Data not at risk?
How the fsck would he know?
Where does he bank again?
I'll need his account numbers, PIN and a sample of his signature to verify it.
Barclays Bank appears to have been using no less than the Internet Archive's Wayback Machine as a "content distribution network" to serve up a JavaScript file. The bizarre discovery was made by Twitter user @immunda, who discovered on Thursday that the British financial institution was calling JS from the Internet Archive. …
"3/ Use messagelabs and Agari so USA get all messages"
What's that based on? Messagelabs are a UK company, admittedly now owned by Symantec, but to my knowledge even before the buyout they had loads of servers within the UK (since that's where they started as part of Star Internet), plus others all around the globe. Guessing Symantec didn't just bin all that resource when they bought it.
Messagelabs are owned by Broadcom, a USA-based company, and their hosting is with AWS, a USA-based company that is subject to USA law. They might have had servers, but they simply rent now.
No matter what you call a server, if the logs and content are subject to USA law then your messages are.
says nothing of issues 1 and 2...
No, in this day and age you admit that a "very small percentage of our customers might have experienced some inconvenience". You then go on to say that, "we will be offering them credit monitoring options via Equifax" and "we reported this to the ICO within the 72 hour timescale permitted".
One thing that I'd actually considered was that they accidentally torpedoed their codebase one day and had to hurriedly reassemble it from whatever scraps they could find on devs' machines etc. (in this fantasy of mine they of course had no backups); and they'd had no luck finding some page code so had to go grab it from the internet archive, forgetting to change one of the script addresses in the rush. Weirder stuff has happened.
I want to cheer for their honesty - even if they missed a few words out:
We want [really really want even though we are unable] to reassure our customers that their data was not at risk as a result of this error. [Luckily we do not have to comment on all the other errors at this time]
If there is something to laugh or cry about it is how much I have lowered my expectations of what counts as an impressive amount of honesty.
"I wonder when "just lie and when caught, lie again" will become an acceptable method of business?"
It has been for decades - in fact it's the norm, alongside five-day PowerPoint and pub quiz "qualifications" that get the ignorant hired to positions of responsibility, "compliance" consisting of a bunch of crafted paperwork to fool auditors that don't investigate whether anything actually works, "risk assessment" methods that yield random nonsense, etc., etc.
We had the Stone Age, the Bronze Age and the Iron Age. We're now firmly in the Bullshit Age.
Let's just say posts by AManFromMars1 tend not to be the easiest to read, so the theory is they aren't really posts but some hidden data.
Perhaps AManFromMars1 is using El Reg posts as a gibberish words based numbers station via teh Interwebz.
Why do backups anyway?
According to leading scientists (*) every bit retains a memory of its previous states, allowing them to be retrieved when they are needed...
(*) these scientists don't have any clue about IT subjects, but they are leading scientists in their own fields.
Erm,
Years ago (before ZIP, ARJ and LZW), I wrote a compression utility that would compress any data down to a single byte. Unfortunately I never managed to complete a working decompression method though. Maybe I should resurrect that code now - anyone got a working Vic-20 I can borrow?
Retro Games will release a revamped Vic20 in October, so you won't have long to wait...
But it's their own code, the referral URL is from a stored capture of Barclays' own website as it was on June 1. So what's going on? Maybe someone is covering their own arse by linking to a file that no longer exists locally, deleted and all, and to ask to restore it would mean raising alarms. Or lazy and didn't want to upload it locally. Or possibly a superior no longer wanted the code in the active site, told the developer to remove it from the servers but Dev still wanted it in and a hyperlink doesn't raise suspicions?
Lots of ideas but we'll have to wait for the admission of guilt. If one ever comes.
Typical canned response by Barclays. I could imagine their email server having simple phrase recognition and sending that reply without any human intervention. It wouldn't surprise me if a third party offered that as a service. Just sign up and direct all emails to them and they will auto reply for you.
Pathetic.
I was once, late nineties, responsible for sending out a monthly newsletter for the organisation I worked for. This was a time when the contact list was just an Excel file and it involved copying the addresses into the BCC field of our usual email client. Either the server or the client (I forget which) couldn't handle more than a few hundred addresses, so it involved five or six batches of 250 addresses that I'd copy-paste into the BCC field. Among them personal addresses of cabinet ministers, captains of industry, two CEOs of major airports etc. etc. Needless to say, one or two batches were accidentally put into CC instead of BCC and within 20 minutes a shit storm came over us.
