Brit MP Dorries: I gave my staff the, um, green light to use my login

UK MP Nadine Dorries revealed yesterday that she shares her parliamentary login information with her staff. This was an attempt to defend recently resurfaced allegations about porn allegedly found on fellow politician Damian Green's office computer. Tweeting on Saturday, Dorries disputed the assertion that only Green could …

  1. Sean o' bhaile na gleann

    Well, Nadine - that's you out of the running for any meaningful job in parliament. You'll only ever be a lightweight 'talking head', someone to fill a few seconds of dead time on the TV news (Hopefully!).

    Honestly with attitudes like this, how is Joe Public ever to be expected to take security seriously?

    1. Jason Bloomberg Silver badge

      More likely she will be well rewarded for her loyal efforts to defend Green from the accusations he faces.

    2. Anonymous Coward

      "that's you out of the running for any meaningful job in parliament."

      Really, Why is that? No-one who will have any say in her job prospects will care one little bit - I wish they would. We know how ridiculous it is that everyone in her office that logs onto the government network will be using that same login. The parliament's IT team will be aghast and pulling their hair out.

      However do you really think that any prime minister or chief whip will think - "oh won't touch her, she shares her password". I wish they would, but not a hope. Even the fact that this has only had a few brief mentions and no public outrage shows how little interest there is. Even with known foreign agents actively trying to get into systems - she's just provided easy access via an intern (and publicised the fact, FFS)

      Wait until an MP tries to criticise the NHS for the spread of Malware and then bring it up though.

      1. Prst. V.Jeltz Silver badge

        Too important to ...

        Every single time I have been upstairs to look at the PC of a person important enough to have a secretary PA, the PA knows the password.

        1. rmason

          Re: Too important to ...

          Mirrors my experiences exactly.

          I'm amazed that *anyone* is amazed.

          This happens so frequently, and at so many places it's practically standard practice.

      2. Anonymous Coward

        However do you really think that any prime minister or chief whip will think - "oh won't touch her, she shares her password". I wish they would, but not a hope.

        In a world where there are competent people (so, OK, not our world), this would fix itself. If she was to achieve any kind of high office she would need to be security vetted, and she would fail that.

      3. macjules

        Wait until Damian Green realises that he can just go into her office, ask an intern for Nadine's username and password and go back to his office and download more porn using her account.

        1. Dave 126 Silver badge

          > Every single time I have been upstairs to look at the PC of a person important enough to have a secretary PA, the PA knows the password.

          Indeed, and an 'important person' often has staff with access to snail mail and paper files too.

          There is the issue of a constituent having a reasonable expectation of correspondence addressed to an MP only being read by the MP or by a very limited number of others - five or six seems excessive. However, if a topic is really sensitive or confidential, then perhaps seeing the MP in their surgery is a better option. Or, as in one episode of Yes Minister, hiding in the bushes outside their front door.

        2. CustardGannet
          Facepalm

          @ macjules

          "Wait until Damian Green realises that he can just... ask an intern for Nadine's username and password"

          I can probably tell you her password right now, it'll be 'N4d1n3'

          1. Doctor Syntax Silver badge

            Re: @ macjules

            "it'll be 'N4d1n3'"

            Too hard. More likely 'nadine'.

            1. FlamingDeath Silver badge

              Re: @ macjules

              qwerty12345

    3. Gotno iShit Wantno iShit

      Honestly with attitudes like this, how is Joe Public ever to be expected to take security seriously?

      A great many do take security seriously. Less take backbench MPs nobody ever hears of seriously. Virtually nobody takes I'm a vacuous wannabe 'contestants' seriously.

      1. BebopWeBop

        It does not appear to have presented a problem for the Foreign Secretary.

    4. Anonymous Coward

      Wonder if she still shares her passwords about?

  2. Anonymous Coward

    Sends a terrible message.

    Essentially she's saying you can't prove someone is at the keyboard just because they've logged in.

    So should we no longer hold those with access to sensitive/secretive information to account then Nadine? Shall we just give all clinicians a generic log and forego any legal or moral obligation for accurate recording of information?

    Mystifies me why the more senior you are in a role, the less accountable you think you are. You should be setting an example others are held to. She should be fired.

    1. Doctor Syntax Silver badge

      Re: Sends a terrible message.

      "Essentially she's saying you can't prove someone is at the keyboard just because they've logged in."

      Sadly, this is true. If senior managers in business need to have their emails printed out to read them what can you expect of MPs whose only essential skill is chatting up their constituencies' selection committees?

      1. macjules

        Re: Sends a terrible message.

        Rubbish. Look at programmes such as Sentinel which use biometric data to record not only your face but also your keyboard 'manner'. Those can certainly be used to set up specific data recording of an individual's actions.

