Friday 24 January 2014

RIP IDA – Strange Life of Ida

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

In his serious youth DMossEsq read Strange Life of Ivan Osokin: A Novel by PD Ouspensky. Chapter 1 opens with:
ON THE SCREEN a scene at Kursk station in Moscow. A bright April day of 1902. A group of friends, who came to see Zinaida Krutitsky and her mother off to the Crimea, stand on the platform by the sleeping-car. Among them Ivan Osokin, a young man about twenty-six ...
Chapter 26, The Turn of the Wheel, opens with:
ON THE SCREEN a scene at Kursk Station in Moscow. A bright April day of 1902. A group of friends who came to see Zinaida Krutitsky and her mother off to the Crimea stand by the sleeping car. Among them is Osokin ...
You get the idea. There's no need to read the intervening chapters. The wheel keeps turning. It's one of hundreds of drearily portentous novels ideal for a certain sort of moody and ignorant teenager. The last words are, predictably:
Osokin looks round, and suddenly an extraordinarily vivid sensation sweeps over him that, if he were not there, everything would be exactly the same.
Profoundly ignorant of course, but not moody enough, DMossEsq had forgotten all about the ghastly Ivan until yesterday, and the publication on the Government Digital Service blog of What is identity assurance? by Janet Hughes.

Here we go again:
Identity assurance is a new service that will give people a secure and convenient way to sign in to government services.
Secure?

Convenient?

The wheel will turn. We know that. Please see Identity assurance. Only the future is certain – doom 1. RIP IDA.

----------

Updated 16:00

PD Ouspensky writes:



Trans:

On her Twitter account Janet Hughes is shown eating a takeaway at what looks like a station.

But which station?

Surely ... no ... it can’t be ... Kursk?

----------

Updated 25.1.14:
"Identity assurance is a new service that will give people a secure and convenient way to sign in to government services", say GDS. Anyone clicking on the link provided by DMossEsq on the word "secure" is taken to his post Hyperinflation hits the unicorn market, which casts doubt on GDS's or anyone else's ability to offer security on the web. It's an attractive object, security, but like unicorns it doesn't exist.

People are well-advised to regard promises of on-line security with scepticism – "We live on a diet of data hacking stories fed to us by the media. Have done for years", says the unicorn post. And anyone clicking on that link is meant to be taken to DMossEsq's list of hacking stories. That list is maintained on http://DematerialisedID.com, an old website of his which, on Thursday, was obliterated by some eHooligan.

It's annoying but in a small way it does sort of make the point, doesn't it? Security?

DMossEsq and his ISP are currently working to resume normal service. In the meantime the list of hacking stories has been moved to here.

Take a look at some of the hacking stories there. Or here. Or take a look at the Home Office's latest attempt to warn people about on-line security. Then ask yourself, how confident are you that GDS can offer security for your personal data stored in their identity assurance system? You be the judge. No-one else will.

Updated 28.1.14:
What is identity assurance? offered "a new service that will give people a secure and convenient way to sign in to government services". Can GDS deliver on that offer?

The question is taken up in a new post today, Security and convenience: Meeting user needs. Security is a user need and "if we don’t fulfil this need, digital services won’t be trustworthy or trusted, so people won’t want to use them". Yes. Obviously.

GDS are due to start testing IDA in the next few weeks with a view to having some services live by the end of the summer with hundreds of thousands of members of the public using them, if not millions. There's not long to go. What are GDS doing about this user need?

Their answer is "we’re trying to stimulate a competitive market for identity assurance as the quickest and most effective way to close the gap between solutions that are convenient and those that provide security ... We expect to see new methods emerge that are more convenient for end users but satisfy the required standards".

IDA goes back to a meeting held on 20 September 2010 if not earlier. Three-and-a-bit years later and they're still "expecting" to see a number of solutions "emerge"? That's the GDS approach to public services?

Good luck with that.

Wednesday 22 January 2014

GreenInk 10: Private Eye Crook of the Year 2014 awards

(Hat tip: No2ID)

Sadly, there seems to have been no space in the latest edition of Private Eye for the following letter:
From: David Moss
Sent: 10 January 2014 14:05
To: Letters to the editor
Subject: The Gnome Business Awards for 2013, p.32, Eye #1357

Sir

Gnome awards Crook of the Year 2013 to James McCormick. He bought novelty golf ball-finders and sold them as explosives detectors to governments whose gullibility or corruption must also be award-winning.

When it comes to the 2014 awards, perhaps Gnome's panel would like to consider the McCormicks selling mass consumer biometrics technology which is meant to identify us uniquely and verify our identity.

Three world-class experts reviewed the literature and determined that biometrics is "out of statistical control". I.e. it's not a science [1]. By way of a practical example, they cite the charade at the US National Institute of Standards and Technology (NIST).

Under the terms of the USA PATRIOT Act 2001 section 403(c)(1), NIST have to certify all biometrics systems before they are deployed to federal law-enforcement agencies. What the scientists at NIST say in their certificates is: "This evaluation does not certify that any of the systems tested meet the requirements of any specific government application". By issuing certificates, NIST abide by the Act even if the certificates say that they haven't got a clue whether the biometrics systems work.

