> website activity logs show the earliest request on the server for the URL https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outl.... This request was unsuccessful, as the document had not been uploaded yet. Between this time and 11:30, a total of 44 unsuccessful requests to this URL were made from seven unique IP addresses.
In other words, someone was guessing the correct staging URL before the OBR had even uploaded the file to the staging area. This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.
The report acknowledges this at 2.11:
> In the course of reviewing last week’s events, it has become clear that the OBR publication
process was essentially technically unchanged from EFOs in the recent past. This gives rise
to the question as to whether the problem was a pre-existing one that had gone unnoticed.
> In other words, someone was guessing the correct staging URL before the OBR had even uploaded the file to the staging area. This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.
The URLS are predictable. Hedge-funds would want to get the file as soon as it would be available - I imagine someone set up a cron-job to try the URL every few minutes.
Given the market significance of the report it's damn obvious that this would happen. They should have assumed that security via obscurity was simply not enough, and the OBR should have been taking active steps to ensure the data was only available at the correct time.
> Hedge-funds would want to get the file as soon as it would be available - I imagine someone set up a cron-job to try the URL every few minutes.
It's not even just hedge-funds that do this. This is something individual traders do frequently. This practise is common place because a small edge like this with the right strategy is all you need to make serious profits.
This setup was not initially approved, see 1.7 in the document:
> 1.7 Unlike all other IT systems and services, the OBR’s website is locally managed and outside
the gov.uk network. This is the result of an exemption granted by the Cabinet Office in
2013. After initially rejecting an exemption request, the Cabinet Office judged that the OBR
should be granted an exemption from gov.uk in order to meet the requirements of the
Budget Responsibility and National Audit Act. The case for exemption that the OBR made at
the time centred on the need for both real and perceived independence from the Treasury in
the production and delivery of forecasts and other analysis, in particular in relation to the
need to publish information at the right time.
Part of this is a product of the UK's political culture where expenses for stuff like this are ruthlessly scrutinised from within and without.
The idea of the site hosting such an important document running independently on WordPress, being maintained by a single external developer and a tiny in-house team would seem really strange to many other countries.
Everyone is so terrified of headlines like "OBR spends £2m upgrading website" that you get stuff like this.
> The available mitigation is at server level and prevents access to download or file storage directories directly. If configured properly, this will block access to the clear URL and return a ‘forbidden’ message. This is the second contributory configuration error – the server was not configured in this way so there was nothing to stop access to the clear URL bypassing protections against pre-publication access
That's the main flaw. Wordpress was configured to allow direct access to file, so they did not go through the authentication system. My experience is with Drupal (and a decade or more out of date), but it sounds like this behaves very similar. And this is a giant footgun, the system doesn't behave the way normal people expect if you allow unauthenticated access to files (if you know the URL). I don't understand why you would configure it this way today.
I would also assume that the upload happened via Wordpress, and not someone manually uploading files via FTP/SFTP or something like that. And in that case it would be entirely non-obvious to users that attaching a file to an unpublished document would put it in a place where it is potentially publicly accessible.
Since at least Drupal 7, the core CMS has included the concept of “private files.” The files are stored in a directory that is not served publicly by the web server. Instead the CMS generates a proxy URL for each file, which is handled by the CMS like a page URL before serving the file by streaming it through PHP. So: it’s a heavier load on the server, but you get full permission management by the CMS.
Wordpress does not have this in core—no surprise. I was surprised to find that it’s not even available as a community plugin. I had to pay a developer to write a custom plugin when building a members-only website in Wordpress.
Some folks downplayed the risk of someone finding and directly accessing the file URL if it wasn’t referenced on a public page. It’s crazy to see it created a national government incident in the UK.
For those of you not closely following UK politics: the Office for Budget Responsibility (OBR) mistakenly published their Economic and Fiscal Outlook (EFO) document 40 minutes early, pre-empting the announcements by the Chancellor.
Technical errors are faults caused by technology, like a software or hardware bug. That's not what happened here. WordPress behaved exactly as it was supposed to.
The true cause is revealed later in the article,
> staff thought they had applied safeguards to prevent early publication, there were two errors in the way in which they were set up
I don't think that's a worthwhile distinction. All software bugs are human errors, since the machine is correctly following the human programmer's incorrect instructions; whether that's at the level of assembly instructing the CPU; or a higher level like Wordpress instructing the PHP interpreter; or an even higher level of a document hosting solution instructing Wordpress.
A well designed system would reduce the risk of human error.
Given the importance of keeping this information confidential, they really ought to have a custom system for releasing it, not just configuring a third party Wordpress plugin.
Yes, it’s getting quite ridiculous now. Labour, for sure, have not done themselves any favours in their first 18 months in charge, but the level of attack and vitriol is exceptional and beyond any reasonable level.
The fact that they were elected as a 'change' government and have barely done anything that really faces up to the scale of the challenge the country faces? If you're below the age of about 55, then the budget did absolutely nothing for you except put taxes up, and not even to improve services.
