THINK OF THE CHILDREN!
UK Scouts database 'flaws' raise concerns
Serious concerns have been raised over the security of the Scout Association's database, which holds the contact details of 450,000 young people and volunteer adults, The Register can reveal. A Scout leader contacted the Register to express grave concerns that the association's Compass database is not secure, despite the …
COMMENTS
-
Friday 23rd January 2015 11:43 GMT Anonymous Coward
UK Scout Database
I'm Currently a scout leader and all the leaders i know are having major problems with being able to access the new compass system. we keep getting told "It will be sorted" but nothing seems to change. the system i feel is totally floored and they don't seem to care and just keep telling us it will be sorted.
no a happy Scouter
-
Friday 23rd January 2015 11:52 GMT Baldie
Re: UK Scout Database
Floored or Flawed? This worries me. As does the unpredictability of your shift key.
no a happy parent
I think I would be less worried about having my kids' data stored on a system where people could look up their birthdays than putting them in the charge of people with such little command of their language.
But I do realise I am old fashioned like that.
-
Friday 23rd January 2015 12:13 GMT djack
Probably not allowed to do a full test
Whoever did the testing (if any) was probably only engaged to look at the underlying OS layer and not the application itself. Or expected to test the system without being permitted to actually log in to the application.
I am faced with this quite often and am amazed by some customers' opposition to me doing the job properly.
-
Friday 23rd January 2015 12:16 GMT 0laf
Re: Probably not allowed to do a full test
They'll have panicked at the thought of proper pen testing actually costing money and/or the worrying prospect it might find something which would then need to be fixed.
Far better to get the developer to run an out of date, unlicensed copy of Nessus at it for 10min.
-
Friday 23rd January 2015 12:17 GMT Anonymous Coward
Define Accessible...
"Compass is not a publicly accessible system"
https://compass.scouts.org.uk
OK, so you shouldn't be able to sign up without a valid membership number, etc. but given the quality of some of the data in the system it wouldn't surprise me in the least if some people have logins who shouldn't have...
-
Friday 23rd January 2015 13:56 GMT Tim Jenkins
Re: Define Accessible...
"...some people have logins who shouldn't have...."
and some people are scout leaders who shouldn't be.
(although my own unfortunate experiences were as a cadet with the St John Ambulance back in the 80s, which seemed to attract an even weirder bunch of 'leaders' than the Scouts did. Something to do with the black paramilitary uniform with silver Maltese Crosses, and the regular bandaging and CPR practice, perhaps. Yuch.)
-
Friday 23rd January 2015 12:18 GMT A Non e-mouse
Data Protection
"We have engaged highly regarded contractors and security experts to ensure that we comply with data protection legislation."
"We are looking to remove the ability for our managers to see data that is not directly relevant to their role"
Someone needs to re-read the basics of UK data protection law: ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/ - and fire their consultants.
Proper access control is a fundamental part of data protection and should have been baked in at the drawing board.
-
Friday 23rd January 2015 13:15 GMT NogginTheNog
Re: Data Protection
I expect the software will have the ability to provide full access control to whomever you wish. The failure will have been during the implementation, something along the lines of this:
Implementers - "Right, we'll need to create access control groups with suitable granular levels of access and carefully audited membership"
Scouts people - "oh just set up the one group and bung everyone in that, that'll be ok won't it?"
-
Friday 23rd January 2015 12:22 GMT A Non e-mouse
CRB
Every adult using the system will have been thoroughly vetted via a criminal records disclosure check
1 - It hasn't been called CRB for several years. It's now DBS. (Disclosure and Barring Service) Something the Scouts should plainly know.
2 - A clean CRB/DBS check does NOT mean the person is not a ne'er do well. All it means is that the person hasn't been noticed and recorded by the authorities yet. Ian Huntley anyone...?
-
Friday 23rd January 2015 12:36 GMT Terry 6
Re: CRB
Absolutely, I've never thought of CRB/DBS/whatever they will call it next as being anything but a protection for the authorities, not the kids, other than as a by-product of the main purpose. Which is the usual one of the people with suits making sure that they don't get blamed for stuff that goes wrong.
All DBS/... means is that the person hasn't been caught yet.
It's a good idea to have background checks. But these are really no more than a minimum.
-
Friday 23rd January 2015 12:59 GMT Lusty
Re: CRB
It has nothing to do with protecting the authorities, the authorities would do just fine with or without the checks. The purpose of the checks is to allow the service (scouts, schools, whatever) to continue functioning after a bunch of morons get in the papers saying "something MUST be done!" without fully thinking through the practicality and privacy issues of actually doing something. These checks are as far as you could go without being overly invasive and costing so much as to shut down the whole system - they do, however, nicely deal with responding to those whose words would otherwise close everything down.
The reality is that some people will always get into positions they shouldn't ideally get into. There is nothing practical that can be done to stop that aside from a weak deterrent. Our society is full of such weak deterrents - CCTV for instance, or the locks on your front door/windows at home. Neither stops the crime, they just deter the less determined from trying.
-
Friday 23rd January 2015 13:26 GMT Anonymous Coward
Re: CRB
Every adult using the system will have been thoroughly vetted via a criminal records disclosure check
1 - It hasn't been called CRB for several years. It's now DBS. (Disclosure and Barring Service) Something the Scouts should plainly know.
1.1 - They never called it "CRB"? It hasn't been called "I'm a pompous pedant" for several years either. Something the Scouts should plainly know.
