Just to remind you, some time over the next 168 hours, as promised, we shall see the first ever fruits of the Government Digital Service's identity assurance programme. We shall all be able to amend our tax codes through an on-line connection to HMRC.
Extraordinary, but they won't have the field to themselves.
Remember midata, the latter-day South Sea Bubble being blown by the Department for Business Innovation and Skills? They've been "fanning the flames of innovation" round at the midata Innovation Lab and some time over the next 168 hours we are promised a glimpse of the fruits of their labours, too.
At last, new apps to empower us and improve our lifestyles and make the economy grow.
There's not a single mooncalf left in the world who believes that these apps will be free, is there?
Suppose, just for the sake of argument, that the DMossEsq blog is right and that there is no such thing as a secure website.
Then it would be a mistake for any supplier to try to sell you a service on that basis – the secure website sales pitch undermines trust in any supplier using it. At least two of GDS's "identity providers" do just that. Mydex and Verizon both promise you security. That's a mistake. There are no unicorns for them to deliver.
Better, surely, to say that every effort will be made to keep your personal data secure, but security can't be guaranteed.
We have a sad new example of the problem. Experian Sold Consumer Data to ID Theft Service. It should be made clear that Experian didn't mean to sell consumer data to ID thieves and that they're co-operating fully with the police investigations. But it happened.
Experian, like Mydex and Verizon, are UK "identity providers", on whom GDS's identity assurance programme depends.
The best you can hope for is that security breaches will be kept to an affordable minimum. How do you achieve that? Answer, you make the supplier of the on-line service responsible for losses.
How have the UK retail banks managed so well to maintain public trust in on-line banking? By paying – when you are defrauded, the banks have to compensate you.
That works (para.6).
Friday, 25 October 2013
Next week's news
Just to remind you, some time over the next 168 hours, as promised, we shall see the first ever fruits of the Government Digital Service's identity assurance programme. We shall all be able to amend our tax codes through an on-line connection to HMRC.
Extraordinary, but they won't have the field to themselves.
Remember midata, the latter-day South Sea Bubble being blown by the Department for Business Innovation and Skills? They've been "fanning the flames of innovation" round at the midata Innovation Lab and some time over the next 168 hours we are promised a glimpse of the fruits of their labours, too.
At last, new apps to empower us and improve our lifestyles and make the economy grow.
Extraordinary, but they won't have the field to themselves.
Remember midata, the latter-day South Sea Bubble being blown by the Department for Business Innovation and Skills? They've been "fanning the flames of innovation" round at the midata Innovation Lab and some time over the next 168 hours we are promised a glimpse of the fruits of their labours, too.
At last, new apps to empower us and improve our lifestyles and make the economy grow.
Tuesday, 22 October 2013
Cloud computing and the sizzling Stephen Fry
Mr Fry has made only one appearance on this blog so far. That was in connection with the UK government's vile bid to introduce press regulation.
Many more posts have covered the inept marketing device of comparing cloud computing with the utilities:
Utility prices keep going up. Large numbers of people already find themselves in fuel poverty. Now we are promised that it will soon cost £1,500 a year to supply our homes with gas and electricity. What kind of a model is that for cloud computing? Not an attractive one – IT poverty, anyone?
The analogy is inept. When you buy gas, say, you pay money and the gas company supplies gas. Done. With cloud computing, you pay money and you hand over all your data and the cloud computing company supplies some service. You are paying to lose control of your data.
It's a simple point. And irrefutable.
But Databarracks, the cloud computing company, cannot be numbered among the millions of readers of DMossEsq. Because, you won't believe it, they've just scored an unenviable double. Stephen Fry and the cloud computing-utility analogy all in one.
Many more posts have covered the inept marketing device of comparing cloud computing with the utilities:
- 27 September 2012: Government Digital Service, G-Cloud, log-rolling, size matters
- 28 September 2012: Whitehall, an apology – they haven't gone mad, they're just lying
- 1 October 2012: Cloud computing and the Gadarene lemmings of Whitehall
- 16 October 2012: GDS – the user experience of misfeasance in public office
- 17 October 2012: Skyscape? Yes? No? Akamai? Maybe? Where is GOV.UK?