I appreciate things time but so far the government have enormously walked back their planning reform proposals, which was one of their few pro-growth policies, and haven't really made any dent in anything else substantive. It's been pretty clear since even before the election that they didn't really have a plan, and they got a fairly light scrutiny through the campaign because the Tories were so appalling. Then since they got in they're just scrambling around looking fairly incompetent and the dearth of talent on the cabinet has been pretty plain to see as well. Largely I want Labour to succeed but they're not making it easy to like them.
They have done a lot of sensible, boring things that are objectively positive but are going largely going unnoticed (plus of course a few massive footguns that make the headlines).
I keep recommending r/GoodNewsUK on Reddit. It’s often just a lot of press releases and government announcements, but there seem to be a continual stream of them, and it’s hard to hear about them by any other source.
I largely agree, expect I think my expectations were lower than yours to start with. The ruling class all think alike regardless of party.
They have pushed ahead with the Tories Online Safety Act. Legislation I have looked at or that affect things I know about such as the Children's Wellbeing and Schools Act is terrible.
There is a lot of smoke and mirrors. For example, if you assume the justification for the "mansion tax" is that people who own higher value properties should be taxed more, why does someone with a £50m house not pay more than someone with a £5m house? Its designed to hit the moderately wealthy but not the really rich.
Although I agree it should be proportional to value, a £5M property puts you in the top 1% of property prices in the country. Even within London, it’s also within the top 1% of all but the most expensive boroughs. The average home property sale in the UK is less than £275,000.
A tax on a £5M home is not a tax on the moderately wealthy, it’s a tax on the wealthy.
The public do not see or agree that they have done well in any areas, hence their appallingly low popularity. And that was before this budget announcement.
It does not take a crystal ball to understand that the British media, which are vitriolic on a good day, will have an absolute free-for-all. It's nothing new.
> The fact that they were elected as a 'change' government and have barely done anything that really faces up to the scale of the challenge the country faces?
They have done a lot. But they haven't even stopped the runaway train yet. And the fundamental mistake they have made is not explaining to people clearly enough, during the election campaign, that it would take the first three years just to stop it.
Then you have the absolutely shameful, racist, nihilistic, fact-free intervention of five MPs that the media thinks will run the country in future so they are getting ten times the airtime of anyone else.
I really don’t agree. Look at the first year of 1997 Labour:
* Good Friday agreement signed and referendum
* Introduction of Minimum Wage
* Human Rights act introduced and passed
* Scottish and Welsh devolution set out, Parliament voted on it, referendums passed
* Bank of England independence
A government coming into a mess of a country on a platform of change cannot just fiddle around with minor things, which is what many of the changes they have done, though positive, are. And at the same time, they’ve also wasted so much political capital on some really stupid things that it’s hard to see where they can go from here.
This is politics so attacks will always follow blunders on either side.
In this case this is an extremely unpopular government to start with that increases taxes across the board while handing out more benefits and claiming that they had no choice because of the state of the public finances, and we learn that they possibly misled the public on that latter point. So, yes, in politics and especially British politics this means a riot against the Chancellor (who was also caught recently having let her house without the required legal licence, btw, after the [now former] Deputy PM was caught dodging taxes on the purchase of a second home...) because everyone "smells blood" but that's the game and it's not completely undeserved, either.
They were elected with 33% of the vote thanks to our FPTP system, the lowest in history. They were unpopular when they were elected and have done nothing to change that.
> It is the worst failure in the 15-year history of the OBR
I'm not sure publishing some information 3 hours early was really their biggest failure in 15 years...
Especially when much of the info was already public because hundreds of civil servants involved in making these decisions told their family members who told the press...
It's still a failure in principle. The effects of this particular instance of the failure were minimal but it was still an accidental leak of (at the time) private information. They just got lucky.
I am not an expert but I think that even trading on a leak is not unlawful as long as that leaked information was indeed made public (e.g. someone leaks to the media and the media then publish it), although it may have been unlawful to leak the information. The point is that insider trading is not allowed. It is no insider trading if the information is available to everyone.
Yes, I have had the corporate training on leaks and insider trading, too...
Trading on public information is fit and proper (Edit: Indeed, a technical term, but that does not make my statement incorrect, or does it?)
I think you may have skipped the part of leak to whom. If it is a leak to you then it is still not public and indeed insider trading. But if leaked to the public then it is different (and also how do you prevent people from trading on what they see in the media?)
But that's in general as in this case, the OBR admits they released it and, again, anyway once it's on BBC News it's free for all.
I agree. They didn’t intend to publish it, but they did publish it. They might not have advertised its presence yet, but it was freely available to anyone who asked.
If by 'much of the info' you mean policy changes, those are deliberately leaked by the politicians, not civil servants or their family members. They do this to test reactions and frame the debate.
This doesn't seem to have much to do with Wordpress or its plugin ecosystem but rather an oversight since the behavior itself isn't necessarily a bug. I think the "well yeah, why would you use Wordpress?" comments kinda miss that.
It's a ubiquitous practice to serve file uploads from a place outside of webserver middleware. This happens pretty much any time an upload permalink is on a different domain or subdomain, and it's standard on probably 90% of platforms.
Discord and Twitter file upload urls would be an example off the top of my head.
