Richard Pope was there at the beginning of GOV.UK and helped steer it to the magnificent beast it is today. He reflects, clear eyed, on the various successes and failures of the geeky attempt to turn the state into something approaching modernity.

He's forthright on his views about the lack of vision in most projects:

The aim of most digitization programmes is the status quo, delivered more cheaply. This is not surprising. Government business cases are woven from such hopes. The resulting documents are catnip to treasury officials. But efficiency is a trap.

All of the advice and lessons are sensible and pragmatic. It is an efficiently written book which avoids the temptation of too much name-dropping or mythologising mundane events. There is, perhaps, a tinge of bitterness that some projects got dropped or some ideas never quite made it. While the personal is political, he doesn't get into the Politics of the time - but does acknowledge that every decision has a political dimension.

Where credentials will ‘live’ is both a technical question and a political question. Apple’s and Google’s digital wallets, and those of Samsung and others, are turning the storage of credentials into a zone of contest between the public and private sectors.

Similarly, he is much more interested in what is proven to work and what helps users rather than getting caught up in the various ideologies which spring up around digital government:

Privacy debates tend to attract absolutists on both sides, with sometimes-arbitrary arguments that everything must be put under user control in the name of privacy, or the counterargument: that it doesn’t matter what information is reused because people assume the government knows it anyway. Both are unhelpful.

Underpinning all of the advice is the realisation that it needs organisational will and political cover to instigate transformation. These things don't happen in isolation and techies need to confront the reality of the way the world is organised.

It is (delightfully) weird seeing friends quoted in this book - and from GovCamp no less! - and gratifying to see one of my posts cited. There's a section about the NHSX Covid tracing app (which I was intimately involved in) - I think it is a fair assessment of what happened and whether those choices were in the best interests of the country. But, again, it is weird seeing your personal history in a book!

Ultimately, it is the sort of book which should be mandatory reading for all Civil Servants and Politicians of every colour. We have to reconfigure the interface between the citizen and the state in order for them to have a more copacetic relationship. We have to redesign the state so that it is able to meet the challenges of today. We have to ensure that it is able to rapidly adapt to the challenges of tomorrow.

I was trying to explain why link shortners like bit.ly and ow.ly weren't sensible for Government use. They didn't seem to particularly care about the privacy implications or the risk of phishing. I needed to take a different tack.

"So, you know how .uk is the UK and .de is Germany, right?"
"Yes."
"What country do you think .ly is for?"

There was some consulting of ISO 3166-1 alpha-2 whereupon the blood drained from their face and they stepped outside to make a phone call.

A little while later, the National Cyber Security Centre published an explainer about why they weren't using bit.ly any more.

Throughout my time in the Civil Service I advocated for the use of .gov.uk URls everywhere. They're a trusted destination for users, they're under Government control so are less likely to be hijacked, and they don't require users to give their data to third parties.

I helped the Government Communication Service write "Link shorteners: the long and short of why you shouldn’t use them."

Today, in the post, I received six QR codes for Government services. Let's take a look at them.

The Good

Policing Surrey have a QR code which points to surrey-pcc.gov.uk/...

Excellent! 10/10! No notes.

Woking Council send out this code which use qr.woking.gov.uk

Brilliant! The use of the qr. subdomain means they can easily track how many people follow the link from the code.

The Bad

Childcare Choices is a leaflet which is, I assume, shoved through everyone's letterbox. All the URls in the leaflet say gov.uk² - but what happens when you scan?

Our old friend enemy Bitly. A user scanning this has no idea where that code will take them. They cannot access the content without giving their data away to Bitly.

Surrey also sent me a leaflet with two different QR codes.

There are many reasons not to use .io. Of particular interest is the scnv.io privacy policy which, if you click that link, you will see is missing from their website! What does this company do with the data of people who scan that code? No one knows!

The Ugly

Surrey police started so well, but the back of their leaflet is a major disappointment.

Aside from using an unintelligible Bitly link, the QR code is inverted. The QR standard is very clear that the codes should be black-on-white. Some scanners will have difficulty scanning these white-on-dark codes. They may look æsthetically pleasing, but it's a pretty rubbish experience if you can't scan them.

Now What?

I've been writing about QR codes for 17 years! I'm thrilled that they've finally caught on. But, like any piece of technology, they need to be used sensibly. The rules are pretty straightforward - mostly boiling down to testing your codes and keeping them simple.

Is there a risk risk of QR hijacking? Possibly. The best defence is to train users to look for a trusted URl.

In this case, using link shorteners is training users to be phished. If they are used to official Government QR codes going to weird locations, they won't notice when a scammer tries to send them to a dodgy site.

Please practice safe QR generation!

In response, I was given an eye-roll and told "because that's how most people get their information, grandpa!"⁰

Last week, I saw this job advert and I got an involuntary shudder.

But I am wrong. Time moves on. Some of us find that difficult to cope with. The world is different and that difference is to be embraced.

