DMossEsq

Wednesday 5 February 2014

RIP IDA – JFDI security

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

It's that speech again, the speech that won't stop speaking to us, the speech given by Public Servant of the Year ex-Guardian man Mike Bracken CBE to the CfA Summit 2013 on 16 October 2013. Just a 39-second clip this time, starting at 19'35", and the topic is security:

The state needs security, companies and other legal persons need security and so do natural persons, families, individuals, you and me. We're talking about secrecy here, confidentiality, privacy, resilience and control. You need to have control over your bank accounts, for example, it's against your wants, needs and interests for anyone else to have control over them, unless you've gone gaga, in which case let's hope that you've granted an enduring/lasting power of attorney to a relative or a friend with your best interests at heart.

Security is important. If you lack the imagination to understand that in advance, you pretty soon find out the hard way after the event, after security has been breached, as Janet Hughes and Leisa Reichelt were reminding us only the other day, please see Security and convenience: Meeting user needs:

When they’re asked how they feel about security online, people tell us they prioritise security as a need. When we meet people in the lab who’ve had their digital security compromised, they talk about it as a devastating experience.

Security is important. And yet what's that Public Servant of the Year ex-Guardian man Mike Bracken CBE was telling the CfA Summit? You can overdo security. Usability/convenience is much more important. Security ought to be relaxed. Especially for people with a one-month old daughter.

The logic is less than impeccable.

Which is worrying when you remember that Public Servant of the Year ex-Guardian man Mike Bracken CBE is the senior official, the top civil servant on IDA, he is the senior responsible owner of the pan-Government identity assurance programme (RIP).

Janet Hughes and Leisa Reichelt also say that:

People expect registering for government services to be the same as signing up for a social media or shopping account.

Only silly people. Only people who need protecting from themselves. Responsible public servants must realise that and should say it. Remember that word "devastating".

No responsible adult would make the mistake of believing that the experience of signing into your Twitter account is comparable to authorising a payment from your current account on-line. If IDA is heading in that JFDI direction, then the Government Digital Service are being irresponsible.

RIP IDA – JFDI security

more ►

Monday 3 February 2014

JFDI, Agile People

The Government Digital Service (GDS) has everything. Bunting and mascots. Cake and stickers (27'00"-27'20").

Everything except a corporate song.

Until now, when – thanks to the inspiration of Francis Maude's speech at Sprint 14 – that lacuna can at last be filled.

The lyrics below are now ready for beta release. An instance of song as a service (SaaS), it is based on a disco classic of 1978 which sold over 10 million copies when the world still had singles and, who knows, after a few more iterations, perhaps if GDS can sing it with enough gusto and enough pure mindless disco-style enjoyment, maybe they can add the equivalent iAccolade to their already groaning shelvesful of awards:

YMCA (© Victor Willis)

Village People

JFDI

Agile People

Young man, there's no need to feel down.
I said, young man, pick yourself off the ground.
I said, young man, 'cause you're in a new town
There's no need to be unhappy.

Young man, there's a place you can go.
I said, young man, when you're short on your dough.
You can stay there, and I'm sure you will find
Many ways to have a good time.

It's fun to stay at the y-m-c-a.
It's fun to stay at the y-m-c-a.

They have everything for you men to enjoy,
You can hang out with all the boys ...

It's fun to stay at the y-m-c-a.
It's fun to stay at the y-m-c-a.

You can get yourself cleaned, you can have a good meal,
You can do whatever you feel ...

Young man, are you listening to me?
I said, young man, what do you want to be?
I said, young man, you can make real your dreams.
But you got to know this one thing!

No man does it all by himself.
I said, young man, put your pride on the shelf,
And just go there, to the y.m.c.a.
I'm sure they can help you today.

It's fun to stay at the y-m-c-a.
It's fun to stay at the y-m-c-a.

They have everything for you men to enjoy,
You can hang out with all the boys ...

It's fun to stay at the y-m-c-a.
It's fun to stay at the y-m-c-a.

You can get yourself cleaned, you can have a good meal,
You can do whatever you feel ...

Young man, I was once in your shoes.
I said, I was down and out with the blues.
I felt no man cared if I were alive.
I felt the whole world was so tight ...