It would have been prevented if the public url used a random UUID, for example. But that's also not the behavior users necessarily want for most uploads.
There's a couple of passing mentions of Download Monitor, but also the timeline strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded
I'm not clear from the doc which of these scenarios is what they're calling the "leak"
> but also the timeline strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded
A bunch of people were scraping commonly used urls based on previous OBR reports, in order to report as soon as it was live, as it common with all things of this kind
The mistake was that the URL should have been obfuscated, and only changed to the "clear" URL at publish time, but a plugin was bypassing that and aliasing the "clear" URL to the obfuscated one
It sounds like a combination of the Download Monitor plugin plus a misconfiguration at the web server level resulted in the file being publicly accessible at that URL when the developers thought it would remain private until deliberately published.
The log of events in that document is absolutely hilarious/pitiful. It’s like something lifted directly from an episode of In The Thick Of It.
A honest-to-goodness proper fucking omnishambles.
11:52 - senior OBR and Treasury officials telephoned each other to discuss the breach. These Treasury officials made OBR staff aware of the URL leading to the PDF of the EFO that was accessible.
11:53 - OBR staff and the web developer attempted to pull the PDF from the website, and also to pull the entire website (e.g. via password protection), but struggled to do so initially due to the website being overloaded with traffic.
11:58 - an email was received to the OBR press inbox from a Reuters journalist confirming that Reuters had published details of the EFO and asking for comment.
12:07 - the EFO PDF was renamed by the web developer.
12:07 - the EFO PDF appeared on the Internet Archive. This means it was, at that precise time, visible entirely generally on the open internet via search engines. It is assumed that this happened very briefly in the rush to remove it.
But I still have a few questions. What is WordPress’s default behavior? Does it prevent files uploaded to the media library from having public URLs? Are they only public once they are inserted into a published post? Images make sense because they are embedded, but what about a PDF linked inside a post? My understanding is that media files become publicly accessible as soon as they are uploaded, as long as someone knows or guesses the URL. I mean, the leak could have happened even without the plugin?
"On the reason for the early publication, Prof Martin said it was related to the software the OBR chose to publish to its website, which was more suitable for a small or medium company than a major publication of critical market-sensitive data."
Using WordPress plugins (with the exception of a limited sub-set) is like chewing gum you find on the sidewalk.
This is a reasonable question. I mean yeah it’s supposed to be made public anyway, but evidently there is a non-trivial amount of interest invested in its contents by people who don’t usually qualify when we think of “the public”. Otherwise what would be the big deal?
My guess is that the team responsible for this didn’t anticipate or at worst were not informed of its value to particular groups of people, at least not to a degree that would’ve warranted extra security measures.
In huge org's, doing computer-related stuff the "right" way often involves so many meetings, sign-offs, and miles of red tape that your grandchildren would die of old age before anything actually got done.
Vs. if you just let Will and Pete do it in WordPress (or on Facebook, or such) then needed tasks might actually be accomplished.
I agree, and I also am familiar with how WP Engine's 'GES' (global edge security) works. obr.uk points to two IP addresses held in the name of WP Engine, but they're actually BYOIP with Cloudflare. Cloudflare act as a caching layer, DDOS mitigation and WAF.
Note that GES works a bit different to traditional Cloudflare implementations, HTML requests are basically passed through to the WP Engine NGINX reverse proxy server that's in front of the WordPress site (as opposed to being heavily cached with Cloudflare). Static assets, like a PDF - would indeed be cached with GES.
Either that number was wrong like you say OR (and I am unfamiliar with Bluesky) the URL is loaded via Bluesky's browser (like X) and therefore Bluesky's own server IP was used (instead of the user's).
Edit: Or (and more likely) cached/copies of the original.
They didn’t suffer a breach; they published a market-moving PDF early because they put it on a public WordPress server at a predictable URL with no access control, then acted shocked when someone typed it into a browser. The report dresses this up in solemn language about “pre-publication facilities” and “configuration errors”, but the reality is negligent basics: no authentication, no server-level blocking, blind faith in a plugin they didn’t understand, and not one person running the obvious test of guessing the URL before go-live. Their claim of “independence” just meant running the most sensitive part of their job on an underpowered, misconfigured website while assuming everything else would magically hold together. This wasn’t a cyber incident. It was institutional incompetence wearing a suit.
> A feature known as the Download Monitor plug-in created a webpage with the clear URL which provided a link to the live version, which bypassed the need for authentication. This rendered the protections on the ‘future’ function of WordPress redundant as it bypassed the required authentication needed to gain access to the pre-uploaded document.
WordPress is a nice piece of software, but the plugin situation is getting worse and worse. (Too many pending updates, premium features and constant upselling, selling of plugins to new sketchy owners...)
The main issue is that there isn't any governance to the plugin store. Once you have a plugin in there, you have free reign to do whatever you want with it. Getting it in there is a PITA though. For example, a library author and I created a plugin, but they wouldn't let me submit it because I wasn't the other author, and they wouldn't let him submit it because he wasn't me. True story.
