Scouts take down database due to 'security vulnerabilities'

The Scouts Association has taken down its Compass database, which holds the records of nearly half-a-million young people and adult volunteers, after discovering a "potential security vulnerability," The Register can reveal. In a letter seen by El Reg and addressed to members this morning, the association said the decision was …

  1. Anonymous Coward
    Stop

    "There is no evidence at all to suggest that there have any breaches in security."

    Granted we haven't looked, but pretty sure nothing has happened.

    To be pedantic, if someone, even accidentally, went to a page they shouldn't have had access to, then there is a breach right there.

  2. vonBureck
    Joke

    I expect someone tried to enter a new scout

    Little Bobby Tables, we call him...

    1. Anonymous Coward

      Re: I expect someone tried to enter a new scout

      The son of Bad-end Pown-all?

  3. Keith 21
    FAIL

    Do the honourable thing...

    Come on Scouts UK HQ do the honourable thing - scrap the abomination that is Compass, and use OSM instead - you know, like the majority (95%+) of your Scout leaders already do, and like several national and international groups already do.

    But then again, that would involve using something which was Not Invented Here, and would involve scrapping some VERY expensive contracts to your mates, wouldn't it?

    1. Anonymous Coward

      Re: Do the honourable thing...

      "and would involve scrapping some VERY expensive contracts to your mates, wouldn't it?"

      Not to mention the jobs for the boys going on with the project management team, too many cooks comes to mind.

      But hey, it's only charitable money you're playing with.

    2. Anonymous Coward

      Re: Do the honourable thing...

      It was obviously the beginning of the end when leaders started getting instructions that referred to their 'line managers', that and a growth in the number of managers... And it really has got worse and worse (judging as the partner of a successful leader of 15 years who, along with several colleagues, has abandoned a once enjoyable voluntary activity that consumed a day a week).

  4. codejunky Silver badge

    One source told us: "If these bugs are being found by regular users, I am pretty sure the vulnerability assessment or code checking was poor."

    It is always possible that someone found the problem through sheer weight in numbers. For some reason this explanation doesn't seem to come out too often, but quite simply everything has its flaws, and the more complex, the more flaws. Just as the theory exists to do with monkeys and the entire works of Shakespeare, the same applies to a lot of discoveries in life.

    As in most development work you try to make it fool proof, knowing full well there is always a bigger fool.

    1. Destroy All Monsters Silver badge
      Holmes

      It is always possible that someone found the problem through sheer weight in numbers.

      Only if these "numbers" were all testers. Consider:

      1) Most people would only do the "expected thing", thus not proceeding into fresh, wild areas of the state space

      2) Most people wouldn't know what they were looking at if a problem occurred, neither would they detect that it is a security problem

      3) Most people upon encountering a problem would just say "DUH" and click on the back button, maybe reboot the PC

      4) Most people wouldn't even bother to tell anyone about IT weirdness

      This leaves people who know about IT, perform new operations, know what they are looking at with enough time on their hands (or are foolish enough, considering how these things may pan out) to tell somebody.

      1. codejunky Silver badge

        @ Destroy All Monsters

        You have had some very tame users then. In every system I have seen or been involved with the users have always done unexpected things which cause them to pick up on little bugs to odd conditions but maybe I am used to suitably big projects to have them. Most software has various little bugs and larger problems and the more users/complexity the more problems there will be. And of course a serious security flaw can happen. And users do report them, at least the users I have had to deal with. I would think especially if they thought someone might be able to see their private information.

    2. Arklight

      "As in most development work you try to make it fool proof"

      I think the issue was with the fools doing the proofing internally.

  5. Mark 85

    Common Sense?

    "It is good to see that common sense prevailed in the end to properly test this high-profile high-risk database."

    I doubt it was "common sense". Given all the bad press over the Scouts worldwide, I'm suspecting this was first and foremost a knee-jerk reaction. I'm hoping I'm wrong and it really was concern and not fear of the media this time.

  6. Anonymous Coward

    Nomenclature

    I don't think they should be talking of "in depth penetration testing" and "member access" given all the recent publicity they've had on other issues.

  7. Strangelove

    Probably a good job we didn't actually follow instructions (again)

    We were actually instructed by TSA (The Scout Association) to destroy all paper copies of youngsters records, such as addresses, medical detail like allergies, religion etc, once we had it all typed into the Compass system (which would have been a mammoth task if it wasn't already in OSM and therefore reduced to a bit of cut/paste and a few hand edits for things like telephone area codes which it needed in its own funny format.)

    Luckily, perhaps, I don't think anyone in our group at least actually did so, which is as well, as it looks like we will need to go back to what we did before, at least for a while.

    Not to mention the fiasco that is the loss and confusion of leader training records ;-)

  8. chrubb

    timescales

    To clarify things - COMPASS (aka COMPOST...) was taken down a couple of months ago and is not likely to be up again before the new year according to the latest bulletin.

    It has been a complete laughable fiasco from the get go. So much so that I can only think the project managers (if indeed there are any!) involved must have been subbed in from a recent MOD project team?
