Woohoo! It's great to hear that the Govt is looking to create a "statutory defense" for researchers to spot and share vulnerabilities. I'm grateful to Security minister Dan Jarvis for hearing the concerns raised by Cyberup! and others that the CMA is not-fit-for-purpose.
Posts by Rob Dyke
31 publicly visible posts • joined 16 Apr 2013
UK finally vows to look at 35-year-old Computer Misuse Act
Major IT outage forces UK emergency call handlers to use 'pen and paper'
Guaranteed availability lolz
I checked out the gCloud for Advanced's products and oh my
To start "Data is synchronously replicated between the two centres using Microsoft and web technologies including Hyper-V Server virtualisation and SQL Availability Groups. With the technology enabling a real time replica to be created at an alternate location, it provides operational continuity in the unlikely event of a partial or complete failure of either centre."
Then "Data is then in turn backed-up using Dell DR4100 Disk Backup Appliances, de-duped and then replicated in the alternate data centre. A full weekly backup is taken and a daily differential backup, each one being automatically verified with any inconsistencies automatically and immediately flagged to our team of database administrators."
And just in case you are not yet convinced "A combination of the data centres’ significant infrastructures and our active/active operating model therefore delivers a flexible, robust and proven approach to disaster avoidance and resilience and provides a high degree of business continuity"
UK health secretary confirms end for NHS Digital, architect of the GP data grab debacle
NHS-backed org reacted to GitHub leak disclosure with legal threats and police call, complains IT pro
I do like your thinking @teknopaul
According to Apperta's information security policy that I committed to uphold back in 2017, it was my responsibility to alert the Apperta Foundation that I suspected there had been a security breach and to provide as much information as possible (including the date, time, application) to enable the Foundation to investigate and take appropriate counter-measures.
Although no longer a subcommittee member, I followed the procedure and provided as much information as possible about what looked to be a security breach.
Re: Sorry, Fail - Rob
@shortlegs my rationale has been public for over a month now
https://robdyke.com/howto-disclose/
Back in 2017 I was part of the group that made NHSbuntu - an open source desktop for the NHS. Apperta made a grant of £30,000 to the project and invited me to join a subcommittee that would oversee development. Subcommittee members have a responsibility to ensure that Apperta policies and procedures are followed and I was provided a copy of the Apperta information security policy when I accepted the invitation.
I found it and re-read it.
It was my responsibility to alert the Apperta Foundation that I suspected there had been a security breach and to provide as much information as possible (including the date, time, application) to enable the Foundation to investigate and take appropriate counter-measures. Although no longer a subcommittee member, I figured I'd follow the procedure and provide as much information as possible about what looked to be a security breach.
I wrote up what I had discovered, providing screenshots of the repos with notes on the contents of the code and the database dump file, URLs of the third party site, and some notes about published vulnerabilities in the version of Laravel used. It looked something like this (gist and pdf)
I emailed the disclosure to Apperta on 1st March at 12:12hrs. I stated that I would keep the materials used to create the disclosure for 90 days (encrypted) before destroying them. Apperta responded and thanked me. Within the hour the repos were taken down and the portal taken offline. The following day I saw that some of the third-party elements that were referenced in the code (along with API keys!) were still available on public URLs without any authentication. I made a further disclosure and again was thanked by Apperta.
At no point did I reuse any credentials.
The portal code allowed registration of new accounts (served over HTTP). This has been independently verified.
The financial records were in the repo. There was also a third-party SaaS product that had been configured with public read access. The URLs for the SaaS product were in the repo.
No credential use was necessary.
Greetings and welcome to The Register forums.
I have redacted some screenshots, yes.
"They appear to have been provided in terms of showing what court submissions would be made if Dyke would not agree to guaranteeing he had deleted the information he had oddly chosen to keep."
Someone approved the expense and effort in producing 177 pages of evidence, 16 pages of witness statements and 3 court filings despite already having been offered many, many confirmations of what I had deleted.
Re: Learn from the ransomware bods...
Although Apperta and I have not always seen things the same way, I had no desire to embarrass them or exploit the GitHub leak or the open access financial reports published via Zoho.
I sent a quiet advisory. I didn't name them when I started to speak about the legal threats received in March. I only named Apperta after they decided to report this sorry circumstance to the police.
Apperta, for those that don't know, was created by NHS England in 2015 and given £500k to support open source projects. At the time Peter Coates, NHS England's Open Source Programme Manager and now a Director of Apperta, told Digital Health News that Apperta would: 'be fully transparent, with information published online regarding where money has come from and where it has gone.'
See https://www.digitalhealth.net/2015/06/open-source-super-cic-created/
For some reason NHS England don't want to talk about the funding granted to Apperta: https://www.whatdotheyknow.com/request/the_apperta_foundation_cic_3
Oh good. They're looking for an NHSX CTO. Hopefully they'll see off 'snake oil' pushers, says GP
Scumbags cram Make-A-Wish website with coin-mining malware
UK rail lines blocked by unexpected Windows dialog box
NHS deploys Microsoft threat detection service on just 30,000 devices
UK's NHS to pilot 'Airbnb'-style care service in homeowners' spare rooms
Ubuntu 'weaponised' to cure NHS of its addiction to Microsoft Windows
Why hacking and platforms are the future of NHS IT
Re: More openness....
Except of course they have, actually, released code publicly:
http://www.ehealthopensource.com/codeforge/
Github is not the only code publishing service ... or are you a one true way zealot?
There is plenty more code inside N3 as well ... so I guess it depends on how people choose to define community....
Re: HL7
Having successfully developed four ITK projects over the last 6 months I can testify to both the complexity and the business value of the ITK. The interoperability promise of the ITK can really help to deliver value and savings to a Trust, so it's worth getting behind if you want your product to be considered by NHS organisations as more than just another silo.
More openness....
The NHS is starting to benefit from leading hospitals such as Leeds Teaching Hospital and Kings College Hospital who are developing in-house and then releasing these developments as open source code bases. Examples of these include the Clinical Portal at Leeds and two projects from Kings: Wardware, an electronic observations system, and some recent work around Apache ServiceMix for systems integration.
I'm a big fan of Carl. He doesn't brook any nonsense or failure in healthcare IT. NHS Hackday highlights the art of the possible and has successfully produced one system that is (nearly?) in production use at a Trust: CellCountr. See http://www.cellcountr.com/about/.
With the support of commercial organisations like Tactix4, not-for-profit projects like HANDI Health and openGPSoC, and with the leadership of these exemplary trusts, open source is becoming less of a 'perceived risk' for Trusts and is becoming a business decision that Trusts and other healthcare providers are taking with increased confidence and, most importantly, understanding more often than ever before.
Declaration of interest: I have been at each of the last three NHS Hackdays, led eHealthOpenSource (an industry/NPfIT JV), am co-founder of HANDIHealth and openGPSoC and a Director of Tactix4.