TBF there is some scrutiny on existing plugins, the team is just extremely understaffed (it’s ran by volunteers after all). I got involved in a plugin that ended up getting de-listed for some minor ToS violations after several years of being “fine”, they re-reviewed the plugin with the same rigor as a new submission.
Kudos to these volunteers, but as long as one single company continues to insist on owning all the resources of the plugin and theme directories, I don't think they deserve to continue profiting from volunteer labor.
> WordPress is a nice piece of software, but the plugin situation is getting worse and worse
The plugin situation is a mess largely because Wordpress isn't a nice piece of software.
It's popular, and functionally it's great, but the codebase is really showing its age. Wordpress has never properly rearchitected because it would break plugins on a scale that would endanger its dominance.
It's not age, it started very, very bad. If they'd fixed the horrible schema and the code a decade and a half ago, plugins would have been a lot easier to write (and a lot safer.)
To an outsider, its entire plugin ecosystem is so odd. Like the conversation about “nulled” plugins, where someone removes license-checking code from GPL-licensed plugins and then redistributes them, and whether that’s moral, or even legal, which of course it is, because that’s the entire point of the GPL.
So is the significance of this news based on what could have leaked if the document was not intended for the public? [1]
Or is the significance of this news based on the advantages that players on the market who caught hold of it early will have? Is it only important to civilians relative to their ability to question who may be benefitting from the 40 minute head start that these players might have gained or (for the conspiracy-minded) been handed through nefarious means?
[1]: Which would lead me to ask why would it belong on a platform typically intended for publishing things in public.
Interestingly, the public discourse in the UK (at least what I have observed, and it was hard not to observe a lot in the last several days) does not focus much (if at all) on the insider trading angle. It's mostly that the chancellor has this important duty to first announce the new budget beofre the Parliament, and if this course of events gets distorted this is very bad for the proper procedure. Now, the sole purpose of OBR is to ensure the proper procedure, so very silly (or "damning") of them to make such a mistake.
At the same time, almost every piece of legislation in recent years has been relentlessly leaked and taken apart way before the official announcement in parliament, so this is a wee bit ridiculous.
It’s just about incompetence really. The budget is meant to be highly secret. And they accidentally published their report early. Which would let some people benefit from in financially, but it’s also just very embarrassing for a government. Sometimes budgets contain info that is more valuable than this.
The contents of market sensitive information critical to the finances of the entire country is behind stored on a damn vulnerable Wordpress server.
It's not even accidental access or a premature push of the button to release the document, but the site was regularly breached over and over and over again likely for insider trading ahead of the budget.
Might as well store the UK nuclear key codes on a large bright yellow Post-It note in Piccadilly Circus.
What a complete joke on the lack of basic security.
The real kicker is in point 1.13:
> website activity logs show the earliest request on the server for the URL https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outl.... This request was unsuccessful, as the document had not been uploaded yet. Between this time and 11:30, a total of 44 unsuccessful requests to this URL were made from seven unique IP addresses.
In other words, someone was guessing the correct staging URL before the OBR had even uploaded the file to the staging area. This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.
The report acknowledges this at 2.11:
> In the course of reviewing last week’s events, it has become clear that the OBR publication process was essentially technically unchanged from EFOs in the recent past. This gives rise to the question as to whether the problem was a pre-existing one that had gone unnoticed.
> In other words, someone was guessing the correct staging URL before the OBR had even uploaded the file to the staging area. This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.
The URLS are predictable. Hedge-funds would want to get the file as soon as it would be available - I imagine someone set up a cron-job to try the URL every few minutes.
This is so incompetent.
Given the market significance of the report it's damn obvious that this would happen. They should have assumed that security via obscurity was simply not enough, and the OBR should have been taking active steps to ensure the data was only available at the correct time.
> Hedge-funds would want to get the file as soon as it would be available - I imagine someone set up a cron-job to try the URL every few minutes.
It's not even just hedge-funds that do this. This is something individual traders do frequently. This practise is common place because a small edge like this with the right strategy is all you need to make serious profits.
They weren't in any way attempting to rely on security by obscurity.
They didn't assume nobody would guess the URL.
They did take active steps to ensure the data was only available at the correct time.
But they didn't check that their access control was working, and it wasn't.
This setup was not initially approved, see 1.7 in the document:
> 1.7 Unlike all other IT systems and services, the OBR’s website is locally managed and outside the gov.uk network. This is the result of an exemption granted by the Cabinet Office in 2013. After initially rejecting an exemption request, the Cabinet Office judged that the OBR should be granted an exemption from gov.uk in order to meet the requirements of the Budget Responsibility and National Audit Act. The case for exemption that the OBR made at the time centred on the need for both real and perceived independence from the Treasury in the production and delivery of forecasts and other analysis, in particular in relation to the need to publish information at the right time.
Part of this is a product of the UK's political culture where expenses for stuff like this are ruthlessly scrutinised from within and without.
The idea of the site hosting such an important document running independently on WordPress, being maintained by a single external developer and a tiny in-house team would seem really strange to many other countries.
Everyone is so terrified of headlines like "OBR spends £2m upgrading website" that you get stuff like this.
> This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.
