back to article Join the gov consultation on net porn ... and have your identity revealed

A parental internet controls consultation document released by the Department for Education yesterday is currently exposing the email addresses, unencrypted passwords and sensitive answers of members of the public who fill in the associated form. Many Register readers have alerted us to the serious security flaw this morning, …

COMMENTS

This topic is closed for new posts.
  1. TRT Silver badge

    I completed the form yesterday

    and had no problems.

    1. djack

      Re: I completed the form yesterday

      Looks like it is probably some form of race condition flaw then. So it would trigger a problem of two or more people tried to submit details at pretty much the same time. It's pretty much pot luck if you notice it. It also means that the more people using the service, the greater chance of there being a problem.

      This sort of flaw is often missed during (inadequate) testing.

      1. Andrew Martin 1

        Re: I completed the form yesterday

        Making web forms that work correctly for >1 user isn't exactly rocket science. If they're rolling their own, and failing, then some developer is clearly having a laugh.

        FOI request to find out how much the e-Consultation system cost?

    2. Anonymous Coward
      Anonymous Coward

      Re: I completed the form yesterday

      So did I - their first FAIL was to email me with my password unencrypted!

      And these are the folks pushing for a opt-out "perverts register", for our own good?

    3. Anonymous Coward
      Anonymous Coward

      Re: I completed the form yesterday

      yes, I watched you complete it

  2. This post has been deleted by its author

  3. LinkOfHyrule
    FAIL

    Firstly - this is a bit of a bitch for those who took part having their details spunked up the internet's walls.

    Secondly - fuck yeah - goventards strike again - where's me popcorn, I think this one's going to produce some very entertaining official statements and random officials talking blatent balls.

    Sorry about all the swearing, but today's my "Fuck-down Friday" - they dont do them in the public sector, they have to make do with "Fuck-up Friday" instead, or at least it seems that way.

    1. BlueGreen

      ...having their details spunked up the internet's walls.

      Yup. Our fucking civic fucking duty dribbling all the way back down again. And after I (and others) urged people to sign the cunt too. And many did.

      Time to throw my weight around again. How basic incompetence can cause human effort to multiply. They shouldn't be allowed computers, shouldn't be allowed around computers, shouldn't make decisions on anything harder than what vintage of port to pour down their fucking incompetent leathery necks.

      1. Anonymous Coward
        Anonymous Coward

        Re: ...having their details spunked up the internet's walls.

        Is it just me that heard that being spoken by Malcom Tucker? (I'm guessing it was intentional)

  4. skipper
    FAIL

    What a brilliant way to ensure those that understand the web don't comment on the consultation

  5. Richard Gadsden

    Now doing it even worse

    I'm seeing someone else's detailed responses if I'm logged in, but not when I'm logged out.

    Looks like there's only one account on the system and we all share it!

    1. Anonymous Coward
      Anonymous Coward

      Re: Now doing it even worse

      Ha ha. Yes, I can see exactly how you'd write a bug like that!

  6. Andrew Martin 1
    Unhappy

    " It was the first the bureaucrats had heard of the problem, apparently, despite users posting comments exposing the issue directly on the site."

    Yes. They got two emails and a web complaints form from me last night. This shows how seriously they take their feedback system.

  7. Anonymous Coward
    Anonymous Coward

    Filled this in yesterday

    Going back there now to see if I have grounds to contact the ICO. What fun!

  8. Suricou Raven

    It wasn't confidential anyway.

    Have you read the first page? They warn that all submissions may be made public at a future date, and even if you tick the 'keep confidential' box they will only take it as a polite request and not legally binding. I do wonder if this is standard procedure on consultations, or if I should invoke a little paranoia and attribute this to an attempt to further bias the study (As if the questions aren't loaded enough) - no-one is going to face a scandal for wanting to protect children, but for a person to ever admit publicly that they believe seeing a little porn isn't going to forever traumatise a child is the type of violation of the social order that could cost someone their job.

    1. Joefish
      FAIL

      Re: It wasn't confidential anyway.

      It is confidential up to the point where they make the decision of what to publish. There are also particular questions which specifically state that the answers given will always remain confidential.

      The information you provide to register as a user of the site itself (not just the survey) should be confidential, but it is re-displayed on the first page of the survey, which can then be exposed to other users.