Let's take a look at what people were saying about mobile apps in government a decade ago:

government’s position is that native and hybrid apps are rarely justified - make sure your service meets the Digital by Default Service Standard and it will work well on mobile devices (responsive HTML5)

"We're not ‘appy. Not ‘appy at all." (2013)

It wasn't a ban on apps, it was merely saying "if you can't build a decent website, then you're probably not competent enough to build a decent app."¹

I came to GDS directly from a decade working in the mobile industry. I'd gone from dumbphones, to BlackBerrys, to the explosion of smartphones. Back in 2013, it wasn't immediately obvious who would win the smartphone wars². The iPhone app store was only 5 years old. Windows Phone 7 was being heavily pushed by Microsoft. BlackBerry 10 was launching to great fanfare. Symbian was probably dead, but LiMo and Maemo might have had a comeback. Android was a huge fragmented mess. HP was determined to relaunch its fortunes with WebOS while Mozilla were going after the lower-end handsets with Firefox OS.

Government services have to be accessible to everyone. Would departments really have produced apps for half-a-dozen different operating systems? Would they have had the skill and budget to keep them all updated?

Government services shouldn't disturb the market. If the UK had said "Right! You can only submit a tax return using a BlackBerry!" would that have unfairly caused a spike in their market share?

Even still, smartphone penetration was only at about 60% in the UK. Did it make sense to spend huge amounts of money for something which wasn't universally accessible?

Back then, a de-facto ban on apps was a sensible precaution.

But today?

I was involved in the UK's COVID-19 App. By that time, there were really only two smartphone OSes in the game; Android and iOS³. The APIs had stabilised such that developing a single app per platform was feasible⁴.

There are also things which the Web just can't do. Apps are needed to read the NFC chips in passports, to use BLE for contact tracing, and to enforce biometric security on accounts.

That contact tracing app, for better or worse, helped show that it was possible for Government to develop national-level apps and that people would install and use them.

Does the world need a "GOV.UK App"? I don't think so. But I'm old and wrong⁵. Research shows that people trust apps more than the web. Lower-income households are more likely to have a shared smartphone than a PC - and an app with multiple accounts is more secure. The web still isn't great at caching data for offline use - so being able to look stuff up when you're out of signal is a must. Apps usually use less data than websites - which is great for people with limited data allowances, or on slow speeds.

Some techies think that we are Keepers of The Sacred Flame. If we rant hard enough, progress will stop and we'll be comfortable that our knowledge isn't obsolete. I think I'm rather happy to be freed of that notion.

Tempus fugit, tu senex fossilium. Esne laetus?

It's hard to sum up those 2,462 days. Every day brought new challenges. I saw my work presented to the highest offices in the land, discussed on the nightly news, cancelled due to General Elections, and implemented across the nation. I represented my country across the world, helped protect it from attacks both digital and biological, and tried to speak a little truth to power.

Along the way I met some fascinating and fantastic people. I was challenged technically, intellectually, and emotionally. I leave a little less naïve, but just as enthusiastic about the power of open technology to transform the state.

It would be impossible to list everything that made me proud to be a Civil Servant. And I carry with me the memories of hundreds of brilliant people that I met. Whether the informal explosion of creativity which is GovCamp, to the rather more genteel meetings in the House of Commons, everyone I met was generous with their time and passionate about their work.

Here is an (incomplete) list of my highlights in no particular order.

Obviously, the absolute top of the list was meeting Chief Mouser to the Cabinet Office, Larry. I know it's a bit "I've danced with a man, who's danced with a girl, who's danced with the Prince of Wales" - but I've scritched a cat who has been scritched by monarchs, emperors, and presidents. That's pretty nifty!

And, yes, I got the obligatory photo of me outside №10. I learned that it's not a brilliant idea to wear a black shirt while standing in front of a black door. So I tarted up my wardrobe for a subsequent visit.

It's sometimes a little heady to think of the audiences I've addressed. I spoke around the world on technology matters in Government. But it was absolutely surreal to address the various security services. Obviously, there's no photo pointing the other way!

I had the immense privilege to represent my country at a number of international events. In the final days of the UK's membership of the EU, I was one of the delegates to an EU committee looking at closer co-operation through technical standards.

I was also the Government's representative to the W3C - which allowed me to become an editor on the HTML5 standard.

While I didn't get to the UN, I was a delegate to ICANN. Which meant I got to enjoy the experience of simultaneous translation.

I've blogged extensively about my time at NHSX - and may blog more once the inquiry has finished. It was... intense. Being asked to help launch a new team, briefing the Secretary of State on tech matters, launching an app which made headlines around the world, and only once getting into trouble with the press!

Some of the highlights are less tangible. If you search the Digital Marketplace you'll see that nearly every project mentions open source, open standards, and open APIs. If you read various announcements by ministers, departments, and directors you'll see them banging on about the need for interoperability. That is, in part, due to my influence.

One of my main reasons for getting into the Civil Service was because, a decade ago, I was appalled at the lack of security on .gov.uk websites.

Alex

@blangry

"Dear The Government, I have found over 500 vulnerable websites. Please fix them?" - @edent pic.x.com/n35wsjbyob

---

I spent the last 18 months helping fix that. The vast majority of .gov.uk sites use HTTPS by default, there are effective policies which stop the worst attacks, and there's continual monitoring in place to detect when things go wrong. The brilliant team at Securing Government Services toil tirelessly to keep everyone in the UK safe. It was a joy and an honour to work with them.

Of course, there are some things which didn't go as planned.

Regrets?

