Brit MP Dorries: I gave my staff the, um, green light to use my login

UK MP Nadine Dorries revealed yesterday that she shares her parliamentary login information with her staff. This was an attempt to defend recently resurfaced allegations about porn allegedly found on fellow politician Damian Green's office computer. Tweeting on Saturday, Dorries disputed the assertion that only Green could …

  1. Sean o' bhaile na gleann

    Well, Nadine - that's you out of the running for any meaningful job in parliament. You'll only ever be a lightweight 'talking head', someone to fill a few seconds of dead time on the TV news (Hopefully!).

    Honestly with attitudes like this, how is Joe Public ever to be expected to take security seriously?

    1. Jason Bloomberg Silver badge

      More likely she will be well rewarded for her loyal efforts to defend Green from the accusations he faces.

    2. Anonymous Coward

      "that's you out of the running for any meaningful job in parliament."

      Really, Why is that? No-one who will have any say in her job prospects will care one little bit - I wish they would. We know how ridiculous it is that everyone in her office that logs onto the government network will be using that same login. The parliament's IT team will be aghast and pulling their hair out.

      However do you really think that any prime minister or chief whip will think - "oh won't touch her, she shares her password". I wish they would, but not a hope. Even the fact that this has only had a few brief mentions and no public outrage shows how little interest there is. Even with known foreign agents actively trying to get into systems - she's just provided easy access via an intern (and publicised the fact, FFS)

      Wait until an MP tries to criticise the NHS for the spread of Malware and then bring it up though.

      1. Prst. V.Jeltz Silver badge

        Too important to ...

        Every single time I have been upstairs to look at the PC of a person important enough to have a secretary PA, the PA knows the password.

        1. rmason Silver badge

          Re: Too important to ...

          Mirrors my experiences exactly.

          I'm amazed that *anyone* is amazed.

          This happens so frequently, and at so many places it's practically standard practice.

      2. tfb Silver badge

        However do you really think that any prime minister or chief whip will think - "oh won't touch her, she shares her password". I wish they would, but not a hope.

        In a world where there are competent people (so, OK, not our world), this would fix itself. If she was to achieve any kind of high office she would need to be security vetted, and she would fail that.

      3. macjules Silver badge

        Wait until Damian Green realises that he can just go into her office, ask an intern for Nadine's username and password and go back to his office and download more porn using her account.

        1. Dave 126 Silver badge

          > Every single time I have been upstairs to look at the PC of a person important enough to have a secretary PA, the PA knows the password.

          Indeed, and an 'important person' often has staff with access to snail mail and paper files too.

          There is the issue of a constituent having a reasonable expectation of correspondence addressed to an MP only being read by the MP or by a very limited number of others - five or six seems excessive. However, if a topic is really sensitive or confidential, then perhaps seeing the MP in their surgery is a better option. Or, as in one episode of Yes Minister, hiding in the bushes outside their front door.

        2. CustardGannet
          Facepalm

          @ macjules

          "Wait until Damian Green realises that he can just... ask an intern for Nadine's username and password"

          I can probably tell you her password right now, it'll be 'N4d1n3'

          1. Doctor Syntax Silver badge

            Re: @ macjules

            "it'll be 'N4d1n3'"

            Too hard. More likely 'nadine'.

            1. FlamingDeath Bronze badge

              Re: @ macjules

              qwerty12345

    3. Gotno iShit Wantno iShit

      Honestly with attitudes like this, how is Joe Public ever to be expected to take security seriously?

      A great many do take security seriously. Less take backbench MPs nobody ever hears of seriously. Virtually nobody takes I'm a vacuous wannabe 'contestants' seriously.

      1. BebopWeBop Silver badge

        It does not appear to have presented a problem for the Foreign Secretary

  2. Anonymous Coward

    Sends a terrible message.

    Essentially she's saying you can't prove someone is at the keyboard just because they've logged in.

    So should we no longer hold those with access to sensitive/secretive information to account then Nadine? Shall we just give all clinicians a generic log and forego any legal or moral obligation for accurate recording of information?

    Mystifies me why the more senior you are in a role, the less accountable you think you are. You should be setting an example others are held to. She should be fired.

    1. Doctor Syntax Silver badge

      Re: Sends a terrible message.

      "Essentially she's saying you can't prove someone is at the keyboard just because they've logged in."

      Sadly, this is true. If senior managers in business need to have their emails printed out to read them what can you expect of MPs whose only essential skill is chatting up their constituencies' selection committees?

      1. macjules Silver badge

        Re: Sends a terrible message.

        Rubbish. Look at programmes such as Sentinel which use biometric data to record not only your face but also your keyboard 'manner'. Those can certainly be used to set up specific data recording of an individual's actions.

    2. My Alter Ego

      Re: Sends a terrible message.

      Well, the public voted her in so of course she should be more trustworthy than us plebs. I can't wait for Damian Green to start claiming that it must have been a member of his office, because he too shares his credentials.

    3. Chrissy

      Re: Sends a terrible message.

      "Essentially she's saying you can't prove someone is at the keyboard just because they've logged in."