It's not just the USA. The panel will be spoilt for choice [2]. Governments all over the world are handing over public money to McCormicks talking biometricsballs.

Yours

David Moss

2. http://www.planetbiometrics.com/
If only they had seen ENISA's latest report.

ENISA is the European Union Agency for Network and Information Security and in eID Authentication methods in e-Finance and e-Payment services they say:
6.1 Biometrics adoption related risks
The results of the survey show that very few professionals incorporate biometrics as an eIDA method solution for e-banking. The rationale behind this phenomenon is that institutions must be able to comply with the GDPR. There exist legal issues when dealing with personal information (different legislation for every country). In Europe, a specific authorization from customers is required, which is a difficult task, since the majority of people do not feel comfortable with granting permission on the storage of their biometric information (i.e. personal body patterns). This, in general, is only manageable if a strong juridical base exists and the use is adequate, relevant and not abusive in correspondence with the goals and reasons for biometric data to be collected, used or saved, resulting in an important challenge to be addressed.

Moreover, there exist high associated risks, mainly due to the potential attacks to a centralised data base storage of biometrics parameters. The risk of compromise of the biometric information DB (even if it’s encrypted, hashed, etc.) is real and non-acceptable for CISOs and directors of the e-banking sector. The sensitive nature of biometric information: data is compromised forever (i.e. it’s not possible to change the hand print, Iris, fingerprints, etc.), resulting in both high risk, and great responsibility to be accepted, especially if other eIDA methods are suitable.

Another important factor is the usability, since current technologies do not provide 100% of accuracy at the first try. There are still open issues related to the False Rejection Rate (FRR) and the False Acceptance Rate (FAR), which remain open even in scientific experiments or proof of concepts.

In summary, because of the associated risks, the financial sector is still not prepared to use biometry neither as a unique authentication factor nor a second authentication factor.

Biometry is used in emerging countries, where there are no other means of unique identification of the persons, due to lack of governmentally supported credentials, and also in countries where Personal Data protection is not a priority, like it is in EU.

Specialists are working in finding a solution to the high risk associated to using the biometry, and one solution that is being analysed and starting to be implemented is the local storage of biometric identification profiles. This has three advantages: 1) the responsibility of the storage is transferred to the end user, 2) the chances of a successful threat to steal large amount of biometric information is low, because the threat should be successful on many devices and stores, 3) the biometric identification vector doesn’t have to travel over the network.
If the banks don't think that today's mass consumer biometrics are up to the job, why do governments waste our money on this magical non-technology?

Tuesday 21 January 2014

RIP IDA – Obama fails to consult Maude

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

Last week, the US Identity Ecosystem Steering Group (IDESG) held a three-day conference, 14-16 January 2014 at the Georgia Tech Research Institute. It's all very international and there was a one-hour slot on the Wednesday for An Overview of 2014 Plans for the UK Identity Assurance Program. The talk was given by David Rennie of the Government Digital Service (GDS). The sound recording below is for any Brits who might also be interested in our government's plans for us:



The subject matter is identity assurance (IDA), not everyone's cup of tea, and you don't have to listen to all 55'44". There is a summary appended below.

But you might consider sampling odd snatches. Between 21'10" and 21'35", for example, Mr Rennie states that GDS are working with OIX, the Open Identity Exchange, to draft the rules for the trust framework within which the UK's "identity providers" (IDPs) will have to work.

We hoi polloi need to know that we can trust the IDPs. Otherwise we would be imprudent to use them in our on-line dealings with government. And if we don't, then GDS's digital-by-default initiative is a dead duck (RIP).

Steve Wreyford, Mr Rennie's colleague at GDS, told us about this on 15 April 2013. Please see his amusing blog post Delivering Identity Assurance: You must be certified, where we are advised to trust IDPs only if they have been certified trustworthy by tScheme.

The millions of readers of the DMossEsq blog are already up to speed on this one but not necessarily so the IDESG conference. How are they supposed to know about tScheme?

So DMossEsq submitted an on-line question to the conference and you can hear the result in the 43 seconds between 29'48" and 30'31". Mr Rennie tells the conference that:
"All the identity providers will have to be certified by tScheme before we go to full live. They're all going through the certification process at the moment."
There are five UK IDPs. Digidentity, Experian, Mydex, the Post Office and Verizon. You can check on the tScheme website – Experian is the only IDP currently certified and Verizon is the only one that has applied for certification.

So is Mr Rennie right when he says that all the IDPs are "going through the certification process at the moment"? There is some doubt there. It looks as though three of them haven't even applied for certification yet.

It must all be getting a bit tense. GDS want to start Beta-testing IDA behind closed doors "in the next few weeks" (9'00") with a view to going live "at the end of the summer":
  • What happens if the certification process hasn't finished by that time?
  • Suppose that one or more of the IDPs fail their certification. What happens then?
  • What's the point of doing IDA tests with IDPs who might fail to get their tScheme certification?
  • Wouldn't it be better for them to be certified before the tests start?
  • Better still if they were certified before they were appointed as IDPs in the first place.
  • Eight IDPs had been appointed by 16 January 2013. What happened to the other three (Cassidian, Ingeus and PayPal)? Why did they pull out of IDA?
  • What have Digidentity, Mydex and the Post Office been doing all year? Why haven't they even applied to tScheme yet?
  • And are there really five IDPs left or only two?
That last is a question raised by Charlotte Jee's article Beta launch for identity assurance this year on the government computing news website – "an official from the IDA programme ... explained that the first two identity providers will start supporting the scheme from the end of November ...".

