I just ended reading an article that has the hairs of the back of my neck stand up straight. I have seen my share of bungles and botches, but the article ‘Solicitor mistakenly sent girl’s address to father who murdered her‘ (at https://www.theguardian.com/uk-news/2016/sep/12/safe-house-address-of-may-shipstone-murdered-by-father-accidentally-sent-to-him) kind of takes the cake!
The subtitle ‘Case review concludes there is no evidence Yasser Alromisse located daughter’s safe house via accidental disclosures‘, in that regard I wonder what evidence and how thorough things were looked at. We all know that mistakes are made at times. Yet the level of errors, when they are nothing short of reckless endangerment to the life of a child is quite the achievement.
It’s almost like giving a 5 year old an active hedge trimmer asking it to throw it in the air and catch it again. I wonder if the sitting Judge will consider leniency whether the current to that trimmer had been switched on inadvertently. The quote “reported to police that her solicitor had inadvertently disclosed their new address to Alromisse in legal papers” seems to be part of all this. In addition we see “previous addresses or identities were inadvertently given to 46-year-old Alromisse by other bodies, including a bank and the Child Support Agency“, which is one clear reason why I do not bank online. You see, it is not just about this case specifically. The fact that I have been contacted on more than one occasion, whilst the marketeers were clearly selling me things (as marketeers do), based upon information my previous telecom provider had released to them.
Another gasser is the quote “the serious case review concluded that no one could have predicted or prevented the killing, which took place in Northiam, near Rye, East Sussex, on 11th September 2014“, in that regard, the joker in that part of the game should consider “five months earlier Lyndsey Shipstone, who had fled with her daughter to escape domestic abuse and violence“. The fact that this lady needed a safe house might be indicative of the fact that not just her, others too clearly perceived a danger to her life. You see a safe house is not just a place where you hide defected members of the FSB or MOIS, it is also where you could hide a person who prefers not to be beaten to death. #Justsaying
You see, it is not the act that is the issue. The quote “After a thorough independent review, the LSCB concluded, as did the investigating police officers, that the father planned and carried out the killing in a secretive way, using the internet and a range of covert methods to trace the family and obtain the means to carry out the murder“, so there was an online path that lead to the victims. Now, I will accept that if the mother had posted selfies with geotracking on Facebook with texts like ‘Here we now safely are‘, there is a clear case of the mother losing the plot, but that is not it, is it? Apart from legal papers that could have inadvertently contained information (which is still very wrong), it is more the issue that, as stated ‘including a bank and the Child Support Agency‘, I have to ask the question, is this an institutional failure? In addition, when I see the quote “It called for assurances from agencies that systems were in place surrounding information about vulnerable people that should not be revealed”
Which agencies and what systems? Did anyone consider not logging information on something this volatile and currently implied to be non-protective? There is one other part in the article that I find debatable. The quote “there is no evidence this information did actually allow him to track them down. In fact, it was a period of some six months after details had been disclosed to him before the mother raised concern, and in that time there is evidence the father had still been using the internet to try to trace them“.
You see if that is all true then an IT expert could have given loads of Intel on how the address was sought and how it was found. Perhaps after 2 hours of seeking an not finding anything, he might have read the legal paper stating;
Victim A, currently residing at 68 shoot her dead lane, [insert postcode] Northiam. Yes, that made it hard, did it not? And as for the time lag, how many non-law students/professionals do you know that read legal papers to the degree they should? So whilst I see the part at the end where it reads “what we want all agencies to be mindful of, is that social media and powerful internet search engines make it increasingly difficult for families fleeing violence to rely on their whereabouts remaining secret. This needs to be considered as part of safety planning and guidance given to those at risk“, there has been no mention of not entering certain data online and keeping that info off-line in a folder that is in a locked cabinet, with perhaps only a reference number. Is it me or have I oversimplified the issue?
This is what is at the centre of all this, the consideration to remain off-line. You see, when it is offline, the average person cannot accidently reveal that information, and in addition the requesting party would be required to talk to the person that has access to the paper, the person, not some code for access. It is an issue that will be evolving in the near future for many reasons. No matter what excuse Apple used (valid or otherwise), the fact that the breach was a result of vulnerabilities in Apple’s password security system, enabling persistent hackers to guess the passwords and security questions of select users. So what were these ‘persistent’ hackers? How persistent makes for how many guesses? These parts were not given, my guess is, is that it has been likely more than three times. I have seen similar issues with Skype passwords. This goes further than just quality control. It is of course part of it, but the evolution of systems shows now more than ever the need for better security control on applications and more important, on data. The idea that Child services endangered the child is more likely the stuff of nightmares for those working there, but how was it revealed? Without better insight in how things happened, there is no way to tell but the fact that the wrong person got access and accidently revealed it to the wrong person is now more likely than not.