- 19 October 2012: Cloud computing turns IT into a utility, and that's a good thing?
- 24 October 2012: HMRC and Skyscape 2
- 8 November 2012: UC soon to be/already is Steve Doverless
- 13 November 2012: Cloud computing, and GDS's fantasy strategy
- 19 December 2012: Cloud computing supplier raises doubts about cloud computing suppliers – "suicidal mission with no exit"
- 1 April 2013: Cloud computing – away with the fairies
- 22 May 2013: Is CloudStore entirely legal?
- 11 September 2013: Public services under a cloud
- 26 September 2013: G-Cloud and lavatory paper
- to name but a few.
Utility prices keep going up. Large numbers of people already find themselves in fuel poverty. Now we are promised that it will soon cost £1,500 a year to supply our homes with gas and electricity. What kind of a model is that for cloud computing? Not an attractive one – IT poverty, anyone?
The analogy is inept. When you buy gas, say, you pay money and the gas company supplies gas. Done. With cloud computing, you pay money and you hand over all your data and the cloud computing company supplies some service. You are paying to lose control of your data.
It's a simple point. And irrefutable.
But Databarracks, the cloud computing company, cannot be numbered among the millions of readers of DMossEsq. Because, you won't believe it, they've just scored an unenviable double. Stephen Fry and the cloud computing-utility analogy all in one.
A treble, really, when you see that they employ the tiredest trick in the marketing armoury, a six-minute history of the world suggesting that the progress of civilisation has been leading ineluctably to this point, where you have to have whatever goods or services the marketing company's client is trying to flog:
Cloud computing and the sizzling Stephen Fry
Mr Fry has made only one appearance on this blog so far. That was in connection with the UK government's vile bid to introduce press regulation.
Many more posts have covered the inept marketing device of comparing cloud computing with the utilities:
Many more posts have covered the inept marketing device of comparing cloud computing with the utilities:
- 27 September 2012: Government Digital Service, G-Cloud, log-rolling, size matters
- 28 September 2012: Whitehall, an apology – they haven't gone mad, they're just lying
- 1 October 2012: Cloud computing and the Gadarene lemmings of Whitehall
- 16 October 2012: GDS – the user experience of misfeasance in public office
- 17 October 2012: Skyscape? Yes? No? Akamai? Maybe? Where is GOV.UK?
- 19 October 2012: Cloud computing turns IT into a utility, and that's a good thing?
- 24 October 2012: HMRC and Skyscape 2
- 8 November 2012: UC soon to be/already is Steve Doverless
- 13 November 2012: Cloud computing, and GDS's fantasy strategy
- 19 December 2012: Cloud computing supplier raises doubts about cloud computing suppliers – "suicidal mission with no exit"
- 1 April 2013: Cloud computing – away with the fairies
- 22 May 2013: Is CloudStore entirely legal?
- 11 September 2013: Public services under a cloud
- 26 September 2013: G-Cloud and lavatory paper
- to name but a few.
Hyperinflation hits the unicorn market
We live on a diet of data hacking stories fed to us by the media. Have done for years.
There's no defence. Not for us mooncalves. Not even for US defence contractors, who should know all about cybersecurity but who nevertheless managed to lose, among other things, the designs for the F-22 and F-35 fighter jets.
"Every day, all around the world, thousands of IT systems are compromised", says Iain Lobhan, the Director of GCHQ. He should know.
The upshot is clear – there is no such thing as a secure website. Secure websites are like unicorns. They don't exist.
When the Department for Business Innovation and Skills, for example, talk about work on their midata initiative and tell us that "this work is still in development by the midata programme participants, but broadly the proposal is that to gain access to their Personal Data Inventory, the customer would have to log-in to a secure website where ..." they might as well advise us to log in to a unicorn.
The suppliers whose business depends on selling us secure websites know this. How are they going to convince us to carry on paying for unicorns?