The response of my boss was one that I would never forget (and now practice myself). He made sure that from now on I was always responsible for the monthly email because if there was ever someone who would never make this mistake in the future, it would be me. And he was right.
Well, many businesses want someone's head because it's an easy way to make it look like they've done something: "The employee responsible was fired [and therefore the person who should have detected and prevented won't be]". But there's various times when it's the right response. I don't know how or why this particular error happened. However, if it was somehow done intentionally, it's a very obviously bad thing to do. Someone who decides to use a compromisable third party without any guarantee of security or functionality might not be the best coder out there.
Yes, there are lots of things that can fall into that bucket, but this is worse than most of them. For example, although pulling code directly from NPM is similarly dangerous, people at least expect that it happens and do some types of automatic security checks on new releases. Nobody's going to do that for the Internet Archive. Also, most places from which external scripts are retrieved at least expect that to happen and have made statements about keeping their server up. I don't think the Archive has ever indicated they are willing to be used as a CDN and they can delete files or edit them at any time without notice.
So, if you have a sufficiently worrying practice being intentionally used, you have to wonder whether you will catch them if they do something like that again. That isn't necessarily a reason to immediately fire someone, but if you have alternatives, and the current job market means you probably do, it's a thing worth considering. A good company won't fire people for honest accidents, but negligence or intentionally doing something stupid are potentially worth it.
Genuinely curious about the answer to this question, but let's say someone hot-links to a file on your site, and you change the file to do something that users of your site have consented to, but the hot-linked site has not, e.g. generically logging form data and keeping it for 30 days.
Are you liable for what happens to the data of the visitors of the other site?
If someone hot-links to content on your site, without your prior agreement, then they are fair game, and bear the responsibility.
I once had a government department website which linked to an image on one of my sites without my knowledge or consent. I only found out because the traffic levels suddenly shot up on my site.
So I changed the image to show the text "This image does not belong to <website> and they do not have permission to use it". It took over a month before they noticed and took it down.
I agree with you from a moral perspective (and the image example is nice and straightforward) but to take it a step further: if you were to show an inappropriate image, as much as it would be appearing on Barclays' website they are not actually the ones distributing it, the user's browser would be talking directly to your webserver.
If you are collecting data, isn't it the legal responsibility (GDPR and all that) of the organisation collecting the data to make sure they're only collecting what they should be? Yes, Barclays would be in breach of it by directing user traffic to you in the first place, but would that be enough of an excuse for you to not also be "in the wrong"?
If they have hotlinked to your site because you are providing them a service, then there is a terms of service document describing who is responsible and potential penalties in various situations. Under GDPR, your site would be a data processor and both you and the original site would need to ensure legal handling of the data provided to you. If you violated that, data protection authorities can go after you, even if it was through another site that the data came to you.
If they link to you without permission, then you are not responsible. Well, that depends--if you log information you know to be personal information when you know you have no right to it, data protection can still go after you. But for most other things, you don't have any responsibility. If you want to host scripts that nobody else would want on your site, you are allowed to do so. For example, cryptomining scripts are not illegal, so you can put them up if you wish. If someone decides to link to a file and you switch it to a different file, that's their problem. Any liability would be on them because their site, not yours, was the one deciding what the user gets, and it was their choice to include a script their users don't like.
If someone decides to link to a file and you switch it to a different file, that's their problem.
I'm in agreement with you on this, unless you switched the file with malicious intent, meaning to cause harm, inconvenience, punishment. Intent, mens rea, is a key component in any potential case against someone and would probably play a part here.
Swapping a linked image to something non-offensive is most likely okay; merely embarrassing rather than harmful. Move towards obscene language or a porn image and it's riskier, though mostly just offensive; kiddie porn and you're in a world of shit.
> For example, cryptomining scripts are not illegal, so you can put them up if you wish. If someone decides to link to a file and you switch it to a different file, that's their problem
I think you'd potentially have issues if you joined the two of these too.
Let's say you were hosting a copy of (say) jQuery. Then, you notice that Barclays have hotlinked it into their own site. If you now come along and stick a crypto-miner into that file, you're opening yourself up for a world of hurt.
Particularly, as it's not really about who's in the legal right - defending a case could still break you financially, and well before you actually get to the point of vindicating yourself (if in fact, you managed).
Particularly if the "victim" is someone large/with resources - if they perceive you've exploited their mistake to harm their customers, they may feel the need to "make an example".
