
Comments on the article: Thousands of fingered crims, informants spaffed in web security COCK-UP

An IT blunder splashed photos of suspected criminals and details of Brits who reported them over the internet, The Register can reveal. The Facewatch website, which allows police and businesses to upload and share evidence of alleged petty crimes, was left wide open thanks to a web-server misconfiguration. The schoolboy error …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Hire peanuts, paid monkeys

Seems the website is being run by a team of untrained monkeys..

The SSL cert is invalid..

8
1
Bronze badge

Re: Hire peanuts, paid monkeys

There's only one thing worse than an untrained monkey who doesn't know what he's doing: an untrained monkey who thinks he does know what he is doing.

17
0
Silver badge
FAIL

Re: Hire peanuts, paid monkeys

LOL. And not just a little bit "Oh we forgot to renew" invalid either!

The certificate is not trusted because it is self-signed.

The certificate is only valid for facewatch-web01.dc2.iomarthosting.com

The certificate expired on 04/09/12 12:24. The current time is 19/06/13 14:16.

FAIL.

14
0
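The three browser complaints quoted in the post above (not trusted because self-signed, only valid for another name, expired) as a stand-alone check. This is an added example, not code from the page or from Facewatch: the certificate is generated on the spot for the hosting-provider host name quoted above, with the expiry and "current time" taken from the quoted error, and the site name the client wanted (www.example.com) is an assumption since the page does not give it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSigned builds a throwaway certificate for the example: issued to
// itself, valid for a single name, with the validity window passed in.
// Constructed here; it is not the site's real certificate.
func makeSelfSigned(name string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Inspect runs the three checks a browser applies as separate checks, so
// every failure is reported rather than only the first one Verify returns:
// chain of trust, name match, and validity period.
func Inspect(cert *x509.Certificate, host string, now time.Time, trusted *x509.CertPool) []string {
	var findings []string

	// Trust: build a chain to the trusted roots with the clock pinned inside
	// the validity window and no name check, so this isolates the issuer.
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, CurrentTime: cert.NotBefore})
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		// A certificate whose own key validates its signature is self-signed.
		if cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
			findings = append(findings, "not trusted: self-signed")
		} else {
			findings = append(findings, "not trusted: issuer not in trust store")
		}
	} else if err != nil {
		findings = append(findings, "not trusted: "+err.Error())
	}

	// Name: the SAN list must cover the host the client actually asked for.
	if err := cert.VerifyHostname(host); err != nil {
		findings = append(findings, fmt.Sprintf("name mismatch: only valid for %v", cert.DNSNames))
	}

	// Time: compare against the caller's clock, in the UK date layout the
	// quoted browser message used.
	const layout = "02/01/06 15:04"
	if now.After(cert.NotAfter) {
		findings = append(findings, fmt.Sprintf("expired on %s, current time %s",
			cert.NotAfter.Format(layout), now.Format(layout)))
	} else if now.Before(cert.NotBefore) {
		findings = append(findings, "not yet valid")
	}
	return findings
}

// Scenario reproduces the quoted errors: a self-signed certificate for the
// hosting provider's host name, expired 4 Sep 2012, seen on 19 Jun 2013 by a
// client that wanted www.example.com (assumed site name) with an empty trust store.
func Scenario() ([]string, error) {
	notBefore := time.Date(2011, 9, 4, 12, 24, 0, 0, time.UTC)
	notAfter := time.Date(2012, 9, 4, 12, 24, 0, 0, time.UTC)
	cert, err := makeSelfSigned("facewatch-web01.dc2.iomarthosting.com", notBefore, notAfter)
	if err != nil {
		return nil, err
	}
	now := time.Date(2013, 6, 19, 14, 16, 0, 0, time.UTC)
	return Inspect(cert, "www.example.com", now, x509.NewCertPool()), nil
}

// Fixed shows the same checks passing once the certificate is trusted, named
// for the site, and inside its validity window.
func Fixed() ([]string, error) {
	now := time.Now()
	cert, err := makeSelfSigned("www.example.com", now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return Inspect(cert, "www.example.com", now, pool), nil
}

func main() {
	findings, err := Scenario()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Verify alone would have stopped at the first problem (expiry is checked before name and chain in Go's implementation), which is why the three conditions are tested independently; a monitoring job that only reports the first failure would have hidden the self-signed and wrong-name problems behind "expired".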

Re: Hire peanuts, paid monkeys

and just how many IT projects in general go wrong because of that? Or, maybe more frequently, a "manager" or project "executive sponsor" who can barely spell IT but wants to write the spec?

0
0
Anonymous Coward

Re: Hire peanuts, paid monkeys

Managed to find some semi-stored XSS on there and Google is still indexing the old HTTPS content...

That website is all kinds of broken..

5
0
FAIL

Re: Hire peanuts, paid monkeys

"The URL to which you referred us has been closed as this is no longer in use," said the chairman.

Great, so this site allows people to upload potentially sensitive information and they've deliberately closed the SSL site. Un-fucking-believable.

4
1
Coat

Re: Hire peanuts, paid monkeys

Oook!?!

Mine's the one with a Terry Pratchett book in each pocket.

1
0
Bronze badge

Re: Hire peanuts, paid monkeys

this > thing .. oh for an edit.

0
0
Silver badge

Re: Hire peanuts, paid monkeys

I bet it happened like this:

They hired a developer for X weeks

He set up SSL with self-signed certs, intending to replace them with signed certs later.

Management refused to spring for real cert.

Developer leaves

SSL site forgotten about

...

Profit

0
0
Anonymous Coward

Hilarious

They still have the secured by design logo up.

8
0
Silver badge
FAIL

Re: Hilarious

Has anyone there explained why the fuck there was DATA on there AT ALL!

The website should be the front window, everything of meaning should be done behind the scenes with the web server making authenticated requests of the back end servers (which is a lot easier to secure than hosting data on a bloody web server).

Who came up with this hokey standard anyway?

4
0
Anonymous Coward

Re: Hilarious

Has anyone there explained why the fuck there was DATA on there AT ALL!

Exactly my thoughts. I don't know how they work this website, but having this sort of data just one programming error away from disclosure is monumentally stupid, and a massive violation of trust.

1
0
Anonymous Coward

Did you say you looked El Reg?

Isn't that a breach of the Computer Misuse act?

Did you knowingly look inside a system you had not been given authorisation to?

Careful now... Just because the door's not locked doesn't mean you're allowed to look inside!!

2
2
Bronze badge

Re: Did you say you looked El Reg?

In this case, what door? This content was 'published' to the web.

Of course that probably won't stop your average Joe from getting his collar felt.

5
0
Silver badge

Re: Did you say you looked El Reg?

"Of course that probably won't stop your average Joe from getting his collar felt."

It hasn't in the past - and nor has it prevented people being found "guilty"

0
0

Re: Did you say you looked El Reg?

Did you knowingly look inside a system you had not been given authorisation to?

I haven't been given any authorization to look at this page - beyond that fact that it is open for me to access it. Which would appear to be the same "authorization" as the offending web site.

And it sounds as though it's not just the directory-listing enabling that is a problem - that just shows a directory listing. If users were then able to actually access the entries on the list then they would still be able to access them with directory listing switched off. They'd have to guess the names - but that's not the point.

0
0
WTF?

"a previous version of the code" - why on earth would a previous version of the code be found at the server root for HTTPS? Presumably the server root is the same between HTTPS and HTTP, as on most other sites. Sounds a likely story to me!

1
0
Linux

It is very much a different DocRoot for HTTP and HTTPS on this website, you get 404 on anything over HTTPS that works fine on HTTP.

0
0
Joke

I wonder...

...if soon they'll have a video of "a man brandishing a stick inside the FaceWatch office in Ipswich" ?

1
0
Gold badge

Name and shame them!

According to that quote, the site was penetration tested. Who by? Chimpanzees?

1
0
Anonymous Coward

Re: Name and shame them!

That was a mistake. They only penetration tested the manager.

1
0
FAIL

Well, if you pay peanuts you will get monkeys..

2
1
Anonymous Coward

Cmon learn!

I can accept mistakes like this happen. I can accept people attack systems to get what they can out of them. I accept that digital data is not secure.

So why does everyone insist on collecting as much data as possible about everything possible? People wouldn't mind so much data being lost if it didn't identify them.

1
1

Nebulous Constructions

So yeah...how's that cloud thing working out?

2
0
Anonymous Coward

"Secure by design"

If it genuinely was it wouldn't be on the fucking public Internet.

2
1
Bronze badge
Coat

Re :- include the Carphone Warehouse, Lloyds Bank and Ladbrokes, which runs a nationc

(Ok going to go for it.)

But Shirely Lloyds also runs a nationwide chain of betting shops????

6
0
Silver badge

Re: Re :- include the Carphone Warehouse, Lloyds Bank and Ladbrokes, which runs a nationc

At least with Ladbrokes you have an actual chance to walk out richer than when you went in.

The only people at Lloyds who do that are their much beloved bankers, not we bail-out mugs.

1
1
Silver badge
Trollface

El Reg was able to look through almost 5,000 records

Were you authorised to look at that material?

Otherwise you're in breach of the Computer Misuse Act 1990.

Computer Law has really got some catching up to do with the realities of the internet.

0
3
Anonymous Coward

Re: El Reg was able to look through almost 5,000 records

I think El Reg actually is covered under the various laws that protect journalists, but it would indeed be interesting to know if that's correct.

However, all it takes is the 3rd party showing it to El Reg and there is no longer a risk (and AFAIK El Reg can then protect the source). IANAL, it's an interesting question.

0
0
Anonymous Coward

Re: El Reg was able to look through almost 5,000 records

"Were you authorised to look at that material?"

Were you authorised to read this article? What's the difference?

0
1
Facepalm

Change of name maybe?

Facewatch? More like facepalm.

12
0
Gold badge
Trollface

Re: Change of name maybe?

Dubious coding practices and giving away scads of private data. Facepalm? I think not. They should rename it to Facebook.

6
0
Bronze badge
FAIL

What?

"The chairman admitted that contact details of security staff were left visible but they were people who took "all necessary precautions to protect their personal safety". "

Really? Most of the "security" you see in supermarkets are hardly former elite special forces, are they?

And what about the partners, children etc of those staff, does little Timmy at primary school take all necessary precautions after his parent is exposed?

It's fuckwits like this who give those of us who take data security seriously a bad name; as for the approval of his website, what a joke.

We really need a Terry Fuckwitt icon for people with this guy's unique skillset..

6
0
Anonymous Coward

Re: this guy's unique skillset..

Unfortunately I don't think it's unique

0
0
Bronze badge
Thumb Down

"Publicly distributing images of suspected criminals could cause a legal headache due to strict rules on defamation and contempt of court: publishing evidence of a person apparently committing a crime risks prejudicing a jury, should the case ever come to trial, or could ruin their reputation."

You would bloody hope so. Will Gordon be charged and tried though?

"Therefore, any risks in the publication of the email addresses are very unlikely. Our clients are required to post signs confirming that they are using CCTV and that images will be disclosed, many of our clients advertise that they are using the Facewatch system through such signs and by using other means. Therefore, the images of those that the police wish to contact are published with the full knowledge of the individuals concerned."

Many? That's not good enough. It should be all. I certainly would vote with my wallet and take my business elsewhere, to an establishment that is not their client.

0
0
Silver badge

I'm surprised

That the ICO hasn't ordered an emergency shutdown.

How large will the fine be this time?

1
0
Thumb Down

Re: I'm surprised

> How large will the fine be this time?

As much as the taxpayer can stand, +10%

0
0
Thumb Down

Re: I'm surprised

Which part of the DPA do you think they've actually breached?

I'm not convinced about the comment in the article re:defamation and prejudicing a jury either.

It's not defamation if it's true, that's an absolute defence, so CCTV of someone stealing cannot defame them (unless it's done with CGI or identifies the wrong person by name).

And of course it is impossible to prejudice a jury that doesn't exist (legally), until the CPS decides to prosecute (and starts that prosecution) there is no restriction on publishing the details of a crime. For a recent example, see the video of the soldier being stabbed in Woolwich. It was all over the news, along with pictures of the assailants.

Not that this excuses the appalling security of the site, but it does mean that they probably haven't actually committed any crimes as suggested, and may not have even breached the DPA.

0
0
Bronze badge
Pint

This is brilliant.

0
0
Silver badge

Curious

I can't find any mention of this in the 'meeja'

0
0
Anonymous Coward

More dodgy IT

The chairman said "We have undertaken penetration testing to ensure that the information stored in the Facewatch systems is secure and can confirm that all personal data are secure and that our systems are secure."

Evidently not as this news item explains. It's like the captain of the Titanic shouting "we are still watertight" as the ship goes down. He should ask his penetration testers for a refund.

0
0
Bronze badge
Paris Hilton

Some blame belongs to the web server software writers

I mean - given that it's almost the first thing that gets turned off by any admin with a clue, why does web server software ship with directory listing enabled from the outset? Initial settings should always be secured by default, with admins able to loosen the corset-strings when they need.

Paris, because she's got more clue than some of the people in this business!

0
0
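The point made in the post above, and earlier in the thread under "Re: Did you say you looked El Reg?", shown in running code. This is an added example and not code from the page or from Facewatch: Go's net/http file server lists directories by default, a small wrapper refuses directory requests (the equivalent of Apache's Options -Indexes), and a direct request for a known file name still succeeds either way, which is the second commenter's point that turning off the listing hides names but does not protect the files. The document root, the uploads/ directory and the file in it are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

// noIndex wraps a file-serving handler and refuses any request whose path
// resolves to a directory unless that directory holds an index.html.
// http.FileServer lists directories by default; this is the "off by default"
// the post above asks for.
func noIndex(root string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Clean the request path so ".." cannot escape root before we stat it.
		rel := filepath.Clean("/" + r.URL.Path)
		target := filepath.Join(root, filepath.FromSlash(rel))
		if fi, err := os.Stat(target); err == nil && fi.IsDir() {
			if _, err := os.Stat(filepath.Join(target, "index.html")); err != nil {
				http.NotFound(w, r)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// fetch performs an in-process GET against h and returns status and body.
func fetch(h http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

// Demo builds a throwaway document root holding one constructed file (no
// real data), serves it with and without the wrapper, and reports whether
// the directory listing leaks the file name and whether the file itself is
// still reachable by name.
func Demo() (leaksUnwrapped, leaksWrapped, fileStillServed bool, err error) {
	root, err := os.MkdirTemp("", "docroot")
	if err != nil {
		return
	}
	defer os.RemoveAll(root)
	if err = os.MkdirAll(filepath.Join(root, "uploads"), 0o755); err != nil {
		return
	}
	const name = "report-0001.txt" // constructed file name for the example
	if err = os.WriteFile(filepath.Join(root, "uploads", name), []byte("constructed sample\n"), 0o644); err != nil {
		return
	}

	plain := http.FileServer(http.Dir(root))
	hardened := noIndex(root, plain)

	// Default behaviour: the listing names every file in the directory.
	_, body := fetch(plain, "/uploads/")
	leaksUnwrapped = strings.Contains(body, name)

	// Wrapped: the directory request is refused outright.
	_, body = fetch(hardened, "/uploads/")
	leaksWrapped = strings.Contains(body, name)

	// Hiding the listing does not restrict access: a guessed or leaked name
	// still fetches the file, so the data itself must sit behind auth.
	code, _ := fetch(hardened, "/uploads/"+name)
	fileStillServed = code == http.StatusOK
	return
}

func main() {
	u, w, f, err := Demo()
	fmt.Println("listing leaks name (default):", u, "| leaks name (wrapped):", w,
		"| file still served by name:", f, "| err:", err)
}
```

The last result is the one that matters for a breach like this: once a file name has been indexed by a search engine or copied from an earlier listing, disabling directory indexes changes nothing, so the fix is authentication in front of the data, not a tidier listing.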
Facepalm

I think we should commend Facewatch, it's obvious from their site design that they have invented some kind of temporal displacement device - a time-machine if you will, and gone back to 1997 to contract the work out to a couple of amateur coders.

Web Services and SOA are still a distant dream to these guys, they're probably writing all text data to a csv in the root of the project too!

0
0

Try entering your name as Fred,Bloggs and check the csv in the root idea.

0
1
Facepalm

Wow, do I really have to explain to you that that was a joke?

0
0

heh

"And he argued the long lists of email addresses we saw were in the public domain already and could be "accessed by the public in order for people reporting crime to contact those who reported a crime on their behalf"."

I'm sure there are a few people who committed crimes that would like to "contact" the people who reported them on their behalf...

0
0