Barclays Bank appeared to be using the Wayback Machine as a 'CDN' for some Javascript

Barclays Bank appears to have been using no less than the Internet Archive's Wayback Machine as a "content distribution network" to serve up a Javascript file. The bizarre discovery was made by Twitter user @immunda, who discovered on Thursday that the British financial institute was calling JS from the Internet Archive. …

  1. CujoDeSoque

    Data not at risk?

    How the fsck would he know?

    Where does he bank again?

    I'll need his account numbers, PIN and a sample of his signature to verify it.

    1. HildyJ Silver badge
      WTF?

      Re: Data not at risk?

      Standard company lines:

      "Your data is not at risk."

      "No active exploits have been seen."

      "We apologize for any inconvenience."

      "We have solved the problem."

      Unsaid lines:

      "We are not holding anyone accountable."

      "No, you will not get a refund."

      Same as it ever was.

      1. logicalextreme Silver badge

        Re: Data not at risk?

        "There is no evidence that…"

        1. robidy Silver badge
          Coat

          Re: Data not at risk?

          "We were testing disaster recovery...and forgot to switch that back to production".

          1. john.jones.name
            Mushroom

            "issues"

            Adding to Barclays issues list:

            1/ Servers allow client-initiated renegotiation (DOS risk)

            2/ http://Barclays.co.uk not DNSSEC signed (MitM allowed)

            3/ Use messagelabs and Agari so USA get all messages

            (most industries need not care but when your a bank it is a bad thing)

            1. ICL1900-G3
              Headmaster

              Re: "issues"

              'when you're a bank'

            2. Anonymous Coward
              Anonymous Coward

              Re: "issues"

              "3/ Use messagelabs and Agari so USA get all messages"

              What's that based on? Messagelabs are a UK company, admittedly now owned by Symantec, but to my knowledge even before the buyout they had loads of servers within the UK (since that's where they started as part of Star Internet), plus others all around the globe. Guessing Symantec didn't just bin all that resource when they bought it.

              1. Anonymous Coward
                Anonymous Coward

                Re: "issues"

                Messagelabs are owned by Broadcom, a USA-based company, and their hosting is with AWS, a USA-based company that is subject to USA-based law. They might have had servers, but they simply rent now.

                No matter what you call a server, if the logs and content are subject to USA law then your messages are.

                says nothing of issues 1 and 2...

        2. ChrB

          Re: Data not at risk?

          "There is no evidence yet that…" here, ftfy

      2. paulf
        Alert

        Re: Data not at risk?

        "..has affected only a small* number of customers..."

        Where "small" = 0-100%

      3. macjules Silver badge

        Re: Data not at risk?

        No, in this day and age you admit that a "very small percentage of our customers might have experienced some inconvenience". You then go on to say that, "we will be offering them credit monitoring options via Equifax" and "we reported this to the ICO within the 72 hour timescale permitted".

    2. BrownishMonstr Bronze badge

      Re: Data not at risk?

      Isn't it obvious? They did an investigation using the Wayback Machine to see if anyone retrieved the details.

    3. Hubert Cumberdale Silver badge
      Terminator

      Re: Data not at risk?

      I need your clothes, boots, and motorcycle.

    4. Teiwaz Silver badge

      Re: Data not at risk?

      Gross incompetence really needs to be added as an offence on the Computer Misuse Act.

      1. LucreLout Silver badge

        Re: Data not at risk?

        Gross incompetence really needs to be added as an offence on the Computer Misuse Act.

        That's Barclays knackered then; All their good staff left years ago. The only people still sheltering in the bungalow are those without the wits or the talent to escape.

      2. TheVogon

        Re: Data not at risk?

        It's already covered under the DPA and then by GDPR.

    5. SuperGeek

      Re: Data not at risk?

      "I'll need his account numbers, PIN and a sample of his signature to verify it."

      I've got my old pal George Agdgdgwngo on speed dial, I'll get him on the job!

  2. Steve Foster

    404 error?

    A recent feature added to Brave is an option to automatically try the Wayback Machine for 404 errors - could it be that Barclays had "misplaced" their JS and the browser auto-tried to "fix" the 404?

    1. logicalextreme Silver badge

      Re: 404 error?

      One thing that I'd actually considered was that they accidentally torpedoed their codebase one day and had to hurriedly reassemble it from whatever scraps they could find on devs' machines etc. (in this fantasy of mine they of course had no backups); and they'd had no luck finding some page code so had to go grab it from the internet archive, forgetting to change one of the script addresses in the rush. Weirder stuff has happened.

      1. Blazde

        Re: 404 error?

        Totally my first thought. I can also imagine the relief at finding a backup on Wayback Machine quickly turning into quiet smugness because they didn't waste time making an apparently unnecessary backup.

      2. Keith Langmead

        Re: 404 error?

        Yep, "That's fixed it for now, we'll download a copy of the files to our web server and repoint things later... anyone fancy a celebratory pint?", and of course "later" never happened.

  3. Will Godfrey Silver badge
    WTF?

    This is just the one that was discovered.

    How many more howlers are lurking in the code?

    I doubt Barclays is worse than the other banks (nor better of course) so it makes me wonder about all the outages that occur and are never properly explained.

  4. steelpillow Silver badge
    Holmes

    Bwahahaha!

    "We want to reassure our customers that their data was not at risk as a result of this error."

    Well, you gotta either laugh or cry and who wants to cry?

    1. Flocke Kroes Silver badge

      Re: laugh or cry

      I want to cheer for their honesty - even if they missed a few words out:

      We want [really really want even though we are unable] to reassure our customers that their data was not at risk as a result of this error. [Luckily we do not have to comment on all the other errors at this time]

      If there is something to laugh or cry about it is how much I have lowered my expectations of what counts as an impressive amount of honesty.

      1. Nick Ryan Silver badge

        Re: laugh or cry

        Yep, typical weasel words. All too common right now. I wonder when "just lie and when caught, lie again" will become an acceptable method of business? These things are bound to trickle down from government eventually.

        1. Mike 137 Silver badge

          Re: laugh or cry

          "I wonder when "just lie and when caught, lie again" will become an acceptable method of business?"

          It has been for decades - in fact it's the norm, alongside five day PowerPoint and pub quiz "qualifications" that get the ignorant hired to positions of responsibility, "compliance" consisting of a bunch of crafted paperwork to fool auditors that don't investigate whether anything actually works, "risk assessment" methods that yield random nonsense, etc., etc.

          We had the Stone Age, the Bronze Age and the Iron Age. We're now firmly in the Bullshit Age.

  5. Anonymous Coward
    Anonymous Coward

    I'm smarter...

    Because I use Register comments to back up my data. Here's a few pixels from a recent picture of my pet cat, Mr Whiskers:

    ◼︎

    (taken at night, in a dark room).

    A/C, because everyone will want to do this, obvs.

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm smarter...

      I know you think you're the first, but if you check amanfromMars posting history you will see landscapes from all over the world as he used ElReg for cheap storage.

      The amusing thing is the number of commentators who replied to his pictures.

      1. steviebuk Silver badge

        Re: I'm smarter...

        Am I missing something? I don't get it?

        1. John Miles

          Re: I'm smarter...

          Let's just say posts by AManFromMars1 tend not to be easiest to read, so the theory is they aren't really posts but some hidden data

          1. paulf
            Black Helicopters

            Re: I'm smarter...

            Perhaps AManFromMars1 is using El Reg posts as a gibberish words based numbers station via teh Interwebz.

          2. NetBlackOps Bronze badge

            Re: I'm smarter...

            You have to use multivalent semiotic analysis to get the multiple meanings. I need serious coffee before even trying.

          3. boltar Silver badge

            Re: I'm smarter...

            Just looks like old style AI bot posts. Hidden Markov model trained on Register comments perhaps.

    2. David 132 Silver badge

      Re: I'm smarter...

      I hide messages in all my Reg forum postings. Encrypted, of course; I’m no dummy. Quadruple ROT13, to make certain.

      1. sev.monster
        Paris Hilton

        Re: I'm smarter...

        Wow, that's four times the encryption! How many years does it take to reverse that with a machine if you don't know the secret??

        1. Anonymous Coward
          Anonymous Coward

          Re: I'm smarter...

          I read once on the internet that if you continue to encrypt and compress then you end up with a single bit that holds all the original information. And if you compress this, you end up with half a bit.

          A/C because being a genius is dangerous. Just ask Trump.

          1. Strahd Ivarius Bronze badge
            Trollface

            Re: I'm smarter...

            Why do backups anyway?

            According to leading scientists (*) every bit retains a memory of its previous states, allowing to retrieve them when they are needed...

            (*) these scientists don't have any clue about IT subjects, but they are leading scientists in their own fields.

            1. sev.monster
              Devil

              Re: I'm smarter...

              I heard that if you yell (I'm talking spit-flying-from-mouth) at your RAM, it becomes rather forgetful... Jostling it around works too.

          2. greenwood-IT

            Re: I'm smarter...

            Erm,

            Years ago (before ZIP, ARJ and LZW), I wrote a compression utility that would compress any data down to a single byte. Unfortunately I never managed to complete a working decompression method though. Maybe I should resurrect that code now - anyone got a working Vic-20 I can borrow?

            1. Korev Silver badge
              Alien

              Re: I'm smarter...

              Retro Games will release a revamped Vic20 in October, so you won't have long to wait...

            2. Ian Entwistle

              Re: I'm smarter...

              I've got two in the garage along with the tape deck ( old style square one that put tapes into orbit when ejected )

            3. mtp

              Re: I'm smarter...

              Just look for your data in PI - it is in there somewhere then store the index and size for ultimate compression

  6. Sandgrounder

    Whoops

    Whilst not very clever, this is just their brochure site. Their online banking is somewhat more stringent and is (was) set up to not allow connection to any other 3rd party sites. Hell, it wasn't long ago that their main site didn't use https.

    1. mark l 2 Silver badge

      Re: Whoops

      It may only be a brochure site, but this fail could have resulted in their site being pwned by someone who could alter the JS on Wayback to add a fake link to their secure online banking for a nice phishing attack on Barclays customers.

    2. Snake Silver badge

      Re: Whoops

      But it's their own code, the referral URL is from a stored capture of Barclay's own web site as it was on June 1. So what's going on? Maybe someone is covering their own arse by linking to a file that no longer exists locally, deleted and all, and to ask to restore it would mean raising alarms. Or lazy and didn't want to upload it locally. Or possibly a superior no longer wanted the code in the active site, told the developer to remove it from the servers but Dev still wanted it in and a hyperlink doesn't raise suspicions?

      Lots of ideas but we'll have to wait for the admission of guilt. If one ever comes.

  7. AndrueC Silver badge
    Mushroom

    Typical canned response by Barclays. I could imagine their email server having simple phrase recognition and sending that reply without any human intervention. It wouldn't surprise me if a third party offered that as a service. Just sign up and direct all emails to them and they will auto reply for you.

    Pathetic.

    1. Strahd Ivarius Bronze badge
  8. aregross

    Someone is now looking for a job...!

    1. BrownishMonstr Bronze badge

      Why is that? So the person who learnt the lesson can now take it to another company?

      I don't understand why we always want a person's head when it's a single mistake made public. It's warranted sometimes, but not all.

      1. Anonymous Coward
        Anonymous Coward

        I was once, late nineties, responsible for sending out a monthly newsletter for the organisation I worked for. This was a time when the contact list was just an Excel file and it involved copying the addresses into the BCC field of our usual email client. Either the server or the client (I forgot which) couldn't handle more than a few hundred addresses so it involved five or six batches of 250 addresses that I'd copy paste into the BCC field. Among them personal addresses of cabinet ministers, captains of industry, two CEOs of major airports etc. etc. Needless to say, one or two batches were accidentally put into CC instead of BCC and within 20 minutes a shit storm came over us.

        The response of my boss was one that I would never forget (and now practice myself). He made sure that from now on I was always responsible for the monthly email because if there was ever someone who would never make this mistake in the future, it would be me. And he was right.

        1. Anonymous Coward
          Anonymous Coward

          "...and that evening I went home and registered MailChimp.com" is how I was hoping that would end

        2. Chris 239

          You should have left the image and logged the traffic and after a while presented them with an invoice for the service. Could have made a killing!

      2. doublelayer Silver badge

        Well, many businesses want someone's head because it's an easy way to make it look like they've done something: "The employee responsible was fired [and therefore the person who should have detected and prevented won't be]". But there's various times when it's the right response. I don't know how or why this particular error happened. However, if it was somehow done intentionally, it's a very obviously bad thing to do. Someone who decides to use a compromisable third party without any guarantee of security or functionality might not be the best coder out there.

        Yes, there are lots of things that can fall into that bucket, but this is worse than most of them. For example, although pulling code directly from NPM is similarly dangerous, people at least expect that it happens and do some types of automatic security checks on new releases. Nobody's going to do that for the Internet Archive. Also, most places from which external scripts are retrieved at least expect that to happen and have made statements about keeping their server up. I don't think the Archive has ever indicated they are willing to be used as a CDN and they can delete files or edit them at any time without notice.

        So, if you have a sufficiently worrying practice being intentionally used, you have to wonder whether you will catch them if they do something like that again. That isn't necessarily a reason to immediately fire someone, but if you have alternatives, and the current job market means you probably do, it's a thing worth considering. A good company won't fire people for honest accidents, but negligence or intentionally doing something stupid are potentially worth it.
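An added example, not part of the original thread or anyone's post: a small audit that lists `<script src>` tags loaded from hosts the site owner has not approved, or from approved hosts without a Subresource Integrity hash, which is the kind of automated check the comment above says nobody would be doing for the Internet Archive. The sample markup, the `bank.example` and `cdn.example.net` hosts, and the function names are assumptions constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample markup (not the bank's real page). All hosts are
# placeholders except web.archive.org, the third party named in the article.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/widgets.js"></script>
<script src="https://web.archive.org/web/2020/https://bank.example/js/menu.js"></script>
<script src="//stats.example.org/t.js"></script>
<script>var inline = 1;</script>
</head></html>
"""

SRI_PREFIXES = ("sha256-", "sha384-", "sha512-")


class _ScriptSrcCollector(HTMLParser):
    """Collect the attributes of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attr_map = dict(attrs)
            if attr_map.get("src"):
                self.scripts.append(attr_map)


def audit_scripts(html, page_url, approved_hosts):
    """Return findings for external scripts that are unapproved or lack SRI.

    First-party scripts (same host as page_url) are skipped. Only the presence
    and algorithm prefix of the integrity attribute is checked here; the
    browser is what verifies the hash against the fetched file.
    """
    page_host = urlparse(page_url).hostname
    collector = _ScriptSrcCollector()
    collector.feed(html)

    findings = []
    for attrs in collector.scripts:
        # Resolve relative and scheme-relative (//host/path) URLs.
        url = urljoin(page_url, attrs["src"])
        host = urlparse(url).hostname
        if host == page_host:
            continue
        if host not in approved_hosts:
            findings.append({"host": host, "url": url, "issue": "unapproved-host"})
        elif not (attrs.get("integrity") or "").startswith(SRI_PREFIXES):
            findings.append({"host": host, "url": url, "issue": "missing-sri"})
    return findings


def sri_hash(content: bytes) -> str:
    """Compute the integrity attribute value for a reviewed copy of a script."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML, "https://bank.example/index.html",
                           approved_hosts={"cdn.example.net"}):
        print(f["issue"], f["host"], f["url"])
    print(sri_hash(b"console.log('reviewed copy');"))
```

With an `integrity` value in place, a browser refuses to run a cross-origin script whose content no longer matches the reviewed copy, so a silent edit or deletion at the third party breaks the page feature instead of running unreviewed code.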

      3. Mike 137 Silver badge

        firing

        It's usually someone's head (not always, depending on their rank in the hierarchy) because it cheers up the stockholders, recovering any downturn from the incident publicity. Vengeance is seen as a sign of being in control.

  9. Blackjack Silver badge

    Once Flash finally dies

    It should be Javascript for Web turn.

    I already block most scripts by default to be safe, JS is definitely more dangerous nowadays that Flash is.

    1. Will Godfrey Silver badge
      Meh

      Re: Once Flash finally dies

      Well yes, but it's not the tool in the box you need to worry about, it's the tools that put it in the box.

    2. Adam 1

      Re: Once Flash finally dies

      Well just make sure you're sitting down before you Google wasm.

    3. To Mars in Man Bras!
      Facepalm

      Re: Once Flash finally dies

      (less, more, bigger, smaller, faster, slower... etc) "that"

      the latest American fuckwittism to go endemic.

      "THAN" - fer feck's sake - "THAN"!

      1. Snorlax

        Re: Once Flash finally dies

        Keep your hair on. It’s probably just autocorrect messing things up.

        1. To Mars in Man Bras!
          Headmaster

          Re: Once Flash finally dies

          That's why the Preview button was invented. And the concept of proof-reading.

          1. Alumoi
            Trollface

            Re: Once Flash finally dies

            Proof-reading? Pops, it's the 21st century! There's autocorrect everywhere and it's always right, right?

            And don't get me started on grammer nazis. One tiny misspell and presto! Proof-reading for free!

            1. MCMLXV
              Headmaster

              Re: Once Flash finally dies

              "grammer Nazis"

              1. Alumoi

                Re: Once Flash finally dies

                See, I was wright!

  10. MatthewSt Bronze badge

    Liability

    Genuinely curious about the answer to this question, but let's say someone hot-links to a file on your site, and you change the file to do something that users of your site have consented to, but hot-linked site have not, eg generically logging form data and keeping it for 30 days.

    Are you liable for what happens to the data of the visitors of the other site?

    1. Alister Silver badge

      Re: Liability

      If someone hot-links to content on your site, without your prior agreement, then they are fair game, and bear the responsibility.

      I once had a government department website which linked to an image on one of my sites without my knowledge or consent. I only found out because the traffic levels suddenly shot up on my site.

      So I changed the image to show the text "This image does not belong to <website> and they do not have permission to use it". It took over a month before they noticed and took it down.

      1. MatthewSt Bronze badge

        Re: Liability

        I agree with you from a moral perspective (and the image example is nice and straightforward) but to take it a step further: if you were to show an inappropriate image, as much as it would be appearing on Barclay's website they are not actually the ones distributing it, the user's browser would be talking directly to your webserver.

        If you are collecting data, isn't it the legal responsibility (GDPR and all that) of the organisation collecting the data to make sure they're only collecting what they should be? Yes Barclay's would be in breach of it by directing user traffic to you in the first place, but would that be enough of an excuse for you to not also be "in the wrong"?

      2. Snorlax

        Re: Liability

        I would change the image to Goatse man and wait to see how long it took to be un-hotlinked.

    2. doublelayer Silver badge

      Re: Liability

      If they have hotlinked to your site because you are providing them a service, then there is a terms of service document describing who is responsible and potential penalties in various situations. Under GDPR, your site would be a data processor and both you and the original site would need to ensure legal handling of the data provided to you. If you violated that, data protection authorities can go after you, even if it was through another site that the data came to you.

      If they link to you without permission, then you are not responsible. Well, that depends--if you log information you know to be personal information when you know you have no right to it, data protection can still go after you. But for most other things, you don't have any responsibility. If you want to host scripts that nobody else would want on your site, you are allowed to do so. For example, cryptomining scripts are not illegal, so you can put them up if you wish. If someone decides to link to a file and you switch it to a different file, that's their problem. Any liability would be on them because their site, not yours, was the one deciding what the user gets, and it was their choice to include a script their users don't like.

      1. Jason Bloomberg Silver badge

        Re: Liability

        If someone decides to link to a file and you switch it to a different file, that's their problem.

        I'm in agreement with you, and on this, unless you switched the file with malicious intent, meaning to cause harm, inconvenience, punishment. Intent, mens rea, is a key component in any potential case against someone and would probably play a part here.

        Swapping a linked image to something non-offensive is most likely okay; merely embarrassing rather than harmful. Move towards obscene language or a porn image and it's riskier, though mostly just offensive; kiddie porn and you're in a world of shit.

        1. Ben Tasker Silver badge

          Re: Liability

          > For example, cryptomining scripts are not illegal, so you can put them up if you wish. If someone decides to link to a file and you switch it to a different file, that's their problem

          I think you'd potentially have issues if you joined the two of these too.

          Lets say you were hosting a copy of (say) jQuery. Then, you notice that Barclays have hotlinked it into their own site. If you now come along and stick a crypto-miner into that file, you're opening yourself up for a world of hurt.

          Particularly, as it's not really about who's in the legal right - defending a case could still break you financially, and well before you actually get to the point of vindicating yourself (if in fact, you managed).

          Particularly if the "victim" is someone large/with resources - if they perceive you've exploited their mistake to harm their customers, they may feel the need to "make an example".

          If you notice hot-linking, your best bet is just to block it, and not to start screwing around with what you're serving up.

          1. doublelayer Silver badge

            Re: Liability

            "Lets say you were hosting a copy of (say) jQuery. Then, you notice that Barclays have hotlinked it into their own site. If you now come along and stick a crypto-miner into that file, you're opening yourself up for a world of hurt."

            If I want to make a script on my page with a cryptominer, I am allowed to do so. If I call that file JQuery.js, I am allowed to do that. If I edit JQuery, I am allowed to do that (MIT license). So the only way they would have a legal claim is if I agreed to host it for them. Otherwise, I have never made any guarantee that the file would remain what they saw at one point. I can argue that I did not know they were linking to the file, and they would have no proof that I knew that. I can argue that they were violating my terms of service by linking to the file, and if I did edit my ToS accordingly I would have a better case than they would. I don't need to claim either of those things in order to have the right.

            The issue of a powerful place using legal might to harm people they don't like, even when they have no legal basis to their attacks, is accurate. However, it's also possible for them to do this for anything else. If they hotlinked to a file and I changed it to indicate they used without permission, they could get angry. If I blocked their request, they could similarly get angry. If they felt the need, they could have their lawyers sue me for breaking their service. However, if I blocked, edited to print a string, or edited to introduce a miner, I have the same rights to do what I have done and they have no basis to win the case.

            1. Ben Tasker Silver badge

              Re: Liability

              > So the only way they would have a legal claim is if I agreed to host it for them.... So the only way they would have a legal claim is if I agreed to host it for them.

              You seem far more focused on right and wrong than on reality.

              What you mean here, is *in your opinion* the only way they could win, is if you agreed to host it. Anyone can make a claim about *anything*, and it'll cost you to defend it if there's any possibility of it being found against you.

              If you host a file called "jquery.js", notice Barclays are hotlinking and deliberately change it to include a crypto-miner, then you're very likely going to end up paying to defend an action. It doesn't really matter if you would have won it if you go bust before you reach that point, does it?

              > I can argue that they were violating my terms of service by linking to the file,

              You can, but it's going to cost you money, time and stress to do so.

              > If they hotlinked to a file and I changed it to indicate they used without permission, they could get angry. If I blocked their request, they could similarly get angry. If they felt the need, they could have their lawyers sue me for breaking their service. However, if I blocked, edited to print a string, or edited to introduce a miner, I have the same rights to do what I have done

              The other side would argue that those are not the same thing. In fact, they'd argue that instead of introducing a miner, you could (and should) have blocked access, or even put a harmless change in to note it was being used without permission (as well as could have contacted them etc). Instead, you went for the path of most harm - and they'll claim that that was a wilful act and why you should have to make reparation.

              > I have the same rights to do what I have done and they have no basis to win the case.

              The very fact you've written "and they have no basis to win the case" strongly suggests you don't know how court cases *actually* proceed.

              You won't find a lawyer who'll tell you a case is a dead-cert - they'll tell you that you potentially have a strong case (or the claims *seem* without basis), but that *anything* can happen once you reach court, and it's impossible to predict outcomes. In fact, a good lawyer will probably advise you to try and settle the case.

              And all of this, is stuff that could be avoided by just not being a clever dick, and blocking access rather than willfully trying to screw up their users. There are an awful lot of things that you're allowed to do, that change with context and intent and suddenly aren't permitted.

              1. doublelayer Silver badge

                Re: Liability

                I do not claim that I am guaranteed a victory, or that they will accept one outcome over another. Any group with money can decide to use the law to cause pain to someone else. I am well aware of this. You are correct that I focused instead on right and wrong, or rather I concern myself with what is legal or illegal. To me, that was the relevant question, rather than what lawyers can do if they feel vindictive. Since lawyers can be used vindictively in a number of circumstances, it seemed to be supposition and rather useless supposition at that.

                Anything you did in this theoretical situation could cause a litigious organization to go after you. Introducing a cryptominer: "Causing harm to our users". Changing the script to write "The site you're using didn't code properly and is pulling data from another possibly insecure site": "Defaming the organization". Blocking the script, meaning the page doesn't load right: "Deliberately impeding the functioning of the system". And those are ignoring the high likelihood that they might try to argue that making any change counts as tampering with their computer system. The only solution unlikely to anger someone is to call them and request they change it back. Which will almost certainly anger nobody as you won't get anyone to answer your call.

                In a situation where I discover that someone's doing this, I'm not going to insert a cryptominer. I'm too lazy for that. It's not because I'm worried about their lawyers. As I see it, their lawyers are basically as likely to go after me no matter what I do.

                1. Anonymous South African Coward Silver badge

                  Re: Liability

                  An accidental delete star dot star?

                  "ach whoopsy, I dinna have any backup either..."

                2. Ben Tasker Silver badge

                  Re: Liability

                  > Introducing a cryptominer: "Causing harm to our users". Changing the script to write "The site you're using didn't code properly and is pulling data from another possibly insecure site": "Defaming the organization". Blocking the script, meaning the page doesn't load right: "Deliberately impeding the functioning of the system".

                  The difference is their perception of it, and the level of motivation each act gives for them to pursue it.

                  If you block the page and their site stops loading, they'll be a little embarrassed.

                  If they've had customers contact them complaining of high cpu/battery usage and they discover it's because you inserted a crypto-miner, then it may be they want your scalp to show their customers.

                  Sure, they could launch a case claiming you impeded their site by blocking the script, but they'd likely realise that they come off looking bad, plus they'd recognise you can robustly defend a decision not to serve something.

                  Someone mentioning "computer misuse act" and pointing out you've used their user's CPUs "with one of those scripts crooks use"? Joe average is going to be shocked if it comes out they let it pass.

                  > It's not because I'm worried about their lawyers. As I see it, their lawyers are basically as likely to go after me no matter what I do.

                  For avoidance of doubt, the correct solution to that feeling of rock-and-hard place is never to go for the path of most-harm, particularly if your only defence is "it's my file, I can edit whatever I want into it"

            2. c1ue

              Re: Liability

              Are you a lawyer?

              You're presenting legal arguments, but it is far from clear you actually are qualified or experienced.

              Proof of intent is not absolutely required - that's what Means, Motive and Opportunity is for.

              As owner of the site and script, you automatically have Means.

              Changing the script after the linking: unless you were particularly sneaky about it, the discovery process will show that you were, in fact, aware of who was linking. This can range from Chrome logs to the linker's logs. This constitutes Opportunity.

              And the fact that a cryptominer script was inserted = personal gain = Motive.

              IANAL but I do a lot of work involving cyber criminal forensics...

        2. Snorlax

          Re: Liability

          Intent, mens rea, is a key component in any potential case...

          Good luck proving intent.

          1. Ben Tasker Silver badge

            Re: Liability

            You might want to go and have a read of what the Computer Misuse Act says about Mens Rea and think about just what a broad brush that is ;)

        3. stiine Silver badge
          Devil

          Re: Liability

          What's the largest image online? Probably something at NASA JPL. Just link your linked image there.

        4. doublelayer Silver badge

          Re: Liability

          Yes, you can switch an image in such a way that you are in the wrong. It's not because you switched the image. It's because the image you switched to is illegal, meaning you are guilty of possessing an illegal image and of trying to distribute it. You can claim maliciousness on any switch, but the fact remains that it's not their image to retrieve. It does not matter what it was or what it switched to; they have no legal claim.

          For example, let's consider part of your comment:

          "unless you switched the file with malicious intent, meaning to cause harm, inconvenience, punishment."

          The most open of those words is inconvenience. The problem is that, although anything I change is inconvenient, they don't have any right to convenience on that basis. They are using my bandwidth without permission. It is similar to if they ran their corporate network off my WiFi from next door without permission. If I found out and changed the password, they would be inconvenienced. However, they would not have the right to recompense for that because the inconvenience they received was a direct result of their doing something they do not have a right to do. I did not guarantee that I would keep my WiFi up, nor did I guarantee that my server would stay up, nor did I guarantee that I wouldn't change files.

          The same argument applies to harm. If they connected a device to my WiFi that would cause harm if it lost network connection, and when I changed the password it did cause harm, that is not my responsibility. They exposed the victim to harm by making it rely on something they didn't have a right to use. That is, at the very least, negligence. I don't think most courts would stop there either.

        5. Mike 137 Silver badge

          Re: Liability

          "mens rea, is a key component in any potential case"

          Unless of course what your change does falls foul of the Computer Misuse Act, whereupon mens rea could be irrelevant as the offence may be strict liability - specifically crypto mining as that would probably be construed as changing the content of a computer system without authority.

    3. Snorlax

      Re: Liability

      Are you liable for what happens to the data of the visitors of the other site?

      Of course not.

      You had no idea that anybody was hotlinking to your site, did you?

      1. Anonymous Coward
        Anonymous Coward

        Re: Liability

        Pretty much this. You can't be held accountable for someone else's actions if you are entirely unaware of them.

        Someone was doing this to me once, they also ran a competing e-commerce store, they decided they liked my custom JS which worked perfectly for my store and did some nifty things.

        They didn't take into account a couple of things though:

        - My script was specific for my store

        - You need the corresponding custom PHP code in order for half the functions to work (API)

        - Their store will break in several places with that script.

        None the less, they were using it. I was amused when I attempted a few of the functions on their website and saw it simply fail (as expected).

        So, I simply moved the file repeatedly, they followed it for a while, but eventually gave up hotlinking as the file seemed to move daily and they only had access to the "min.js" version.

        Either way though, from a legal point of view they held no ground because I never agreed to host or provide this file as a service for their store. As such, never heard a thing from them.

    4. Ken Hagan Gold badge

      Re: Liability

      If so, then it would be possible for someone to maliciously hotlink to your site and then get you into trouble. That seems perverse, so I imagine that a court would let you off and instead suggest to the prosecutor that the hotlinker is the one who has violated the law by wilfully failing to maintain control over the processing of their own customers' data.

      But, as you can probably tell from my "That seems perverse, so..." sentence, IANAL.

  11. Anonymous Coward
    Anonymous Coward

    Wandering what effect this had on page load time - browsing the ‘barely warm’ archive is not exactly speedy. Mind you, given the parlours state of banks’ IT infrastructure it might represent a performance boost...

    1. logicalextreme Silver badge

      Aha! I think you might have nailed it. It's was their "go faster" button — just switch the link and watch the site speed up.

      Now they have to invent another one thanks to the party-poopers on Twitter with their whiny little snowflake concerns about "security" and "not putting a nonprofit organisation under unnecessary strain" and "doing things with even the barest semblance of quality".

      1. logicalextreme Silver badge

        It's was?! Definitely should have gone to bed a long time ago.

        1. Anonymous Coward
          Anonymous Coward

          Ditto my “wandering” and “parlours”. Oops.

  12. TRT Silver badge

    I've now got a hankering...

    to pop off for a Barclays myself.

  13. spellucci

    Good code control practice

    To be fair, the Internet Archive is especially designed for managing versions.

  14. Boris the Cockroach Silver badge

    This puzzles

    Me (as well as feeds my well founded paranoia about using on-line banking)

    Why can't the bank host all the scripts/data its website needs? Surely that's a more secure way of doing things than what seems like downloading random scripts from some archive.

    Download the scripts data to your testing servers, check them out... run the tests, shift to production.

    Or am I being too simple?

    1. Julz Silver badge

      Re: This puzzles

      That's not the Devops way.

    2. Steve Graham

      Re: This puzzles

      The archived script was hosted by the bank at some time, which is how it ended up in the archive.

      Maybe the current version on Barclays' own server broke some functionality which a "clever" developer got working again by using an older version. Hosted on some random machine on the internet.

      1. mathew42
        Facepalm

        Re: This puzzles

        I wonder if the issue was identified during a change window and this solution was the quick fix to avoid rolling back. It might just be that the approval for the proper fix hasn't gone through the change process.

      2. ComputerSays_noAbsolutelyNo

        Re: This puzzles

        Hmm, if someone could come up with a way, a piece of software if you like, to archive current and old versions of important scripts ... such that every git can get an old version back with a few commands without resorting to acts of desperation such as pulling the script from the WaybackMachine.

    3. Mike 137 Silver badge

      Re: This puzzles

      "Why can't the bank host all the scripts/data its website needs?"

      For the same reason that a well known security-related organisation distributed a supposed link to an important document by email, the link being to a local asset on the sender's private cloud. Of course nobody could use the link.

      The reason? Absence of thought and failure to verify. Nobody is paying sufficient attention even to realise they're not paying attention.

  15. volsano

    Tat for Tit

    Dear Bank Manager

    Thank you for reporting that an account fully managed by you in my name has become "overdrawn".

    I take our responsibility to protect the contents of your accounts extremely seriously and it is a top priority.

    I want to reassure my banker that their money was not at risk as a result of this error.

    Only a tiny minority of customer accounts are affected by this situation.

  16. DrXym Silver badge

    Banks shouldn't really use any CDN

    Make everything internal, take the minor hit on page load times / traffic and remove one potential attack vector.

    As for archive.org being the CDN - I expect some idiot release engineer or programmer just cut and pasted the url in without realising what they were doing.
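
An added example, not part of any comment in this thread and not Barclays' code: a build-time check that flags `<script>` tags loaded from a host outside an allowlist, over plain HTTP, or from an allowed third party without an `integrity` attribute. The hosts, the Wayback-style URL and the name `audit_scripts` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attr = {k: (v or "") for k, v in attrs}
            if attr.get("src"):
                self.scripts.append(attr)

def audit_scripts(html, page_url, allowed_hosts=()):
    """Return (resolved_url, reason) for each script that breaks the policy."""
    page_host = urlsplit(page_url).hostname
    trusted = {page_host, *(h.lower() for h in allowed_hosts)}
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for attr in collector.scripts:
        # Resolve relative and protocol-relative (//host/...) references.
        url = urljoin(page_url, attr["src"].strip())
        parts = urlsplit(url)
        host = parts.hostname or ""
        # Compare the parsed host, never a substring of the URL: an archive
        # URL carries the original site's hostname inside its path.
        if parts.scheme != "https":
            findings.append((url, "not loaded over https"))
        elif host not in trusted:
            findings.append((url, "host not on allowlist"))
        elif host != page_host and not attr.get("integrity"):
            findings.append((url, "third-party script without integrity attribute"))
    return findings

# Constructed sample page; hosts, paths and the integrity value are placeholders.
SAMPLE_PAGE = """
<script src="/static/app.js"></script>
<script src="//web.archive.org/web/2020/https://www.bank.example/static/old.js"></script>
<script src="https://cdn.bank-assets.example/lib.js"></script>
<script src="https://cdn.bank-assets.example/ui.js" integrity="sha384-PLACEHOLDER"></script>
<script src="http://www.bank.example/legacy.js"></script>
"""

if __name__ == "__main__":
    page = "https://www.bank.example/login"
    for url, why in audit_scripts(SAMPLE_PAGE, page, ["cdn.bank-assets.example"]):
        print(f"{why}: {url}")
```

Run against the rendered HTML of each release candidate, a non-empty result can fail the build before a hotlinked script reaches production.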

  17. matthewdjb

    It's really simple. Some drone from Cognizant/Infosys/Tech Mahindra or whatever muppet outfit they've outsourced to, googled for the resource, found it at the archive and used that. Because they're like that furniture retailer - Sofa Kingdom.

  18. USER100

    Banks are not secure but

    This sort of thing, and much worse, is probably rife. It's likely that cyber criminals are stealing vast sums of money, but if the banks went public they would only scare their customers, so instead they simply reimburse the money and no one is any the wiser.

    They are able to do this because they can basically 'magic up' money from thin air. That's the crazy truth at the heart of the banking system, which very few people seem to realise or maybe just can't bring themselves to believe.

    If you buy a house, you (would usually) borrow the money from a bank. The bank then presses some buttons on a computer. Over the years, you pay them back actual money. Ok, it didn't start out like that but that's how it works now (i.e. the money is all just numbers on computers). Despite all that, if they somehow do manage to go titsup, they get bailed out anyway, as they're 'too big to [be allowed to] fail'.

  19. Winkypop Silver badge
    Facepalm

    I've used the wayback machine a few times

    Client: "Oi, who removed XYZ.pdf from the website?"

    Me: Checks past job tickets, "you did, said it was to be deleted, no longer required"

    Client: "Well put it back, immediately!"

    Me: "Raise a new ticket and send me a copy of XYZ.pdf please"

    Client: "Haven't got a copy" (supposed to have backup in RM system)

    Me: "OK, leave it with me..."

    Hosted locally of course.

  20. Ochib

    wayback machine

    Who here secretly wants them to remove this file from their archive and watch the kaos unfold?

  21. Anonymous Coward
    Anonymous Coward

    Back to when they had good staff

    Maybe we shouldn’t laugh, but then again maybe they shouldn’t outsource the work.

    Still they could hire employees on “Zero Right Contracts” for real cheap now thanks to HMRC new regime.

  22. Steve the Cynic

    It gets worse

    By pulling it from the wayback machine, they've also made it so they can scupper the site themselves. See, there's a keyword in robots.txt that allows a site operator to block archiving. If you add it to an already-archived site, the WM blocks access to the entire archive of the site until you remove it.

    1. rmacd

      Re: It gets worse

      Not quite following what you're saying here.

      But if you're referring to Wayback blocking archiving depending on a site's robots.txt, as far as I know this 'feature' was removed in 2018.

  23. Anonymous South African Coward Silver badge

    This actually belongs in "Who, Me?".... from the programmer/developer's perspective...

    "so here we were, the Bossly Unit FUBAR'd our main Java store, and in a flash of inspiration, I checked on the Wayback Machine if they had a copy of our Java, and as luck would have it...."

    The rest, as they usually say, is history.

  24. Anonymous Coward
    Anonymous Coward

    Last week the Barclays Bank site stopped working properly with Waterfox Classic 2020.06 (64-bit). It would log in and show the general expected screen - except instead of account details there was a line of text saying "invalid request".

    A few minutes ago I tried again. It seems to accept the login details - then shows a totally blank page. With the indicated URL of https://bank.barclays.co.uk/olb/balances/PersonalFinancialSummary.action#/pfsactions

    Firefox 77.0.1 64-bit works OK.

    That's three suppliers now where various browsers won't render their pages usefully. Barclays, British Gas, BT. The latter was the worst as it took weeks to find a browser that would allow me to verify a change in the billing email address.

    1. Jou (Mxyzptlk) Bronze badge

      > Barclays, British Gas, BT. The latter was the worst as it took weeks to find a browser that would allow me to verify a change in the billing email address.

      Hammer it in marble. Three copies of course. That might make them listen.

      https://en.wikipedia.org/wiki/Asterix_and_the_Normans#Other_themes

  25. Anonymous Coward
    Facepalm

    I can sort of understand a possible chain of events that led to this:

    An emergency, need to roll back, don't understand the SCM or maybe it's down. I know: to the Wayback machine!

    But at that point, why not download it over the local copy?

    The real problem is why does that person have the authority to deploy to live?

  26. Screwed
    Joke

    How about Barclays making a decent donation to Wayback?
