I completed the form yesterday and had no problems.
A parental internet controls consultation document released by the Department for Education yesterday is currently exposing the email addresses, unencrypted passwords and sensitive answers of members of the public who fill in the associated form. Many Register readers have alerted us to the serious security flaw this morning, …
Looks like it is probably some form of race condition flaw then. So it would trigger a problem if two or more people tried to submit details at pretty much the same time. It's pretty much pot luck if you notice it. It also means that the more people using the service, the greater the chance of there being a problem.
This sort of flaw is often missed during (inadequate) testing.
This post has been deleted by its author
Firstly - this is a bit of a bitch for those who took part having their details spunked up the internet's walls.
Secondly - fuck yeah - goventards strike again - where's me popcorn, I think this one's going to produce some very entertaining official statements and random officials talking blatant balls.
Sorry about all the swearing, but today's my "Fuck-down Friday" - they don't do them in the public sector, they have to make do with "Fuck-up Friday" instead, or at least it seems that way.
Yup. Our fucking civic fucking duty dribbling all the way back down again. And after I (and others) urged people to sign the cunt too. And many did.
Time to throw my weight around again. How basic incompetence can cause human effort to multiply. They shouldn't be allowed computers, shouldn't be allowed around computers, shouldn't make decisions on anything harder than what vintage of port to pour down their fucking incompetent leathery necks.
Have you read the first page? They warn that all submissions may be made public at a future date, and even if you tick the 'keep confidential' box they will only take it as a polite request and not legally binding. I do wonder if this is standard procedure on consultations, or if I should invoke a little paranoia and attribute this to an attempt to further bias the study (As if the questions aren't loaded enough) - no-one is going to face a scandal for wanting to protect children, but for a person to ever admit publicly that they believe seeing a little porn isn't going to forever traumatise a child is the type of violation of the social order that could cost someone their job.
It is confidential up to the point where they make the decision of what to publish. There are also particular questions which specifically state that the answers given will always remain confidential.
The information you provide to register as a user of the site itself (not just the survey) should be confidential, but it is re-displayed on the first page of the survey, which can then be exposed to other users.
What is worrying is seeing your own answers over-written by someone with disturbing and extremist views and then having those answers permanently registered against your identity, potentially for future publication. Never mind such people then being able to read my answers along with my name, email and home address.
They warn that all submissions may be made public at a future date
I really don't think they can rely on that for what they've done and will be digging a deeper hole for themselves if they try to.
I think most reasonable people would take it to mean those consulted may have responses and comments they gave made public, not that who made them would be identified or they'd have their email addresses and other personal information handed out to all and sundry willy-nilly.
This doesn't excuse the fact that they are storing people's account passwords in the clear, and exposing them to random site visitors. The security implications have nothing to do with the consultation itself, or how they will use people's responses, and everything to do with exposing the names, email addresses and passwords of people using the site.
I just clicked the link to the site at 10:50am and immediately found myself logged in as someone else. I don't have an account with the e-consultation and this is the very first time I visited the site. Could be cookie related. The cookies I got were CFID=4947952 and CFTOKEN=84546187 so it could be that they aren't using particularly unique identifiers.
At just before 11 it stopped. I must have been one of the last ones to access it. So they were informed some time ago and only just got round to passing the message down the chain to the guy who knows how to do some HTML twiddling.
So allowing personal information to leak out is not such an important thing in their view.
Interesting - I don't recall seeing anything to tell you it's dropping a cookie on you (I may have missed it, wandering off to the signup page and fighting my way back, but there wasn't a specific prompt when I first arrived). Isn't that illegal nowadays too?
CFID and CFTOKEN are Coldfusion cookies to store session state. I've never seen a problem in 10+ years with crossover state like that, so I can only assume that their back-end coding is a bit borked.
And yes, by default, CF drops 30 year cookies onto your machine to manage state - even if you HAVE no state management code in the app. It's a bit of a faff to switch it off and do it manually with session-cookies but it can be done.
Getting my coat as I've just exposed the fact that I'm a Coldfusion dev and not a 'real programmer'.
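As an added example (not code from the consultation site or from the commenter above), this is what the "switch it off and do it manually" approach looks like in an Application.cfc: ColdFusion's default far-future CFID/CFTOKEN cookies are disabled and the same identifiers are re-issued as browser-session cookies. The application name is assumed; everything else uses standard ColdFusion settings and the cfcookie script function.

```cfml
// Application.cfc (added example): keep ColdFusion session management, but stop
// CF from writing its default persistent CFID/CFTOKEN cookies and hand out
// per-browser-session cookies instead.
component {
    this.name = "consultationExample";                 // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0); // 30 minutes, not 30 years

    // Default is true: CF would set CFID/CFTOKEN with a far-future expiry
    // as soon as session management is on, whether or not the app needs it.
    this.setClientCookies = false;

    public boolean function onRequestStart(required string targetPage) {
        // Re-issue the session identifiers ourselves. With no "expires" attribute
        // the cookie lives only as long as the browser session; httponly keeps
        // page scripts from reading it and secure restricts it to HTTPS.
        cfcookie(name = "CFID",    value = session.CFID,    httponly = true, secure = true);
        cfcookie(name = "CFTOKEN", value = session.CFTOKEN, httponly = true, secure = true);
        return true;
    }

    public void function onSessionEnd(required struct sessionScope, required struct appScope) {
        // Nothing to persist: session data should not outlive the session.
    }
}
```

Note that secure=true means the cookies are only sent over HTTPS, so a site served over plain HTTP would lose its session; also, the CF Administrator option to use a UUID for CFTOKEN makes the token far harder to guess than the short numeric values seen in the comment above. Neither setting fixes server-side state being shared between users, which is a separate back-end bug.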
Just posting this here to remind myself more than anything, a few facts I wanted to point out when I comment, if anyone can figure out which sites have the exact percentages let me know.
First was that roughly 30% of households in the UK will have children present. Meaning that there are only 30% of people who would be directly affected by this.
In round about terms, that means that they're pandering to the minority rather than the majority. Not to mention that additional burden of constantly updating lists of banned sites ISPs would have to go through, which would mean additional costs which always get passed down to the consumer.
The government would be better off doing it as an actual opt in system, so you opt in for filtered internet. OR doing something which is probably smarter and easier, and making it a ruling that ISPs have to provide smut blocking software, giving instructions on how to set it up etc.
Personally I just set up openDNS with the adult material blocking so kids can't get through to a lot of sites on a DNS level. Add some smut blocking software on the PC side and dun-dun-dun you've probably got more protection now than if the ISP were to block it all itself.
All most parents need is some simple instructions, we don't need a blanket ban for any and everyone.
"All most parents need is some simple instructions, we don't need a blanket ban for any and everyone."
Quite.
Could not Bletchley Park host a site with such instructions and appropriate open source software? It's memorable enough that with a modicum of promotion there would be few who did not know where to obtain advice and protection.
It's put out by the DfE and is presented as a survey for parents, carers, young persons and members of the ISP industry. But it's far beyond that in scope, assuming to curtail and censor the freedom of all UK citizens.
There is one question somewhere in the middle asking if any default restriction should apply to all households or just those with children. This is not for the people they're supposed to be consulting to decide; it's hiding a nasty power-grab attempt to censor everyone.
I started filling in their questionnaire for a bit of fun yesterday - after having been identified as at least two different people by the site. Halfway through submitting the questionnaire (page 3 or thereabouts), I started seeing the question boxes already filled in from another punter.
I have to say that I agreed with the punter's sentiments exactly* and I couldn't be arsed to carry on monkeying about with that site, so I jacked it in.
* The usual stuff about safeguarding kids being the parents' responsibility, being stupid if you have blind faith in automatic filtering etc. i.e. exactly the kind of stuff that would be likely to confuse a Daily Fail reader.
They're going to have to scrap all the on-line submissions received, apologise profusely, and start again.
Many of the entries will have been corrupted by someone else overwriting them (I know - I did that to some unfortunate yesterday, not realising that it wasn't just a fancy way of providing anonymous submission).
So what they have they can't trust, especially as (pointed out by Joefish above) a person's submission may now contain views that are totally contrary to the original.
Total, utter Fail.
Incidentally - the consultation was just one of many which were accessible via the same route, and all are now unavailable.
Which begs the question: has this cock-up affected all current consultations? Really bad if it has, because I think some of the other topics were even more sensitive than this one.
This post has been deleted by its author
"The site is temporarily closed for maintenance."
I'll bet it is! (oh, and even that page is invalid HTML...)
If you go to Direct Gov, there's a page that lists 40 different government consultations websites. Wonder if they're all equally as good.
Perhaps the Government Digital Service could do something actually useful and sort this lot out.
Oh, I forgot, they're not about delivering stuff; their role is all about fucking over other government departments.
....even for government and government IT.
Maybe I was one of the few people that was able to complete the survey without seeing anyone else's submissions, but now I will be asking some direct and awkward questions about this debacle.
How do these people get allowed out of their sheltered accommodation, let alone be employed at our expense?
After all if PI's *allegedly* working for News International publications (since shut down) could get hold of it *without* needing to pay them off how would they supplement their incomes? UK civil service pay is not that generous and the cost of living in Cheltenham is shocking.
No way will *anyone* have copy or search privileges to the *whole* database and dump it to say a Lady Gaga CD for example.
That would just be stupid.
On the HMRC site they get sort codes to bank addresses wrong. This is in their payment procedures. They say enter the account number and sort code, with a warning to check if the bank shown below is correct, then instead of showing the bank branch (which is tied to the sort code) they show a back office regional centre the account holder has probably never known.