From ukcrypto at chiark.greenend.org.uk Tue May 1 08:33:41 2007
From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson)
Date: Tue, 01 May 2007 08:33:41 +0100
Subject: MTAS and other NHS web sites
In-Reply-To:
References: <20070429130102.13884.62125.Mailman@chiark.greenend.org.uk>
Message-ID: <4636ED55.7090400@iosis.co.uk>

Mary Hawking wrote:
>>> Any ideas on damage limitation?
>>
>> Extend existing contracts by 3 months, or perhaps until the end of
>> the year. After all, they are not aligned with the fiscal year, so
>> what does it matter when the changeover occurs?
>>
>> Peter
>
> Mary Hawking wrote:
>
> These are *training* posts - and change every 6 months.
> Are you suggesting that either the training due in the August intake
> rotation should be curtailed by 3 or 5 months, that you (as a
> patient) would be happy for future Consultants and GPs to have a block
> of their structured training omitted, or that, because of managerial
> incompetence the training of all doctors caught in this mess - and
> don't forget, some of these are just now finishing their finals, so
> don't have a current post - should be prolonged by 6 months?
>
> The NHS is a large organisation: this suggestion suggests a certain
> lack of understanding of the situation and organisation of the NHS:
> just hope it isn't universal!

The organisation has already been quite seriously disrupted in one area: organising the next set of posts for the affected doctors. It faces continuing damage as junior doctors get moved into the wrong posts, or are unfairly denied posts, or as posts are given to doctors for whom in a fair system there would not be posts at this grade this time. It needs to adapt to minimise the disruption and also ensure fair treatment for the affected doctors. Maybe the process can no longer, in fairness, operate in the same rigid cycle. Sticking plaster for the computer-based system and compensation isn't going to be good enough (in particular financial compensation, i.e.
awarding damages, is, in my view, not appropriate).

Now it will take some time to resolve the situation, and indeed, if contracts are extended, I accept that there is the problem of doctors coming into the system for the first time (maybe pay them a salary to continue studying; arrange temporary, paid, work experience posts; offer bursaries to study abroad, etc). Offering the continuance of existing contracts is just one part of the solution.

And, to take us a little way back to this list's topics, those responsible for the cockup should face major penalties (including those who commissioned a computer system that would be put into operation without full testing for security, function and capacity, in flagrant disregard of govt policy and guidelines - such testing would probably have meant delaying the system's introduction until the next round, but so what?).

Only yesterday I was at a meeting between two trade associations with a presence in ICT, one established and the other fairly new, and the general topic of educating the public sector in ways of implementing its own policies was a major item in our discussions. One side said that it's a very slow job getting this right; the other has views on how to speed it up, but in this purdah political period before local elections and Welsh and Scottish elections we are all keeping our heads down.

Peter

From ukcrypto at chiark.greenend.org.uk Thu May 3 09:23:09 2007
From: ukcrypto at chiark.greenend.org.uk (Ian G Batten)
Date: Thu, 3 May 2007 09:23:09 +0100
Subject: MTAS and other NHS web sites
In-Reply-To: <002901c78b27$4913d390$1c00a8c0@novatech2800a>
References: <002901c78b27$4913d390$1c00a8c0@novatech2800a>
Message-ID: <2E97DE0E-BEF6-48AD-AC3E-09CE5136DBB4@uk.fujitsu.com>

On 30 Apr 2007, at 13:58, Peter Sommer wrote:
> And the only "security" was a
> very slightly obscure URL, even though Excel has in built encryption
> facilities.

The current statement says ``we are implementing some further recommendations to ensure that it is as secure as we can make it.''

Is that the current government security policy? I had hoped that the requirement would be ``to ensure it is as secure as it needs to be''. But if the bar is lowered to ``get some blokes to do the best job they can, that'll be OK'', that's a bit disturbing.

ian

From ukcrypto at chiark.greenend.org.uk Thu May 3 09:20:44 2007
From: ukcrypto at chiark.greenend.org.uk (Ian G Batten)
Date: Thu, 3 May 2007 09:20:44 +0100
Subject: MTAS and other NHS web sites
In-Reply-To: <4636ED55.7090400@iosis.co.uk>
References: <20070429130102.13884.62125.Mailman@chiark.greenend.org.uk> <4636ED55.7090400@iosis.co.uk>
Message-ID: <2F4F89A9-488A-401D-AB27-09102CAF9744@uk.fujitsu.com>

On 1 May 2007, at 08:33, Peter Tomlinson wrote:
> those responsible for the cockup should face major penalties
> (including those who commissioned a computer system that would be
> put into operation without full testing for security, function and
> capacity, in flagrant disregard of govt policy and guidelines -
> such testing would probably have meant delaying the system's
> introduction until the next round, but so what?).

There's a whole world of consultants whose business comes almost entirely from consulting with government over security, and yet in this case a critical government website was both designed and operated in a manner which is both procedurally and technically flawed. Clearly, people who know what they're doing like CESG audit the consultants, and the consultants in turn employ high quality people. I'm neither Fujitsu Services nor Fujitsu Consulting as was, but such FS people who work in the secure government space as I've had dealings with have obviously been at the top of their game. And yet, all that said, we get an amateur-hour incident like MTAS.

So what went wrong?
I've got a bunch of questions down via my MP about the lessons learnt, but neither I nor she expects an answer of fine detail. Was it that the outsource didn't consider security? Was it that the security had the wrong threat model? Was it that naive assumptions about ``everyone with legitimate access to some data has legitimate access to all data''? This last is the main worry I have about the NHS spine and the Identity Register databases, so it's worrying if it's crept into a high-profile government debacle.

ian

From ukcrypto at chiark.greenend.org.uk Thu May 3 12:49:27 2007
From: ukcrypto at chiark.greenend.org.uk (David Hansen)
Date: Thu, 03 May 2007 12:49:27 +0100
Subject: MTAS and other NHS web sites
In-Reply-To: <2E97DE0E-BEF6-48AD-AC3E-09CE5136DBB4@uk.fujitsu.com>
References: <002901c78b27$4913d390$1c00a8c0@novatech2800a>
Message-ID: <4639DA57.30512.6D275D@localhost>

On 3 May 2007 at 9:23, Ian G Batten wrote:

> The current statement says ``we are implementing some further
> recommendations to ensure that it is as secure as we can make it.''
>
> Is that the current government security policy? I had hoped that the
> requirement would be ``to ensure it is as secure as it needs to be''.
> But if the bar is lowered to ``get some blokes to do the best job they
> can, that'll be OK'', that's a bit disturbing.

Presumably they get the blokes in who offer the lowest price.

I am reminded of the words of a US astronaut, when he was asked what he thought of while sitting at the top of a rocket. Reputedly his reply was something like, "well Sir, I think that this is a government project and every bit of the rocket has been made by the company that submitted the lowest price."

-- 
David Hansen, Edinburgh
I will *always* explain revoked encryption keys, unless RIP prevents me
http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54

From ukcrypto at chiark.greenend.org.uk Thu May 3 20:45:23 2007
From: ukcrypto at chiark.greenend.org.uk (Brian Morrison)
Date: Thu, 3 May 2007 20:45:23 +0100
Subject: MTAS and other NHS web sites
In-Reply-To: <4639DA57.30512.6D275D@localhost>
References: <002901c78b27$4913d390$1c00a8c0@novatech2800a> <4639DA57.30512.6D275D@localhost>
Message-ID: <20070503204523.0f8e71f7@peterson.fenrir.org.uk>

On Thu, 03 May 2007 12:49:27 +0100
"David Hansen" wrote:

> On 3 May 2007 at 9:23, Ian G Batten wrote:
>
> > The current statement says ``we are implementing some further
> > recommendations to ensure that it is as secure as we can make it.''
> >
> > Is that the current government security policy? I had hoped that the
> > requirement would be ``to ensure it is as secure as it needs to be''.
> > But if the bar is lowered to ``get some blokes to do the best job they
> > can, that'll be OK'', that's a bit disturbing.
>
> Presumably they get the blokes in who offer the lowest price.
>
> I am reminded of the words of a US astronaut, when he was asked what he
> thought of while sitting at the top of a rocket. Reputedly his reply
> was something like, "well Sir, I think that this is a government
> project and every bit of the rocket has been made by the company that
> submitted the lowest price."
>
>

A saying in the USAF goes "Always remember your jet was built by the lowest bidder".

-- 
Brian Morrison

bdm at fenrir dot org dot uk

"Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it."

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html

From ukcrypto at chiark.greenend.org.uk Thu May 3 20:56:51 2007
From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson)
Date: Thu, 03 May 2007 20:56:51 +0100
Subject: Latest Channel4 on MTAS
Message-ID: <463A3E83.3090906@iosis.co.uk>

Tonight Ch4 News claims to have a copy of the specification for the MTAS system, and further claim that the system cost £6.4M to develop.

The spec, they say, requires the site to be secure. They flashed the documents across the screen, but I couldn't take them in quickly enough. Anyone know any more?

Peter

From ukcrypto at chiark.greenend.org.uk Fri May 4 10:58:36 2007
From: ukcrypto at chiark.greenend.org.uk (Ian G Batten)
Date: Fri, 4 May 2007 10:58:36 +0100
Subject: IT on ID
In-Reply-To: <463A3E83.3090906@iosis.co.uk>
References: <463A3E83.3090906@iosis.co.uk>
Message-ID:

On 3 May 2007, at 20:56, Peter Tomlinson wrote:

> Tonight Ch4 News claims to have a copy of the specification for the
> MTAS system, and further claim that the system cost £6.4M to develop.
>
> The spec, they say, requires the site to be secure. They flashed
> the documents across the screen, but I couldn't take them in
> quickly enough. Anyone know any more?

On a similar note, the Information Tribunal has ruled that the Gateway Reviews for the ID card scheme have to be released within 28 days. This could be interesting.

ian

From ukcrypto at chiark.greenend.org.uk Fri May 4 13:15:26 2007
From: ukcrypto at chiark.greenend.org.uk (Ross Anderson)
Date: Fri, 04 May 2007 13:15:26 +0100
Subject: ATM fraud
Message-ID:

I understand there is a program on ATM fraud at 8pm - "Tonight with Trevor McDonald". It would have gone out on Monday were it not for the terrorist trial verdict. I hear it's rescheduled for tonight

Ross

From ukcrypto at chiark.greenend.org.uk Fri May 4 14:26:21 2007
From: ukcrypto at chiark.greenend.org.uk (Roland Perry)
Date: Fri, 4 May 2007 14:26:21 +0100
Subject: Confused phisher
Message-ID:

As it's a Friday, I thought I'd share this extract from a phishing email I got this morning; not just illiterate, but they can't make up their mind which bank:

"Co-operative bank apologizes for the inconveniences caused by the electronic fraud. Co-operative Bank has increased account security in order to prevent any tipe of fraud. Due to this situation Co-operative Bank recommends visiting.." etc etc

[...]

"Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your Egg Banking account and choose the "Help" link in the footer of any page."

-- 
Roland Perry

From ukcrypto at chiark.greenend.org.uk Fri May 4 15:56:30 2007
From: ukcrypto at chiark.greenend.org.uk (Peter Sommer)
Date: Fri, 4 May 2007 15:56:30 +0100
Subject: Latest Channel4 on MTAS
In-Reply-To: <463A3E83.3090906@iosis.co.uk>
Message-ID: <008c01c78e5c$663c45f0$1c00a8c0@novatech2800a>

There may be yet another episode on Channel 4 News tonight Friday. 1900 hrs.
(and then you can switch channels and see if Ross's ATM feature comes up)

Peter Sommer

-----Original Message-----
From: ukcrypto-admin@chiark.greenend.org.uk [mailto:ukcrypto-admin@chiark.greenend.org.uk] On Behalf Of Peter Tomlinson
Sent: 03 May 2007 20:57
To: ukcrypto@chiark.greenend.org.uk
Subject: Latest Channel4 on MTAS

Tonight Ch4 News claims to have a copy of the specification for the MTAS system, and further claim that the system cost £6.4M to develop.

The spec, they say, requires the site to be secure. They flashed the documents across the screen, but I couldn't take them in quickly enough. Anyone know any more?

Peter

From ukcrypto at chiark.greenend.org.uk Fri May 4 20:51:37 2007
From: ukcrypto at chiark.greenend.org.uk (Adrian Midgley)
Date: Fri, 04 May 2007 20:51:37 +0100
Subject: Latest Channel4 on MTAS
In-Reply-To: <008c01c78e5c$663c45f0$1c00a8c0@novatech2800a>
References: <008c01c78e5c$663c45f0$1c00a8c0@novatech2800a>
Message-ID: <463B8EC9.2010902@defoam.net>

Peter Sommer wrote:
> There may be yet another episode on Channel 4 News tonight Friday. 1900
> hrs. (and then you can switch channels and see if Ross's ATM feature
> comes up)
>
> Peter Sommer
>
>

And there you were!

Interestingly, at least for me, here I am packing for a trip abroad to an open source software in healthcare conference, where at some point I am almost certain to remark that one of the smaller benefits of a FLOSS approach to procurement for public service software is that you will buy something that actually exists, and that it is rather harder to hide the hole content of the European Community Emmental mountain and then have the secretary of state embarrassed by it in FLOSS than in closed source systems.

-- 
Adrian Midgley
en route

From ukcrypto at chiark.greenend.org.uk Sat May 5 09:22:23 2007
From: ukcrypto at chiark.greenend.org.uk (ukcrypto@chiark.greenend.org.uk)
Date: Sat, 5 May 2007 04:22:23 -0400
Subject: MTAS and other NHS websites
Message-ID: <20070505042223.t00tqhhsthxc0084@www.egypt.com>

I've only just stumbled across the list. I am a doctor and a shortlister/interviewer in the present MTAS recruitment round.

The /info folder on MTAS had previously contained a series of useful files, including some of the rules for carrying out interviews, competition ratios etc. It was a virtual directory listing, and new files were added to it periodically. It was clearly intended as a way for Deanery and other staff to keep up to date with current information. Someone presumably uploaded some highly confidential data into this folder. A handful of people would have seen it. Unluckily for MTAS, one of those people was Channel 4 News.

This was really only a minor breach of security, an act of stupidity, although maybe symptomatic of a general attitude.

What is more worrying is why the site has remained off-line for so long. There are two rumours going around the medical world. One theory is that the data has been significantly corrupted or damaged. The second theory is that the data has been sabotaged. These theories are not mutually exclusive.

I guess there must also be some fairly heated correspondence going on between the DoH and the IT contractors.
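
The exposure described in the message above (confidential files dropped into a folder that the web server lists) is something a site operator can check for on the document root itself. The following is an added example, not part of the original post and not MTAS code; the index-file names, the set of sensitive extensions, the `.htaccess` heuristic and the sample tree are all assumptions or constructed for illustration.

```python
"""Audit a web document root for sensitive files in listable directories."""
import os
import re
import tempfile

# Assumptions for this example (not taken from the thread):
INDEX_FILES = {"index.html", "index.htm"}          # names that suppress an auto-index
SENSITIVE_EXTS = {".xls", ".csv", ".mdb", ".sql"}  # bulk-data file types
# .htaccess directives treated as "this directory is access-controlled".
ACCESS_RE = re.compile(r"^\s*(AuthType|Require|Deny\s+from\s+all)\b", re.I | re.M)


def has_access_control(directory):
    """True if the directory's own .htaccess carries an access-control directive."""
    try:
        with open(os.path.join(directory, ".htaccess"), encoding="utf-8",
                  errors="replace") as fh:
            return bool(ACCESS_RE.search(fh.read()))
    except FileNotFoundError:
        return False


def audit_docroot(docroot, indexes_enabled=True):
    """Return sensitive files that can be fetched without logging in.

    exposure == "listed":    the directory has no index file, so with
                             auto-indexing on the file name is advertised.
    exposure == "name-only": no listing, but anyone who learns the URL
                             can still download the file.
    Directories under an access-controlled parent are skipped.
    """
    docroot = os.path.abspath(docroot)
    protected = {}   # directory -> protected by itself or by an ancestor
    findings = []
    for current, dirs, files in os.walk(docroot):
        dirs.sort()  # deterministic traversal order
        inherited = protected.get(os.path.dirname(current), False)
        protected[current] = inherited or has_access_control(current)
        if protected[current]:
            continue
        has_index = any(name.lower() in INDEX_FILES for name in files)
        listable = indexes_enabled and not has_index
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in SENSITIVE_EXTS:
                continue
            rel = os.path.relpath(os.path.join(current, name), docroot)
            findings.append({
                "path": "/" + rel.replace(os.sep, "/"),
                "exposure": "listed" if listable else "name-only",
            })
    return findings


def build_constructed_sample():
    """Create a small constructed document root in a temp directory."""
    root = tempfile.mkdtemp(prefix="docroot_")
    layout = {
        "index.html": "home page",
        "info/faq_constructed.html": "faq",
        "info/guide_constructed.pdf": "guide",
        "info/applicants_constructed.xls": "constructed spreadsheet",
        "reports/index.html": "landing page",
        "reports/export_constructed.csv": "a,b",
        "staff/.htaccess": "AuthType Basic\nRequire valid-user\n",
        "staff/rota_constructed.xls": "constructed spreadsheet",
    }
    for rel, body in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for finding in audit_docroot(build_constructed_sample()):
        print(f"{finding['exposure']:9}  {finding['path']}")
```

Turning auto-indexing off only moves a file from "listed" to "name-only"; it remains downloadable until the directory itself requires authentication.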

From ukcrypto at chiark.greenend.org.uk Sat May 5 11:27:55 2007
From: ukcrypto at chiark.greenend.org.uk (PeteM)
Date: Sat, 05 May 2007 11:27:55 +0100
Subject: MTAS and other NHS websites
In-Reply-To: <20070505042223.t00tqhhsthxc0084@www.egypt.com>
References: <20070505042223.t00tqhhsthxc0084@www.egypt.com>
Message-ID: <463C5C2B.7050206@callnetuk.com>

vickyvicky@egypt.com wrote:
> I've only just stumbled across the list. I am a doctor and a
> shortlister/interviewer in the present MTAS recruitment round.
>
> The /info folder on MTAS had previously contained a series of useful
> files, including some of the rules for carrying out interviews,
> competition ratios etc. It was a virtual directory listing, and new
> files were added to it periodically. It was clearly intended as a way
> for Deanery and other staff to keep up to date with current information.

That's very interesting. So they were accustomed to using the directory as a way of distributing non-public information.

> Someone presumably uploaded some highly confidential data into this
> folder. A handful of people would have seen it. Unluckily for MTAS, one
> of those people was Channel 4 News.

Oh come on. "Unluckily"? The data was deliberately forwarded to Ch4 News by a doctor, in order to embarrass DH.

-- 
Pete Mitchell

From ukcrypto at chiark.greenend.org.uk Sat May 5 10:35:14 2007
From: ukcrypto at chiark.greenend.org.uk (ukcrypto@chiark.greenend.org.uk)
Date: Sat, 5 May 2007 05:35:14 -0400
Subject: MTAS and other NHS websites
In-Reply-To: <463C5C2B.7050206@callnetuk.com>
References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <463C5C2B.7050206@callnetuk.com>
Message-ID: <20070505053514.hrtmzk0i0h60oks0@www.egypt.com>

>
> That's very interesting.
> So they were accustomed to using the directory
> as a way of distributing non-public information.

Some of it was public - the Competition Ratios (ie number of people applying for each job) were in a subfolder eg www.mtas.nhs.uk/info/ST_2007_1/CRST3.pdf

The main /info folder was used for semi-public information. It wasn't openly advertised, but must have been intended for use by Deaneries and other Interested Parties. The directory could be listed, so it was easy to see when new files were uploaded.

>
>
>> Someone presumably uploaded some highly confidential data into this
>> folder. A handful of people would have seen it. Unluckily for
>> MTAS, one of those people was Channel 4 News.
>
> Oh come on. "Unluckily"? The data was deliberately forwarded to Ch4
> News by a doctor, in order to embarrass DH.

Er what I meant was ' it was unlucky for MTAS that a doctor saw it so quickly'. It seems likely that the file was put there on a short-term basis so that it could be quickly disseminated. They might have got away with it. For all I know, they might have even done it on a regularish basis. Unluckily, they got spotted.

>
> -- 
> Pete Mitchell

From ukcrypto at chiark.greenend.org.uk Sat May 5 12:20:31 2007
From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson)
Date: Sat, 05 May 2007 12:20:31 +0100
Subject: MTAS and other NHS websites
In-Reply-To: <20070505053514.hrtmzk0i0h60oks0@www.egypt.com>
References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <463C5C2B.7050206@callnetuk.com> <20070505053514.hrtmzk0i0h60oks0@www.egypt.com>
Message-ID: <463C687F.90405@iosis.co.uk>

vickyvicky@egypt.com wrote:
>> That's very interesting. So they were accustomed to using the directory
>> as a way of distributing non-public information.
>
> Some of it was public - the Competition Ratios (ie number of people
> applying for each job) were in a subfolder eg
> www.mtas.nhs.uk/info/ST_2007_1/CRST3.pdf
>
> The main /info folder was used for semi-public information. It wasn't
> openly advertised, but must have been intended for use by Deaneries
> and other Interested Parties. The directory could be listed, so it
> was easy to see when new files were uploaded.
>
>>> Someone presumably uploaded some highly confidential data into this
>>> folder. A handful of people would have seen it. Unluckily for
>>> MTAS, one of those people was Channel 4 News.
>>
>> Oh come on. "Unluckily"? The data was deliberately forwarded to Ch4
>> News by a doctor, in order to embarrass DH.
>
> Er what I meant was ' it was unlucky for MTAS that a doctor saw it so
> quickly'. It seems likely that the file was put there on a short-term
> basis so that it could be quickly disseminated. They might have got
> away with it. For all I know, they might have even done it on a
> regularish basis. Unluckily, they got spotted.
>

We really would like to know if the data files with all the applicants' data were completely open to anyone who discovered the URLs, i.e. if they could be viewed (on-line or after download) without logging in, if they could be viewed by everyone who had an account that is password protected (i.e. every doctor registered with the scheme), or if the files were themselves protected by individual passwords or in any other way.

Putting it another way, if Channel4 was simply given a URL and nothing else, could they access the data during its window of availability?

PeterT

From ukcrypto at chiark.greenend.org.uk Sat May 5 11:17:19 2007
From: ukcrypto at chiark.greenend.org.uk (ukcrypto@chiark.greenend.org.uk)
Date: Sat, 5 May 2007 06:17:19 -0400
Subject: MTAS and other NHS websites
In-Reply-To: <463C687F.90405@iosis.co.uk>
References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <463C5C2B.7050206@callnetuk.com> <20070505053514.hrtmzk0i0h60oks0@www.egypt.com> <463C687F.90405@iosis.co.uk>
Message-ID: <20070505061719.vd7e37k0uh9ckgcc@www.egypt.com>

Quoting Peter Tomlinson:
>
> Putting it another way, if Channel4 was simply given a URL and nothing
> else, could they access the data during its window of availability?
>
> PeterT

To the best of my knowledge, the file was placed in the /info folder, so anyone knowing the filename could have downloaded it. They probably could have viewed the filename in the directory listing too.

From ukcrypto at chiark.greenend.org.uk Sat May 5 13:19:14 2007
From: ukcrypto at chiark.greenend.org.uk (Peter Sommer)
Date: Sat, 5 May 2007 13:19:14 +0100
Subject: MTAS and other NHS websites
In-Reply-To: <463C687F.90405@iosis.co.uk>
Message-ID: <002d01c78f0f$984c7f20$1c00a8c0@novatech2800a>

Peter Tomlinson asks:

>Putting it another way, if Channel4 was simply given a URL and nothing
>else, could they access the data during its window of availability?

The answer is "yes", that is exactly what happened - and there was no password protection on the excel files.

It is interesting to learn from Vicky that:

> The main /info folder was used for semi-public information. It wasn't
> openly advertised, but must have been intended for use by Deaneries
> and other Interested Parties. The directory could be listed, so it
> was easy to see when new files were uploaded.

This tells me that the MTAS contract was handed out to a bunch of incompetents. As you may have seen from the Channel 4 News item yesterday (Friday): DoH/NHS paid very handsomely for what is in essence a very small simple databases service.

The junior doctors are p*ssed off at the mess to their career plans - the rest of us angry about the waste of public funds and deep-set incompetence. And when the Ministers say that they have called in security consultants (who after all can only secure an otherwise well-run system) instead of reviewing the entire procurement process, we get even angrier.

Peter Sommer

From ukcrypto at chiark.greenend.org.uk Sat May 5 13:41:30 2007
From: ukcrypto at chiark.greenend.org.uk (PeteM)
Date: Sat, 05 May 2007 13:41:30 +0100
Subject: MTAS and other NHS websites
In-Reply-To: <20070505061719.vd7e37k0uh9ckgcc@www.egypt.com>
References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <463C5C2B.7050206@callnetuk.com> <20070505053514.hrtmzk0i0h60oks0@www.egypt.com> <463C687F.90405@iosis.co.uk> <20070505061719.vd7e37k0uh9ckgcc@www.egypt.com>
Message-ID: <463C7B7A.7040503@callnetuk.com>

vickyvicky@egypt.com wrote:
> Quoting Peter Tomlinson:
>>
>> Putting it another way, if Channel4 was simply given a URL and nothing
>> else, could they access the data during its window of availability?
>>
>> PeterT
>
> To the best of my knowledge, the file was placed in the /info folder, so
> anyone knowing the filename could have downloaded it. They probably
> could have viewed the filename in the directory listing too.

In last night's Ch4 item, they said a doctor only had to change two digits of the URL that pointed to his own data, to get a valid URL for data referring to another doctor. (I think it was two.)

-- 
Pete Mitchell

From ukcrypto at chiark.greenend.org.uk Sat May 5 16:06:32 2007
From: ukcrypto at chiark.greenend.org.uk (Roland Perry)
Date: Sat, 5 May 2007 16:06:32 +0100
Subject: MTAS and other NHS websites
In-Reply-To: <20070505053514.hrtmzk0i0h60oks0@www.egypt.com>
References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <463C5C2B.7050206@callnetuk.com> <20070505053514.hrtmzk0i0h60oks0@www.egypt.com>
Message-ID:

In article <20070505053514.hrtmzk0i0h60oks0@www.egypt.com>, vickyvicky@egypt.com writes
>Er what I meant was ' it was unlucky for MTAS that a doctor saw it so
>quickly'. It seems likely that the file was put there on a short-term
>basis so that it could be quickly disseminated. They might have got
>away with it. For all I know, they might have even done it on a
>regularish basis. Unluckily, they got spotted.

This is not the sort of thing that should be trusted to luck :(

-- 
Roland Perry

From ukcrypto at chiark.greenend.org.uk Sat May 5 17:10:29 2007
From: ukcrypto at chiark.greenend.org.uk (ukcrypto@chiark.greenend.org.uk)
Date: Sat, 5 May 2007 12:10:29 -0400
Subject: MTAS and other NHS websites
In-Reply-To: <463C5C2B.7050206@callnetuk.com>
References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <463C5C2B.7050206@callnetuk.com>
Message-ID: <20070505121029.nd2s9zhrmwgos0cs@www.egypt.com>

>
> That's very interesting. So they were accustomed to using the directory
> as a way of distributing non-public information.
>

Interestingly, the directory listings are still in Google's cache.
A google search for site:mtas.nhs.uk info reveals amongst others:-

Index of /info/comms

      Name                     Last modified      Size  Description
[DIR] Parent Directory         22-Apr-2007 19:31     -
[ ]   Entering_ST_pp_detai..>  08-Dec-2006 12:30  161k
[ ]   MTAS_DL.pdf              05-Nov-2006 20:49  856k
[ ]   ST_updated_interview..>  16-Apr-2007 14:22  119k
[ ]   Security_guidelines_..>  02-Oct-2006 13:07   39k
[ ]   general_security_adv..>  02-Oct-2006 13:07   37k
[ ]   logistics_guide.pdf      08-Dec-2006 12:24  1.5M

Apache/1.3.37 Server at www.mtas.nhs.uk Port 80

Index of /info

      Name                     Last modified      Size  Description
[DIR] Parent Directory         19-Apr-2007 22:01     -
[ ]   Interview_booking_se..>  19-Feb-2007 14:29  250k
[ ]   RG-statement-4-April..>  04-Apr-2007 23:05   18k
[ ]   Review_Panel_Comms_t..>  09-Mar-2007 22:34   36k
[ ]   ST_shortlist_scoring..>  12-Feb-2007 11:35  427k
[ ]   Scotland_letter_2303..>  24-Mar-2007 10:32   74k
[DIR] comms/                   16-Apr-2007 14:22     -
[TXT] conf_pref.html           20-Apr-2007 08:03    4k
[TXT] faq_2303.html            23-Mar-2007 18:56    5k
[TXT] letter_2303.html         22-Apr-2007 19:33    4k
[TXT] review_panel.html        23-Mar-2007 18:37    3k
[TXT] review_panel_1603.html   16-Mar-2007 23:02    4k
[TXT] review_panel_2303.html   23-Mar-2007 18:37    5k
[DIR] st_2007_1/               18-Apr-2007 15:57     -
[ ]   uoa_status.pdf           01-Mar-2007 00:22   17k

etc etc.

The most interesting file is:-

http://www.mtas.nhs.uk/info/comms/general_security_advice.doc.

G o o g l e automatically generates html versions of documents as we crawl the web.
To link to or bookmark this page, use the following url:
http://www.google.com/search?q=cache:LV7P8zN4eu0J:www.mtas.nhs.uk/info/comms/general_security_advice.doc+site:mtas.nhs.uk+info/comms/&hl=en&ct=clnk&cd=3&gl=uk&client=firefox-a

Online Security - what we do
Ensuring your online applications are safe and secure

We use industry standard security technology and practices, focusing on three key areas - privacy, technology and identification to safeguard against loss, misuse and alteration of the information under our control.
However, you too can play your part in protecting your account.

Technology

We use many layers of security - for obvious reasons we cannot disclose all of them, but the following are typically used:

    * All our operating systems are immediately updated with the latest security patches
    * Our anti-virus software is updated regularly
    * Our systems and networks have firewalls to prevent unauthorised intruders

From ukcrypto at chiark.greenend.org.uk Sat May 5 19:46:01 2007
From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson)
Date: Sat, 05 May 2007 19:46:01 +0100
Subject: MTAS and other NHS websites
In-Reply-To: <20070505121029.nd2s9zhrmwgos0cs@www.egypt.com>
References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <463C5C2B.7050206@callnetuk.com> <20070505121029.nd2s9zhrmwgos0cs@www.egypt.com>
Message-ID: <463CD0E9.6070007@iosis.co.uk>

vickyvicky@egypt.com wrote:
> The most interesting file is:-
>
> http://www.mtas.nhs.uk/info/comms/general_security_advice.doc.
>
> Online Security - what we do
> Ensuring your online applications are safe and secure
>
> We use industry standard security technology and practices, focusing
> on three key areas - privacy, technology and identification to
> safeguard against loss, misuse and alteration of the information
> under our control. However, you too can play your part in protecting
> your account.
> Technology
>
> We use many layers of security - for obvious reasons we cannot
> disclose all of them, but the following are typically used:
>
> * All our operating systems are immediately updated with the
> latest security patches
> * Our anti-virus software is updated regularly
> * Our systems and networks have firewalls to prevent unauthorised
> intruders

Should be public sector standard security...

Snake oil is cheap to manufacture.

Peter

From ukcrypto at chiark.greenend.org.uk Sat May 5 21:43:23 2007
From: ukcrypto at chiark.greenend.org.uk (Brian Morrison)
Date: Sat, 5 May 2007 21:43:23 +0100
Subject: MTAS and other NHS websites
In-Reply-To: <20070505053514.hrtmzk0i0h60oks0@www.egypt.com>
References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <463C5C2B.7050206@callnetuk.com> <20070505053514.hrtmzk0i0h60oks0@www.egypt.com>
Message-ID: <20070505214323.376b8305@peterson.fenrir.org.uk>

On Sat, 5 May 2007 05:35:14 -0400
vickyvicky@egypt.com wrote:

> Er what I meant was ' it was unlucky for MTAS that a doctor saw it so
> quickly'. It seems likely that the file was put there on a short-term
> basis so that it could be quickly disseminated. They might have got
> away with it. For all I know, they might have even done it on a
> regularish basis. Unluckily, they got spotted.

I'm afraid that this sort of language is indicative of the whole problem. For the sake of expediency, you seem prepared to accept an extraordinarily lax standard of security, and more importantly no traceability and a lack of any audit trail.

I have to say, if this is the way that the medical profession behaves, then I think I'd like to have much better control over my data and no way of allowing it to be disseminated without my direct authorisation.

A good example of the road to hell being paved with good intentions...

-- 
Brian Morrison

bdm at fenrir dot org dot uk

"Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it."
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html From ukcrypto at chiark.greenend.org.uk Sat May 5 21:45:19 2007 From: ukcrypto at chiark.greenend.org.uk (PeteM) Date: Sat, 05 May 2007 21:45:19 +0100 Subject: MTAS and other NHS websites In-Reply-To: <20070505121029.nd2s9zhrmwgos0cs@www.egypt.com> References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <463C5C2B.7050206@callnetuk.com> <20070505121029.nd2s9zhrmwgos0cs@www.egypt.com> Message-ID: <463CECDF.8000106@callnetuk.com> vickyvicky@egypt.com wrote: > > Interestingly, the directory listings are still in Google's cache. > A google search for site:mtas.nhs.uk info > reveals amongst others:- > > Index of /info/comms > Name Last modified Size Description > But there are no entries for .xls files? -- PeteM From ukcrypto at chiark.greenend.org.uk Sun May 6 02:09:35 2007 From: ukcrypto at chiark.greenend.org.uk (Ian G Batten) Date: Sun, 6 May 2007 02:09:35 +0100 Subject: MTAS and other NHS websites In-Reply-To: <20070505053514.hrtmzk0i0h60oks0@www.egypt.com> References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <463C5C2B.7050206@callnetuk.com> <20070505053514.hrtmzk0i0h60oks0@www.egypt.com> Message-ID: On 5 May 2007, at 10:35, vickyvicky@egypt.com wrote: > > > Er what I meant was ' it was unlucky for MTAS that a doctor saw it > so quickly'. It seems likely that the file was put there on a short- > term basis so that it could be quickly disseminated. They might > have got away with it. For all I know, they might have even done it > on a regularish basis. Unluckily, they got spotted.
Are we really expected to be happy that medical profession confidentiality is reduced to ``and I'd have got away with it if it hadn't been for those pesky kids?'' The act of grouping together all information about a large number of people is itself a security problem, before you then leak it out. A clearance for level X will have a clause in it about not having access to sufficient level X so as to allow the holder to deduce information at level X+1, and that principle should have applied here. ian From ukcrypto at chiark.greenend.org.uk Sun May 6 02:15:49 2007 From: ukcrypto at chiark.greenend.org.uk (Ian G Batten) Date: Sun, 6 May 2007 02:15:49 +0100 Subject: MTAS and other NHS websites In-Reply-To: <463C7B7A.7040503@callnetuk.com> References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <463C5C2B.7050206@callnetuk.com> <20070505053514.hrtmzk0i0h60oks0@www.egypt.com> <463C687F.90405@iosis.co.uk> <20070505061719.vd7e37k0uh9ckgcc@www.egypt.com> <463C7B7A.7040503@callnetuk.com> Message-ID: On 5 May 2007, at 13:41, PeteM wrote: > > In last night's Ch4 item, they said a doctor only had to change two > digits of the URL that pointed to his own data, to get a valid URL > for data referring to another doctor. (I think it was two.) You can see how the conversation went, can't you? A developer pointed out that checking credentials on every transaction will slow things down, both in development and runtime terms. So they opted to just check credentials at the outset, and then bury a tracking number in the URL. That's bad: anyone who gets hold of the URL from a proxy log or the footer of a printout is in free. But the conversation never got on to the problem of the search space. If every number is a valid number, they're screwed. Had they instead hashed them into 128 bit quantities, so that only a tiny fraction of possible numbers were actually valid, they'd have got away with it. [[ Ever stayed in a Formula 1 hotel? They use six-digit pins for access to rooms. Why?
Because it's also a pin for the front door, and with 100 rooms it's only equivalent to four digits. ]] ian From ukcrypto at chiark.greenend.org.uk Sun May 6 09:56:14 2007 From: ukcrypto at chiark.greenend.org.uk (Mary Hawking) Date: Sun, 6 May 2007 09:56:14 +0100 Subject: MTAS and other NHS websites In-Reply-To: <20070506065559.2737.94011.Mailman@chiark.greenend.org.uk> References: <20070506065559.2737.94011.Mailman@chiark.greenend.org.uk> Message-ID: <99laKCCugZPGFwPl@tigers.demon.co.uk> >Are we really expected to be happy that medical profession >confidentiality is reduced to ``and I'd have got away with it if it >hadn't been for those pesky kids?'' The act of grouping together all >information about a large number of people is itself a security >problem, before you then leak it out. A clearance for level X will >have a clause in it about not having access to sufficient level X so >as to allow the holder to deduce information at level X+1, and that >principle should have applied here. > >ian I agree - as a GP I am *not* happy, not only because of the lapse - although that was bad enough - but the underlying attitude that security is *only* important if lack of it gets, embarrassingly, into the public domain - by which time the damage is done! I believe CfH says this work was out-sourced: if so, it would appear that the specifications were poorly drafted - or ignored. Of course, if, as a previous poster suggests, this file was intended as a semi-public file containing documents related to the processes, that would not have been a major problem: is it possible that the problem lay with the confidential files being supposed to be under much greater protection and incompetently uploaded into this particular file? Are there any *fool-proof* (fools exist everywhere ;- to prevent incompetent or malicious uploading to the wrong place?
Mind you, the fact that http://www.informatics.nhs.uk/ is still down for, I'm told, a similar problem but with less serious consequences , doesn't inspire confidence! vickyvicky, many thanks for joining the discussion Mary Hawking GP Dunstable -- Mary Hawking From ukcrypto at chiark.greenend.org.uk Sun May 6 11:02:44 2007 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Sun, 6 May 2007 11:02:44 +0100 Subject: MTAS and other NHS websites In-Reply-To: <99laKCCugZPGFwPl@tigers.demon.co.uk> References: <20070506065559.2737.94011.Mailman@chiark.greenend.org.uk> <99laKCCugZPGFwPl@tigers.demon.co.uk> Message-ID: In article <99laKCCugZPGFwPl@tigers.demon.co.uk>, Mary Hawking writes >is it possible that the problem lay with the confidential files being >supposed to be under much greater protection and incompetently uploaded >into this particular file? Yes, that seems to be the problem. >Are there any *fool-proof* (fools exist everywhere ;- to prevent >incompetent or malicious uploading to the wrong place? There are some fairly simple brute-force ways (from the sticking plaster book of web hosting): (1) Only allow [fsvo] trusted people write-permission to those folders at all. (2) Have a separate process constantly running which knows which files have been "passed" as suitable for uploading (with only [fsvo] trusted people allowed to edit that list), and remove any files not on that list into quarantine on a regular basis (eg once every 10 seconds). The maverick uploaders will eventually give up. And at a different level: (3) Turn off the web browser's facility where it lists the filenames in the absence of an index.html file in that folder - or maybe have an index.html that requires a [fsvo] trusted person to edit it when new and approved files are uploaded. Of course, this also begs the question of who writes the procedures, who is "trusted", and what "approved" means. 
-- Roland Perry From ukcrypto at chiark.greenend.org.uk Sun May 6 11:39:14 2007 From: ukcrypto at chiark.greenend.org.uk (Charles Lindsey) Date: Sun, 06 May 2007 11:39:14 +0100 Subject: MTAS and other NHS websites In-Reply-To: References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <463C5C2B.7050206@callnetuk.com> <20070505053514.hrtmzk0i0h60oks0@www.egypt.com> Message-ID: On Sat, 05 May 2007 16:06:32 +0100, Roland Perry wrote: > In article <20070505053514.hrtmzk0i0h60oks0@www.egypt.com>, > vickyvicky@egypt.com writes >> Er what I meant was ' it was unlucky for MTAS that a doctor saw it so >> quickly'. It seems likely that the file was put there on a short-term >> basis so that it could be quickly disseminated. They might have got >> away with it. For all I know, they might have even done it on a >> regularish basis. Unluckily, they got spotted. > > This is not the sort of thing that should be trusted to luck :( Security by Felicity? -- Charles H. Lindsey ---------At Home, doing my own thing------------------------ Tel: +44 161 436 6131   Web: http://www.cs.man.ac.uk/~chl Email: chl@clerew.man.ac.uk   Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. PGP: 2C15F1A9   Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5 From ukcrypto at chiark.greenend.org.uk Sun May 6 17:54:58 2007 From: ukcrypto at chiark.greenend.org.uk (steve) Date: Sun, 6 May 2007 16:54:58 +0000 Subject: A5 Cracking Project In-Reply-To: <20070506134101.3778.33796.Mailman@chiark.greenend.org.uk> References: <20070506134101.3778.33796.Mailman@chiark.greenend.org.uk> Message-ID: <20070506165458.GI14844@segfault.net> Hi, we are inviting people to design and build an A5/1 cracking machine. We are security enthusiasts. We started in January 2007 and built a GSM Receiver for 700 USD (http://www.thc.org/gsm). The first alpha version of the GSM receiver is available from our webpage. We are now looking for the next challenge: Cracking A5/1 for real.
We put up a public wiki at http://wiki.thc.org/cracking_a5 for anyone to edit and to add information. If you are interested please also subscribe to our mailing list by sending an email to a5-subscribe@lists.segfault.net Spread the word & happy hacking, steve From ukcrypto at chiark.greenend.org.uk Sun May 6 17:57:49 2007 From: ukcrypto at chiark.greenend.org.uk (ukcrypto@chiark.greenend.org.uk) Date: Sun, 6 May 2007 12:57:49 -0400 Subject: MTAS and other NHS websites In-Reply-To: <463CECDF.8000106@callnetuk.com> References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <463C5C2B.7050206@callnetuk.com> <20070505121029.nd2s9zhrmwgos0cs@www.egypt.com> <463CECDF.8000106@callnetuk.com> Message-ID: <20070506125749.zuxfgwauenz4kkks@www.egypt.com> Quoting PeteM : > vickyvicky@egypt.com wrote: >> >> Interestingly, the directory listings are still in Google's cache. >> A google search for site:mtas.nhs.uk info >> reveals amongst others:- >> >> Index of /info/comms >> Name Last modified Size Description >> > > But there are no entries for .xls files? > > > -- > PeteM Pete, there aren't any .xls files but presumably Google robot didn't crawl the site at the right time. If you look at the Channel 4 news item on Friday at http://www.channel4.com/news/articles/politics/domestic_politics/nhs+hit+by+further+it+chaos/497572 then you can see the URL the file was at on-screen. It shows at 1min34secs into the film.
It is partly obscured but clearly starts www.mtas.nhs.uk/info From ukcrypto at chiark.greenend.org.uk Sun May 6 20:25:39 2007 From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson) Date: Sun, 06 May 2007 20:25:39 +0100 Subject: MTAS and other NHS websites In-Reply-To: <20070506125749.zuxfgwauenz4kkks@www.egypt.com> References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <463C5C2B.7050206@callnetuk.com> <20070505121029.nd2s9zhrmwgos0cs@www.egypt.com> <463CECDF.8000106@callnetuk.com> <20070506125749.zuxfgwauenz4kkks@www.egypt.com> Message-ID: <463E2BB3.9010007@iosis.co.uk> vickyvicky@egypt.com wrote: > Quoting PeteM : > >> vickyvicky@egypt.com wrote: >> >>> Interestingly, the directory listings are still in Google's cache. >>> A google search for site:mtas.nhs.uk info >>> reveals amongst others:- >>> >>> Index of /info/comms >>> Name Last modified Size Description >>> >> But there are no entries for .xls files? >> >> -- >> PeteM > > > Pete, there aren't any .xls files but presumably Google robot didn't > crawl the site at the right time. > > If you look at the Channel 4 news item on Friday at > > http://www.channel4.com/news/articles/politics/domestic_politics/nhs+hit+by+further+it+chaos/497572 > > > then you can see the URL the file was at on-screen. It shows at > 1min34secs into the film. It is partly obscured but clearly starts > www.mtas.nhs.uk/info And after the /info there appears to me to be /_??_23_Apr/ and then a filename (the ?? I can't guess at). 23rd April was a Monday.
PeterT From ukcrypto at chiark.greenend.org.uk Mon May 7 07:34:58 2007 From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson) Date: Mon, 07 May 2007 07:34:58 +0100 Subject: Reorganistion of govt web sites Message-ID: <463EC892.5010601@iosis.co.uk> On the Cabinet Office Transformational Govt page http://www.cio.gov.uk/transformational_government/annual_report2006/index.asp is the January 2007 list of central govt websites to close ("at least 551 of them"). (MTAS isn't in the list) Sadly, on that page the Cabinet Office publicity for the Transformational Government Annual Report 2006 features only the story about 551 web sites to close... Foot in mouth job. The header on every page of the list says: "It is essential to note that the closure of a URL does not imply that the services or information available there are being shut down" etc etc. But the entries on the list don't say where the information will be going. See the January Transformational Govt Press Release at: http://www.cabinetoffice.gov.uk/newsroom/news_releases/2007/070110_ciostrategy.asp?ID=212 One web site on the closure list is the Chief Information Officer Council, but that one is still there. e.g. http://www.cio.gov.uk/transformational_government/strategy/index.asp http://www.cio.gov.uk/transformational_government/annual_report2006/index.asp The trouble with Cabinet Office stuff is that it has little significant influence over the spending depts. Not unless Treasury wields its lever of controlling the money, that is. Peter From ukcrypto at chiark.greenend.org.uk Mon May 7 08:38:13 2007 From: ukcrypto at chiark.greenend.org.uk (Mary Hawking) Date: Mon, 7 May 2007 08:38:13 +0100 Subject: MTAS and other NHS websites In-Reply-To: <20070507065850.5850.33070.Mailman@chiark.greenend.org.uk> References: <20070507065850.5850.33070.Mailman@chiark.greenend.org.uk> Message-ID: >>Are there any *fool-proof* (fools exist everywhere ;- to prevent >>incompetent or malicious uploading to the wrong place? 
> >There are some fairly simple brute-force ways (from the sticking >plaster book of web hosting): > >(1) Only allow [fsvo] trusted people write-permission to those folders >at all. > >(2) Have a separate process constantly running which knows which files >have been "passed" as suitable for uploading (with only [fsvo] trusted >people allowed to edit that list), and remove any files not on that >list into quarantine on a regular basis (eg once every 10 seconds). This appears to be a website containing information about processes. Is it safe to assume that one would *expect* procedures to be in place to approve documents before they were allowed to be uploaded? >The maverick uploaders will eventually give up. Are you assuming malice rather than accident? If so, this is a different - and very disturbing - scenario. > >And at a different level: > >(3) Turn off the web browser's facility where it lists the filenames in >the absence of an index.html file in that folder - or maybe have an >index.html that requires a [fsvo] trusted person to edit it when new >and approved files are uploaded. > >Of course, this also begs the question of who writes the procedures, >who is "trusted", and what "approved" means. Part of the business plan for that website? Mary Hawking >-- >Roland Perry -- Mary Hawking From ukcrypto at chiark.greenend.org.uk Mon May 7 10:12:02 2007 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Mon, 7 May 2007 10:12:02 +0100 Subject: MTAS and other NHS websites In-Reply-To: References: <20070507065850.5850.33070.Mailman@chiark.greenend.org.uk> Message-ID: In article , Mary Hawking writes > >>>Are there any *fool-proof* (fools exist everywhere ;- to prevent >>>incompetent or malicious uploading to the wrong place? >> >>There are some fairly simple brute-force ways (from the sticking >>plaster book of web hosting): >> >>(1) Only allow [fsvo] trusted people write-permission to those folders >>at all. 
>> >>(2) Have a separate process constantly running which knows which files >>have been "passed" as suitable for uploading (with only [fsvo] trusted >>people allowed to edit that list), and remove any files not on that >>list into quarantine on a regular basis (eg once every 10 seconds). > >This appears to be a website containing information about processes. Is >it safe to assume that one would *expect* procedures to be in place to >approve documents before they were allowed to be uploaded? I would expect such procedures for all websites. Especially a government one. [I work with websites that range from "all mine, I do what I want", to "need to submit all changes to a webmaster, who is part of a chain of command, which includes independently checking with corporate style, as well as the need to upload at all".] >>The maverick uploaders will eventually give up. > >Are you assuming malice rather than accident? >If so, this is a different - and very disturbing - scenario. Not malice, but not accidental (it can happen though). No, the scenario I had in mind was "well meaning but misguided" uploading. >>And at a different level: >> >>(3) Turn off the web browser's facility where it lists the filenames >>in the absence of an index.html file in that folder - or maybe have an >>index.html that requires a [fsvo] trusted person to edit it when new >>and approved files are uploaded. >> >>Of course, this also begs the question of who writes the procedures, >>who is "trusted", and what "approved" means. > >Part of the business plan for that website? Part of the security policy for the website - or failing that, a security policy for the organisations involved (both the NHS and the outsourced hoster). 
-- Roland Perry From ukcrypto at chiark.greenend.org.uk Mon May 7 10:39:53 2007 From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson) Date: Mon, 07 May 2007 10:39:53 +0100 Subject: MTAS and other NHS websites In-Reply-To: References: <20070507065850.5850.33070.Mailman@chiark.greenend.org.uk> Message-ID: <463EF3E9.7060407@iosis.co.uk> Roland Perry wrote: > In article , Mary Hawking > writes > > > > >> And at a different level: > >> > >> (3) Turn off the web browser's facility where it lists the > >> filenames in the absence of an index.html file in that folder - > >> or maybe have an index.html that requires a [fsvo] trusted person > >> to edit it when new and approved files are uploaded. > >> > >> Of course, this also begs the question of who writes the > >> procedures, who is "trusted", and what "approved" means. > > > > Part of the business plan for that website? > > Part of the security policy for the website - or failing that, a > security policy for the organisations involved (both the NHS and the > outsourced hoster). A policy that is detailed, not just broad brush. Methinks that a lot of people in the public sector who ought to do not know about detailed security policies and processes. But a local health centre ought to have them - and not just about its IT. (A note about data errors: my local health centre has the incorrect spelling for the name of my street - not an alternative, just wrong: there is a letter missing from the name. Asked to correct it, they said they cannot. Will I thus become a non-person when the data gets uploaded to the big database?) 
Peter From ukcrypto at chiark.greenend.org.uk Mon May 7 12:00:19 2007 From: ukcrypto at chiark.greenend.org.uk (PeteM) Date: Mon, 07 May 2007 12:00:19 +0100 Subject: MTAS and other NHS websites In-Reply-To: <463EF3E9.7060407@iosis.co.uk> References: <20070507065850.5850.33070.Mailman@chiark.greenend.org.uk> <463EF3E9.7060407@iosis.co.uk> Message-ID: <463F06C3.6060507@callnetuk.com> Peter Tomlinson wrote: > > (A note about data errors: my local health centre has the incorrect > spelling for the name of my street - not an alternative, just wrong: > there is a letter missing from the name. Asked to correct it, they said > they cannot. Will I thus become a non-person when the data gets uploaded > to the big database?) > It will be especially entertaining for people whose Spine records are mistakenly labelled "deceased". Not only will they not be able to get any more NHS treatment, but their demise will be communicated to DWP who will stop their benefits and pensions and cancel their NI cards so that they can't work. DVLA will have to be told, so that their driving licenses can be suspended. HMRC in turn will be informed and will freeze all relevant bank accounts. Their ID cards will of course be cancelled as a matter of routine. After that there won't be any way for them to complain that a mistake has been made, because the National Identity Register system is designed to reject complaints apparently coming from a deceased person. And no-one else can complain on their behalf, because that would be against the Data Protection Act. The unfortunate non-citizen will then have to go and live on roots and berries in the woods. Like Doc Daneeka in "Catch 22". 
-- Pete Mitchell From ukcrypto at chiark.greenend.org.uk Mon May 7 12:38:37 2007 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Mon, 7 May 2007 12:38:37 +0100 Subject: MTAS and other NHS websites In-Reply-To: <463F06C3.6060507@callnetuk.com> References: <20070507065850.5850.33070.Mailman@chiark.greenend.org.uk> <463EF3E9.7060407@iosis.co.uk> <463F06C3.6060507@callnetuk.com> Message-ID: In article <463F06C3.6060507@callnetuk.com>, PeteM writes >After that there won't be any way for them to complain that a mistake >has been made, because the National Identity Register system is >designed to reject complaints apparently coming from a deceased person. >And no-one else can complain on their behalf, because that would be >against the Data Protection Act. Although the DPA doesn't apply to dead people (it's framed in terms of "living individuals"). A good yarn apart from that! Although there's a different Catch-22 there, because the individual *is* still living so the DPA would indeed apply - it's just that while HMG thinks they are dead... -- Roland Perry From ukcrypto at chiark.greenend.org.uk Mon May 7 13:52:51 2007 From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson) Date: Mon, 07 May 2007 13:52:51 +0100 Subject: MTAS and other NHS websites In-Reply-To: <463F06C3.6060507@callnetuk.com> References: <20070507065850.5850.33070.Mailman@chiark.greenend.org.uk> <463EF3E9.7060407@iosis.co.uk> <463F06C3.6060507@callnetuk.com> Message-ID: <463F2123.7020203@iosis.co.uk> PeteM wrote: > Peter Tomlinson wrote: > >> (A note about data errors: my local health centre has the incorrect >> spelling for the name of my street - not an alternative, just wrong: >> there is a letter missing from the name. Asked to correct it, they >> said they cannot. Will I thus become a non-person when the data gets >> uploaded to the big database?) > > It will be especially entertaining for people whose Spine records are > mistakenly labelled "deceased". 
Not only will they not be able to get > any more NHS treatment, but their demise will be communicated to DWP > who will stop their benefits and pensions and cancel their NI cards so > that they can't work. DVLA will have to be told, so that their driving > licenses can be suspended. HMRC in turn will be informed and will > freeze all relevant bank accounts. Their ID cards will of course be > cancelled as a matter of routine. > > After that there won't be any way for them to complain that a mistake > has been made, because the National Identity Register system is > designed to reject complaints apparently coming from a deceased > person. And no-one else can complain on their behalf, because that > would be against the Data Protection Act. > > The unfortunate non-citizen will then have to go and live on roots and > berries in the woods. Like Doc Daneeka in "Catch 22". Which reminds me of another incident: several years ago my gas supply account was stolen by Scottish Power in the name of a person that I had never heard of and still don't have proof existed. Because I was not Scottish Power's new customer at this address, they were not obliged to take any notice of me. They even claimed that letters to their registered office had not been delivered (I must note that SP's management has changed since then). DTI was worse than useless in unravelling this or even understanding how it could happen. Eventually my account was returned to the existing supplier who had initially been very unhelpful, and SP paid £50. Should have been £1K. The public sector needs to do better in the services that it provides and in the regulation of other services. 
Peter From ukcrypto at chiark.greenend.org.uk Mon May 7 13:47:30 2007 From: ukcrypto at chiark.greenend.org.uk (Matthew Byng-Maddick) Date: Mon, 7 May 2007 13:47:30 +0100 Subject: MTAS and other NHS websites In-Reply-To: <20070505042223.t00tqhhsthxc0084@www.egypt.com> References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> Message-ID: <20070507124729.GR17334@colon.colondot.net> On Sat, May 05, 2007 at 04:22:23AM -0400, vickyvicky@egypt.com wrote: > I've only just stumbled across the list. I am a doctor and a > shortlister/interviewer in the present MTAS recruitment round. > > The /info folder on MTAS had previously contained a series of useful > files, including some of the rules for carrying out interviews, > competition ratios etc. It was a virtual directory listing, and new > files were added to it periodically. It was clearly intended as a way > for Deanery and other staff to keep up to date with current > information. Someone presumably uploaded some highly confidential data > into this folder. A handful of people would have seen it. Unluckily > for MTAS, one of those people was Channel 4 News. This is appalling, really. If security by obscurity (of URL) was all that protected, then whether or not Channel 4 News got involved, all it would take is one person looking at the site with Google Toolbar or some other such Google tool, and Google knows to go indexing that because it doesn't already have it. Either a contractor or a webmaster is seriously incompetent under these circumstances. > This was really only a minor breach of security, an act of stupidity, > although maybe symptomatic of a general attitude. Please feel free to tell that to someone whose sexual orientation (not well-known to colleagues) had their data revealed to Channel 4 News. I'm sure they'll agree with you that it was only a "minor breach of security". The question in my mind is now, "if this is only a minor breach of security what do you class as a major breach?". 
Cheers MBM -- Matthew Byng-Maddick http://colondot.net/ (Please use this address to reply) From ukcrypto at chiark.greenend.org.uk Mon May 7 16:41:03 2007 From: ukcrypto at chiark.greenend.org.uk (PeteM) Date: Mon, 07 May 2007 16:41:03 +0100 Subject: MTAS and other NHS websites In-Reply-To: References: <20070507065850.5850.33070.Mailman@chiark.greenend.org.uk> <463EF3E9.7060407@iosis.co.uk> <463F06C3.6060507@callnetuk.com> Message-ID: <463F488F.1040607@callnetuk.com> Roland Perry wrote: > In article <463F06C3.6060507@callnetuk.com>, PeteM > writes >> After that there won't be any way for them to complain that a mistake >> has been made, because the National Identity Register system is >> designed to reject complaints apparently coming from a deceased >> person. And no-one else can complain on their behalf, because that >> would be against the Data Protection Act. > > Although the DPA doesn't apply to dead people (it's framed in terms of > "living individuals"). A good yarn apart from that! Although there's a > different Catch-22 there, because the individual *is* still living so > the DPA would indeed apply - it's just that while HMG thinks they are > dead... You have forgotten doublethink, Winston. It is already practiced widely by government departments, especially the tax people. They'd absolutely revel in applying it here: [phone call to HMRC call centre] Caller: "Hello, HMRC? I'm calling on behalf of my husband ..." HMRC: "Sorry, I'm afraid we can't enter into any discussions with third parties because of the Data Protection Act. Your husband must call us himself." Caller: "But you won't take his phone calls, you say you've got him down as deceased." HMRC: "He's deceased is he? Ah, in that case the Data Protection Act doesn't apply and we can speak to you after all. How can we help?" Caller: "You've frozen all his bank accounts." HMRC: "Yes, that's right, we always do that with deceased persons." Caller: "But he's not dead, he's alive." HMRC: "He's alive? 
Are you sure?" Caller: "Of course I'm sure, he's my husband." HMRC: "Well in that case I'm afraid we can't enter into any discussions with third parties, because of the Data Protection Act. Your husband must call us himself ... " [rinse and repeat] -- Pete Mitchell From ukcrypto at chiark.greenend.org.uk Mon May 7 16:35:36 2007 From: ukcrypto at chiark.greenend.org.uk (ukcrypto@chiark.greenend.org.uk) Date: Mon, 7 May 2007 11:35:36 -0400 Subject: MTAS and other NHS websites In-Reply-To: <20070507124729.GR17334@colon.colondot.net> References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <20070507124729.GR17334@colon.colondot.net> Message-ID: <20070507113536.mdelzgw343dw0cgg@www.egypt.com> Quoting Matthew Byng-Maddick : >> This was really only a minor breach of security, an act of stupidity, >> although maybe symptomatic of a general attitude. > > Please feel free to tell that to someone whose sexual orientation (not > well-known to colleagues) had their data revealed to Channel 4 News. I'm > sure they'll agree with you that it was only a "minor breach of security". > > The question in my mind is now, "if this is only a minor breach of security > what do you class as a major breach?". > Mathew Obviously this is more than a minor breach of security, and I'm not trying to underplay the importance of this to anyone whose personal data was made public. The point that I was trying to make, though, is that this was a one-off goof. A mistake like this would not in itself have led to the site being off line for 10 days. Something more sinister must be going on as well.
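Ian G Batten's message of 6 May earlier in this thread describes credentials checked only at the outset, a tracking number in the URL, and a search space in which every number is valid; the sketch below contrasts that design with a sparse 128-bit token plus an ownership check on every request, and works through his six-digit PIN arithmetic. It is an added example, not code from MTAS or from any poster: the record numbers, account names and function names are constructed, and it assumes a keyed hash (HMAC) for the "128 bit quantities", because an unkeyed hash of a guessable number can be recomputed by anyone.

```python
import hashlib
import hmac
import math
import secrets

# Constructed sample data: record number -> owning account (all values invented).
RECORDS = {100234: "dr_a", 100235: "dr_b", 100236: "dr_c"}

# Assumption: a random key that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def guess_probability(valid_count, space_size):
    """Chance that one blind guess lands on an identifier that is in use."""
    return valid_count / space_size


def effective_digits(valid_count, space_size):
    """Decimal digits of protection left once valid_count identifiers are live."""
    return math.log10(space_size / valid_count)


def fetch_by_number(record_id, records):
    """The design described in the thread: identity was checked at login only,
    so any number that exists is served to whoever presents the URL."""
    if record_id in records:
        return 200, record_id
    return 404, None


def token_for(record_id, key=SERVER_KEY):
    """128-bit keyed hash of the record number (HMAC-SHA-256, truncated)."""
    mac = hmac.new(key, str(record_id).encode("ascii"), hashlib.sha256)
    return mac.digest()[:16].hex()


def build_token_index(records, key=SERVER_KEY):
    """Server-side table mapping each issued token back to its record number."""
    return {token_for(rid, key): rid for rid in records}


def fetch(token, session_user, index, records):
    """Hardened form: sparse token AND an ownership check on every request."""
    record_id = index.get(token)
    if record_id is None:
        return 404, None   # not an issued token; almost every guess ends here
    if records[record_id] != session_user:
        return 403, None   # a URL leaked via a log or printout is not enough
    return 200, record_id


if __name__ == "__main__":
    index = build_token_index(RECORDS)
    own = token_for(100234)
    print("number in URL, neighbouring record:", fetch_by_number(100235, RECORDS))
    print("token, owner's session:            ", fetch(own, "dr_a", index, RECORDS))
    print("token, someone else's session:     ", fetch(own, "dr_b", index, RECORDS))
    # Six-digit PINs shared by 100 rooms: one guess in 10**4, i.e. four digits.
    print("hotel PIN guess probability:", guess_probability(100, 10**6))
    print("hotel PIN effective digits: ", effective_digits(100, 10**6))
    print("128-bit token guess probability:",
          guess_probability(len(RECORDS), 2**128))
```

The two defences are independent: the sparse token removes the guessing problem, while the per-request ownership check is what handles a URL that has already leaked.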
From ukcrypto at chiark.greenend.org.uk Mon May 7 18:20:37 2007 From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson) Date: Mon, 07 May 2007 18:20:37 +0100 Subject: MTAS and other NHS websites In-Reply-To: <20070507113536.mdelzgw343dw0cgg@www.egypt.com> References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <20070507124729.GR17334@colon.colondot.net> <20070507113536.mdelzgw343dw0cgg@www.egypt.com> Message-ID: <463F5FE5.1060207@iosis.co.uk> vickyvicky@egypt.com wrote: > Quoting Matthew Byng-Maddick : > >>> This was really only a minor breach of security, an act of stupidity, >>> although maybe symptomatic of a general attitude. >> >> Please feel free to tell that to someone whose sexual orientation (not >> well-known to colleagues) had their data revealed to Channel 4 News. I'm >> sure they'll agree with you that it was only a "minor breach of >> security". >> >> The question in my mind is now, "if this is only a minor breach of >> security >> what do you class as a major breach?". > > Mathew > > Obviously this is more than a minor breach of security, and I'm not > trying to underplay the importance of this to anyone whose personal > data was made public. > The point that I was trying to make, though, is that this was a > one-off goof. A mistake like this would not in itself have led to the > site being off line for 10 days. Something more sinister must be > going on as well. > Or an almighty mess.
Peter From ukcrypto at chiark.greenend.org.uk Mon May 7 18:28:42 2007 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Mon, 7 May 2007 18:28:42 +0100 Subject: MTAS and other NHS websites In-Reply-To: <463F488F.1040607@callnetuk.com> References: <20070507065850.5850.33070.Mailman@chiark.greenend.org.uk> <463EF3E9.7060407@iosis.co.uk> <463F06C3.6060507@callnetuk.com> <463F488F.1040607@callnetuk.com> Message-ID: In article <463F488F.1040607@callnetuk.com>, PeteM writes >>A good yarn apart from that! Although there's a different Catch-22 >>there, because the individual *is* still living so the DPA would >>indeed apply - it's just that while HMG thinks they are dead... > >You have forgotten doublethink, Winston. No, because what you describe below was exactly what was in my mind when I posted what I did above. >It is already practiced widely by government departments, especially >the tax people. They'd absolutely revel in applying it here: > >[phone call to HMRC call centre] >Caller: "Hello, HMRC? I'm calling on behalf of my husband ..." >HMRC: "Sorry, I'm afraid we can't enter into any discussions with third >parties because of the Data Protection Act. Your husband must call us >himself." >Caller: "But you won't take his phone calls, you say you've got him >down as deceased." >HMRC: "He's deceased is he? Ah, in that case the Data Protection Act >doesn't apply and we can speak to you after all. How can we help?" >Caller: "You've frozen all his bank accounts." >HMRC: "Yes, that's right, we always do that with deceased persons." >Caller: "But he's not dead, he's alive." >HMRC: "He's alive? Are you sure?" >Caller: "Of course I'm sure, he's my husband." >HMRC: "Well in that case I'm afraid we can't enter into any discussions >with third parties, because of the Data Protection Act. Your husband >must call us himself ... 
" > >[rinse and repeat] -- Roland Perry From ukcrypto at chiark.greenend.org.uk Mon May 7 18:51:07 2007 From: ukcrypto at chiark.greenend.org.uk (Brian Morrison) Date: Mon, 7 May 2007 18:51:07 +0100 Subject: MTAS and other NHS websites In-Reply-To: <20070507113536.mdelzgw343dw0cgg@www.egypt.com> References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <20070507124729.GR17334@colon.colondot.net> <20070507113536.mdelzgw343dw0cgg@www.egypt.com> Message-ID: <20070507185107.6d0dfda2@peterson.fenrir.org.uk> On Mon, 7 May 2007 11:35:36 -0400 vickyvicky@egypt.com wrote: > Quoting Matthew Byng-Maddick : > > >> This was really only a minor breach of security, an act of stupidity, > >> although maybe symptomatic of a general attitude. > > > > Please feel free to tell that to someone whose sexual orientation (not > > well-known to colleagues) had their data revealed to Channel 4 News. I'm > > sure they'll agree with you that it was only a "minor breach of security". > > > > The question in my mind is now, "if this is only a minor breach of security > > what do you class as a major breach?". > > > > Mathew > > Obviously this is more than a minor breach of security, and I'm not > trying to underplay the importance of this to anyone whose personal > data was made public. It's that alright, and the mere fact that it was allowed to happen is utterly shocking. > The point that I was trying to make, though, is that this was a > one-off goof. A mistake like this would not in itself have led to the > site being off line for 10 days. Something more sinister must be going > on as well. It looks like a major re-engineering job is being carried out, or at least I hope so.
Whether the result will be an improvement or not remains to be seen; I for one won't be holding my breath because the state of the system seen already suggests that no one out there has a clue what they are doing. -- Brian Morrison bdm at fenrir dot org dot uk "Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it." GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html From ukcrypto at chiark.greenend.org.uk Mon May 7 20:48:42 2007 From: ukcrypto at chiark.greenend.org.uk (Ross Anderson) Date: Mon, 07 May 2007 20:48:42 +0100 Subject: MTAS and other NHS websites Message-ID: Roland: > Although the DPA doesn't apply to dead people (it's framed in terms of > "living individuals"). A good yarn apart from that! Although there's a > different Catch-22 there, because the individual *is* still living so > the DPA would indeed apply - it's just that while HMG thinks they are > dead... Many HMG procedures assume that everyone born more than 100 years ago is dead. By default your records are released 100 years after your birth. This was implemented by ONS a short time after the departure of the late Queen Mother, God Bless her soul ...
Perhaps, to defend the honour of the Information Commissioner, centenarians should no longer be sent a telegram but a happysleep pill Ross From ukcrypto at chiark.greenend.org.uk Mon May 7 21:09:13 2007 From: ukcrypto at chiark.greenend.org.uk (Mary Hawking) Date: Mon, 7 May 2007 21:09:13 +0100 Subject: MTAS and other NHS websites In-Reply-To: <20070507173101.18993.61128.Mailman@chiark.greenend.org.uk> References: <20070507173101.18993.61128.Mailman@chiark.greenend.org.uk> Message-ID: >Peter Tomlinson wrote: >> (A note about data errors: my local health centre has the incorrect >>spelling for the name of my street - not an alternative, just wrong: >>there is a letter missing from the name. Asked to correct it, they >>said they cannot. Will I thus become a non-person when the data gets >>uploaded to the big database?) >> > >It will be especially entertaining for people whose Spine records are >mistakenly labelled "deceased". But there is another problem here: how do records get labelled as "deceased" on the Spine? PDS - which only applies to England and Wales - now contains 72million *live* records - according to the PAC hearings - and the population of England and Wales is considerably less than that! I know that you can be officially or unofficially dead - but the rules *do* seem to be a bit vague for getting on - and off - in the first place! >Not only will they not be able to get any more NHS treatment, but their >demise will be communicated to DWP who will stop their benefits and >pensions and cancel their NI cards so that they can't work. DVLA will >have to be told, so that their driving licenses can be suspended. HMRC >in turn will be informed and will freeze all relevant bank accounts. >Their ID cards will of course be cancelled as a matter of routine. We have been assured that PDS will *not* be linked to other databases: I suspect that, once the PDS situation is examined, social services, DWP and DVLA will flatly refuse to have any cross-linking at all!
> >After that there won't be any way for them to complain that a mistake >has been made, because the National Identity Register system is >designed to reject complaints apparently coming from a deceased person. >And no-one else can complain on their behalf, because that would be >against the Data Protection Act. > >The unfortunate non-citizen will then have to go and live on roots and >berries in the woods. Like Doc Daneeka in "Catch 22". > >-- >Pete Mitchell Mary Hawking -- Mary Hawking From ukcrypto at chiark.greenend.org.uk Mon May 7 21:20:15 2007 From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson) Date: Mon, 07 May 2007 21:20:15 +0100 Subject: MTAS and other NHS websites In-Reply-To: References: <20070507173101.18993.61128.Mailman@chiark.greenend.org.uk> Message-ID: <463F89FF.6050700@iosis.co.uk> Mary Hawking wrote: > We have been assured that PDS will *not* be linked to other databases: > I suspect that, once the PDS situation is examined, social services, > DWP and DVLA will flatly refuse to have any cross-linking at all! The current situation appears to be that: - the DWP database is to be progressively cleaned (although I don't know how) and become the reference database for govt - the IND database will concentrate on specific groups of interest, including (of course) those who apply for passports, plus those who apply for entry visas and those from EU countries who become permanently resident I have not heard anything about the medical data, or about DVLA data. 
Peter From ukcrypto at chiark.greenend.org.uk Tue May 8 07:47:27 2007 From: ukcrypto at chiark.greenend.org.uk (David Hansen) Date: Tue, 08 May 2007 07:47:27 +0100 Subject: MTAS and other NHS websites In-Reply-To: <20070505053514.hrtmzk0i0h60oks0@www.egypt.com> References: <463C5C2B.7050206@callnetuk.com> Message-ID: <46402B0F.18326.2E2830@localhost> On 5 May 2007 at 5:35, vickyvicky@egypt.com wrote: > It seems likely that the file was put there on a short-term > basis so that it could be quickly disseminated. Things can be just as quickly disseminated to those who are authorised, without them being available to anyone. All that is necessary is competent designers. Unfortunately much of the public sector is addicted to using well known companies that will charge them a reassuringly large amount of money for simple tasks. The likes of British Telecom. That is one of the reasons IT projects constantly go wrong in the public sector. -- David Hansen, Edinburgh I will *always* explain revoked encryption keys, unless RIP prevents me http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54 From ukcrypto at chiark.greenend.org.uk Tue May 8 12:41:35 2007 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Tue, 8 May 2007 12:41:35 +0100 Subject: MTAS and other NHS websites In-Reply-To: <463F89FF.6050700@iosis.co.uk> References: <20070507173101.18993.61128.Mailman@chiark.greenend.org.uk> <463F89FF.6050700@iosis.co.uk> Message-ID: In article <463F89FF.6050700@iosis.co.uk>, Peter Tomlinson writes >- the IND database will concentrate on specific groups of interest, >including (of course) those who apply for passports, plus those who >apply for entry visas and those from EU countries who become >permanently resident What about permanent residents from countries outside the EU, but who don't need a Visa? (eg Americans?) There was a rumour that these were to be the first to be issued with UK ID cards. 
My second question is whether or not such an ID card will allow travel within the EU (without the need to carry their (eg USA) passport). Some European countries have a concept of a "Residency Card", which might be their way of solving this terminological issue. -- Roland Perry From ukcrypto at chiark.greenend.org.uk Tue May 8 13:54:40 2007 From: ukcrypto at chiark.greenend.org.uk (James Davis) Date: Tue, 08 May 2007 13:54:40 +0100 Subject: MTAS and other NHS websites In-Reply-To: <20070507113536.mdelzgw343dw0cgg@www.egypt.com> References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <20070507124729.GR17334@colon.colondot.net> <20070507113536.mdelzgw343dw0cgg@www.egypt.com> Message-ID: <46407310.2060205@ukerna.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 vickyvicky@egypt.com wrote: > The point that I was trying to make, though, is that this was a one-off > goof. A mistake like this would not in itself have led to the site being > off line for 10 days. It's difficult to understand how it can be described as a "one-off goof" when the problem, solution, and risk is obvious to anyone with a small amount of experience in the field. > Something more sinister must be going on as well. It's very easy to hypothesise about something which we have no evidence for.
http://imgs.xkcd.com/comics/conspiracy_theories.png :-) James - -- James Davis +44 1235 822 229 PGP: 0xC7C92EB7 JANET-CERT 0870 850 2340 (+44 1235 822 340) Atlas Centre, Chilton, Didcot, Oxfordshire, OX11 0QS -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGQHMQIle3s8fJLrcRAiXNAJ9cuRSLzM3L8dTqQyyUQV1LoW5yhACeOLAT q9zCjyLTbMqJCdLZXxM3n08= =ZoEF -----END PGP SIGNATURE----- From ukcrypto at chiark.greenend.org.uk Tue May 8 17:48:47 2007 From: ukcrypto at chiark.greenend.org.uk (Charles Lindsey) Date: Tue, 08 May 2007 17:48:47 +0100 Subject: MTAS and other NHS websites In-Reply-To: References: <20070507173101.18993.61128.Mailman@chiark.greenend.org.uk> <463F89FF.6050700@iosis.co.uk> Message-ID: On Tue, 08 May 2007 12:41:35 +0100, Roland Perry wrote: > In article <463F89FF.6050700@iosis.co.uk>, Peter Tomlinson > writes >> - the IND database will concentrate on specific groups of interest, >> including (of course) those who apply for passports, plus those who >> apply for entry visas and those from EU countries who become >> permanently resident > > What about permanent residents from countries outside the EU, but who > don't need a Visa? (eg Americans?) I think an American needs a Visa if his residence is to be "permanent". -- Charles H. Lindsey ---------At Home, doing my own thing------------------------ Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl Email: chl@clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5 From ukcrypto at chiark.greenend.org.uk Tue May 8 17:58:09 2007 From: ukcrypto at chiark.greenend.org.uk (Peter Fairbrother) Date: Tue, 08 May 2007 17:58:09 +0100 Subject: ... 
wireless pickpocketing era Message-ID: "Smartcard heralds cashfree era" http://money.guardian.co.uk/saving/banks/story/0,,2074949,00.html Basically a contactless smartcard a la oyster for payments up to £10. But afaict there is no user action at all required to authorise a payment, so unnoticeable on-the-street remote attacks may be possible* ... and "every so often it will ask for your PIN", but it is your credit card too, and presumably uses the same PIN for higher-value transactions ... sometimes I wish I was a criminal, they make it so easy :( *this isn't much use for Oyster cards as you can only use them to buy tube travel immediately, but if you can get cash ... -- Peter Fairbrother From ukcrypto at chiark.greenend.org.uk Tue May 8 22:53:29 2007 From: ukcrypto at chiark.greenend.org.uk (Ian Mason) Date: Tue, 8 May 2007 22:53:29 +0100 Subject: MTAS and other NHS websites In-Reply-To: References: <20070507173101.18993.61128.Mailman@chiark.greenend.org.uk> <463F89FF.6050700@iosis.co.uk> Message-ID: On 8 May 2007, at 17:48, Charles Lindsey wrote: > On Tue, 08 May 2007 12:41:35 +0100, Roland Perry > wrote: > >> In article <463F89FF.6050700@iosis.co.uk>, Peter Tomlinson >> writes >>> - the IND database will concentrate on specific groups of >>> interest, including (of course) those who apply for passports, >>> plus those who apply for entry visas and those from EU countries >>> who become permanently resident >> >> What about permanent residents from countries outside the EU, but >> who don't need a Visa? (eg Americans?) > > I think an American needs a Visa if his residence is to be > "permanent". > Roland would know, Jennifer is an alien from the USA. That just leaves us to figure out which planet Roland is from.
:-) Ian From ukcrypto at chiark.greenend.org.uk Tue May 8 22:58:37 2007 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Tue, 8 May 2007 22:58:37 +0100 Subject: MTAS and other NHS websites In-Reply-To: References: <20070507173101.18993.61128.Mailman@chiark.greenend.org.uk> <463F89FF.6050700@iosis.co.uk> Message-ID: In article , Charles Lindsey writes >> What about permanent residents from countries outside the EU, but who >>don't need a Visa? (eg Americans?) > >I think an American needs a Visa if his residence is to be "permanent". That may be the case today, but I'm not even sure of that. In past times what they needed was called a "letter of consent" issued a bit like a visa, but not called a visa. -- Roland Perry From ukcrypto at chiark.greenend.org.uk Wed May 9 00:36:40 2007 From: ukcrypto at chiark.greenend.org.uk (Ian G Batten) Date: Wed, 9 May 2007 08:36:40 +0900 Subject: MTAS and other NHS websites In-Reply-To: <46407310.2060205@ukerna.ac.uk> References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <20070507124729.GR17334@colon.colondot.net> <20070507113536.mdelzgw343dw0cgg@www.egypt.com> <46407310.2060205@ukerna.ac.uk> Message-ID: <31E1803C-F169-4A6B-92BE-C084D8EC15B9@uk.fujitsu.com> On 8 May 2007, at 21:54, James Davis wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > vickyvicky@egypt.com wrote: > >> The point that I was trying to make, though, is that this was a >> one-off >> goof. A mistake like this would not in itself have led to the site >> being >> off line for 10 days. > > It's difficult to understand how it can be described as a "one-off > goof" > when the problem, solution, and risk is obvious to anyone with a small > amount of experience in the field. You and I know that one-off goofs are no such thing, but are evidence of deeper process failure. 
You and I know that behind a security incident that gets found by a third party there are a hundred that went unseen, and should have been followed up as `near misses' but rarely are. But you're talking to the profession that has resisted clinical audit for generations, and is only in recent years waking up to the idea that you can't just dismiss things as one-off goofs. Vickyvicky would presumably have sat in meetings in Bristol and said ``one-off goof'' of each child that didn't make it. Or if s/he wouldn't, perhaps s/he could explain why this case is any less of an example of a deeper failure. ian From ukcrypto at chiark.greenend.org.uk Wed May 9 00:41:35 2007 From: ukcrypto at chiark.greenend.org.uk (Ian G Batten) Date: Wed, 9 May 2007 08:41:35 +0900 Subject: ... wireless pickpocketing era In-Reply-To: References: Message-ID: On 9 May 2007, at 01:58, Peter Fairbrother wrote: > "Smartcard heralds cashfree era" > > http://money.guardian.co.uk/saving/banks/story/0,,2074949,00.html > > Basically a contactless smartcard a la oyster for payments up to £10. I paid for my coffee yesterday evening with my Suica card, which does Oyster-like jobs for JR trains in and around Tokyo, and as of last month (hooray!) also replaced Passnet on buses and subways (although for that your Suica card is a special case of a Pasmo card). There's a huge number of shops that take Suica. I don't know what the limit on transactions is. Moreover, I've paid for two meals now with no authorisation on my credit card: hand it over, they pop it in a machine and hand it back. There's some C&P, which amazingly interworks (or is ignored: I didn't think to type a wrong PIN to check), but I couldn't convince a Shinkasen ticket machine that claimed to do C&P to take my cards last night at Shinagawa station, so I'm off today to find some cash to buy them with --- I don't fancy negotiating buying a train ticket in very broken English.
ian From ukcrypto at chiark.greenend.org.uk Wed May 9 04:37:40 2007 From: ukcrypto at chiark.greenend.org.uk (Peter Fairbrother) Date: Wed, 09 May 2007 04:37:40 +0100 Subject: ... wireless pickpocketing era In-Reply-To: Message-ID: Ian G Batten wrote: > > On 9 May 2007, at 01:58, Peter Fairbrother wrote: > >> "Smartcard heralds cashfree era" >> >> http://money.guardian.co.uk/saving/banks/story/0,,2074949,00.html >> >> Basically a contactless smartcard a la oyster for payments up to £10. > > I paid for my coffee yesterday evening with my Suica card, which does > Oyster-like jobs for JR trains in and around Tokyo, and as of last > month (hooray!) also replaced Passnet on buses and subways (although > for that your Suica card is a special case of a Pasmo card). There's > a huge number of shops that take Suica. I don't know what the limit > on transactions is. > > Moreover, I've paid for two meals now with no authorisation on my > credit card: hand it over, they pop it in a machine and hand it > back. There's some C&P, which amazingly interworks (or is ignored: I > didn't think to type a wrong PIN to check), but I couldn't convince a > Shinkasen ticket machine that claimed to do C&P to take my cards last > night at Shinagawa station, so I'm off today to find some cash to buy > them with --- I don't fancy negotiating buying a train ticket in very > broken English. I'm not in Japan :), and I'm a little confused - they pop it in a machine? then it isn't a contactless card, I guess. I had envisaged pickpockets in a crowd with their seconds (I don't know the correct word, but they tend to work in pairs as a minimum) buying cigarettes on a radio-linked card, with the crowd man just scarfing cards in the people in the crowd. The crowd and person would not notice - and three or four transactions would get them their next fix. The needed electronics are almost disposable - the tech knowledge to adapt them little more so.
- no physical contact, no exchange of possession, and therefore .. no theft ? - abstraction? Don't think it's fraud - Nick? -- Peter Fairbrother From ukcrypto at chiark.greenend.org.uk Wed May 9 05:50:41 2007 From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson) Date: Wed, 09 May 2007 05:50:41 +0100 Subject: ... wireless pickpocketing era In-Reply-To: References: Message-ID: <46415321.2080308@iosis.co.uk> Peter Fairbrother wrote: > Ian G Batten wrote: > > > On 9 May 2007, at 01:58, Peter Fairbrother wrote: > > > >> "Smartcard heralds cashfree era" > >> > >> http://money.guardian.co.uk/saving/banks/story/0,,2074949,00.html > >> > >> Basically a contactless smartcard a la oyster for payments up to > >> £10. > > > > I paid for my coffee yesterday evening with my Suica card, which > > does Oyster-like jobs for JR trains in and around Tokyo, and as of > > last month (hooray!) also replaced Passnet on buses and subways > > (although for that your Suica card is a special case of a Pasmo > > card). There's a huge number of shops that take Suica. I don't > > know what the limit on transactions is. > > > > Moreover, I've paid for two meals now with no authorisation on my > > credit card: hand it over, they pop it in a machine and hand it > > back. There's some C&P, which amazingly interworks (or is ignored: > > I didn't think to type a wrong PIN to check), but I couldn't > > convince a Shinkasen ticket machine that claimed to do C&P to take > > my cards last night at Shinagawa station, so I'm off today to find > > some cash to buy them with --- I don't fancy negotiating buying a > > train ticket in very broken English. > > I'm not in Japan :), and I'm a little confused - they pop it in a > machine? then it isn't a contactless card, I guess.
> > I had envisaged pickpockets in a crowd with their seconds (I don't > know the correct word, but they tend to work in pairs as a minimum) > buying cigarettes on a radio-linked card, with the crowd man just > scarfing cards in the people in the crowd. > > The crowd and person would not notice - and three or four > transactions would get them their next fix. The needed electronics > are almost disposable - the tech knowledge to adapt them little more > so. > > - no physical contact, no exchange of possession, and therefore .. no > theft ? - abstraction? Don't think it's fraud - Nick? > Note the information about the rules: £10 max per transaction, need the PIN every 10 transactions. That's supposed to convince us that the limit of exposure is £90. Peter From ukcrypto at chiark.greenend.org.uk Wed May 9 12:05:22 2007 From: ukcrypto at chiark.greenend.org.uk (David Hansen) Date: Wed, 09 May 2007 12:05:22 +0100 Subject: ... wireless pickpocketing era In-Reply-To: <46415321.2080308@iosis.co.uk> References: Message-ID: <4641B902.16921.297541@localhost> On 9 May 2007 at 5:50, Peter Tomlinson wrote: > Note the information about the rules: £10 max per transaction, need the > PIN every 10 transactions. That's supposed to convince us that the limit > of exposure is £90. Indeed. Even if it was £90 that is still a lot of money for many people. -- David Hansen, Edinburgh I will *always* explain revoked encryption keys, unless RIP prevents me http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54 From ukcrypto at chiark.greenend.org.uk Wed May 9 12:52:18 2007 From: ukcrypto at chiark.greenend.org.uk (Peter Fairbrother) Date: Wed, 09 May 2007 12:52:18 +0100 Subject: ... wireless pickpocketing era In-Reply-To: <4641B902.16921.297541@localhost> Message-ID: David Hansen wrote: > On 9 May 2007 at 5:50, Peter Tomlinson wrote: > >> Note the information about the rules: £10 max per transaction, need the >> PIN every 10 transactions.
That's supposed to convince us that the limit >> of exposure is £90. Yes - just wait till he inputs a pin, then scarf the card again ... and worse, it's not as if it's always every ten transactions, so he might have a chance of noticing, it might be after two or three transactions because the card has been used in a manner which the Bank thinks is suspicious, under an arcane set of rules which they won't tell us about for "security reasons" Or, suppose your kids get hold of it ... when it stops working, they put it back until Mummy or Daddy enters the pin which makes it work again .. > Indeed. Even if it was £90 that is still a lot of money for many > people. Yes. The real difficulty however is, how do you prove it? You _were_ walking down Oxford Street that day, may even have made some purchases in the shop next door, so the fact that you didn't buy that £9.99 bottle of gin/CD/DVD is going to be _very_ hard to prove ... especially a month or more later ... I'm not getting one. YMMV. -- Peter Fairbrother From ukcrypto at chiark.greenend.org.uk Wed May 9 09:29:25 2007 From: ukcrypto at chiark.greenend.org.uk (Sergei Lewis) Date: Wed, 09 May 2007 09:29:25 +0100 Subject: ... wireless pickpocketing era In-Reply-To: <20070509065605.2546.76421.Mailman@chiark.greenend.org.uk> References: <20070509065605.2546.76421.Mailman@chiark.greenend.org.uk> Message-ID: >Moreover, I've paid for two meals now with no authorisation on my >credit card: hand it over, they pop it in a machine and hand it >back. I've seen tube and train ticket machines around London that work like this too. >I couldn't convince a Shinkasen ticket machine that claimed to do >C&P to take my cards last night at Shinagawa station All the post office machines are happy with a Cirrus C&P card. Don't know whether they're actually doing C&P or fallback to magstripe though. >I'm not in Japan :), and I'm a little confused - they pop it in a machine? >then it isn't a contactless card, I guess.
It's contactless - you're supposed to touch it to a pad, like Oyster, but it can be read through a wallet. Don't know what the transaction limit is, but a lot of shops have Suica pads and the top-up machines have menu options for adding the equivalent of several tens of pounds to it. Presumably the transaction limit is low enough to make "you're not paying for what you think you're paying for" attacks not be worthwhile, or we'd be seeing some by now. -- Sergei Lewis (who gets digests, so has probably been beaten to saying all that by other people and hasn't seen it yet) From ukcrypto at chiark.greenend.org.uk Wed May 9 13:11:24 2007 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Wed, 9 May 2007 13:11:24 +0100 Subject: ... wireless pickpocketing era In-Reply-To: <4641B902.16921.297541@localhost> References: <46415321.2080308@iosis.co.uk> <4641B902.16921.297541@localhost> Message-ID: In article <4641B902.16921.297541@localhost>, David Hansen writes >> Note the information about the rules: £10 max per transaction, need the >> PIN every 10 transactions. That's supposed to convince us that the limit >> of exposure is £90. > >Indeed. Even if it was £90 that is still a lot of money for many >people. No-one is forced to get a card. The maximum you can put on an Oyster is also £90 I think (and maximum auto-topup £40) -- Roland Perry From ukcrypto at chiark.greenend.org.uk Wed May 9 13:14:02 2007 From: ukcrypto at chiark.greenend.org.uk (Peter Fairbrother) Date: Wed, 09 May 2007 13:14:02 +0100 Subject: ... wireless pickpocketing era In-Reply-To: Message-ID: Sergei Lewis wrote: >> I'm not in Japan :), and I'm a little confused - they pop it in a machine? >> then it isn't a contactless card, I guess. > > It's contactless - you're supposed to touch it to a pad, like Oyster, > but it can be read through a wallet. Presumably it also works through a coat? 
> Don't know what the transaction > limit is, but a lot of shops have Suica pads and the top-up machines > have menu options for adding the equivalent of several tens of pounds > to it. I guess it's a top-up card then, like an electronic cash card - if you lose it, it's considered lost. The new ones here are credit (and debit) cards though, and afaict you will only know you have been robbed when the monthly bill comes. > Presumably the transaction limit is low enough to make "you're > not paying for what you think you're paying for" attacks not be > worthwhile, or we'd be seeing some by now. It's "you are paying for something when you didn't even know you were paying at all" attacks that mostly concern me. -- Peter Fairbrother From ukcrypto at chiark.greenend.org.uk Wed May 9 13:24:03 2007 From: ukcrypto at chiark.greenend.org.uk (Peter Fairbrother) Date: Wed, 09 May 2007 13:24:03 +0100 Subject: ... wireless pickpocketing era In-Reply-To: Message-ID: Roland Perry wrote: > In article <4641B902.16921.297541@localhost>, David Hansen > writes >>> Note the information about the rules: £10 max per transaction, need the >>> PIN every 10 transactions. That's supposed to convince us that the limit >>> of exposure is £90. >> >> Indeed. Even if it was £90 that is still a lot of money for many >> people. > > No-one is forced to get a card. That's a bit disingenuous - peer pressure, convenience in shops etc, pressure from the banks (if you want a credit card it will be this type of card - not now, but potentially) and so on can be potent forces. -- Peter Fairbrother From ukcrypto at chiark.greenend.org.uk Wed May 9 16:10:59 2007 From: ukcrypto at chiark.greenend.org.uk (David Hansen) Date: Wed, 09 May 2007 16:10:59 +0100 Subject: ... wireless pickpocketing era In-Reply-To: References: <4641B902.16921.297541@localhost> Message-ID: <4641F293.18016.10A5BCA@localhost> On 9 May 2007 at 13:11, Roland Perry wrote: > No-one is forced to get a card.
Nobody is forced to pay bills by direct debit, in theory. -- David Hansen, Edinburgh I will *always* explain revoked encryption keys, unless RIP prevents me http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54 From ukcrypto at chiark.greenend.org.uk Wed May 9 16:13:24 2007 From: ukcrypto at chiark.greenend.org.uk (David Hansen) Date: Wed, 09 May 2007 16:13:24 +0100 Subject: ... wireless pickpocketing era In-Reply-To: <20070509115551.D0B4CD797F@liszt-08.lumison.net> References: <4641B902.16921.297541@localhost> Message-ID: <4641F324.21982.10C9072@localhost> On 9 May 2007 at 12:52, Peter Fairbrother wrote: > Or, suppose your kids get hold of it ... when it stops working, they put > it back until Mummy or Daddy enters the pin which makes it work again .. Hadn't thought of that, but a good point. > The real difficulty however is, how do you prove it? You _were_ walking > down Oxford Street that day, may even have made some purchases in the > shop next door, so the fact that you didn't buy that £9.99 bottle of > gin/CD/DVD is going to be _very_ hard to prove ... especially a month or > more later ... Especially as no-doubt, as with chip and pin (and indeed previous card schemes) the banks will assert that their engineering is infallible and it will be very difficult to prove otherwise. -- David Hansen, Edinburgh I will *always* explain revoked encryption keys, unless RIP prevents me http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54 From ukcrypto at chiark.greenend.org.uk Wed May 9 18:01:57 2007 From: ukcrypto at chiark.greenend.org.uk (Nicholas Bohm) Date: Wed, 09 May 2007 18:01:57 +0100 Subject: ... 
wireless pickpocketing era In-Reply-To: References: Message-ID: <4641FE85.2020701@ernest.net> Peter Fairbrother wrote: > Ian G Batten wrote: > >> On 9 May 2007, at 01:58, Peter Fairbrother wrote: >> >>> "Smartcard heralds cashfree era" >>> >>> http://money.guardian.co.uk/saving/banks/story/0,,2074949,00.html >>> >>> Basically a contactless smartcard a la oyster for payments up to £10. >> I paid for my coffee yesterday evening with my Suica card, which does >> Oyster-like jobs for JR trains in and around Tokyo, and as of last >> month (hooray!) also replaced Passnet on buses and subways (although >> for that your Suica card is a special case of a Pasmo card). There's >> a huge number of shops that take Suica. I don't know what the limit >> on transactions is. >> >> Moreover, I've paid for two meals now with no authorisation on my >> credit card: hand it over, they pop it in a machine and hand it >> back. There's some C&P, which amazingly interworks (or is ignored: I >> didn't think to type a wrong PIN to check), but I couldn't convince a >> Shinkansen ticket machine that claimed to do C&P to take my cards last >> night at Shinagawa station, so I'm off today to find some cash to buy >> them with --- I don't fancy negotiating buying a train ticket in very >> broken English. I thought your English was OK last time we spoke. > I'm not in Japan :), and I'm a little confused - they pop it in a machine? > then it isn't a contactless card, I guess. > > > I had envisaged pickpockets in a crowd with their seconds (I don't know the > correct word, but they tend to work in pairs as a minimum) buying cigarettes > on a radio-linked card, with the crowd man just scarfing cards in the people > in the crowd. > > The crowd and person would not notice - and three or four transactions would > get them their next fix. The needed electronics are almost disposable - the > tech knowledge to adapt them little more so. > > - no physical contact, no exchange of possession, and therefore ..
no theft > ? - abstraction? Don't think it's fraud - Nick? It's the sort of fraud consisting of deceiving a machine, which UK fraud notions used to find difficult to accommodate; but they are supposed to have been fixed by the Fraud Act 2006 (which I haven't yet had time to read). Nick -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 870285 (+44 1279 870285) Mobile 07715 419728 (+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From ukcrypto at chiark.greenend.org.uk Wed May 9 20:45:51 2007 From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson) Date: Wed, 09 May 2007 20:45:51 +0100 Subject: ... wireless pickpocketing era In-Reply-To: References: <20070509065605.2546.76421.Mailman@chiark.greenend.org.uk> Message-ID: <464224EF.5090203@iosis.co.uk> Sergei Lewis wrote: >> Moreover, I've paid for two meals now with no authorisation on my >> credit card: hand it over, they pop it in a machine and hand it >> back. > > I've seen tube and train ticket machines around London that work like > this too. When I use those machines in London, they need a PIN. Peter From ukcrypto at chiark.greenend.org.uk Wed May 9 21:30:52 2007 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Wed, 9 May 2007 21:30:52 +0100 Subject: ... wireless pickpocketing era In-Reply-To: <464224EF.5090203@iosis.co.uk> References: <20070509065605.2546.76421.Mailman@chiark.greenend.org.uk> <464224EF.5090203@iosis.co.uk> Message-ID: <4FnpBYW89iQGFAUc@perry.co.uk> In article <464224EF.5090203@iosis.co.uk>, Peter Tomlinson writes >>> Moreover, I've paid for two meals now with no authorisation on my >>> credit card: hand it over, they pop it in a machine and hand it >>> back. >> >> I've seen tube and train ticket machines around London that work like >>this too. > >When I use those machines in London, they need a PIN. 
I've bought train tickets in the last few months from a C&P enabled "National Rail" machine that didn't ask for a PIN for my no-chip credit card. The same is also very common for machines paying for parking at airports. Of course, the "marginal cost" of what they are selling me in these sorts of transaction is effectively zero, so perhaps they can afford to take the risk. ps My recently renewed Amex Charge Card now has C&P, which is probably a good excuse to send it back, as it has lost its essential and useful differentiation from most of my other cards. -- Roland Perry From ukcrypto at chiark.greenend.org.uk Thu May 10 08:28:37 2007 From: ukcrypto at chiark.greenend.org.uk (Ian G Batten) Date: Thu, 10 May 2007 16:28:37 +0900 (JST) Subject: Wireless Pickpocketing: Portmanteau Answer Message-ID: <40572.192.150.140.27.1178782117.squirrel@www.ftel.co.uk> > I'm not in Japan :), and I'm a little confused - they pop it in a machine? > then it isn't a contactless card, I guess. Sorry, it was late, and I was wittering. What I was saying was that I have been using two cards: * My Suica card is the same as an Oyster, using equivalent if not identical technology. It's contactless, it'll work through a wallet but not much further. It does Oyster type jobs, but the ecosystem of shops that will take it for small value transactions is much larger, and extends to most food places I've been in Tokyo, Shinagawa and Kawasaki this week. There's a limit on the maximum amount you can have on it, which I think is about fifty quid. Interestingly there doesn't seem to be an obvious way to top it up from a credit card: it's cash only at the machines. * My Standard UK Mastercard. What I was remarking on is that I found: - Places that take it, with a signature - Places that take it, with a PIN - Places that take it, with nothing --- two meals each costing about fifteen quid. From this I was speculating that the overall attitude to might be different in a low-crime society.
Certainly, spending my days shepherding a UK compliance team from one of our customers through our Japanese development centre's security policies I'm seeing some cultural disconnects! > I had envisaged pickpockets in a crowd with their seconds > (I don't know the correct word, but they tend to work in pairs > as a minimum) buying cigarettes on a radio-linked card, This is the question, which I don't think we ever got to the bottom of, of if you can read an RFID tag from an extended distance by using an aerial with some forward gain (to get power out to the device you're querying) and some receive gain (to pull the low-powered omni response up out of the noise floor). If that became possible, the fixes aren't hard for those that are worried about it. And one can easily imagine a card that only works when squeezed slightly... > I thought your English was OK last time we spoke. I wish. Only a week of having to modify my English to recognise the fact that I speak no Japanese, and I should therefore be grateful for the limited American English available from those around me, and I feel myself becoming increasingly incoherent. You try limiting your spoken English to simple structures with no intervening conversations with native speakers and see how you feel after a while. > All the post office machines are happy with a Cirrus C&P card. Don't > know whether they're actually doing C&P or fallback to magstripe though. Apparently, according to my Japanese colleagues, the JPN ATM position is a shambles anyway, with almost no machines that work universally even for domestic banks. The Post Office is apparently the only wide-spread network that handles international cards, as indeed it did perfectly happily here in the outskirts of Kawasaki. There's supposed to be some machines that will do international transactions in major railway stations, but as I couldn't find one in Shinagawa or Tokyo, it's hard to think where `major' means.
As of July 11th, 7/11 stores (do you see what they did there?) will be doing international funds withdrawals too. Which will be handy: they're easier to find than Post Offices. Railway fans will be interested to know that I selected my weekend tourist destination on the basis that 4 hours on a train there and four hours back was the limit for a weekend. 3hr59 turns out to get you 880km. ian -- I'm currently in Japan, so I am most likely to respond to any work email between 0100 and 0900 BST. I am reading my private email until 1400 BST. From ukcrypto at chiark.greenend.org.uk Thu May 10 11:01:00 2007 From: ukcrypto at chiark.greenend.org.uk (Nicholas Bohm) Date: Thu, 10 May 2007 11:01:00 +0100 Subject: ... wireless pickpocketing era In-Reply-To: <464224EF.5090203@iosis.co.uk> References: <20070509065605.2546.76421.Mailman@chiark.greenend.org.uk> <464224EF.5090203@iosis.co.uk> Message-ID: <4642ED5C.6010001@ernest.net> Peter Tomlinson wrote: > Sergei Lewis wrote: > >>> Moreover, I've paid for two meals now with no authorisation on my >>> credit card: hand it over, they pop it in a machine and hand it >>> back. >> >> I've seen tube and train ticket machines around London that work like >> this too. > > When I use those machines in London, they need a PIN. But not if you're using a Chip & Signature card! Nicholas -- Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 870285 (+44 1279 870285) Mobile 07715 419728 (+44 7715 419728) PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From ukcrypto at chiark.greenend.org.uk Thu May 10 16:34:16 2007 From: ukcrypto at chiark.greenend.org.uk (David Biggins) Date: Thu, 10 May 2007 16:34:16 +0100 Subject: Instructing spiders/crawlers Message-ID:
There are currently three standardised mechanisms for instructing spiders and crawlers.

The ROBOTS.TXT file
http://www.robotstxt.org/wc/norobots.html
http://www.w3.org/TR/1998/REC-html40-19980424/appendix/notes.html#h-B.4.1

The "ROBOTS" meta tag
http://www.w3.org/Search/9605-Indexing-Workshop/ReportOutcomes/Spidering.txt
http://www.w3.org/TR/1998/REC-html40-19980424/appendix/notes.html#h-B.4.1 (yes, that's the same link as the ROBOTS.TXT one).

And the XML sitemap.
http://www.google.com/support/webmasters/bin/answer.py?answer=40318&ctx=sibling
http://www.sitemaps.org/protocol.php

Right now, it's increasingly advisable to use all three, though I expect the sitemap will eventually substantially dominate because it is by far the most powerful.

If anyone were to mistake obscurity for security and leave data in a folder not linked by other pages but without other protection, it's worth pointing out that adding the folder to the ROBOTS.TXT or the sitemap is of course merely creating a signpost to it.

Dave.
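The "signpost" point in the message above can be checked on a site you run: every Disallow prefix and every sitemap URL is public, so each one has to be protected by real access control. The Python below is an added example, not part of any post in this thread; the robots.txt and sitemap bodies, the host www.example.org and the status table (what the owner sees when requesting each path with no credentials) are constructed.

```python
"""Audit what robots.txt and an XML sitemap advertise about a site you run."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample files for the hypothetical host www.example.org.
ROBOTS_TXT = """\
# constructed sample
User-agent: *
Disallow: /cgi-bin/
Disallow: /exports/    # unlinked folder of spreadsheets
Disallow: /admin/

User-agent: friendlybot
Disallow:
Sitemap: https://www.example.org/sitemap.xml
"""

SITEMAP_XML = """\
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example.org/</loc></url>
  <url><loc>https://www.example.org/exports/2007-05.xls</loc></url>
</urlset>
"""

# Constructed: HTTP status the owner observed per path with NO credentials.
# /admin/ was deliberately left unprobed to show the "unverified" case.
UNAUTH_STATUS = {"/cgi-bin/": 403, "/exports/": 200,
                 "/": 200, "/exports/2007-05.xls": 200}


def robots_disallowed(text):
    """Return every non-empty Disallow prefix, regardless of user-agent group."""
    prefixes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        # An empty "Disallow:" means "nothing is disallowed", so skip it.
        if field.lower() == "disallow" and value and value not in prefixes:
            prefixes.append(value)
    return prefixes


def sitemap_paths(xml_text):
    """Return the URL path of every <loc> entry in a sitemap document."""
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    root = ET.fromstring(xml_text)
    return [urlsplit(loc.text.strip()).path or "/"
            for loc in root.findall(".//sm:loc", ns)]


def audit(robots_text, sitemap_xml, unauth_status):
    """Flag advertised paths that rely on obscurity rather than access control."""
    findings = []
    disallowed = robots_disallowed(robots_text)
    for prefix in disallowed:
        status = unauth_status.get(prefix)
        if status is None:
            findings.append(("robots.txt", prefix, "unverified"))
        elif 200 <= status < 300:
            findings.append(("robots.txt", prefix, "open"))
    for path in sitemap_paths(sitemap_xml):
        # A sitemap entry under a Disallow prefix publishes the exact URL
        # that the robots.txt rule was meant to keep out of view.
        if any(path.startswith(prefix) for prefix in disallowed):
            findings.append(("sitemap", path, "conflict"))
    return findings


if __name__ == "__main__":
    for source, path, verdict in audit(ROBOTS_TXT, SITEMAP_XML, UNAUTH_STATUS):
        print(f"{source:10} {path:24} {verdict}")
```

A finding of "open" or "conflict" means the path needs authentication on the server, not another crawler directive.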
From ukcrypto at chiark.greenend.org.uk Thu May 10 17:37:19 2007 From: ukcrypto at chiark.greenend.org.uk (James Davis) Date: Thu, 10 May 2007 17:37:19 +0100 Subject: Instructing spiders/crawlers In-Reply-To: References: Message-ID: <46434A3F.70604@ukerna.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Biggins wrote: > Right now, it's increasingly advisable to use all three, though I expect > the sitemap will eventually substantially dominate because it is by far > the most powerful. XML sitemaps and robots.txt aren't equivalent. XML sitemaps tell spiders what pages are available to index but don't provide instruction on where it's forbidden to look for pages. James - -- James Davis +44 1235 822 229 PGP: 0xC7C92EB7 JANET-CERT 0870 850 2340 (+44 1235 822 340) Atlas Centre, Chilton, Didcot, Oxfordshire, OX11 0QS -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGQ0o/Ile3s8fJLrcRAvEzAJ4pDpGw6O1KOrIXUmQXPNNukQyQAACgvzmH 87+HrIHl1nwYQtX/rnD/CKM= =L+up -----END PGP SIGNATURE----- From ukcrypto at chiark.greenend.org.uk Thu May 10 09:37:39 2007 From: ukcrypto at chiark.greenend.org.uk (Tony Naggs) Date: Thu, 10 May 2007 09:37:39 +0100 Subject: Wireless Pickpocketing: Portmanteau Answer Message-ID: Ian Batten wrote: >* My Suica card is the same as an Oyster, using equivalent if not >identical technology. It's contactless, it'll work through a wallet but >not much further. It does Oyster type jobs, but the ecosystem of shops >that will take it for small value transactions is much larger, and extends The range for Oyster or similar card readers is around 5cm, this can be doubled, or so, with fine tuning AND where there are no other card readers nearby. The readers will be unreliable if they are picking up the RF carrier generated by other readers. In Japan the FeliCa contactless technology is included in some mobile phones from DoCoMo.
These phones include a 'wallet' application that can view the transaction history of debits & top-ups. >This is the question, which I don't think we ever got to the bottom of, of >if you can read an RFID tag from an extended distance by using an aerial >with some forward gain (to get power out to the device you're querying) As far as I understand the antenna size needs to be quite large (e.g. 1m) to get a range measured in metres. In a scenario where people are moving (e.g. station concourse) you would probably have difficulty maintaining communication with a specific card. It would also be easy to detect the carrier from the RFID equipment. Whilst I believe the RFID cards used for this kind of application generally use proprietary technologies I also understand that they use cryptographic protocols. I don't know how strong the crypto is. >and some receive gain (to pull the low-powered omni response up out of the >noise floor). If that became possible, the fixes aren't hard for those >that are worried about it. And one can easily imagine a card that only >works when squeezed slightly... A metal case, such as one used for carrying business cards would be a pretty good protection. Regards, Tony From ukcrypto at chiark.greenend.org.uk Wed May 9 07:28:48 2007 From: ukcrypto at chiark.greenend.org.uk (Mark Lomas) Date: Wed, 9 May 2007 07:28:48 +0100 Subject: ... wireless pickpocketing era In-Reply-To: References: Message-ID: On 09/05/07, Ian G Batten wrote: > Moreover, I've paid for two meals now with no authorisation on my > credit card: hand it over, they pop it in a machine and hand it > back. There's some C&P, which amazingly interworks (or is ignored: I > didn't think to type a wrong PIN to check), but I couldn't convince a > Shinkansen ticket machine that claimed to do C&P to take my cards last > night at Shinagawa station, so I'm off today to find some cash to buy > them with --- I don't fancy negotiating buying a train ticket in very > broken English.
I visit Japan quite often as my wife is Japanese. I have tried a number of C&P devices and concluded that the places where interoperability would be most useful don't work, but sometimes you get a pleasant surprise. For example many banks won't accept foreign debit cards even though they display logos such as Visa or Mastercard. However I found that the Japanese Post Office accepts foreign Visa cards. Somebody in the security department of NTT told me that the phone company deliberately turned off compatibility with foreign cards after finding that they accounted for a disproportionate amount of fraud. It may be that JR had a similar experience. Mark From ukcrypto at chiark.greenend.org.uk Sat May 12 20:33:22 2007 From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson) Date: Sat, 12 May 2007 20:33:22 +0100 Subject: MTAS and other NHS websites In-Reply-To: <31E1803C-F169-4A6B-92BE-C084D8EC15B9@uk.fujitsu.com> References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <20070507124729.GR17334@colon.colondot.net> <20070507113536.mdelzgw343dw0cgg@www.egypt.com> <46407310.2060205@ukerna.ac.uk> <31E1803C-F169-4A6B-92BE-C084D8EC15B9@uk.fujitsu.com> Message-ID: <46461682.6040802@iosis.co.uk> Ian G Batten wrote: > > On 8 May 2007, at 21:54, James Davis wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > > > vickyvicky@egypt.com wrote: > > > >> The point that I was trying to make, though, is that this was a > >> one-off goof. A mistake like this would not in itself have led to > >> the site being off line for 10 days. > > > > It's difficult to understand how it can be described as a "one-off > > goof" when the problem, solution, and risk is obvious to anyone > > with a small amount of experience in the field. > > You and I know that one-off goofs are no such thing, but are evidence > of deeper process failure. 
You and I know that behind a security > incident that gets found by a third party there are a hundred that > went unseen, and should have been followed up as `near misses' but > rarely are. > > But you're talking to the profession that has resisted clinical audit > for generations, and is only in recent years waking up to the idea > that you can't just dismiss things as one-off goofs. Vickyvicky > would presumably have sat in meetings in Bristol and said ``one-off > goof'' of each child that didn't make it. Or if s/he wouldn't, > perhaps s/he could explain why this case is any less of an example of > a deeper failure. > There is a lot about MTAS at http://ferretfancier.blogspot.com/. It appears to be rotten through and through. The post at http://ferretfancier.blogspot.com/search/label/MTAS%20point%20what comments on the 10th May state of the MTAS web site. Peter From ukcrypto at chiark.greenend.org.uk Fri May 11 13:00:57 2007 From: ukcrypto at chiark.greenend.org.uk (ukcrypto@chiark.greenend.org.uk) Date: Fri, 11 May 2007 13:00:57 +0100 Subject: Wireless Pickpocketing: Portmanteau Answer Message-ID: >> A metal case, such as one used for carrying business cards would be a pretty good protection. Or a personal RFID firewall See: http://www.rfidguardian.org/index.html
From ukcrypto at chiark.greenend.org.uk Mon May 14 12:05:49 2007 From: ukcrypto at chiark.greenend.org.uk (Matthew Pemble) Date: Mon, 14 May 2007 12:05:49 +0100 Subject: Wireless Pickpocketing: Portmanteau Answer In-Reply-To: References: Message-ID: <4648428D.402@pemble.net> george.french@barclays.com wrote: >>>A metal case, such as one used for carrying business cards would be a pretty good protection. >>> >>> >Or a personal RFID firewall See: http://www.rfidguardian.org/index.html > > Passive protection, if it gives the same level of attenuation, is generally more appropriate than active - these seem reasonable - http://www.difrwear.com/products.shtml - although you will beep when you go through the airport metal detectors :) Matthew From ukcrypto at chiark.greenend.org.uk Mon May 14 11:37:35 2007 From: ukcrypto at chiark.greenend.org.uk (ken) Date: Mon, 14 May 2007 11:37:35 +0100 Subject: Wireless Pickpocketing: Portmanteau Answer In-Reply-To: References: Message-ID: <46483BEF.6050302@bbk.ac.uk> Tony Naggs wrote: > A metal case, such as one used for carrying business cards would be a > pretty good protection. A business opportunity? Faraday cage wallets?
From ukcrypto at chiark.greenend.org.uk Mon May 14 12:58:01 2007 From: ukcrypto at chiark.greenend.org.uk (Roland Perry) Date: Mon, 14 May 2007 12:58:01 +0100 Subject: Wireless Pickpocketing: Portmanteau Answer In-Reply-To: <46483BEF.6050302@bbk.ac.uk> References: <46483BEF.6050302@bbk.ac.uk> Message-ID: In article <46483BEF.6050302@bbk.ac.uk>, ken writes >> A metal case, such as one used for carrying business cards >would be a >> pretty good protection. > >A business opportunity? > >Faraday cage wallets? Already suggested by many as a 'solution' to USA rfid-equipped passports. Interestingly, I have seen several notices at passport control offices around Europe saying that people should "remove passports from wallets" before presenting them to staff. -- Roland Perry From ukcrypto at chiark.greenend.org.uk Mon May 14 13:22:37 2007 From: ukcrypto at chiark.greenend.org.uk (Peter Tomlinson) Date: Mon, 14 May 2007 13:22:37 +0100 Subject: Wireless Pickpocketing: Portmanteau Answer In-Reply-To: References: <46483BEF.6050302@bbk.ac.uk> Message-ID: <4648548D.5010207@iosis.co.uk> Roland Perry wrote: > In article <46483BEF.6050302@bbk.ac.uk>, ken > writes > > >> A metal case, such as one used for carrying business cards > > would be a pretty good protection. > > > > A business opportunity? > > > > Faraday cage wallets? > > Already suggested by many as a 'solution' to USA rfid-equipped > passports. Interestingly, I have seen several notices at passport > control offices around Europe saying that people should "remove > passports from wallets" before presenting them to staff. A single layer of metal or metallised material should suffice. Recent tests of 'traditional' holographic film as used for overlays on some security documents showed that it severely affected the performance of contactless smart cards when applied to them. Non-metallic holographic film is now available for use where smart cards or chip-embedded documents have to have security overlays. 
Peter From ukcrypto at chiark.greenend.org.uk Tue May 15 00:59:59 2007 From: ukcrypto at chiark.greenend.org.uk (ukcrypto@chiark.greenend.org.uk) Date: Mon, 14 May 2007 19:59:59 -0400 Subject: MTAS and other NHS websites In-Reply-To: <46461682.6040802@iosis.co.uk> References: <20070505042223.t00tqhhsthxc0084@www.egypt.com> <20070507124729.GR17334@colon.colondot.net> <20070507113536.mdelzgw343dw0cgg@www.egypt.com> <46407310.2060205@ukerna.ac.uk> <31E1803C-F169-4A6B-92BE-C084D8EC15B9@uk.fujitsu.com> <46461682.6040802@iosis.co.uk> Message-ID: <20070514195959.6ye9854reasgggk8@www.egypt.com> >> You and I know that one-off goofs are no such thing, but are evidence >> of deeper process failure. You and I know that behind a security >> incident that gets found by a third party there are a hundred that >> went unseen, and should have been followed up as `near m