Love.Law.Robots.

Implementing a Login


Home servers have really come a long way. In the past, setting up a home server meant pulling out an old computer, connecting it to a LAN, installing Linux, reading reams of documentation and then testing it (for the benefit of no one but Mr Tech at home).

Today, even Network Attached Storage devices can pretend to be servers. I bought a Synology DS216J on the cheap and found that you could install “Apps” like running a web server and a git server by just clicking on them. I am really getting my hands dirty on this one.

One of the things I am curious about is setting up an LDAP server to manage logins. This might have had no purpose in the past when computers were truly personal. However, given the proliferation of devices and how interconnected they are these days, I am curious as to what is possible when every device knows “who” you are.

There are other reasons why user management is a “must-have” feature for any system or application, especially one that contains or processes personal data. The most obvious reason is that it allows better management of the rights a user has over a system. Someone who is not authorised to access the data should not be allowed to log in in the first place. It may also be worth considering giving different reading or writing rights to different classes of users based on their need to know.

For various reasons (or excuses), an app or system might have no user management at all. In the Singapore Personal Data Protection Commission decision of Re JP Pepperdine Group [2017] SGPDPC 2, anyone could access the personal data of a member of a Company’s loyalty programme by entering random text into a search bar on a webpage. The Company was directed to pay a fine of $10,000.

Furthermore, having a login system in place is not sufficient. In the Singapore Personal Data Protection Commission decision of Re K Box Entertainment Group Pte Ltd and another [2016] SGPDPC 1, the password of the admin account was “admin” and it was suspected that an unauthorised user had “guessed” the password and gained access to the system. In addition, the accounts of staff who had left the company were not removed from the system, which meant that it was possible that an ex-employee (a disgruntled one, maybe?) could have accessed the system without authorisation. The Company in _Re K Box Entertainment Group Pte Ltd_ was given a financial penalty of $50,000, the highest penalty meted out by the Singapore Personal Data Protection Commission so far.

All this might seem laughable and ridiculous, but it is easy to see how it could have happened. There could have been a rush to implement a feature. Perhaps someone delegated this to a contractor and assumed that their problems were then all solved. Maybe it was pure disregard of the problems or consequences of having such a login system. Given how easy it is to install or run apps and the like these days, it is easy to overlook such problems.

Whatever the cause, the effects of a data breach are real and embarrassing and do not inspire confidence in your customers, to say nothing of the trouble you might run into with the authorities. Take some time to study your processes, and you could save yourself a lot of time and face.