don't over-egg it
> e-mailed the entire database in clear text messages
It's not as sky-is-falling as it's being made out to be. The data was protected by the BorkBork cipher whilst in transit.
In a slowly-unfolding scandal in Sweden, it's emerged that the country's transport agency bungled an outsourcing deal with IBM, putting both individuals and national security at risk. Pirate Party founder and now head of privacy at VPN provider Private Internet Access Rik Falkvinge has been working to bring details of the …
I know IBM is the industry whipping boy for stupid mistakes at the moment, but in all honesty, this was setting them up to fail.
Why the hell does a government keep sensitive military and police data in the same bit bucket with normal registration information!? In *ANY* IT system, someone somewhere has the ability to wander in and out of the system at will. By putting all this in one place, you have to accept that at least one person in the chain has the ability to grant access to any or all of the data to an unlimited number of people. The worst part is, you can have a data spill like this not from malicious intent, but (as the article says) from common, garden-variety ineptitude.
Pretty much all big business contractors will only work to the contract. If you want something extra that you failed to negotiate for in the original contract, it'll cost you extra. If the Swedish government kept everything in one place like this, and then outsourced the lot without putting some obscene contract terms in to specifically limit where the data gets manipulated, and who has the ability to grant access to it, then this fail is all on them. IBM's involvement was little more than the equivalent of trying to use a bucket of kerosene to put out a bonfire.
@ecofeco wrote: All I had to do was read the title and I knew it was IBM.
It's not IBM's fault:
"[Sweden's] transport agency e-mailed the entire database in clear text messages to marketers that subscribe to it..."
Sweden's transport agency screwed this up! And why is Sweden selling this information to marketeers?
Stories like this sure make me glad that the government is surveilling every aspect of everyone's existence possible and storing it all in huge databases. Of course there's no way that all could leak out as we know that government spy agencies are leak-proof.
I'd love to see another Snowden/Shadow Brokers, but instead of releasing evidence of mass criminal activity or stealing and releasing malware this new person/group would dox congress. I'm talking every filthy little detail down to the lung capacity to the pet budgie owned by the transvestite prostitute that insert-ultra-right-wing-senator-here sees every Friday. That might do something to wake up our garbage legislators and maybe even the private sector to how dangerous this stuff can be.
On the other hand, it probably would just encourage them to surveil more and move on to more important things.
> but instead of releasing evidence of mass criminal activity or stealing and releasing malware this new person/group would dox congress.
That will never happen in our lifetimes. I'd assume that's kept in a very deep and dark place, possibly not on computer. After all, the agency has to assure itself of maximum funding in every year's budget and keeping the ones who vote on the budget in line is part of their self-imposed duty.
@DryBones: "There isn't any. That's the point."
The guy made an unnecessarily long-winded statement about the value of dead rats in a tampon factory, possibly in an attempt at being ironic.
Looks like you don't know how to make an ironic comparison either.
Conflating two random things just makes you look stupid, or high. But maybe something was lost in translation... Can any native Swedish speakers comment?
Tampons - furry things with a tail.
Dead rats - furry things with a tail.
That's how I saw it. Made me laugh, but I'm sick.
Rik had fun with a 'mousey' found in a girl's handbag, The Young Ones party episode - a very good one.
@Drybones, I'm with @Snorlax on this one. Round these parts, the construction is more subtle than "as much value as X on a Y", where X and Y bear no relation. Here at least there needs to be almost a relation. So tits on a cow; great, A++, would buy again. They can either get me milk for my coffee or feed my future dinner. Both excellent endeavours. Tits on a bull... not so much.
Maybe something gets lost in translation, and I'm the first to admit that my knowledge about the manufacturing process for tampons is somewhat lacking, but truckloads of dead rats don't seem to have an equivalent that is used in the production. Maybe the word sounds like something, or maybe other parts of the world you can just say whatever you feel like with such a sentence construct. Curious.
Yes, men should be wary of women having access to data like this because their brains are not hormone-wired so well for technical security thinking! Also, WTF were the database access controls to forbid access to restricted and higher-security data, even in a stupidly monolithic database!
No, it doesn't make any sense in Swedish either. Just like the multiple violations of laws regarding classified information that the gubbmint itself has wantonly committed for decades now. (This is just the tip of a very large iceberg with regards to how the department in question operates.)
I'd wager Falkvinge was going for something along the lines of: rats in a tampon factory are utterly useless, misplaced and a sanitary risk. Much like privacy handled by the government.
As no-one else seems to have noticed, I'll point out that it's actually a quote from the very aptly named film "Top Secret!".
Nick: Listen to me, Hillary. I'm not the first guy who fell in love with a woman that he met at a restaurant who turned out to be the daughter of a kidnapped scientist, only to lose her to her childhood lover who she last saw on a deserted island, who then turned out fifteen years later to be the leader of the French underground.
Hillary: I know. It all sounds like some bad movie.
[Long pause. Both look at camera]
The only way for us to be truly safe from these data breaches is to have a global database of people who have had their details leaked. This database needs to contain things like SS/NI #, home address, maiden name, driver's license details, bank account details, children's and spouse's names. Needs to be secured with SHA-0 and hosted by a country with a track record of tight privacy laws. I suggest the United States. To make it easy for international police to access this database, I suggest that this database be accessible by web site. Capita shall be given the contract.