      This is the REAL payload of why she said this; she was sent out to perform a diversionary tactic and embed doubt into the public mind .... essentially to implant the thought "was it really him or one of his staff? I guess we'll never know, let's see what the X Factor result is."

      1. John Brown (no body) Silver badge

        Re: Sends a terrible message.

        "essentially to implant the thought "was it really him or one of his staff?"

        Hmmm...that should liven up the court cases for so-called online piracy claims. "Well, yer 'onour, everyone knows my password is 123456, so it could have been anyone torrenting all those films." Government ministers and MPs have set the precedent and created the doubt.

        1. Blotto Bronze badge

          Re: Sends a terrible message.

          Hmmm...that should liven up the court cases for so-called online piracy claims. "Well, yer 'onour, everyone knows my password is 123456, so it could have been anyone torrenting all those films." Government ministers and MPs have set the precedent and created the doubt.

          Anyone with access to the locked premises who knew the password, unless you're going to bolt your monitor and keyboard (or laptop) to the outside of your house with a sign stating free access. I suspect they'll find you negligent though for allowing access to happen on your system without attempting to properly guard against illegal activity.

          1. John Brown (no body) Silver badge

            Re: Sends a terrible message.

            "I suspect they'll find you negligent though for allowing access to happen on your system without attempting to properly guard against illegal activity."

            Are you being criminally negligent if you trust the family you live with and don't treat them like the enemy?

    4. Charlie Clark Silver badge

      Re: Sends a terrible message.

      Essentially she's saying you can't prove someone is at the keyboard just because they've logged in.

      For liability you don't have to: it's negligence.

    5. Lysenko

      Re: Sends a terrible message.

      Essentially she's saying you can't prove someone is at the keyboard just because they've logged in.

      The more charitable (though unlikely) interpretation is that she understands plausible deniability. A highly secure password is a distinct liability if you're doing something nefarious that might be detected. Far better to ensure that the login credentials are as widely circulated as possible in such a scenario.

      1. Charlie Clark Silver badge

        Re: Sends a terrible message.

        The more charitable (though unlikely) interpretation is that she understands plausible deniability

        Depends on the jurisdiction but in general it will leave you liable if not necessarily culpable and possibly even an accessory.

        Cf. the recently withdrawn German law on Störerhaftung (operators of free wifi being held liable for crimes committed using their network). Or anyone outside the US not keeping firearms safely locked up.

        1. Lysenko

          Re: Sends a terrible message.

          Depends on the jurisdiction but in general it will leave you liable if not necessarily culpable and possibly even an accessory.

          Unless you can prove mens rea beyond all reasonable doubt then under English law you're almost certainly looking at a negligence action in tort (civil law) at the most, if you can locate an injured party.

          To establish criminal negligence you would have to prove that the specific consequences of the sloppy security were reasonably foreseeable and, in practice, you almost always need a consequence of death or severe physical injury. There are no "Administrative" offences in English law - you're either a criminal or else someone has to sue you for damages.

          1. Charlie Clark Silver badge

            Re: Sends a terrible message.

            Unless you can prove mens rea beyond all reasonable doubt then under English law you're almost certainly looking at a negligence action in tort (civil law) at the most, if you can locate an injured party.

            There currently is no criminal case but the argument would be over confidentiality, potentially of state secrets in which case the Crown would be the injured party. In such a hypothetical case I don't think that "all my aides know passwords" would wash that well and I suspect Special Branch may already have had words.

    6. The_Idiot

      Re: Sends a terrible message.

      "Essentially she's saying you can't prove someone is at the keyboard just because they've logged in."

      Sadly, true.

      However, it also (to me at least) illustrates where biometric _identification_ can serve a purpose. NOT AS A PASSWORD. Oh - and if I didn't shout that loudly enough, NOT as a #%#$%^%^& _PASSWORD_!

      A combination login using the individual's account name, the individual's password _and_a_scan_of_biometric_data_ would potentially help identify whether it was MR/ MRS/ MS MP using his/ her details or some other identifiable individual. And I say 'potentially' and 'help' because I freely accept biometric scans (in their variety of forms) are not unbreakable.

      But it would help. Maybe.

      'Pr0n was downloaded at 11:00, Sarge. Mr MP was logged in, but the fingerprint scan said it wasn't him, it was his PA/ intern/ tea-person.'

      Incidentally, at the risk of sounding paranoid, said biometric scan should be repeated on logout, before logout takes place, and on every 'go to sleep' timeout. That way, you have a chance of knowing it was still the same individual, and not someone using the account they didn't logout of while they went to the washroom, out for a smoke break, off to lunch etc.

      Biometric. Who-I-am. Of course, I'm an Idiot...

      1. Anonymous Coward

        compulsory one handed typing

        Agreed, a fingerprint reader that requires five fingers to be in contact with the scanner at all times would greatly reduce incidents of this type.

