Roundel91 Posted May 22, 2017

Given the suspicious lack of reason for UKARA being down for so damn long, the sceptic inside of me reckons there has been a serious data breach. To that end, if there has been and our personal info has been compromised, what recourse do we have for them failing to keep our info secure? As someone mentioned above, a full name, address and date of birth is plenty of info for an identity thief to start with. I have sent an email to UKARA expressing my concerns and asking for reassurance that this isn't the case. I can't see them admitting it if it has happened either.

Sacarathe Posted May 22, 2017

16 minutes ago, Roundel91 said:
> Given the suspicious lack of reason for UKARA being down for so damn long, the sceptic inside of me reckons there has been a serious data breach. To that end, if there has been and our personal info has been compromised, what recourse do we have for them failing to keep our info secure? As someone mentioned above, a full name, address and date of birth is plenty of info for an identity thief to start with. I have sent an email to UKARA expressing my concerns and asking for reassurance that this isn't the case. I can't see them admitting it if it has happened either.

IIRC the law is pretty tough on data retention and maintenance. Lots online about obligations for holding that kind of data. If their database was taken... Data Protection Act. Be sure you mention it.

Albiscuit Posted May 22, 2017

Plenty of good points. Personally I have got this far without a UKARA number so it's not really bothering me, so I suppose you're right, others must be finding another way too.

Roundel91 Posted May 22, 2017

1 hour ago, Sacarathe said:
> IIRC the law is pretty tough on data retention and maintenance. Lots online about obligations for holding that kind of data. If their database was taken... Data Protection Act. Be sure you mention it.

Well, I have pinged them an email asking for assurance as to the security of my information and voiced my concerns. We'll see what comes back but I doubt they'll fess up if it was true. Tbh, considering they are the 'industry standard' when it comes to having a valid membership to prove your defense, they are doing a crap job. If I were a retailer I wouldn't be affiliating with them again.

Roundel91 Posted May 23, 2017

Well, I got a prompt response from both the UKARA admin and Frank from Fire Support.

Dear Jack

I understand your concerns. The database is and has been secure, no information has been accessed by unauthorised third parties, the old system had become incompatible with latest server requirements and had to be mothballed while a complete new system is being written using the latest coding.

Because we have a great regard for security it took a little time initially to find a programmer we would trust, there are plenty of third world offers for web site and database construction but we were not comfortable with that option.

The rewrite is almost finished and has been done by a programmer with military security clearance, so we are confident that the information is and will remain secure.

Best Regards
UKARA Admin

Any advice, comment, or opinion is given purely on the understanding that it has no legal status and UKARA and its representative will not be held responsible.

proffrink (Root Admin) Posted May 23, 2017

Not sure I buy it. You don't deploy a new website by taking down the old one for days first - no 'military clearance programmer' would see that as a viable way to roll out a new project. I can see truth in them migrating it somewhere and that causing issues though.

tinkle60 Posted May 23, 2017

Unless 'not meeting the requirements' also meant not PCI compliant.

simonh Posted May 24, 2017

Why would the UKARA DB need to be PCI compliant? It holds no PAN data...

tinkle60 Posted May 24, 2017

You're right, my bad, wrong standard. But there must be a standard for complying with the DPA, right?

warlord Posted May 24, 2017

25 minutes ago, tinkle60 said:
> You're right, my bad, wrong standard. But there must be a standard for complying with the DPA, right?

The DPA is the requirement, how you meet that requirement doesn't need a standard. Closest you'd probably have is ISO27001 for the IT security side.

I "almost" said it would be interesting to see what compliance with any data handling the retailers must meet to be able to request data from the UKARA database though. Then I realised, no - it's not at all "interesting".

Wongo Posted May 24, 2017

9 minutes ago, warlord said:
> The DPA is the requirement, how you meet that requirement doesn't need a standard. Closest you'd probably have is ISO27001 for the IT security side.
>
> I "almost" said it would be interesting to see what compliance with any data handling the retailers must meet to be able to request data from the UKARA database though. Then I realised, no - it's not at all "interesting".

Getting me hot under the collar with all this policy and procedure talk.

Sitye (Author) Posted May 24, 2017

Come May 25th 2018, GDPR will replace DPA, and all hell is gonna break loose.