Her article was published on 22 October 2013, when November 2013 was still in the future and it made sense to have two IDPs supporting IDA. In the event, there was no IDA to support in November. Or December. What happened? Why were the tests postponed to January or February 2014? Have three more IDPs pulled out? Which three? Why?

We don't know. There has been no explanation. Attendees at Code for America's CfA Summit 2013 conference are going to be pretty surprised. Ex-Guardian man Mike Bracken CBE, the executive director of GDS, told them on 16 October 2013 that "the first [IDA] services run out with our tax system this month". He also told them that "we have about eight or nine companies already providing identity to us". Take your pick – 2, 5, 8, 9, ...


There is a danger here that the Americans are being misled by GDS. The British public, too – we could be being misled.

But that's not all. It seems possible that GDS are misleading themselves. They have two IDA tests coming up in the next few weeks and at 15'25" Mr Rennie calls that having IDA "up and running" and says that GDS have achieved "real live delivery". Only for very low values of "up", "running", "real", "live" and "delivery".

Is misleading themselves becoming endemic?

That seems unfortunately to be entirely possible. Unfortunately, because GDS are in the trust framework as well, not just the IDPs and the public.

The earlier IDA test with Warwickshire County Council which Mr Rennie referred to at 18'05" was reviewed by OIX and was severely criticised. Words like "significant barrier", for example, and "shortcomings" were used. "Considerably more thought needs to be applied", the OIX report said and carried on with "convoluted process", "reluctant", "struggled", "not clear" and "annoying".

And how does Mr Rennie describe the same IDA test? He says it showed that "identity assurance will support the move to digital by default, simplify and improve the customer experience and make service providers more efficient. In short, a virtuous circle of reduced effort, reduced cost and improved customer satisfaction".

And then a kind correspondent sent a link to an extraordinary article in the Huffington Post. Like ex-Guardian man Mike Bracken CBE telling CfA last October to be more like GDS if they want to get on in this world, his political boss Francis Maude has some diplomatic advice for Obama himself:
Cabinet Office Minister Francis Maude Decries 'Old Style' Obamacare Insurance Website
The Huffington Post UK | By Paul Vale
Posted: 09/01/2014 02:43 GMT | Updated: 09/01/2014 03:47 GMT

Speaking on Wednesday, the Cabinet Office minister said that the American government should have learned from the British approach to providing online access to public services, and in particular the success of the UK government's digital programme, including the gov.uk site ...

The minister added that his department had not been consulted by the Obama administration but suggested that they "probably should" get in touch due to the global interest in the British government's IT roll-out ...

"This is something that is a problem for countries that do not have an ID card system and a national ID database," he said. "So it is an issue for countries like ourselves and the UK. The US is going down the same path as we are, but they are some distance behind."
----------

Summary of the points made in David Rennie's talk to IDESG and of the subsequent question and answer session:

David Rennie's talk
"In the next few weeks", two applications will be used to test IDA. Initially, the tests will be "private Betas" (9'00"), the Betas will go public some time in the summer of 2014 (10'25"), the services will go live at the end of the summer and in the next 12 months or so GDS expect IDA to have about 600,000 people on it.

Application #1 will be an on-line record of people's driving licence endorsements (11'40"), with the data available to DVLA, drivers and insurance companies. Application #2 will be a facility for people to amend their tax code (12'40"), with the data available to HMRC and taxpayers.

In the terminology of IDA, DVLA and HMRC are so-called "relying parties" (RPs). They rely on the so-called "identity providers" (IDPs) -- the Post Office, Digidentity, Experian, Mydex, and Verizon -- to assert that you are the driver or taxpayer that you say you are. There are different Levels of Assurance (LoAs), some services will require a high level (4) and others can get by with a lower one (1). The RPs, IDPs, drivers, insurance companies and taxpayers are all linked by GDS's so-called "ID hub" in the confines of a national "trust framework".

GDS hope that, a long way down the line, we will be able to access our health records via IDA (14'20").

GDS are assisted by OIX, the Open Identity Exchange, in developing IDA:
  • OIX publish white papers on IDA matters, including for example the IDA test conducted with Warwickshire County Council (18'05").
  • OIX is the forum where GDS are considering upgrading the ID hub (18'55") to become an "attribute exchange", e.g. the hub should be able to answer questions like "is person X entitled to a Blue Badge, yes/no?".
  • OIX are investigating the involvement of the mobile phone companies (20'30").
  • And OIX is the place where the rules of the trust framework are agreed (21'10").

Question and answer session
Rules of engagement for IDPs (23'10"): the ID hub is entirely GDS's work (24'05") and is built using SAML 2.0; negotiating contracts with the IDPs was difficult (26'20") but the outcome is that they have to agree their procedures with GDS in advance.