I think most of the tech world heard about the Nobel Peace Prize award so it doesn't seem that suspicious to me that somebody would just poll urls.
Especially since before the peace prize there have been issues with people polling US economic data.
My point is strictly, knowledge that they should poll a url is not evidence of insider activity.
The report also says a previous report was also accessed 30 mins early.
> The available mitigation is at server level and prevents access to download or file storage directories directly. If configured properly, this will block access to the clear URL and return a ‘forbidden’ message. This is the second contributory configuration error – the server was not configured in this way so there was nothing to stop access to the clear URL bypassing protections against pre-publication access
That's the main flaw. Wordpress was configured to allow direct access to file, so they did not go through the authentication system. My experience is with Drupal (and a decade or more out of date), but it sounds like this behaves very similar. And this is a giant footgun, the system doesn't behave the way normal people expect if you allow unauthenticated access to files (if you know the URL). I don't understand why you would configure it this way today.
I would also assume that the upload happened via Wordpress, and not someone manually uploading files via FTP/SFTP or something like that. And in that case it would be entirely non-obvious to users that attaching a file to an unpublished document would put it in a place where it is potentially publicly accessible.
Since at least Drupal 7, the core CMS has included the concept of “private files.” The files are stored in a directory that is not served publicly by the web server. Instead the CMS generates a proxy URL for each file, which is handled by the CMS like a page URL before serving the file by streaming it through PHP. So: it’s a heavier load on the server, but you get full permission management by the CMS.
Wordpress does not have this in core—no surprise. I was surprised to find that it’s not even available as a community plugin. I had to pay a developer to write a custom plugin when building a members-only website in Wordpress.
Some folks downplayed the risk of someone finding and directly accessing the file URL if it wasn’t referenced on a public page. It’s crazy to see it created a national government incident in the UK.
That's even worse than I thought. I assumed it is a setting like in Drupal.
To me it really doesn't make any sense to have that kind of giant hole in your permissions system from the start.
> I was surprised to find that it’s not even available as a community plugin.
I found this one https://wordpress.org/plugins/prevent-direct-access/
For those of you not closely following UK politics: the Office for Budget Responsibility (OBR) mistakenly published their Economic and Fiscal Outlook (EFO) document 40 minutes early, pre-empting the announcements by the Chancellor.
This is being treated as an incredibly big deal here: https://www.bbc.co.uk/news/articles/cd74v35p77jo
> which it blamed on a "technical error"
It's not a technical error at all!
Technical errors are faults caused by technology, like a software or hardware bug. That's not what happened here. WordPress behaved exactly as it was supposed to.
The true cause is revealed later in the article,
> staff thought they had applied safeguards to prevent early publication, there were two errors in the way in which they were set up
The problem was the staff. It's a human error.
I don't think that's a worthwhile distinction. All software bugs are human errors, since the machine is correctly following the human programmer's incorrect instructions; whether that's at the level of assembly instructing the CPU; or a higher level like Wordpress instructing the PHP interpreter; or an even higher level of a document hosting solution instructing Wordpress.
Eh, I think the distinction is broken tool vs improper use of the tool or in this case, the wrong tool all together
A well designed system would reduce the risk of human error.
Given the importance of keeping this information confidential, they really ought to have a custom system for releasing it, not just configuring a third party Wordpress plugin.
In the popular press it’s been sidelined because it would distract from the continuous attacks on the chancellor
Yes, it’s getting quite ridiculous now. Labour, for sure, have not done themselves any favours in their first 18 months in charge, but the level of attack and vitriol is exceptional and beyond any reasonable level.
It makes me wonder what exactly is driving this.
The fact that they were elected as a 'change' government and have barely done anything that really faces up to the scale of the challenge the country faces? If you're below the age of about 55, then the budget did absolutely nothing for you except put taxes up, and not even to improve services.
I appreciate things time but so far the government have enormously walked back their planning reform proposals, which was one of their few pro-growth policies, and haven't really made any dent in anything else substantive. It's been pretty clear since even before the election that they didn't really have a plan, and they got a fairly light scrutiny through the campaign because the Tories were so appalling. Then since they got in they're just scrambling around looking fairly incompetent and the dearth of talent on the cabinet has been pretty plain to see as well. Largely I want Labour to succeed but they're not making it easy to like them.
They have done a lot of sensible, boring things that are objectively positive but are going largely going unnoticed (plus of course a few massive footguns that make the headlines).
I keep recommending r/GoodNewsUK on Reddit. It’s often just a lot of press releases and government announcements, but there seem to be a continual stream of them, and it’s hard to hear about them by any other source.
I largely agree, expect I think my expectations were lower than yours to start with. The ruling class all think alike regardless of party.
They have pushed ahead with the Tories Online Safety Act. Legislation I have looked at or that affect things I know about such as the Children's Wellbeing and Schools Act is terrible.
There is a lot of smoke and mirrors. For example, if you assume the justification for the "mansion tax" is that people who own higher value properties should be taxed more, why does someone with a £50m house not pay more than someone with a £5m house? Its designed to hit the moderately wealthy but not the really rich.
