gov.uk security stupidity nothing new

Those of you who have been following the comments to my earlier blog posting (Please Use Firefox 2 or IE 6) or my Twitter tweets might be interested in an item I wrote for my newsletter Tales from the Terminal Room, July 2002. Entitled “Inland Revenue’s Cookies Fail Crunch Test” – sorry about the awful pun – it suggests that gov.uk seems to have learned little about security over the last 7 years:

In the UK, it is that time of year when we suddenly realise that we have only a few weeks to complete our tax forms and deliver them to the Inland Revenue. I, says she rather smugly, have already done mine but not online as the UK government continually exhorts us to do. I did have a go last year but the Web site kept crashing and after four attempts I reverted to the good old-fashioned paper form. This year I did not even consider the online route, which is just as well because the service had to be temporarily withdrawn following a security breach.

A problem with cookies allowed users of Inland Revenue’s online self-assessment tax form to see other people’s tax details. An official statement explained: “The way in which the ‘session cookie’ identifying the user was managed meant that it could, in certain rare circumstances, be presented to another user.”

It seems that Inland Revenue’s site allocated the same cookie to more than one user because they were using IP addresses to identify users. Many Internet users, and especially those accessing the Internet from home, use ISPs with dynamic IP addressing: that is the ISP allocates a different IP address to a user each time they access the Net, which means that the same IP address may be assigned to several different users in quick succession.

The Inland Revenue said that examination of activity logs suggested that the web site had compromised the privacy of 47 of the site’s 28,679 users and there were 665 for whom the possibility could not be eliminated.

The problem has now been fixed and the site is back up and running, but I for one am not reassured.

For the Inland Revenue’s side of the story see: http://www.inlandrevenue.gov.uk/news/sa_online.htm

Inevitably, the URL in the final sentence no longer works but you can still view a copy at http://www.archive.org/.  Copy and paste the whole URL into the Waybackmachine Take Me Back box, and on the list of results click on August 2002.  Alternatively, http://web.archive.org/web/20020804140436/http://www.inlandrevenue.gov.uk/news/sa_online.htm should take you straight there.

Please use Firefox 2 or IE 6

This would normally fall into the “I don’t belieeeeve it” category had I not already heard of the problems endured by UK central and local government departments in trying to move on from Internet Explorer 6.

Out of curiosity I decided to see what pittance I might receive from the state when I retire so tried the advertised http://www.thepensionservice.gov.uk/. First of all I could not just use my existing username and password for the government gateway service to use the pension forecasting service. That’s fair enough. I appreciate the additional security level but then I had to wait two weeks for an activation code. This morning it arrived, I “activated” my account and attempted to log in. In a flash, a “Technical Error” page popped up with error and error ID codes, and instructions to phone them for help.

What followed has left me stunned.

“Are you using Firefox or Internet Explorer?” the nice lady asked.

“Firefox”

“Which version?”

“3.5.2” I replied

“If you want to use Firefox, you’ll have to go back to version 2”

A few seconds of silence followed and then I asked if I could use IE 8. No, was the answer, it had to be IE6 or possibly IE7. Google Chrome? Not compatible. Opera? She wasn’t sure but if it was the latest version then no. Safari? Er..probably not. She explained that they haven’t security tested the latest versions of the browsers and Chrome is definitely out.

It is pathetic, stupid and irresponsible. We are all exhorted to keep our browsers up to date as part of our online security measures but the UK government is encouraging us to do the opposite. We are encouraged to file our tax returns online and use the government web sites to obtain information about our entitlements, but to do so we have to use browsers from the stone age. It does not fill me with confidence. Quite the opposite, I am beginning to feel seriously paranoid regarding the security of gov.uk sites.

So have I got my pension forecast? Once I had stopped haranguing the poor lady on the help desk I was transferred to another department, my personal details were taken, and I was told my forecast would be in the post in about 10 days. So much for fast, efficient e-government!

I am still sitting here gobsmacked and wondering if I dreamed the whole thing. I think, after all, that this has to be filed as a Victor Meldrew moment.

Directionlessgov: compare Directgov search with a Google custom search

Checking through the last year of postings on my blog I regret to say that I somehow managed to forget to cover the excellent Directionlessgov. This is an “alternative” search option for the Direct.gov.uk web site and uses Google. It has has been set up by the group that is also behind They Work For You and The Government Says.