Identifiers, e.g. email addresses (28'00"): any identifiers can be used, it's up to the IDPs, as long as they can authenticate who you are and as long as they follow GDS's security standards.

Trust framework (29'50"): it is true that only one of the IDPs currently has tScheme certification (30'20") but all five will eventually have to achieve that standard and they have all begun the process to achieve it.

Existing credentials (30'35"): GDS tried to get the banks to act as IDPs, they were too busy but may yet agree to join the trust framework. Meanwhile, it's up to the IDPs and not GDS to find reliable credentials and to register people.

Business users (32'45"): citizens dealing with government had already been discussed; for businesses dealing with government, GDS plan to provide APIs (33'30"), e.g. there should be an API that allows a new business that has gone through the process of setting up a bank account to use that when registering with Companies House and HMRC, and maybe an API that allows you to start the process of applying for a new passport while booking your summer holiday.

Multiple IDs, pseudonymity, anonymity (35'40"): it's up to the IDPs to decide what satisfies them and it's up to the RPs, too; there are different LoAs, at LoA1 (self-certification) you can use any name you like.

Unobservability (41'10"): GDS is advised on key-signing by GCHQ; the ID hub is designed so that IDPs don't know which RP is asking for identity assurance and RPs don't know which IDP has responded; thanks to No2ID/BBW/PI/...; it's hard to explain to users how the ID hub handles privacy (45'00") but one day it may be possible for them to barter privacy for utility.

OIX (46'15"): the rôle of OIX includes liaising with other national schemes -- US, Canada, Australia, New Zealand; there is an international committee for trust frameworks (54'10").

Trust elevation (52'00"): requirements for LoA3 will be published by the end of the year; a document-checking service will be provided (passports and driving licences) for IDPs.

Thursday 16 January 2014

"The cloud is a giant security and reliability disaster waiting to happen"

Computer Weekly magazine:
Banks should never use the cloud

By Karl Flinders on January 15, 2014 2:44 PM

I have been working on a feature today and going through my interviews have found some interesting stuff.

This one comes from an unnamed source within banking IT. This is what he said when asked about the cloud's role in banking.

"None at all hopefully. The cloud is a giant security and reliability disaster waiting to happen. Banks should keep their systems safely locked away in their own data centres and do all they can to protect the infrastructure and physical security. I hope the cloud is only used for holiday snaps and music. Banks should not go there. We have to remember there are bad guys out there trying to crack into these systems millions of times a day around the world. And they only have to get it right once to cause a major disaster! I would not bank with a firm using the cloud to operate my account or hold my details."

So that's pretty clear then.

I recently wrote this article after an event about the cloud in banking: Is cloud computing almost too good to be true for banks?.
So who should use the cloud? For whom doesn't it matter that the cloud is a giant security and reliability disaster waiting to happen?

Tuesday 14 January 2014

Whitehall schizophrenia – the cartoon

We have noted before that Whitehall is at one and the same time advising individuals and businesses (a) that the web is dangerous and (b) that we should put all our personal data on-line in the cloud. Please see The on-line safety of the mooncalves, 4 July 2013.

Six months later and it's happening again.

The nice Dr Jekyll at the Home Office issued a press release the other day, New campaign urges people to be 'Cyber Streetwise':
A new campaign to change the way people protect themselves from falling victim to cyber criminals has been launched by the government.

The ‘Cyber Streetwise’ campaign aims to change the way people view online safety and provide the public and businesses with the skills and knowledge they need to take control of their cyber security. The campaign includes a new easy-to-use website and online videos.
Meanwhile, thanks to all the nasty Mr Hydes, Whitehall departments are shunting their systems into the cloud as fast as possible with our data in them. No more efficient way of losing control of our data has yet been discovered.

We're used to the schizophrenia.

That's now been joined by infantilism.

We already have a grown-up website giving us advice how to protect ourselves on the web, Get Safe Online. The new website seems to have been designed for children, Cyber Streetwise.

What did we do in our previous lives to deserve this:


----------

Updated 14.2.14

It transpires that the National Cyber Security Programme is spending £4 million on the Cyber Streetwise campaign, which is said to "look like a site aimed at children rather than adults and business owners". The Office of Cyber Security & Information Assurance (OCSIA), whose campaign it is, comes under Francis Maude.

Seven professors and a virtuous circle

Interoperability between central and local government identity assurance schemes

The project highlighted the issue of accurate data matching, specifically the matching of names and addresses originating from different sources. (p.9)

The complexity of data matching may present a significant barrier to implementation by Service Providers. (p.10)

The project has highlighted shortcomings in the user journey arising from the technical implementation of the IDA Scheme. (p.10)

... considerably more thought needs to be applied in this area [stepping up from LoA1 to LoA2] if it is to become a viable proposition going forward. (p.10)

... at the time of this project, the functionality required to deliver user data directly within the IDA Scheme [to create a new account] had yet to be developed ... The consequence is that the user is faced with a convoluted process when using the IDA Scheme for the first time. (p.11)

