[personal profile] hirez
Today we learn that the gummint (Revenue branch) really are a mob of hopeless tossers. Well, when I say learn I mean 'Will be featuring in this week's SANS newsletter, comp.risks (maybe) and many other places where people who profess to know/care about computer security will be able to point, laugh and go 'imagine my surprise...''

On one hand, have these people never heard of leased lines? On the other 'Never underestimate the bandwidth of a Studebaker full of mag tapes'. On the third the likelihood of two gummint organisations being able to exchange data electronically is going to be close to zero, so entrusting the data to TNT is a reasonable alternative. In that context. For very small values of reasonable.

Two CDs, right? Tar and feather the data, encrypt it with gpg and email it to a Google account. How hard's that?

Sadly, I don't believe this will enable me to demand an audit of the Revenue's systems and processes the next time they require their tithe.
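As an added example (not part of the original post), the 'tar it, gpg it' step done properly in POSIX sh with GnuPG 2.1 or later: pack a directory, encrypt it symmetrically with AES-256, ship only the ciphertext, and have the recipient check a digest that travelled by a different route. The paths, the sample records and the passphrase handling are constructed for the demo; to encrypt to a recipient's public key as the post suggests, `--symmetric --cipher-algo AES256` becomes `--recipient <key-id> --encrypt`.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GnuPG 2.1+ (for
# --pinentry-mode), tar, od and sha256sum or shasum. Names and paths are made up.
set -e

# Private keyring directory so the demo never touches the caller's ~/.gnupg.
export GNUPGHOME="${GNUPGHOME:-$(mktemp -d)}"
chmod 700 "$GNUPGHOME"

# SHA-256 hex digest of a file, with a fallback for systems lacking sha256sum.
digest() {
  { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi; } \
    | cut -d' ' -f1
}

# Sender: pack SRC_DIR, record the plaintext digest (sent separately from the
# disc), encrypt with AES-256 under a passphrase read from PASSPHRASE_FILE,
# then delete the plaintext so only ciphertext goes in the TNT bag.
# gpg adds an MDC, so any tampering with the ciphertext fails decryption.
# Usage: pack_encrypt SRC_DIR OUT_BASENAME PASSPHRASE_FILE
pack_encrypt() {
  src="$1"; out="$2"; pf="$3"
  tar -cf "$out.tar" -C "$src" .
  digest "$out.tar" > "$out.tar.sha256"
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-file "$pf" \
      --symmetric --cipher-algo AES256 -o "$out.tar.gpg" "$out.tar"
  rm -f "$out.tar"
}

# Recipient: decrypt, compare against the out-of-band digest, unpack.
# Prints "ok" and returns 0 on a match; returns 1 on a mismatch.
# Usage: decrypt_verify IN_BASENAME PASSPHRASE_FILE OUT_DIR
decrypt_verify() {
  in="$1"; pf="$2"; dst="$3"
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-file "$pf" \
      -o "$in.recv.tar" -d "$in.tar.gpg"
  got=$(digest "$in.recv.tar")
  want=$(cat "$in.tar.sha256")
  [ "$got" = "$want" ] || { echo "digest mismatch" >&2; return 1; }
  mkdir -p "$dst" && tar -xf "$in.recv.tar" -C "$dst"
  echo ok
}

# Round trip on constructed data standing in for the benefit records.
# Returns 0 when the extracted file is byte-identical to the original.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/records"
  printf 'id,name\n1,Example Person\n' > "$work/records/childben.csv"
  # 32 random bytes as hex. The passphrase goes by phone or separate registered
  # post, never in the same package as the disc.
  od -An -N32 -tx1 /dev/urandom | tr -d ' \n' > "$work/pass.txt"
  pack_encrypt "$work/records" "$work/cb" "$work/pass.txt"
  decrypt_verify "$work/cb" "$work/pass.txt" "$work/out"
  cmp -s "$work/records/childben.csv" "$work/out/childben.csv"
  rc=$?
  rm -rf "$work"
  gpgconf --kill gpg-agent 2>/dev/null || true
  return $rc
}
```

Run `demo` to see the whole exchange; the digest file is the part that makes a loss detectable rather than merely embarrassing, because the recipient can say exactly what did or did not arrive.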



Elsewhere, rubbish people do stupid things and blame others. As usual with ML, the comments are the other half of the story, but by jebus you'll want a stiff drink after reading them. Who on earth would suspect that poor behaviour on the internet would affect real lives? (That would be sarcasm.)

Date: 2007-11-20 08:48 pm (UTC)
From: [identity profile] blue-condition.livejournal.com
> Sadly, I don't believe this will enable me to demand an audit of the Revenue's systems and processes the next time they require their tithe.

Interesting idea, though. If enough people do it....

Date: 2007-11-20 08:53 pm (UTC)
From: [identity profile] drumiller.livejournal.com
and I'm waiting for the blame counter to trigger once they proclaim themselves exempt from the data protection law your gummint just passed that penalizes lackwits for improper data exchange/loss.

"Oh, gosh, we meant, *everyone else*, not civil servants! Imagine, why we'd be accountable and everything! No, that simply won't do, at all."

or

"Mail Service is clearly at fault here, why aren't you persecuting them?/whinge"

Date: 2007-11-20 08:59 pm (UTC)
From: [identity profile] poggs.livejournal.com
We courier disks around with non-critical information, although it's important.

Transferring 40Gb of data up a 2Mb leased line isn't terribly quick...

Date: 2007-11-20 09:23 pm (UTC)
From: [personal profile] diffrentcolours
I was impressed that Channel 4 news not only had Phil Booth of NO2ID (looking disturbing in a suit) but also the GPs' opposition to the NHS Spine.

In terms of people getting the message across to the Great Unwashed, I had a bit of a rant which I'd like to pimp in your comments section ;)

Date: 2007-11-20 09:26 pm (UTC)
From: [personal profile] diffrentcolours
Back when I worked for the MoD, we used to courier info between sites at opposite ends of the country - encrypted with $STUPID-bit AES, locked in a case, handcuffed to courier etc. etc. It was a damn sight faster than trying to transfer it over the Hyperblag.

Date: 2007-11-20 09:28 pm (UTC)
From: [identity profile] hirez.livejournal.com
You'll note that the link to the story points in your direction anyway...

Date: 2007-11-20 09:36 pm (UTC)
From: [identity profile] hirez.livejournal.com
In the distant past, when I did NHS data-link stuff (aka 'Banging your head on a wall until the nice people take you away and lock you in a rubber room') we had a chap pitch up from GCHQ to instruct us in the ways of doing gummint-standard crypto.

If that sort of service was available in 1992, I fail to see why the Revenue apparently just boshed out a couple of CDs and gave them to the TNT-wallah. Of course it may later turn out that the data was encrypted, but given they've sat on the news for a month I fear I doubt it.

Date: 2007-11-20 09:53 pm (UTC)
From: [personal profile] diffrentcolours
Whoops, how rude of me. Thanks very much!

Date: 2007-11-20 10:39 pm (UTC)
From: [personal profile] zotz
BBC:

The chancellor blamed mistakes by junior officials at HMRC, who he said had ignored security procedures when they sent information to the National Audit Office (NAO) for auditing.

Mr Darling told MPs: "Two password protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit was sent to the NAO, by HMRC's internal post system operated by the courier TNT.

The package was not recorded or registered. It appears the data has failed to reach the addressee in the NAO."


Password-protected. So, not in plain, but not necessarily significantly obscured either. And in breach of regs. One head has already rolled, and I'm sure more are to come.

Date: 2007-11-20 11:29 pm (UTC)
From: [identity profile] hirez.livejournal.com
Yes. I just watched Paxo and Ross Anderson give govt-woman a grilling on Newsnight.

Date: 2007-11-20 11:31 pm (UTC)
From: [personal profile] zotz
Any actually useful information admitted?

Date: 2007-11-20 11:48 pm (UTC)
From: [identity profile] hirez.livejournal.com
Not really. Woman was banging on about 'lessons learned' and 'procedures in place being ignored' while (prof?) Anderson carefully explained that they'd not got a hope of making it work and throwing technology at the problem would only make it worse.

We can only hope that the data's properly lost. If it's in the hands of the blackhats, it'll be downloadable from a cracked webserver in the next week or so. I'll keep an eye on the full-disclosure list for the announcement.

Date: 2007-11-20 11:58 pm (UTC)
From: [personal profile] redcountess
The Making Light page must have some sort of script on it, D's laptop started overheating while I was trying to read it :/

Date: 2007-11-21 12:17 am (UTC)
From: [identity profile] blue-condition.livejournal.com
Bright as Anderson is (I've been to several seminars by him and Security Engineering is a book everyone in computing should memorise) he's a chronic self-publicist. ;)

Date: 2007-11-21 10:42 am (UTC)
From: [identity profile] d-floorlandmine.livejournal.com
Never underestimate the bandwidth of a Studebaker full of mag tapes
That's a great point.

entrusting the data to TNT is a reasonable alternative
I know people who work/have worked for TNT. They never use TNT. Ever. Nor do they consider it a reasonable solution, unless you want something to "go missing in the post".
