NHS-backed org reacted to GitHub leak disclosure with legal threats and police call, complains IT pro

IT pro Rob Dyke says an NHS-backed company not only threatened him with legal action after he flagged up an exposed GitHub repository containing credentials and insecure code, it even called the police on him. Dyke, who has previously appeared in this organ, in March said he received letters from lawyers representing the …

  1. Zippy´s Sausage Factory
    Meh

    I have a feeling that some investors might interpret this as management incompetence, and a misuse of company funds summoning lawyers to cover up their incompetence.

    For the benefit of any lawyers listening, I'd like to point out that I am not investor in said company, so such thoughts could not possibly cross my mind, but I can easily imagine there are some corporate entities less charitable than I am that might take that view.

    1. Chris G

      They probably don't have any investors as they are a not for profit but it may put others off of the notion of dealing with them in any way.

      I would be reluctant to engage a company that appears to attempt to cover its own inadequacy by taking legal action against whoever pointed out said inadequacy.

      As an NFP whose money were they using to pay for their lawyers?

      1. Anonymous Coward

        Wouldn't an NFP not care too much if they run up a legal bill within their funding model of "as long as we don't make a profit"?

        Or is that my simplistic view on it ?

        That wasn't sarcasm btw, but if they publish accounts it's just another cost and they might always have legal cost lines in there because they always react like this to any negative news.

        1. General Purpose

          Not-for-profit basically means you're not for the benefit of shareholders. It doesn't mean you don't want to make a surplus to develop the organisation, repay loans or build up reserves.

          It certainly doesn't mean you've got an unlimited supply of money for paying lawyers. If anything, you're more constrained because you can't opt to pay a smaller dividend this year. Worst case, you're going to have to cut back operations or cancel plans.

        2. Doctor Syntax Silver badge

          Not for profits might not make profits but they can make a surplus.

          They will be funded by somebody. It might be membership if it's something like a user group. It might be by offering services. It might be by some corporate with an interest in what it does - again, a user group is an example, having seen that from the inside, as it were. In this case TFA suggests it might be the NHS.

          It's worth remembering that the salaries, however large, paid to officers and staff and payments to outsourced management do not count as profits.

          1. Eclectic Man Silver badge

            'Top Secret info found on train'

            Several years ago someone found a document marked "TOP SECRET STRAP 2" on a train out of London (or into London, I forget which). This was a genuine document detailing UK anti-terrorist information. The person took it anonymously to the BBC and handed it into them. Other documents were handed in to the Independent newspaper.

            http://news.bbc.co.uk/1/hi/uk/7455084.stm

            So maybe news organisations such as the BBC or the Register are the best intermediary?

          2. Anonymous Coward

            "Not for profits might not make profits but they can make a surplus."

            A reminder of the Nominet story The Register has covered at some length, the "not profit" excess of income over expenditure is used to line the pockets of senior "management".

            Does that apply in the case of Apperta?

      2. Ochib

        I think the answer to the question "whose money" is our money, via the Dept of Health

        1. Rob Dyke

          Apperta, for those that don't know, was created by NHS England in 2015 and given £500k to support open source projects. At the time Peter Coates, NHS England's Open Source Programme Manager and now a Director of Apperta, told Digital Health News that Apperta would: 'be fully transparent, with information published online regarding where money has come from and where it has gone.'

          See https://www.digitalhealth.net/2015/06/open-source-super-cic-created/

          For some reason NHS England don't want to talk about the funding granted to Apperta: https://www.whatdotheyknow.com/request/the_apperta_foundation_cic_3

          1. Lilly Dillon

            I smell a rat here.....

            Curious.....

            Looking at your FOI request, I see that it was submitted by an Andrew Roberts who you have admitted to being. (that's ethical, right?) Mr Roberts seems to have quite an interest in the financial dealings of Apperta. I did a little digging here (something that the majority of your "supporters" have either been unwilling to do or too trusting to do). There are multiple requests that he has made over the last 2 or so years.

            https://www.whatdotheyknow.com/user/andrew_roberts_3

            Doesn't this seem odd when we move forward to the present and you suddenly find yourself in a legal bind with Apperta over access to their financial data, that you then refused to delete? I have followed this story with interest and seen mention of Apperta's alleged "vendetta" against you, however, it feels to me that this "vendetta" may originate from you and that you got caught with your fingers in the cookie jar so-to-speak.

            Hmm, and a gofundme too? Amazing how fools and their cash are easily parted when they hear a well spun fairy story.

            1. This post has been deleted by its author

            2. Doctor Syntax Silver badge

              Re: I smell a rat here.....

              So do I. First post, I see.

              1. sev.monster Silver badge
                Joke

                Re: I smell a rat here.....

                This just in, newposter found to be employee of Apperta, news at 11...

                1. Rob Dyke

                  Re: I smell a rat here.....

                  I love the Grifters reference btw, nice one.

                2. Lilly Dillon

                  Re: I smell a rat here.....

                  Oh, so a femaie has an opinion you don't like and she's automatically an imposter? Wow......misogyny is alive and well here. That's no joke... I'll just shuffle on back to the kitchen then, watch this farce play out at a distance and no longer worry my pretty little head about what's right or wrong here.

                  1. John Brown (no body) Silver badge

                    Re: I smell a rat here.....

                    "Oh, so a femaie has an opinion you don't like and she's automatically an imposter?"

                    Since you are new here, at least as a poster, maybe we can forgive you for not realising that there are quite a number of females posting comments, at least some of whom have been posting here for years. In general, they treat everyone based on what they post and in turn are treated the same by the male posters (and those who may not identify as male or female, some may choose to identify as dogs or cats. No one can tell who is who on the interwebs). What you say matters, not who you are or which name you post under.

                    1. sev.monster Silver badge
                      Coat

                      Re: I smell a rat here.....

                      I personally don't give a hoot what someone's gender, sex, dangly bits, or grey matter consist of. If your post is good and the banter is fun then I have no complaints. The person that jumps to the conclusion that something is somehow about gender or race is, in my experience, usually the sexist or racist one in the room...

                      In particular I find it funny that Lilly is assuming that we are assuming their gender, when it was never stated. Assuming "Lilly" is a feminine name is quite offensive for those following the latest in gender theory and politics, right?

                      Also, keep in mind, dear Lilly is not a female, they are femaie. They also did not state their pronouns so do not use "she" unless you are told otherwise! You might hurt them! Don't misgender!!

                  2. low_resolution_foxxes

                    Re: I smell a rat here.....

                    Curious Lilly automatically went for the "so a woman has an opinion.. Blah blah misogyny" route. It was out of context for the responses so far I can read, which also suggests the individual felt caught out with the sock puppet account and wishes to shut down legitimate debate by pulling the old "you're all sexist oppressing me" card. No they were not.

                    To me, this is either manipulative and/or narcissistic behaviour. You can read a lot into someone's mind by reading the words they use.

                  3. Rustbucket

                    Re: I smell a rat here.....

                    Who says you're a female?

                    "On the internet no one knows that you're a dog."

                  4. sev.monster Silver badge

                    Re: I smell a rat here.....

                    FOI requests are there to ensure companies uphold their integrity and dedication to their customers and users, by ensuring that those customers and users are able to inquire about the operations of that company. If the dude wants to ask questions, then what is the harm? If you have legitimate concerns about how the situation was handled, take your evidence to the courts. Otherwise, it's just pointless libel.

                    In any case, it isn't his fault that Apperta left their private repos published in the open on a third-party site. And if he really wanted to do something nefarious, wouldn't it be smarter to... y'know, not admit to keeping the data??

              2. Lilly Dillon

                Re: I smell a rat here.....

                Everyone has to start somewhere, darling :),

                1. Rob Dyke

                  Re: I smell a rat here.....

                  sev.monster is non-discriminatory and pro-equality.

                  sev.monster addresses EVERY first poster like that.

                  sev.monster has a Bronze badge for service.

                  1. sev.monster Silver badge
                    Pint

                    Re: I smell a rat here.....

                    You're god-damn right. Keep up the good work. -------->

            3. Rob Dyke

              Re: I smell a rat here.....

              I told Apperta about the repos promptly after I found them.

              I immediately deleted the repos after being contacted by the lawyers.

              I also provided an inventory of the screenshots and notes made to produce the disclosure.

            4. low_resolution_foxxes

              Re: I smell a rat here.....

              I'm confused. What are you suggesting? What was his interest in apperta

            5. David Glasgow

              Re: I smell a rat here.....

              Most folks smell a company that has shat in its own shoes. Most folks also know that changing isn't enough. It is also important to stop shitting.

      3. Zippy´s Sausage Factory

        I'd totally missed they were an NFP. Clearly I was running a caffeine deficiency that morning.

    2. Caveat Emptor

      Conversely, it is a simple case of company got sick of bitter ex-comrade publicly bitching at them for the last few years and decided enough was enough. Some people might even admire Apperta for taking clear action to stop an ongoing unpleasant situation.

      I've only seen Dyke's carefully curated screen caps of the legal documents he received and legal fees paid, but none indicated legal action was ever taken against him. Apperta's legal documents have draft written on them and are not stamped as court submissions. They appear to have been provided in terms of showing what court submissions would be made if Dyke would not agree to guaranteeing he had deleted the information he had oddly chosen to keep. He's now agreed to that, so legal action won't start.

      Dyke did something silly, with a company he has history doing silly things to. They asked him to stop. He panicked then agreed to stop.

      1. Rob Dyke

        Greetings and welcome to The Register forums.

        I have redacted some screenshots, yes.

        "They appear to have been provided in terms of showing what court submissions would be made if Dyke would not agree to guaranteeing he had deleted the information he had oddly chosen to keep."

        Someone approved the expense and effort in producing 177 pages of evidence, 16 pages of witness statements and 3 court filings despite already having been offered many many confirmations of what I had deleted.

      2. John Brown (no body) Silver badge

        This really doesn't seem to be the sort of story to suddenly attract readers to sign up to be able to post and comment on. It's not a huge story. And yet there seem to be people who joined up in the last 12 hours or so just to comment on this one story, in defence of Apperta. I'm not seeing a sudden influx of new posters for the "other side".

        1. Intractable Potsherd

          Yes, there is something definitely a bit odd going on.

        2. low_resolution_foxxes

          Yeah, the signs are management, legal or PR teams trying to spin a narrative.

          Honestly sounds like clowns all around, if all they want is their data deleted (they are an NHS org, I can understand they can't let it continue to be public, but perhaps they could have communicated that better?).

          Gofundme's for legal aid make me groan, it's a new thing that the lawyers have adopted enthusiastically. A literal "win win" for client and £200ph lawyerbot.

          1. This post has been deleted by its author

        3. Robert Carnegie Silver badge

          Apparently both sides are commenting on the story, which is of interest to them. I prefer that someone who works for Appertas says so, whether they follow the company line or think they're collectively idiots. Either is unlikely to be welcomed by the employer when not an authorised statement, so pseudonymity is reasonable and doesn't seem to be minded here where "A Man From Mars" appears to be a relatively reasonable voice (but in fact is as mad as a box of frogs).

          An enterprise leaking public individuals' data or its own is a frequent news story at The Register, if it is even news.

          I recently refreshed my BBC forum account where use of your real name is actively discouraged, as is, implicitly, mentioning in public what pseudonym is really yours. So I resist the urge to boast about mine. My name here is my actual name. However, there is more of it than I've revealed.

          Of course, company managers and others who want to identify an anonymous correspondent here can also do that by scientifically comparing the writing word choices to those of people that work for them. So... try not to be recognisable.

  2. Rameses Niblick the Third Kerplunk Kerplunk Whoops Where's My Thribble?

    I have to say I'm somewhat unclear as to why he felt the need to keep a copy of the exposed data once it was apparent they'd fixed the issue? After all this seems to have been the only problem with the process and where everything else came from.

    Not taking sides, I'm just hoping someone can clear this up for me.

    1. Sam Crawley

      I get the impression (just from what's in the story) he held on to the copy temporarily in case they simply denied it happened and accused him of making it all up.

      1. Gordon 10

        AND so what if they do? If you are worried about that you send a parallel disclosure to the relevant authorities.

        1. Rob Dyke

          Retained materials

          I told Apperta I had a copy of the repos (encrypted). I deleted the repos when contacted by lawyers.

          I retained the PDF of the security disclosure(s) as a record - with screenshots heavily redacted. I later deleted those and provided confirmation of the same.

        2. Wayland

          Relevant Authorities? If he has loyalty to his old firm and he is trying to keep them out of trouble then bringing in 'authorities' is the same as dobbing them in. He was trying to be honorable (which turns out to be a mistake) but if he had sent a copy to the 'authorities' should he have asked his old firm first or told them or simply done it in secret?

      2. Rob Dyke

        one hundred percent

        (The post is required, and must contain letters.)

    2. Gordon 10
      Facepalm

      I'm still unclear on why he needed to keep ANY data other than a couple of screenshots.

      Using the leaked creds once is technically unauthorised access even if just checking they work. Using them to exfiltrate data (which is what appears to have happened) goes way beyond the pale regardless of how well intentioned he might have been.

      I do think from a techie point of view the company over-reacted but that's just human nature and security "researchers" should be aware and prepared for this.

      FWIW I think the guy went from White Hat to Grey Hat when he stopped confining his work to disclosing the hole, and instead appears to have appropriated the data as "evidence" either to avoid the company covering it up, or for academic curiosity. It wasn't his job to investigate the extent of the breach.

      Regardless of how egregious the hole discovered, making moral judgements about a company's response or potential response is out of the scope of White Hattery and emotionally and corporately naive. You shouldn't be doing this activity for anything more than your own satisfaction, and should not be expecting anything more than a grudging acknowledgement and cover up, and if such a thing occurs - unless that breaks a local disclosure law - you don't get to judge.

      1. Rob Dyke

        At no point did I reuse any credentials.

        The portal code allowed registration of new accounts (served over HTTP). This has been independently verified.

        The financial records were in the repo. There was also a third-party SaaS product that had been configured with public read access. The URLs for the SaaS product were in the repo.

        No credential use was necessary.

    3. Boris the Cockroach Silver badge

      More likely is the case

      "I've just found a glaring security hole in e-crappo's discount data storage service.... here's how I did it, heres the data"

      And you store that e.mail (and data) to prove el-crappos is exactly what it says on the tin and to have a reasonable defence in case el-crappo turns around and tells the police

      "he a l33t h4XX0r and hacked our database.... "

      The guy can turn around and say "The root account was 'Admin" and the password was "1234" and it allowed logins from where ever instead of a white list of allowed IP addresses" and heres the proof (and emails I sent them)

      1. Rob Dyke

        close

        If there was badly written code, in, for example, a Registration Form calling the RegistrationController@create(), this would allow someone to create a new user account, login and elevate privileges.
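The registration weakness described in the post above (a form handler that lets a self-registered account end up with elevated privileges) as an added example in Python. This is not code from the thread, from Apperta, or from any Apperta repository; the handler names, the "role" field, the in-memory user stores and the request body are all assumed for illustration. It puts the mass-assignment shape beside an allow-listed handler that keeps the role server-assigned and rejects, rather than silently drops, unexpected fields, which also gives defenders a loggable signal.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class User:
    email: str
    password_hash: str
    role: str = "user"  # default privilege level for self-registered accounts


# Hypothetical in-memory user stores, one per handler, so the two variants can be
# compared side by side. Constructed for this example; no real application uses them.
USERS_VULNERABLE: dict = {}
USERS_HARDENED: dict = {}

# Fields a self-service registration form is allowed to supply. Everything else,
# in particular "role", is decided by the server.
REGISTRATION_FIELDS = {"email", "password"}


def hash_password(password: str) -> str:
    """Salted PBKDF2 so a leaked user table does not hand out reusable passwords."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


def register_vulnerable(payload: dict) -> User:
    """Mass assignment: every key the client sends becomes an attribute on the account.

    A request body of {"email": ..., "password": ..., "role": "admin"} therefore
    creates an administrator. This is the 'badly written registration code' shape.
    """
    user = User(email=payload["email"], password_hash=hash_password(payload["password"]))
    for key, value in payload.items():
        if key not in ("email", "password"):
            setattr(user, key, value)  # trusts a client-controlled "role"
    USERS_VULNERABLE[user.email] = user
    return user


def register_hardened(payload: dict) -> User:
    """Allow-list the writable fields and refuse anything else.

    A client sending "role" in a registration request is worth alerting on, so the
    rejection carries the offending field names for the application log.
    """
    unexpected = set(payload) - REGISTRATION_FIELDS
    if unexpected:
        raise ValueError(f"unexpected registration fields: {sorted(unexpected)}")
    missing = REGISTRATION_FIELDS - set(payload)
    if missing:
        raise ValueError(f"missing registration fields: {sorted(missing)}")
    user = User(email=payload["email"], password_hash=hash_password(payload["password"]))
    USERS_HARDENED[user.email] = user  # role stays at the server-side default
    return user


def is_admin(store: dict, email: str) -> bool:
    """What an authorisation check later in the application would see for this account."""
    user = store.get(email)
    return user is not None and user.role == "admin"


if __name__ == "__main__":
    # Constructed request body: a normal sign-up that also smuggles in a "role" field.
    body = {"email": "new.user@example.test", "password": "correct horse", "role": "admin"}

    created = register_vulnerable(dict(body))
    print("vulnerable handler gave role:", created.role)  # admin
    print("is_admin:", is_admin(USERS_VULNERABLE, body["email"]))  # True

    try:
        register_hardened(dict(body))
    except ValueError as exc:
        print("hardened handler rejected request:", exc)

    ok = register_hardened({"email": "other@example.test", "password": "correct horse"})
    print("hardened handler gave role:", ok.role)  # user
```

The point of the hardened variant is that privilege is never an input: the only way an account becomes an administrator is through a separate, authorised, server-side change, and a registration request that tries to set it is treated as a reportable anomaly rather than quietly ignored.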

    4. teknopaul

      This is the point entirely: he found a door open, informed the owner it was open, who promptly shut it.

      Should be end of story but..

      In the meantime he nipped in and took photographs of everything he could see.

      Now he tries to tell people he didn't do that to prove to himself and his mates that he was there. I don't believe that. It is a standard hacker habit to take something to prove that you were there.

      "I wanted to see if you had any unlocked safes in the room I found open" is no defense.

      Each country needs a responsible disclosure office. InfoSec bods should have the right to responsibly disclose to the owner and the arbitrator, and no one else.

      Taking stuff from behind an open door is still theft.

      1. Rob Dyke

        I do like your thinking @teknopaul

        According to Apperta's information security policy that I committed to uphold back in 2017, it was my responsibility to alert the Apperta Foundation that I suspected there had been a security breach and to *provide as much information as possible (including the date, time, application) to enable the Foundation to investigate and take appropriate counter-measures*.

        Although no longer a subcommittee member, I followed the procedure and provided as much information as possible about what looked to be a security breach.

      2. onumart

        Why not use CERT as responsible disclosure office?

        I understand that they have more important work to do .. but they have all necessary competences.

    5. Anonymous Coward

      All I can say is ffs

      massive overreaction to being told you have left the keys to the front door under the flowerpot by the front door. Has the Wayback Machine been told to delete its copy?

      Not surprised usual quality of NHS management (back stabbing suspicious minded ladder climbing shit weasels) means the IT bosses qualifications usually comprise of comprehending 60% of the plot to war games, sneakers, hackers or swordfish (unfortunately the 40% they don't grok is the bit rooted closer to reality if you squint)

      As for why keep the data/repo: simple, it's called evidence; as it's git, the history would prove permissions changes, committing author etc. Sure it shouldn't have been made public, but it was made public (probably jnr dev rattled out stack overflow php copy pasta, and wasn't important enough to get the purchase order for a private repo through). This is like claiming theft because you found a wallet and opened it to try and identify the owner, taking photos to prove the state you found it in, returning the wallet then being told to delete the photos which prove you have returned it as found because they think you must have stolen from it and the contents of the wallet are private.

      NHS and IT makes you wannacry how they have learnt nothing

    6. Wayland

      Keeping a copy of the data securely was very wise. Telling them so was asking for trouble. If the purpose of keeping the data was an insurance against trouble Rob Dyke blew it.

    7. Anonymous Coward

      @"why he felt the need to keep a copy"

      Simply because of lawyers/solicitors.

      Not keeping evidence to prove your facts leaves you open to accusations of making it all up, trolling etc and in light of the new laws created to silence whistle blowers and limit freedom of information was exactly what I would have done in the author's place

      Given how the company (manager) published this on the web and now wants to bully those that brought their failure to their attention via legal threats suggests to me that keeping a copy was both prudent and reasonable as the sharks IMHO have been in the water since NFP was notified.

      That this NFP is wasting money on shysters is annoying given their funds were redirected from NHS and sick people and given that this is not the first time that NHS leeches have screwed up their security.

  3. Adair Silver badge

    'Someone in Dyke’s position in future may be better off asking a trusted organisation or confidante to disclose a security hole on his behalf rather than doing it personally, ...'

    This seems the key bit of good sense. Is there/are there already 'official' bodies willing/able to take this role formally, so that everyone knows where to go, and things are handled reliably and consistently?

    1. Anonymous Coward

      I'm sure St Julian would oblige, if it came with an opportunity to be a publicity whore.

    2. Anonymous Coward

      I think in this case there probably were channels available via national NHS tech organisations e.g. NHS Digital.

      How easy those are to find and engage with are maybe a different story.

    3. Wayland

      Trusted bodies? Yeah right. You can't even trust the people you're helping so why should you trust one of the cover up agencies? Talk about wet behind the ears. This is a division of the NHS, the most sacred of all our institutions, beyond criticism and must be worshipped on Thursday nights. The loyalty of NHS staff is beyond reproach, their loyalty is to the NHS and screw the patients. Same goes for any threat even to the feelings of this corporate conglomerate. Every part of the NHS is on full defensive alert, shields are up. The trusted bodies are allies of the NHS.

  4. tiggity Silver badge

    Don't shoot the messenger

    When companies do this, it sends a bad message to people who do the right thing & responsibly report vulnerabilities.

    .. especially when lots of companies don't offer bug bounties, or they are pitifully small (compared to what's on offer from the "bad guys" for decent exploits (this one sounded like it was a real "keys of the kingdom" exposure)) so doing the right thing is usually a matter of being a good citizen; it typically is a less financially attractive option than going the dark side route.

    1. Cliffwilliams44 Silver badge

      Re: Don't shoot the messenger

      Lawyers will always shoot the messenger!

  5. Peter Prof Fox
    Trollface

    Learn from the ransomware bods...

    Step 1 : Find security cockup (Document but don't retain data.)

    Step 2 : Inform lax organisation "I've found a whopping hole in your system. £5,000 for more info."

    1. Rob Dyke

      Re: Learn from the ransomware bods...

      Although Apperta and I have not always seen things the same way, I had no desire to embarrass them or exploit the GitHub leak or the open access financial reports published via Zoho.

      I sent a quiet advisory. I didn't name them when I started to speak about the legal threats received in March. I only named Apperta after they decided to report this sorry circumstance to the police.

      1. Pascal Monett Silver badge

        My 2 cents

        Stop bothering with Apperta.

        Let them fuck up as large as they feel they can't be bothered to care.

        1. Wayland

          Re: My 2 cents

          They are part of the NHS so let's hope they go broke along with the rest of the steaming pile of shit that is our health system.

      2. Anonymous Coward

        Re: Learn from the ransomware bods...

        @Rob Dyke

        I agree with you in general but he kept a copy of the info. We would also have reported him for that reason only.

        Just because if I am stupid enough to leave a door to my house wide open, it does not give anyone the right to take stuff does it?

        1. eionmac

          Re: Learn from the ransomware bods...

          Um! House door and software are very different fish.

          I pinch your chair. (No chair left for you to use, sole unique thing)

          I copy a publicly accessible data stream, also in archive files. Very different. You made it available. No theft, you still have the original data.

          Just your carelessness, of a very different thing from a house door.

          1. Anonymous Coward

            Re: Learn from the ransomware bods...

            Let's try a different analogy. Instead of taking the chair I let myself in and read your bank statements, any personal letters, and your diary? I then take photographs.

            You still have access to them but your privacy was needlessly violated.

            The correct action is to advise the company that they made a mistake and give them the directions to show how they can verify your statement. You do not need to download a copy of the data and tell the company that you are keeping that data for 90 days.

            If he'd deleted the data when asked there would not have been any problem. However, it took court action for him to do so.

            1. dajames

              Re: Learn from the ransomware bods...

              You do not need to download a copy of the data and tell the company that you are keeping that data for 90 days.

              No ... because you could copy the data and say nothing.

              Methinks Rob Dyke should perhaps be commended for his honesty and openness.

            2. Adrian 4

              Re: Learn from the ransomware bods...

              It's normal to keep records of an action for some months in order to ensure it is completely over. There is even a fixed (minimum) time for financial records, and it's a lot longer than that.

              If he were trying to steal the data, he wouldn't have told you he had a copy.

              If he had only kept screenshots, how could he prove what else he had had temporary access to?

              What if you came back in a few months and accused him of stealing and using some data, and there was ambiguity over whether it was in the repository ?

    2. Anonymous Coward

      Re: Learn from the ransomware bods...

      @Peter Prof Fox

      Step 2 Inform us "I've found a whopping hole in your system. £5,000 for more info."

      Our response "Thanks for telling us, we will find it ourselves now we are aware. Your 5,000 quid? Fuck off. We don't respond well to blackmail"

      1. Brewster's Angle Grinder Silver badge
        Pirate

        £5000 all in? Cheaper than £7000/day!

        It's not blackmail. Such a distasteful word. No, I am a legitimate security consultant and that is merely my proposed consultation fee to ensure you have properly found and fixed the issue.

        Blackmail would be if I threatened to leak details to hackers unless I was engaged as a consultant. Which, to be clear, I am absolutely 100% in no way threatening to do.

        [Ref for title https://news.sky.com/story/coronavirus-gove-defends-7-000-day-rate-for-test-and-trace-consultants-12107394]

  6. Doctor Syntax Silver badge

    It sounds as if, apart from learning a few much needed lessons about IT security, Apperta need to have a word with Ms Streisand.

  7. steamnut

    Go to court

    I think he should have gone the whole way into court. Apart from exposing the ungrateful way he was treated after informing them of the security hole, some case law could have been established as to the best way to go about telling a company that they have cocked up. After all, less scrupulous individuals could have done real harm with no conscience at all and from a foreign country where the law would not reach them.

    1. Rob Dyke

      Re: Go to court

      If you can GoFundMe @steamnut.... https://www.gofundme.com/f/responsible-rob

      1. Anonymous Coward

        Re: Go to court

        Are they still pursuing you legally?

        1. Rob Dyke

          Re: Go to court

          I have not heard anything since providing a signed undertaking and statement at the end of April.

          I have not received any confirmation that Apperta consider the matter closed.

    2. Adr

      Re: Go to court

      Only if the court was with him. If it wasn't, the bill for their costs would be pretty horrific, plus his own costs, plus any damages.

      I think he'd have had a reasonable prospect (assuming his account is accurate), but it's by no means a foregone conclusion.

      1. Stork Silver badge

        Re: Go to court

        And would it be worth the stress and hassle?

  8. Aaiieeee
    Thumb Down

    The passwords / API keys were not supposed to be public; by keeping a copy you are creating the possibility of holding them to ransom for their private data in future, to which they reacted quite understandably.

    AKA:

    "I noticed you forgot to lock your house before going on holiday so I went and checked it out. Be grateful I am telling you. By the way I am keeping these compromising photos that I found; don't worry, I only need them in case you deny your mistake."

    1. Anonymous Coward
      Anonymous Coward

      Not in the house

      More posted in the noticeboard at the front gate.

      So, not letting in.

      No?

    2. ibmalone

      "The passwords / API keys were not supposed to be public; by keeping a copy you are creating the possibility of holding them to ransom for their private data in future, to which they reacted quite understandably."

      Not true, as it assumes the researcher is the only person who accessed this publicly accessible data. The assumption should be an unknown number of people with much shadier intentions also grabbed it and kept it without being courteous enough to notify the organisation of their actions. The minimum response should be to change the keys against that eventuality (which apparently was done), at which point that information cannot be used for ransom any more.

    3. Wayland

      I think at that stage the data is in the public domain. Rob may have kept the data securely in private but since it was on the Internet you can say it was public. Lots of people would have copies and spreading it around.

  9. SsiethAnabuki
    Facepalm

    Not a good look

    As much as there were things done wrong by both parties here, I can't help but feel that the real take-home here is that you are far safer just anonymously dumping vulnerability data into public spaces and forcing the hand of corporate entities than you are actually acting responsibly.

    Responsible disclosure so often results in a hostile response or complete indifference to the vulnerability disclosed

    (and for the lawyers reading this - I'm not advocating anything, just pointing out some inferences that can be made from the behaviour in this case and many others)

  10. Plest Silver badge

    To quote the the TV show Frasier...

    "Oh let someone else worry about it!"

    "What an appalling attitude! Suppose everyone thought like that? Where would we be then?"

    "Everyone does think like that!"

    Yes, your conscience might tell you to do the right thing, to be the good citizen, and sometimes you simply need to listen to your common sense and just walk on by...

  11. ShortLegs

    Sorry, Fail - Rob

    @Rob Dyke the second you stepped over the line was when you downloaded and stored the repos. Encrypted or not, that was a step too far.

    The doubt that is in my mind regarding your motives, is that you have been asked several times /why/ you did this.... and each time you have avoided answering.

    1. Rob Dyke

      Re: Sorry, Fail - Rob

      @shortlegs my rationale has been public for over a month now

      https://robdyke.com/howto-disclose/

      Back in 2017 I was part of the group that made NHSbuntu - an open source desktop for the NHS. Apperta made a grant of £30,000 to the project and invited me to join a subcommittee that would oversee development. Subcommittee members have a responsibility to ensure that Apperta policies and procedures are followed and I was provided a copy of the Apperta information security policy when I accepted the invitation.

      I found it and re-read it.

      It was my responsibility to alert the Apperta Foundation that I suspected there had been a security breach and to provide as much information as possible (including the date, time, application) to enable the Foundation to investigate and take appropriate counter-measures. Although no longer a subcommittee member, I figured I'd follow the procedure and provide as much information as possible about what looked to be a security breach.

      I wrote up what I had discovered, providing screenshots of the repos with notes on the contents of the code and the database dump file, URLs of the third party site, and some notes about published vulnerabilities in the version of Laravel used. It looked something like this (gist and pdf)

      I emailed the disclosure to Apperta on 1st March at 12:12hrs. I stated that I would keep the materials used to create the disclosure for 90 days (encrypted) before destroying them. Apperta responded and thanked me. Within the hour the repos were taken down and the portal taken offline. The following day I saw that some of the third-party elements that were referenced in the code (along with API keys!) were still available on public URLs without any authentication. I made a further disclosure and again was thanked by Apperta.

      1. Wzrd1 Silver badge

        Re: Sorry, Fail - Rob

        Had I been involved with the response, I'd suggest to counsel that your individually retaining such evidence retains some risk and suggest third party, representing the researcher's interests be mutually retained as custodian of the sensitive data, to be destroyed upon a mutually agreed upon date and assurance that no litigation would ensue from the matter.

        We'd help fund the custodian, the data would remain secure and an agreement mutually found. It'd have a side effect of burning less billable hours for all parties and all concerned interests would be protected.

        Then, have counsel and the researcher write a paper on the incident, response and their effects.

        Everyone wins, I get my revised code audit and enhanced security and the world + dog learns how to responsibly manage such an incident and remain under budget.

    2. Robin Bradshaw

      Re: Sorry, Fail - Rob

      Yeah how dare you *checks notes* clone a repo from github.

      Don't you know everything on github is a private secret not meant to be cloned by the public.

      Some of the responses are making me wonder how many people here are keeping private photos on imgur.com and are going to act all shocked pikachu when they find out everyone can see them.

    3. Wayland

      Re: Sorry, Fail - Rob

      Letting them know he had access was the step too far. How can he prove he did not download the data? Whether he did or not is irrelevant to him staying out of trouble. Fuck the morality, if he wanted to let them know of the problem he should have done so anonymously. Him playing Rob Dyke the hero means he gets the kick in the balls he deserves. The only reason he would put his name to this was so they could thank him personally. You don't need thanks if you simply want to do what's right.

  12. This post has been deleted by its author

  13. Anonymous Coward
    Anonymous Coward

    El Reg> "We're told the repository ... was left visible to the public for so long that the Internet Archive mirrored a copy of it,"

    If true, what happened to that?

    1. Rob Dyke

      Others have found it and validated my description of the contents.

      https://twitter.com/sickcodes/status/1385218039734423565?lang=en

  14. MachDiamond Silver badge

    Attorney fail

    It's all about billable hours for (blood sucking) attorneys. If they can get a go ahead from a client and a budget, they'll confer, consult and file until they've exhausted the funds. If they think there could be more funds made available, they'll leave some loose ends to tug on later.

    This whole thing could have been cleared up with a 10 minute phone call and some follow up agreements. The problem is that £60 for the ten minutes is barely enough for any bottle of wine an attorney might deign to purchase. There has to be enough in it for at least 6 months of lease payments on the 7 series BMW.

    1. Rob Dyke

      Re: Attorney fail

      Exactly. My two disclosures were promptly acknowledged with thanks. I thought nothing further of it until Apperta's lawyer got in touch.

      1. Wzrd1 Silver badge

        Re: Attorney fail

        And the failure is an unnecessary conflict, based upon your version of events and a vacuum from the opposing side.

        It's predicated upon two concepts that interlock in IS and organizational duties that are paramount.

        Due care and due diligence.

        If you showed me that my castle door keys were openly available and you're retaining a copy to protect your interests, I'd not have a warm and fuzzy feeling of comfort, as I have no idea if your security is any better than our own!

        I'm a bit more reasonable, at a cost of billable hours in seeking a mutually agreed upon common ground for a secure data custodian, who will represent your interests, upon mutually agreed upon common interests grounds. And add, in my jurisdiction, said data is evidence and needs to be protected from all, including us and our concerned parties and only the courts may access said data, pending an order from said courts.

        What I'd try to avoid, from the company side is exposure, potential blackmail or compromise of now secured data.

        Once mutually agreed upon, we'd move forward and avoid the courts and we'd happily ensure a trust is established to secure the data - outside of either of our controls, save if the trust fails and then, we have a common problem.

        In my jurisdiction, you've committed a crime. You willfully destroyed evidence in a matter presented to the court. It is the matter of contention and controversy, hence, evidence.

        Due care and due diligence requires I expend the least resources for the maximum gain.

        So, securing the data is paramount. I'd have an olive branch in reserve, a joint paper on how to protect data, ensure organizational security and serve common cause via said paper.

        Everyone wins.

        Currently, the organization has a huge black eye and you have legal bills, as does the organization. Any victory from that is Pyrrhic indeed!

        1. Wayland

          Re: Attorney fail

          Locking the castle door after the horse has bolted. Why would you have a warm fuzzy feeling? The fact that Rob Dyke has a copy of your data is the least of your problems. I bet there are people who spend all their time creating a mirror of everything on github. They have a lot of hard drive space and are desperate for something to store on it. Data hoarding is a known fetish.

  15. FlamingDeath Silver badge

    Sociopaths, that’s what I reckon

    The reaction is classic behaviour

    Losing is unbearable

    Winning is everything

  16. Mike 125

    >NHS-backed company not only threatened him with legal a

    NHS and related managament hate whistleblowers. It's instinctive. They just can't help themselves.

    1. Adrian 4

      ftfy

      English lacks unambiguous rules for precedence. I think that should be read as

      (NHS and related) managament hate whistleblowers. It's instinctive. They just can't help themselves.

      and not as

      NHS and (related managament) hate whistleblowers. It's instinctive. They just can't help themselves.

      1. Mike 125

        Re: ftfy

        Yep- indeed. I vaguely sensed that as I posted it. Getting lazy. Thanks.

      2. SCP

        Re: ftfy

        The humble hyphen can be your friend in these sort of cases:

        "NHS and related-managament [sic] hate whistleblowers ..."

        [Oblig software connection: "Missing hyphen Mariner 1 Failure"]

        [Oblig Pedantry: It was actually a missing over bar]

    2. Wayland

      The NHS are arrogant and incompetent. This combination makes them very defensive. They can't admit mistakes and so spend a huge effort covering up. PALS, one of their complaints departments, acts as /dev/null with the occasional bit of feedback to make you think it's being looked into.

  17. Adr

    It's tricky

    Purely from a legal perspective, he's processing the data so he could run into a ton of GDPR complications depending what he hoovered up (even inadvertently).

    Equally it was a result of their data breach, so their response is heavy handed at best and entirely disproportionate. I'd say he'd have had a reasonable chance of having the claim dismissed as wholly without merit.

  18. Wzrd1 Silver badge

    The very moment that I receive a filing

    Is the moment that the data retained becomes evidence and I'll not be the one to willfully destroy evidence.

    That evidence will then be presented to the courts and become public record.

    At least, that's how the courts and laws operate within the US. The evidence would be presented on discovery and presented to the court, thereby becoming public record and likely, subject to the Streisand Effect.

    The demand to unlawfully destroy the presented evidence would also be submitted, which will likely draw some crossed brows from the jurist.

  19. Ray 4

    So the thanks Dyke gets for helping them is a legal threat. He should have reported it to the ICO directly and let them get fined instead.

    1. 2460 Something

      Requirement to report the breach doesn't stop just because they have fixed the problem. If there was a breach that required the ICO to be informed, they are legally required to inform ICO within the set timescales.

    2. Wayland

      They deserve it. However the NHS is a sacred cow and the ICO would probably prosecute Dyke.

  20. Arthur Daily

    Getting nasty with the bearer of bad news

    Costing a security researcher for reporting bad news and siccing lawyers on him is plain wrong. There will be consequences.

    Next time it will be a 6pm news exclusive, naming the committer. As for copies, you would need to audit the downloads, which is probably spidered anyways.

    I would ask a software firm for a 'bug scan' on the existing collections. It is SO easy to point to poor code and identify careless coders as well as identifying the excellent ones. This creates a lot of friction, and allows the removal of non-thinking drones.
