Tuesday, November 27, 2007

HMRC fiasco and risks

so I've heard two unbelievably ignorant comments by senior politicians in the wake of the fiasco where HMRC accidentally "lost" 2 CDs with 25M people's children's names, addresses and parents' bank account details

1. biometrics won't have this problem
ok so what if the passport office accidentally released the database with 60M people's biometric data? well, according to experts, it is encrypted using a 1-way function so you can't reverse engineer someone's iris or fingerprint from the data.
But what if there is 1 single bug in the way they've done this? just 1. and it can.
everyone's biometric is compromised, once and for all and forever. game over. doh.

2. encryption would have meant the problem with the 2 CDs wasn't a problem.

ok so how was the NAO (or KPMG) going to read the data? magic? no, they had to have the keys (and password) too. So how were those sent? securely? do we know they aren't the same key and password as are used for loads of other databases inside HMG's various terminally ICT-challenged departments? no we don't, nor do they.

anyhow, both of these are irrelevant - the fact that junior (and therefore large numbers of) staff have access to the entire database means that it is effectively open to all and sundry (as with polis databases) who can afford to find any bribable or blackmailable or just careless person in a large population of junior clerks.

"all the eggs in one basket" appears to be a phrase that wasn't part of Darling's education (or Brown's).
