Published: 08 March 2017
It concerns me that so many governmental, quasi-governmental, and commercial organisations prove so often to be ignorant or negligent in their approach to security whilst claiming to protect us from the dangers found on the internet; so often they don’t get even the basics right.
Not so long ago I found that Jeremy Hunt’s training enterprise was sending passwords in the clear. While endangering users' data and potentially threatening their livelihoods, Hotcourses did at least respond to my criticisms, apologised and upgraded their systems.
Trainers do at least have the option of not using Hotcourses, even if the site does dominate that particular marketplace; this may not be the case for organisations conducting DBS checks (formerly CRB checks). With DBS checks many people are obliged to engage and pay for the privilege if they wish to continue in employment.
One such organisation on this particular gravy train is Voluntary Norfolk, a registered charity that is an approved supplier to the National Council for Voluntary Organisations but which also provides back office services to commercial enterprises.
Voluntary Norfolk operate a web site called "charitybackroom.org.uk" which, together with payroll and HR services, carries out DBS checks. To do this the applicant has to submit personal data, complete a questionnaire and supply documentation proving both their identity and places of residence. This data is presumably collated with that gathered from the local police, the police national computer, the Department of Education, the Independent Safeguarding Authority and whatever other agencies are deemed to be relevant.
In order to protect this data, the applicant is issued with a user login name and a password. The password and login name are sent together, by email in plain readable text, "in the clear" as us computer buffs call it. This means that anyone with access to the computer systems either at Voluntary Norfolk or at the applicant's home or office, or at the ISP where the mail is stored, can read it. If anyone can be bothered to sniff on the wires that carry the message between the user and Voluntary Norfolk they also can see the login and password and have access to the account. The point at which it becomes laughable is when they provide "additional security" with a confirmatory question and response. Both the question and answer are also sent to the user, by email, in the clear.
Everyone can sleep easier in their beds knowing that the authorities are in control and taking care of us.
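An added example, not code from this post or from any organisation it names: a common alternative to emailing a login and password together is to email a single-use, expiring link and let the applicant choose the password on the site itself. The class name, the one-hour lifetime, the `/set-password` path, the `example.org` address and the in-memory store are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed one-hour validity window


class EnrolmentTokens:
    """Issues single-use, expiring set-password tokens (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (username, expiry time)

    def issue(self, username):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (username, self._clock() + TOKEN_TTL_SECONDS)
        return token  # goes into the email; only the digest is kept

    def redeem(self, token):
        """Return the username once, or None if unknown, already used or expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop makes the token single-use
        if entry is None:
            return None
        username, expiry = entry
        if self._clock() > expiry:
            return None
        return username


def enrolment_email(base_url, token):
    # The message carries a link only: no password, no security question or answer.
    return (
        "Your account has been created.\n"
        f"Choose your password within one hour: {base_url}/set-password?token={token}\n"
    )


if __name__ == "__main__":
    store = EnrolmentTokens()
    link_token = store.issue("applicant1")  # constructed sample username
    print(enrolment_email("https://example.org", link_token))
    print(store.redeem(link_token))  # first use succeeds
    print(store.redeem(link_token))  # a copy read later from stored mail fails
```

The link still travels by email, so the protection comes from it being single-use and short-lived and from only its hash being stored server-side.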