UK Scouts database 'flaws' raise concerns

Serious concerns have been raised over the security of the Scout Association's database, which holds the contact details of 450,000 young people and volunteer adults, The Register can reveal. A Scout leader contacted the Register to express grave concerns that the association's Compass database is not secure, despite the …


  1. Alister

    THINK OF THE CHILDREN!

  2. Anonymous Coward
    Anonymous Coward

    UK Scout Database

    I'm Currently a scout leader and all the leaders i know are having major problems with being able to access the new compass system. we keep getting told "It will be sorted" but nothing seems to change. the system i feel is totally floored and they don't seem to care and just keep telling us it will be sorted.

    no a happy Scouter

    1. Baldie
      Facepalm

      Re: UK Scout Database

      Floored or Flawed? This worries me. As does the unpredictability of your shift key.

      no a happy parent

      I think I would be less worried about having my kids' data stored on a system where people could look up their birthdays than putting them in the charge of people with such little command of their language.

      But I do realise I am old fashioned like that.

      1. Terry 6 Silver badge

        Re: UK Scout Database

        @Baldie

        These are volunteer scout leaders. If you worry they may not be up to your standards, then volunteer yourself.

        1. Anonymous Coward
          Anonymous Coward

          Re: UK Scout Database

          > These are volunteer scout leaders. If you worry they may not be up to your standards, then volunteer yourself.

          Or better yet, don't put your kids in a sect.

      2. Anonymous Coward
        Anonymous Coward

        Re: UK Scout Database

        "no a happy parent"

        What does that mean?

        Does it mean that you have very little command of the English language?

        Are you in 'charge' of your kids?

        Should they be taken away from you?

        1. Kubla Cant

          Re: UK Scout Database

          "no a happy parent"

          What does that mean?

          Does it mean that you have very little command of the English language?

          "no a happy parent" is clearly an echo of "no a happy Scouter" in the original post. You should read the whole thread before replying.

      3. RegW

        Re: UK Scout Database

        Would that be: "not a happy parent" ?

        :-)

    2. Zog_but_not_the_first
      Joke

      Re: UK Scout Database

      So, no badge for the developers then?

      1. Tom 13

        Re: So, no badge for the developers then?

        Back when I was a Scout, that would be true.

        In the new improved, self-esteem building Scouts, I think you get the badge just for participating.

    3. Anonymous Coward
      Anonymous Coward

      SCOUT database?

      I'd read Scouse database and couldn't make sense of the article.

  3. Christoph

    Standard response

    If (Users report serious security problems)

    {

    Say "Security is our first concern";

    Say "Our system has been properly tested and is secure";

    Do <null>;

    }

  4. djack

    Probably not allowed to do a full test

    Whoever did the testing (if any) was probably only engaged to look at the underlying OS layer and not the application itself. Or expected to test the system without being permitted to actually log in to the application.

    I am faced with this quite often and am amazed by some customers' opposition to me doing the job properly.

    1. 0laf

      Re: Probably not allowed to do a full test

      They'll have panicked at the thought of proper pen testing actually costing money and/or the worrying prospect it might find something which would then need to be fixed.

      Far better to get the developer to run an out of date, unlicensed copy of Nessus at it for 10min.

  5. Anonymous Coward
    Anonymous Coward

    Define Accessible...

    "Compass is not a publicly accessible system"

    https://compass.scouts.org.uk

    OK, so you shouldn't be able to sign up without a valid membership number, etc. but given the quality of some of the data in the system it wouldn't surprise me in the least if some people have logins who shouldn't have...

    1. Tim Jenkins

      Re: Define Accessible...

      "...some people have logins who shouldn't have...."

      and some people are scout leaders who shouldn't be.

      (although my own unfortunate experiences were as a cadet with the St John Ambulance back in the 80s, which seemed to attract an even weirder bunch of 'leaders' than the Scouts did. Something to do with the black paramilitary uniform with silver Maltese Crosses, and the regular bandaging and CPR practice, perhaps. Yuch.)

      1. Anonymous Coward
        Anonymous Coward

        Re: Define Accessible...

        > Something to do with the black paramilitary uniform with silver Maltese Crosses, and the regular bandaging and CPR practice,

        Maybe they misread the bandaging bit?

  6. A Non e-mouse Silver badge
    FAIL

    Data Protection

    "We have engaged highly regarded contractors and security experts to ensure that we comply with data protection legislation."

    "We are looking to remove the ability for our managers to see data that is not directly relevant to their role"

    Someone needs to re-read the basics of UK data protection law: ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/ - and fire their consultants.

    Proper access control is a fundamental part of data protection and should have been baked in at the drawing board.

    1. NogginTheNog
      FAIL

      Re: Data Protection

      I expect the software will have the ability to provide full access control to whomever you wish. The failure will have been during the implementation something along the lines of this:

      Implementers - "Right, we'll need to create access control groups with suitable granular levels of access and carefully audited membership"

      Scouts people - "oh just set up the one group and bung everyone in that, that'll be ok won't it?"