Although I agree it should be proportional to value, a £5M property puts you in the top 1% of property prices in the country. Even within London, it’s also within the top 1% of all but the most expensive boroughs. The average home property sale in the UK is less than £275,000.
A tax on a £5M home is not a tax on the moderately wealthy, it’s a tax on the wealthy.
I don’t disagree with any of that, but the vitriol doesn’t match the disappointment imho. Especially as they’ve done pretty well in other areas.
I realise “it’s the economy, stupid”, but still it feels like outsized outrage.
The public do not see or agree that they have done well in any areas, hence their appallingly low popularity. And that was before this budget announcement.
It does not take a crystal ball to understand that the British media, which are vitriolic on a good day, will have an absolute free-for-all. It's nothing new.
> The fact that they were elected as a 'change' government and have barely done anything that really faces up to the scale of the challenge the country faces?
They have done a lot. But they haven't even stopped the runaway train yet. And the fundamental mistake they have made is not explaining to people clearly enough, during the election campaign, that it would take the first three years just to stop it.
Then you have the absolutely shameful, racist, nihilistic, fact-free intervention of five MPs that the media thinks will run the country in future so they are getting ten times the airtime of anyone else.
> They have done a lot.
I really don’t agree. Look at the first year of 1997 Labour:
* Good Friday agreement signed and referendum * Introduction of Minimum Wage * Human Rights act introduced and passed * Scottish and Welsh devolution set out, Parliament voted on it, referendums passed * Bank of England independence
A government coming into a mess of a country on a platform of change cannot just fiddle around with minor things, which is what many of the changes they have done, though positive, are. And at the same time, they’ve also wasted so much political capital on some really stupid things that it’s hard to see where they can go from here.
This is politics so attacks will always follow blunders on either side.
In this case this is an extremely unpopular government to start with that increases taxes across the board while handing out more benefits and claiming that they had no choice because of the state of the public finances, and we learn that they possibly misled the public on that latter point. So, yes, in politics and especially British politics this means a riot against the Chancellor (who was also caught recently having let her house without the required legal licence, btw, after the [now former] Deputy PM was caught dodging taxes on the purchase of a second home...) because everyone "smells blood" but that's the game and it's not completely undeserved, either.
Money.
They were elected with 33% of the vote thanks to our FPTP system, the lowest in history. They were unpopular when they were elected and have done nothing to change that.
> It is the worst failure in the 15-year history of the OBR
I'm not sure publishing some information 3 hours early was really their biggest failure in 15 years...
Especially when much of the info was already public because hundreds of civil servants involved in making these decisions told their family members who told the press...
It's still a failure in principle. The effects of this particular instance of the failure were minimal but it was still an accidental leak of (at the time) private information. They just got lucky.
> The effects of this particular instance of the failure were minimal
the effects are not minimal
if you're crooked: getting this sort of information early is potentially extremely lucrative
(why crooked? because trading on UPSI is illegal)
Surely it was no longer UPSI (Unpublished Price Sensitive Information) after the OBR published it?
I wouldn't be betting my freedom on the regulator agreeing with that logic
the regulations specifically go into great detail about official publications and formal circulation
would a reasonable person consider this a leak? then it's UPSI
The OBR admits that they published it too early.
I am not an expert but I think that even trading on a leak is not unlawful as long as that leaked information was indeed made public (e.g. someone leaks to the media and the media then publish it), although it may have been unlawful to leak the information. The point is that insider trading is not allowed. It is no insider trading if the information is available to everyone.
> I am not an expert
I have had regulatory training on this exact matter, and it covers unintended leaks explicitly
and there is no way I would trade
> The point is that insider trading is not allowed. It is no insider trading if the information is available to everyone.
no, it isn't the point
the regulator cares that participants are seen to be clean, practicing "fit and proper" behaviour
if a reasonable person would think it was dodgy, they'll have your head (and your certification to practice)
regardless of whether or not it was illegal
Yes, I have had the corporate training on leaks and insider trading, too...
Trading on public information is fit and proper (Edit: Indeed, a technical term, but that does not make my statement incorrect, or does it?)
I think you may have skipped the part of leak to whom. If it is a leak to you then it is still not public and indeed insider trading. But if leaked to the public then it is different (and also how do you prevent people from trading on what they see in the media?)
But that's in general as in this case, the OBR admits they released it and, again, anyway once it's on BBC News it's free for all.
> Yes, I have had the corporate training on leaks and insider trading, too...
by a regulated investment firm? specifically on UPSI?
"fit and proper" is a technical term in the FCA manual
I would not risk my regulator not considering me as such by trading on this information
if you would: provide your reference number, and we can ask them if they agree!
I agree. They didn’t intend to publish it, but they did publish it. They might not have advertised its presence yet, but it was freely available to anyone who asked.
If by 'much of the info' you mean policy changes, those are deliberately leaked by the politicians, not civil servants or their family members. They do this to test reactions and frame the debate.
This doesn't seem to have much to do with Wordpress or its plugin ecosystem but rather an oversight since the behavior itself isn't necessarily a bug. I think the "well yeah, why would you use Wordpress?" comments kinda miss that.
