oh no!
Quick! Put up Ed Vaizey / Reg Bailey's filtering device so we can't see it!
The UK's Office for National Statistics and Lockheed Martin are racing to check if hacker group LulzSec has got its hands on this year's census data. Such a massive data loss would be embarrassing even for a government with such an amazing record of data protection failures. LulzSec's Twitter page has no mention of the …
If you get fined a grand what will be funny about that? You might think you can argue your way out of it, but I doubt it. I'm pretty sure it's a strict liability jobby, so your only hope of getting out of the fine if you were prosecuted would be to prove you had filled in the form correctly and submitted it.
Arguing (as I suspect you would) that you didn't want your data to be compromised would count for absolutely zero.
You think so? If it is true, I bet the explanation will go something along the lines of:
1. We are sorry (this is an optional step depending on how bad the publicity is at the time)
2. We will make sure lessons are learned (if lessons were so effective they would all be geniuses by now)
3. It wasn't our fault
4. It didn't matter anyway because (insert implausible excuse of choice)
The end
It's quite startling that you automatically assume a single anonymous and unconfirmed post on PasteBin to be true. The funny thing is your use of the word "incredible". You know what that means right?
Actually that posting reads like it was composed by a 419 scammer. Some bizarre use of the English language there, could that suggest it wasn't typed by a native English speaker?
All hell is gonna break loose and there will be a media frenzy. I really hope not to be perfectly frank. All that this will mean is that the UK will become even more 'Big Brother' and impose even more censorship on the internet. They will see it as another reason to take away any privacy you thought you may have. Lulzsec needs to go down for the good of everyone.
There will be no media outcry if this is true, why should there be?
If you have nothing to hide you have nothing to fear.
What possible value could any body derive from the data? There'll be no information about any significant person on the database, I bet you! Yes, there will be lots of data on us proles but so what? It would be interesting to know what bits and how much of the data has been exposed - if it has. How was the data being held? Has the data been classified and what classification processes were used?
@"All that this will mean is that the UK will become even more 'Big Brother' and impose even more censorship on the internet."
They need to fix their appallingly lax data security rather than clamping down on everyone. But that would mean they need to blame themselves rather than seeking to blame everyone else for their failure to treat security seriously. But like all governments, they will never really want to blame themselves for anything, because in their mind, it's always everyone else's fault.
It's a shame they take their own information security so much more seriously than public data security, as it would be interesting to know more leaks about what mistakes and underhanded deals they have been covering up. But like the MPs' expenses claims show, they keep their own data under very strict control. Shame they don't do it for our data, but it clearly shows where their real priorities are.
If they have, surely the government will have to actually do something about data security. No more half hearted measures, no more letting companies off with pitiful fines (if any), and proper hard hitting penalty clauses in contracts with companies who are being given our data by the government.
So everyone was legally required to provide data which has now (possibly) ended up in the wrong hands? Truly inspires confidence. The only positive I can think from all this is that it may trigger strong government intervention to stop this hacking group once and for all.
Wouldn't this sort of thing have national security implications?
We are forced to fill it in, to provide our details to our government. So why was this handled by an American company?
If this is true and the census info is available, then comparisons should be drawn with Sony, so expect a 'welcome back' pack and ID theft cover. HA, like that would ever happen, everyone involved (government, external agencies) should be held accountable with their jobs.
When will our government learn? Why was this data ever on an internet facing server? Surely this information is worth so much it should have been kept on a secure network.
I do hope that anyone with a "...nothing to hide, nothing to fear..." attitude to the census has had a bit of a rethink now -- what with the possibility of us all having credit cards and loans taken out in our names now.
I hope if it is true the people responsible for the decision to take all this personal information on the census are shot as the traitors they are -- after all they already gave us to a foreign company, and now they could have lost our names to every wannabe criminal in the world.
These people told us that we would give our details to a company in the US, or face imprisonment or fines. They told us that the information would be kept completely safe.
I was threatened with financial problems or, even, imprisonment to hand over my details to a US company for processing and whatever the fuck they wanted. Now, it appears, the thugs who demanded my data with menaces may have given it to everyone also.
The people who decided that it was necessary to demand personal details with menaces should be hung, drawn, woken up, and quartered.
Forgive me if I have only hatred for someone who gave my details to a foreign power for the opportunity to have a better career.
I think that all of the posters who take this statement at face value ought to read some of the UK government security standards. These definitely exist, and they were not written by people who are security illiterate. See http://www.cesg.gov.uk
The problem is that they are difficult to interpret, and are couched in terms that many IT people don't understand (they talk a lot about data crossing security zones rather than being securely stored), and sometimes it seems like there is no real world help in ensuring that a particular application or solution meets the requirements (government security auditors will often tell you that something is not compliant, but will not offer any advice on how to make it so, nor suggest security mechanisms during system design). Thus implementing a security solution often becomes an iterative process of attrition with the security people.
When I was last involved, it was even the case that some of the Infosec documentation describing what has to be done is classified as RESTRICTED, which does not help trying to implement what they say.
Generally, it is not a lack of standards that causes this type of data breach, it is implementation (often by companies contracted to supply services), or ignorance of the standards by individuals working on such data. Although there should be safeguards, it often only takes one person to make a mistake to put at risk complete datasets, especially if there is any external route in to the systems implementing the solutions.
You must have filled in a different form to me then. I filled in about a dozen questions most of which could already be gleaned from other public sources. My criticism of the census questions is more along the lines of 'What the hell are they expecting to learn from that?'
There was stuff on there that could be used for evil (DOB for instance) but very little that was 'invasive'. Or do you consider it a national secret that you have gas central heating?
So yeah - not good but hardly the end of the world.
Exactly what I was thinking.
The worst question on the census was something like, "how many kids do you have under 16 at your address and what's their names?", the rest was simply name, address, how long have you lived at your address and do you travel to work by train, car or bus?!
The biggest annoyance to me is that all that useful info is now all in one place for the ad scumbags and telephone cold-callers, before they would have to have assembled it themselves from various public registers.
..that I am not praising the census. I think that, for what was asked, it was a fairly large waste of time and money. The previous one from what I remembered asked quite a lot of useful questions many of which could help with infrastructure planning.
Then again the infrastructure I see is generally badly planned and poorly maintained so perhaps it's better this way. At least it took up less of my time :)
"It actually read more like a benefit application form"
Indeed we can draw one of three conclusions from that statement.
1. You didn't actually read the census form.
2. You've never read a benefits application form.
or 3. You've never read either.
Actually there is a fourth, but I'm too polite to mention it here.
True, but you aren't legally required to provide your real name and address on Facebook - and if you do provide those details there are at least some privacy controls that can be used to restrict that data. This release on the other hand will be a mineable resource for evil doers and the evil do that they do do.
Incompetence abounds. This, if (when) released, will be a goldmine for scammers, stalkers, 419ers and other brigands. It will also mean that whatever trust is left for personal data security is blown away (which is a good thing in a small way "Can I take your name and address sir" "Not a chance, you'll just lose it!").
Isn't it about time we gave this bunch of pompous tits at LulzSec a massive punch in the face?
I'm so fucking tired of these self-aggrandising little twats hiding behind the fig-leaf of testing security as an excuse for shits and giggles at everyone's expense.
The more this kind of stupid crap goes on, the more of everyone's taxes the government will spend on security in an ever escalating arms race and, perhaps more importantly, the less useful stuff can be done with data by legitimate users.
All these bloody fools will achieve is to make everyone poorer, everyone's lives harder and restrict everyone's access to legitimate information, giving governments and corporations the perfect excuse to be ever more restrictive and oppressive.
To defend these oiks in any way would be like blaming yourself when your bicycle gets nicked, because you only used three medium strength locks rather than locking it in a lead-lined bunker behind a 12-tonne door with triple timer-protected dedalocks on 57-digit combinations.
JUST. LEAVE. OTHER. PEOPLE'S. SHIT. THE. FUCK. ALONE.
The takehome lesson here is not 'lulzsec are a bunch of little shits'. It is that net security is so woefully inadequate and the attitude of the people responsible for your information is lax to the point of irresponsibility if not dereliction of duty.
Sure, it sucks that a bunch of juvenile delinquents stole your stuff, but, get this: how on earth did a bunch of juvenile delinquents get to steal your stuff in the first place? If they can do it, so can pretty much anyone. And indeed, there's a pretty big chance that people already have, but because they are serious criminals you won't find out about it til your credit card bill comes.
Regarding bikes? Your metaphor sucks. It's a bit like giving your bike to someone else to keep safe, only to discover they left it locked up on the street with a £5 bit of wire and a 3-digit combination lock and it vanished the moment their back was turned.
You should be grateful that the people who have exposed such incompetence are not more malicious.
"The takehome lesson here is not 'lulzsec are a bunch of little shits'. It is that net security is so woefully inadequate and the attitude of the people responsible for your information is lax to the point of irresponsibility if not dereliction of duty."
And you've gleaned that from one unconfirmed posting on PasteBin which appears to be a lie? Well done.
I'm not confirming that this was the mechanism used because I just don't know, but it is reported that Lockheed Martin's internal networks were compromised by the RSA failure reported several weeks back, so it would not surprise me if they used similar technologies for the UK Census.
If you are implementing a solution that relies on a security product that is proved faulty after installation, can the blame be put completely at your door?
The fact that RSA keyfob one-shot password devices were in use in Lockheed Martin shows that someone was actually thinking about some security. RSA devices are widely used because they were trusted, and that problem has caught many organisations out.
I am not saying that a single security measure is sufficient, but I wonder how many people commenting here have really tried to build a complete infrastructure that a) does not rely on third party security devices, and b) provides the level of security mandated by CESG. I'm sure that some have, but most have not.
I'm not apologising for LM, but like so many things, it's actually much more difficult to do than most people think, and there are serious tradeoffs between security and cost.
When I worked at government agencies in the past, the most secure systems were effectively on air-gapped networks, with multiple networks to each desk. This cost a lot of money, and ultimately meant that remote support was difficult to impossible. As you cut costs, you link things together using security products. This makes the environment vulnerable to third-party security failure. One bank I worked at had multiple security layers, and adjacent security layers could not be provided by the same technology. Very sensible, but also very expensive.
Should slack security be highlighted? Of course it should, publicly and people should be made accountable for it. Is this the right way to go about it? No.
If I see someone in the street who's left their car door open with their wallet on the front seat do I?
a) Point this out to them so they can deal with it
b) Steal the wallet, sell the contents on ebay and then send a link for the completed auction to the owner.
These people have to understand that they're not sticking it to the man here; they're not fighting the power. They're just messing with people's lives.
If this is true then they need to be stopped immediately. It's one thing to attack a big corporation; it's another entirely to steal private information on potentially millions of innocent people and publish it on the internet.
Again if true, this is them crossing the line into severe criminal activity needing harsh punishment.
Of course there will be people supporting them and saying things like "Yeah, stick it to the man, expose those security failings LOL!!!" but how will they feel when it's their credit card details being used by criminals. I've already had my card details stolen like this three times this year from different reputable companies and had to waste time cancelling and re-issuing my cards.
While I'm not a fan of lulzsec and they probably are a bunch of f*cknuts, moaning at them for getting the data is a bit short sighted. Yes they're probably doing it for kicks, but if they can do it so can criminal organisations that won't shout about it and the first thing you know is when the debt collectors come knocking.
By all means think they're muppets, but never complain that people have publicly warned you that your private details are available to any crim with an internet connection.
...they've threatened to publish, for no other reason than for 'lulz'. Totally ridiculous apologism for a criminal act here. Looks like a massive red herring anyway. Maybe it was an experiment to see how many people would defend them, just because they were going against 'the man'...
I was pretty much intending to post almost exactly the same thing but since you covered it quite well I don't think I will - I'll just say good on that man :)
The only thing I would add is that at this stage we don't have any direct confirmation that the census hack itself has happened but the post is just as valid without it.
the moronic nature of the british public, with a 5-second attention span. I've heard people banging on about "da cuts", (look at the ILF, for example) and blaming "da tories" when it turns out they were implemented 18 months before the election.
Anyway, isn't one of the responsibilities of government that what happens on your watch is your fault, irrespective of who actually instigated it ? It's certainly why they claim the jobs are paid so much.
If they did get their hands on the census data... what would that mean for the promises that were made about the security of our census data?
I'll hazard a guess. The contractor gets the blame and nothing changes in government/whitehall... that or 'these evil hackers' are hunted down and burnt at the stake.
Having written to the ONS in January expressing my concerns about the use of Lockheed Martin and the security of my personal data, the stock reply from Helen Bray (2011 Census Stakeholder Management and Communications) had the wholly un-reassuring conclusion,
"I hope you will be reassured by the measures taken to protect the confidentiality of census information".
...oddly enough, I wasn't reassured. But since the incompetents at Lockheed Martin seem to have lost my form anyway, with luck at least my info didn't get leaked.
Is this the same Lockheed Martin that hadn't bothered to upgrade access to its VPN two months after it was publicly announced that RSA would have to replace 40 million tokens due to private keys having been stolen from RSA's server?
http://www.pcpro.co.uk/news/security/367723/lockheed-martin-under-fire-over-rsa-breach
>> "... Lockheed had slightly over two months from the time that EMC notified them and other RSA SecurID customers about their breach."
and the same Lockheed Martin that has its traffic intercepted and monitored by the NSA?
Is there no UK data that ultimately ends up in the hands of the US Govt?
The NSA doesn't need to bother snooping. Thanks to the Patriot Act, any data held on American soil is fair game for examination.
The question here isn't about LulzSec or a red-herring hack post, but more WTFingF is the British government doing handing sensitive data on its citizens (even if the questions are boring, you can infer a hell of a lot from that much data) to a FOREIGN company where it will almost certainly be of interest to the FOREIGN government. If the British government does not feel competent to manage the census collection and collation, and there is no single British organisation capable, then the answer is bloody obvious - skip it. Wait until it can be coped with. Nationally, within the borders of the country concerned.
Fail icon, because the British government is a laughing stock. Whatever LulzSec may or may not have done, the data is far out of their (the govt's) control by now. Congratulations.
Just because a US contractor is working on a project does not mean that the data is being stored on US soil. I don't know about the Census, but I do know about the DVLA, where the contractors are IBM and Fujitsu, and I can tell you that there is no wholesale storage of your car or license data anywhere outside of Swansea and Salford (although the D90 mainframe in Salford should have been decommissioned by now). That's where the servers are, and that is where the contractors work.
There was simply no method of moving the data onto either IBM's or Fujitsu's corporate networks, and severe penalties (including prosecution) for anybody who did. This was understood, and is drummed into all people working on the contract on a monotonously regular basis.
In case you hadn't noticed, there are very few companies prepared to work on large government bids that are not multinationals.
according to source ive been relibale informed that the data hasnt been processed by the government yet. so there isnt anything for lulsec to steal.
I hope he is right, otherwise this is a massive loss for the government, and it could be a massive issue for everyone in England and Wales.
Not significant - there are probably more damaging leaks of my data from other places - e.g. websites with my credit card details, medical history from my doctor's office, than from the census, which, when it comes down to it, lists my name and address (in the phone book, with my phone number), my date of birth (not hard to find), my vocation and salary (as I work for a publicly funded organisation it's a matter of open record) and very little else.
I do hope though, that the ICO fines the holders of this data a significant sum.
Per record, of course.
Look, if you want to f--k around and piss off a few companies and 'for teh lulz' then, even if I don't think it's funny, I won't care that much.
However, if it's gotten to the point that the private information of every UK citizen is stolen and made available for anyone who wants it....that's just going too far. You're now putting peoples' lives at risk, in many different ways, not just from over-the-top fancies like terrorism (yeah yeah) but more from the risk that people will be able to find others who have had to make themselves lost for their own protection.
Those of us who considered our jobs might be put at risk from "over-the-top fancies like terrorism (yeah yeah)" lied about our jobs, earnings and anything else vaguely related.
When asked what my role was, I wrote something along the lines of "paperwork and stuff".
Call me cynical, psychic or whatever but I kinda saw something like this happening.
Wouldn't want to be someone who'd admitted to being UK Govt in NI though!
They're just bloody useless, the lot of them. Even the ones that aren't in control (oh wait, that's all of them)
What we need is a benevolent dictatorship.
My wife has been practicing her skills at running an almost benevolent dictatorship at our home for years. I'd say she's up to the task by now.
I note that it's now being claimed that an alleged 'ringleader' for Lulzsec has now been arrested. In Essex.
If any of this actually proves to be true, then it may at least serve some useful purpose - to expose the utter idiocy of our government in entrusting personal data regarding UK subjects to a commercial organisation in the US.
No doubt the US will go for extradition -
'We want your citizen to stand trial in our country for stealing your data'.
By pretty much any of us who understand the real magnitude of what may have happened in RSA if the seed files *were indeed compromised/leaked*.
At a BBQ last Sunday someone asked me how secure I thought our census data was... well I suspect when this hits the press they'll be shitting themselves.
Great so now anyone with an axe to grind against anyone who is or has been a member of the military is now eagerly awaiting a target list containing names and addresses of said current and former service people and their families, opening the possibility of getting leverage over someone with security clearance or simply planting a car bomb or similar.
Hmm perhaps I should make a rather rapid house move or better still move overseas.
Hmm well if any Lulzsec member is resident in the US or UK they now (hopefully) might be on the receiving end of terror charges namely "supplying information of use to a terrorist" (or charges similarly worded)
No matter your thoughts on the government's foreign policy desires, this puts individual service people needlessly at risk.
Says one lulzsec document 'Together we can defend ourselves so that our privacy is not overrun by profiteering gluttons'. I understand that this is not a centralized movement and that this statement is hence hardly a manifesto, but irony aside isn't this information likely to be of enormous use to profiteering gluttons, ie marketing agencies? Or does nothing have to make sense as long as it's done for teh lulz?
I hope the data doesn't contain actual addresses and names, that would be a blow to every person in the UK. The data would be marketing companies dream come true. Imagine all the crappy marketing calls and letters we'd receive. It's bad enough as it is now.
Like Helen Bray's for example.
As for "according to source ive been relibale informed that the data hasnt been processed by the government yet. so there isnt anything for lulsec to steal." I guess the data that people entered online just went to a big printer to be printed out and re-entered by hand, rather than being stored somewhere. I think your source is as relibale as your spelling.
There's way too much jumping to conclusions here.
For starters, this was posted to PasteBin, jeez!
It's probably that kid in Essex doing it for a prank and being mistaken for a Lulz ringleader.
Secondly, the poster of the PasteBin item suggests they're going to re-format the dataset before releasing it anyway (if even true), so why would it be damaging to any individual?
The only entities it will be damaging to will be Lockheed Martin and the bubble that is UK government.
Get back to your Mail's, tch
Watch for "lessons learned", "trust exercise", "public reassurance" in any news about it.
They lost 25 million records that were far more useful to ID theft people and the good people of the UK who mostly post anything and everything to facebook collectively shrugged and probably tutted, yet not one of them did anything.
If we were to *do* anything, for instance publicly demonstrate with a million person march on Whitehall, we would be tagged and bagged as troublemakers, a few people would be assaulted by the police and the whole thing would be mostly ignored by policy makers.
Alternatively you could've just not filled it in... there was plenty of scope for excuses: lost in the post, I wasn't living here on that day, I live in my second duck house on a moat...
...and I'd be quite surprised if they've got round to processing all the paper forms yet.
Would raw data from processed paper forms ever make it into an online database anyway?
I can understand hacking the data of those who submitted their census online might be easier, but given that Lockheed Martin are a large defence firm, and hence are presumably quite good at managing really secure data (the "if I told you I'd have to kill you" kind), you'd hope they could keep census data secure.
Why was British secure information entrusted to a foreign company, especially one whose government is open about its legal rights, over its commerce, to copy all information? Especially one with a long track record of damaging Britain, e.g. IRA support, restrictive trade practices against British firms, extradition of British citizens without proper evidence?
Why does a census require so much information that is not needed to count the number and distribution of heads? If we are all British, is it not a dubious practice to demand what "race" or "colour" we think we are? What religion we profess? I may be wrong about these demands. I left the country for another European one that still has the original meaning for the word, "free". So I never saw the form.
Why are Reg. writers and readers writing ever more in American English ("gotten", USA misspellings) while purporting to be UK based? Often while complaining about the USA and definitely (perhaps I should say, hopefully) being much more careful with their technical programming as a compiler or interpreter is not forgiving? Does not our native language merit some care? Or does their technical ability not extend to finding the British dictionary in their chosen word processing programme and they are too careless or badly educated to notice?
I was with you on the first paragraph. Then about a quarter of the second.
The rest is just stupid fluff.
"Does not our native language merit some care?" no, not really. Languages change. Get used to it.
I could very well ask why you refer to cow meat as beef. That's a Normanism. Our Saxon language needs protecting. To which the Britons in the back will cry 'hang on a minute!'*
*Actually I can't pronounce what they'd cry.
"We are aware of the suggestion that census data has been accessed. We are working with our security advisers and contractors to establish whether there is any substance to this"
I'd speak to people who know what they're doing; if these guys were any good, it wouldn't have happened in the first place.
But on the plus side spam 419 emails should effectively stop when this is released on piratebay
Who are these muppets? Apart from the census, the followup census survey was incredibly irritating. The guy was told no I don't want to take part and still proceeded to come back 3 times. All this despite two complaints to the ONS. I guess his manager had a performance target to hit...
I see everyone running around, getting their knickers in a twist.
All that we *do* know, for real, is that someone has posted a message to Pastebin saying that someone has gotten their hands on the data.
If I said that I had my hands on Pippa Middleton's bum, it would (unfortunately) not make it true.
Let's just wait and see what the lulzboat tweets...
...then again... their feed has been quite quiet this morning.
a) Stealing and publishing the entire census data.
b) Posting a claim to have done so on irc and pastebin?
And which is more likely?
If you're panicking about this already then I have some truly excellent tinfoil hats you can buy for a one-off knock-down price of six easy-pay installments of ONLY £99.99 see press for details not available in the shops all stock must go.
One of the worst effects of this - besides the leaking of everyone's data and the fact that the government are likely to target the hackers rather than sorting themselves the fuck out - is that compromising the security of census data will massively discourage people from participating fully in the census. Census data is enormously useful for all sorts of things that benefit everybody, and this sort of shit will ruin it. If this turns out to be true, shame on LH and the government for their abysmal approach to security, and shame on Lulzsec for not taking the implications into account.
and it's a big if, I'd expect Lockheed to be fined within an inch of their lives for this breach of the DPA, but I doubt that will happen either. They'll just claim they haven't got any money and get a small slap on the wrists.
But, you know that the current Gov probably won't give two shits about the company since they can distance themselves from the contract, the previous boss signed that one so they may just screw them to the wall for the political points.
Either way, the blue touch paper has been lit all we can do is sit back and watch the show....
"But, you know that the current Gov probably won't give two shits about the company since they can distance themselves from the contract, the previous boss signed that one so they may just screw them to the wall for the political points."
Even if this turns out not to be true the current government can use it to score points off the previous administration. It seems that today a lot more people are aware that their census data went to a foreign company than were aware of that yesterday. And a lot of people are outraged by that even more than the possibility that the posting on pastebin was genuine. A government minister worth his salt should be able to make Mr Bean very uncomfortable questioning him about his party's tendency to give contracts to US companies. After all that's not just about security, there's also the issue of taxpayers' money going offshore and employment going offshore too. All of that even though the Labour government made a big deal about spending locally.
Indeed I should think that the government could use this to make a strong case for ringfencing similar contracts to British or at least EU contractors. The US seem to make damn sure all their government contracts stay in the US (no problem there), let's stop that being a one way street.
Stop and think!
If a rag-tag group of people, likely scattered around the world, can pull this off from homes/public wifi, what could a group organized & supported by a state pull off (think China)?
The difference is that by announcing it to all the world it draws attention to the problem, whereas I would wager that anything they are targeting has probably been probed and catalogued by much more sinister groups than lulz merchants.
"... to check if hacker group LulzSec has gotten its hands on this year's census data."
If they had got hold of that much data they would be able to tell from the electricity bill!
Although this probably never happened, would anyone be really surprised if it had?
Unless you've been ex-directory for a couple of decades and made your electoral roll data private then all the information that anybody needs to steal your identity is already easily available. If you've done any social networking at all and if anybody in your extended family has signed up to one of these dreary genealogy websites then there's even more online. With your full name and access to Pipl, I could probably have filled in your census form on your behalf then phoned your bank and cancelled your direct debit to the Donkey Rescue Society.
If your identity was worth stealing then somebody would already have stolen it. And now that The Bad Guys (allegedly) have access to tens of millions of handy identities in one place, yours is worth even less.
Seeing as you asked:
"Unless you've been ex-directory for a couple of decades"
Yup
"and made your electoral roll data private"
Yup
"If you've done any social networking at all and if anybody in your extended family has signed up to one of these dreary genealogy websites then there's even more online."
No on both.
"With your full name and access to Pipl, I could probably have filled in your census form on your behalf then phoned your bank and cancelled your direct debit to the Donkey Rescue Society."
I doubt it. I can't find me on Pipl and I know everything about me, on account of being me.
"If your identity was worth stealing then somebody would already have stolen it. And now that The Bad Guys (allegedly) have access to tens of millions of handy identities in one place, yours is worth even less."
That is not the point. If everyone's info is available, then anyone could pretend to be anyone else or anyone could find enough info to victimise anyone else.
That's a major headache for everyone.
The government will label it a terrorist attack, rush a bunch of new laws through parliament on the back of that to further restrict our freedoms, including resurrecting the idea of compulsory biometric ID cards for all UK citizens.
Two months later, they'll leave the nation's DNA records on a train.
Don't you realise that the whole ID card thing was nothing to do with this government, or the last one for that matter? It was the civil cervix who were behind that. The trouble was that the last government had an incredible talent for letting the big wigs within the civil service control them. Sir Humphrey would have been so proud. If he was real. The civil service have over the last few years developed an obsession with the idea that a big database will solve any problem (somebody probably went on a data mining course) and they managed to convince the Blair government of that. The Brown government didn't really count since it spent its tenure flapping around like a flappy thing.
The current government are against the whole idea of the ID card scheme, but not for the reasons you'd hope. They are against it because they realise that it would cost an absolute fortune to set up and would not be anywhere near cost effective. If it would save money in the medium term they would be right on it. It won't, so they aren't.
Well hopefully the damned government and private sector will stop shipping in cheap IT Resource from India in the hope of lowering wages, while at the same time shipping out our data overseas. Don't forget the DVLA lost a load of data that was sent to the US for processing.
It's about time that Lulzsec caused some MAJOR financial problems at the banks and retail companies and outsourcing companies so that they finally understand that scrimping on IT people is NOT the way to save money in the long term. Pay for good people... get good infrastructure and software. None of this bloody outsourcing lark.
And I say this as an Asian guy..so none of that racist stuff thank you...
I think the point that everyone is spectacularly missing is that the entire IT industry needs to rapidly get its shit together.
The recent spate of high-profile security breaches just proves what many of us have suspected for a long time: the entire framework upon which online security is based is fundamentally flawed, and it's high time the big brains out there came up with a radical new approach to protecting networked systems, and I don't just mean employing increasingly illegible "Captcha" boxes.
The *IT* industry needs to get its act together??????
No, matey. The *management* industry needs to get its act together. I am sure the number of IT managers who have managed to implement encryption and secure network access policies is far outweighed by the bosses who dish out unencrypted laptops and memory sticks, and think an Excel spreadsheet is somehow "protected".
Apologies - should really have tracked these down on El Reg.
http://www.lockheedmartin.com/news/press_releases/2008/0828_lmuk-2011-census.html
http://blogs.computerworld.com/17995/rsa_securid_hacked_2fa_fob_and_software_compromise
http://www.cioinsight.com/c/a/Latest-News/RSA-Will-Replace-SecurID-Tokens-in-Response-to-Lockheed-Martin-Attack-409915/
How grateful and justified I now feel in not completing most of the census form. I wasn't the only person concerned about the processing of this data by Lockheed Martin and how it might be used.
The Government bleated on batting aside all the concerns as if they were irrelevant. Who's right now? Bunch of incompetent tossers. Hacked by a bloody 19 year old....
If there are still any people out there who hate gays, they will be delighted by the tickbox for "Same-sex civil partner".
Likewise, I'm sure some people will be pleased to have a database matching "country of birth", "ethnic group", "language", and (if they're lucky) "religion" with names, addresses, and phone numbers.
It's kind of amusing how many people here start their posts with "If this is true..." and then work up a huge head of indignation based on that rather big IF.
Calm down guys, at least until we have some sort of confirmation that some data has actually been leaked. It all suggests to me that there are a lot of people out there in internet land just looking for something to get worked up about.
...but I wish people would stop referring to script-kiddies and black-hats as "hackers".
Hacker: A person who enjoys exploring the details of programmable systems and stretching their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
http://www.catb.org/jargon/html/H/hacker.html
The terms hack, hacker and hacking are older than their use to describe activities with computer code.
You've lost that battle already. Language evolves. At one time "hacker" meant what you say it means. Before that it meant something else, and before that something else again. Linguistic purists could whinge about the word "hack" being used in your context because that's not what the definition was at their chosen point in time.
And that's the thing about people who draw these pointless lines in the linguistic sand. It's not that they believe in the purity of language. It's just that they can't move with the times. They need to understand that their preferred dictionary merely documents the use of language at a given point in time.
Check the definition of AINDERBY QUERNHOW in The Meaning of Liff. Except that probably means something else as well now.
Exactly.
I don't understand why you purists can't just invent a new word to mean "a person who enjoys exploring the details of programmable systems and stretching their capabilities".
Here's a few:
1. aspie
2. dick-hole
3. trainspotter
etc.
Just kidding, honestly! I enjoy "exploring the details of programmable systems" too, but I'm not such a massive asshole that I have to go around DEMANDING that people call me a specific word, and never use that word for anything else, because I SAID SO.
In fact, people who enjoy programmable systems tend to have a higher than average intelligence. And those with a higher than average intelligence tend not to care what they are called. Sticks and stones... Don't throw the PCB out with the etching solution.
"In fact, people who enjoy programmable systems tend to have a higher than average intelligence. And those with a higher than average intelligence tend not to care what they are called. "
True enough, but they also probably tend to suffer from more than the average number of disorders too.
The worst part of all of this is you can't opt out of the Census in the interest of privacy - because it would negate the value of the Census - but nobody can offer 100% security, yet they fine you for not completing the Census. Your privacy has a value, it's £1000.
Hope someone accuses Lulzsec members of rape soon, I'm getting tired of this.
Point 1) The most telling part of this is LM "checking" to see if this has any legitimacy. That means it could have happened, even if it hasn't already, which means they need a rocket up their arses come what may of their investigation.
Point 2) All this crap is going to lead to is more draconian Internet law. That's a government's fix for everything: We can't be wrong using such an open platform for sensitive data so we'll just slap those with a clue of how to use it and level the playing field. Soon enough you won't be able to use anything but port 80 and approved DNS without some goon knocking your door off its hinges. Bye bye, open platform.
Huh, would you prefer that they didn't check?
Dave: Hey George, your house is on fire.
George: I don't want to check, because that would lend legitimacy to your claim. I will just sit here and see if I get burned alive.
Quite frankly I expect more from the Reg than to blindly copy and paste the same story all the worthless news outlets are peddling today.
There is absolutely no proof or even any credible suggestion that the census data has been taken.
Someone has posted on Pastebin using the Lulzsec ascii and vaguely convincing wording that they have done so. Lulzsec have denied the hack, and all of the other hacks that they have carried out they've claimed responsibility for on their Twitter feed.
I could log on to Pastebin right now and post a vaguely convincing fake Lulzsec post... Jesus Christ, guys, how stupid are you?
The census data is EXTREMELY secure. I doubt it's even hosted on a database connected to a network, let alone the internet.
The data capture system was on the Internet, but it does not follow that the main DB server is. They could have (although probably didn't) written each census record to tape, and then bulk-loaded it into a completely standalone database system.
Most internet facing systems are a combination of an internet attached web server of some form, with only enough storage to hold transient data, together with a significant number of security layers, some of which may take part in the transaction, and one or more database servers.
Thus, the database system is only indirectly attached to the Internet, and cannot be directly attacked. One bank I worked at had more than 10 different security zones between the front-end web servers and the systems holding the databases.
The internet facing web server gathers your data, then commits it through secure protocols and intermediate systems to the backend, and then deletes the transient copy.
Normally, the gathering system has no way of bulk-loading data back from the database machine. It may be able to get individual forms back (in order to allow you to edit them), but this needs to be done on an individual basis, and often the security checking is done off of the internet facing box.
This means that even if the Web facing system is hacked, without some authentication information for each address, it will not be able to load data from the database.
This is large web application design 101.
It is normal for there to be multiple security zones, such that it is not possible to use, at each boundary, any other protocol than the allowed one to get further into the network (implicit deny, explicit allow).
Much more likely is that if there really was a breach, it would have been one of the routes that are used for remote system administration, and once in, a path to export the data was constructed, although even this has problems.
As far as I can tell, there are around 25,000,000 residential addresses in the UK. If the census form could be encoded in 8KB, this would make an approximate size of raw data of around 200GB. This is not a huge amount of data as things stand today, but I would not be wanting to squirt it through a SSH tunnel over the Internet!
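As an added example that is not from the thread or from the census system, here is a small Python model of the design this post describes: adjacent security zones with one allowed protocol per boundary (implicit deny, explicit allow), an app-tier handler that returns a single form only with its per-address code and has no bulk-export operation, and the post's size estimate. Zone names, protocols, addresses and access codes are constructed.

```python
import hmac

# Constructed model of the tiered design described in the thread (not the
# census system's real architecture): zones in order from the Internet inward,
# and the single protocol each boundary permits.
ZONES = ["internet", "web", "app", "db"]
ALLOWED = {                      # constructed policy: one protocol per hop
    ("internet", "web"): {"https"},
    ("web", "app"): {"form-rpc"},
    ("app", "db"): {"sql"},
}

def hop_allowed(src: str, dst: str, proto: str) -> bool:
    """Implicit deny: a flow passes a boundary only if it is listed for that
    hop, and only between adjacent zones (no skipping straight to the DB)."""
    try:
        adjacent = ZONES.index(dst) == ZONES.index(src) + 1
    except ValueError:           # unknown zone name: nothing is allowed
        return False
    return adjacent and proto in ALLOWED.get((src, dst), set())

# Constructed backend store: address id -> (per-address access code, form)
STORE = {
    "addr-001": ("ZK7Q-4HLM", {"household": 2, "born": "UK"}),
    "addr-002": ("P3WD-9RTX", {"household": 1, "born": "IE"}),
}

def handle_request(req: dict) -> dict:
    """App-tier handler reachable from the web tier. The only operation is a
    single-form lookup, authenticated per address with a constant-time compare.
    Anything else (list, export, wildcard) is rejected, so a compromised web
    box can retrieve exactly as many forms as it holds valid codes for."""
    if req.get("op") != "get_form":
        return {"ok": False, "error": "unsupported operation"}
    rec = STORE.get(req.get("address", ""))
    if rec is None or not hmac.compare_digest(rec[0], req.get("code", "")):
        return {"ok": False, "error": "authentication failed"}
    return {"ok": True, "form": rec[1]}

def forms_recoverable(captured_codes: dict) -> int:
    """How many forms a web-tier compromise yields given the codes it captured."""
    return sum(handle_request({"op": "get_form", "address": a, "code": c})["ok"]
               for a, c in captured_codes.items())

def raw_size_gb(addresses: int = 25_000_000, form_bytes: int = 8 * 1024) -> float:
    """The post's back-of-envelope estimate: addresses x bytes per form, in GB."""
    return addresses * form_bytes / 1e9
```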
Why in the name of anything holy was our national census data being processed by a defence contractor in the USA?
No defence contractor anywhere should have access to the raw information far less one that is legally obliged by US law to submit it to the FBI, CIA, NSA, RIAA and any other criminal group you care to name.
Even if it was done by a defence contractor, WTF was it done in the USA where they consider our weak attempts at data protection to be some sort of immoral restraint upon trade?
Are there not enough underemployed people with keyboard skills in the UK where there is at least the concept of trying to keep my PID out of reach of commercial enterprises unless I want to give it?
I am sure that Lulz could have nicked it from an insecure system in this country just as easily. At least the company responsible might have got in trouble. How much will this hurt Lockheed Martin?
Answer - not much.
Principle 8 of the Data Protection Act says "Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."
Looks like that didn't happen, as so many times before...
Either you didn't read the previous comments before venting your moronic spleen, or you didn't read the Reg's own follow-up story "Lulzsec Disavows Census Hack", or you did and chose to ignore them.
Either way you're a moron. Your precious, precious information about how old you are, what GCSEs you have and where you live (which nobody is in the least bit interested in anyway) is perfectly safe.
How much will this hurt Lockheed Martin? If by "this" you mean irresponsible journalists blindly writing stories without checking any facts, then not much.
They will have to prove that nobody has accessed the Census records without proper authorisation. This will take some poor sysadmin a few hours at worst. Then his boss will ask him to DOUBLE check and TRIPLE check since, because so many news agencies are reporting it, it MUST HAVE HAPPENED, RIGHT?
I fucking hate you people.