  7. A Non e-mouse Silver badge
    FAIL

    CRB

    Every adult using the system will have been thoroughly vetted via a criminal records disclosure check

    1 - It hasn't been called CRB for several years. It's now DBS. (Disclosure and Barring Service) Something the Scouts should plainly know.

    2 - A clean CRB/DBS check does NOT mean the person is not a ne'er do well. All it means is that the person hasn't been noticed and recorded by the authorities yet. Ian Huntley anyone...?

    1. Terry 6 Silver badge

      Re: CRB

      Absolutely, I've never thought of CRB/DBS/whatever they will call it next as being anything but a protection for the authorities, not the kids, other than as a by-product of the main purpose. Which is the usual one of the people with suits making sure that they don't get blamed for stuff that goes wrong.

      All DBS/... means is that the person hasn't been caught yet.

      It's a good idea to have background checks. But these are really no more than a minimum.

      1. Lusty

        Re: CRB

        It has nothing to do with protecting the authorities, the authorities would do just fine with or without the checks. The purpose of the checks is to allow the service (scouts, schools, whatever) to continue functioning after a bunch of morons get in the papers saying "something MUST be done!" without fully thinking through the practicality and privacy issues of actually doing something. These checks are as far as you could go without being overly invasive and costing so much as to shut down the whole system - they do, however, nicely deal with responding to those whose words would otherwise close everything down.

        The reality is that some people will always get into positions they shouldn't ideally get into. There is nothing practical that can be done to stop that aside from a weak deterrent. Our society is full of such weak deterrents - CCTV for instance, or the locks on your front door/windows at home. Neither stops the crime, they just deter the less determined from trying.

    2. Anonymous Coward
      Anonymous Coward

      Re: CRB

      Every adult using the system will have been thoroughly vetted via a criminal records disclosure check

      1 - It hasn't been called CRB for several years. It's now DBS. (Disclosure and Barring Service) Something the Scouts should plainly know.

      1.1 - They never called it "CRB"? It hasn't been called "I'm a pompous pedant" for several years either. Something the Scouts should plainly know.

    3. Anonymous Coward
      Anonymous Coward

      Re: CRB

      > A clean CRB/DBS check does NOT mean the person is not a ne'er do well.

      And whether it is or not is a rubbish predictor of how good or bad they might be at working with children. I can think of a couple of excellent parents and educators I know of with criminal records the size of a small library. Their experience¹ is something that children can learn from too.

      ¹ Well, some bits of their experience. Preferably not the parts about dodgy cheques or fake driving licences; although then again, you never know when that might come in handy.

    4. Anonymous Coward
      Anonymous Coward

      Re: CRB

      Ian Huntley had been noticed and recorded, it's just the dumbasses at a succession of cop shops didn't bother to a) share their concerns or b) bother to check the PNC

  8. Anonymous Coward
    Anonymous Coward

    Where are Capita when you need them?

    they'd sort this out

  9. Xpositor

    Scout's Motto?

    I always thought the Scouting movement's motto was "Be Prepared"?

  10. Pen-y-gors

    No shit sherlock!

    "UK Scouts database 'flaws' raise concerns - System holds records of ALL scouts in the country"

    Wow, how could that be allowed to happen? Next we'll hear that the Upper Chudleigh Campanology Society database holds records on all members of the Upper Chudleigh Campanology Society. Shameful!

    Out of interest, what would be the point of a UK Scouts database that DIDN'T hold records for all UK scouts?

    1. edge_e
      Boffin

      Re: No shit sherlock!

      Out of interest, what would be the point of a UK Scouts database that DIDN'T hold records for all UK scouts?

      You're asking the wrong question.

      The correct one is:-

      Why does there need to be a UK scout database that holds the records for all UK scouts.

      1. TallPaul

        Re: No shit sherlock!

        Quite so, that's the question that I've been asking myself. Historically groups held their own records, on paper. All headquarters required was an annual head count as they charged a capitation fee for providing their services to the groups. Seemed to work out OK for everyone.

        1. rnorman345

          Re: The way we used to do it ....

          I agree that by far the most secure way was when we used to keep records locally and only completed the census with numbers and no details; then HQ started to ask for names etc. I refused for years citing lack of security but it was inevitable as soon as OSM (OnLine Scout (and Guide) Manager) started up that the little green eyes at HQ would see their opportunity. As to testing: I am sure that the contractors hated it but we leaders were involved though I am not sure that results/suggestions, even from pros were taken into account. The testing process was flawed as was, I guess, the design. In the final analysis 'they' tried to do too much too soon; a 'start simple' system (and KISS) would have been better - say a membership system and then add the badges and then, if that works, link the two? Big smile.

    2. Anonymous Coward
      Anonymous Coward

      Re: No shit sherlock!

      "System holds records of ALL scouts in the country"

      Oh, does it list the Baden-Powell Scouts, Pathfinder Scouts Association (among other independent groups) then?

      though "...records of ALL Scout Association scouts", would be a bit of a clumsy phrase

  11. Anonymous Coward
    Anonymous Coward

    Its horrid

    It probably was secure on the day they did the security testing - it was probably in its usual broken state and therefore inaccessible.