It's a ubiquitous practice to serve file uploads from a place outside of webserver middleware. This happens pretty much any time an upload permalink is on a different domain or subdomain, and it's standard on probably 90% of platforms.
Discord and Twitter file upload urls would be an example off the top of my head.
It would have been prevented if the public url used a random UUID, for example. But that's also not the behavior users necessarily want for most uploads.
There's a couple of passing mentions of Download Monitor, but also the timeline strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded
I'm not clear from the doc which of these scenarios is what they're calling the "leak"
> but also the timeline strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded
A bunch of people were scraping commonly used urls based on previous OBR reports, in order to report as soon as it was live, as it common with all things of this kind
The mistake was that the URL should have been obfuscated, and only changed to the "clear" URL at publish time, but a plugin was bypassing that and aliasing the "clear" URL to the obfuscated one
> in order to report as soon as it was live
We don't actually know that, it's just that the report did hit Reuters pretty swiftly.
https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outl... 5.pdf
Not hard to guess really. Wouldn't they know this was likely and simply choose a less obvious file name?
Turn out, no. Not they would not.
It sounds like a combination of the Download Monitor plugin plus a misconfiguration at the web server level resulted in the file being publicly accessible at that URL when the developers thought it would remain private until deliberately published.
The log of events in that document is absolutely hilarious/pitiful. It’s like something lifted directly from an episode of In The Thick Of It.
A honest-to-goodness proper fucking omnishambles.
11:52 - senior OBR and Treasury officials telephoned each other to discuss the breach. These Treasury officials made OBR staff aware of the URL leading to the PDF of the EFO that was accessible.
11:53 - OBR staff and the web developer attempted to pull the PDF from the website, and also to pull the entire website (e.g. via password protection), but struggled to do so initially due to the website being overloaded with traffic.
11:58 - an email was received to the OBR press inbox from a Reuters journalist confirming that Reuters had published details of the EFO and asking for comment.
12:07 - the EFO PDF was renamed by the web developer.
12:07 - the EFO PDF appeared on the Internet Archive. This means it was, at that precise time, visible entirely generally on the open internet via search engines. It is assumed that this happened very briefly in the rush to remove it.
Ok, it was the Download Monitor plugin.
But I still have a few questions. What is WordPress’s default behavior? Does it prevent files uploaded to the media library from having public URLs? Are they only public once they are inserted into a published post? Images make sense because they are embedded, but what about a PDF linked inside a post? My understanding is that media files become publicly accessible as soon as they are uploaded, as long as someone knows or guesses the URL. I mean, the leak could have happened even without the plugin?
Correct. Files uploaded get stored in the wp-content/uploads folder and are public.
"WordPress plugin quirk" AKA human error (as usual).
Yes, the human error was using WordPress.
Why are government organisations which handle sensitive information using Wordpress?
There's not anything obviously wrong with using WordPress for publishing documents like this - they are meant to be public after all.
The problem was essentially that, through a misconfiguration, they published it early.
"On the reason for the early publication, Prof Martin said it was related to the software the OBR chose to publish to its website, which was more suitable for a small or medium company than a major publication of critical market-sensitive data."
Using WordPress plugins (with the exception of a limited sub-set) is like chewing gum you find on the sidewalk.
A technical oversight fail at multiple levels.
This is a reasonable question. I mean yeah it’s supposed to be made public anyway, but evidently there is a non-trivial amount of interest invested in its contents by people who don’t usually qualify when we think of “the public”. Otherwise what would be the big deal?
My guess is that the team responsible for this didn’t anticipate or at worst were not informed of its value to particular groups of people, at least not to a degree that would’ve warranted extra security measures.
There's a UK government policy to try and use open source, they even have a github profile https://github.com/alphagov
It's not sensitive information. It's public information.
Before it’s been released I would consider it sensitive for many reasons.
In huge org's, doing computer-related stuff the "right" way often involves so many meetings, sign-offs, and miles of red tape that your grandchildren would die of old age before anything actually got done.
Vs. if you just let Will and Pete do it in WordPress (or on Facebook, or such) then needed tasks might actually be accomplished.
And now the chair of the OBR has had to resign over it https://www.theguardian.com/politics/live/2025/dec/01/keir-s...
Should have used S3 and a datetime-based access policy. Eg
>During that period, it was accessed 43 times by 32 unique IP addresses
I find this an implausibly low number. It was all over Bluesky, X etc., not to mention journo Signal and WhatsApp groups.
I agree, and I also am familiar with how WP Engine's 'GES' (global edge security) works. obr.uk points to two IP addresses held in the name of WP Engine, but they're actually BYOIP with Cloudflare. Cloudflare act as a caching layer, DDOS mitigation and WAF.
Note that GES works a bit different to traditional Cloudflare implementations, HTML requests are basically passed through to the WP Engine NGINX reverse proxy server that's in front of the WordPress site (as opposed to being heavily cached with Cloudflare). Static assets, like a PDF - would indeed be cached with GES.
Possibly copies of the document rather than the original URL?
Either that number was wrong like you say OR (and I am unfamiliar with Bluesky) the URL is loaded via Bluesky's browser (like X) and therefore Bluesky's own server IP was used (instead of the user's).