Perhaps I should have agitated harder for there to be an Open Source Program Office. When the Head of Open Source left GDS, there was no one to replace her. I tried getting Government funding for the various OSS projects we use - but there are so many complications around funding non-tangible projects. And, anecdotally, some OSS projects didn't want to receive money from Government. If it had been my full time job, I might have made a dent in it. Alas, it fell by the wayside.

I know it sounds stupid, but I found no adequate way to stem the tide of PDFs being uploaded to GOV.UK. I'd present to people, they'd agree it was a problem, and then nothing would happen. I discussed whether we could just ban departments from uploading them (no), put big warnings on the site discouraging use (maybe), or tell directors that their departments were breaking the rules (yes) - but it didn't make much of a difference. Everyone agrees that PDFs are inaccessible and don't work properly on mobile. But publishers love a fixed layout. So they stay.

It was a similar story with Open Document Format. Over the years, the number of Word Doc and XLSX files diminished. But ODT and ODS uploads never really took off. Partly it was a lack of tooling and partly a lack of native viewers on operating systems. Plain CSV had a resurgence though, which was nice.

I think both of my failures were due to my ideology not accounting for either inertia or fear of change. Sure, I was hampered by Microsoft's defaults and Apple's lack of filetype support - but the major problem was that I never found an adequate way to reassure people that change was necessary and safe.

And the less said about the PAF the better. I tried, I really did!

As I look back, I think the good outweighs the bad. Could I have stormed the Prime Minister's office and screamed at them until they installed Linux on every desktop in Government? No. And even if I had, it wouldn't have made a difference. Civil Servants advise and Ministers decide. That's the maxim. I pushed the agenda of open technology because that's what I was hired to do.

It would have been impossible for me to have internally lobbied for letting people handle salmon suspiciously - or whatever. I got involved in a wide range of discussions where I thought my expertise could help (none salmon related) and did my best.

Why leave?

7 years is a long time. I went from GDS to NHSX to the Data Standards Authority to CDDO. Each was a new adventure. But each was capped with two unfortunate problems.

The first is that there is no promotion available for people who don't want to line manage teams. I was a subject matter expert at Grade 7. If I wanted to move up to G6, I'd have spent a substantial portion of my time working on clerical, pastoral, and managerial duties. I don't enjoy that - and I'm not very good at it. People deserve a line manager who is interested in management. That's not me. Expertise is valued in the CS - but generalists are needed at the higher levels. I get that - but it puts a career limitation on anyone who does want to specialise.

The second is related; pay. I know it isn't the done thing in polite society to complain publicly about money - but that's a taboo which needs breaking. When I started at the Civil Service I knew that the pay wasn't high but the benefits were great. But every year I received a below-inflation pay rise. I asked various managers if exceeding all my targets would get me a pay rise - but the answer was no. Not their fault - the system is inflexible. With the cost of living rising, I just couldn't justify working somewhere which couldn't pay me fairly - no matter how much I enjoyed the team or the mission.

I want to do interesting work. And I need to be paid fairly for it.

And next?

Well, my friends, stay tuned. The next season of The Terence Eden Adventures is going to be... interesting!

Sadly, the scan available is too low a resolution for most modern purposes. Wikipedia has vector logos of most of the coats of arms - but not this one.

In desperation, I emailed the College of Arms. They sent me back the most delightful LMGTFY I've ever received.

Thank you for your e-mail which Rouge Croix Pursuivant has received as Officer in Waiting for the week.

The Royal Arms you sent depict the Crown as used by Kings George V and VI. In 1953, The Queen chose to use St Edward’s Crown (which has a dip beneath the orb on the top, as opposed to having a semi-circular top).

Government Departments use the Royal Arms without the Crest (the lion on top of the crown). If you google “British government coat of arms” - images, you will see what various departments are using, either the open line drawing shown under “commons.wikimedia”(line one far right) or the more stylised black versions (as used by the FCO) which may reproduce better when photoreduced to a tiny size.

Nothing here is digitised, the College never having been publicly funded. If another Department cannot supply you with a high quality version, I can either send you a new drawing or scan in a previous one. In either case, I will have to charge for it – hence my advice on self-help above!

Using a reverse image search, I discovered a stock photo site had a copy.

Annoyingly, they've slapped a watermark over it and seem to be claiming copyright. Which is nonsense as the same image is freely available from The Internet Archive on Flickr! It's from the British Museum's Annual Report of 1925!

There are several version of this image available

With a little bit of editing, I turned it into a black-and-white version, which has cleaned up pretty well.

That's... OK. Not brilliant. Just fine. Even with better scans, there's a limit to what can be recovered from a 100 year old print.

I thought about trying to recreate it using the Wikipedia vector version as a template:

But there are some challenges:

• The "Honi soit qui mal y pense" is in lower case on the 1925 version.
• The lion's tail is significantly different.
• The crowns are a different style.
• The "Dieu et mon droit" are laid out differently.

So I think I'll just stick with my cleaned up version. If you think you can do better - or if you have a higher quality scan - please drop a note in the comments box.

Today's flaw, however, is a particularly basic mistake which simply shouldn't be allowed to happen by any competent site owner.

What Is An Open Redirect?

A redirector is a small web service which takes the user to a new web page. It's a simple enough concept - if you visit: http://www.planningportal.gov.uk/PpWeb/jsp/redirect.jsp?url=http://bbc.co.uk

you'll be taken to the BBC's homepage. It's an older technique which allows a website to track which external links you clicked on.