They've got a tough job.
One approach is to stop talking about mere secure websites and to offer instead super secure websites, as we saw the other day: "Mydex is providing the super secure Personal Data Store (PDS) for identity verification that will ...".
Superunicorns?
That's a bit weak. Either these resources are secure or they're not. It's like being pregnant – indistinguishable from being superpregnant.
But having embarked on that course, there's only one way to go: "The Mydex Trust Framework is a set of legal and technical rules by which members of a network agree to operate in order to achieve trust online. At its core it delivers a trusted digital identity, a hyper secure personal data store and platform from which individuals can connect to each other and organisations for the bi-directional exchange of information in a secure and verified manner".
Hyperunicorns?
What next?
No unicorns, no trust
Judging by that last example, what's next is a thoroughgoing mangling of the concept of trust. Unless you believe in unicorns, when someone offers you a trust framework or a supertrust framework or a hypertrust superframework, be warned. Be superwarned. Be hyperwarned.
----------
Updated 11.4.14
The day before yesterday Murad Ahmed warned us in the Times:
In a crowded field of experts, readers are recommended to believe Bruce Schneier when he says: "On the scale of 1 to 10, this is an 11":
Updated 19.11.14
The CloudStore has been re-written for the second or third time and re-named the Digital Marketplace. No surprise to DMossEsq's millions of readers.
The Government Digital Service (GDS) have written about it on their blog, please see Digital Marketplace: building a digital by default service. They have nothing to say about digital marketplaces.
They just bang on about their digital by default service standard.
That's the standard they were following, presumably, which meant that we now apply to register to vote in the UK using a system which has to work without GDS's identity assurance (IDA).
Not ideal but perhaps just as well since the first public service which incorporates a public test version of IDA seems to be unusable, despite satisfying all 26 criteria of the digital by default service standard. Bad luck DEFRA.
And good luck to all those G-Cloud suppliers who will rely on the Digital Marketplace and to the central and local government departments who try to buy services from them – just look at the logo GDS have chosen.
Updated 23.2.15
Some people never learn.
The media have stories every day about internet security breaches. The latest story that has burrowed through DMossEsq's thick skull concerns the US State Department.
Blomberg report that the State Department's email service was infiltrated several months ago and that, despite the most expert efforts, it remains infiltrated.
If the State Department can't deliver security there is no reason to believe that the UK's chirpy little Government Digital Service can. And yet, refusing to learn, these dinosaurs continue to offer the unicorn of internet security.
If you are tempted to sign up for their GOV.UK Verify identity assurance service (RIP), the first thing GDS tell you is that that it's secure. Who is there left on the planet who might believe that?
"Infallible security"?
This is the sales pitch of an unreconstructed mountebank. It might have worked in the 20th century. It can't work in the 21st.
There's no defence. Not for us mooncalves. Not even for US defence contractors, who should know all about cybersecurity but who nevertheless managed to lose, among other things, the designs for the F-22 and F-35 fighter jets.
"Every day, all around the world, thousands of IT systems are compromised", says Iain Lobhan, the Director of GCHQ. He should know.
The upshot is clear – there is no such thing as a secure website. Secure websites are like unicorns. They don't exist.
When the Department for Business Innovation and Skills, for example, talk about work on their midata initiative and tell us that "this work is still in development by the midata programme participants, but broadly the proposal is that to gain access to their Personal Data Inventory, the customer would have to log-in to a secure website where ..." they might as well advise us to log in to a unicorn.
The suppliers whose business depends on selling us secure websites know this. How are they going to convince us to carry on paying for unicorns?
They've got a tough job.
One approach is to stop talking about mere secure websites and to offer instead super secure websites, as we saw the other day: "Mydex is providing the super secure Personal Data Store (PDS) for identity verification that will ...".
Superunicorns?
That's a bit weak. Either these resources are secure or they're not. It's like being pregnant – indistinguishable from being superpregnant.