User experience testing was performed in a laboratory environment and involved 5 [sic] users on a one-to-one basis with an experienced research facilitator provided by GDS. Each user had extensive experience of online services including internet banking, government services and social media such as Facebook and Twitter ... The feedback from the small sample of users was generally fairly consistent. (p.12)

Most users would be very reluctant to use their social media accounts with a government site, the prevailing view being that their social life is distinctly separate to doing “business” with government. The issue of privacy and the feeling that government would be able to “see my social life”, or that government transactions would appear in their social media profiles, was of concern. (p.12)

The Hub ... users often struggled as they sought to understand how this method of signing in to government services worked. The Hub service provided the user with a link to a video clip that described the scheme and its purpose ... (pp.12-3)

Users were not clear why private sector companies were being used to carry out identity assurance on behalf of government. (p.13)

Some aspects of the registration processes proved annoying to the users ... (p.13)
GDS, the Government Digital Service, used Warwickshire County Council to alpha test IDA, the identity assurance system they have been putting together for some years now.

The alpha was reported on by OIX, the Open Identity Exchange. A selection of their findings is reproduced alongside.

Certain words and phrases stand out. "Significant barrier", for example, and "shortcomings". "Considerably more thought needs to be applied", "convoluted process", "reluctant" and "struggled". "Not clear" and "annoying".

The alpha was also reported on by David Rennie, a member of GDS, in Steering Collaboration, 26 November 2013. He says:
The alpha project was used to test integration between identity providers and the identity assurance hub and provides insights about how users of local authority services respond to the concept. The alpha found that identity assurance will support the move to digital by default, simplify and improve the customer experience and make service providers more efficient. In short, a virtuous circle of reduced effort, reduced cost and improved customer satisfaction.
You wouldn't know he was talking about the same test, would you?

The disconnect is total.

What's going on?

In their book The Blunders of Our Governments Professors Anthony King and Ivor Crewe talk about several of the causes of failure in government projects. Among them, group-think, which they blame for the Poll Tax, for example.

Group-think was given its first academic treatment apparently by Irving J Janis, a US psychology professor. Messrs King and Crewe have this to say about it (pp.255-6):

According to Janis, whose views are now almost universally accepted, group-think is liable to occur when the members of any face-to-face group feel under pressure to maintain the group's cohesion or are anyway inclined to want to do that.

It is also liable to occur when the group in question feels threatened by an outside group or comes, for whatever reason, to regard one or more outside individuals or groups as alien or hostile.

Group-think need not always, but often does, manifest itself in pathological ways. A majority of the group's members may become intolerant of dissenting voices within the group and find ways, subtle or overt, of silencing them. Individual group members may begin to engage in self-censorship, suppressing any doubts they harbour about courses of action that the group seems intent on adopting. Latent disagreements may thus fail to surface, one result being that the members of the group come to believe they are unanimous when in reality they may not be.

Meanwhile, the group is likely to become increasingly reluctant to engage with outsiders and to seek out information that might run counter to any emerging consensus. If unwelcome information does happen to come the group's way it is likely to be discounted or disregarded. Warning signs are ignored. The group at the same time fails to engage in rigorous reality-testing, with possible alternative courses of action not being realistically appraised.

Group-think is also, in Janis's view, liable to create “an illusion of invulnerability, shared by most or all the members, which creates excessive optimism and encourages taking extreme risks”. Not least, those indulging in group-think are liable to persuade themselves that the majority of their opponents and critics are, if not actually wicked, then at least stupid, misguided and probably self-interested.

It's not just the Warwickshire County Council alpha test. Once you've got the group-think idea in your head, the examples start to multiply.

For example, it is a year now since four professors published their draft review of GDS's digital strategy. They were not impressed. GDS's response? They have ignored the professors' criticisms. They have "discounted or disregarded" them.

Is that a problem? Or is it a "virtuous circle of reduced effort, reduced cost and improved customer satisfaction"?

RIP IDA – Warwickshire County Council

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

"Happy new you", says Steve Wreyford.

He's the Government Digital Service man (GDS), you'll remember, the sexton, digging the grave for IDA, GDS's identity assurance programme.

"Identity Assurance gets closer to market", he told us over 18 months ago, on 25 May 2012. Four days later we learned from him that "Identity Assurance goes to Washington", which is all very well, but was IDA coming to the UK?

The answer wasn't clear but, next best thing, OIX – "Cabinet Office joins the Open Identity Exchange". That was 14 June 2012. Then there were months of silence before Mr Wreyford claimed that IDA was "Less About Identity, More About Trust" (4 October 2012). Our privacy would be respected by IDA and we would be in control of our data. How? No answer.

Roll forward to 14 November 2012. "Identity assurance – Stepping Up A Gear". And about time too. After all, at this stage, the promise was that IDA would be ready for 21 million benefit claimants by March 2013. Anyway, at least Mr Wreyford now had seven "identity providers" (IDPs), with the promise of an eighth one coming soon. And indeed, only two months later, on 17 January 2013, PayPal joined the IDP fold, "To Identity and Beyond".

But what's this we read? "Of course, this is just the beginning of the process. The real work of realising our ambitions for identity assurance services can now begin." Were the 21 million benefit claimants going to get IDA by March?