Unfortunately, this can be abused. Spammers can use links like: http://GoodSite.com/?url=BadSite.com to trick people into visiting illegitimate web pages.

When those links are used in an email, it can help bypass spam filters. The presence of a .gov.uk domain adds the appearance of legitimacy to any phishing attempt.

Abuse of Open Redirects is perfect for phishing, spamming, trolling, and all manner of digital nastiness.

What Does It Look Like?

Here's the NSFW portion of the blog. Google crawls the web - and your emails - looking for links. When it finds them, it adds them to its search index. We can ask Google to give us all the results for the word X on website Y by performing a search for "X site:Y".

This lets us see all the times a UK Government site has been used to spew spam.

As a guess, the spammers have abused the open redirect and pasted those links on forums, in comments, and social media. Google dutifully follows and indexes them.

PlanningPortal.gov.uk is the only UK Government site which I could find which has this vulnerability. The US Government has vastly more sites with this particular problem - many of which seem to link to deeply disturbing content.

How to stop such wickedness?

There's an easy way, a hard way, and a pragmatic way to prevent this sort of vulnerability.

The easy way is - don't use a redirect service. If you want to link to an external website, just use a normal link. There really is limited use for them these days. Tracking can be accomplished by JavaScript analytics libraries without hijacking your user's browser.

The hard way is - create a whitelist of sites which can be linked through your redirect service. This is difficult because someone has to constantly maintain exactly which links are allowed through. You also have to manage which links are broken or are no longer acceptable.

If you absolutely need an open redirect and don't have the staffing levels to manage it, the pragmatic solution is this:

Final Thoughts

This isn't a new or innovative attack - Google have been warning about this vulnerability for the last 7 years!

Websites need constant care and maintenance against an evolving threat landscape. If a site contains such basic errors, I think it's reasonable to suspect that it is probably dangerously broken in other ways.

The UK Government should be holding GOV.UK website managers to a higher standard than this.

Would you like to know every domain name the UK Government had registered? Of course you would! There could be all sorts of interesting tit-bits hidden in there (ProtectAndSurvive.gov.uk? EbolaOutbreak2017.nhs.uk? MinistryOfTruth.police.uk?)

Rather than relying on Freedom of Information requests, or Open Data, we can go straight to the source of domain names - the DNS!

Shut Up And Give Me The Codez!

Download all UK Government host names .gov.uk 15,436 records .nhs.uk 4,877 records .police.uk 466 records .mod.uk 268 records .parliament.uk 91 records

That's... quite a lot! The majority are host names - only around 2,247 of the GOV.UK ones are domain names. Many of them are not currently live.

Still, I wonder how many are new?

Steph Gray

@lesteph

Not intended snarkily, but has web rationalisation/no new govt domains been formally abandoned as a policy now?

---

Steph Gray

@lesteph

Replying to @charlottejee@charlottejee stuff like exportingisgreat.gov.uk, workplacepensions.gov.uk etc

---

Charlotte Jee

@charlottejee

Replying to @lesteph@lesteph This seems to say new domains need approval rather than that they aren't allowed: gov.uk/government/pub…

---

The Gov.UK file is a CSV which also show when the domain was first registered (if available).

Geeky Details

The Domain Name System (DNS) lists every single domain name (example.com). It tells your computer which IP Address is associated with a Domain Name. If your local DNS doesn't know where example.gov.uk lives, it goes to the ISP's DNS. If they don't know, they ask an upstream provider's DNS. And so on, until someone asks the .gov.uk nameserver for an authoritative response.

So, can you download every domain name in existence? No, not easily. It usually involves filling out lots of forms and giving some compelling reason why you want it.

However, Rapid7's sonar project provides a sort of "best guess" for all the domain names which it can see.

To download the entire file is 12GB. That's the zipped version.

Once unzipped, it's a whopping 67GB

A quick look at the file shows it contains 1,408,097,159 records. Youch! That's a lot of domain names!

This is what the file looks like

$ head 20150926_dnsrecords_all
cshengmei.com.h310.6dns.net,a,103.225.196.101
reseauocoz.cluster007.ovh.net,cname,cluster007.ovh.net
cse-web-cl.comunique-se.com.br,a,200.166.77.69
ext-cust.squarespace.com,a,198.185.159.176
ext-cust.squarespace.com,a,198.185.159.177
ext-cust.squarespace.com,a,198.49.23.176
ext-cust.squarespace.com,a,198.49.23.177
ghs.googlehosted.com,cname,googlehosted.l.googleusercontent.com
isutility.web9.hubspot.com,cname,a1049.b.akamai.net
sendv54sxu8f12g.ihance.net,a,54.241.8.193
sites.smarsh.io,a,199.47.168.63
www.triblocal.com.s3-website-us-east-1.amazonaws.com,cname,s3-website-us-east-1.amazonaws.com
*.01ete21.cn.cname.yunjiasu-cdn.net,a,162.159.210.34
*.01ete21.cn.cname.yunjiasu-cdn.net,a,162.159.211.34

As a brief primer, a CNAME points to another domain name. An A Record points to an IP address. There are lots of different domain records.

