Category Archives: Information Commissioner

The Failures of Ofsted’s Sarah Canto and Jo Fisher, Director of Hertfordshire Children’s Services

Posted on by
2
Jo Fisher

Jo Fisher, the Executive Director of Children’s Services at Hertfordshire County Council, has achieved a supposed, ‘Outstanding’ for her department on a recent Ofsted inspection … but is it deserved, or have systemic problems been missed by the regulator?

In modern public life, it has become all too clear that there are two sorts of public services that achieve, “Outstanding” ratings on regulatory inspections. Those which are actually delivering a good service, and those which simply hide failures and conceal problems, including abuse. For example, a hospital for the vulnerable known as Whorlton Hall received a CQC rating of, ‘good’ until it was exposed by BBC Panorama as an institution in which staff systematically, cruelly, abused disabled adults (archive). A clue as to which sort Hertfordshire County Council (HCC) is can be found in a Local Government and Social Care Ombudsman (LGSCO) report from 2021, reported in the Herts Advertiser that, “Herts Council has ‘pattern of mishandling children’s services complaints'” (archive). At the time, the Hertfordshire County Council, Director of Children and Young People was Jo Fisher. MHN has been horrified recently to identify similar and ongoing problems, some of which have now been admitted, which have not been picked up in a recent Ofsted inspection of the authority. The circumstances raise questions about the leadership and suitability of Jo Fisher, Sarah Canto from Ofsted who recently inspected Hertfordshire County Council Children’s Services and also Amanda Spielman, Chief Inspector at Ofsted. Weak leadership and weak procedures risk enabling abuse. In my opinion, Hertfordshire County Council and Ofsted have both.

Hertfordshire County Council Safeguarding Times

Hertfordshire County Council safeguarding times … could be improved … if this output from its system is to be believed, showing a child safeguarding referral open for around 20 months. Screenshot anonymised and taken on 11 April 2023.

How long should it take a council to deal with a safeguarding concern? A week, two weeks? A month? Baby P did not even live two years, and he spent much of it experiencing horrific abuse (archive) before his tragic death at 17 months. The question is not rhetorical. I made three child protection referrals about a family (who have been anonymised here), via the Hertfordshire County Council system and the first is still showing as, ‘Open’ after nearly two years. Reading the referral screen, I was concerned that at best, the council workflow system is insufficiently robust. At worst the case was ignored.

Child protection matters in the UK are rightly highly confidential. I would not expect much response as the result of a referral. I would have expected, however, the state to change from, ‘open’ to, ‘triaged’ or ‘reviewed’. In fact, until a recent complaint, I have never had anything from the council beyond an automated email acknowledgement to show these reports were submitted. It is clear, however, that something happened with the more recent ones due to what seems to be a subsequent breach of confidence by the council.

Continue reading

Share Button

2000 Trees and James Scarlett to be Sued, Bankrupted?

Posted on by
1
Will this post ruin James Scarlet's Career?

This post by the 2000 Trees Festival could ruin James Scarlet’s career forever, and leave him personally bankrupt.

I have just been asked to look at a case of what may be appalling abuse and misconduct by a music festival operator, James Scarlett. James is the organiser of the 2000 Trees music festival, which is operated by the Real Festival Company Limited. It appears that online allegations were made about abuse by a band member. The band member denies the allegations, and as far as I can determine so far has never been convicted or even invited for questioning by police. The festival, having seen the allegations, dropped him with a statement that appears to contain the false imputation that there was a meaningful investigation with an adverse outcome finding the allegations upheld. The festival then invited further comment from random members of the public. In effect, inviting gossip and speculation on the official 2000 Trees Facebook, whilst apparently deleting exculpatory posts. MHN is considering extending pro-bono support to the band. If the firm running the festival, the Real Festival Company Limited, is bankrupted that could affect its ability to pay acts – and the reputations of those associated with the firm or James. Other acts may need to consider whether they will stay on the line-up for the at-risk festival.

For those of you who do not know me, perhaps coming from 2000 Trees fansite or wherever, I am a law blogger. I have passed a Master’s Degree in Law (Legal Practice) with the solicitor’s exams (LL.M LPC) but not sought to practice as a solicitor. I do help people in court as a McKenzie Friend at the highest level – only ever for charity. For example, I was praised in Parliament helped a vulnerable woman accused of lacking mental capacity obtain a court declaration she had capacity and therefore retain her autonomy and her children (link to Parliament).

