Has UK gov lost the census to Lulzsec?

The UK's Office for National Statistics and Lockheed Martin are racing to check if hacker group LulzSec has got its hands on this year's census data. Such a massive data loss would be embarrassing even for a government with such an amazing record of data protection failures. LulzSec's Twitter page has no mention of the …

COMMENTS

This topic is closed for new posts.


  1. Anonymous Coward
    Stop

    Seeing as anyone can post to pastebin

    Shouldn't we be exercising a bit more caution?

  2. Anonymous Coward
    Mushroom

    Good grief

    Incompetence abounds. This, if (when) released, will be a goldmine for scammers, stalkers, 419ers and other brigands. It will also mean that whatever trust is left for personal data security is blown away (which is a good thing in a small way "Can I take your name and address sir" "Not a chance, you'll just lose it!").

  3. Anonymous Coward
    Anonymous Coward

    In related news ...

    http://thenextweb.com/industry/2011/06/21/suspected-lulzsec-mastermind-arrested/

  4. Anonymous Coward
    Mushroom

    Goodbye trust

    If this proves correct, that will be the last straw for the minuscule trust that remains in anyone's ability to keep data safe in the UK - public or private sector.

    Completely useless wankers. A kicking would be far, far too good for them.

  5. Alex King
    Flame

    Oh FFS

    Isn't it about time we gave this bunch of pompous tits at LulzSec a massive punch in the face?

    I'm so fucking tired of these self-aggrandising little twats hiding behind the fig-leaf of testing security as an excuse for shits and giggles at everyone's expense.

    The more this kind of stupid crap goes on, the more of everyone's taxes the government will spend on security in an ever escalating arms race and, perhaps more importantly, the less useful stuff can be done with data by legitimate users.

    All these bloody fools will achieve is to make everyone poorer, everyone's lives harder and restrict everyone's access to legitimate information, giving governments and corporations the perfect excuse to be ever more restrictive and oppressive.

    To defend these oiks in any way would be like blaming yourself when your bicycle gets nicked, because you only used three medium strength locks rather than locking it in a lead-lined bunker behind a 12-tonne door with triple timer-protected deadlocks on 57-digit combinations.

    JUST. LEAVE. OTHER. PEOPLE'S. SHIT. THE. FUCK. ALONE.

    1. Ru
      FAIL

      Point: Missed!

      The takehome lesson here is not 'lulzsec are a bunch of little shits'. It is that net security is so woefully inadequate and the attitude of the people responsible for your information is lax to the point of irresponsibility if not dereliction of duty.

      Sure, it sucks that a bunch of juvenile delinquents stole your stuff, but, get this: how on earth did a bunch of juvenile delinquents get to steal your stuff in the first place? If they can do it, so can pretty much anyone. And indeed, there's a pretty big chance that people already have, but because they are serious criminals you won't find out about it til your credit card bill comes.

      Regarding bikes? Your metaphor sucks. It's a bit like giving your bike to someone else to keep safe, only to discover they left it locked up on the street with a £5 bit of wire and a 3-digit combination lock and it vanished the moment their back was turned.

      You should be grateful that the people who have exposed such incompetence are not more malicious.

      1. Richard 81
        Thumb Down

        Except

        Except that if/when they post that information on the internet for anyone to see, what little justification they have for their little crusade goes right out the window. There's nothing socially responsible about handing our data over to the people who will gladly fuck us over for real.

      2. Anonymous Coward
        Anonymous Coward

        @Ru

        "The takehome lesson here is not 'lulzsec are a bunch of little shits'. It is that net security is so woefully inadequate and the attitude of the people responsible for your information is lax to the point of irresponsibility if not dereliction of duty."

        And you've gleaned that from one unconfirmed posting on PasteBin which appears to be a lie? Well done.

      3. Anonymous Coward
        Stop

        @Ru

        I'm not confirming that this was the mechanism used because I just don't know, but it is reported that Lockheed Martin's internal networks were compromised by the RSA failure reported several weeks back, so it would not surprise me if they used similar technologies for the UK Census.

        If you are implementing a solution that relies on a security product that is proved faulty after installation, can the blame be put completely at your door?

        The fact that RSA keyfob one-shot password devices were in use in Lockheed Martin shows that someone was actually thinking about some security. RSA devices are widely used because they were trusted, and that problem has caught many organisations out.