You do realize that some journalist reading the above will assume you are being serious and at least 10 persons (all experts, as we all know non-experts have no access to comment here!) agreed with you. That's the idea, right?
So, to enhance your original idea I propose to also store details of those who have not been leaked yet, in the same database. With a bool field to tell whether or not details have been leaked yet. By default set to true, and with validity constraint that the only allowed value is true.
> the transport agency e-mailed the entire database in clear text messages to marketers that subscribe to it
Why are marketers, private organisations, receiving a feed of the entire government vehicle database, irrespective of whether it's encrypted or not?
I understand that the government probably uses private marketing agencies to do its own mass mail-outs, but in that case only the information necessary for that particular mail-out should be sent to the specific marketers.
I guess any PIs or repossession agents or similar, or foreign intelligence gathering, need to cultivate contacts in marketing firms to get registration details. They don't need to bother with trying to subvert someone in the police or the Swedish DMV-equivalent.
> Why are marketers, private organisations, receiving a feed of the entire government vehicle database, irrespective of whether it's encrypted or not?
It's semi-public data. Anyone can go to the transportstyrelsen website, punch in a reg number, and not only get details of the vehicle but have the name and address of the previous three owners sent to them by email or SMS.
Organisations that are interested can get the dataset and scan it for particular types of vehicles, ownership changes, etc. So buy a used car, and in a few days you get letters from insurance companies giving you offers, local dealerships offering you servicing, etc., etc.
"The DVLA does it too. Why? It's a nice source of money."
The DVLA doesn't do quite the same thing. It will supply vehicle details with no keeper details and it will supply rough vehicle description with registered keeper geographic location anonymised to one of 1,000 vehicles and 300 households.
They also do one-off keeper details for those intending to pursue legal action (in theory, but it doesn't check very hard) and a multiple request process for parking enforcement cowboys.
And they bulk feed law enforcement.
What they won't do is supply keeper details in bulk to the general public.
A classic screw up, an inept government agency (an oxymoron I know) and I've Been Moved (aka Itty Bitty Morons) to make a complete hash of this. Combined with outsourcing to other countries, not verifying if the people with access should have access, what else could go wrong?
I'm not quite sure you understand what an oxymoron is. An oxymoron is two words which, when put together, don't make sense: a light darkness, a cloudy sun, or a small giant. In this case a "competent government agency" would be an oxymoron. An inept government agency is the norm, at least when it comes to IT and data...
That's just one application of the word, but in general an oxymoron is a description that is self-contradictory. Such as "a regular abnormality" (since something abnormal, by definition, can't be regular) or a "squared circle" (since a circle, by definition, has no corners).
"A truckload of dead rats in a tampon factory". Unless it's a Google Translate "feature", one has to assume it's a comparison between rats in a sausage factory and rats in a tampon factory, claiming they are more easily detected among tampons. Or perhaps it's just a silly thing to say.
Just so you know about Love Canal...
It was a clay sealed chem dump that met all the standards of the time and place.
It was donated to the city/school district for putting a school on top of only and was NOT supposed to be dug down into.
Some greedy wanker in the city/school saw all that wonderful vacant land sitting there and figured they could make a ton of money selling it off for housing lots.
The builders dug down through the clay seal and put in basements and VOILA! chemicals leaking into everything!
Raise a big stink any way you want, but the original canal served its purpose as originally constructed and if not dug into would still be sealed up tight today with none of the problems. The property should have been permanently noted on title transfer as being a former chem dump. I don't know if that happened or not and what subsequent "cleansing" of the records may have happened for the sales to progress. And yes, it sucked for those who bought property there.
"The leak seems to have happened over email after the transport agency e-mailed the entire database in clear text messages to marketers that subscribe to it – and when the error was discovered, the agency merely sent a new list and told subscribers to delete the old list themselves."
#headshake #rolleyes
As others have mentioned, 'Cloud' is simply a marketing term; the fabric of it is still made up of servers residing within datacentres with fibre connecting them.
Considering the sensitive nature of the data contained in the mentioned database, has IBM even got a datacentre in Sweden, or were the Swedes happy for it to reside in Norway?
Most probably an intern going like:
"Here's your [censored™] database in cleartext since we can't be arsed to figure out how this encryption doohicky works.
Hakuna Matata. Nobody'll intercept it anyway. And if they do, they'll read the bit at the end of the email which will ask them nicely to delete it if it is not intended for them."
We need an Alfred E Neumann icon.
As far as I know, IT service providers like IBM are bound by confidentiality agreements and their employees are bound, too.
If there's any leakage by IBM, is it somehow proven and documented?
I think the biggest mistake was on the Swedish customer's side (in the design of the database, which was missing encryption of sensitive data fields, i.e. content that DB admins do not need to see, plus low contractual requirements on confidentiality/certification of security standards on the provider's side, etc.).
When the scandal hits the political floor and journalists are digging into it, facts become less and less important.
In Czech newspapers one could read that the Swedish government crisis was because of Czech employees of IBM ... it could have been Belarus, Bangalore, ... any other IT service provision site in the world that the customer could have contracted.