The outrage that is ContactPoint under attack
June 22nd, 2007James Meikle
Friday June 22, 2007
The GuardianMisuse of an electronic database holding sensitive information on 11 million children in England could lead to millions of breaches of security each year, it is claimed today. Privacy campaigners and independent schools have warned of the “enormous” potential for abuse of the huge IT system to be launched next year.
In a letter to the Guardian, they appeal to the government to reconsider “this hugely expensive and intrusive scheme”. The Guardian revealed on Monday how the system would be open to at least 330,000 people as part of an effort to prevent deaths such as that of Victoria Climbié by helping children’s services work together.
Critics fear it will breach the right to privacy and are concerned about security. It will be accessible through the internet with a two-part authentication.
But today’s letter, signed by representatives of the Independent Schools Council, Action on Rights for Children, the Foundation for Information Policy Research, the Open Rights Group and Privacy International, says that the problems of “a potentially leaky and inadequate system” must be solved before the plan goes further. It claims that evidence from Leeds NHS trust last year suggested that in one month staff logged 70,000 incidents of inappropriate access. “On the basis of these figures, misuse of the ContactPoint system could run to 1,650,000 incidents a month.”
[…]
My emphasis.
Firstly, these moronic journalists have no idea about how to tell these stories because they are computer illiterates. Only a computer illiterate would use a phrase like ‘two-part authentication’ in this context. The correct phrase is:
‘only a user name and password’
When you use the correct phrase, it is then easy to paint a picture of people sharing usernames and passwords to gain entry into this system, which will be live over the internets.
This means that anyone with the url, a leaked username and password and the intent, can get onto the system, and then start to copy the entries one by one.
In fact, a smart person could write a simple PHP script to scrape the entries one by one over a long period of time, prompting the user for an alternative username and password should the one he is supplied with cease to be useful.
Everyone knows about Bugmenot, the service that supplies you with usernames and passwords to many sites on the internets. I’m sure that the Bugmenot Admins would NEVER allow usernames and passwords to ContactPoint on their system, but what Bugmenot demonstrates is that it is easy to not only share usernames and passwords, but it is possible to automate the sharing of these usernames and passwords.
Of course, none of this is in this article. It is not vivid in even the most simple area, that of using the correct terminology, which everyone is familiar with since most people in the UK have some contact with internet accounts and logging into them with a user name and a password.
Even that journalist must have experience of logging into his email account; how is it that these people cannot make the insight jump to the next logical point in the argument against this?
Because they are THICK AS SHIT.