        I am not saying that a single security measure is sufficient, but I wonder how many people commenting here have really tried to build a complete infrastructure that a) does not rely on third party security devices, and b) provides the level of security mandated by CESG. I'm sure that some have, but most have not.

        I'm not apologising for LM, but like so many things, it's actually much more difficult to do than most people think, and there are serious tradeoffs between security and cost.

        When I worked at government agencies in the past, the most secure systems were effectively on air-gapped networks, with multiple networks to each desk. This cost a lot of money, and ultimately meant that remote support was difficult to impossible. As you cut costs, you link things together using security products. This makes the environment vulnerable to third-party security failure. One bank I worked at had multiple security layers, and adjacent security layers could not be provided by the same technology. Very sensible, but also very expensive.

    2. Fuzz

      I'm agreeing here

      Should slack security be highlighted? Of course it should, publicly and people should be made accountable for it. Is this the right way to go about it? No.

      If I see someone in the street who's left their car door open with their wallet on the front seat do I?

      a) Point this out to them so they can deal with it

      b) Steal the wallet, sell the contents on ebay and then send a link for the completed auction to the owner.

      These people have to understand that they're not sticking it to the man here; they're not fighting the power. They're just messing with people's lives.

    3. Oliver Mayes

      Glad someone agrees with me

      If this is true then they need to be stopped immediately. It's one thing to attack a big corporation, it's another entirely to steal private information on potentially millions of innocent people and publish it on the internet.

      Again if true, this is them crossing the line into severe criminal activity needing harsh punishment.

      Of course there will be people supporting them and saying things like "Yeah, stick it to the man, expose those security failings LOL!!!" but how will they feel when it's their credit card details being used by criminals? I've already had my card details stolen like this three times this year from different reputable companies and had to waste time cancelling and re-issuing my cards.

      1. Dangermouse

        @Glad someone agrees with me

        What?

        So Lulzsec having this information = bad...

        but

        UK Gov, US Gov, EU, Arms Corp, whoever else the Gov sells it to = good?

        NOBODY should have this much info, plain and simple.

    4. noboard
      FAIL

      Errrmmm

      While I'm not a fan of lulzsec and they probably are a bunch of f*cknuts, moaning at them for getting the data is a bit short sighted. Yes they're probably doing it for kicks, but if they can do it so can criminal organisations that won't shout about it and the first thing you know is when the debt collectors come knocking.

      By all means think they're muppets, but never complain that people have publicly warned you that your private details are available to any crim with an internet connection.

      1. Alex King
        Thumb Down

        They haven't warned...

        ...they've threatened to publish, for no other reason than for 'lulz'. Totally ridiculous apologism for a criminal act here. Looks like a massive red herring anyway. Maybe it was an experiment to see how many people would defend them, just because they were going against 'the man'...

    5. tiggertaebo
      Black Helicopters

      Couldn't have said it better myself

      I was pretty much intending to post almost exactly the same thing but since you covered it quite well I don't think I will - I'll just say good on that man :)

      The only thing I would add is that at this stage we don't have any direct confirmation that the census hack itself has happened but the post is just as valid without it.

    6. SteveBalmer
      FAIL

      but but but

      they took away our OtherOS......

  6. Zog The Undeniable
    Mushroom

    If this is true

    The ConDems are finished. This is the identity theft to end them all.

    1. Tony Green

      I think you're forgetting...

      ...it was NewLab that gave Lockheed Martin the contract.

      1. IT veteran
        Stop

        But it was lost...

        On the ConDem's watch. That counts for a lot. Who is going to remember who issued the contract 10 years or so ago?

        At least, as my colleague has pointed out, this should put paid to all this craze in the govt about Cloud services.

      2. Anonymous Coward
        Stop

        I think *you're* forgetting

        the moronic nature of the British public, with a 5-second attention span. I've heard people banging on about "da cuts", (look at the ILF, for example) and blaming "da tories" when it turns out they were implemented 18 months before the election.

        Anyway, isn't one of the responsibilities of government that what happens on your watch is your fault, irrespective of who actually instigated it? It's certainly why they claim the jobs are paid so much.

  7. Simbu
    Big Brother

    Excuse me...

