Posts by Rob Dyke

Re: Attorney fail

Exactly. My two disclosures were promptly acknowledged with thanks. I thought nothing further of it until the Apperta's lawyer got in touch

I do like you thinking @teknopaul

According to Apperta's information security policy that I committed to uphold back in 2017 It was my responsibility to alert the Apperta Foundation that I suspected there had been a security breach and to *provide as much information as possible (including the date, time, application ) to enable the Foundation to investigate and take appropriate counter-measures.

Although no longer a subcommittee member, I followed the procedure and provided as much information as possible about what looked to be a security breach.

Re: Sorry, Fail - Rob

@shortlegs my rational has been pubic for over a month now

https://robdyke.com/howto-disclose/

Back in 2017 I was part of the group that made NHSbuntu - an open source desktop for the NHS. Apperta made a grant of £30,000 to the project and invited me to join a subcommittee that would oversee development. Subcommittee members have a responsibility to ensure that Apperta policies and procedures are followed and I was provided a copy of the Apperta information security policy when I accepted the invitation.

I found it and re-read it.

It was my responsibility to alert the Apperta Foundation that I suspected there had been a security breach and to provide as much information as possible (including the date, time, application ) to enable the Foundation to investigate and take appropriate counter-measures. Although no longer a subcommittee member, I figured I'd follow the procedure and provide as much information as possible about what looked to be a security breach.

I wrote up what I had discovered, providing screenshots of the repos with notes on the contents of the code and the database dump file, URLs of the third party site, and some notes about published vulnerabilities in the version of Laravel used. It looked something like this (gist and pdf)

I emailed the disclosure to Apperta on 1st March at 12:12hrs. I stated that I would keep the materials used to create the disclosure for 90 days (encrypted) before destroying them. Apperta responded and thanked me. Within the hour the repos were taken down and the portal taken offline. The following day I saw that some of the third-party elements that were referenced in the code (along with API keys!) were still available on public URLs without any authentication. I made a further disclosure and again was thanked by Apperta.

Re: I smell a rat here.....

sev.monster is non-discrimantory and pro-equality.

sev.monster addresses EVERY first poster like that.

sev.monster has a Bronze badge for service.

Re: I smell a rat here.....

I love the Grifters reference btw, nice one.

I no point did I reuse any credentials.

The portal code allowed registration of new accounts (served over HTTP). This has been independently verified.

The financial records were in the repo. There was also a third-party SaaS product that had been configured with public read access. The URLs for the SaaS product were in the repo.

No credential use was necessary.

Re: Go to court

I have not heard anything since providing a signed undertaking and statement at the end of April.

I have not received any confirmation that Apperta consider the matter closed.

one hundred percent

(The post is required, and must contain letters.)

Greetings and welcome to The Register forums.

I have redacted some screenshots, yes.

"They appear to have been provided in terms of showing what court submissions would be made if Dyke would not agree to guaranteeing he had deleted the information he had oddly chosen to keep."

Someone approved the expense and effort in producing 177 pages of evidence, 16 pages of witness statements and 3 court filings despite already having been offered many many confirmations of what I had delted.

Re: I smell a rat here.....

I told Apperta about the repos promptly after I found them.

I immediately deleted the repos after being contacted by the lawyers.

I also provided an inventory of the screenshots and notes made to produce the disclosure.

Re: Go to court

If you can GoFundMe @steamnut.... https://www.gofundme.com/f/responsible-rob

Re: Learn from the ransomeware bods...

Although Apperta and I have not always seen things the same way, I had no desire to embarass them or exploit the GitHub leak or the open access fiunancial reports published via Zoho.

I sent a quiet advisory. I didn't name them when I started to speak about the legal threats received in March. It only named Apperta after the decided to report this sorry circumstrance to the police.

close

If there was badly written code, in, for example, a Registration Form calling the RegistrationController@create(), this wouldn allow someone to create a new user account, login and elevate priviledges.

Retained materials

I told Apprta I had a copy of the repos (encrypted). I deleted the repos when contacted by lawyers.

I retained the PDF of the security disclosure(s) as a record - with screenshots heavily redacted. I later deleted those and provided confirmtion of the same.

Apperta, for those that don't know, was created by NHS England in 2015 and given £500k to support open source projects. At the time Peter Coates, NHS England's Open Source Programme Manager and now a Director of Apperta, told Digital Health News that Apperta would: 'be fully transparent, with information published online regarding where money has come from and where it has gone.'

See https://www.digitalhealth.net/2015/06/open-source-super-cic-created/

For some reason NHS England don't want to talk about the funding granted to Apperta: https://www.whatdotheyknow.com/request/the_apperta_foundation_cic_3

Re: Not a *buntu fan, but more power to 'em!

Thanks!

We thought about using an rpm base, but NHSdora didn't sound as good as NHSbuntu.

Re: Good luck.

Our 80/20 operational/clinical split has been validated by many a CIO.

Re: Good luck.

Could not have put it better myself.

Re: HL7

Having successfullly developed four ITK projects over the last 6 months I can testify to both the complexity and the business value of the ITK. The interoperability promise of the ITK can really help to deliver value and savings to a Trust so its worth getting behind if you want your product to be considered by NHS organisations as more than an another silo.