No.

Instead, GDS went off to South Yorkshire "to test the theory that if you make it easy for people to establish their identity when accessing digital public services, people will choose to access them digitally rather than pick up the phone or go to a branch", please see "Identity Alphas", 12 March 2013.

Three people are believed to have taken part in that test, although the figure was later revised upwards to 15. But not to 21 million.

Sextons need a sense of humour and on 15 April 2013 Mr Wreyford wrote "Delivering Identity Assurance: You must be certified", in which he answered the question how do we members of the public know if we can trust a digital service. Answer, the supplier will be certified by tScheme, an organisation that claims to have worked out how to measure trust. But how do you know if you can trust tScheme?

Further, as one fusspot commenting on Mr Wreyford's post said: "Possibly a silly question – and I may not be reading the article correctly – but shouldn't the [identity] providers be certified *before* being appointed?".

Public performers know how to handle this sort of contumely. Quick as a flash, Mr Wreyford organised the "Digital Identity Summit", 15 October 2013, where GDS were joined by "Australia, Canada, Denmark, Japan, New Zealand and Sweden (sadly the United States were unable to join us due to the shutdown)".

Which may be why there was no time to conduct the HMRC PAYE on-line trial which had been promised for October 2013.

Luckily, while he was busy with the summit, CESG helped by producing "Good Practice Guide 46", 18 October 2013, which good practice may or may not have been implemented in the ID hub which appeared from nowhere on 30 October 2013, "A hub is born", which, in turn, brings us, finally, to "Happy new you", where we started: "Before the end of this year [2014] you’ll be able to use our service to prove that you are who you say you are online. A whole new you, if you like".

We've heard that before, of course. IDA was meant to be live in 2013. And in 2012. Will 2014 be any better? Is there a whole new Steve Wreyford, perhaps? A whole new sexton?

It's wrong to concentrate on Steve Wreyford. He's just the sexton. The senior responsible owner of the graveyard is ex-Guardian man Mike Bracken CBE.

He's the one who said all those years ago on 1 March 2012 that: "GDS has been working closely with DWP to revise the OJEU and agree it with other Departments. In the first instance, IDA digital services will be used to support Universal Credit and the Personal Independence Payment, which from 2013 will replace DWP’s current benefit system". That was in "Identity: One small step for all of Government". In the event, DWP missed their deadline. So did GDS.

And he's the one who, on 16 October 2013, gave the Code for America Summit 2013 the impression that IDA already provides proof of identity to 45 million users.

Is there any reason to believe that 2014 will be the year?

We don't know what happened in the South Yorkshire trial. That can't give us any hope. We know that relations with DWP are rocky. Also with the Electoral Commission. We know that the HMRC trial planned for October 2013 didn't take place. And we know that CloudStore keeps falling over ever since GDS took charge of it – we can't have the ID hub falling over, life would stop.

There is one other potential source of hope.

Warwickshire.

Interoperability between central and local government identity assurance schemes

The project highlighted the issue of accurate data matching, specifically the matching of names and addresses originating from different sources. (p.9)

The complexity of data matching may present a significant barrier to implementation by Service Providers. (p.10)

The project has highlighted shortcomings in the user journey arising from the technical implementation of the IDA Scheme. (p.10)

...  considerably more thought needs to be applied in this area [stepping up from LoA1 to LoA2] if it is to become a viable proposition going forward. (p.10)

... at the time of this project, the functionality required to deliver user data directly within the IDA Scheme [to create a new account] had yet to be developed ... The consequence is that the user is faced with a convoluted process when using the IDA Scheme for the first time. (p.11)

User experience testing was performed in a laboratory environment and involved 5 [sic] users on a one-to-one basis with an experienced research facilitator provided by GDS. Each user had extensive experience of online services including internet banking, government services and social media such as Facebook and Twitter ... The feedback from the small sample of users was generally fairly consistent. (p.12)

Most users would be very reluctant to use their social media accounts with a government site, the prevailing view being that their social life is distinctly separate to doing “business” with government. The issue of privacy and the feeling that government would be able to “see my social life”, or that government transactions would appear in their social media profiles, was of concern. (p.12)

The Hub ... users often struggled as they sought to understand how this method of signing in to government services worked. The Hub service provided the user with a link to a video clip that described the scheme and its purpose ... (pp.12-3)

Users were not clear why private sector companies were being used to carry out identity assurance on behalf of government. (p.13)

Some aspects of the registration processes proved annoying to the users ... (p.13)
Warwickshire County Council conducted a trial of IDA – a very limited, primitive trial:

  • They worked with GDS and three of GDS's IDPs – Mydex, PayPal and Verizon (p.7). We don't know when this trial took place. It must have been some time before 3 September 2013 when we learned that PayPal are no longer in the IDA "framework", they've pulled out. One other thing we know is that none of these three is certified by tScheme – as Steve Wreyford has warned us, they are therefore not to be trusted.
  • P.5 of OIX's report on the trial says: "The IDA Scheme will eventually support the four recognized levels of identity assurance (as set out in GPG45). In most cases in local government, online services will require a Level of Assurance 1 or 2 (LoA1, LoA2). ... LoA2 is significant in that it is a level of assurance that would be expected to stand up in a Civil Court of Law in England and Wales, but not in a Criminal Court". That's all they tested. This trial can tell us nothing about IDA being proof against fraud, a criminal offence, obviously.
  • There is some mention of privacy (p.6) but the extent to which users can be confident that they are in control of their own data was not tested. In the absence of any such test users would be well advised to assume that they can have no confidence on that score.
  • "The principle [sic] areas of investigation were ... Users’ acceptance of social media IDs as a means of obtaining personal information for transactions requiring low levels of trust" (p.8). As anyone could have predicted, the sensible people of Warwickshire weren't having any of that nonsense.
  • The idea was to see what happens if users try to use IDA to avail themselves of services provided by (a) Warwickshire County Council and (b) DVLA, the Driver and Vehicle Licensing Agency. But not the real Warwickshire County Council and not the real DVLA: "The project utilised two Service Providers. The first was a mocked-up central government agency, the Driver and Vehicle Licensing Agency (DVLA) and the second a mocked-up WCC site". Again, the results of the trial must be of limited value.
And what were those results?

They are shown in the sidebar alongside. And they are not flattering to IDA.

The Cabinet Office has had since at least 20 September 2010 to work on IDA. Over three years. And there's clearly a long way to go still, before they have a product.

Not a shining example of agile software engineering.

Nor of the "simpler, clearer, faster" motto of GOV.UK – not if users have to stop and watch a video before they can use the ID hub. "The feedback from the small sample of users was generally fairly consistent", we learn. Consistently what? Hostile? Baffled? Incredulous?

Would the Major Projects Authority give IDA an amber/red rating? Or would they go straight to red?

What is it with GDS and data-matching? Why can't they do it? That was one of the problems they had working with the Electoral Commission.

Warwickshire County Council were hoping that IDA would help them to save money, in view of the cuts being made to local government budgets. In the event, they can have no idea how much IDA would cost to operate. For all they know after this trial, it might be cheaper for DWP staff, for example, to visit people at home.

"Cuts in numbers and pay restraints have combined with mounting evidence of unfitness, for example in commissioning and contracting, together with the profound unwillingness of serving civil servants to think outside the Whitehall box – which increasingly resembles a coffin". That was David Walker writing in the Guardian yesterday.

Coffin?

We've got just the man.


Sunday 12 January 2014

Agile is the opposite of waterfall – no

The Iguazu Falls (healthy/agile)
The Department for Work and Pensions have written off millions of pounds spent on developing IT for Universal Credit and we expect the write-off to rise into the hundreds of millions.

How can we stop intelligent organisations from wasting money like this?

Over and over again we are told that the answer is "agile".

Use "agile" software engineering methods and the waste will be minimised.

How? What problem is "agile" solving?

Over and over again we are told that "agile" is to be contrasted with "waterfall". Waste is endemic in "waterfall" software engineering methods. That's the problem. And "agile" will solve it – that's the suggestion.

That's the suggestion made by ex-Guardian man Mike Bracken CBE, for example, when he was over in the US telling the Americans how to do government IT last October:
What is your reaction to HealthCare.gov and what you're reading and seeing regarding failures of what was meant to be an Expedia shopping for health coverage?

Yeah ... I'll say this with no sense of enjoyment whatsoever, but it feels a bit like Groundhog Day to where we were three or four years ago. Hundreds of millions of dollars, large-scale IT enterprise technology, no real user testing, no real focus on end users, all done behind a black box, and not in an agile way but in a big waterfall way, which is a software methodology. And basically not proven good value, and I'm afraid to say I've got example after example in the U.K. in the past where we've had that experience. So it looks just like one of those.
As a further example, that's the suggestion in Richard Bacon MP and Christopher Hope's Conundrum: Why every government gets things wrong and what we can do about it, pp.240-1:
The traditional approach to software development is often known as 'waterfall' development: that is, you plan, build, test, review and then deploy, in a relentless cascade. But some IT industry players regard this practice as the chief problem ... A rather different answer which has emerged in the last ten to fifteen years has been what are called 'Agile Systems', perhaps best described as a philosophical movement in action within the software industry.
Niagara Falls, January 2014 (unhealthy/DWP)
The suggestion is nonsense. There's nothing wrong with the "waterfall" method. You can't get away from the "waterfall" method. All the "waterfall" method says is that you can't deploy a system until you've coded and tested it and you can't code and test it until you've designed it and you can't design it until you've analysed the requirements.

If you reject the "waterfall" method, you must believe that you should start designing a system before you know what's required and if you believe that then you're no use to the benefit claimants who need Universal Credit.

All that its proponents tell us about "agile" is that it's not "waterfall". But the "waterfall" method is right. It's the only method there is. It must be. There it is right bang in the middle of the "agile" method professed by ex-Guardian man Mike Bracken CBE's Government Digital Service – first you have a discovery phase, then an alpha and a beta, then you go live. That's a waterfall.