  3. tfb Silver badge
    Mushroom

    I don't understand this

    In most places I've worked in recent history sharing your password would be an escort-you-out-of-the-building offence (OK, I was often a contractor: it might have been only a written-warning offence for employees). These weren't big official-secret type places. (Looking at porn on work computers or networks would have a similar punishment -- there's a reason for the 'NSFW' tag people put on things which are, well, NSFW: quite independently of whether looking at porn is wrong, it is clearly wrong at work.)

    But this is OK if you are an MP, because MPs don't do anything which might be at all sensitive, right? It would not matter at all if some intern sent mail, or posted to Twitter or whatever, from an MP's account. Indeed, it's convenient that they can: 'all those racist comments from my account, those weren't me they were some intern'.

    And these are the people who want to legislate as to whether we can use strong encryption. What the fuck is going on in their minds?

    1. Darth Poundshop
      IT Angle

      Re: I don't understand this

      "And these are the people who want to legislate as to whether we can use strong encryption. What the fuck is going on in their minds?"

      Party politicians don't have 'minds' they have 'hobbyhorses' and 'spin'

      1. Dave 126 Silver badge

        Re: I don't understand this

        MPs can't be sacked in that conventional way because they are appointed by their constituents. If material found on a computer were grounds for an elected MP to be suddenly dismissed then there might be a chilling effect on democracy - it'd be too easy for a motivated party to place such material on the MPs computer if a change of MP suited their ends. They're elected as representatives, not as expert white hats.

        What's insidious about this Green affair is that the copper himself says he can't prove anything - in which case, why even mention it?

        1. disgustedoftunbridgewells Silver badge

          Re: I don't understand this

          What's insidious is that this ex copper kept information he was supposed to destroy, then stole it when he left his job, kept it and eventually publicised it.

          What's his end game? A book deal? Become a talking head? Or is this just to try to bring down a Conservative minister? Nobody will ever employ him in a position of trust again.

          I don't buy the moral outrage line.

          1. Lysenko

            Re: I don't understand this

            What's insidious is that this ex copper kept information he was supposed to destroy, then stole it when he left his job, kept it and eventually publicised it.

            It's been a while since we've had a decent Contempt of Parliament action. I hope Bob the Plod realises that he can be banged up for this by Parliament itself (i.e. without bothering the CPS and the Courts).

        2. tfb Silver badge

          Re: I don't understand this

          That's right. So there should be a proper enquiry to establish how the data got there.

          If it got there because he shared his password then he is clearly a national-scale security risk, since he holds a senior role in government and is presumably therefore party to state secrets, including extremely sensitive ones. We probably do not want people who share their passwords having that kind of position.

          If it got there because he was looking at porn at work, then, well, I'm not sure what the right punishment is. Personally I would not want someone that stupid & distracted at work in my government.

          If it can not be established how it got there then the IT infrastructure that MPs use has catastrophic security problems. This is in most respects the worst outcome, because it means that we should assume a breach.

          1. Nick Ryan Silver badge

            Re: I don't understand this

            Password sharing is one thing, and a measure of both stupidity and contempt of security.

            Looking at porn: fine. MPs are, vaguely, in the most broad sense, sometimes passably human and therefore looking at porn is just fine with me. Of course, the rabid god-botherers, of which there are a number of them in the list of MPs, may feel otherwise but these probably have more "deviant" (in their eyes) porn habits to hide therefore may not shout too loudly just in case. Lithographs of victorian ankles included (thank you, Daily Mash, for this one!)

            Looking at porn on a parliamentary system? The same system which the MP has access to material of national importance and possibly national secrets, is a thoroughly stupid, braindead thing to do. If it's a cache of images and possibly videos then I would be reasonably lenient however it's unlikely to be this and the morons are probably just browsing porn sites, using Internet Explorer. Such sites are likely to be only marginally less targeted by malware than "warez" sites and the click-bait-trash "listicle" and "article" sites which tend to be 85% advert, 12% white space and maybe, just maybe, some content squeezed in there somewhere.

            MPs, and parliamentary staff, are meant to set examples to us all. If we fiddle our expenses we get fired and the tax man and therefore the courts take a very dim view of the situation. If we bribe people or accept bribes it becomes a criminal matter. If we violate security through providing privileged access to those that shouldn't have it we're likely to, at a very minimum, be given a formal verbal or written warning and in some cases, instantly dismissed. If we browse porn on work systems we can expect likewise.

            MPs, on the other hand, seem to feel that they are above all of this and any attempt to make them more accountable, or to enforce more accountability on them (one of the EU's aims) is considered a bad thing. A very bad thing indeed.

            1. Lysenko

              Re: I don't understand this

              If we bribe people or accept bribes it becomes a criminal matter. If we violate....

              If we make statements that are libellous or disregard Court injunctions then we are liable to be prosecuted ... and MP are not ... at least not if the activity takes place inside the Palace of Westminster.

              MPs have several extra rights, privileges and immunities by design. That's why the original raid was controversial since it was, prima facie, potential interference with an MP in the conduct of his duties (which is Contempt of Parliament).