-
Saturday 24th January 2015 03:13 GMT Anonymous Coward
Re: CRB
> A clean CRB/DBS check does NOT mean the person is not a ne'er do well.
And whether it is or not is a rubbish predictor of how good or bad they might be at working with children. I can think of a couple of excellent parents and educators I know of with criminal records the size of a small library. Their experience¹ is something that children can learn from too.
¹ Well, some bits of their experience. Preferably not the parts about dodgy cheques or fake driving licences; although then again, you never know when that might come in handy.
-
Friday 23rd January 2015 12:47 GMT Pen-y-gors
No shit sherlock!
"UK Scouts database 'flaws' raise concerns - System holds records of ALL scouts in the country"
Wow, how could that be allowed to happen? Next we'll hear that the Upper Chudleigh Campanology Society database holds records on all members of the Upper Chudleigh Campanology Society. Shameful!
Out of interest, what would be the point of a UK Scouts database that DIDN'T hold records for all UK scouts?
-
Friday 23rd January 2015 14:24 GMT TallPaul
Re: No shit sherlock!
Quite so, that's the question that I've been asking myself. Historically groups held their own records, on paper. All headquarters required was an annual head count as they charged a capitation fee for providing their services to the groups. Seemed to work out OK for everyone.
-
Saturday 18th April 2015 09:02 GMT rnorman345
Re: The way we used to do it ....
I agree that by far the most secure way was when we used to keep records locally and only completed the census with numbers and no details; then HQ started to ask for names etc. I refused for years citing lack of security but it was inevitable as soon as OSM (OnLine Scout (and Guide) Manager) started up that the little green eyes at HQ would see their opportunity. As to testing: I am sure that the contractors hated it but we leaders were involved though I am not sure that results/suggestions, even from pros were taken into account. The testing process was flawed as was, I guess, the design. In the final analysis 'they' tried to do too much too soon; a 'start simple' system (and KISS) would have been better - say a membership system and then add the badges and then, if that works, link the two? Big smile.
-
Friday 23rd January 2015 12:47 GMT Anonymous Coward
Its horrid
It probably was secure on the day they did the security testing - it was probably in its usual broken state and therefore inaccessible.
Of course they could have just arranged to come to a suitable arrangement with the system that the vast majority of Scouters use called OSM (built by Scouters with an IT background for Scouters) and had them add the extra functions the association wanted, much like some other countries have. Instead they went and spent vast sums of time and money starting from scratch to create something that nobody I've spoken to likes.
-
Friday 23rd January 2015 13:17 GMT Owain 1
Re: Dib dib dib
I'd been a cub assistant leader for about 8 years before I realised that 'dib dib dib' should be 'dyb dyb dyb' and it stands for 'Do Your Best'. I assume the response was 'dob dob dob'. Note, this short term isn't used any more in Scouting. At our starting ceremony the leading cub shouts out "Cubs do your Best!". Then the Cubs all shout out "We Will do our best!"
-
Friday 23rd January 2015 13:26 GMT Valerion
Data Acquisition
We recently got sent a form from Cubs that we had to fill in with our son's and our details on it. I presume it was to get the data into this database.
The form itself was ridiculous. Mainly because instead of allowing space to write a Title, they had a list of titles that you had to pick from when frankly "Mr/Mrs/Ms" would have done. I have never seen such a huge list of titles, ever*
For the record, I selected myself as a Rear Admiral and my wife as a Duchess. It will be interesting to see if we get any correspondence addressed as such.
*And yet they missed out Sheik.
-
Friday 23rd January 2015 14:56 GMT Peter Simpson 1
Re: Data Acquisition
Funny about title choices on forms -- we went on a cruise recently. My son paid for his own cabin, and consequently, filled out his own form. Being of a certain nature (wonder where he got that from?), and noticing that one option for title was "Captain" (and having been a Captain in the Army), he selected that. All his mails from the cruise company were addressed to "Captain..."
-
Friday 23rd January 2015 15:26 GMT the spectacularly refined chap
Re: "Compass is not a publicly accessible system"
Somebody is probably pointing Metasploit at it right now.
So it isn't publicly accessible then. Entrance to our offices is protected by swipe card and/or getting past the receptionist if she buzzes you in. That's enough for us to generally consider the place not publicly accessible, the fact that anyone on the street outside can physically wander up as far as the front door does not alter that.
-
Saturday 24th January 2015 10:35 GMT Anonymous Coward
Re: "Compass is not a publicly accessible system"
Publicly accessible in IT terms means the system can be interacted with by any member of the public. Whether the interaction requires a login to proceed further is irrelevant in this regard. The system is publicly accessible for attacking which may provide access to the secure area.
A system that is not publicly accessible is not contactable in any way online, it is hosted on a private network behind firewalls.
To go with your analogy, in IT terms, your building is publicly accessible because the public can walk up to it and attempt to social engineer your receptionist or exploit your door access system. Were you in a truly private building - think underground military bunker with armed guards at a gate far from the door security systems and receptionist (the firewall), then you could consider your building private.
-
Saturday 18th April 2015 09:16 GMT rnorman345
Re: details of 450,000 young people and volunteer adults,
One of my ex ACSLs used to say of me 'you are a 9 year old Cub that just allows a few other 9 year olds to join in your game'; I am now 71 - just led my last meeting as BSL:( going deaf and it was not fair on the others; BP was a 9 year old Cub and he lived to 84; something in this Cubbing. :-)
-