      What is worrying is seeing your own answers over-written by someone with disturbing and extremist views and then having those answers permanently registered against your identity, potentially for future publication. Never mind such people then being able to read my answers along with my name, email and home address.

    2. Jason Bloomberg Silver badge
      Thumb Down

      Re: It wasn't confidential anyway.

      They warn that all submissions may be made public at a future date

      I really don't think they can rely on that for what they've done and will be digging a deeper hole for themselves if they try to.

      I think most reasonable people would take it to mean those consulted may have responses and comments they gave made public, not that who made them would be identified or they'd have their email addresses and other personal information handed out to all and sundry willy-nilly.

    3. mangobrain
      Facepalm

      Re: It wasn't confidential anyway.

      This doesn't excuse the fact that they are storing people's account passwords in the clear, and exposing them to random site visitors. The security implications have nothing to do with the consultation itself, or how they will use people's responses, and everything to do with exposing the names, email addresses and passwords of people using the site.

  9. The Axe
    FAIL

    Still not working

    I just clicked the link to the site at 10:50am and immediately found myself logged in as someone else. I don't have an account with the e-consulation and this is the very first time I visited the site. Could be cookie related. The cookies I got were CFID=4947952 and CFTOKEN=84546187 so it could be that they aren't using particularly unique identifiers.

    1. The Axe
      FAIL

      NOW stopped working

      At just before 11 it stopped. I must have been one of the last ones to access it. So they were informed some time ago and only just got round to passing the message down the chain to the guy who knows how to do some HTML twiddling.

      So allowing personal information to leak out is not such an important thing in their view.

    2. Joefish
      Devil

      Cookie law? (was Re: Still not working)

      Interesting - I don't recall seeing anything to tell you it's dropping a cookie on you (I may have missed it, wandering off to the signup page and fighting my way back, but there wasn't a specific prompt when I first arrived). Isn't that illegal nowadays too?

      1. John G Imrie Silver badge

        Re: Cookie law? (was Still not working)

        If it's necessary for the working of the site you don't have to ask. At least that's what legal is telling us

    3. GrumpyJoe
      Coat

      Re: Still not working

      CFID and CFTOKEN are Coldfusion cookies to store session state. I've never seen a problem in 10+ years with crossover state like that, so I can only assume that their back-end coding is a bit borked.

      And yes, by default, CF drops 30 year cookies onto your machine to manage state - even if you HAVE no state management code in the app. It's a bit of a faff to switch it off and do it manually with session-cookies but it can be done.

      Getting my coat as I've just exposed the fact that I'm a Coldfusion dev and not a 'real programmer'.

    4. Dennis
      Facepalm

      Re: Still not working

      "The cookies I got were CFID=4947952 and CFTOKEN=84546187 so it could be that they aren't using particularly unique identifiers."

      These are the values in the URL given by eL Reg in the original article.

  10. Anonymous Coward
    Anonymous Coward

    just went down 10:56am Friday 29/06/2012

    Service Unavailable

    The service is temporarily unavailable. Please try again later.

    I email notified those people who's details I saw

    1. defiler Silver badge

      Service unavailable

      I put it down to submitting "wrong" answers...

  11. wowfood

    Site down?

    Either that or I'm clicking a bad link, but I can't get to the consultations area at all.

    get a 500 error so they've either taken it down, or something is blocking it from appearing.

    1. wowfood

      Re: Site down?

      Just posting this here to remind myself more than anything, a few facts I wanted to point out when I comment, if anyone can figure out which sites have the exact percentages let me know.

      First was that roughly 30% of households in the UK will have children present. Meaning that there are only 30% of people who would be directly affected by this.

      In round about terms, that means that they're pandering to the minority rather than the majority. Not to mention that additional burden of constantly updating lists of banned sites ISPs would have to go through, which would mean additional costs which always get passed down to the consumer.

      The government woudl be better off doing it as an actual opt in system, so you opt in for filtered internet. OR doing something which is probably smarter and easier, and making it a ruling that ISPs have to provide smut blocking software, giving instructions on how to set it up etc.

      Personally I just set up openDNS with the adult material blocking so kids can't get through to a lot of sites on a DNS level. Add some smut blocking software on the PC side and dun-dun-dun you've probably got more protection now than if the ISP were to block it all itself.