              What MPs, or rather Parliament as a whole, consider a bad thing is allowing the Judicial and Executive (i.e. the Police) branches of Government to inquire into the proceedings of the Legislature because it breaches the principle of separation of powers which was essentially the root cause of the Civil War.

        3. macjules Silver badge

          Re: I don't understand this

          MPs can't be sacked in that conventional way

          Then we have to find an unconventional way. Would a lamppost and several yards of hemp do the trick do you think? Thankfully we do still have 650 lampposts in London.

  4. Neil McCauley
    FAIL

    Disturbingly common

    Dorries' shambolic approach to computer security is not exactly uncommon in politics. Things I've personally witnessed in the office of a prominent Scottish politician:

    Admin access given to all staff, including unvetted temps and volunteers.

    "You've brought your own laptop? Great, the wireless password is on the whiteboard."

    PCs left unlocked and unattended in an unlocked office while staff go for lunch.

    1. disgustedoftunbridgewells Silver badge

      Re: Disturbingly common

      So you're saying it was an intern who sold all our gold?

  5. colinb

    Facepalm

    Ah the old he's not a Liar, he's an idiot, like me, defence.

  6. iron Silver badge

    So it is *utterly preposterous* to assume that the user sat at a Parliamentary computer is the user who is logged into it yet that is exactly the kind of assumption made when prosecuting a member of the public because their IP address was used to download MP3s, hack NASA or DDOS Sony. Clearly it's one rule for the pigs and another for the rest of the animals.

  7. Darth Poundshop
    Flame

    AAAAAAAAAARGAAAAAAAGAHHH

    ...AAAAAAAAAARAGAAGGAGGGHHH

    THESE PARLIAMENTARY DIPSHITS MAKE LAWS...AND DECISIONS ON NATIONAL SECURITY...AND ARE IN CONTROL OF BILLIONS OF OUR MONEY

    I can't take it any more, we might as well put a President Putin statue up in Trafalgar Square right now

    AAAAAARARARRAGGGH

  8. goodjudge

    Didn't care, won't care

    Remember that this is the same politician who "cares" so much about her constituents that she disappeared from Parliament a few years back to go on I'm A Celebrity... She's pretty much un-embarrassable and she represents an unswervingly true-blue part of the country. She knows there'll be no consequences for her.

  9. Anonymous Coward

    This stupidity aside, I don't understand why so much noise is being made about this. Even if the allegations are true, so fucking what? Just give him a slap on the wrist and move on, there are far more important things to be dealing with.

    1. Anonymous Coward

      There's two camps. One full of prudes who are shocked and appalled that someone watches porn and one full of balanced individuals who are aware that the police officers behind this story are leaking confidential information for political reasons. It's the second one that shouldn't be brushed under the carpet.

      Did that help?

      1. Anonymous Coward

        OP here, I totally agree but the media seem to have been focusing on the first one. The raid itself was bad enough, I haven't forgotten the uproar that caused at the time.

    2. Anonymous Coward

      He's already done too much wrist slapping.

  10. phuzz Silver badge
    Pint

    "Make the card part of their ID card so they are less likely to ‘loan’ it"

    Make it part of whatever ID they have to use to get into the subsidised Commons bar and they'll definitely not share it.

  11. David Gosnell

    According to the Times [usual disclaimers apply]...

    One of the ex-cops embroiled in this insists: "The computer was in Mr Green's office on his desk, logged in, you know, his account, his name. In between browsing pornography he was sending emails from his account, his personal account, reading documents, writing documents and it was just impossible it was exclusive and extensive that, you know, it was ridiculous to suggest that anyone else could have done it."

    You know. Well maybe. I sort of get what he's saying. You know.

    1. HmmmYes Silver badge

      Re: According to the Times [usual disclaimers apply]...

      I'm guessing superITcopper has not heard of a multitasking OS?

      Even less spyware that could be downloading pics automagically.

      1. tfb Silver badge

        Re: According to the Times [usual disclaimers apply]...

        If there is spyware on a senior member of the government's computer we have pretty big problems.

    2. Brangdon

      Re: According to the Times [usual disclaimers apply]...

      He said there were thousands of images, and that they were thumbnails. Makes me wonder if he clicked some crazy cascading popup thing which he couldn't stop, that downloaded the thumbnails. I gather there were some full-sized images too, but not much has been said about them. It's all about the thousands of thumbnails.

      1. HmmmYes Silver badge

        Re: According to the Times [usual disclaimers apply]...

        Here's a 2x2 pixel donkey porn: .

        Want something more extreme?

        1x1: Osama bin Laden gay orgy: .

    3. disgustedoftunbridgewells Silver badge

      Re: According to the Times [usual disclaimers apply]...

      I'm curious how this copper knows what time he was reading documents.

      I'm also curious what mechanism was supposedly used to recover the deleted browser cache files which retained metadata.

  12. wolfetone Silver badge

    How many would-be terrorists are looking at what she's said and using it as part of their defence?

    "It was a home computer, we all shared the one login, you can't prove I looked at the material because people used my account."

  13. Andytug

    Yet if any other civil servant did this

    it would be a disciplinary offence!