But that said, and given that they have clearly communicated that there wasn't a breach, this topic has dissolved into impatience and hearsay taking over. UKARA is down because upgrading servers is a nightmare, as I well know, and it's gone a bit wrong, as I know it does well, and it will be a faff to fix, as I can totally understand. So fair enough, but really, to upgrade a live DB is bad practice so I hope they add that to their lessons learned.

As a retailer I wouldn't be expecting to pay for the service outage, that's for sure, but I'm not one, so not my problem.

GiantKiwi Posted May 24, 2017

23 minutes ago, Sitye said:
> Come May 25th 2018, GDPR will replace DPA, and all hell is gonna break loose.
>
> But that said, and given that they have clearly communicated that there wasn't a breach, this topic has dissolved into impatience and hearsay taking over. UKARA is down because upgrading servers is a nightmare, as I well know, and it's gone a bit wrong, as I know it does well, and it will be a faff to fix, as I can totally understand. So fair enough, but really, to upgrade a live DB is bad practice so I hope they add that to their lessons learned.
>
> As a retailer I wouldn't be expecting to pay for the service outage, that's for sure, but I'm not one, so not my problem.

I'm more intrigued as to what "upgrade" caused it to bork. I'm currently doing something similar at the moment for HSE compliance reasons, the old system was running on a version of SQL that received its last update in 1998, I'm converting it to an up to date alternative. I doubt they have that level of complexity..

rsciw Posted May 24, 2017

17 hours ago, Roundel91 said:
> Well, I got a prompt response from both the UKARA admin and Frank from Fire Support.
>
> Dear Jack
>
> I understand your concerns. The database is and has been secure, no information has been accessed by unauthorised third parties, the old system had become incompatible with latest server requirements and had to be mothballed while a complete new system is being written using the latest coding.
>
> Because we have a great regard for security it took a little time initially to find a programmer we would trust, there are plenty of third world offers for web site and database construction but we were not comfortable with that option.
>
> The rewrite is almost finished and has been done by a programmer with military security clearance, so we are confident that the information is and will remain secure.
>
> Best Regards
> UKARA Admin
>
> Any advice, comment, or opinion is given purely on the understanding that it has no legal status and UKARA and its representative will not be held responsible.

What the hell were they running that it became "incompatible with latest server requirements"? Why wasn't anything done before these upgrades took place to ensure no downtime happened? I would've thought it being one of the primary defence checking mechanisms for retailers, for which retailers pay an annual fee to access, there'd be a form of SLA in place ensuring uptime etc.

What does "military security clearance" have to do with anything? Just because a programmer may have such clearance, doesn't mean he will know jack s..t about OS/DB/Web Security... Of course he may, but we can't see the credentials, nor can it necessarily be trusted that those responsible for taking the whole thing down without any checks/safeguards in place beforehand know how / what to look for?

rsciw Posted May 24, 2017

Just now, GiantKiwi said:
> I'm more intrigued as to what "upgrade" caused it to bork. I'm currently doing something similar at the moment for HSE compliance reasons, the old system was running on a version of SQL that received its last update in 1998, I'm converting it to an up to date alternative. I doubt they have that level of complexity..

I doubt it's anything complex to begin with. In a nutshell, all it would need to do is match a unique ID number (your UKARA #) to your name/address/DOB and if it's still valid or not, and allow access to third parties (the retailers) through a secure backend (and perhaps some metrics if they want to). Nothing ground shaking or revolutionary really, especially not of the sort requiring a downtime of months.

Sitye (Author) Posted May 24, 2017

I believe the 'damage was done' when trying to implement a self service portal from the UKARA website for players to self register - reducing the admin team/work required to maintain the DB input. That could require significant work to implement, but why it wasn't tested before go live just screams of inexperienced unprofessionalism (from an experienced Service Delivery Manager, project manager and former veteran IT Technician's point of view).

But whatever, it was always a f*cking farce anyway, a way for a clever group to skim some money off the top of a vague and fear mongering law.

warlord Posted May 24, 2017

If only there were a registration and membership system that could achieve the same sort of thing in something like a forum....

Albiscuit Posted May 24, 2017

5 minutes ago, warlord said:
> If only there were a registration and membership system that could achieve the same sort of thing in something like a forum....