Continue reading

Share Button

With Spectacular Incompetence, Brand New Tube Republishes Customer Identity Documents

Posted on by
8

You literally could not make it up. Last month the troubled video sharing site BrandNewTube.com (BNT) was hacked. As a result of the hack it emerged that Brand New tube had been retaining customer identity documents such as driving licenses since 2020 and publishing them online with no security or password needed to view them. The documents were finally taken down by BNT earlier this week. Today, I have been tipped off that with Baldrick like incompetence, BNT have republished them. I was tipped off three times, once by a fellow blogger, once by a whistleblower, and finally by a lengthy and profane post on the hackers’ web-forum, which is open for the world to see. Regardless, it is true. They have actually done it. Brand New Tube, under its CEO Muhammad Butt, has republished the user driving licenses. The hackers have used a third party page freezing / escrow service archive.ph to freeze a record of the URLs. It is incontrovertible. I think the Information Commissioner needs to terminate their business.

A profane but informative out post on the hackers' forum. Offensive portions and some links redacted by MHN.

A profane but informative post on the hackers’ forum. Offensive portions and some links redacted by MHN.

In his bizarre official statement today, Muhammad Butt looked far greyer than he did only two years ago.

In his bizarre official statement yesterday, Muhammad Butt, Brand New Tube CEO, looked far greyer than he did only two years ago. Picture used for the purposes of criticism of the video. Also, are those pictures in the painting behind him meant to be content creators or stolen user driving licenses?

Share Button

Brand New Tube CEO Muhammad Butt in Bizarre Statement: Time Travelling Predators Involved in Hack of Website

Posted on by
1

In a bizarre video statement today, Brand New Tube CEO Muhammad Butt tried to link the recent hack of his video sharing website BrandNewTube.com (BNT) to a disclosure made after the hack. A reminder for readers – at some point this year, no later than 14 August 2022, Brand New Tube was hacked. The hackers posted a thread online on their website that day and then defaced Brand New Tube to redirect to it. The hack was allegedly done the same way as an earlier hack of BNT in 2020, using a vulnerability that had not been fixed, involving ‘nulled’ (pirate) software installed by BNT on its servers. It later emerged that a large number of user identity documents uploaded by BNT customers had been negligently published to the world at large for the past two years on Brand New Tube’s Content Delivery Network (CDN). Bizarrely, Butt’s statement sought to link the hack to a disclosure of VIP abuse made 11 days after the hack on 25 August 2022 – meaning a predator not only with powerful friends but the ability to time travel.

In his bizarre official statement today, Muhammad Butt looked far greyer than he did only two years ago.

In his bizarre official statement today, Muhammad Butt, Brand New Tube CEO, looked far greyer than he did only two years ago. Picture used for the purposes of criticism of the video.

Earlier this week, Brand New Tube tweeted (archive) that the controversial and troubled site would be returning at 6pm today. It has not. Instead there was a bizarre statement by Muhammad Butt about, essentially, two things.

The first was an allegation that on 25 August 2022 Mr Butt received an allegation against a politician by a woman. Assuming that is true, (and it sounds disturbingly like Exaro News) that can have no bearing on the hack. The woman is said to claim she was abused by a man she feared had powerful friends. Even if true, it is unclear how the politician could find about this and then travel back in time to early August to arrange the hack of Brand New Tube. In short it is an irrelevant red herring.

The second remark was that Muhammad and Sonia had been libelled on blogs. It was also alleged that hackers had uploaded documents that Brand New Tube had never possessed. I do hope Muhammad is not denying that Brand New Tube negligently published driving licenses of customers on its CDN because the whistle-blower who contacted MHN had archives. MHN has provided those archive to the Office of the Information Commissioner. Perhaps Muhammad needs to think again.

There was no answer on the allegations of use of nulled software (pirate software illegally hacked to remove the copy protection), a sidelong allusion to passwords being compromised, and no answer to the allegation that Brand New Tube had been failing to fix security bugs it was notified of for two years – only vague allegations of death threats and blackmail – and an assertion police are involved. Of course, Sonia and Muhammad have often complained of death threats, but Sonia’s allegations have often seemed far less sinister under scrutiny. MHN challenges Sonia and Muhammad to publish the alleged threats so the public can make up their own mind.