If you notice hot-linking, your best bet is just to block it, and not to start screwing around with what you're serving up.
"Let's say you were hosting a copy of (say) jQuery. Then, you notice that Barclays have hotlinked it into their own site. If you now come along and stick a crypto-miner into that file, you're opening yourself up for a world of hurt."
If I want to make a script on my page with a cryptominer, I am allowed to do so. If I call that file JQuery.js, I am allowed to do that. If I edit JQuery, I am allowed to do that (MIT license). So the only way they would have a legal claim is if I agreed to host it for them. Otherwise, I have never made any guarantee that the file would remain what they saw at one point. I can argue that I did not know they were linking to the file, and they would have no proof that I knew that. I can argue that they were violating my terms of service by linking to the file, and if I did edit my ToS accordingly I would have a better case than they would. I don't need to claim either of those things in order to have the right.
The issue of a powerful place using legal might to harm people they don't like, even when they have no legal basis to their attacks, is accurate. However, it's also possible for them to do this for anything else. If they hotlinked to a file and I changed it to indicate they used without permission, they could get angry. If I blocked their request, they could similarly get angry. If they felt the need, they could have their lawyers sue me for breaking their service. However, if I blocked, edited to print a string, or edited to introduce a miner, I have the same rights to do what I have done and they have no basis to win the case.
> So the only way they would have a legal claim is if I agreed to host it for them.
You seem far more focused on right and wrong than on reality.
What you mean here, is *in your opinion* the only way they could win, is if you agreed to host it. Anyone can make a claim about *anything*, and it'll cost you to defend it if there's any possibility of it being found against you.
If you host a file called "jquery.js", notice Barclays are hotlinking and deliberately change it to include a crypto-miner, then you're very likely going to end up paying to defend an action. It doesn't really matter if you would have won it if you go bust before you reach that point, does it?
> I can argue that they were violating my terms of service by linking to the file,
You can, but it's going to cost you money, time and stress to do so.
> If they hotlinked to a file and I changed it to indicate they used without permission, they could get angry. If I blocked their request, they could similarly get angry. If they felt the need, they could have their lawyers sue me for breaking their service. However, if I blocked, edited to print a string, or edited to introduce a miner, I have the same rights to do what I have done
The other side would argue that those are not the same thing. In fact, they'd argue that instead of introducing a miner, you could (and should) have blocked access, or even put a harmless change in to note it was being used without permission (as well as could have contacted them etc). Instead, you went for the path of most harm - and they'll claim that that was a wilful act and why you should have to make reparation.
> I have the same rights to do what I have done and they have no basis to win the case.
The very fact you've written "and they have no basis to win the case" strongly suggests you don't know how court cases *actually* proceed.
You won't find a lawyer who'll tell you a case is a dead-cert - they'll tell you that you potentially have a strong case (or the claims *seem* without basis), but that *anything* can happen once you reach court, and it's impossible to predict outcomes. In fact, a good lawyer will probably advise you to try and settle the case.
And all of this, is stuff that could be avoided by just not being a clever dick, and blocking access rather than willfully trying to screw up their users. There are an awful lot of things that you're allowed to do, that change with context and intent and suddenly aren't permitted.
I do not claim that I am guaranteed a victory, or that they will accept one outcome over another. Any group with money can decide to use the law to cause pain to someone else. I am well aware of this. You are correct that I focused instead on right and wrong, or rather I concern myself with what is legal or illegal. To me, that was the relevant question, rather than what lawyers can do if they feel vindictive. Since lawyers can be used vindictively in a number of circumstances, it seemed to be supposition and rather useless supposition at that.
Anything you did in this theoretical situation could cause a litigious organization to go after you. Introducing a cryptominer: "Causing harm to our users". Changing the script to write "The site you're using didn't code properly and is pulling data from another possibly insecure site": "Defaming the organization". Blocking the script, meaning the page doesn't load right: "Deliberately impeding the functioning of the system". And those are ignoring the high likelihood that they might try to argue that making any change counts as tampering with their computer system. The only solution unlikely to anger someone is to call them and request they change it back. Which will almost certainly anger nobody as you won't get anyone to answer your call.
In a situation where I discover that someone's doing this, I'm not going to insert a cryptominer. I'm too lazy for that. It's not because I'm worried about their lawyers. As I see it, their lawyers are basically as likely to go after me no matter what I do.