A linked issue could be seen in the Sydney Morning Herald (at http://www.smh.com.au/digital-life/consumer-security/massively-negligent-childrens-photos-audio-recordings-released-after-toymaker-vtech-breach-20151201-glc7ps.html), where ‘children’s photos, audio recordings released after toymaker VTech breach‘. The article being useful in more than one way I might add. The quote “A breach of almost 4,854,209 parents and 6,368,509 kids’ online accounts” should scare any parent senseless. The article which was published on December 1st 2015 gives way to more parts. In one instance is the April 20th article (at http://www.smh.com.au/business/banking-and-finance/banks-fret-data-breach-law-will-stir-fear-about-digital-economy-20160419-goai8n.html), which is about the quote “Banks have warned the federal government that a proposed law requiring mandatory notification of serious data breaches risks stirring up fear about the nation’s transition towards a digital economy“, which starts the story, with mentions that there are issues with the situation as a whole. The banks make various valid cases, yet when we get to “the proposed law as being convoluted and warns it could dampen public confidence in the digital economy that the government wants to encourage“, you should consider that there are various online issues and the banks are currently losing the cyberwar, not winning it. Now, there might not be direct threat to life in this case, yet the fact that criminals are getting better at getting to your money and there is too much unclear regarding issues like the responsibility of the users regarding safeguarding passwords. There are issues all over the board and the fact that more and more applications are using shared libraries on desktop and mobile, which does not guarantee added security, far from it. One flaw is all that is needed to get multiple access to data sets. And as you might have noticed, there have been way too many flaws in IOS, Android and Windows (although I personally believe that the amount of windows flaws have grown exponential to the sum of both IOS and Android flaws. There is an additional problem, as there is a time lag between finding the flaw and fixing it. When the development teams find them it is one thing, when they act reactively because a third party had found them it becomes another matter. Now, the reality is, is that not all flaws are about personal details or data matters, but some are!
So was this mere an institutional failure through personal actions, or was it a cyber and IT issue? The issue would be easier if the report was available, but let’s take a look.
You see, The East Sussex LSCB is at http://www.eastsussexlscb.org.uk/, which looks ok, but when you take a simple deeper look (at http://www.eastsussexlscb.org.uk/index.html), we see the Parallels Plesk Panel, with the text “To log in to your Parallels Plesk Panel, visit https://www.eastsussexlscb.org.uk:8443“, now this does not give away the farm, but it raises questions, on why the page is there in the first place. Ah, but the plot thickens!
You see (at https://www.youtube.com/watch?v=LTpmZvcIZIM), there is a video on how to exploit the zero day exploit, and the video was published on 5th Sep 2014, 6 days before the murder! It shows precisely how to get into the system and how to get the information out of such a system. Now we have ourselves a ballgame, don’t we?
No matter when it was fixed, this video gives the goods to get access to the system, meaning that other children could have been and even might be in danger. So what does the report (at http://www.eastsussexlscb.org.uk/wp-content/uploads/SCR-Child-P-Overview-Report-Published-March-.16.pdf) say?
The report gives some of the goods at 3.5, where we see: “Child P’s address and important details of her mother’s circumstances were inadvertently disclosed by a number of public and private bodies during the period covered by the review, though there is no evidence that this is what enabled her father to locate her“, the intended outcome is “Agencies have in place good systems which identify information about vulnerable service users that should not be disclosed. Staff in all agencies are trained to use the agencies system and to understand the significance of this issue“, which sounds decent, but the zero day exploit their own web system has shown a flaw meaning that these systems are not to be trusted. If even one person has shared login and passwords, the security in there is pretty much null and void.
There is an important element in , here we see “It is also now believed that the father had accessed information about Child P and her mother from Facebook. This may have included information that the mother had a new partner and that Child P had been baptised in her local village church“, which is beyond belief! So, you need a safe house, but casually place your actions on Facebook? I am shaking my head in disbelief! Still, the point was added, yet when did these events take place? Is there any evidence that the father accessed those records? In addition, the fact that the flaws of the IT system did not make it into the report, especially in light that the video shows a step by step guide on how to get into such a system is equally a failure on the investigating body of the LSCB. I will agree that this was not the most likely intrusion, especially in light of given information on Facebook. Yet, especially in regards to items 22 and 23 on page 63 gave realisation of the fear of finding out, which places some issues with item  aforementioned and who placed what information exactly and on which Facebook account?
What does seem to be the case is that the death of Child P is a slightly bigger mess than either the Guardian or the BBC give vision to. I think that the failure was larger and due to the missing IT part more of an institutional failure than most realise, the fact that no clear guidance of non-social media actions might be in play as supportive evidence to that view.
As I see it, it was a preventable loss and the ‘defence’ “Although the review is clear that professionals could not have prevented this death“, is one I personally cannot agree with.