That's when someone came up to me,
And said, young man, take a walk up the street.
There's a place there called the y.m.c.a.
They can start you back on your way.

It's fun to stay at the y-m-c-a.
It's fun to stay at the y-m-c-a.

They have everything for you men to enjoy,
You can hang out with all the boys ...

Y-m-c-a ... you'll find it at the y-m-c-a.

Young man, young man, there's no need to feel down.
Young man, young man, get yourself off the ground.

Y-m-c-a ... you'll find it at the y-m-c-a.

Young man, young man, there's no need to feel down.
Young man, young man, get yourself off the ground.

Y-m-c-a ... just go to the y-m-c-a.

Young man, young man, are you listening to me?
Young man, young man, what do you wanna be?

Stand up, there's no need to sit down.
We say, stand up, get ourselves to the wall.
We say, stand up, 'cause we're in a new world
There's no need to have a meeting.

Users, they all have their own needs.
We say, users, time for discovery.
We can alpha, even beta test too
And then go live within budget.

It's fun to iterate j-f-d-i.
It's fun to iterate j-f-d-i.

We have everything, twenty-five exemplars,
We can cut code, we’re the world’s best ...

It's fun to iterate j-f-d-i.
It's fun to iterate j-f-d-i.

We can transform the world, make it transition now,
Without fail deliver the goods ...

Pivot, revolution is here
We say, pivot, paradigm shift has come
We say, pivot, Whitehall stand on your head.
All because of Martha Lane Fox

All code has to be open source
We use github, post-it notes and short sprints
And then dashboards, from our wow factory
There’s just nothing that can stop us

It's fun to iterate j-f-d-i.
It's fun to iterate j-f-d-i.

We have everything, twenty-five exemplars,
We can cut code, we’re the world’s best ...

It's fun to iterate j-f-d-i.
It's fun to iterate j-f-d-i.

We can transform the world, make it transition now,
Without fail deliver the goods ...

G-Cloud, data under control.
IDAP surely, no-one doubts that it works.
We can route round any problems we find
Security convenience ...

We have bunting, and cake on Fridays,
We have mascots, stickers we had designed,
We use Apple so we always have fun

We’re all digital by default.

It's fun to iterate j-f-d-i.
It's fun to iterate j-f-d-i.

We have everything, twenty-five exemplars,
We can cut code, we’re the world’s best ...

J-F-D-I ... just iterate it j-f-d-i.

Shout out, shout out, there's no need to write apps.
Stand up, stand up, with your mobile device.

J-f-d-i ... just iterate it j-f-d-i.

Shout out, shout out, there's no need to write apps.
Stand up, stand up, with your mobile device.

J-f-d-i ... just iterate j-f-d-i.

Recast, recast, for the coming new world
Whitehall, Whitehall, what do you wanna be?

JFDI, Agile People

more ►

Sunday 2 February 2014

Francis Maude: "We’re the JFDI school of government"

Last week saw a major congregation of central government computer persons at the London Film Museum.

Computing isn't that exciting. There's not a lot of news. You'd expect this event – Sprint 14 – to have been covered by all the computer media.

It wasn't.

You can read Government showcases digital exemplars at Sprint 14 or Government showcases digital services at Sprint 14 or Government unveils online voter registration system or Government websites on rise again despite cull, and that's about it.

Odd.

You wouldn't expect the generalist media to cover the event, of course, but that's odd, too – because Sprint 14 was more political than you might expect.

Rt Hon Francis Maude MP, Cabinet Office minister, was there and gave a speech.

Sir Jeremy Heywood, the Cabinet Secretary, was there. He didn't speak but Treasury minister David Gauke did, as did Greg Clark, minister for Cities and the Constitution, Mike Parsons, chief operating officer at the Home Office, Oliver Morley, chief executive of the Driver and Vehicle Licensing Agency and Jeremy Wright, minister for prisons and rehabilitation.

And Martha-now-Lady Lane Fox was there, which usually guarantees several column inches, but no – nothing in the Times, the Telegraph or the Guardian.

Mr Maude assured the audience that "SMEs are engines of growth in our economy" and promised that government would spend more and more money with small and medium-sized enterprises, rather than giving it to the oligopoly of big IT suppliers. The oligopoly, that is, who keep wasting billions of pounds of public money – your money and mine – on failed IT projects. "This is a massive vote of confidence in the role [the SMEs] are playing to help Britain compete and win in the global race", he said.