The public are invited to remember the old saying that, “no answer is an answer”, and to never, ever, use Brand New Tube.

Share Button

Driving License / Identity Document Breach Quietly Closed by Brand New Tube but No Apology from Muhammad Butt or Answer Over Pirate Software Allegations

Posted on by
Reply

Brand New Tube has finally removed the collection of customer personal identity documents – some as old as 2020 – it had accidentally posted online. The controversial site has announced a planned return on Tuesday at 6pm. Those users unwise enough to remain members will likely be hoping there are no further security breaches. Key questions remain unanswered by the usually irrepressible Muhammad Butt.

Muhammad Butt seen giving an update from his car, about his low rent video sharing website. Whilst Mr Butt has been prominent seen 2020, he has yet to actually set out a clear answer on the 'pirate software' issue. Image used for the purposes of criticism and review of the video and Brand New Tube.

Muhammad Butt seen giving an update from his car, about his low rent video sharing website. Whilst Mr Butt has been prominent since 2020, he has yet to actually set out a clear answer on the ‘pirate software’ issue. Image used for the purposes of criticism and review of the video and Brand New Tube.

Although the site is returning, there has been no apology nor admission by Muhammad Butt as to the breach of personal documents. There has also been no response to allegations by the hackers and by users (archive) that Brand New Tube they were using ‘nulled’, that is pirate, hacked components. As well as being illegal risk, such alleged practises (if true) create a security risk to the site and its users.

Mr Butt is usually a plain spoken man. In his strange, low-rent but blunt video above from 2020, Mr Butt was happy to engage stridently with critics. So, Muhammad, why no answers? Why have you not clearly disclosed the personal identity document breach publicly? Was Brand New Tube using, ‘nulled’ scripts?

Share Button

Explosive: More Brand New Tube Revelations – List of Security Warnings Since 2020 Revealed – Driving Licenses Still Online!

Posted on by
4

Yesterday, MHN revealed information provided by a whistleblower. In a shocking development to the Brand New Tube story it has emerged that up to thousands of identity documents of Brand New Tube users, including passports, were published online without the knowledge or consent of those users (and indeed, likely without incompetent Brand New Tube’s knowledge). In a shocking update today, a different source has provided a publicly available list of reported bugs on Brand New Tube that have largely gone unfixed since 2020!

The list of errors can be found on a public bug bounty site called www.openbugbounty.org (archive).

Brand New Tube Bugs List From OpenBugBounty.org

A list of Brand New Tube vulnerabilities reported on OpenBugBounty.org. These have gone unpatched in some cases for nearly two years after being reported.

MHN texts BNT lawyer Jeffrey Smele, Partner at Simons Muirhead and Burton

MHN has now had to go so far as texting BNT lawyers on the weekend about the scale of the breach. Click for full size.

This only fuels concern as to Brand New Tube’s poor security policies. Tests today reveal that Brand New Tube are still publishing unsecured identity documents online. Nothing has changed since the MHN article yesterday.

[UPDATE 15:05 27 August 2022] In light of the breached personal identity document still being online, MHN has contacted Muhammad Butt’s and Brand New Tube’s lawyers by text, to warn them and to create evidence of their negligence.

MHN will be posting daily call-outs until the personal identity documents are removed.

Brand New Tube’s negligence is shocking.

Share Button

Explosive! All Brand New Tube User Identity Documents Available Online … and ICO is Failing

Posted on by
1

The Information Commmissioner’s Office (ICO) and Brand New Tube (https://brandnewtube.com, BNT) face questions after whistleblowing information revealed damning new information about the scale of BNT’s recent data breach. British video sharing website Brand New Tube was hacked in 2020, and again earlier this month by a different group. The hackers emailed users and posted some details online. However, based on information MHN received from a whistle-blower last night, BNT’s disclosures on the scale of its security problems and the recent hack are seriously incomplete. Right now, if you have ever uploaded an identity document to BNT for monetisation, it is likely available online. Disturbingly, it has been quite hard to get the ICO to do something about this. The poor communications and processes reflect badly on Head of Communications Tim Bowden and Chief Executive John Edwards, albeit not as badly as on Brand New Tube CEO Muhammad Butt.