      All most parents need is some simple instructions, we don't need a blanket ban for any and everyone.

      1. David Pollard

        Bletchley Park

        "All most parents need is some simple instructions, we don't need a blanket ban for any and everyone."

        Quite.

        Could not Bletchley Park host a site with such instructions and appropriate open source software? It's memorable enough that with a modicum of promotion there would be few who did not know where to obtain advice and protection.

  12. yossarianuk
    FAIL

    Government should NOT be trusted with our data (Communications Data Bill)

    If they can balls up the consultation form can anyone really trust them with the data they will get after passing the Communications Data Bill .....

  13. Robert E A Harvey

    >It was the first the bureaucrats had heard of the problem, apparently,

    >despite users posting comments exposing the issue directly on the site.

    Well, if they aren't going to read the comments, what makes us think they are going to read the consulation?

  14. Joefish
    Stop

    Disingenuous survey anyway.

    It's put out by the DfE and is presented as a survey for parents, carers, young persons and members of the ISP industry. But it's far beyond that in scope, assuming to curtail and censor the freedom of all UK citizens.

    There is one question somewhere in the middle asking if any default restriction should apply to all households or just those with children. This is not for the people they're supposed to be consulting to decide; it's hiding a nasty power-grab attempt to censor everyone.

  15. Mike Bell
    FAIL

    Big Fail

    I started filling in their questionnaire for a bit of fun yesterday - after having been identified as at least two different people by the site. Half way though submitting the questionnaire (page 3 or thereabouts), I started seeing the question boxes already filled in from another punter.

    I have to say that I agreed with the punter's sentiments exactly* and I couldn't be arsed to carry on monkeying about with that site, so I jacked it in.

    * The usual stuff about safeguarding kids being the parents' responsibility, being stupid if you have blind faith in automatic filtering etc. i.e. exactly the kind of stuff that would be likely to confuse a Daily Fail reader.

  16. Anonymous Coward
    Anonymous Coward

    oh yes, the ICO, I'm sure they'll get together for a cup of tea from the trolley and decide it was just one of those things outside anyone's control

    1. Anonymous Coward
      Anonymous Coward

      Unless it involves the NHS obviously...

      ... in which case they will ream £325k from some hapless regional trust.

      1. Anonymous Coward
        Thumb Up

        Re: Unless it involves the NHS obviously...

        "Unless it involves the NHS obviously...

        ... in which case they will ream £325k from the taxpayers in the county of that hapless regional trust.

        "

        There, corrected that for you...

  17. Anonymous Coward
    FAIL

    Reboot

    They're going to have to scrap all the on-line submissions received, apologise profusely, and start again.

    Many of the entries will have been corrupted by someone else overwriting them (I know - I did that to some unfortunate yesterday, not realising that it wasn't just a fancy way of providing anonymous submission).

    So what they have they can't trust, especially as (pointed out by Joefish above) a person's submission may now contain views that are totally contrary to the original.

    Total, utter Fail.

    1. IT Hack
      Pint

      Re: Reboot

      Nah...they'll "re-establish congruity within the data sets by readjusting out of scope data by implementing a heuristically designed method allowing automated re-alignment."

      Pint coz I feel dirty

  18. Anonymous Coward
    Anonymous Coward

    Bigger Fail?

    Incidentally - the consultation was just one of many which were accessible via the same route, and all are now unavailable.

    Which begs the question : has this cock-up affected all current consultations? Really bad if it has, because I think some of the other topics were even more sensitive than this one.

  19. Tom Chiverton 1
    Unhappy

    Oddly, my comment on the original story exposing the issue, and another separate one just saying 'click here to fill it in' have both been removed.

    Did El Reg get trigger happy ?

    1. Anonymous Coward
      Anonymous Coward

      Interesting. Do the comments still appear in your "My Posts" page? Just wondering about the technicalities of it.

  20. This post has been deleted by its author

  21. tkioz
    FAIL

    How the hell did they mess this up? I've seen systems written by complete novices with two weeks PHP under their belt that don't mistakes as massive as that! Do they even test this stuff?

    Our tax money at work I guess...

    1. Suricou Raven

      I'm guessing they do test it... with a single user-session at a time.

