by jkire 3121 days ago
Honestly, these replies feel completely unhelpful. This is exactly how MPs' offices have always worked: staff open and respond to letters with little oversight. Now they do the same with email.

Yes, in 2017 we can do a lot better and use delegated access, but adoption of those features doesn't happen overnight. Delegation of access was probably not even a thing when Dorries was first elected?

So the question really is: who is responsible for ensuring that MPs are up to speed with new security measures? Why aren't they dealing with this?

I think we should be lobbying MPs to ensure that they have the support they need to keep up to speed with best security practice, not vilifying them for trying to muddle through the best they can. It sounds like a recipe for disaster to try and get them all to do it themselves.

---

On a tangential note:

> It's alarming to read that Nadine believes criticism of her approach is due to her gender because if ever there was a construct that's entirely gender-unbiased, it's access controls! Giving other people your credentials in a situation such as hers is a bad idea regardless of gender, race, sexuality and any other personal attribute someone may feel discriminated by.

Completely misses the point. Of course security is gender-unbiased, but that doesn't mean she isn't getting a harder time of it simply because she is female. Such bias happens a lot.

To be honest, I think the actual truth is that the papers enjoy reporting on whatever Nadine Dorries says. So yeah, I don't doubt that another MP would have received less flak for saying the same thing, simply because it wouldn't have been reported as widely.

(That doesn't mean we shouldn't talk about security issues, but don't discount the abuse women get just because you happen to disagree with them on a particular point.)


> This is exactly how MPs offices have always worked, staff open and respond to letters with little oversight. Now they do the same with email.

This isn't just the email password, nor is it just the password to the "letters from the public" email. The original offense was "downloading porn on a work computer", indicating that this is the core network account, AD or LDAP. And that means that it's granting access to everything, every email and every file. These interns don't need access to every email she sends to another MP. These interns don't need access to the drafts of upcoming legislation. These interns don't need to know what kind of cat pictures she likes. What do you want to bet that the whole "Using personal email for official communications" fiasco over here started when someone said "I need an email that the interns can't read and they won't give me two user accounts"?
> What do you want to bet that the whole "Using personal email for official communications" fiasco over here started when someone said "I need an email that the interns can't read and they won't give me two user accounts"?

Possible, but I also guess the reason was along the lines of "I want to be able to send and receive 100MB PowerPoint slide decks, but central IT has a 5MB cap"... this one is something I regularly hit with clients back in ye olde freelance time. Record low was a client with a 1MB attachment cap and 100MB of quota.

IT is directly responsible for a lot of those things. In some places, it seems like IT departments try to make their own lives easier by ensuring the infrastructure is so ridiculously constrained that nobody wants to use it (no users = no things broken by users that need fixing!). Users instead will make do in creative ways, which makes organizations vulnerable (and people unhappy).
Of course they'll say it's for security reasons... and indeed, the most secure network is one that no one uses.
> These interns don't need access to every email she sends to another MP

How do you know this? The Members themselves are best placed to determine the type and scope of this. Not all MPs will share and delegate, and not all interns will have such facilities extended to them.

The prescribed way is to have staff undergo vetting, then be assigned network privileges (with whichever delegated rights are specified). But this is the real world, where we know that trusted individuals in teams share credentials.

None of this precludes MPs (at least, those not on Government payroll) from setting up and using third-party accounts for their sole use - which is exactly what MPs do.

> The original offense was "downloading porn on a work computer"...

There wasn't an original offence, there has been an allegation which has been strongly denied.

Fair enough. Allow me to rephrase, then, since the choice of refutation is enough to support my argument and I don't need to bring the validity of the accusation into it:

The refutation alone, that nobody would know who had downloaded porn even if it had happened, implies that this is a shared network account and it was being used to log in to desktop sessions.