Thousands of fingered crims, informants spaffed in web security COCK-UP

An IT blunder splashed photos of suspected criminals and details of Brits who reported them over the internet, The Register can reveal. The Facewatch website, which allows police and businesses to upload and share evidence of alleged petty crimes, was left wide open thanks to a web-server misconfiguration. The schoolboy error …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Hire peanuts, paid monkeys

    Seems the website is being run by a team of untrained monkeys..

    The SSL cert is invalid..

    1. Parax

      Re: Hire peanuts, paid monkeys

      There's only one this worse than an untrained monkey who doesn't know what he's doing; An untrained monkey who thinks he does know what he is doing.

      1. billse10

        Re: Hire peanuts, paid monkeys

        and just how many IT projects in general go wrong because of that? Or, maybe more frequently, a "manager" or project "executive sponsor" who can barely spell IT but wants to write the spec?

        1. Anonymous Coward
          Anonymous Coward

          Re: Hire peanuts, paid monkeys

          Managed to find some semi-stored XSS on there and Google is still indexing the old HTTPS content...

          That website is all kinds of broken..

      2. Parax

        Re: Hire peanuts, paid monkeys

        this > thing .. oh for an edit.

    2. David Hicks
      FAIL

      Re: Hire peanuts, paid monkeys

      LOL. And not just a little bit "Oh we forgot to renew" invalid either!

      The certificate is not trusted because it is self-signed.

      The certificate is only valid for facewatch-web01.dc2.iomarthosting.com

      The certificate expired on 04/09/12 12:24. The current time is 19/06/13 14:16.

      FAIL.

      1. Evan Essence
        FAIL

        Re: Hire peanuts, paid monkeys

        "The URL to which you referred us has been closed as this is no longer in use," said the chairman.

        Great, so this site allows people to upload potentially sensitive information and they've deliberately closed the SSL site. Un-fucking-believable.

        1. Tom 38

          Re: Hire peanuts, paid monkeys

          I bet it happened like this:

          They hired a developer for X weeks

          He set up SSL, with self-signed certs, intending to replace with signed certs later.

          Management refused to spring for real cert.

          Developer leaves

          SSL site forgotten about

          ...

          Profit

    3. NorthernCoder
      Coat

      Re: Hire peanuts, paid monkeys

      Oook!?!

      Mine's the one with a Terry Pratchett book in each pocket.

  2. Anonymous Coward
    Anonymous Coward

    Hilarious

    They still have the secured by design logo up.

    1. Sir Runcible Spoon
      FAIL

      Re: Hilarious

      Has anyone there explained why the fuck there was DATA on there AT ALL!

      The website should be the front window, everything of meaning should be done behind the scenes with the web server making authenticated requests of the back end servers (which is a lot easier to secure than hosting data on a bloody web server).

      Who came up with this hokey standard anyway?

      1. Anonymous Coward
        Anonymous Coward

        Re: Hilarious

        "Has anyone there explained why the fuck there was DATA on there AT ALL!"

        Exactly my thoughts. I don't know how they work this website, but having this sort of data just one programming error away from disclosure is monumentally stupid, and a massive violation of trust.

  3. Anonymous Coward
    Anonymous Coward

    Did you say you looked El Reg?

    Isn't that a breach of the Computer Misuse act?

    Did you knowingly look inside a system you had not been given authorisation to?

    Careful now... Just because the door's not locked doesn't mean you're allowed to look inside!!

    1. Parax

      Re: Did you say you looked El Reg?

      In this case, what door? This content was 'published' to the web.

      Of course that probably won't stop your average Joe from getting his collar felt.

      1. Alan Brown Silver badge

        Re: Did you say you looked El Reg?

        "Of course that probably won't stop your average Joe from getting his collar felt."

        It hasn't in the past - and nor has it prevented people being found "guilty"

    2. Gordon 11

      Re: Did you say you looked El Reg?

      "Did you knowingly look inside a system you had not been given authorisation to?"

      I haven't been given any authorization to look at this page - beyond the fact that it is open for me to access it. Which would appear to be the same "authorization" as the offending web site.

      And it sounds as though it's not just the directory-listing enabling that is a problem - that just shows a directory listing. If users were then able to actually access the entries on the list then they would still be able to access them with directory listing switched off. They'd have to guess the names - but that's not the point.

  4. Tom 101
    WTF?

    "a previous version of the code" - why on earth would a previous version of the code be found at the server root for https, presumably the server root is the same between https and http as on most other sites. Sounds a likely story to me!

    1. Anonymous Coward
      Linux

      It is very much a different DocRoot for HTTP and HTTPS on this website, you get 404 on anything over HTTPS that works fine on HTTP.

  5. Anonymous Coward
    Joke

    I wonder...

    ...if soon they'll have a video of "a man brandishing a stick inside the FaceWatch office in Ipswich" ?

  6. I ain't Spartacus Gold badge

    Name and shame them!

    According to that quote, the site was penetration tested. Who by? Chimpanzees?

    1. Anonymous Coward
      Anonymous Coward

      Re: Name and shame them!

      That was a mistake. They only penetration tested the manager.

  7. Rono666
    FAIL

    Well if you pay peanuts you will get monkeys..

  8. Anonymous Coward
    Anonymous Coward

    Cmon learn!

    I can accept mistakes like this happen. I can accept people attack systems to get what they can out of them. I accept that digital data is not secure.

    So why does everyone insist on collecting as much data as possible about everything possible. People wouldn't mind so much data being lost if it didn't identify them.

  9. IT Hack

    Nebulous Constructions

    So yeah...how's that cloud thing working out?

  10. Anonymous Coward
    Anonymous Coward

    "Secure by design"

    If it genuinely was it wouldn't be on the fucking public Internet.

  11. Spoonsinger
    Coat

    Re :- include the Carphone Warehouse, Lloyds Bank and Ladbrokes, which runs a nationc

    (Ok going to go for it.)

    But Shirely Lloyds also runs a nationwide chain of betting shops????

    1. Anonymous Custard

      Re: Re :- include the Carphone Warehouse, Lloyds Bank and Ladbrokes, which runs a nationc

      At least with Ladbrokes you have an actual chance to walk out richer than when you went in.

      The only people at Lloyds who do that are their much beloved bankers, not we bail-out mugs.

  12. Crisp
    Trollface

    El Reg was able to look through almost 5,000 records

    Were you authorised to look at that material?

    Otherwise you're in breach of the Computer Misuse Act 1990.

    Computer Law has really got some catching up to do with the realities of the internet.

    1. Anonymous Coward
      Anonymous Coward

      Re: El Reg was able to look through almost 5,000 records

      I think El Reg actually is covered under the various laws that protect journalists, but it would indeed be interesting to know if that's correct.

      However, all it takes is the 3rd party showing it to El Reg and there is no longer a risk (and AFAIK El Reg can then protect the source). IANAL, it's an interesting question.

    2. Anonymous Coward
      Anonymous Coward

      Re: El Reg was able to look through almost 5,000 records

      "Were you authorised to look at that material?"

      Were you authorised to read this article? What's the difference?

  13. veganhead
    Facepalm

    Change of name maybe?

    Facewatch? More like facepalm.

    1. I ain't Spartacus Gold badge
      Trollface

      Re: Change of name maybe?

      Dubious coding practices and giving away scads of private data. Facepalm? I think not. They should rename it to Facebook.

  14. nsld
    FAIL

    What?

    "The chairman admitted that contact details of security staff were left visible but they were people who took "all necessary precautions to protect their personal safety". "

    Really? Most of the "security" you see in supermarkets are hardly former elite special forces are they?

    And what about the partners, children etc of those staff, does little Timmy at primary school take all necessary precautions after his parent is exposed?

    It's fuckwits like this who give those of us who take data security seriously a bad name, as for the approval of his website, what a joke.

    We really need a Terry Fuckwitt icon for people with this guy's unique skillset..

    1. Anonymous Coward
      Anonymous Coward

      Re: this guy's unique skillset..

      Unfortunately I don't think it's unique

  15. Down not across
    Thumb Down

    "Publicly distributing images of suspected criminals could cause a legal headache due to strict rules on defamation and contempt of court: publishing evidence of a person apparently committing a crime risks prejudicing a jury, should the case ever come to trial, or could ruin their reputation."

    You would bloody hope so. Will Gordon be charged and tried though?

    "Therefore, any risks in the publication of the email addresses are very unlikely. Our clients are required to post signs confirming that they are using CCTV and that images will be disclosed, many of our clients advertise that they are using the Facewatch system through such signs and by using other means. Therefore, the images of those that the police wish to contact are published with the full knowledge of the individuals concerned."

    Many? That's not good enough. It should be all. I certainly would vote with my wallet and take my business elsewhere to an establishment that is not their client.

  16. Alan Brown Silver badge

    I'm surprised

    That the ICO hasn't ordered an emergency shutdown.

    How large will the fine be this time?

    1. Flywheel
      Thumb Down

      Re: I'm surprised

      > How large will the fine be this time?

      As much as the taxpayer can stand, +10%

    2. Steve 13
      Thumb Down

      Re: I'm surprised

      Which part of the DPA do you think they've actually breached?

      I'm not convinced about the comment in the article re: defamation and prejudicing a jury either.

      It's not defamation if it's true, that's an absolute defence, so CCTV of someone stealing cannot defame them (unless it's done with CGI or identifies the wrong person by name).

      And of course it is impossible to prejudice a jury that doesn't exist (legally), until the CPS decides to prosecute (and starts that prosecution) there is no restriction on publishing the details of a crime. For a recent example, see the video of the soldier being stabbed in Woolwich. It was all over the news, along with pictures of the assailants.

      Not that this excuses the appalling security of the site, but it does mean that they probably haven't actually committed any crimes as suggested, and may not have even breached the DPA.

  17. nuked
    Pint

    This is brilliant.

  18. Will Godfrey Silver badge

    Curious

    I can't find any mention of this in the 'meeja'

  19. Anonymous Coward
    Anonymous Coward

    More dodgy IT

    The chairman said "We have undertaken penetration testing to ensure that the information stored in the Facewatch systems is secure and can confirm that all personal data are secure and that our systems are secure."

    Evidently not as this news item explains. It's like the captain of the Titanic shouting "we are still watertight" as the ship goes down. He should ask his penetration testers for a refund.

  20. Jon Green
    Paris Hilton

    Some blame belongs to the web server software writers

    I mean - given that it's almost the first thing that gets turned off by any admin with a clue, why does web server software ship with directory listing enabled from the outset? Initial settings should always be secured by default, with admins able to loosen the corset-strings when they need.

    Paris, because she's got more clue than some of the people in this business!
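The directory-listing point raised by Gordon 11 and Jon Green, together with Sir Runcible Spoon's "front window" design, as an added nginx example that is not from the thread, from The Register, or from Facewatch: the weak configuration beside a hardened one in which listing is off and, more importantly, the evidence files live outside the document root and are only served after an authenticated application issues an X-Accel-Redirect. Hostnames, paths and the backend port are assumed placeholders.

```nginx
# WEAK: listing on, and the uploaded evidence sits inside the document root.
# Turning autoindex off here only hides the file names; anyone who knows or
# guesses https://host/uploads/<name> still gets the file.
server {
    listen 443 ssl;
    server_name facewatch.example;              # placeholder hostname
    ssl_certificate     /etc/ssl/certs/site.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/private/site.key;
    root /var/www/facewatch;                    # contains uploads/ with the images
    autoindex on;                               # directory listing: exposes every file name
}

# HARDENED: listing off, static assets only under root, evidence kept outside
# the docroot in an "internal" location that a client cannot request directly.
server {
    listen 443 ssl;
    server_name facewatch.example;
    ssl_certificate     /etc/ssl/certs/site.pem;   # CA-issued, not self-signed
    ssl_certificate_key /etc/ssl/private/site.key;
    root /var/www/facewatch/public;             # no user uploads live here
    autoindex off;

    # Every request for evidence goes through the application, which checks
    # the session and authorisation before deciding whether to release a file.
    location /app/ {
        proxy_pass http://127.0.0.1:8080;       # assumed application backend
    }

    # "internal" means a direct client request for /evidence/... returns 404.
    # The only way in is the application replying with
    #   X-Accel-Redirect: /evidence/<record-id>.jpg
    # after it has authenticated the requester; nginx then streams the file.
    location /evidence/ {
        internal;
        alias /srv/facewatch-evidence/;         # outside the document root
    }
}
```

With the hardened layout, disabling the listing is a convenience rather than the control: the files are unreachable by URL regardless of autoindex, which is the distinction Gordon 11 draws.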

  21. Anonymous Coward
    Facepalm

    I think we should commend Facewatch, it's obvious from their site design that they have invented some kind of temporal displacement device - a time-machine if you will, and gone back to 1997 to contract the work out to a couple of amateur coders.

    Web Services and SOA are still a distant dream to these guys, they're probably writing all text data to a csv in the root of the project too!

    1. Jess--

      try entering your name as Fred,Bloggs and check the csv in the root idea

      1. Anonymous Coward
        Facepalm

        Wow, do I really have to explain to you that that was a joke?

  22. JonP

    heh

    "And he argued the long lists of email addresses we saw were in the public domain already and could be "accessed by the public in order for people reporting crime to contact those who reported a crime on their behalf"."

    I'm sure there are a few people who committed crimes that would like to "contact" the people who reported them on their behalf...