A driving license of a BNT user available from BNT CDN servers this morning, anonymised by MHN.

A driving license of a BNT user available from BNT CDN servers this morning, anonymised by MHN.

Obviously, you would expect the ICO to do something about this pretty promptly. I got in touch this morning with their press office by email. I got a boilerplate message back. Now, just to explain the ICO are embarrassed because last week they wrongly told MHN in writing that Brand New Tube had not disclosed the hack. This was wrong and the ICO had to withdraw it. However, the story has moved on and they need to actually read inquiries. So I called them up and had a few words. I sent in a further inquiry. I just got another boilerplate, “We have nothing further to add to our statement”. As opposed to, for example, “thank you for this new information – we confirm it has been passed urgently to the relevant team to see what can be done and will be looked at today”.

Based on the information from the whistle-blower, Brand New Tube has failed to disclose the fact that it has never deleted user documents, and never put them, y’know, behind a password. It appears that they can all be downloaded. This morning, multiple bloggers and journalists have downloaded multiple identity documents – taking appropriate records for evidence.

The passport above was downloaded this morning. There was no hacking. I just typed in the URL to a BNT server. They have published these peoples’ documents to the world. Then I forwarded it to the ICO. I have anonymised it for this article, and before processing the data, I considered the Editor’s Code and MHN’s policies in accordance with the Data Protection Act 2018 (DPA). I consider it reasonable and in the public interest to process this document to report it to the ICO. I consider it reasonable and in the public interest to process it in anonymised form in the article in order to give a concrete example of BNT’s failure to appreciate or disclose the scale of the breach, and of their security issues. Others are doing the same. There are thousands of ID documents. Anyone who has ever monetised at BNT as far as we can tell. All available online without so much as a password prompt.

Continue reading

Share Button

Whistleblower Sends Evidence BNT Held Personal Identity Document for Years

Posted on by
2

It is late, and I was only up watching TV. I have just received a whistleblower email making an incredibly serious allegation about Brand New Tube, the troubled online video sharing website hacked in 2020 and again earlier this month, that hosts controversial fringe content like ‘journalist’ Sonia Poulton. This is bad stuff.

I had to check a couple of things because I frankly did not believe it and I needed to check some HTML quickly from a third party site. I will need to call the ICO in the morning. I can say this goes way beyond passwords and emails. Full details tomorrow but there is incontrovertible proof that a lot of data was held that Brand New Tube did not declare as breached.

Share Button

Could the UK High Court Case of Smith v Baker Determine the Delaware Case of Twitter v Musk et al and the Fate of Twitter’s Vijaya Gadde?

Posted on by
2
Vijaya Gadde at a Fortune Event

Vijaya Gadde at a Fortune Brainstorm Tech event. Would she be such a popular speaker if she was properly no-platformed due to her allowing vile stalking and racism against a child rape victim as well as anti-Semitism? Picture by Photograph by Kevin Moloney/Fortune Brainstorm TECH. (NC License here).

On 4 April 2020, I published the article, “Twitter’s Del Harvey / Alison Shea and Vijaya Gadde Openly Back Child Rape Stalker and Anti-Semite Racist”. Multiple parties, including Twitter, threatened lawsuits. Twitter did not make good on their threats. Esther Baker attempted to do so. The lawsuit over the article, brought by Esther Baker in the High Court in London, was commenced in 2020 (before the Twitter purchase was proposed) and determined in my favour last week. The lawsuit has the potential to harm Twitter’s reputation. So, did Twitter know about it, and did they disclose it to Elon Musk when they formed the purchase agreement between Twitter and Musk currently being litigated in Delaware in the United States? Did Twitter notify Musk of the legal risks arising from the matters in this article – “Labour’s Secret Deal with Twitter and Facebook to Surveil its own members”? The article ended with an express threat to draw it to the attention of the relevant regulatory law enforcement body.