But having embarked on that course, there's only one way to go: "The Mydex Trust Framework is a set of legal and technical rules by which members of a network agree to operate in order to achieve trust online. At its core it delivers a trusted digital identity, a hyper secure personal data store and platform from which individuals can connect to each other and organisations for the bi-directional exchange of information in a secure and verified manner".
Hyperunicorns?
What next?
No unicorns, no trust
Judging by that last example, what's next is a thoroughgoing mangling of the concept of trust. Unless you believe in unicorns, when someone offers you a trust framework or a supertrust framework or a hypertrust superframework, be warned. Be superwarned. Be hyperwarned.
----------
Updated 11.4.14
The day before yesterday Murad Ahmed warned us in the Times:
How important is that?
Bug puts internet passwords at risk
... Security researchers said they have discovered the “heartbleed bug”, which is a problem in the way the majority of websites encrypt their sensitive data. About 60 per cent of websites use the affected software, known as OpenSSL – a way of protecting information such as names, passwords, messages and financial information as it passes between computers ...
In a crowded field of experts, readers are recommended to believe Bruce Schneier when he says: "On the scale of 1 to 10, this is an 11":
To reiterate. If someone promises you a secure website, remember, whether they know it or not, it's really not in their gift, it doesn't exist, it's a unicorn, be hyperwarned.
Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
Half a million sites are vulnerable, including my own. Test your vulnerability here.
Updated 19.11.14
The CloudStore has been re-written for the second or third time and re-named the Digital Marketplace. No surprise to DMossEsq's millions of readers.
The Government Digital Service (GDS) have written about it on their blog, please see Digital Marketplace: building a digital by default service. They have nothing to say about digital marketplaces.
They just bang on about their digital by default service standard.
Not ideal but perhaps just as well since the first public service which incorporates a public test version of IDA seems to be unusable, despite satisfying all 26 criteria of the digital by default service standard. Bad luck DEFRA.
And good luck to all those G-Cloud suppliers who will rely on the Digital Marketplace and to the central and local government departments who try to buy services from them – just look at the logo GDS have chosen.
Updated 23.2.15
Some people never learn.
The media have stories every day about internet security breaches. The latest story that has burrowed through DMossEsq's thick skull concerns the US State Department.
Blomberg report that the State Department's email service was infiltrated several months ago and that, despite the most expert efforts, it remains infiltrated.
If the State Department can't deliver security there is no reason to believe that the UK's chirpy little Government Digital Service can. And yet, refusing to learn, these dinosaurs continue to offer the unicorn of internet security.
If you are tempted to sign up for their GOV.UK Verify identity assurance service (RIP), the first thing GDS tell you is that that it's secure. Who is there left on the planet who might believe that?
Far from helping to prevent identity theft, GOV.UK Verify is more likely to promote it by centralising the entire population's personal information in the databases of just a few "identity providers".
Not only do GDS want to centralise all personal information, they also want you to give up the relative safety of multiple logon IDs and passwords and replace it with a single key to your kingdom.
If against all the odds you pursue this wild goose chase and choose Digidentity as your GDS-sponsored "identity provider", they go even further:
This is the sales pitch of an unreconstructed mountebank. It might have worked in the 20th century. It can't work in the 21st.
Hyperinflation hits the unicorn market
We live on a diet of data hacking stories fed to us by the media. Have done for years.
There's no defence. Not for us mooncalves. Not even for US defence contractors, who should know all about cybersecurity but who nevertheless managed to lose, among other things, the designs for the F-22 and F-35 fighter jets.
"Every day, all around the world, thousands of IT systems are compromised", says Iain Lobhan, the Director of GCHQ. He should know.
The upshot is clear – there is no such thing as a secure website. Secure websites are like unicorns. They don't exist.
There's no defence. Not for us mooncalves. Not even for US defence contractors, who should know all about cybersecurity but who nevertheless managed to lose, among other things, the designs for the F-22 and F-35 fighter jets.
"Every day, all around the world, thousands of IT systems are compromised", says Iain Lobhan, the Director of GCHQ. He should know.