> Introducing a cryptominer: "Causing harm to our users". Changing the script to write "The site you're using didn't code properly and is pulling data from another possibly insecure site": "Defaming the organization". Blocking the script, meaning the page doesn't load right: "Deliberately impeding the functioning of the system".
The difference is their perception of it, and the level of motivation each act gives for them to pursue it.
If you block the page and their site stops loading, they'll be a little embarrassed.
If they've had customers contact them complaining of high cpu/battery usage and they discover it's because you inserted a crypto-miner, then it may be they want your scalp to show their customers.
Sure, they could launch a case claiming you impeded their site by blocking the script, but they'd likely realise that they come off looking bad, plus they'd recognise you can robustly defend a decision not to serve something.
Someone mentioning "computer misuse act" and pointing out you've used their user's CPUs "with one of those scripts crooks use"? Joe average is going to be shocked if it comes out they let it pass.
> It's not because I'm worried about their lawyers. As I see it, their lawyers are basically as likely to go after me no matter what I do.
For avoidance of doubt, the correct solution to that feeling of rock-and-hard place is never to go for the path of most-harm, particularly if your only defence is "it's my file, I can edit whatever I want into it"
Are you a lawyer?
You're presenting legal arguments, but it is far from clear you actually are qualified or experienced.
Proof of intent is not absolutely required - that's what Means, Motive and Opportunity is for.
As owner of the site and script, you automatically have Means.
Changing the script after the linking: unless you were particularly sneaky about it, the discovery process will show that you were, in fact, aware of who was linking. This can range from Chrome logs to the linker's logs. This constitutes Opportunity.
And the fact that a cryptominer script was inserted = personal gain = Motive.
IANAL but I do a lot of work involving cyber criminal forensics...
Yes, you can switch an image in such a way that you are in the wrong. It's not because you switched the image. It's because the image you switched to is illegal, meaning you are guilty of possessing an illegal image and of trying to distribute it. You can claim maliciousness on any switch, but the fact remains that it's not their image to retrieve. It does not matter what it was or what it switched to; they have no legal claim.
For example, let's consider part of your comment:
"unless you switched the file with malicious intent, meaning to cause harm, inconvenience, punishment."
The most open of those words is inconvenience. The problem is that, although anything I change is inconvenient, they don't have any right to convenience on that basis. They are using my bandwidth without permission. It is similar to if they ran their corporate network off my WiFi from next door without permission. If I found out and changed the password, they would be inconvenienced. However, they would not have the right to recompense for that because the inconvenience they received was a direct result of their doing something they do not have a right to do. I did not guarantee that I would keep my WiFi up, nor did I guarantee that my server would stay up, nor did I guarantee that I wouldn't change files.
The same argument applies to harm. If they connected a device to my WiFi that would cause harm if it lost network connection, and when I changed the password it did cause harm, that is not my responsibility. They exposed the victim to harm by making it rely on something they didn't have a right to use. That is, at the very least, negligence. I don't think most courts would stop there either.
"mens rea, is a key component in any potential case"
Unless of course what your change does falls foul of the Computer Misuse Act, whereupon mens rea could be irrelevant as the offence may be strict liability - specifically crypto mining, as that would probably be construed as changing the content of a computer system without authority.
Pretty much this. You can't be held accountable for someone else's actions if you are entirely unaware of them.
Someone was doing this to me once, they also ran a competing e-commerce store, they decided they liked my custom JS which worked perfectly for my store and did some nifty things.
They didn't take into account a couple of things though:
- My script was specific for my store
- You need the corresponding custom PHP code in order for half the functions to work (API)
- Their store will break in several places with that script.
Nonetheless, they were using it. I was amused when I attempted a few of the functions on their website and saw it simply fail (as expected).
So, I simply moved the file repeatedly, they followed it for a while, but eventually gave up hotlinking as the file seemed to move daily and they only had access to the "min.js" version.
Either way though, from a legal point of view they held no ground because I never agreed to host or provide this file as a service for their store. As such, never heard a thing from them.
If so, then it would be possible for someone to maliciously hotlink to your site and then get you into trouble. That seems perverse, so I imagine that a court would let you off and instead suggest to the prosecutor that the hotlinker is the one who has violated the law by wilfully failing to maintain control over the processing of their own customers' data.
But, as you can probably tell from my "That seems perverse, so..." sentence, IANAL.
Aha! I think you might have nailed it. It was their "go faster" button — just switch the link and watch the site speed up.