Ok, so let's get all the *.gov.uk records out of there...

grep "gov\.uk" 20150926_dnsrecords_all
0-19insalford.info,soa,ns0.ictservices.co.uk postmaster.salford.gov.uk 2010022204 28800 7200 604800 86400
019186.gov.ukpfl.cn,a,122.9.230.117
100days.local.gov.uk,a,198.154.241.231
101.gov.uk,a,216.146.46.10
101.gov.uk,a,216.146.46.11
101.gov.uk,mx,20 sms2.101.gov.uk
101.gov.uk,ns,ns1.p08.dynect.net

Ah! Ok, we're picking up some websites which are pointing to a gov.uk site (potentially useful) and some false positives like "019186.gov.ukpfl.cn". Let's just look at records where the first column ends with .gov.uk":

grep "\.gov\.uk," 20150926_dnsrecords_all
100days.local.gov.uk,a,198.154.241.231
101.gov.uk,a,216.146.46.10
101.gov.uk,a,216.146.46.11
101.gov.uk,mx,20 sms2.101.gov.uk
101.gov.uk,ns,ns1.p08.dynect.net
101.gov.uk,ns,ns2.p08.dynect.net
101.gov.uk,ns,ns3.p08.dynect.net
101.gov.uk,soa,ns1.p08.dynect.net hostmaster.cscdns.net 2014121100 3600 600 604800 1800
1901redirect.nationalarchives.gov.uk,a,193.132.104.151
1sttouch.powys.gov.uk,a,212.219.229.79
1t6c3c0p2r0m934.forestry.gov.uk,a,212.38.180.45
2011.census.gov.uk,a,94.126.106.132
2014.colneyheathparishcouncil.gov.uk,a,81.27.85.11
2050-calculator-tool-wiki.decc.gov.uk,cname,wiki.2050.org.uk

OK, so how do we de-duplicate these? The first thing to do is manipulate the data. We only want the first column. There are an number of ways to do this in Linux, I prefer to use the Python tool CSVfilter.

To install sudo pip install csvfilter.

To grab only the first (zeroth) column
cat 20150926_dnsrecords_all | csvfilter -f 0 > out.csv

Now, this doesn't quite work. Why? Because some DNS records contain incredibly strange data! You can manually clean up the data, but that's a bit boring and utterly impossible to load into Excel or any other normal editor.

Here's what I did...

1. Copy all the lines containing gov.uk into a new file
   grep "\.gov\.uk," 20150926_dnsrecords_all > govuk.csv
2. Create a new file with only the first column
   cat govuk.csv | csvfilter -f 0 > govuk0.csv
3. Sort the file and make sure each line in unique
   sort govuk0.csv | uniq > govuk.txt

Hey presto! A more-or-less complete list of every .gov.uk website which is registered. The same can be performed for .NHS.uk, .police.uk, .MOD.uk etc.

Getting The Dates

Time to crack out the Ruby!

Using the WHOIS library, I wrote a simple script to parse the text records and query when the domain name was created.

#!/usr/bin/env ruby
require 'whois'

c = Whois::Client.new

File.open( "govuk.txt" ).each do |line|
   begin
      r = c.lookup(line.chomp)
      puts "#{line.chomp},#{r.created_on}"
   rescue Whois::Error => e
   rescue StandardError => e
   end
end

This isn't perfect - there are only records for the third level of gov.uk - and no records at all for Parliament, MOD, Police, and NHS. It is also a bit slow to run through the thousands of records - but we can see a few interesting bits and bobs.

Created in 2015

I suspect some of these are merely renewals, rather than brand new domains.

seemis.gov.uk,2015-10-29 00:00:00 +0000
yjb.gov.uk,2015-10-28 00:00:00 +0000
crbonline.gov.uk,2015-10-23 00:00:00 +0100
coi.gov.uk,2015-10-14 00:00:00 +0100
gibraltar.gov.uk,2015-07-29 00:00:00 +0100
dorsetforyou.gov.uk,2015-03-19 00:00:00 +0000
ico.gov.uk,2015-03-19 00:00:00 +0000
bridgnorthtowncouncil.gov.uk,2015-01-29 00:00:00 +0000

Oldest

wdc.gov.uk,2003-06-03 00:00:00 +0100
west-dunbarton.gov.uk,2003-06-03 00:00:00 +0100
clacks.gov.uk,2003-06-02 00:00:00 +0100
bassetlaw.gov.uk,2003-04-29 00:00:00 +0100
dti.gov.uk,2003-03-13 00:00:00 +0000

Sadly, clacks.gov.uk has very little to do with Terry Pratchett!

That's all folks!

Spotted anything unusual? Found a better way to do things? Stick a comment in the box!

If you've enjoyed this post, you can buy me something from my Amazon Wishlist.

Yeah, yeah, so I only played a small part in the (no doubt) hideously complicated process - but I'm happy to take full credit :-)

Last year, the UK Government opened up a Standards Hub. They were actively soliciting for challenges that the UK Government could take on.

I was one of the first to respond.

Terence Eden is on Mastodon

@edent

My suggestion for open formats in government has been published - standards.data.gov.uk/challenge/offe…

---

You can read my modest proposal on the standards hub.

The crux of my proposal was this:

Each user - whether they work for the Government or are a citizen - has the right to read documents. A user should not be expected to purchase new equipment or install new software, just in order to read an official document.