Edit: Or (and more likely) cached/copies of the original.
I feel like those 32 unique IP addresses may very well be Cloudflare or CloudFront ones.
Maybe it was cached somewhere and most people were hitting the cache?
They didn’t suffer a breach; they published a market-moving PDF early because they put it on a public WordPress server at a predictable URL with no access control, then acted shocked when someone typed it into a browser. The report dresses this up in solemn language about “pre-publication facilities” and “configuration errors”, but the reality is negligent basics: no authentication, no server-level blocking, blind faith in a plugin they didn’t understand, and not one person running the obvious test of guessing the URL before go-live. Their claim of “independence” just meant running the most sensitive part of their job on an underpowered, misconfigured website while assuming everything else would magically hold together. This wasn’t a cyber incident. It was institutional incompetence wearing a suit.
But but but they ‘have a limited budget’ (repeated multiple times for effect in the article)
I think you mean "no one got paid to vet the wordpress plugins"
And the news just now is that the chair of the OBR has resigned because of this [1]
[1] https://www.bbc.co.uk/news/live/cly147rky81t
What was the quirk?
> A feature known as the Download Monitor plug-in created a webpage with the clear URL which provided a link to the live version, which bypassed the need for authentication. This rendered the protections on the ‘future’ function of WordPress redundant as it bypassed the required authentication needed to gain access to the pre-uploaded document.
WordPress is a nice piece of software, but the plugin situation is getting worse and worse. (Too many pending updates, premium features and constant upselling, selling of plugins to new sketchy owners...)
The main issue is that there isn't any governance to the plugin store. Once you have a plugin in there, you have free reign to do whatever you want with it. Getting it in there is a PITA though. For example, a library author and I created a plugin, but they wouldn't let me submit it because I wasn't the other author, and they wouldn't let him submit it because he wasn't me. True story.
TBF there is some scrutiny on existing plugins, the team is just extremely understaffed (it’s ran by volunteers after all). I got involved in a plugin that ended up getting de-listed for some minor ToS violations after several years of being “fine”, they re-reviewed the plugin with the same rigor as a new submission.
Kudos to these volunteers, but as long as one single company continues to insist on owning all the resources of the plugin and theme directories, I don't think they deserve to continue profiting from volunteer labor.
There's also the fact that Matt Mullenweg (the guy who owns automattic) has made hostile takeovers of plugin pages before
> WordPress is a nice piece of software, but the plugin situation is getting worse and worse
The plugin situation is a mess largely because Wordpress isn't a nice piece of software.
It's popular, and functionally it's great, but the codebase is really showing its age. Wordpress has never properly rearchitected because it would break plugins on a scale that would endanger its dominance.
There's a whole industry of people selling solutions to WordPress's failings, all of whom have strong incentives for it not be properly improved.
> the codebase is really showing its age.
It's not age, it started very, very bad. If they'd fixed the horrible schema and the code a decade and a half ago, plugins would have been a lot easier to write (and a lot safer.)
My favorite current plugin woe is where it completely changes what it does but keeps the same name and it's all a part of its 'update'
To an outsider, its entire plugin ecosystem is so odd. Like the conversation about “nulled” plugins, where someone removes license-checking code from GPL-licensed plugins and then redistributes them, and whether that’s moral, or even legal, which of course it is, because that’s the entire point of the GPL.
> which provided a link to the live version
Even if that is the case, the backend must validate.
[dead]
So is the significance of this news based on what could have leaked if the document was not intended for the public? [1]
Or is the significance of this news based on the advantages that players on the market who caught hold of it early will have? Is it only important to civilians relative to their ability to question who may be benefitting from the 40 minute head start that these players might have gained or (for the conspiracy-minded) been handed through nefarious means?
[1]: Which would lead me to ask why would it belong on a platform typically intended for publishing things in public.
Interestingly, the public discourse in the UK (at least what I have observed, and it was hard not to observe a lot in the last several days) does not focus much (if at all) on the insider trading angle. It's mostly that the chancellor has this important duty to first announce the new budget beofre the Parliament, and if this course of events gets distorted this is very bad for the proper procedure. Now, the sole purpose of OBR is to ensure the proper procedure, so very silly (or "damning") of them to make such a mistake.
At the same time, almost every piece of legislation in recent years has been relentlessly leaked and taken apart way before the official announcement in parliament, so this is a wee bit ridiculous.
It’s just about incompetence really. The budget is meant to be highly secret. And they accidentally published their report early. Which would let some people benefit from in financially, but it’s also just very embarrassing for a government. Sometimes budgets contain info that is more valuable than this.
What the f____?
The contents of market sensitive information critical to the finances of the entire country is behind stored on a damn vulnerable Wordpress server.
It's not even accidental access or a premature push of the button to release the document, but the site was regularly breached over and over and over again likely for insider trading ahead of the budget.
Might as well store the UK nuclear key codes on a large bright yellow Post-It note in Piccadilly Circus.
What a complete joke on the lack of basic security.
Quirk? Surely a bug?
It's not a bug if it's the expected behaviour
It's not a bug - it's a feature.
[dead]