    It's actually far worse for an MP to do this, because they have confidential correspondence with constituents, lawyers etc that is supposed to be protected by Parliamentary privilege (in case of whistleblowing, etc).

    1. Darth Poundshop

      Re: Yet if any other civil servant did this

      Exactly - I've known people fired from the NHS for this.

      The cat that Dorries has let out of the bag is the admission that when you write to your MP regarding anything from matters of national security to fighting extradition to medical matters - anything - it could be read by absolutely bleeding anybody they've shared their password with, or anybody they in turn have shared the password with and so on. And they all think it's OK!!!

      It's astounding...I think we all know it goes on, but to hear the sheer flippancy of the MP buffoons is jaw dropping

      1. phuzz Silver badge

        Re: Yet if any other civil servant did this

        "...when you write to your MP [...] it could be read by absolutely bleeding anybody"

        I'm pretty sure my MP doesn't read every single letter/email sent to them, only the ones that their staff bring to their attention.

      2. Doctor Syntax Silver badge

        Re: Yet if any other civil servant did this

        "sheer flippancy"

        I think you may be doing her too much credit. Flippancy requires some comprehension.

  14. Anonymous Coward

    Nadine Dorries : Why do people vote for her?

    She's an interesting character, originally a council estate scouser. Her expenses history is interesting, she's pro-life and likes to unsuccessfully introduce bills designed to chip away at women's right to decide on Abortion. Not a fan of same sex marriage, I'm afraid. She loves employing her family to work for her, according to wikipedia, her daughter earns 40-45K working as her office manager, despite living 96 miles away from the office. Her sister is one of her secretaries, on 30-35K. She seems a little defensive about it : when a Sunday Mirror journo asked her about her employment practices, she twittered in his direction..... "Be seen within a mile of my daughters and I will nail your balls to the floor... using your own front teeth. Do you get that?". She's clearly naturally charming and eloquent.

    Back to the story. A while back, she actually sat on the science and technology select committee. More accurately, she was appointed, but didn't actually sit : she failed to attend a single session. Perhaps she'd have more of a clue about tech stuff if she had made the effort.

    1. james_smith

      Re: Nadine Dorries : Why do people vote for her?

      She's "affectionately" known as Mad Nad by most MPs, including the ones in her same political party.

      1. Nick Ryan Silver badge

        Re: Nadine Dorries : Why do people vote for her?

        Why? Because the country is full of idiots who vote for the same party that they've always voted for regardless of the corruption, lies and stupid things (policies) that the politicians representing that party carry out. Party politics is pretty much an anathema of democracy.

    2. goodjudge

      Re: Nadine Dorries : Why do people vote for her?

      A few years ago there was a lot of research done on her by a certain blogger, which it seems you may have read - I recall a fair bit about her 'main residence' for the purpose of parliamentary expenses. But I won't mention his name as for some totally unconnected reason he became the target of a long-running smear campaign.

      Anyway, why do people vote for her? Because she represents part of Bedfordshire and they'll vote for anything with a blue rosette stuck to it.

      1. Anonymous Coward

        Re: Nadine Dorries : Why do people vote for her?

        "Because she represents part of Bedfordshire and they'll vote for anything with a blue rosette stuck to it."

        Yeah, but seriously? I'm not stopping them from voting Conservative (although tbh, I'd like to but it's a bit impractical) but are there no better candidates than this? What does a sitting Tory MP need to do to be de-selected? I mean, what if they abandoned their constituents, and buggered off to Australia to appear on a TV programme where you have to eat witchetty grubs and things. Surely that'd be enough?

    3. Doctor Syntax Silver badge

      Re: Nadine Dorries : Why do people vote for her?

      "She loves employing her family to work for her, according to wikipedia, her daughter earns 40-45K working as her office manager, despite living 96 miles away from the office. Her sister is one of her secretaries, on 30-35K."

      That's a relief. She's just sharing her password with family so of course they can be trusted.

  15. ShortLegs

    The baby white elephant in the room

    ... is what happened to the web proxy and web-blocking system that was installed in Parliament, to prevent users from surfing pornography?

    or was it quietly removed - at the insistence of 'users' [MP's] who objected that it stopped them googling areas in Scunthorpe and Middlesex...

    1. rh587 Bronze badge

      Re: The baby white elephant in the room

      or was it quietly removed - at the insistence of 'users' [MP's] who objected that it stopped them googling areas in Scunthorpe and Middlesex...

      To be fair, that would be a legitimate problem if you were the MP for Scunthorpe...

      1. Anonymous Coward

        Re: The baby white elephant in the room

        >To be fair, that would be a legitimate problem if you were the MP for Scunthorpe...

        Why would the MP for Scunthorpe be Googling areas of Middlesex?

      2. Dave Bell

        Re: The baby white elephant in the room

        That's Nic Dakin, who shows himself to be at least adequate in computer matters.

        The Workington constituency includes Cockermouth, while there's also the Penistone and Stocksbridge constituency.

        All of these places have had problems with poorly-designed internet filters. Surely Parliament can cope with English placenames?