I don't think that's too much to ask. You may buy a computer every 6 months - but there are plenty of citizens who only have access to a Windows 95 PC. Or a Nintendo Wii. Or an eReader. Or who don't have admin rights to install new software.

Many of these devices are perfectly serviceable - and all are guaranteed to read either PDF or HTML. Open standards means zero extra cost for the citizen.

Next Steps

Based on my suggestion, two challenges were created:

• Challenge: Viewing government documents
• Challenge: Sharing or collaborating with government documents

After several months of wrangling, the Government announced a solution to both of these challenges - Open document formats selected to meet user needs.

When departments have adopted these open standards:

• citizens, businesses and voluntary organisations will no longer need specialist software to open or work with government documents
• people working in government will be able to share and work with documents in the same format, reducing problems when they move between formats
• government organisations will be able to choose the most suitable and cost effective applications, knowing their documents will work for people inside and outside of government

The selected standards, which are compatible with commonly used document applications, are:

• PDF/A or HTML for viewing government documents
• Open Document Format (ODF) for sharing or collaborating on government documents

Cabinet Office and The Rt Hon Francis Maude MP

And, boom, just like that the open standard of ODF is mandated across government. In the future, you won't have to buy Microsoft Office just to read or respond to a government document. You won't need the latest and greatest computer, or cutting edge software.

Here's the thing. I don't know what would have happened if I hadn't made my initial contribution. Perhaps someone else would have. The tide is turning away from the proprietary standards of the past and Governments around the world are embracing Open Standards.

But I did contribute. I did make my voice heard. And the world has changed a little bit for the better.

And now it's up to you. Find a challenge on the Government's website, contribute, engage, make your voice heard,

Huge thanks to Hadley Beeman for telling me about the Open Standards Challenge, and to Tracey Williams for keeping me informed of its progress. Much of real credit for this amazing achievement belongs to Linda Humphries for running the consultation, and to The Rt Hon Francis Maude MP for listening to such wise counsel.

The primary cause of the vulnerabilities I've exposed over this series is abandonment.

In a flurry of excitement a website is commissioned and created. Then, as time wears on, people begin to drift away from the project. Job titles change, people are reshuffled, and senior management's gaze focuses elsewhere.

Who is now responsible for updating and maintaining the software? No one. Like an unwanted puppy, it has been abandoned on the street and proceeds to pick up all manner of diseases in its malnourished state.

So we move on to the tragic fate of the abandoned Public Inquiry website. Long after "lessons have been learned" these sites stand in monument to the vast human undertaking required to make sense of a tragedy.

Not so much.

Leveson

The Leveson Inquiry last updated its website in November 2012. Since then, it has been left to rot. Much like the Noble Lord's proposals on regulating Britain's feral media.

• The admin page is freely available - although "protected" by an expired SSL certificate.
• The search functionality is broken. Reducing its usefulness.
• The outdated WordPress 3.7.1 powers the site.

That's fairly mild. As weeks turn into years, we can expect the site to decay further.

What about Inquiries which ended many years ago? The National Archives maintains a list of all previous inquiries and an archive of their original websites.

Taking a look through some of the more high profile site reveals a very sorry state.

Victoria Climbié

Victoria Climbié was tortured and murdered by her guardians. The public inquiry, headed by Lord Laming, had a hugely positive effect on the way child protection works in the UK.

The official report - along with hundreds of news sites - still link to this long abandoned site.

Rather than keeping the website running, keeping all the documents in public view, the domain was allowed to lapse.

Where upon a "Mr Benedict Sykes" bought the domain, and it became stuffed full of barely related keywords and adverts.

Benedict is a "creative, innovative and extremely credible Online Marketing Manager".

I'm not sure how credible it is to take a report into a murdered child and then use it to sell links to investment guides and addiction councelling. But then I don't have the same well defined set of ethics as Mr Sykes...

At Benedict we adopt a simple ethical code for all online activities taken on behalf of our clients. Our ethics are based around our belief that the internet's true purpose is to supply users with the right information at the right time. We abide by Google's rules and go further in being guided by our own philosophy on what the internet should and could be one day.

Benedict's Ethical Philosophy

A fine way to profit from a child's senseless death.

Harold Shipman

The serial killer Harold Shipman murdered around 250 people. The inquiry into his activities found serious failings in the way the state controls doctors, pharmacists, and coroners. The total cost of the inquiry was £21 million.

That wasn't enough money to keep the site registered in perpetuity, apparently.

It has now been taken over by Gary Taylor - an affiliate marketer - who has redirected it to a spam site full of loan adverts.

Both the Shipman Inquiry website and the new spam site are registered to Gary. He links to the personal loans site in his Google+ profile. On his personal website he boasts about his SEO prowess.

It's not Gary's fault that the Government couldn't be bothered to keep the site running - indeed, he appears to have bought it from some other 3rd party.

The site should have been left standing in memorial to the victims. A tribute to let their families know that the state recognises their loss and will do everything in its power to stop such horrors from being inflicted on other people.

But now it's just a sordid way for the Midlands Young Entrepreneur Of The Year (2008) to make a few quid.

Bloody Sunday

After £190 million and 10 years, the Saville Report into Bloody Sunday was published in 2010.