You can iterate, of course. You can have one release/deployment after another as the system is maintained and enhanced. But what you're iterating is a waterfall. There is no escape from the waterfall. And no need to escape from it. What would you be escaping from? From the belief that you must analyse before you design? But that's madness.

Madness won't solve DWP's problems. And those problems are not diagnosed simply by saying "waterfall" as though that's all bad and "agile", whatever it is, as though that's all good.

This distinction being touted between "agile" and "waterfall" is false.

----------

The picture of Mr Boehm's spiral has been added, as have the hyperlinks in the four citations at the end, but otherwise unchanged, here's an extract from someone's essay written 12 years ago in February 2002 as part of his MSc in software engineering, taken after 25 years of doing the job. For what it's worth:

Waterfall

... After that, it is pleasant to come back to the chirpy school magazine style of Requirenautics Quarterly [[1]]. There is not a megalomaniac or religious fanatic in sight and it is packed with sensible articles: a quick review by Ian Alexander of Barry Boehm's WinWin including a copy of every IT man's favourite cartoon; a long article by Ralph Young on how to help everyone; a good contrarian contribution by Richard Veryard in praise of scope creep; some helpful thoughts on abstraction and scenario-building by Ian Alexander; and a long series of book reviews contributed by the same man.

One of the book reviews covers Ralph Young's book, Effective Requirements Practices. The review is witty, sensible, fair and acute but there is one sore thumb sticking out of it. Quite out of the blue, Mr Alexander writes (p.12):

... Something that they both agree on [Michael Jackson and Ralph Young] is that the waterfall model is inadequate: engineering development certainly does not follow a straight line path.
Why does he say this? It adds nothing to his review. It is gratuitous cruelty. The waterfall model is like some unfortunate dog that no-one can pass without kicking. Some people will even go to the trouble of crossing the road just so that they can kick it: Mr Alexander, for example; and Messrs Bowen and Hinchey in their Ten Commandments of Formal Methods [[2]] – you would think that they had enough on their plate but, no (8th commandment):

... System development is by no means a straight-forward one-pass process. Royce's 'Waterfall' model of system development [[3]] was abandoned because of the simplistic view it held of system development ....
People have been kicking it for years; kicking it seems to be an 11th commandment; but there's something funny about this dog – it's still there, it's always there, it doesn't matter how much you kick it, it just won't go away. Why?

The waterfall method is supposed to be all wrong. How silly to think that a specification can ever be finished or that development can ever end! Well, yes, it is silly, but who ever thought that? The merest charwoman knows that she must dust over and over again, the dust keeps coming and she must keep dusting it away.

Are we to suppose that once upon a time, in some dark age or some foreign country, users and system developers didn't realise this, unlike charwomen, and thought that requirements could be fixed finally and forever? Show me one of these system developers. Introduce me to one of these mythical users who would sign off a specification and then wait patiently and confidently for six years to have the perfect system delivered. I don't think they ever existed. Attacks on the waterfall method are attacks on an Aunt Sally.

"What about Government contracts, then", you may ask? "They always insist on quoting a fixed fee for a fixed specification." Do they? Show me. I'd be interested. I've never seen a government contract. Perhaps they are as stupid as you suggest. Silly old government. But perhaps they aren't. Perhaps the contracts do allow for change.

If you attack the waterfall method, does that mean that you think that you shouldn't analyse and design before you start coding? No, it is generally recognised that actually that is a rather sensible order to perform these tasks in.

You can play games with the topology, of course:

·  You can say that the evolutionary method is better than the waterfall method. But all you've done then is to string out system development into a long series of ... waterfall cycles, each iteration with a bit of requirements capture followed by a bit of design followed by a bit of implementation and, yes, we'd probably better have a spot of acceptance testing before going into production. You're still using the waterfall method and, frankly, it would be surprising if you weren't.

·  Alternatively, if you really can't stand straight lines, spirals may be more your bag, with quick access from one iteration to the next, optionally cutting out a few phases of the waterfall cycle. But you're still actually acknowledging that the waterfall model is there, wrapped up in one of Mr Boehm's spirals. You can't get away from it and there is no reason to try.

What does this achieve? It reinforces the point that all the processes involved in system development have to be performed iteratively and that progress is incremental. That should always have been clear anyway. It doesn't add anything to the original model and it doesn't make the original model wrong.

So, I think that it may be time now for us to stop kicking the poor old dog. We should give it a shower, start feeding it properly and take it out for walks with us. The waterfall model should be treated as the long-suffering, worthy and faithful member of the software engineering family that it has always been. This dog deserves our warm regard and respect.

After 30 years of this sort of vilification Mr Royce, the dog's breeder, has probably suffered his own Darkness At Noon [[4]] and brain-washed himself into believing that the waterfall model is a legitimate target for any passing boot. He should be rehabilitated.



[1] Requirenautics Quarterly, BCS RESG, Issue 24, July 2001.
[2] Bowen, Jonathan P. & Hinchey, Michael G., Ten Commandments of Formal Methods.
[3] Royce, W.W., "Managing the Development of Large Software Systems", Proc. WESTCON'70, August 1970.
[4] Koestler, Arthur, Darkness At Noon, Jonathan Cape, 1940.
__________________________________________________________________