GCHQ - A plaintext offender

Because on the previous page you were asking what the problem was, in a sarcastic manner, saying how it was over your head, sarcastically.

Now it appears it IS over your head, ironically ;)

No no, the sarcasm exists only in your head.

The questions I've asked are as sincere as the statements I've made.

My issue has only ever been with you suggesting that this somehow indicates a lack of competency from GCHQ and I maintain that it does not.
 
Financial data isn't the only thing that should be protected. I'm not sure what information will be associated with the account, but name, parental info, and passport number/NI number are all possible.


Aside from that, it's just simply bad practice. When the top security guys in the UK apply for a job there, and get their password sent back to them in plain text, what do you think their impression will be?
 
It suggests a general lack of awareness of data protection principles.

OK, so that might not spread elsewhere within the organisation, but it's still awful practice, no matter what the company or organisation involved.
 
Aside from that, it's just simply bad practice. When the top security guys in the UK apply for a job there, and get their password sent back to them in plain text, what do you think their impression will be?

Exactly the reason I didn't follow through with my application.

They did reply after this became big news, saying that it was a 'legacy' site and would be undergoing changes soon.
The reply was to softpedia though, not myself.
http://news.softpedia.com/news/UK-s-GCHQ-Stores-Passwords-Without-Encrypting-Them-340510.shtml

So basically they fobbed it off till it became something worth stressing about.

Don't forget just a month or so ago we admitted to not being ready to defend against cyber terrorism.
 
Clearly this is way over some of GD's heads.

I think most of the people in GD are not in a technical field so the fact that they don't get it is not something you should take personally. What I find more surprising is how sites like Softpedia and ZDNet are mis-reporting what you've found.

Softpedia said:
Instead, it contained the password in clear text, which means that this is how the intelligence agency stores the information in its databases.

No, Softpedia, it doesn't. It means we know they are storing it in a format that can be converted back to plain text. Whether that is plain text or encrypted, we don't know.

Although even if they are encrypted, it's still poor, and you'd expect better from the GCHQ. Even if they didn't build the site, they should have noticed flaws like that and had it changed.

For those saying it doesn't matter because it's only their job site, bear in mind two things. Firstly, it sounds like there is ample information in people's profiles on the site for identity theft. Secondly, whether it's stupid or not, many people do reuse the same passwords over many sites/systems, so any site holding passwords for users has a duty to protect those passwords.
 
I think most of the people in GD are not in a technical field so the fact that they don't get it is not something you should take personally.

No i agree, it was more the barrage of useless messages immediately after that was frustrating.

For those saying it doesn't matter because it's only their job site, bear in mind two things. Firstly, it sounds like there is ample information in people's profiles on the site for identity theft. Secondly, whether it's stupid or not, many people do reuse the same passwords over many sites/systems, so any site holding passwords for users has a duty to protect those passwords.

Not only that, it's government agents; there's easy potential for espionage with the details obtained.
And the way they handled it, e.g. ignoring it until it was publicised, was just shoddy.
 
Update. GCHQ representatives have responded to our inquiry.

“The current applicant tracking system used by GCHQ is a legacy system and we are currently in the process of changing it,” a GCHQ spokesperson said.

“Only the very small percentage of applicants (who need their accounts reset) are sent a new password. This comes with clear instructions of how to protect their data.”
http://news.softpedia.com/news/UK-s-GCHQ-Stores-Passwords-Without-Encrypting-Them-340510.shtml
 
Exactly the reason I didn't follow through with my application.

They did reply after this became big news, saying that it was a 'legacy' site and would be undergoing changes soon.
The reply was to softpedia though, not myself.
http://news.softpedia.com/news/UK-s-GCHQ-Stores-Passwords-Without-Encrypting-Them-340510.shtml

So basically they fobbed it off till it became something worth stressing about.

Don't forget just a month or so ago we admitted to not being ready to defend against cyber terrorism.

I am sorry but that is a ridiculous reason to say you did not progress an application.

This has little reflection on the work the GCHQ does and you would be daft not to want to work there if you are interested in the field.
 
I am sorry but that is a ridiculous reason to say you did not progress an application.

This has little reflection on the work the GCHQ does and you would be daft not to want to work there if you are interested in the field.

It's not the only reason of course, but it certainly put me off.
 
Surely you're not suggesting that anyone who doesn't have a working knowledge of password encryption cannot be in a 'technical field'?

Well it was perhaps a poor choice of words, because by technical field I meant IT specifically. I think people in most professions within IT should at least be aware that it's not a great idea to be emailing passwords, and a lot of them should also understand about passwords not being reversible. You don't need to know about encryption to know that.
 
Well it was perhaps a poor choice of words, because by technical field I meant IT specifically. I think people in most professions within IT should at least be aware that it's not a great idea to be emailing passwords, and a lot of them should also understand about passwords not being reversible. You don't need to know about encryption to know that.

OK, but I don't think anyone will argue with you about it not being a good idea to send plain text passwords via email, IT professional or otherwise.
 