Despite all that time and money, the site is now a haven for spammers. Thousands of news websites point there, countless newspapers will have made reference to the site, all now unwitting pawns in an anonymous spammer's SEO Expert's game.

The Iraq War

Hey, remember when the Security Services said Iraq had Weapons of Mass Destruction which could be launched within 45 minutes? Yeah, turns out they lied.

The Butler Review came to the conclusion that the "intelligence" which used to justify the war with Iraq was unreliable.

The Hutton Inquiry investigated the apparent suicide of Dr David Kelly. Prior to his death, he had been exposed as the person behind claims that the Government "sexed up" the intelligence relating to Weapons of Mass Destruction.

Both Inquiry websites are now used by spammers. Profiting from the bloody consequences of war - all because the British state cannot pay for the upkeep of a few websites.

&c.

And so it goes on. There are around a dozen Public Inquiry Sites which have been allowed to lapse and are now in the hands of spammers.

Even when the government has managed to keep hold of the domain - they aren't managing their portfolio properly. Zahid Mubarek was murdered by a violent racist after the prison service placed them in a cell together. The Home Office spent year resisting calls for an inquiry until the Law Lords ordered David Blunkett to set one up.

Today www.ZahidMubarekInquiry.org.uk is still owned by the Home Office - but no longer has a working website behind it. It's as if they want to flush the reports of an institutional racist prison service down the memory hole.

This is our digital heritage - and it is being squandered.

Legacy

Over the last week I've exposed how Parliament's website was open to attack, how a key Department for Education database could be hijacked, that the NHS is riddled with insecure websites, and that local government websites don't fare much better.

There needs to be a radical re-think in the way that the state approaches digital infrastructure. This means long term legacy planning - not just thinking in terms of election cycles. It means employing people who know what they are talking about - not just the heads of "Think Tanks". It means no longer being afraid of technology - but rather embracing the promise it brings of a better world for all.

Sadly, for now, when dealing with the UK Government's attitude to their websites, I think it best to hang a large banner above your browser reading "Lasciate ogne speranza, voi ch'entrate"

Over the last few days, I've shown that hundreds of websites run by branches of the UK state are in a perilous state of disrepair. There are multiple sites with hugely embarrassing XSS flaws, running ancient and unsecured software, languishing unmaintained and long since abandoned.

What are the consequences of failing to invest in security and maintenance? The websites become a haven for cyber-criminals. They exploit weaknesses in the sites and use them to push dodgy pills, fake goods, and all manner of illicit schemes.

The exploits which we are about to see range from the trivial - comment spam - to the extremely serious - complete site takeovers.

All the sites mentioned in this blog were notified on 19th February about the specific flaws found. I've no idea how these sites were compromised, nor whether any citizens' data are at risk. All I know is that a disastrous attitude to "cyber security" is rotting away within the *.gov.uk namespace.

Complete Site Takeover

This looks like the perfect site to by some "Genuine* Fashionable Boots", doesn't it? It is seemingly hosted with the endorsement of the Conservative run London Borough of Hillingdon. One of the most prosperous borough in London, and they can't even afford to hire a website security team.

—❦—

The Leadership Centre is funded by the government department for Communities and Local Government. Its mission?

We believe it takes great leadership to create thriving and prosperous communities so we work with and support senior leaders from across the public sector to help them shift their thinking on leadership.

Sadly, that doesn't extend to thinking about leading technology teams. The site has been abandoned for around the last 3 years. In that time, it has become riddled with spam.

—❦—

At the other end of the spectrum, we have the tiny borough of Amble. With a population of barely 6,000, their website plays host to a number of webpages extolling the virtue of knock-off boots.

—❦—

The town of Kidwelly is nearly 900 years old. It has a rich history including medieval castles, nature reserves, and an annual festival.

As far as Google is concerned, it also maintains a cottage industry for cut-price "blue pills".

Having spoken to the council, they have told me that the local police are currently dealing with the matter.

—❦—

Can we reasonably expect small parish councils under the yoke of austerity to have top-notch web security teams? If they are able to find the resources necessary to fund the protection of their digital assets, that's great - but it's highly unlikely.

Instead, Central Government needs to heavily invest in making sure that all councils - big and small - are able to competently run web sites and services.

Comment Spam

Every blog attracts comment spam. Fraudsters leaving vaguely plausible comments in the hope that publication will see a flurry of extra hits on their site. The bigger and more prestigious the site, the more likely the site is to be targeted. And the .gov.uk name is very prestigious.

Amongst the Government sites playing host to spam is the Foreign and Commonwealth Office's blog page for the British Ambassador to Somalia.

—❦—

The Northern Ireland Assembly is the devolved legislature for Northern Ireland. It has hundreds of comments, seemingly all of which promoting dodgy deals.

—❦—

A book of condolence in Oldham for a much loved community member now plays host to spammers.

—❦—

Lewes, and many other councils, have open forums which are overrun with spam messages.

—❦—

Even the UK National Archives have seen fit to save some comment spam for future generations to ponder.

Hidden Links

Finally, we get to the murky world of hidden links. These are spamming messages not designed to be seen by humans. They are hidden within the web pages' source code in the hopes that Google and other search engines will see them and increase the spamming site's popularity.

The spam covers the usual range from pharmaceuticals to knock off designer goods.

