Archive for security

The lock on my door is a Yale Model AG34

No, I don’t suppose that is the first thing you are going to tell a perfect stranger now, is it? How about someone who has just called to your door? More unlikely still.

The Rant:
Which is why it really annoys me that some web applications insist on vanity tags announcing to the world what software system you are using and, worse still, sometimes even what version you are running!

Just what is required to execute a zero-day attack on your poor little website, or indeed to make it far too easy for evil-minded people to find sites running out-of-date software.

Is it on your site?
Examine the source code of your web page. It will be between the “head” tags at the top of the page. Take, for example, the screenshot of the HTML code on a blog I visited the other day. You can clearly see from the generator meta tag that not only is the blog powered by WordPress, but it is running version 2.5.1. In this example, the blogger is probably fine. There have been a couple of security fixes released since WordPress 2.5.1 came out in July, but none that I would rate as vital. But is it really a good idea to let the world know:
a) what web application you are running?
b) what exact version you have installed?
[Screenshot: WordPress generator meta tag in the page source]
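To check your own pages for this tag without reading the source by eye, here is a small added example (mine, not from the post) that parses a saved HTML page with Python's standard-library HTMLParser and reports each generator meta tag together with whether it leaks a version number. The two sample pages are constructed to mirror the screenshot and the state after the fix; nothing is fetched from the network.

```python
from html.parser import HTMLParser


class GeneratorTagFinder(HTMLParser):
    """Collect the content of every <meta name="generator"> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        # Attribute names are case-insensitive; missing values come through as None.
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").strip().lower() == "generator":
            self.generators.append(attr.get("content", "").strip())


def find_generator_tags(html: str) -> list:
    """Return the content values of all generator meta tags found in the page."""
    parser = GeneratorTagFinder()
    parser.feed(html)
    return parser.generators


def split_product_version(content: str):
    """Split 'WordPress 2.5.1' into ('WordPress', '2.5.1'); version is None if absent."""
    parts = content.split()
    if not parts:
        return ("", None)
    # The first token that starts with a digit is taken as the version string.
    for i, tok in enumerate(parts):
        if tok[0].isdigit():
            return (" ".join(parts[:i]), tok)
    return (content, None)


def assess(html: str) -> list:
    """Report each generator tag as (product, version, leaks_version)."""
    report = []
    for content in find_generator_tags(html):
        product, version = split_product_version(content)
        report.append((product, version, version is not None))
    return report


# Constructed sample: a page header like the one in the screenshot (not a real site).
SAMPLE_PAGE = """<html><head>
<title>My blog</title>
<meta name="generator" content="WordPress 2.5.1" />
<link rel="stylesheet" href="style.css" />
</head><body>hello</body></html>"""

# Constructed sample of the same page after the generator tag has been removed.
FIXED_PAGE = """<html><head><title>My blog</title></head><body>hello</body></html>"""

if __name__ == "__main__":
    for label, page in (("before fix", SAMPLE_PAGE), ("after fix", FIXED_PAGE)):
        print(label, assess(page))
```

Run it against the saved source of your own front page (open the file and pass its text to assess). Note that this only inspects the HTML head; WordPress also writes its version into the generator element of its RSS and Atom feeds, which a check like this will not see, so look at the feed output separately.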

The cure
Now, I was going to go into a big rant about just how pointless I thought the generator meta tag was anyway, but I have decided to bite my tongue and concentrate on the real evil: including the version number.

This is just a plain old bad idea. I was really annoyed to see it creep back into the WordPress blogs I manage recently, as its location has been moved from the WordPress header template file into the WordPress internals (from WordPress 2.5 on). So even if you thought you had removed it, if you upgraded to 2.5 or later, it might be back in there again!

There is a relatively easy way to remove it again however, and this should be permanent unless they change this again in a future major version release.
Add the following line to the functions.php file of your WordPress theme, inside the PHP code tags:

remove_action('wp_head', 'wp_generator');

For other web applications, you may need to check the documentation or search the support forums for answers on how to remove the generator tag.

Comments (1)

Blood on Broadway

So when I became a blood donor 5 years ago I didn’t think that one day my records would be stolen in a mugging in New York [1].
I doubt most people did. I don’t recall seeing a check box saying, “tick here to opt out of the IBTS giving your personal data away to organisations in foreign countries as and when we decide to upgrade our software”.

Such is the world we live in.
Frankly I’m surprised the loss of the data was such a physical one, rather than a hack.

So here are my main issues with the Irish Blood Transfusion Service:

  1. I really do not think you have the right to simply dish out my personal information (including what communicable diseases I may or may not have) to just anyone as and when you like to.
  2. There is no excuse, not one, for sending across 170,000 patient records. For any kind of “upgrade” or “testing”. Quite frankly if this was to run testing, then there is no reason except for sheer laziness for the data not to have been scrubbed, removing personal information. It isn’t that hard. The last time I did it for a project involving confidential patient information, it took about 2 hours. Including a cup of tea.
  3. The IBTS chief executive says the data is encrypted. He says the odds of decrypting the data are the same as winning the Euromillions jackpot 10 weeks in a row. You are either wrong, still misinformed or just lying, Andrew Kelly. The certainty of it being decrypted is 100%. The only variables are how long it takes and how many resources you want to throw at the AES-256 encryption. And of course, the encryption passphrase, which is probably “IBTS” or “Password01”.
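Point 2 says scrubbing a dataset before it goes to a test environment is not hard. As an added example (mine, not anything the IBTS or the post describes), here is how such a scrub can be done in Python: direct identifiers are dropped outright, the date of birth is coarsened to a birth year, and the donor ID is replaced with a keyed HMAC pseudonym so records stay linkable across tables in the test set but cannot be mapped back to a person without the key, which never leaves production. The records are fictional and the key is a placeholder.

```python
import hashlib
import hmac

# Fields that directly identify a donor; they never leave the production system.
DIRECT_IDENTIFIERS = {"name", "address", "phone", "email"}

# Placeholder key for this demonstration only; in practice it is generated in
# production, kept there, and never shipped with the scrubbed data.
TEST_KEY = b"constructed-demo-key-not-for-production"


def pseudonymize_id(donor_id: str, key: bytes) -> str:
    """Keyed HMAC of the donor ID: consistent for linkage, irreversible without the key."""
    return hmac.new(key, donor_id.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_record(record: dict, key: bytes) -> dict:
    """Return a copy of a donor record that is safe to hand to a test environment."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if field == "donor_id":
            out["donor_id"] = pseudonymize_id(value, key)
        elif field == "dob":
            # Keep only what age-related logic needs to exercise: the birth year.
            out["birth_year"] = int(value[:4])
        else:
            out[field] = value  # operational fields the software under test needs
    return out


def scrub_dataset(records: list, key: bytes) -> list:
    """Scrub every record in a dataset with the same key so links between rows survive."""
    return [scrub_record(r, key) for r in records]


def contains_direct_identifiers(record: dict) -> bool:
    """Sanity check to run on the output before it is released."""
    return any(f in record for f in DIRECT_IDENTIFIERS | {"dob"})


# Constructed sample records: fictional people, not real donor data.
SAMPLE_RECORDS = [
    {"donor_id": "D-000123", "name": "Jane Doe", "address": "1 Main St, Dublin",
     "phone": "01-555-0100", "dob": "1970-03-14", "blood_group": "O-",
     "last_donation": "2008-01-20", "hep_b": "negative"},
    {"donor_id": "D-000124", "name": "John Roe", "address": "2 High St, Cork",
     "phone": "021-555-0101", "dob": "1985-11-02", "blood_group": "A+",
     "last_donation": "2007-12-05", "hep_b": "negative"},
]

if __name__ == "__main__":
    for row in scrub_dataset(SAMPLE_RECORDS, TEST_KEY):
        print(row)
```

The release check at the end is the part worth automating: a scrub that is not verified on its output is a scrub nobody can vouch for.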

But it is great to know that the IBTS and the New York Blood Centre are both “deeply concerned” about the loss of the data.
Frankly, I’m concerned at the lack of blood flow to the brains in charge of the IBTS.

[1] Irish Times news report

Comments