Scouts take down database due to 'security vulnerabilities' The Scouts Association has taken down its Compass database, which holds the records of nearly half-a-million young people and adult volunteers, after discovering a "potential security vulnerability," The Register can reveal. In a letter seen by El Reg and addressed to members this morning, the association said the decision was …
Come on Scouts UK HQ do the honourable thing - scrap the abomination that is Compass, and use OSM instead - you know, like the majority (95%+) of your Scout leaders already do, and like several national and international groups already do.
But then again, that would involve using something which was Not Invented Here, and would involve scrapping some VERY expensive contracts to your mates, wouldn't it?
It was obviously the beginning of the end when leaders started getting instructions that referred to their 'line managers', that and a growth in the number of managers... And it really has got worse and worse ( judging as the partner of a successful leader of 15 years who along with several colleagues has abandoned a once enjoyable voluntary activity that consumed a day a week)
One source told us: "If these bugs are being found by regular users, I am pretty sure the vulnerability assessment or code checking was poor."
It is always possible that someone found the problem through sheer weight in numbers. For some reason this explanation doesnt seem to come out too often but quite simply everything has its flaws and the more complex the more flaws. Just as the theory exists to do with monkeys and the entire works of Shakespeare, the same applies to a lot of discoveries in life.
As in most development work you try to make it fool proof, knowing full well there is always a bigger fool.
It is always possible that someone found the problem through sheer weight in numbers.
Only if these "numbers" were all testers. Consider:
1) Most people would only do the "expected thing", thus not proceeded into fresh, wild areas of the state space
2) Most people wouldn't know what they were looking at if a problem occurred, neither would they detect that it is a security problem
3) Most people upon encountering a problem would just say "DUH" and click on the back button, maybe reboot the PC
4) Most people wouldn't even bother to tell anyone about IT weirdness
This leaves people who know about IT, perform new operations, know what they are looking at with enough time on their hands (or are foolish enough, considering how these things may pan out) to tell somebody.
You have had some very tame users then. In every system I have seen or been involved with the users have always done unexpected things which cause them to pick up on little bugs to odd conditions but maybe I am used to suitably big projects to have them. Most software has various little bugs and larger problems and the more users/complexity the more problems there will be. And of course a serious security flaw can happen. And users do report them, at least the users I have had to deal with. I would think especially if they thought someone might be able to see their private information.
. It is good to see that common sense prevailed in the end to properly test this high-profile high-risk database.
I doubt it was "common sense". Given all the bad press over the Scouts worldwide, I'm suspecting this was first and foremost a knee-jerk reaction. I'm hoping I'm wrong and it really was concern and not fear of the media this time.
We were actually instructed by TSA (The Scout Association) to destroy all paper copies of youngsters records, such as addresses, medical detail like allergies, religion etc, once we had it all typed into the Compass system (which would have been a mammoth task if it wasn't already in OSM and therefore reduced to a bit of cut/paste and a few hand edits for things like telephone area codes which it needed in its own funny format.)
Luckily, perhaps, I don't think anyone in our group at least actually did so, which is as well, as it looks like we will need to go back to what we did before, at least for a while.
Not to mention the fiasco that is the loss and confusion of leader training records ;-)
To clarify things - COMPASS (aka COMPOST...) was taken down a couple of months ago and is not likely to be up again before the new year according to the latest bulletin.
It has been a complete laughable fiasco from the get go. So much so that i can only think the project mangers (if indeed there are any!) involved must have been subbed in from a recent MOD project team?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
