Hire peanuts, paid monkeys
Seems the website is being run by a team of untrained monkeys.
The SSL cert is invalid.
An IT blunder splashed photos of suspected criminals and details of Brits who reported them over the internet, The Register can reveal. The Facewatch website, which allows police and businesses to upload and share evidence of alleged petty crimes, was left wide open thanks to a web-server misconfiguration. The schoolboy error …
LOL. And not just a little bit "Oh we forgot to renew" invalid either!
The certificate is not trusted because it is self-signed.
The certificate is only valid for facewatch-web01.dc2.iomarthosting.com
The certificate expired on 04/09/12 12:24. The current time is 19/06/13 14:16.
FAIL.
Has anyone there explained why the fuck there was DATA on there AT ALL!
The website should be the front window, everything of meaning should be done behind the scenes with the web server making authenticated requests of the back end servers (which is a lot easier to secure than hosting data on a bloody web server).
Who came up with this hokey standard anyway?
Did you knowingly look inside a system you had not been given authorisation to?
I haven't been given any authorization to look at this page - beyond that fact that it is open for me to access it. Which would appear to be the same "authorization" as the offending web site.
And it sounds as though it's not just the directory-listing enabling that is a problem - that just shows a directory listing. If users were then able to actually access the entries on the list then they would still be able to access them with directory listing switched off. They'd have to guess the names - but that's not the point.
I can accept mistakes like this happen. I can accept people attack systems to get what they can out of them. I accept that digital data is not secure.
So why does everyone insist on collecting as much data as possible about everything possible? People wouldn't mind so much data being lost if it didn't identify them.
Were you authorised to look at that material?
Otherwise you're in breach of the Computer Misuse Act 1990.
Computer Law has really got some catching up to do with the realities of the internet.
I think El Reg actually is covered under the various laws that protect journalists, but it would indeed be interesting to know if that's correct.
However, all it takes is the 3rd party showing it to El Reg and there is no longer a risk (and AFAIK El Reg can then protect the source). IANAL, it's an interesting question.
"The chairman admitted that contact details of security staff were left visible but they were people who took "all necessary precautions to protect their personal safety"."
Really? Most of the "security" you see in supermarkets are hardly former elite special forces, are they?
And what about the partners, children etc of those staff, does little Timmy at primary school take all necessary precautions after his parent is exposed?
It's fuckwits like this who give those of us who take data security seriously a bad name; as for the approval of his website, what a joke.
We really need a Terry Fuckwitt icon for people with this guy's unique skillset.
"Publicly distributing images of suspected criminals could cause a legal headache due to strict rules on defamation and contempt of court: publishing evidence of a person apparently committing a crime risks prejudicing a jury, should the case ever come to trial, or could ruin their reputation."
You would bloody hope so. Will Gordon be charged and tried though?
"Therefore, any risks in the publication of the email addresses are very unlikely. Our clients are required to post signs confirming that they are using CCTV and that images will be disclosed, many of our clients advertise that they are using the Facewatch system through such signs and by using other means. Therefore, the images of those that the police wish to contact are published with the full knowledge of the individuals concerned."
Many? That's not good enough. It should be all. I certainly would vote with my wallet and take my business elsewhere, to an establishment that is not their client.
Which part of the DPA do you think they've actually breached?
I'm not convinced about the comment in the article re:defamation and prejudicing a jury either.
It's not defamation if it's true, that's an absolute defence, so CCTV of someone stealing cannot defame them (unless it's done with CGI or identifies the wrong person by name).
And of course it is impossible to prejudice a jury that doesn't exist (legally), until the CPS decides to prosecute (and starts that prosecution) there is no restriction on publishing the details of a crime. For a recent example, see the video of the soldier being stabbed in Woolwich. It was all over the news, along with pictures of the assailants.
Not that this excuses the appalling security of the site, but it does mean that they probably haven't actually committed any crimes as suggested, and may not have even breached the DPA.
The chairman said "We have undertaken penetration testing to ensure that the information stored in the Facewatch systems is secure and can confirm that all personal data are secure and that our systems are secure."
Evidently not as this news item explains. It's like the captain of the Titanic shouting "we are still watertight" as the ship goes down. He should ask his penetration testers for a refund.
I mean - given that it's almost the first thing that gets turned off by any admin with a clue, why does web server software ship with directory listing enabled from the outset? Initial settings should always be secured by default, with admins able to loosen the corset-strings when they need.
Paris, because she's got more clue than some of the people in this business!
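The two points raised in this thread, that directory listing should be off from the outset and that turning it off is not access control because anyone who knows or guesses a filename can still fetch it, come together in one Apache virtual-host fragment. This is an added example, not Facewatch's configuration or anything from the article; the hostname, paths and password file are placeholders.

```apache
# Added example, not the site's real configuration.
# Hostname, document root and htpasswd path are placeholders.
<VirtualHost *:443>
    ServerName evidence.example.invalid
    DocumentRoot /var/www/frontend

    # The weak default the comments complain about: a directory with no
    # index file answers with a listing of every file in it.
    # <Directory /var/www/frontend/uploads>
    #     Options Indexes
    # </Directory>

    # Step 1: listings off for the whole tree. A request for a directory
    # with no index file now gets 403 instead of a file list.
    <Directory /var/www/frontend>
        Options -Indexes -FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # Step 2: listing off is not access control. A direct request for
    # /uploads/report-0042.jpg would still succeed under Step 1 alone, so
    # the directory itself must require authentication. In Apache 2.4 the
    # Require in this more specific section replaces the parent's
    # "Require all granted".
    <Directory /var/www/frontend/uploads>
        Options -Indexes
        AuthType Basic
        AuthName "Evidence uploads"
        # placeholder path; create with htpasswd(1)
        AuthUserFile /etc/apache2/evidence.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

Step 2 is the minimum, not the design the earlier comment argues for: the stronger arrangement is that uploaded evidence never sits under the web server's document root at all, and the front end fetches it from a back-end store with an authenticated request on the user's behalf. Either way, the check to run after any such change is a direct request for a known file path without credentials, which must be refused; confirming only that the listing has gone does not establish that.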
I think we should commend Facewatch, it's obvious from their site design that they have invented some kind of temporal displacement device - a time-machine if you will, and gone back to 1997 to contract the work out to a couple of amateur coders.
Web Services and SOA are still a distant dream to these guys, they're probably writing all text data to a csv in the root of the project too!
"And he argued the long lists of email addresses we saw were in the public domain already and could be "accessed by the public in order for people reporting crime to contact those who reported a crime on their behalf"."
I'm sure there are a few people who committed crimes that would like to "contact" the people who reported them on their behalf...