It is worth recapping for new readers. In 2020 I was covering a significant amount of what, in my opinion, was wrongdoing by Twitter. The Labour Party head office team had been using an in-house application that used their database of member emails, cross-referenced with privileged access to the Twitter API, to scan their members’ tweets for statements warranting disciplinary action. It is unclear if members’ consent was ever clearly sought for this by either the Labour Party or Twitter, or whether they were told about it. It is likely that would have been a legal requirement for processing to be compliant with the General Data Protection Regulation (GDPR).

The second issue was Twitter’s inconsistent handling of complaints of breaches of its rules. Esther Baker, had, at the time, been made subject to two restraining orders by UK courts. One was for libel and the other was for, in the words of His Honour Judge Gargan, “particularly malevolent” and “racist” stalking. One of her supporters, Alan Goodwin, had made plainly anti-Semitic posts including gratuitous, utterly baseless, speculation that a senior British government minister had conspired with Mossad to cover up child abuse. The actions of Esther Baker (@Esther9982) and her supporter Alan Goodwin (@Ciabaudo), followed by Twitter lawyer Vijaya Gadde’s failure to deal with them even after being thoroughly put on notice, were the subjects of my 4 April article.

Around 8pm on 1 May 2020, I received a letter from UK lawyers Bristows telling me that my article was libellous and there was, “no conceivable chance of defending” it as truth or honest opinion and saying it should be, “removed immediately”. I refused, and published the relevant section of the letter and mocked them in this article. I then requested further information under UK pre-action rules. Much as Elon Musk complains, Twitter were curiously reluctant to answer my questions and backed off as I detailed in my later article, “Twitter and Bristows in Humiliating Libel Climb Down”.

Extract from Bristows' Email of 6 May 2020

Bristows now claim they were never threatening to sue me on behalf of Twitter. That letter they sent me late on a Friday night was just abstract information shootin’ the breeze.

Bristows are a proper libel law firm and therefore know better than to test me in court. I stand by the article. Vijaya and her colleagues have in effect supported the actions of Esther Baker and Alan Goodwin by not banning / permanently suspending them from Twitter, when others have been banned without recourse for far lesser wrongdoing. In fact Twitter did not even remove the tweets that were the actus re of the stalking, just made them inaccessible in the UK.

Continue reading

Share Button

Statement on Brand New Tube Hack – Long Video Coming Soon

Posted on by
3

I have had a number of people contact me about an alleged hack of Brand New Tube (‘BNT’) last week. They are concerned about their data security. I covered a previous hack of the platform in 2020 and made a video. Readers may rely on that video, because BNT supremo Muhammad Butt sued me in the High Court using expensive lawyers. I defended myself and won, he lost – filing notice of discontinuance and throwing in the towel. Today the ICO have confirmed that Brand New Tube has failed to notify it of the data breach. If true, they have breached data protection law once again. [UPDATE 23 August 2022 – The ICO have corrected themselves. Their initial email was wrong. Brand New Tube did in fact report the incident by 17 August. However, all the other criticisms in this article remain unchanged. In particular, Brand New Tube have failed to answer whether they received concerns in December 2021 about the website’s security.]

ICO Press Officer Rashana Confirms No Mandatory Report was Made

The ICO confirms no report was made. The ICO was asked very specific questions and given My Media World’s registration number. The ICO initially said no report was received. It now admits this was wrong.

I want to confirm to supporters that I am preparing a lengthy video on this. However, I have already verified certain facts. Brand New Tube has been hacked – their Twitter account confirmed it on 14 August 2022 (archive). The hackers claim to have obtained the database including SHA-1 password hashes, and to have been able to extract the passwords. They claim to have extracted over 200,000 customer passwords (it is possible to de-hash unsalted hashed passwords using tools such as rainbow tables). If true, this would only be possible due to negligence of a very serious kind.

In the UK, it is a mandatory legal requirement to report breaches to the ICO. The hackers and Brand New Tube customers on Twitter (archive) allege that BNT was warned months ago and failed to take action. That means at the latest the website operator should have disclosed to the ICO by Wednesday 17 August 2022. The ICO confirms they have not. [The ICO now confirms this was wrong and their initial email above was incorrect.] I also put the allegations to Brand New Tube via their lawyers on Friday and I can confirm that they have not denied being warned of a security breach in December 2021. The ICO was given My Media World Limited’s registration number and the website URL, and was asked very specific questions.

Continue reading

Share Button