Are all systems built equally?

So one thing that keeps coming up is thoughts like, “but if someone wants to find a way in they will”.  This is mainly from customers of Baby’s Days who seem to be saying that the 2 security issues I’ve found on the system, one about photos and the other about parent comments not being stored securely, have come about because I’m “looking for issues”.

The two flaws I’ve posted about, I was not “looking” for; the first a parent told me about after he found it out by accident trying to download his child’s photos in bulk (as parents cannot bulk download their children’s photos from their logins).  The second came up after I was looking at URL strings trying to find out if my own photos were stored somewhere on my own laptop in a temporary folder.  Both issues have cropped up quite by accident, there was no looking or probing involved.

Some other customers have also suggested that the same issue could come up with any of the EYFS online software providers and with this post I’m really hoping to clear up that misconception.

Before I continue I want to make it clear that the issues I am talking about below aren’t necessarily connected to Baby’s Days uniquely, I am talking about computer programming as a whole.

The first question is, “Is it true that a determined “hacker” could get into any internet system if they tried hard enough?”  I’m not really qualified to answer that question with 100% certainty but from briefly reading around this area, it seems that if someone was dedicated enough they would find a way into almost any system.  As I’ve posted before Baby’s Days’ claims of being 100% secure are ludicrous but obviously some systems are easier to get into than others and some people are better at getting into them than other people.

So does this mean those that claim, “it’s ok that you found these flaws Hayley, anyone can find flaws in anything if they try hard enough” have a valid point?  It is my opinion that these people are missing the point somewhat; whilst their opinion is true it is rather short sighted.  I will try and explain this with a simple analogy.

All houses are houses and if you try hard enough despite the best security systems there will probably always be one clever burglar that could get in if he or she really wanted. If you had a suitcase of cash which house would you put it in?

House 1: The house with every external security system going, it was designed by an award winning architect and the structure is perfect.

House 2: This house has all the same features as house one in terms of external security.  But it was the first house this builder had ever made, and he didn’t quite get all the bricks lined up properly and there are a couple of little cracks here and there.

They are both houses, but you’re going to put your suitcase into house 1 aren’t you?  This is because although both houses carry the risk of getting broken into by some burglar, house 1 carries less risk than house 2.

So yes, “anyone can find flaws in anything if they try hard enough”, but the point is some systems are considerably harder than others to access.  It is deeply unfair on those systems that take time, money and effort to ensure the programme they create is on par with the award winning architect in House 1, to simply shrug issues like this away.

I understand that people don’t need the added stress and worry in life of thinking too much about these things and it’s far more convenient to just hope for the best.  But as a practitioner that should be working in accordance with the Data Protection Act, “well these days shit just happens doesn’t it?” won’t curry any favours with the ICO unfortunately.

Please put that new feature of bulk download to good use and download your system to your home computer daily.  You really don’t want to be in the position I am in right now.

 

 

Have I found another flaw?

Before I start this post, I should clarify that I’m not a very technical person, I don’t know much about computers beyond basic functions such as web browsing and word processing.  I have a vague idea that programmes are written in code, but beyond that I know no more.  I know that you can look many things up on Google and that Wikipedia is a great resource.

Given this complete lack of IT knowledge, it’s a little concerning that I may have found another security flaw on Baby’s Days; to clarify this flaw is on the Demo site and on current customers’ sites.  You can see it for yourself, it’s not straightforward but I’m happy to talk anyone through it if they would like to see it for themselves.

The flaw is an issue that most IT people would label, “unsecured data at rest”; this means that when the data has been sent to the server securely, it is then stored in an unsecure manner.  The data in question is parent comments.  The parent types the comment in on the photo (I’ve only tested this on diary photo comments), the comments are then sent to the server via encrypted transfer and then they are stored on the server logs in plain text – which sort of makes the encrypted transfer rather redundant in my opinion!

This means that anyone at the server end (ie. Data Centre employees and third party contractors and Baby’s Days employees) can read all the comments parents place on diary photographs.  Without getting too complicated, the programme absolutely does not need to be written in this way and Baby’s Days could easily make the storage of parent comments more secure.

Here is a screen shot to give you an idea, the screen shot is from a demo, but this will also happen on your own system.  As you can see I have underlined the parents’ comments and you can see they are stored in the URL log, which is then sent and stored on the server.  Click on the photo to make it bigger.
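The mechanism described above (comment text carried in the URL, so it lands in the server's request log in plain text even though the transfer itself was encrypted), as an added Python example that is not from the original post or from Baby's Days. It finds free-text parameters in constructed access-log lines and masks them before the line is stored; the paths and the `comment` parameter name are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed access-log lines. The paths and parameter names are
# hypothetical and are not taken from the real system.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2015:09:14:02 +0000] "GET /diary/photo/save'
    '?photo_id=1842&comment=Lovely+day+at+the+park%21 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jan/2015:09:14:05 +0000] '
    '"POST /diary/photo/save HTTP/1.1" 200 498',
    '198.51.100.23 - - [12/Jan/2015:09:15:40 +0000] '
    '"GET /diary/photo/view?photo_id=1842 HTTP/1.1" 200 20480',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
FREE_TEXT_PARAMS = {"comment", "message", "note"}  # assumed parameter names


def exposed_params(line):
    """Return the free-text parameters readable in a logged request URL."""
    m = REQUEST_RE.search(line)
    if not m:
        return {}
    query = urlsplit(m.group("target")).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in FREE_TEXT_PARAMS}


def redact(line):
    """Mask free-text values in the request URL; other fields are untouched."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    pairs = [(k, "REDACTED" if k.lower() in FREE_TEXT_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = parts.path + ("?" + urlencode(pairs) if pairs else "")
    return line[:m.start("target")] + target + line[m.end("target"):]


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(exposed_params(entry), "->", redact(entry))
```

The POST line exposes nothing because the comment travels in the request body, which a standard access log does not record; that is the design change that removes the problem at source, while redaction only limits what is already being logged.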

Given that Baby’s Days stated I was lying about the last security issue regarding photographs, then I expect this issue will also be swept under the carpet in the same way.  Like the last issue, I emailed Baby’s Days to inform them of the flaw 48 hours before I published my blog.

Ok, so some of you reading this might be thinking, “so what, does it really matter that people can read my parents comments?”

The answer to this will vary from person to person and ultimately I’m only writing about this due to Baby’s Days’ 100% secure claims, this is another post that suggests it’s not 100% secure.  The way this part of the system has been written appears at best bad practice and at worst unsafe.  Is this the result of using possibly incompetent freelancers?  I would have hoped that freelance developers would be competent at developing secure systems – or at least following some basic best practices which doesn’t seem to be the case here at all.

But at any rate, in my opinion that’s not really the question you should be asking. I think the more important question here is; “If a childminder with no knowledge of computer programming can find 2 security issues with the system, how many could someone with more experience find?”

 

Baby’s Days newest release.

If you are a Baby’s Days customer you may have been lucky enough to have had your system updated with the latest release.  Not all customers are eligible for all system updates so there may be some people missing out on this upgrade, if you haven’t received it contact Advertising Standards as they may be able to help as Baby’s Days clearly advertise monthly updates when you take out the subscription.

Anyway, the newest upgrade is a really cool looking bulk download feature.  I like to think I’m responsible for this newest upgrade after I pointed out in a blog post that it’s very difficult to back up your data.  This is probably why so many people thought it wasn’t necessary to back up data and there wasn’t a single mention of backing up in any of the 100s of training videos.

But now at least all customers have the ability to backup their data more easily which is fantastic news.  This means that (providing you back up regularly) Baby’s Days will never be able to hold your data to ransom as they have with me – excellent news!

Just be very careful with how you are storing your data once you have downloaded it your end.  Memory sticks are easily lost or broken and computers can suddenly implode.  If I were still using Baby’s Days I would back up the data to my laptop and then store it on Dropbox or similar before eventually moving it to memory sticks when a child leaves.  You may need to update your parent permissions to assess the changes on where exactly the data is being stored.

If you want more info on Dropbox and what it does pop back tomorrow when I will be blogging about how I use Dropbox to manage my paperwork now I no longer use Baby’s Days.

This week I’ll also be blogging about some handy tips that have been published in the Baby’s Days Support Group, as well as providing you with an update on the ICO situation and some details about other online EYFS providers and how they can’t be tarred with the same brush as Baby’s Days / Sys IQ Ltd / Mark Kahl.

 

 

Baby’s Days isn’t ISO27001 Accredited.

A reader has sent me a message through the blog asking me if Baby’s Days are ISO27001 accredited as it seems to suggest they are on their webpage.  Here is the message I was sent:

“You’ll notice on the babydays website they show the ISO 27001 accreditation logo. I’m pretty sure (from my brief checks) that they don’t have accreditation – and are falsely claiming so by use of the logo. I don’t have time but hope you might be able to look into this?”

So are Baby’s Days ISO27001 Accredited is the question?  No is the answer.  Read on if you want to hear the long version…

For those that don’t know, ISO27001 is a certificate given to companies to add credibility to their data handling and demonstrates that a product or service meets the expectations of customers.  It essentially shows that a company has information security risks under control.  The Data Centre that Baby’s Days use has this accreditation, but Baby’s Days / Sys IQ itself do not even though the logo appears on their website.

Baby’s Days software ie. your actual personal Baby’s Days domain, is not ISO accredited, so where the Baby’s Days website says,

“This certification means that you can rest easy, knowing your system and confidential data is being managed to a rigorous set of standards, processes and industry best-practices which are regularly reviewed to ensure ongoing compliance and improvement.” (Source)

it’s not totally accurate.  What it should say is that your system and confidential data is being managed by the data centre to a rigorous set of standards.  It’s no confirmation or guarantee it’s being handled using best practices by Sys IQ Ltd / Baby’s Days themselves, so it’s a bit misleading to feel like you can, “rest easy” in my opinion.

It is also important for people to be aware that the actual system itself, or how Sys IQ Ltd store and process your data is not covered by the data centre’s ISO certification, nor is it offered by any other guarantee or certificate for that matter.  The actual data could be in the safest place on the planet (and in fairness they do use a very secure storage site, just like many other EYFS software companies do), but if data is accessed via your system (as I showed last week photos could be accessed without a password) itself then where the data is being stored is irrelevant.

So, to summarise, am I saying the system is unsafe?  No.  Am I saying they should be accredited?  No.

I am clarifying the (in my opinion vague) information from Baby’s Days website so that readers are aware of how unregulated this area is and I’m saying that SYS IQ / Baby’s Days are not accredited and do not necessarily follow best practice guidelines regarding security risks as set out in ISO27001.  I am also saying that there is no certificate/accreditation to ensure your actual system is 100% secure as the website claims.

You can check a company’s accreditation certificates by clicking here.

 

New Year New Blog!

Hey everyone, I hope you all had a fab Xmas and New Year!?  Mine was very hectic with a house move, my birthday and redecorating a playroom all on the agenda – and I’m getting married this year too, so busy busy!

Anyway with most of you off work I decided not to update the blog over the festive period, I know a lot of people are anxious for me to get going again with the total visitor count now at 27,231 – how amazing is that!  Even though I am super busy (like most other childminders) I’m hoping to update the blog once a day every week day.

Why did you change the blog?
The blog now has a new domain name which means that it will become higher in Google search results.  So now when people Google “Baby’s Days review” this blog will pop up in the results.  With the old address the blog would never have reached high in the results.

Also as this domain is controlled by me, not Google, posts won’t just disappear because someone reported them to Google as “possibly” illegal.  Posts will only be removed if I remove them or a judge asks me to remove them.  If people want their names removed from the blog they can contact me directly to discuss this.

So this post will be about the new look and tomorrow I’ll be cracking on with more Baby’s Days stuff and the post about the Data Centre that I’ve had ready for weeks now, worried it might be a bit of an anti-climax now!  So anyway, some questions and answers you might have about the new blog below.  Maybe you can test it out by leaving me a Happy New Year message?

Can I still post Anon?
Yes you can.  Just fill out the reply section at the bottom of each post, it’s underneath any other comments that have already been left.  Put Name as Anon, email as Anon@anon.com

Can I still see all your old posts?
Yes on the left there is an Archive.  This is the first time I have ever had a blog so this is all new to me but over the next week I will do my best to get this blog to look as much like the old blog as possible.  You can also search for posts or use the categories or tags option.

Have you heard any more from Baby’s Days Solicitors?
No nothing.  They last sent me a letter that I blogged about here, and I have heard nothing since.  I have contacted them via their solicitors to ask where my data is, what they are planning to do with it, if it has been destroyed etc; they haven’t responded.

The Information Commissioner’s Office wrote to them regarding their withholding of my data.  Baby’s Days were supposed to respond to the ICO by Dec 22nd but they didn’t.  The ICO sent a second letter on the 22nd, “reminding them of their obligations”.  The ICO will be calling me about this tomorrow and I will update when I know more.

The Advertising Standards Agency are writing to Baby’s Days this week following their ongoing claims that “all customers” receive updates.  Which we all know is untrue.  Again I will update next week if Baby’s Days bother to reply to them.

Is there an ongoing Legal Case as someone on Facebook is claiming?
No, there isn’t.  The lady that keeps saying this obviously has been misinformed by Baby’s Days.

Ok, I think that covers it.  Anything else just drop me a comment, all subscribers to the old blog are subscribed to this one too.  See you tomorrow for the Data Centre post.