The upshot is clear – there is no such thing as a secure website. Secure websites are like unicorns. They don't exist.
1st cloud in Skyscape Cloud's sky
Readers will remember the immaculate conception of Skyscape Cloud Services Ltd, the company incorporated on 3 May 2011 which won four government contracts, some of them before the company had submitted its first set of accounts to Companies House.
The Government Digital Service (GDS), HMRC, the MOD and the Home Office all chose Skyscape in preference to long-established cloud services companies.
Now GDS have parked their harp on another cloud.
Government signs cloud hosting contract with Carrenza for GOV.UK, they tell us in ComputerWorldUK magazine:
The Government Digital Service (GDS), HMRC, the MOD and the Home Office all chose Skyscape in preference to long-established cloud services companies.
Now GDS have parked their harp on another cloud.
Government signs cloud hosting contract with Carrenza for GOV.UK, they tell us in ComputerWorldUK magazine:
And Carrenza have issued a press release:
The Government Digital Service (GDS) has signed a £100,000, one-year contract with Carrenza to help host the GOV.UK goverment services portal ... The infrastructure-as-a-service (IaaS) contract was awarded via the government's G-Cloud framework ... Carrenza replaces previous suppliers Skyscape and SCC, which provided hosting for GOV.UK over the last 12 months.
Will HMRC, the MOD and the Home Office follow suit?
Carrenza, the award winning UK based cloud services provider, today announced that it had signed a contract with the Government Digital Service (GDS) to be one of the primary suppliers hosting GOV.UK. The Infrastructure as a Service (IaaS) contract was awarded via the G-Cloud iii Framework, created to deliver fundamental changes in the way the public sector procures and operates ICT.
1st cloud in Skyscape Cloud's sky
Readers will remember the immaculate conception of Skyscape Cloud Services Ltd, the company incorporated on 3 May 2011 which won four government contracts, some of them before the company had submitted its first set of accounts to Companies House.
The Government Digital Service (GDS), HMRC, the MOD and the Home Office all chose Skyscape in preference to long-established cloud services companies.
Now GDS have parked their harp on another cloud.
The Government Digital Service (GDS), HMRC, the MOD and the Home Office all chose Skyscape in preference to long-established cloud services companies.
Now GDS have parked their harp on another cloud.
Sunday, 20 October 2013
GDS and the Electoral Commission
If so, you may have noticed that, depending on where you live, you can now register on-line via www.elecreg.co.uk. This website is operated by a company called Halarose Ltd, who have contracts with 80 UK local authorities to provide "democracy through technology", as they call it.
The briefest of investigations on the Companies House website suggests that Halarose has a paid-up share capital of 9¼ pence, which looks like the start of an interesting story, but that's not why we're here today.
☠ What follows in this paragraph and the next would be correct if NSLOOKUP was correct ... NSLOOKUP suggests that the IP address of www.elecreg.co.uk is 54.247.162.156 and if you look that up on RIPE you draw a blank. Which is odd, because RIPE is where you'd expect to be able to find the details of a European website.
... but NSLOOKUP isn't correct so, in the event, there's no UK-electoral-rolls-stored-in-the-US story here ... But the electoral rolls of these 80 UK local authorities aren't being stored in Europe. They're being stored in the US, on Amazon servers, according to ARIN, the Regional Internet Registry for North America. That looks like the start of another interesting story but, again, that's not why we're here today. ... please see update below ☠
"You do not have to vote", it says on the back of the form, "but by law you have to give us the information we ask for in this form". It is now a legal requirement to register. That's all to do with the Electoral Registration and Administration Act 2013. Interesting. But not why we're here today.
"Important information about how you register to vote", it says on an accompanying sheet of paper, which mentions individual electoral registration (IER), can be found if you trot along to http://www.electoralcommission.org.uk/voter-registration/individual-electoral-registration. Don't bother. You get "Page not found". Boring. And not why we're here today.
