Baby’s Days have fixed the Picture links on the Demo Site!

Hey readers, sorry again about the lack of blog posts this week!  Things are just so insane planning my wedding and working as a childminder; the blog will have to slow right down but there is still plenty of material to cover including a very sensitive issue with the legalities of Childminders using Baby’s Days.  I’m waiting for absolute clarity on this from The Information Commissioners Office before blogging properly but hopefully early next week I will know more.

If you are concerned about this in the interim as many seem to be on Facebook, you should read this and contact the ICO directly; note that you don’t have a contract with Baby’s Days, you accept their T&Cs.  I am more than sure if you approach Baby’s Days you will get their rose tinted view and not the actual facts to say the least, so the impartial link should help with that.

Today’s blog post is a quick one.  A while ago I posted about how individual photos were able to be viewed without any authentication by the person attempting to view them.  Baby’s Days fixed the issue whilst insisting I was a lair, but I proved the loophole was still present in the demo system in a follow up post; which you can read here.

Baby’s Days still insist that I was lying and that all individual photos required validation (which isn’t true as you can read from the comments in the blog, customers reported their photos were not individually password protected), Mark Kahl the director of Baby’s Days insists I am a liar and continues to post comments such as this in the official Baby’s Days Support Group:

Mark-Kahl-calls-me-a-bad childminder againAnyway, the reason for this blog post is because now photos on the demo do require authentication, isn’t that a bit weird.  Why has it suddenly changed?  These are the questions that Baby’s  Days customers should be asking.  Please make sure you  backup your data and don’t record data on any aspect of the system that can not be backed up.

I promise to blog later in the week, I’m going to blog about a company called Orange Moon and also about a childminder who encountered an inspector who was not so keen on Baby’s Days.  I’d also love to hear form anyone that has provided Baby’s Days with any planning records or other intellectual property over the years for another blog post I’m drafting.

Hope you all had a fab easter and that Tuesday doesn’t hurt too much!

Have I found another flaw?

Before I start this post, I should clarify that I’m not a very technical person, I don’t know much about computers beyond basic functions such as web browsing and word processing.  I have a vague idea that programmes are written in code, but beyond that I know no more.  I know that you can look many things up on Google and that wikipedia is a great resource.

Given this complete lack of IT knowledge, it’s a little concerning that I may have found another security flaw on Baby’s Days; to clarify this flaw is on the Demo site and on current customers sites.  You can see if for yourself, it’s not straightforward but I’m happy to talk anyone through it if they would like to see it for themselves.

The flaw is an issue that most IT people would label, “unsecured data at rest”; this means that when the data has been sent to the server securely, it is then stored in an unsecure manner.  The data in question is parent comments.  The parent types the comment in on the photo (I’ve only tested this on diary photo comments), the comments are then sent to the server via encrypted transfer and then they are stored on the server logs in plain text – which sort of makes the encrypted transfer rather redundant in my opinion!

This means that anyone at the server end (ie. Data Centre employees and thirds party contractors and Baby’s Days employees) can read all the comments parents place on diary photographs.  Without getting too complicated, the programme absolutely does not need to be written in this way and Baby’s Days could easily make the storage of parent comments more secure.

Here is a screen shot to give you an idea, the screen shot is from a demo, but this will also happen on your own system.  As you can see I have underlined the parents comments and you can see they are stored in the URL log, which is then sent and stored on the server.  Click on the photo to make it bigger.

Given that Baby’s Days stated I was lying about the last security issue regarding photographs, then I expect this issue will also be swept under the carpet in the same way.  Like the last issue, I emailed Baby’s Days to inform them of the flaw 48 hours before I published my blog.

Ok, so some of you reading this might be thinking, “so what, does it really matter that people can read my parents comments?”

The answer to this will vary from person to person and ultimately I’m only writing about this due to Baby’s Days 100% secure claims, this is another post that suggests it’s not 100% secure.  The way this part of the system has been written appears at best bad practice and and worst unsafe.  Is this the result of using possibly incompetent freelancers?  I would have hoped that freelance developers would be competent at developing secure systems – or at least following some basic best practices which doesn’t seem to be the case here at all.