    While I invest in some tin manufacturing businesses...

  8. Arrrggghh-otron

    Consequences?

    If they did get their hands on the census data... what would that mean for the promises that were made about the security of our census data?

    I'll hazard a guess. The contractor gets the blame and nothing changes in government/whitehall... that or 'these evil hackers' are hunted down and burnt at the stake.

  9. Anonymous Coward
    Anonymous Coward

    Never

    Never ever trust sending your details to the US - if the government doesn't get it then the hackers will. I'd bet on the US gov getting it first though.

  10. Anonymous Coward
    Black Helicopters

    Chortle

    Not on it

    AC in case TheReg gets hacked (not that that would probably help at all)

  11. Absent
    Headmaster

    government efficiency

    Going by the speed and efficiency of past government bureaucratic operations I'd be highly surprised if all the census data had been collected, entered and collated yet.

    1. Cowardly Animosity
      Meh

      blerf

      It'll be data from all those who completed the online form, methinks. Oh well, good luck to them, my life is not exciting enough for me to care!

  12. Tony Green
    Facepalm

    Is anybody really surprised?

    Having written to the ONS in January expressing my concerns about the use of Lockheed Martin and the security of my personal data, the stock reply from Helen Bray (2011 Census Stakeholder Management and Communications) had the wholly un-reassuring conclusion,

    "I hope you will be reassured by the measures taken to protect the confidentiality of census information".

    ...oddly enough, I wasn't reassured. But since the incompetents at Lockheed Martin seem to have lost my form anyway, with luck at least my info didn't get leaked.

    1. Anonymous Coward
      Stop

      Lockheed Martin

      Is this the same Lockheed Martin that hadn't bothered to upgrade access to its VPN two months after it was publicly announced that RSA would have to replace 40 million tokens due to private keys having been stolen from RSA's server?

      http://www.pcpro.co.uk/news/security/367723/lockheed-martin-under-fire-over-rsa-breach

      >> " ... “Lockheed had slightly over two months from the time that EMC notified them and other RSA SecurID customers about their breach."

      and the same Lockheed Martin that has its traffic intercepted and monitored by the NSA?

      Is there no UK data that ultimately ends up in the hands of the US Govt?

      1. heyrick Silver badge
        FAIL

        @ AC

        The NSA doesn't need to bother snooping. Thanks to the Patriot Act, any data held on American soil is fair game for examination.

        The question here isn't about LulzSec or a red-herring hack post, but more WTFingF is the British government doing handing sensitive data on its citizens (even if the questions are boring, you can infer a hell of a lot from that much data) to a FOREIGN company where it will almost certainly be of interest to the FOREIGN government. If the British government does not feel competent to manage the census collection and collation, and there is no single British organisation capable, then the answer is bloody obvious - skip it. Wait until it can be coped with. Nationally, within the borders of the country concerned.

        Fail icon, because the British government is a laughing stock. Whatever LulzSec may or may not have done, the data is far out of their (the govt's) control by now. Congratulations.

        1. Anonymous Coward
          FAIL

          @heyrick

          Just because a US contractor is working on a project does not mean that the data is being stored on US soil. I don't know about the Census, but I do know about the DVLA, where the contractors are IBM and Fujitsu, and I can tell you that there is no wholesale storage of your car or license data anywhere outside of Swansea and Salford (although the D90 mainframe in Salford should have been decommissioned by now). That's where the servers are, and that is where the contractors work.

          There was simply no method of moving the data onto either IBM's or Fujitsu's corporate networks, and severe penalties (including prosecution) for anybody who did. This was understood, and is drummed into all people working on the contract on a monotonously regular basis.

          In case you hadn't noticed, there are very few companies prepared to work on large government bids that are not multinationals.

  13. Anonymous Coward
    Anonymous Coward

    I've been told this is impossible

    According to a source, I've been reliably informed that the data hasn't been processed by the government yet, so there isn't anything for LulzSec to steal.

    I hope he is right, otherwise this is a massive loss for the government, and it could be a massive issue for everyone in England and Wales.

    1. Anonymous Coward
      Unhappy

      er ...

      some people filled the forms in online - so surely a subset is available. Maybe not processed, but in a raw form?