        1. TRT Silver badge

          Re: Surely Parliament can cope with English placenames?

          The filter was designed by that company with the HQ on Gropecunt Lane.

  16. chivo243 Silver badge
    Trollface

    I would hate to shake hands

    with one of these wankers... really, that's all they do is shake hands with people...

  17. Anonymous Coward

    What's the password?

    It's secret

    No, what's the password?

    I said, it's secret!

    Why won't you tell me?

    I have

    (This may have happened in an office I worked at, not by me mind)

    1. Kevin Johnston

      Re: What's the password?

      In one of my many (but brief) sojourns on the HellDesk I had a user call who had forgotten their password. After going through the relevant process to validate they were who they said they were (like I could really prove it one way or the other), I told them their password was changed....cue the loop and a quiet word from the team leader that while amusing it was not good form to wind up the users.

  18. Anonymous Coward
    Anonymous Coward

    Plod should not be revealing what they found. It wasn't pertinent to the investigation of 2008. That way lies a police state.

    Need a few people who understand law here.

    1. disgustedoftunbridgewells Silver badge

      He didn't even do it as a plod. He did it as a private citizen who stole police documents when he left his job.

      1. Anonymous Coward
        Anonymous Coward

        It was wrong and likely is illegal though I am glad he did it.

        1. disgustedoftunbridgewells Silver badge

          Why?

          If police raid your house because they wrongly believe you are a criminal, should they hold any non-illegal but embarrassing material? Should police officers refuse orders to destroy the data, steal it when they leave their jobs and publish it to destroy your career nine years later?

          It's outrageous.

      2. Gorak

        Re: Stolen police documents

        How do you know any documents were stolen?

        Everything the former-fuzz have revealed could have come from memory and I'm not sure how you're supposed to delete those when you leave the job. Could you get blackout drunk and charge it to the security budget?

        1. disgustedoftunbridgewells Silver badge

          Re: Stolen police documents

          I'm 99% sure he admitted stealing it ( took that specific notebook only )

  19. JimmyPage Silver badge
    Mushroom

    “trolling” by computer nerds.

    Pesky experts, eh ?

  20. Anonymous Coward
    Anonymous Coward

    Template letter for your MP

    Dear <insert name>

    following recent revelations from an MP regarding computer usage, could I ask for confirmation that any personal data I may exchange with your office is held in full accordance with current UK data protection legislation.

    many thanks in advance

    <your name>

    If you use https://www.writetothem.com/ then your request will be tracked.

    1. Nick Ryan Silver badge

      Re: Template letter for your MP

      Unfortunately the actions of government are excluded from the DPA / GDPR.

      On the other hand, they may not know this... :)

  21. Mike Scott 1

    But MPs are very special don't you know...

    Apparently - and I'm sure someone will be along to clarify in a moment - staff in Westminster are governed by Civil Services rules around security etc. MPs are not, because they are 'special'. It's all nonsense. If I were a Westminster staffer I would be refusing to use anyone else's login to check mail or whatever, and have the IT team give a system that enabled proper, traceable and secure handling of internal and external messages - I'm sure such a thing must be available... Geez, the amount of money spent on government IT and they can't manage that.

  22. MeetCleaver
    Thumb Down

    Crispin Blunt too

    Conservative MP Crispin Blunt also said he shares his Parliamentary login with his staff when defending Damian Green on Friday’s Channel 4 News.

    I would be reluctant to tell my MP anything confidential given that ignoring mandatory ICT security rules seems to be common practice in Parliament.

  23. J J Carter Silver badge
    Facepalm

    Figures

    These are the same clueless MPs who rubber-stamped the GDPR legislation omnishambles.

  24. 0laf Silver badge
    FAIL

    MPs will be data controllers in their own right so I wonder if the ICO will be investigating this blatant failure to comply with Principle 7 of the DPA.

    I suppose MPs are too important to be bothered to follow the infosec awareness training they will have been provided. But then with access to some of the UK's most sensitive information it's not like they'd be a target or anything. It's not like Damian Green's alleged porn habits might have been used by a less scrupulous foreign government to blackmail him.

    Noooo surely nothing like that would ever happen

  25. ukgnome Silver badge

    Others have said it before - it's thumbnails not actual photos on Green's laptop

    So many reasons on how this happened.

    As for Doris - I, like so many others have reminded her on twatter what privacy is. I really don't think she gets it. Fair enough some might say, it's not like she has anything official or secret. THAT'S NOT THE POINT

    it really boils my piss that an elected MP cares so little about privacy

    1. Nick Ryan Silver badge

      it really boils my piss that an elected MP cares so little about privacy

      It's probably more accurately: it really boils my piss that an elected MP cares so little about non-politicians' privacy

  26. JimmyPage Silver badge
    Megaphone

    MPs are not, because they are 'special'.

    But it should be an absolute cast iron principle of law that a constituent's correspondence with their MP is covered by the concept in principle and law, of privilege.

    I shudder to think how many vulnerable people might have contacted their MP with very sensitive details of ongoing civil and criminal cases that will now have to worry that the wrong person has seen it.