But at any rate, in my opinion that’s not really the question you should be asking. I think the more important question here is; “If a childminder with no knowledge of computer programming can find 2 security issues with the system, how many could someone with more experience find?”


Baby’s Days isn’t ISO27001 Accredited.

A reader has sent me a message through the blog asking me if Baby’s Days are ISO27001 accredited as it seems to suggest they are on their webpage.  Here is the message I was sent:

“You’ll notice on the babydays website they show the ISO 27001 accreditation logo. I’m pretty sure (from my brief checks) that they don’t have accreditation – and are falsely claiming so by use of the logo. I don’t have time but hope you might be able to look into this?”

So are Baby’s Days ISO27001 Accredited is the question?  No is the answer.  Read on if you want to hear the long version…

For those that don’t know, ISO27001 is a certificate given to companies to add credibility to their data handling and demonstrates that a product or service meets the expectations of customers.  It essentially shows that a company has information security risks under control.  The Data Centre that Baby’s Days use has this accreditation, but Baby’s Days / Sys IQ itself do not even though the logo appears on their website.

Baby’s Days software ie. your actual person Baby’s Days domain, is not ISO accredited, so where the Baby’s Days website says,

“This certification means that you can rest easy, knowing your system and confidential data is being managed to a rigorous set of standards, processes and industry best-practices which are regularly reviewed to ensure ongoing compliance and improvement.”Source

it’s not totally accurate.  What is should say is that your system and confidential data is being managed by the data centre to a rigorous set of standards.  It’s no confirmation or guarantee it’s being handled using best practices by Sys IQ Ltd / Baby’s Days themselves, so it’s a bit misleading to feel like you can, “rest easy” in my opinion.

It is also important for people to be aware that the actual system itself, or how Sys IQ Ltd store and process your data is not covered by the data centres ISO certification or nor is it offered by any other guarantee or certificate for that matter.  The actual data could be in the safest place on the planet (and in fairness they do use a very secure storage site, just like many other EYFS software companies do), but if data is accessed via your system (as I showed last week photos could be accessed without a password) itself then where the data is being stored is irrelevant.

So, to summarise, am I saying the system is unsafe?  No.  Am I saying they should be accredited?  No.

I am clarifying the (in my opinion vague) information from Baby’s Days website so that readers are aware of how unregulated this area is and I’m saying that SYS IQ / Baby’s Days are not accredited and do not necessarily follow best practice guidelines regarding security risks as set out in ISO27001.  I am also saying that this is no certificate/accreditation to ensure your actual system is 100% secure as the website claims.

You can check a companies accreditation certificates by clicking here.


Are Baby’s Days denying that photos could be accessed without a password?

The short answer to this is that yes they are denying it, even though many people commented on the blog and messaged me on Facebook to say they could see photos without needing a password.

I’ve frequently contacted Baby’s Days to ask if they want to comment on any blog posts and they always ignore me.  They know how to contact me if they do want to clear up any possible discrepancy I may have posted.  Yet they have never contacted me to clarify the content of anything I have posted.

This is because everything posted is 100% accurate. 

Some of his supporters believe that I am able to make up “lies” under free speech rights, but free speech doesn’t give you the right to lie. The reason I can continue to post these things that reflect badly on Baby’s Days is because they are all true and I can prove they are.

So as I say, until Wednesday there has been radio silence from Mark Kahl director of Baby’d Days regarding the factual content of this blog.  During my recent posts I’ve pointed out that photos could be accessed without a password.  Did Mark Kahl contact me to clarify issues on my latest post? No.  Did he issue a statement detailing how safe and secure his system is? No.

Instead he chose to post in the Facebook support group essentially calling me a liar.  Bear in mind a good portion of his customers have been banned from this group run by Kel Thomas so for their benefit here is what Mark Kahl, director of Sys IQ Ltd had to say about my latest blog post and how he has gone about reassuring you all that your data is “100% secure”.

1 2 3 4I’ve edited the post so you can just see the posts made by Mark Kahl, but if you would like to read the entire conversation between group members then click here.