  14. Marcus Aurelius
    Devil

    OMG

    My sekret membership of the Sith will be revealed.

    1. TeeCee Gold badge
      Coat

      Re: OMG

      Who's the other one?

      Always two there are. No more, no less.......

      1. Peter Murphy
        Thumb Up

        Never understood that line.

        What if you're a Sith apprentice and your master gets run over by a bus? Then you're well and truly fucked.

        Remember, kids: redundancy is your friend! Whether you're storing UK census information or supa-secret evil Jedi knowledge: a backup in time saves nine.

  15. Anonymous Coward
    FAIL

    Why do I *really* want this to be true ...

    You know it's wrong, but somehow good ...

    I just want to see people replay the assurances that were given before the census, (along with some saved webpages) and have our leaders tell us how wrong they were.

  16. <spez>
    Mushroom

    so....

    ...as was mandatory to fill it in, where can I claim my bit of data protection compensation for allowing my details out?

    I think I know where I can go for it.

  17. EddieD

    Irritating, but..

    Not significant - there are probably more damaging leaks of my data from other places - e.g. websites with my credit card details, medical history from my doctor's office, than from the census, which, when it comes down to it lists my name and address (in the phone book, with my phone number), my date of birth (not hard to find), my vocation and salary (as I work for a publicly funded organisation it's a matter of open record) and very little else.

    I do hope though, that the ICO fines the holders of this data a significant sum.

    Per record, of course.

    1. Anonymous Coward
      Anonymous Coward

      Fines!

      Fines are just passed on to the taxpayers - gaol terms are not.

  18. Atonnis
    FAIL

    This is going a bit too far...

    Look, if you want to f--k around and piss off a few companies and 'for teh lulz' then, even if I don't think it's funny, I won't care that much.

    However, if it's gotten to the point that the private information of every UK citizen is stolen and made available for anyone who wants it....that's just going too far. You're now putting people's lives at risk, in many different ways, not just from over-the-top fancies like terrorism (yeah yeah) but more from the risk that people will be able to find others who have had to make themselves lost for their own protection.

    1. Anonymous Coward
      Anonymous Coward

      Yes but...

      Those of us who considered our jobs might put at risk from "over-the-top fancies like terrorism (yeah yeah)" lied about our jobs, earnings and anything else vaguely related.

      When asked what my role was, I wrote something along the lines of "paperwork and stuff".

      Call me cynical, psychic or whatever but I kinda saw something like this happening.

      Wouldn't want to be someone who'd admitted to being UK Govt in NI though!

  19. Anonymous Coward
    FAIL

    Truly shocking

    Heads will roll. On the Moment Magnitude scale, this is the equivalent of a 9.0+.

    1. hplasm
      Big Brother

      Heads never roll..

      "Lessons are learnt".

      Twats.

  20. PinkImpala
    FAIL

    Not holding my breath for a tweet

    Seeing as how the police arrested a guy this morning, reportedly for being part of LulzSec

  21. Richard 120
    Coat

    Fucking Govt

    They're just bloody useless, the lot of them. Even the ones that aren't in control (oh wait, that's all of them)

    What we need is a benevolent dictatorship.

    My wife has been practicing her skills at running an almost benevolent dictatorship at our home for years. I'd say she's up to the task by now.

  22. This post has been deleted by its author

  23. TrishaD
    FAIL

    Oh Dear

    I note that it's now being claimed that an alleged 'ringleader' for Lulzsec has now been arrested. In Essex.

    If any of this actually proves to be true, then it may at least serve some useful purpose - to expose the utter idiocy of our government in entrusting personal data regarding UK subjects to a commercial organisation in the US.

    No doubt the US will go for extradition -

    'We want your citizen to stand trial in our country for stealing your data'.

    1. Elmer Phud
      Megaphone

      Ringleader?

      No, I'm Spartacus!

  24. TonyHoyle

    Not so sure...

    It's not like pastebin is particularly hard to edit... I'll believe it when I see it.

  25. Anonymous Coward
    Thumb Down

    Oddly enough, this was predicted

    By pretty much any of us who understand the real magnitude of what may have happened in RSA if the seed files *were indeed compromised/leaked*.

    At a BBQ last Sunday someone asked me about how secure did I think our census data was.....well I suspect when this hits the press they'll be shitting themselves.