    2. My Alter Ego

      Re: Sends a terrible message.

      Well, the public voted her in so of course she should be more trustworthy than us plebs. I can't wait for Damian Green to start claiming that it must have been a member of his office, because he too shares his credentials.

    3. Chrissy

      Re: Sends a terrible message.

      "Essentially she's saying you can't prove someone is at the keyboard just because they've logged in."

      This is the REAL payload of why she said this; she was sent out to perform a diversionary tactic and embed doubt into the public mind .... essentially to implant the thought "was it really him or one of his staff? I guess we'll never know, let's see what the X Factor result is."

      1. John Brown (no body) Silver badge

        Re: Sends a terrible message.

        "essentially to implant the thought "was it really him or one of his staff?"

        Hmmm...that should liven up the court cases for so-called online piracy claims. "Well, yer 'onour, everyone knows my password is 123456, so it could have been anyone torrenting all those films." Government ministers and MPs have set the precedent and created the doubt.

        1. Blotto Silver badge

          Re: Sends a terrible message.

          Hmmm...that should liven up the court cases for so-called online piracy claims. "Well, yer 'onour, everyone knows my password is 123456, so it could have been anyone torrenting all those films." Government ministers and MPs have set the precedent and created the doubt.

          Anyone with access to the locked premises who knew the password, unless you're going to bolt your monitor and keyboard (or laptop) to the outside of your house with a sign stating free access. I suspect they'll find you negligent though for allowing access to happen on your system without attempting to properly guard against illegal activity.

          1. John Brown (no body) Silver badge

            Re: Sends a terrible message.

            "I suspect they'll find you negligent though for allowing access to happen on your system without attempting to properly guard against illegal activity."

            Are you being criminally negligent if you trust the family you live with and don't treat them like the enemy?

    4. Charlie Clark Silver badge

      Re: Sends a terrible message.

      Essentially she's saying you can't prove someone is at the keyboard just because they've logged in.

      For liability you don't have to: it's negligence.

    5. Lysenko

      Re: Sends a terrible message.

      Essentially she's saying you can't prove someone is at the keyboard just because they've logged in.

      The more charitable (though unlikely) interpretation is that she understands plausible deniability. A highly secure password is a distinct liability if you're doing something nefarious that might be detected. Far better to ensure that the login credentials are as widely circulated as possible in such a scenario.

      1. Charlie Clark Silver badge

        Re: Sends a terrible message.

        The more charitable (though unlikely) interpretation is that she understands plausible deniability

        Depends on the jurisdiction but in general it will leave you liable if not necessarily culpable and possibly even an accessory.

        Cf. the recently withdrawn German law on Störerhaftung (operators of free wifi being held liable for crimes committed using their network). Or anyone outside the US not keeping firearms safely locked up.

        1. Lysenko

          Re: Sends a terrible message.

          Depends on the jurisdiction but in general it will leave you liable if not necessarily culpable and possibly even an accessory.

          Unless you can prove mens rea beyond all reasonable doubt then under English law you're almost certainly looking at a negligence action in tort (civil law) at the most, if you can locate an injured party.

          To establish criminal negligence you would have to prove that the specific consequences of the sloppy security were reasonably foreseeable and, in practice, you almost always need a consequence of death or severe physical injury. There are no "Administrative" offences in English law - you're either a criminal or else someone has to sue you for damages.

          1. Charlie Clark Silver badge

            Re: Sends a terrible message.

            Unless you can prove mens rea beyond all reasonable doubt then under English law you're almost certainly looking at a negligence action in tort (civil law) at the most, if you can locate an injured party.

            There currently is no criminal case but the argument would be over confidentiality, potentially of state secrets in which case the Crown would be the injured party. In such a hypothetical case I don't think that "all my aides know passwords" would wash that well and I suspect Special Branch may already have had words.

    6. The_Idiot

      Re: Sends a terrible message.

      "Essentially she's saying you can't prove someone is at the keyboard just because they've logged in."

      Sadly, true.

      However, it also (to me at least) illustrates where biometric _identification_ can serve a purpose. NOT AS A PASSWORD. Oh - and if I didn't shout that loudly enough, NOT as a #%#$%^%^& _PASSWORD_!

      A combination login using the individual's account name, the individual's password _and_a_scan_of_biometric_data_ would potentially help identify whether it was MR/ MRS/ MS MP using his/ her details or some other identifiable individual. And I say 'potentially' and 'help' because I freely accept biometric scans (in their variety of forms) are not unbreakable.

      But it would help. Maybe.