That was after he'd already said that "digital is one of the major contributions to reducing the deficit and encouraging growth in the British economy ... As the Chancellor highlighted recently, every part of the public sector will continue to need to face up to the challenge of reduced budgets for some time to come ... And we know much more money can be saved – staggering savings potentially – while actually improving quality online".

Which, in turn, came after this hostage to fortune: "We’re changing things by doing them, not by talking about them. We’re the JFDI school of government".

It was 29 October 2013 when Public Servant of the Year ex-Guardian man Mike Bracken CBE published GDS goes to Cabinet. He is the executive director of the Government Digital Service (GDS), part of the Cabinet Office, championed by Mr Maude, and he was allowed to make a presentation to the full Cabinet.

That doesn't normally happen and DMossEsq raised the question at the time whether the government are considering making the alleged successes of GDS a plank of their election strategy. Now, with Sprint 14, the question arises again.

Let's hope for their sake that they don't try it. By the time of the next general election, May 2015, there will be five years of National Audit Office reports providing ammunition for the opposition to shoot down the claim that this government succeeds with IT where others fail.

We have recently had the example of the Ministry of Defence recruitment system and Capita's failure to get it right. There will be the on-going tragedy of the Department for Work and Pensions Universal Credit system. And by May 2015, who knows what else.

The government are unlikely to be able to make themselves heard, against the gales of laughter and scorn, if they try to make the point that those failures are failures of the oligopoly whereas the government successes are successes of GDS. But if they do manage to present their case, the laughter and the scorn will just start all over again – what are the successes of GDS?

So far, none.

Lots of big promises. Nothing big delivered.

Mr Maude and the government are making a politically fatal mistake if they believe GDS's over-enthusiastic salesmanship.

GDS are in no position to take on the oligopoly. They have no experience of analysing, designing, implementing, deploying and supporting large-scale government IT systems. The cocky profanity* of "we’re the JFDI school of government" is ridiculous.

If the government picks a serious fight with the oligopoly without having an alternative to replace them, the machinery of Whitehall will stop.

That's a tremendous platform if you're standing for election in the anarchists interest. But Mr Maude, presumably, isn't.

You can just about see how the computer press might fail to report that point. But RTFM** – the generalist media should have spotted it.

----------

* JFDI = just fucking do it
** read the fucking manual

Francis Maude: "We’re the JFDI school of government"

Last week saw a major congregation of central government computer persons at the London Film Museum.

Computing isn't that exciting. There's not a lot of news. You'd expect this event – Sprint 14 – to have been covered by all the computer media.

It wasn't.

Odd.

more ►

Friday 24 January 2014

RIP IDA – Strange Life of Ida

ON THE SCREEN a scene at Kursk station in Moscow. A bright April day of 1902. A group of friends, who came to see Zinaida Krutitsky and her mother off to the Crimea, stand on the platform by the sleeping-car. Among them Ivan Osokin, a young man about twenty-six ...

Chapter 26, The Turn of the Wheel, opens with:.

ON THE SCREEN a scene at Kursk Station in Moscow. A bright April day of 1902. A group of friends who came to see Zinaida Krutitsky and her mother off to the Crimea stand by the sleeping car. Among them is Osokin ...

You get the idea. There's no need to read the intervening chapters. The wheel keeps turning. It's one of hundreds of drearily portentous novels ideal for a certain sort of moody and ignorant teenager. The last words are, predictably:

Osokin looks round, and suddenly an extraordinarily vivid sensation sweeps over him that, if he were not there, everything would be exactly the same.

Profoundly ignorant of course, but not moody enough, DMossEsq had forgotten all about the ghastly Ivan until yesterday, and the publication on the Government Digital Service blog of What is identity assurance? by Janet Hughes.

Here we go again:

Identity assurance is a new service that will give people a secure and convenient way to sign in to government services.

Secure?

Convenient?

The wheel will turn. We know that. Please see Identity assurance. Only the future is certain – doom 1. RIP IDA.

----------

Updated 16:00

PD Ouspensky writes:

Trans:

On her Twitter account Janet Hughes is shown eating a takeaway at what looks like a station.

But which station?