That's four topics we're not interested in just at the moment. And there's a fifth. The password – or "security code" as they call it – to log on to www.elecreg.co.uk is printed in plaintext for all to see at the top right corner of the voter registration form. Bad practice, securitywise. To put it mildly. But that's still not why we're here today ...
Working with GDS
... no, the object of interest today is GDS, the Government Digital Service, the "elite team of digital experts" as the Guardian called them, tucked away in the Cabinet Office, where they have "sparked a radical shake-up in the way the government does its business".
"Some of the UK's best designers and developers" are working at GDS according to the Guardian and they have a lot to teach Whitehall. They are busy producing 25 exemplars, and in GDS's own words:
Exemplar #1 is devoted to IER and, it's odd, but the development of this exemplar isn't open, you can't follow GDS's progress, there's no performance data, there are no screenshots, there's no status report and you have no idea how GDS are transforming the electoral registration service, which makes it hard to hold them to account and hard to know if they're making things better.
We are running this programme of continual iteration in the open. You can follow our progress at www.gov.uk/transformation, where we’re regularly publishing information about every exemplar. You’ll see performance data, screenshots and status reports of where each service is at, and we’re going to add more to it as each service progresses ...
It’s important that we continue to publish these updates in public, that we report on the services we’re transforming, and that we blog about our progress. Publishing this means more of our colleagues can see what’s happening and what part they play in the process. It’s also the best way to make sure that we’re accountable for the things we build. As our design principles say, if we make things open, we make things better.
But then, you're just the public.
The Electoral Commission are a different kettle of fish. They've had the pleasure of working with GDS on two pilot exercises to see if matching electoral roll data against the National Insurance Number database, and other databases, would make it easier to compile a complete and accurate roll.
Back to the Electoral Commission website.
In their July 2013 report on the second data-matching/data-mining pilot, they say (p.2 onwards):
Four professors, as we have already seen, found GDS's performance to be less than exemplary. Now GDS have lost the Electoral Commission's vote. And along the way, Francis Maude's faith in data-matching has been undermined. That voter registration form that landed on your doormat has a weighty story to tell.
• There were considerable delays to the original timetable for establishing this pilot. A significant cause of the delays was the lack of capacity and resources within Cabinet Office (and the Government Digital Service (GDS), which is part of Cabinet Office) due to their workload related to the transition to IER ...
• For the national data mining, Cabinet Office’s original intention was that pilot areas should adopt a fairly standardised approach to checking the data received and contacting the individuals identified, to ensure that results were comparable. In practice, however, the nature and extent of follow up work varied widely.
• Much of this variation was caused by practical difficulties, for example the need to spend more time than expected in ensuring the accuracy of the data received. However, some of the variation could have been avoided if there had been fewer delays and a greater level of support provided by Cabinet Office to pilot areas. In particular, a few areas told us they felt unsupported and were unclear about what to do ...
• It is not possible to produce an overall figure for the cost of this pilot. This is because we do not have final costs for all pilot areas or any costs for Cabinet Office (including GDS), who conducted much of the work.
• We are also therefore unable to estimate the cost per new elector registered or the likely cost of any national rollout. Any estimates of these would need to include the cost of coordinating and managing the pilot (the role taken by Cabinet Office in this pilot), as any future work with data mining would require some form of central coordination ...
• The reasons that so many existing electors and ineligible individuals were returned on the data include poor data specifications from Cabinet Office ...
• Inconsistent address formatting and incomplete addresses are likely to have contributed to the significant numbers of existing electors returned in the data (Cabinet Office could not provide the data which would have allowed for a definitive assessment) ...
• In order to answer this question [Is data mining a cost effective way of registering new electors?], we would need to assess the cost benefit of data mining by, for example, calculating the cost per new elector registered. However, we are unable to do this as Cabinet Office could not provide details of their expenditure on the pilot. As they managed the process and conducted much of the matching and data processing, their costs could be significant and are crucial in reaching any realistic assessment of cost effectiveness ...
– The addresses appeared to be more complete than those held in other national databases but a poor data specification from Cabinet Office meant that the format was inconsistent ...