      'Pr0n was downloaded at 11:00, Sarge. Mr MP was logged in, but the fingerprint scan said it wasn't him, it was his PA/ intern/ tea-person.'

      Incidentally, at the risk of sounding paranoid, said biometric scan should be repeated on logout, before logout takes place, and on every 'go to sleep' timeout. That way, you have a chance of knowing it was still the same individual, and not someone using the account they didn't logout of while they went to the washroom, out for a smoke break, off to lunch etc.

      Biometric. Who-I-am. Of course, I'm an Idiot...

      1. Anonymous Coward

        compulsory one handed typing

        Agreed, a fingerprint reader that requires five fingers to be in contact with the scanner at all times would greatly reduce incidents of this type.

  3. Anonymous Coward
    Mushroom

    I don't understand this

    In most places I've worked in recent history sharing your password would be an escort-you-out-of-the-building offence (OK, I was often a contractor: it might have been only a written-warning offence for employees). These weren't big official-secret type places. (Looking at porn on work computers or networks would have a similar punishment -- there's a reason for the 'NSFW' tag people put on things which are, well, NSFW: quite independently of whether looking at porn is wrong, it is clearly wrong at work.)

    But this is OK if you are an MP, because MPs don't do anything which might be at all sensitive, right? It would not matter at all if some intern sent mail, or posted to Twitter or whatever, from an MP's account. Indeed, it's convenient that they can: 'all those racist comments from my account, those weren't me they were some intern'.

    And these are the people who want to legislate as to whether we can use strong encryption. What the fuck is going on in their minds?

    1. Darth Poundshop
      IT Angle

      Re: I don't understand this

      "And these are the people who want to legislate as to whether we can use strong encryption. What the fuck is going on in their minds?"

      Party politicians don't have 'minds' they have 'hobbyhorses' and 'spin'

      1. Dave 126 Silver badge

        Re: I don't understand this

        MPs can't be sacked in that conventional way because they are appointed by their constituents. If material found on a computer were grounds for an elected MP to be suddenly dismissed then there might be a chilling effect on democracy - it'd be too easy for a motivated party to place such material on the MP's computer if a change of MP suited their ends. They're elected as representatives, not as expert white hats.

        What's insidious about this Green affair is that the copper himself says he can't prove anything - in which case, why even mention it?

        1. Anonymous Coward

          Re: I don't understand this

          What's insidious is that this ex copper kept information he was supposed to destroy, then stole it when he left his job, kept it and eventually publicised it.

          What's his end game? A book deal? Become a talking head? Or is this just to try to bring down a Conservative minister? Nobody will ever employ him in a position of trust again.

          I don't buy the moral outrage line.

          1. Lysenko

            Re: I don't understand this

            What's insidious is that this ex copper kept information he was supposed to destroy, then stole it when he left his job, kept it and eventually publicised it.

            It's been a while since we've had a decent Contempt of Parliament action. I hope Bob the Plod realises that he can be banged up for this by Parliament itself (i.e. without bothering the CPS and the Courts).

        2. Anonymous Coward

          Re: I don't understand this

          That's right. So there should be a proper enquiry to establish how the data got there.

          If it got there because he shared his password then he is clearly a national-scale security risk, since he holds a senior role in government and is presumably therefore party to state secrets, including extremely sensitive ones. We probably do not want people who share their passwords having that kind of position.

          If it got there because he was looking at porn at work, then, well, I'm not sure what the right punishment is. Personally I would not want someone that stupid & distracted at work in my government.

          If it can not be established how it got there then the IT infrastructure that MPs use has catastrophic security problems. This is in most respects the worst outcome, because it means that we should assume a breach.

          1. Nick Ryan Silver badge

            Re: I don't understand this

            Password sharing is one thing, and a measure of both stupidity and contempt of security.

            Looking at porn: fine. MPs are, vaguely, in the most broad sense, sometimes passably human and therefore looking at porn is just fine with me. Of course, the rabid god-botherers, of which there are a number of them in the list of MPs, may feel otherwise but these probably have more "deviant" (in their eyes) porn habits to hide therefore may not shout too loudly just in case. Lithographs of Victorian ankles included (thank you, Daily Mash, for this one!)

            Looking at porn on a parliamentary system? The same system which the MP has access to material of national importance and possibly national secrets, is a thoroughly stupid, braindead thing to do. If it's a cache of images and possibly videos then I would be reasonably lenient however it's unlikely to be this and the morons are probably just browsing porn sites, using Internet Explorer. Such sites are likely to be only marginally less targeted by malware than "warez" sites and the click-bait-trash "listicle" and "article" sites which tend to be 85% advert, 12% white space and maybe, just maybe, some content squeezed in there somewhere.