Again, there are several sites which exhibit this malicious behaviour.

What Can Be Done?

The State needs to take responsibility for the websites run in its name. If site owners are unable or unwilling, then those sites should be removed from the web. It is simply too dangerous to allow them to stay online without decent security measures in place.

It is time that the Government started to treat cyber-security as a serious subject. They love putting out press releases, and making grand sounding plans with shadowy agencies - what they need to do is spend some money on basic front-line services.

Suppose, for a moment, that a hacker were to interrupt payment processing for banks, or tamper with the UK's water supply, or cut off the phone lines. The economic damage alone could run into the billions.

Anyone discovering such a flaw could illegally exploit it for their own gain, or sell the vulnerability to the highest bidder.

The computer industry's solution to this problem is the "Bug Bounty". Any security researcher / hacker who finds a security bug in, say, Facebook - is then able to disclose that bug directly to Facebook in return for cold, hard cash. And a generous "thank you" note. This provides an economic incentive to find and safely reveal bugs.

Some companies band together to provide bug bounties for critical Internet infrastructure. The giants of Capitalism banding together in Socialism to protect their interests. Lovely!

Ideally, I think, Governments should compel businesses to provide bug bounties. Think of it like a form of punitive fine - inapplicable to responsible companies. Force the privatised utilities, large companies, and infrastructure providers to pay up for security flaws in their software and hardware.

It's not so unreasonable; the Government already fines companies for breaches of the Data Protection Act - so why not fine companies for breaches of a future "Computer Security Act".

But that will be a long time coming. Let's start closer to home.

Why doesn't the UK Government offer a bug bounty for its services?

Imagine that you've just found a gaping huge security flaw in HMRC. With a single command from your computer, you can subtly alter your tax status - or see how much tax an individual has paid - or erase evidence that someone has paid their owed tax.

Ignoring the illegal aspect of acting on your findings - where's the incentive to responsibly report the problem? After all, you'd get a huge pay-day from selling it to the criminal underworld.

Let's step back a bit - how would you even successfully report your findings to the Government?

Assuming you've even heard of Office of Cyber Security and Information Assurance the only way of contacting them is via email. They don't offer a PGP key, so there's no way of contacting them securely. Oh, and based on my experience, they don't reply.

One could also try contacting the affected Government agency. But again, based on my experience, they won't have the first clue of how to respond to a reported security flaw.

Finally, one could try escalating to GCHQ's GovCertUK - the security agency charged with protecting vital national computing infrastructure. They do offer a PGP key - but its validity expired at the end of January 2014...

Wouldn't it be brilliant if our shiny new GOV.UK were to offer an easy to use form for reporting security vulnerabilities? Obviously, they would need a team acting as a clearing house for all the reports they receive, and the legal authority to test the vulnerabilities reported.

Finally, if a bug was found within the Government’s IT infrastructure, they could force it to be fixed and offer the reporter a suitable reward. It needn't be monetary, of course, it could just as easily be a medal, an honour, or a Peerage - whatever they deem suitable for strengthening the nation's security.

Is this something the Government should be involved in? Or should citizens simply exhaust themselves trying to report bugs with little prospect of them being fixed and no prospect of a "thank you" - let alone a reward?

Without a bug bounty, what incentive does the Government have for keeping its electronic infrastructure secure? Or do they just believe that the "stick" of criminal sanctions is larger than the carrot of rewarding decent behaviour?

The Terence Eden of October 2009 was a busy chap! 22 blog posts! What a guy :-)

One post which caught my eye recently, was asking "What are the browser statistics for 10 Downing Street?"

Here was their answer

UK Prime Minister

@10DowningStreet

Replying to @edent@edent Top are: IE7 22%, IE8 20%, IE6 12%, Firefox3.5.3 9%, FF3.5.2 7%, FF3.0.14 5%, FF3.0.13 4%, Safari 4.0.3 4%, Chrome 2.0.172.43 2%

---

So, three years later, how have things changed?

Firstly, I asked the team behind the (still in beta) GOV.UK

Terence Eden is on Mastodon

@edent

Anyone from @GDSTeam know if they'll be releasing browser statistics - or any other user metrics? shkspr.mobi/blog/2009/10/b…

---

Sam Sharpe

@SamJSharpe

Replying to @edent@edent very rough stats (-bots -spiders): FF 28%, IE<6 10%, IE7 12%, IE8 21%, IE9+ 13%, Safari 11%, Opera 3.5% /cc @GDSTeam

---

Then, I asked for the whole of the parliament.uk space

Terence Eden is on Mastodon

@edent

Replying to @blangry@blanalive If you've got any going. Would be better to have them published regularly than on an ad-hoc basis.

---

Alex

@blangry

Replying to @edent@edent IE8 23% IE9 17% Chrome 21/22 16% FF15 7.7% IE7 6.5% Safari 4% IE6 1.6%

---

These are, as they say, to be taken with a pinch of salt.

It's interesting to see the collapse of IE6, and the huge rise in Chrome. More interesting still, is the difference between the general parliamentary site and GOV.UK. There also doesn't appear to be a significant mobile presence - unless they're rolled up into the main stats.

One thing is for sure, it would be great to see these sort of official statistics regularly. Not least to counter the "must support IE6" and "Who on Earth uses Chrome" crowds.