The findings from this pilot do not justify the national roll out of data mining ...
In addition, there were numerous issues in this pilot with the communication and support provided by Cabinet Office ...
• Cabinet Office need to ensure that they maintain good communication between themselves, the data holding organisations and EROs [electoral registration officers] throughout the process, including after data from the national databases has been returned to EROs ...
----------
☠ Update 21 October 2013
Halarose contacted DMossEsq today and asserted that, contrary to the suggestion in the post above, their UK electoral registration service is hosted in the EU, as it is legally required to be, and not in the US.
Normal people will fall asleep reading the following paragraphs but as long as they wake up understanding that DMossEsq accepts Halarose's assertion and that this update is intended to make amends for his mistake, then all will be well.
How did the mistake arise?
Let's take it that RIPE and ARIN are correct and that 54.247.162.156 is the IP address of a website on some Amazon server in the US. Why did DMossEsq think that it was the IP address of http://www.elecreg.co.uk?
Ask most responsible adults how you find out what the IP address of a website is and they'll head for the door.
Quite right, too.
Of the remainder, some will say "PING it" and others "use NSLOOKUP". If you enter "PING www.elecreg.co.uk" or "NSLOOKUP www.elecreg.co.uk" at the command prompt, you'll be told that the IP address is 54.247.162.156. Try it. You'll see. DMossEsq didn't make the whole thing up.
The trouble is that PING and NSLOOKUP are wrong.
If you browse www.elecreg.co.uk and you use Chrome to "View page info", then click on the "Connection" tab, then click on "Certificate information", then click on the "Details" tab and then click on the "Subject Alternative Name" field, you'll find that there are eight names for the certified website – electorregistration.co.uk, www.electorregistration.co.uk, www.elecreg.co.uk, www.herainteractive.co.uk, www.halarosews.co.uk, elecreg.co.uk, herainteractive.co.uk and halarosews.co.uk.
PING all eight names, and eight times you're told that the IP address is 54.247.162.156. Ditto if you use NSLOOKUP. Now you've got 16 pieces of evidence pointing one way and one communication from Halarose pointing the other.
So you look for an alternative to PING and NSLOOKUP. And you find NetworkSolutions. And what do they say?
They say that:
- the IP address of both elecreg.co.uk and www.elecreg.co.uk is 213.166.13.58
- the IP address of both electorregistration.co.uk and www.electorregistration.co.uk is 213.166.13.40
- the IP address of herainteractive.co.uk, www.herainteractive.co.uk, halarosews.co.uk and www.halarosews.co.uk, all four of them, is our old friend 54.247.162.156, in the US
Given that NetworkSolutions can, why can't PING and NSLOOKUP get their IP addresses right? No idea. Infuriating.
Updated 23.11.13:
GDS continue to provide IER with all the help they can, see Reaching all our users:
Our project is aimed at around 47 million people who are eligible to vote in UK elections ... I put up two large, colourful banners to attract attention.
GDS and the Electoral Commission
If so, you may have noticed that, depending on where you live, you can now register on-line via www.elecreg.co.uk. This website is operated by a company called Halarose Ltd, who have contracts with 80 UK local authorities to provide "democracy through technology", as they call it.
The briefest of investigations on the Companies House website suggests that Halarose has a paid-up share capital of 9¼ pence, which looks like the start of an interesting story, but that's not why we're here today.
☠ What follows in this paragraph and the next would be correct if NSLOOKUP was correct ... NSLOOKUP suggests that the IP address of www.elecreg.co.uk is 54.247.162.156 and if you look that up on RIPE you draw a blank. Which is odd, because RIPE is where you'd expect to be able to find the details of a European website.
... but NSLOOKUP isn't correct so, in the event, there's no UK-electoral-rolls-stored-in-the-US story here ... But the electoral rolls of these 80 UK local authorities aren't being stored in Europe. They're being stored in the US, on Amazon servers, according to ARIN, the Regional Internet Registry for North America. That looks like the start of another interesting story but, again, that's not why we're here today. ... please see update below ☠