    Of course they could have just arranged to come to a suitable arrangement with the system that the vast majority of Scouters use called OSM (built by Scouters with an IT background for Scouters) and had them add the extra functions the association wanted much like some other countries have. Instead they went and spent vast sums of time and money starting from scratch to create something that nobody I've spoken to likes.

  12. hatti

    Dib dib dib

    Whoever set up phpBB did not have their SQL injection or XSS badges.

  13. rob_leady

    Re: Dib dib dib

    I think you meant to say DYB DYB DYB...

    1. Owain 1

      Re: Dib dib dib

      I'd been a cub assistant leader for about 8 years before I realised that 'dib dib dib' should be 'dyb dyb dyb' and it stands for 'Do Your Best'. I assume the response was 'dob dob dob'. Note, this short term isn't used any more in Scouting. At our starting ceremony the leading cub shouts out "Cubs do your Best!". Then the Cubs all shout out "We Will do our best!"

      1. Anonymous Coward
        Anonymous Coward

        Re: Dib dib dib

        WDOB! then

      2. David Nash Silver badge

        Re: Dib dib dib

        "Note, this short term isn't used any more"

        And hasn't been for quite some time. I left cubs in about 1980 and we were saying the "new" version even then.

        1. Allan George Dyer

          Re: Dib dib dib

          I joined cubs in 1971, and it wasn't used then.

          I think it went out with Wolf Cubs, and the old-style salute (two fingers on each hand in a V, held to the sides of the head - wolf ears, right. I wonder why they dropped that one…)

          1. rnorman345

            Re: Dib dib dib

            DYB and DOB 1966 (APR) and all that, :-)

  14. Valerion

    Data Acquisition

    We recently got sent a form from Cubs that we had to fill in with our son's and our details on it. I presume it was to get the data into this database.

    The form itself was ridiculous. Mainly because instead of allowing space to write a Title, they had a list of titles that you had to pick from when frankly "Mr/Mrs/Ms" would have done. I have never seen such a huge list of titles, ever*

    For the record, I selected myself as a Rear Admiral and my wife as a Duchess. It will be interesting to see if we get any correspondence addressed as such.

    *And yet they missed out Sheik.

    1. Peter Simpson 1
      Happy

      Re: Data Acquisition

      Funny about title choices on forms -- we went on a cruise recently. My son paid for his own cabin, and consequently, filled out his own form. Being of a certain nature (wonder where he got that from?), and noticing that one option for title was "Captain" (and having been a Captain in the Army), he selected that. All his mails from the cruise company were addressed to "Captain..."

      1. Anonymous Coward
        Anonymous Coward

        Re: Data Acquisition

        BT has Captain as a choice for your phone bill, but not any other rank.

  15. rcoombe

    "Compass is not a publicly accessible system"

    Er.. I think it is... https://compass.scouts.org.uk/login/User/Login

    Somebody probably pointing metasploit at it right now.

    1. the spectacularly refined chap

      Re: "Compass is not a publicly accessible system"

      Somebody probably pointing metasploit at it right now.

      So it isn't publicly accessible then. Entrance to our offices is protected by swipe card and/or getting past the receptionist if she buzzes you in. That's enough for us to generally consider the place not publicly accessible, the fact that anyone on the street outside can physically wander up as far as the front door does not alter that.

      1. Anonymous Coward
        Anonymous Coward

        Re: "Compass is not a publicly accessible system"

        Publicly accessible in IT terms means the system can be interacted with by any member of the public. Whether the interaction requires a login to proceed further is irrelevant in this regard. The system is publicly accessible for attacking which may provide access to the secure area.

        A system that is not publicly accessible is not contactable in any way online, it is hosted on a private network behind firewalls.

        To go with your analogy, in IT terms, your building is publicly accessible because the public can walk up to it and attempt to social engineer your receptionist or exploit your door access system. Were you in a truly private building - think underground military bunker with armed guards at a gate far from the door security systems and receptionist (the firewall), then you could consider your building private.

  16. Lyndon Hills 1

    details of 450,000 young people and volunteer adults,

    Where can I volunteer to be an adult?

    1. Peter Simpson 1
      Happy

      Re: details of 450,000 young people and volunteer adults,

      Where can I volunteer to be an adult?

      Don't bother, it's no fun...better to remain a kid as long as you can :-)

      1. rnorman345

        Re: details of 450,000 young people and volunteer adults,

        One of my ex ACSLs used to say of me 'you are a 9 year old Cub that just allows a few other 9 year olds to join in your game'; I am now 71 - just led my last meeting as BSL:( going deaf and it was not fair on the others; BP was a 9 year old Cub and he lived to 84; something in this Cubbing. :-)

    2. rnorman345

      Re: details of 450,000 young people and volunteer adults,

      In Scouting? any time anywhere - we need more leaders rather like 'Be a lert' we need more lerts. :-)