Is posting on here pics and info of games I have attended not a 'Defense'???

Sitye (Author) Posted May 24, 2017

19 minutes ago, Albiscuit said:
> Is posting on here pics and info of games I have attended not a 'Defense'???

Well by definition, there is no definition of what is classed as a 'valid defence' so essentially, it's only what is commonly accepted by retailers.

"I am an airsofter, not a knobend" is my defence, I may even get it on a little laminated card.

Albiscuit Posted May 24, 2017

That was my point. My local shop knows I play, they sell to me without a UKARA... Otherwise I get someone with a number to get it for me.

Sitye (Author) Posted May 24, 2017

37 minutes ago, Albiscuit said:
> That was my point. My local shop knows I play, they sell to me without a UKARA... Otherwise I get someone with a number to get it for me.

And how daft is that, that a single number can or could be used to buy as many as you like, with no questions asked, and then distributed by that person to whoever they feel fit to carry one.

Why don't they just admit what it boils down to, chav/pikey/tw4ts buying RIFs that fire broken yellow BBs down the market, pulling one out in McDonald's and getting a boot in the neck from PC Plod so the papers can put it on the front page to sell another rag and make our sport out to be some kind of basement dwelling psychopathic wet dream for every daily fail reader to sh1t themselves about.

The VCRA has done nothing to reduce violent crime, nor has it given the police any more power than they already had, it's so vague in definition, all it's done is harm honest and professional retailers, and players of the sport, and meant that the markets had to hide their mooty goods in a box under the table (because I've still seen plenty of RIF pistols in windows by the seaside and on tables at Sunday markets for any tw4t to purchase with their pocket money) and put airsoft in the eyes of the legislators for what they can get out of it, ie, making it licensed or banned entirely a likelihood as time goes on - and I will say it's thanks to the UKARA team for defending the sport as it stands, so hats off to them for that.

This is my last rant on the subject now and forever. So hope you enjoyed it.

proffrink (Root Admin) Posted May 24, 2017

Well, although there's been a recent spike in violent crime since the end of 2016 to the start of 2017, it's still at the lowest point in recorded history. We could argue whether VCRA has or hasn't had much to do with that, but it's worth noting that there's never been a safer time to live (by these metrics at least).

rsciw Posted May 24, 2017

2 hours ago, Albiscuit said:
> That was my point. My local shop knows I play, they sell to me without a UKARA... Otherwise I get someone with a number to get it for me.

Yes, they know you, they know you play airsoft, that's enough of a defence really. As long as you can prove in one way or another you will use the purchased goods to play toy soldier at an airsoft field / event, it should be enough for defence cases. UKARA just happens to be the most widely used one, based off its creation when the VCRA was coming along.

I don't have an active UKARA membership either, expired last year September, yet I can still buy stuff as my local shop knows me quite well, since we also play together they know it's not for a bellend wanting to cause issues.

/edit: Quickly to add: I am not a lawyer, or affiliated with UKARA. Just speaking from experience and what has been told to me too by other players and retail folks.

Albiscuit Posted May 25, 2017

My last comment was tongue in cheek. But it is such a stupid system with huge gaps and easy ways to step around it. But it is currently the only one we have so we have to live with it unless one of us clever sods comes up with a new agreed way of doing things!

Sacarathe Posted May 25, 2017

9 minutes ago, Albiscuit said:
> It is such a stupid system with huge gaps and easy ways to step around it. But it is currently the only one we have so we have to live with it unless one of us clever sods comes up with a new agreed way of doing things!

Ownership register would be so much simpler. However it would arguably require significantly more [valuable] data retention for much longer and govt involvement. And the govt to make it an offence to own a realistic imitation firearm - or an imitation firearm readily convertible into a RIF (all paintball/airsoft guns) for longer than say 2 weeks without registering. And make it an offence to sell a RIF or IF to someone within the UK if they are not on the register. Make sales face to face too and support retailers by blocking 2nd distance trading.

A new definition of IF would be required for nerf guns and the like though.

Requirements for registering £10 to be added and £10 to be removed.

Please don't poke holes in this, it's just speculation and has not had thought put in worth of serious critique.

Archived
This topic is now archived and is closed to further replies.