    2. IT Hack

      I can't help wonder if they used the same IT consultancy as RBS...

    3. Joefish
      Holmes

      Re: How the hell did they mess this up?

      Clearly the development budget was blown on those resizeable text boxes...

    4. Rufo

      "systems written by complete novices with two weeks PHP under their belt" -- but enough about menshn.com....

  22. The Alpha Klutz

    shocked

    this is fucking shit

  23. Anonymous Coward
    Anonymous Coward

    So is the consultation over?

    1. Anonymous Coward
      Anonymous Coward

      Re: So is the consultation over?

      Yes - It turns out they're not competent enough to have anything to do with the internet and have decided to leave it well enough alone. Yes, I know, Porco Rosso, clear to taxi, runway zero-niner...

      1. Anonymous Coward
        Anonymous Coward

        Re: So is the consultation over?

        Upvoted for referencing "Porco Rosso"

        1. Anonymous Coward
          Anonymous Coward

          Re: So is the consultation over?

          And a possible downvote for forgetting that he doesn't use a runway..?

    2. Anonymous Coward
      Anonymous Coward

      Consultation over?

      No, it's not over - they're just taking it in-house so Joe Public can't rig it by submitting the wrong replies.

    3. Graham Marsden
      Big Brother

      Re: So is the consultation over?

      It was probably over before it began because it looks like they've already decided what answers they want and have "structured" the survey to generate those...

  24. Anonymous Coward
    Anonymous Coward

    And now...

    "The site is temporarily closed for maintenance."

    I'll bet it is! (oh, and even that page is invalid HTML...)

    If you go to Direct Gov, there's a page that lists 40 different government consultations websites. Wonder if they're all equally as good.

    Perhaps the Government Digital Service could so something actually useful and sort this lot out.

    Oh, I forgot, they're not about delivering stuff; their role is all about fucking over other government departments

  25. Anonymous Coward
    Anonymous Coward

    http://www.whatdotheyknow.com/request/consultation_security_breach_par/new

    1. Anonymous Coward
      Anonymous Coward

      Nice

      Since you're in to these, you could also ask who decided that a consultation on censoring the entire nation's internet access by default should only need to seek consultation from the 30% (accuracy?) of British households with children.

  26. Christoph Silver badge

    Problem? What problem?

    "It was the first the bureaucrats had heard of the problem"

    Look, you're the fiftieth person we've told today, we've never heard of this problem before!

  27. Brian Morrison
    FAIL

    Astonishing incompetence....

    ....even for government and government IT.

    Maybe I was one of the few people that was able to complete the survey without seeing anyone else's submissions, but now I will be asking some direct and awkward questions about this debacle.

    How do these people get allowed out of their sheltered accommodation, let alone be employed at our expense?

    1. Anonymous Coward
      Anonymous Coward

      Re: Astonishing incompetence....

      Orrrrrr... maybe you're one of the few people who didn't use the 'previous' button to see if your answers on a previous page were still your own..?

  28. The Alpha Klutz
    Thumb Up

    you will be wanking so hard your frenulum will snap off and bounce around the room

    and then you'll wish the government had blocked porn

  29. John Smith 19 Gold badge
    Joke

    The infomation the CCDP will collect will be *much* more securely held.

    After all if PI's *allegedly* working for News International publications (since shut down) could get hold of it *without* needing to pay them off how would they supplement their incomes? UK civil service pay is not that generous and the cost of living in Cheltenham is shocking.

    No way will *anyone* have copy or search privileges to the *whole* database and dump it to say a Lady Gaga CD for example.

    That would just be stupid.

  30. Eion MacDonald

    only this HMG site?

    On HMRC site they get sort codes to bank addresses wrong. This in their payment procedures. They say enter account number and sort code with warning check if bank below is correct , then instead of showing the bank branch ( which is tied to sort code) they show a back office regional centre the account holder probably never has known.

    1. Anonymous Coward
      Anonymous Coward

      Re: only this HMG site?

      Ah, but HMRC are true masters of incompetence. It's unfair to the others to make comparisions, really.

  31. Semaj
    WTF?

    TR-WTF

    So it's not really related but I want to know why this is even going through the DoE. WTF has it got to do with them? Surely it should be DoJ or similar?

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019