I just logged into my CEFA account and it asked for a password change. All right, that’s somewhat standard practice to rotate them from time to time.
What’s insane is that after doing so, I received this email:
I would have thought that an EU agency would know better than 1) obviously storing passwords and 2) emailing them back to the user…
Couldn’t this be a GDPR violation? By e-mailing your password back to you in the clear, they are obviously not taking seriously their responsibility to protect your data.
That’s obviously significantly bad practice.
But why do we always have to call for immediate penalties (like GDPR) when someone makes a mistake (and of course complain loudly if authorities call for penalties when a pilot makes a mistake)?
A nice email to the data protection officer of Eurocontrol would solve the situation within minutes …
Malibuflyer wrote:
But why do we always have to call for immediate penalties (like GDPR) when someone makes a mistake (and of course complain loudly if authorities call for penalties when a pilot makes a mistake)?
Because this is not a “mistake”. It is gross incompetence.
Malibuflyer wrote:
A nice email to the data protection officer of Eurocontrol would solve the situation within minutes
I replied and offered my services :-)
That’s almost as good as this.
If some private business did this, and somebody got properly upset, they would be crucified. State bodies are immune…
The GDPR stuff has made internet users very sensitive and “reactive”. The exact provisions are also widely misunderstood.
But yes it is dreadful Eurocontrol is storing passwords and not password hashes. They are about 15 years behind in what is established good (and very obviously desirable) practice. Their programmers must be living in a hole in the ground. It is not that there is anything valuable in their site (IMHO their horrible site should not even need a login!); the problem is that most people use the same password for multiple sites, and the programmers are probably incompetent in lots of other ways so you can assume their server has been hacked by everybody already…
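As an added illustration of the point above (example code, not from the thread and not Eurocontrol's own): the only thing a login system needs to keep is a salted, slow hash, so a "here is your password" e-mail is impossible to write, and a reset e-mail carries a random single-use token instead. The work factor, token lifetime and the in-memory user store are assumptions for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor (assumption for this example)
TOKEN_TTL_SECONDS = 15 * 60   # reset tokens expire quickly (assumption)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store only algorithm$iterations$salt$digest; the password itself is never kept."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(cand, bytes.fromhex(digest_hex))


def issue_reset_token(store: dict, username: str, now: Optional[float] = None) -> str:
    """What a password e-mail should contain: a random single-use token, not the password.
    Only the token's hash is stored, so a leaked database cannot be used to take over accounts."""
    token = os.urandom(32).hex()
    now = time.time() if now is None else now
    store[username]["reset"] = (hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(store: dict, username: str, token: str,
                       new_password: str, now: Optional[float] = None) -> bool:
    """Accept the token once, before expiry, then replace the stored hash.
    Any attempt (right or wrong) consumes the token, which also limits guessing."""
    entry = store[username].pop("reset", None)
    if entry is None:
        return False
    stored_hash, expires = entry
    now = time.time() if now is None else now
    presented = hashlib.sha256(token.encode()).hexdigest()
    if now > expires or not hmac.compare_digest(stored_hash, presented):
        return False
    store[username]["pw"] = hash_password(new_password)
    return True
```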
I’m flabbergasted. I can only channel Jean-Luc at this stage.
Airborne_Again wrote:
Because this is not a “mistake”. It is gross incompetence.
As it is “gross incompetence” when pilots violate airspaces – so?
Why do we always call for proportion when a pilot does something wrong but for penalties when administration does? Why does “just culture” not apply to all parts of the aviation ecosystem but only to us?
There is a German proverb: “How you shout into the woods, the same way it comes back” (which imho is much nicer than the English “What comes around goes around”)
Peter wrote:
State bodies are immune…
No, they are not! It’s actually quite likely that some people lose their job if someone prosecutes this. As operations for these kinds of services are often outsourced, most likely staff at some private company, but nonetheless Eurocontrol is not immune.
The only thing that can’t be solved in principle: as such state bodies can only generate income from tax and fees, if they get a fine (like any other institution/company would), the only way they can pay it is to collect more money from citizens.
Malibuflyer wrote:
As it is “gross incompetence” when pilots violate airspaces – so?
It could be, but usually not.
Why do we always call for proportion when a pilot does something wrong but for penalties when administration does? Why does “just culture” not apply to all parts of the aviation ecosystem but only to us?
The situations when you make a decision in the air and sitting behind a desk designing a password system are entirely different. In the latter you can take any time you want to consider and compare different alternatives. In the air you have to make a quick decision and once you’ve done that, you can’t undo it.
If you compare flight planning on the ground with software design, then there are similarities. I would say planning a flight that e.g. crosses the Heathrow CTR without realising that you need a clearance is indeed gross incompetence.
Also, storing unhashed passwords is the equivalent of flying straight across Heathrow without clearance, and sending them out in open email is the equivalent of orbiting it a few times to have a good look.