So one thing that keeps coming up is thoughts like, “but if someone wants to find a way in they will”. This is mainly from customers of Baby’s Days who seem to be saying that the 2 security issues I’ve found on the system, one about photos and the other abut parent comments not being stored securely, have come about because I’m “looking for issues”.
The two flaws I’ve posted about, I was not “looking” for; the first a parent told me about after he found it out by accident trying to download his child’s photos in bulk (as parents can not bulk down their children’s photos from their logins). The second came up after I was looking at URL strings trying to find out if my own photos were stored somewhere on my own laptop in a temporary folder. Both issues have cropped up quite by accident, there was no looking or probing involved.
Some other customers have also suggested that the same issue could come up with any of the EYFS online software providers and with this post I’m really hoping to clear up that misconception.
Before I continue it I want to make it clear that the issues I am talking about below aren’t necessarily connected to Baby’s Days uniquely, I am talking about computer programming as a whole.
The first question is, “Is it true that a determined “hacker” could get into any internet system if they tried hard enough?” I’m not really qualified to answer that question with 100% certainty but from briefly reading around this area, it seems that if someone was dedicated enough they would find a way into almost any system. As I’ve posted before Baby’s Days claims of being 100% secure are ludicrous but obviously some systems are easier to get into that others and some people are better at getting into them than other people.
So does this mean those that claim, “it’s ok that you found these flaws Hayley, anyone can find flaws in anything if they try hard enough” have a valid point? It is my opinion that these people are missing the point somewhat; whilst their opinion is true it is rather short sighted. I will try and explain this with a simple analogy.
All houses are houses and if you try hard enough despite the best security systems there will probably always be one clever burglar that could get in if he or she really wanted. If you had a suitcase of cash which house would you put it in?
House 1: The house with every external security system going, it was designed by an award winning architect and the structure is perfect.
House 2: This house has all the same features as house one in terms of external security. But it was the first house this builder had ever made, and he didn’t quite get all the bricks lined up properly and there are a couple of little cracks here and there.
They are both houses, but you’re going to put your suitcase into house 1 aren’t you? This is because although both houses carry the risk of getting broken into by some burglar, house 1 carries less risk than house 2.
So yes, “anyone can find flaws in anything if they try hard enough”, but the point is some systems are considerably harder than others to access. It is deeply unfair on those systems that take time, money and effort to ensure the programme they create is on par with the award winning architect in House 1, to simply shrug issues like this away.
I understand that people don’t need the added stress and worry in life of thinking too much about these things and it’s far more convenient to just hope for the best. But as a practitioner that should be working in accordance with the Data Protection Act, “well these days shit just happens doesn’t it?” wont curry any favours with the ICO unfortunately.
Please put that new feature of bulk download to good use and download your system to your home computer daily. You really don’t want to be in the position I am in right now.