Surely ... no ... it can’t be ... Kursk?

----------

Updated 25.1.14:
"Identity assurance is a new service that will give people a secure and convenient way to sign in to government services", say GDS. Anyone clicking on the link provided by DMossEsq on the word "secure" is taken to his post Hyperinflation hits the unicorn market, which casts doubt on GDS's or anyone else's ability to offer security on the web. It's an attractive object, security, but like unicorns it doesn't exist.

People are well-advised to regard promises of on-line security with scepticism – "We live on a diet of data hacking stories fed to us by the media. Have done for years", says the unicorn post. And anyone clicking on that link is meant to be taken to DMossEsq's list of hacking stories. That list is maintained on http://DematerialisedID.com, an old website of his which, on Thursday, was obliterated by some eHooligan.

It's annoying but in a small way it does sort of make the point, doesn't it? Security?

DMossEsq and his ISP are currently working to resume normal service. In the meantime the list of hacking stories has been moved to here.

Take a look at some of the hacking stories there. Or here. Or take a look at the Home Office's latest attempt to warn people about on-line security. Then ask yourself, how confident are you that GDS can offer security for your personal data stored in their identity assurance system. You be the judge. No-one else will.

Updated 28.1.14:
What is identity assurance? offered "a new service that will give people a secure and convenient way to sign in to government services". Can GDS deliver on that offer?

The question is taken up in a new post today, Security and convenience: Meeting user needs. Security is a user need and "if we don’t fulfil this need, digital services won’t be trustworthy or trusted, so people won’t want to use them". Yes. Obviously.

GDS are due to start testing IDA in the next few weeks with a view to having some services live by the end of the summer with hundreds of thousands of members of the public using them, if not millions. There's not long to go. What are GDS doing about this user need?

Their answer is "we’re trying to stimulate a competitive market for identity assurance as the quickest and most effective way to close the gap between solutions that are convenient and those that provide security ... We expect to see new methods emerge that are more convenient for end users but satisfy the required standards".

IDA goes back to a meeting held on 20 September 2010 if not earlier. Three-and-a-bit years later and they're still "expecting" to see a number of solutions "emerge"? That's the GDS approach to public services?

Good luck with that.

RIP IDA – Strange Life of Ida

ON THE SCREEN a scene at Kursk station in Moscow. A bright April day of 1902. A group of friends, who came to see Zinaida Krutitsky and her mother off to the Crimea, stand on the platform by the sleeping-car. Among them Ivan Osokin, a young man about twenty-six ...

Chapter 26, The Turn of the Wheel, opens with:.

ON THE SCREEN a scene at Kursk Station in Moscow. A bright April day of 1902. A group of friends who came to see Zinaida Krutitsky and her mother off to the Crimea stand by the sleeping car. Among them is Osokin ...

Osokin looks round, and suddenly an extraordinarily vivid sensation sweeps over him that, if he were not there, everything would be exactly the same.

more ►

Wednesday 22 January 2014

GreenInk 10: Private Eye Crook of the Year 2014 awards

(Hat tip: No2ID)

Sadly, there seems to have been no space in the latest edition of Private Eye for the following letter:

From: David Moss
Sent: 10 January 2014 14:05
To: Letters to the editor
Subject: The Gnome Business Awards for 2013, p.32, Eye #1357

Sir

Gnome awards Crook of the Year 2013 to James McCormick. He bought novelty golf ball-finders and sold them as explosives detectors to governments whose gullibility or corruption must also be award-winning.

When it comes to the 2014 awards, perhaps Gnome's panel would like to consider the McCormicks selling mass consumer biometrics technology which is meant to identify us uniquely and verify our identity.

Three world-class experts reviewed the literature and determined that biometrics is "out of statistical control". I.e. it's not a science [1]. By way of a practical example, they cite the charade at the US National Institute of Standards and Technology (NIST).

Under the terms of the USA PATRIOT Act 2001 section 403(c)(1), NIST have to certify all biometrics systems before they are deployed to federal law-enforcement agencies. What the scientists at NIST say in their certificates is: "This evaluation does not certify that any of the systems tested meet the requirements of any specific government application". By issuing certificates, NIST abide by the Act even if the certificates say that they haven't got a clue whether the biometrics systems work.