The latest blog post was brought to my attention by a parent via the comments section of this blog, you can see the comment here.  After checking with some technical friends, I was informed that other parents could in theory access data in the way described by the parent, if the system was set up in the same way as it was at this nursery.  I then asked some blog readers that still use Baby’s Days to send me links to their photos so I could see if I could view them without their passwords.  Only after checking this information did I publish what the parent had mentioned.

It is 100% accurate to say that individual photos were able to be viewed without any authentication by the person attempting to view them. Anyone with the right information, and time, could have been able to determine and view anyone’s images on the system without ever needing to log in to babysdays.

How they can publicly deny this happened and call me a liar when everything points to the contrary is beyond me.  They are obviously just counting on their customers blind faith and assumptions that this company wouldn’t put their data at risk.  Obviously I am seeking legal advice as both Kel Thomas and Mark Kahl are publicly defaming me.

Given that Baby’s Days refused to update my system after advertising monthly updates, then terminated my account with no legal justification and then (maybe?  They wont confirm) deleted parts/all of my data illegally and in direct contradiction of the Data Protection Act and the advice of the Information Commissioners Office is surprises me enormously that anyone can believe a word that comes out of Mark Kahl’s keyboard!?

My message is clear.  Make sure ALL of your data is backed up, your documents, your notes, you dairies, registers, photos, the lot.  Use this company with your eyes wide open or you may find yourself in the same position as me unfortunately.

Am I making it up?

No I am not.  It’s a fact that individual photos are able to be viewed without any authentication by the person attempting to view them. Anyone with the right information, and time, would be able to determine and view anyone’s images on the system without ever needing to log in to babysdays.

This is a short simple post.  Apparently I am making this all up (so the parent that noticed it and the email Sys IQ sent him doesn’t exist then?) and there is no problem with the photos.  I will be posting in more detail tomorrow night but for now, do this if you are a Baby’s Days user and you think I’m on a Witch Hunt you can try the following and see for yourself.

Go to a photo in your diary section.

Right click your mouse button.

You will see something that says something like, “copy image URL”.  Copy the URL into Notepad or Word or similar.


Log out of Baby’s Days.

Paste the URL back into your browser (ie. Firefox or Chrome) and it will load the photo.  You will be able to see the photo even though you are not logged into baby’s days.

With some manipulation of the URL some people will be able to navigate to other children’s photos.  (The following was added at 23.41 on the 18th Feb after a few messages from people still confused)  The parent who informed me of this is using a Baby’s Days system that has the directory listing feature of Apache turned on.  This enables people to navigate through the directory structure of all images if they have one URL.  Hopefully this makes more sense?

Parents have the URL for their own children’s photos so they already know the URL for their own child’s photo.  Even if the directory feature is turned off, a parent can still gain access; they would need to alter the URL to access a different child’s photo.  That’s why a parent made this discovery, not just a random person (Thankfully!)  If you wanted you could write a computer programme to generate all the possible URL combinations and you would have access to every photo.  It’s not a simple as changing a digit there and here, the URL includes a JPG name that is random and also possibly a time and date stamp.  It wouldn’t be very easy to guess it, but it is possible.  Each individual photo should really be password protected.

If you log in as a parent and look for yourself as Mark Kahl has advised customers (to reassure you all it’s nice and safe), of course you will only be able to access your own child’s photos.  As I said, it’s a code problem, not a simple navigation front end error.  It is to do with the authentication of the code that has been used and the way in which the photos are named and dated as they are uploaded to the server.

The individual URLS for each child’s photo can, with some skill, not just by anyone, be second guessed and certainly can be easily guessed by a programme made for this purpose, it’s called image harvesting.  And because you don’t need to log in to see links to photos anyone can access anyone else’s photos.

Hope that clears it up.

Sorry I had to post this explicit set of instructions, which I omitted form the first post for security reasons.  I hope it doesn’t effect anyone’s business, but I will not be called a liar by Mark Kahl and this is the only way to prove that what I am saying is true unfortunately.

Edited at 2pm on Thursday 19th Feb.  I downloaded a demo, I uploaded a photo, here is a link to the photo.

You can see my photo even though you are not logged into my demo site.  Individual photos do not have a password, this is what I’m tryng to explain.  No doubt they are going to try and say “it’s different security bexause it’s only the demo site”, but that’s not true.