    FGS, it's been shown that you can't trust the police with access to such data. So what's the hope for a bunch of poorly (or un) paid interns slaving away for an MP ???? Especially when they (now) know they won't be caught.

  27. Blotto Bronze badge

    Its up to the Data Controller to govern sharing of your data

    it's really naive to expect your MP to open every piece of correspondence or email and personally respond.

    like the police, your doctors, HR or whoever that are meant to be treating your correspondence confidentially, there is no reason why they can't share that information amongst their trusted colleagues & staff members in order to provide their service to you. While the MPs have said they share their passwords amongst their staff, don't forget the information is still held on password protected systems. Someone walking in off the street can't just open the machine and access the data. If the machine was stolen, without a password just powering the machine on won't reveal its contents, and no I have no idea if the data is encrypted at rest but given how easy bit-locker is to enable it all should be encrypted now.

    I share the sky PIN with my Mrs and others that stay.

    I share my wifi password with visitors

    I share bits of my password with strangers on the phone when I phone them and they ask me

    I share my Credit card details when i phone for a takeaway

    I know parents and friends pins & passwords for their phones and PC's from when they ask me to fix stuff for them.

    At work we do have shared last resort 1 time passwords (of course they are changed often) as per pci/dss/sox procedures.

    At work I only know my personal passwords not those of colleagues.

    it looks like many commentators here are fixated by the need for a confidential password and don't actually understand what the password is there for.

    For the MPs, the password is really there to safeguard the information from being accessed by unauthorised individuals. The staff are authorised by the MP to look at the MP's information. Authorisation given by sharing of the MP's password.

    Yes a better system of sharing the MP's info between staff should be implemented, a system that ensures accountability for individuals accessing the info, but at the moment the system is no worse than the MP printing everything off and shoving it in a filing cabinet in the office where all with access to the office (yes including maintenance, cleaners and security) could rifle through it, in fact it's better than that.

    1. Anonymous Coward
      Anonymous Coward

      Re: Its up to the Data Controller to govern sharing of your data

      @Blotto You worked at HPE and you are that clueless about login passwords, password security and the consequences of sharing passwords.

      My opinion about HPE has also been affected by your comments - if you think this is similar to sharing your Sky PIN or your credit card number you are idiotic.

      1. Blotto Bronze badge

        Re: Its up to the Data Controller to govern sharing of your data

        @Blotto You worked at HPE and you are that clueless about login passwords, password security and the consequences of sharing passwords.

        i've never worked at HP, no idea where you got that from.

        the point being made is that people share credentials all the time with little regard. My sky pin can be used to purchase stuff from sky, my credit card allows several months wages to be spent in 1 go.

        i'm sorry my comments have dimmed your view on HPE, i have no idea why though, as again, i've never worked there, maybe you're just an idiot?

        1. Anonymous Coward
          Anonymous Coward

          Re: Its up to the Data Controller to govern sharing of your data

          @Blotto Your previous posting seemed to show you worked at HP but I can see now it was a poorly formatted quote from another poster. It did seem strange that someone with so little grasp of the reason password security was important could have ever had any kind of IT role at a major company.

          It makes sense now and a little bit of faith in HPE is returned, phew.

          Interesting you seem to still equate your credit card or sky PIN as similar - you still don't get it. Try this for an analogy - your sky pin or credit card is like giving someone keys to your house, sharing your login password is like copying your security pass and giving them out to unauthorised people, but worse as that special security pass also makes everyone who sees it think the person holding it is actually you (including security, the media, friends and family, etc)

    2. Doctor Syntax Silver badge

      Re: Its up to the Data Controller to govern sharing of your data

      @Blotto

      Some of what you say is quite true but you seem to have overlooked that the net of who's being trusted here seems to have been spread a good deal wider than those corresponding with her might have expected.

      Also, right there at the start of your 2nd para you list the police amongst those to be trusted. Well, there's one (ex-)policeman who evidently can't.

      1. Blotto Bronze badge

        Re: Its up to the Data Controller to govern sharing of your data

        Also, right there at the start of your 2nd para you list the police amongst those to be trusted. Well, there's one (ex-)policeman who evidently can't.

        like the police, your doctors, HR or whoever that are meant to be treating your correspondence confidentially, there is no reason why they can't share that information amongst their trusted colleagues & staff members in order to provide their service to you.

        While we should be able to trust the police, they continue to do things to make us question that trust.

    3. Anonymous Coward
      Anonymous Coward

      Re: Its up to the Data Controller to govern sharing of your data

      "While the MPs have said they share their passwords amongst their staff, don't forget the information is still held on password protected systems. Someone walking in off the street can't just open the machine and access the data."

      Passwords in a business don't protect 'a machine' they protect the network. By giving out your password you have now potentially allowed access to the network resources, the e-mail, shared drives, digital signatures, encrypted drives etc.

      And don't forget, once you have control over someone's e-mail you may have the ability to access almost any other system that has that e-mail as part of the signup/login process. If you think that a foreign power meddling is done by planting some fake news stories, just think what can be achieved if they had e-mail access and could send messages to journalists as though they are a sitting MP.