            MPs, and parliamentary staff, are meant to set examples to us all. If we fiddle our expenses we get fired and the tax man and therefore the courts take a very dim view of the situation. If we bribe people or accept bribes it becomes a criminal matter. If we violate security through providing privileged access to those that shouldn't have it we're likely to, at a very minimum, be given a formal verbal or written warning and in some cases, instantly dismissed. If we browse porn on work systems we can expect likewise.

            MPs, on the other hand, seem to feel that they are above all of this and any attempt to make them more accountable, or to enforce more accountability on them (one of the EU's aims) is considered a bad thing. A very bad thing indeed.

            1. Lysenko

              Re: I don't understand this

              If we bribe people or accept bribes it becomes a criminal matter. If we violate....

              If we make statements that are libellous or disregard Court injunctions then we are liable to be prosecuted ... and MPs are not ... at least not if the activity takes place inside the Palace of Westminster.

              MPs have several extra rights, privileges and immunities by design. That's why the original raid was controversial since it was, prima facie, potential interference with an MP in the conduct of his duties (which is Contempt of Parliament).

              What MPs, or rather Parliament as a whole, consider a bad thing is allowing the Judicial and Executive (i.e. the Police) branches of Government to inquire into the proceedings of the Legislature because it breaches the principle of separation of powers which was essentially the root cause of the Civil War.

        3. macjules

          Re: I don't understand this

          MPs can't be sacked in that conventional way

          Then we have to find an unconventional way. Would a lamppost and several yards of hemp do the trick do you think? Thankfully we do still have 650 lampposts in London.

  4. Neil McCauley
    FAIL

    Disturbingly common

    Dorries' shambolic approach to computer security is not exactly uncommon in politics. Things I've personally witnessed in the office of a prominent Scottish politician:

    Admin access given to all staff, including unvetted temps and volunteers.

    "You've brought your own laptop? Great, the wireless password is on the whiteboard."

    PCs left unlocked and unattended in an unlocked office while staff go for lunch.

    1. Anonymous Coward

      Re: Disturbingly common

      So you're saying it was an intern who sold all our gold?

  5. colinb

    Facepalm

    Ah the old he's not a Liar, he's an idiot, like me, defence.

  6. iron Silver badge

    So it is *utterly preposterous* to assume that the user sat at a Parliamentary computer is the user who is logged into it yet that is exactly the kind of assumption made when prosecuting a member of the public because their IP address was used to download MP3s, hack NASA or DDOS Sony. Clearly it's one rule for the pigs and another for the rest of the animals.

  7. Darth Poundshop
    Flame

    AAAAAAAAAARGAAAAAAAGAHHH

    ...AAAAAAAAAARAGAAGGAGGGHHH

    THESE PARLIAMENTARY DIPSHITS MAKE LAWS...AND DECISIONS ON NATIONAL SECURITY...AND ARE IN CONTROL OF BILLIONS OF OUR MONEY

    I can't take it any more, we might as well put a President Putin statue up in Trafalgar Square right now

    AAAAAARARARRAGGGH

  8. goodjudge

    Didn't care, won't care

    Remember that this is the same politician who "cares" so much about her constituents that she disappeared from Parliament a few years back to go on I'm A Celebrity... She's pretty much un-embarrassable and she represents an unswervingly true-blue part of the country. She knows there'll be no consequences for her.

  9. Anonymous Coward

    This stupidity aside, I don't understand why so much noise is being made about this. Even if the allegations are true, so fucking what? Just give him a slap on the wrist and move on, there are far more important things to be dealing with.

    1. Anonymous Coward

      There's two camps. One full of prudes who are shocked and appalled that someone watches porn and one full of balanced individuals who are aware that the police officers behind this story are leaking confidential information for political reasons. It's the second one that shouldn't be brushed under the carpet.

      Did that help?

      1. Anonymous Coward

        OP here, I totally agree but the media seem to have been focusing on the first one. The raid itself was bad enough, I haven't forgotten the uproar that caused at the time.

    2. Anonymous Coward

      He's already done too much wrist slapping.

  10. phuzz Silver badge
    Pint

    "Make the card part of their ID card so they are less likely to ‘loan’ it"

    Make it part of whatever ID they have to use to get into the subsidised Commons bar and they'll definitely not share it.

  11. David Gosnell

    According to the Times [usual disclaimers apply]...

    One of the ex-cops embroiled in this insists: "The computer was in Mr Green's office on his desk, logged in, you know, his account, his name. In between browsing pornography he was sending emails from his account, his personal account, reading documents, writing documents and it was just impossible it was exclusive and extensive that, you know, it was ridiculous to suggest that anyone else could have done it."

    You know. Well maybe. I sort of get what he's saying. You know.
