got more protection now than if the ISP were to block it all itself.
All most parents need is some simple instructions, we don't need a blanket ban for any and everyone.
"All most parents need is some simple instructions, we don't need a blanket ban for any and everyone."
Could not Bletchley Park host a site with such instructions and appropriate open source software? It's memorable enough that with a modicum of promotion there would be few who did not know where to obtain advice and protection.
If they can balls up the consultation form can anyone really trust them with the data they will get after passing the Communications Data Bill .....
>It was the first the bureaucrats had heard of the problem, apparently,
>despite users posting comments exposing the issue directly on the site.
Well, if they aren't going to read the comments, what makes us think they are going to read the consulation?
It's put out by the DfE and is presented as a survey for parents, carers, young persons and members of the ISP industry. But it's far beyond that in scope, assuming to curtail and censor the freedom of all UK citizens.
There is one question somewhere in the middle asking if any default restriction should apply to all households or just those with children. This is not for the people they're supposed to be consulting to decide; it's hiding a nasty power-grab attempt to censor everyone.
I started filling in their questionnaire for a bit of fun yesterday - after having been identified as at least two different people by the site. Half way though submitting the questionnaire (page 3 or thereabouts), I started seeing the question boxes already filled in from another punter.
I have to say that I agreed with the punter's sentiments exactly* and I couldn't be arsed to carry on monkeying about with that site, so I jacked it in.
* The usual stuff about safeguarding kids being the parents' responsibility, being stupid if you have blind faith in automatic filtering etc. i.e. exactly the kind of stuff that would be likely to confuse a Daily Fail reader.
oh yes, the ICO, I'm sure they'll get together for a cup of tea from the trolley and decide it was just one of those things outside anyone's control
... in which case they will ream £325k from some hapless regional trust.
"Unless it involves the NHS obviously...
... in which case they will ream £325k from the taxpayers in the county of that hapless regional trust.
There, corrected that for you...
They're going to have to scrap all the on-line submissions received, apologise profusely, and start again.
Many of the entries will have been corrupted by someone else overwriting them (I know - I did that to some unfortunate yesterday, not realising that it wasn't just a fancy way of providing anonymous submission).
So what they have they can't trust, especially as (pointed out by Joefish above) a person's submission may now contain views that are totally contrary to the original.
Total, utter Fail.
Nah...they'll "re-establish congruity within the data sets by readjusting out of scope data by implementing a heuristically designed method allowing automated re-alignment."
Pint coz I feel dirty
Incidentally - the consultation was just one of many which were accessible via the same route, and all are now unavailable.
Which begs the question : has this cock-up affected all current consultations? Really bad if it has, because I think some of the other topics were even more sensitive than this one.
Oddly, my comment on the original story exposing the issue, and another separate one just saying 'click here to fill it in' have both been removed.
Did El Reg get trigger happy ?
Interesting. Do the comments still appear in your "My Posts" page? Just wondering about the technicalities of it.
How the hell did they mess this up? I've seen systems written by complete novices with two weeks PHP under their belt that don't mistakes as massive as that! Do they even test this stuff?
Our tax money at work I guess...
I'm guessing they do test it... with a single user-session at a time.
I can't help wonder if they used the same IT consultancy as RBS...
Clearly the development budget was blown on those resizeable text boxes...
"systems written by complete novices with two weeks PHP under their belt" -- but enough about menshn.com....
this is fucking shit
So is the consultation over?
Yes - It turns out they're not competent enough to have anything to do with the internet and have decided to leave it well enough alone. Yes, I know, Porco Rosso, clear to taxi, runway zero-niner...