    4. rh587 Bronze badge

      Re: Its up to the Data Controller to govern sharing of your data

      Yes a better system of sharing the MP's info between staff should be implemented

      It has been. PICT uses O365. Delegating access to e-mail (for instance) is a couple of clicks away.

      And when that exchange student leaves, they don't walk away knowing the access creds. Their individual account is closed and they are locked out.

      The fact that an MP or their office manager is too ignorant or lazy to call PICT and get assistance is not an excuse.

  28. Anonymous Coward
    Anonymous Coward

    Sounds like an ideal replacement for Amber Rudd in due course, given their similar technical nous.

  29. Ilsa Loving

    Not surprising

    As horrific as this is, it doesn't surprise me.

    Politicians are still people. And for years the general accepted rules for password management have encouraged ridiculous policies that virtually guaranteed that these kinds of issues would occur.

    Even the original author (sorry forgot his name now...) has gone so far as to apologize for his original recommendations because they've done overwhelmingly more harm than good.

    What this story tells me is that their IT policies desperately need an update. Preferably one that doesn't require people to change their passwords every 30 days, and focus on longer but more easily typeable and memorable passwords.

  30. Arachnoid
    Mushroom

    Talking of Passwords

    I wonder how many U.S. Politicians share their keys to the Nuclear deterrent?

    1. Anonymous Coward
      Anonymous Coward

      Re: Talking of Passwords

      I know it already.. it'll be GREAT TRUMP

  31. JimC Silver badge

    Its convenience

    so long as it's quicker and easier to give the temp your password than it is to get support to set up a new account with all the correct shared access this will continue to happen. Bashed my head against that wall so many times I ended up with no hair and semi-permanent migraines...

  32. Mike Richards Silver badge

    'But everyone knows the password to my computer'

    Rather sounds like a lot of MPs are getting excuses in early for when they are found to have oceans of eyewatering porn on their PCs.

  33. Anonymous Coward
    Anonymous Coward

    Logins are simple.

    The individual is responsible for what happens under their login. No exceptions.

    What really bothers me is how it wasn't picked up by the security that is supposed to be in place to protect government data.

    In the interests of balance, how were the police able to copy confidential data to their personal accounts?

  34. Marketing Hack Silver badge
    Go

    Hey, some politicians are actually decent people!

    And they need some video instruction on how to properly screw over the public if they ever want to make it to the front bench! :)

  35. Cederic

    Simple answer

    Surely the simple answer is to disable the accounts of Nadine and her office staff on the UK parliamentary network and require them to complete basic information security training before allowing them back on.

    Then monitoring them and banning the illiterate cunts if Nadine's account is active while she's speaking in the House.

  36. Dave Bell

    In the old days

    It used to be, in the days of paper, that somebody had a secretary, and maybe other staff, who handled correspondence. And if you got a reply to the letter, it might be signed "per procurationem", an identified person sending a reply on behalf of the boss. Nothing was being hidden.

    It was so standard a practice that it is incredible to me that this situation has developed. Though some of what I have seen on Twitter involves some Olympic-level jumping to conclusions.

    The rest of today's news is inclining me toward interpreting some MP's Tweet as stupidity, rather than merely being ambiguously laconic. Why are we trusting this shower of incompetents?

  37. TrumpSlurp the Troll Silver badge

    One thing not mentioned so far

    If someone leaves, you normally close their account.

    If temps and interns leave, do you think they change the password on the shared account every time?

    If they do, they may have a pragmatic process for sharing an account. If not, however.....

  38. Twanky

    Executive/PA working

    Much has already been said about the foolishness of MPs sharing passwords and the criminality of retaining data from a possibly illegal search by a plod leaving the service. Can't add anything to that.

    The IT 'problems' associated with Executive/PA working are not new and there are many methods available to address them. These clearly are not being applied in Ms Dorries' and other MPs' offices.

    So why not? Almost certainly because it is easier for the MP to just get on with the job (as they see it) by giving people they trust their password.

    It seems to me that the Palace of Westminster IT function has not made it easy enough for their Users to do things the right way.

  39. Anonymous Coward
    Anonymous Coward

    reminds me of numerous occasions @work, one of the most memorable below.

    Lvl4 ECA for biomedical IVD product manufacture (full face masks, latex gloves, hairnets (yes even for beardage), white romper suits, ban on paper and anything with particulates) false atmosphere, etc etc.

    In the middle of an FDA audit/ECA inspection with auditor next to them, the operators whipped out paper notebooks to look at their passwords to log in. About the only other thing they could have made it worse, was pissing in a bucket in the corner.

    This was after months of ranting to HR about knowing the practices going on in there....which fell on deaf ears until lessons learned session where moi, IT, ranted for eons!

    A dismissable offence.....and they are still with us.

    I could hear the auditor's screams upstairs in my office......and we failed the audit btw.

    AC for good reason ;)

  40. Nickckk

    Red

    Red light surely, ed?


Biting the hand that feeds IT © 1998–2019