Now they have to invent another one thanks to the party-poopers on Twitter with their whiny little snowflake concerns about "security" and "not putting a nonprofit organisation under unnecessary strain" and "doing things with even the barest semblance of quality".
Me (as well as feeding my well-founded paranoia about using online banking)
Why can't the bank host all the scripts/data its website needs? Surely that's a more secure way of doing things than what seems like downloading random scripts from some archive.
Download the scripts/data to your testing servers, check them out... run the tests, shift to production.
Or am I being too simple ?
The archived script was hosted by the bank at some time, which is how it ended up in the archive.
Maybe the current version on Barclays' own server broke some functionality which a "clever" developer got working again by using an older version. Hosted on some random machine on the internet.
Hmm, if someone could come up with a way, a piece of software if you like, to archive current and old versions of important scripts ... such that every git can get an old version back with a few commands without resorting to acts of desperation such as pulling the script from the WaybackMachine.
"Why cant the bank host all the scripts/data its website needs?"
For the same reason that a well known security-related organisation distributed a supposed link to an important document by email, the link being to a local asset on the sender's private cloud. Of course nobody could use the link.
The reason? Absence of thought and failure to verify. Nobody is paying sufficient attention even to realise they're not paying attention.
Dear Bank Manager
Thank you for reporting that an account fully managed by you in my name has become "overdrawn".
I take our responsibility to protect the contents of your accounts extremely seriously and it is a top priority.
I want to reassure my banker that their money was not at risk as a result of this error.
Only a tiny minority of customer accounts are affected by this situation.
Make everything internal, take the minor hit on page load times / traffic and remove one potential attack vector.
As for archive.org being the CDN - I expect some idiot release engineer or programmer just cut and pasted the url in without realising what they were doing.
This sort of thing, and much worse, is probably rife. It's likely that cyber criminals are stealing vast sums of money, but if the banks went public they would only scare their customers, so instead they simply reimburse the money and no one is any the wiser.
They are able to do this because they can basically 'magic up' money from thin air. That's the crazy truth at the heart of the banking system, which very few people seem to realise or maybe just can't bring themselves to believe.
If you buy a house, you (would usually) borrow the money from a bank. The bank then presses some buttons on a computer. Over the years, you pay them back actual money. Ok, it didn't start out like that but that's how it works now (i.e. the money is all just numbers on computers). Despite all that, if they somehow do manage to go titsup, they get bailed out anyway, as they're 'too big to [be allowed to] fail'.
Client: "Oi, who removed XYZ.pdf from the website?"
Me: Checks past job tickets, "you did, said it was to be deleted, no longer required"
Client: "Well put it back, immediately!"
Me: "Raise a new ticket and send me a copy of XYZ.pdf please"
Client: "Haven't got a copy" (supposed to have backup in RM system)
Me: "OK, leave it with me..."
Hosted locally of course.
By pulling it from the wayback machine, they've also made it so they can scupper the site themselves. See, there's a keyword in robots.txt that allows a site operator to block archiving. If you add it to an already-archived site, the WM blocks access to the entire archive of the site until you remove it.
This actually belongs in "Who, Me?".... from the programmer/developer's perspective...
"so here we were, the Bossly Unit FUBAR'd our main Java store, and in a flash of inspiration, I checked on the Wayback Machine if they had a copy of our Java, and as luck would have it...."
The rest, as they usually say, is history.
Last week the Barclays Bank site stopped working properly with WaterFox Classic 2020.06 (64-bit). It would log in and show the general expected screen - except instead of account details there was a line of text saying "invalid request".
A few minutes ago I tried again. It seems to accept the login details - then shows a totally blank page. With the indicated URL of https://bank.barclays.co.uk/olb/balances/PersonalFinancialSummary.action#/pfsactions
Firefox 77.0.1 64-bit works OK.
That's three suppliers now where various browsers won't render their pages usefully. Barclays, British Gas, BT. The latter was the worst as it took weeks to find a browser that would allow me to verify a change in the billing email address.
> Barclays, British Gas, BT. The latter was the worst as it took weeks to find a browser that would allow me to verify a change in the billing email address.
Hammer it in marble. Three copies of course. That might make them listen.
https://en.wikipedia.org/wiki/Asterix_and_the_Normans#Other_themes
I can sort of understand a possible chain of events that led to this:
An emergency, need to roll back, don't understand the SCM or maybe it's down. I know: to the Wayback machine!
But at that point, why not download it over the local copy?
The real problem is why does that person have the authority to deploy to live?