It's not just the USA. The panel will be spoilt for choice [2]. Governments all over the world are handing over public money to McCormicks talking biometricsballs.

Yours

David Moss

1. http://biometrics.nist.gov/cs_links/ibpc2010/pdfs/FundamentalIssues_Final.pdf
2. http://www.planetbiometrics.com/

If only they had seen ENISA's latest report.

ENISA is the European Union Agency for Network and Information Security and in eID Authentication methods in e-Finance and e-Payment services they say:

6.1 Biometrics adoption related risks
The results of the survey show that very few professionals incorporate biometrics as an eIDA method solution for e-banking. The rationale behind this phenomenon is that institutions must be able to comply with the GDPR. There exist legal issues when dealing with personal information (different legislation for every country). In Europe, a specific authorization from customers is required, which is a difficult task, since the majority of people do not feel comfortable with granting permission on the storage of their biometric information (i.e. personal body patterns). This, in general, is only manageable if a strong juridical base exists and the use is adequate, relevant and not abusive in correspondence with the goals and reasons for biometric data to be collected, used or saved, resulting in an important challenge to be addressed.

Moreover, there exist high associated risks, mainly due to the potential attacks to a centralised data base storage of biometrics parameters. The risk of compromise of the biometric information DB (even if it’s encrypted, hashed, etc.) is real and non-acceptable for CISOs and directors of the e-banking sector. The sensitive nature of biometric information: data is compromised forever (i.e. it’s not possible to change the hand print, Iris, fingerprints, etc.), resulting in both high risk, and great responsibility to be accepted, especially if other eIDA methods are suitable.

Another important factor is the usability, since current technologies do not provide 100% of accuracy at the first try. There are still open issues related to the False Rejection Rate (FRR) and the False Acceptance Rate (FAR), which remain open even in scientific experiments or proof of concepts.

In summary, because of the associated risks, the financial sector is still not prepared to use biometry neither as a unique authentication factor nor a second authentication factor.

Biometry is used in emerging countries, where there are no other means of unique identification of the persons, due to lack of governmentally supported credentials, and also in countries where Personal Data protection is not a priority, like it is in EU.

Specialists are working in finding a solution to the high risk associated to using the biometry, and one solution that is being analysed and starting to be implemented is the local storage of biometric identification profiles. This has three advantages: 1) the responsibility of the storage is transferred to the end user, 2) the chances of a successful threat to steal large amount of biometric information is low, because the threat should be successful on many devices and stores, 3) the biometric identification vector doesn’t have to travel over the network.

If the banks don't think that today's mass consumer biometrics are up to the job, why do governments waste our money on this magical non-technology?

GreenInk 10: Private Eye Crook of the Year 2014 awards

(Hat tip: No2ID)

Sadly, there seems to have been no space in the latest edition of Private Eye for the following letter:

From: David Moss
Sent: 10 January 2014 14:05
To: Letters to the editor
Subject: The Gnome Business Awards for 2013, p.32, Eye #1357

Sir

Gnome awards Crook of the Year 2013 to James McCormick. He bought novelty golf ball-finders and sold them as explosives detectors to governments whose gullibility or corruption must also be award-winning.

When it comes to the 2014 awards, perhaps Gnome's panel would like to consider the McCormicks selling mass consumer biometrics technology which is meant to identify us uniquely and verify our identity.

Three world-class experts reviewed the literature and determined that biometrics is "out of statistical control". I.e. it's not a science [1]. By way of a practical example, they cite the charade at the US National Institute of Standards and Technology (NIST).

Under the terms of the USA PATRIOT Act 2001 section 403(c)(1), NIST have to certify all biometrics systems before they are deployed to federal law-enforcement agencies. What the scientists at NIST say in their certificates is: "This evaluation does not certify that any of the systems tested meet the requirements of any specific government application". By issuing certificates, NIST abide by the Act even if the certificates say that they haven't got a clue whether the biometrics systems work.

It's not just the USA. The panel will be spoilt for choice [2]. Governments all over the world are handing over public money to McCormicks talking biometricsballs.

Yours

David Moss

1. http://biometrics.nist.gov/cs_links/ibpc2010/pdfs/FundamentalIssues_Final.pdf
2. http://www.planetbiometrics.com/

If only they had seen ENISA's latest report.

more ►