“We got so fed up with the general uselessness of the multi-million pound shambles otherwise known as the Direct.gov.uk portal, that we decided to build something better in under an hour. Sadly, we ran catastrophically behind schedule, but we still finished before lunch.”

Type in your search and view the results from Google on the right hand side of the screen. For comparison, and to rub salt and a hefty dose of chilli pepper into the wound, results from Directgov are displayed on the left hand side.

A search on my own council’s (Reading) recycling policies came up with the following results:

directionlessgov

No contest: Directionlessgov wins outright!

For another Google custom search engine covering local government, you might also like to try LGSearch, which I covered in March 2009.

Searching for file types made easy

One of the Top 10 Tips that participants of my advanced search workshops regularly come up with is using file format options to focus your search. If you are looking for an expert on a topic, a conference presentation or a quick overview of a topic then seek out PowerPoint files; government and industry reports are often stored as PDFs; and substantial collections of statistics may be left in Excel format. Both Google and Yahoo have options for file type searches on their advanced search screens, but if you want a quick and easy way of searching both of these search tools for the four main file types (Word, Excel, PDF, PowerPoint), then head for DocJax.

Simply type your search terms into the box and DocJax will pull up a list of all four file formats in Yahoo and Google that contain your terms. You can then limit your search to just one file type by clicking on one of the four logos at the top of the list.

DocJax

I have only one minor quibble with DocJax, which is that it does not deduplicate the results. Other than that, it is an excellent tool for filetype searching. Many thanks to Peter Guillaume for alerting me to the service.

If you prefer to search Yahoo and Google separately, then try Browsys Advanced Finder. Select Files form the menu at the top of the screen, enter your search terms and click on Yahoo or Google for your preferred file type. There is no need to re-enter your search terms for each search – just click your way through the list.

BrowsysFiles

I usually berate such services for not including Bing (formerly Microsoft Live Search) in their lists because Bing does sometimes come up with unique content. Although not included in Bing’s advanced search options one used to be able to simply incorporate the filetype: command followed by the file extension in the search. On testing it today, though, I discovered that the filetype command no longer works in Bing. Like the link and linkdomain commands, it has been obliterated from their search system. Another example of Bing dumbing down their search. This does not bode well for Yahoo: as part of the recent Microsoft deal, Microsoft will power Yahoo search and as a result Yahoo will lose many of its current search features. I’m afraid that rather than stealing market share from Google, Bing’s current approach to search will encourage users to stay with the big G.

Google Caffeine

A short post prompted by Phil Bradley’s posting on the proposed new hyperactive Google, nicknamed Google Caffeine. See his article for further details and background information, and if you are interested in comparing the current Google with Google Caffeine try Caffeine Compare. I have been running my searches and test searches on both over the past few days and found:

1. No difference at all for the majority of searches.

2. Minor and insignificant differences for a handful of searches

3. For some business information searches, worse and an increased number of irrelevant results with Google Caffeine.

Not much else to say other than I am not very impressed at this stage.

Who phoned?

Having just come back from two weeks holiday, one of my first tasks was to check the phone messages on both my land line and my mobile.A handful of callers left messages, several did not and were number ‘withheld’ or ‘International’, and a few rang without leaving a message but are known contacts in the “phone book” so their names were recorded in the log. About half of those who did not leave a message were just logged as a number and some made repeated calls.There is no point in calling most of these numbers back because you usually end up at a switchboard. Even if you do get the individual who rang they have long forgotten the purpose of their call. But I am a curious person and I like to see if I can track down the identity of mystery callers.

I first search the various contact lists on  my computer using Copernic Desktop Search. Sometimes that throws up a long forgotten contact. A straightforward Google search on the number may also work. If those fail I run the geographic numbers through a program on my desktop called CodeLook. This will tell me the area, exchange and telecoms operator but not the identity of the owner of the number. It can be enough, though, to jog my memory about a friend, relative, or customer. The program is part of a subscription service for  members of Magenta Systems’s UK Tariff Comparison web site but there is also a free online version at http://www.telecom-tariffs.co.uk/codelook.htm.

There is one type of caller that drives me mad: the call centre. They ring repeatedly, hardly ever leave a message, and often there is no-one at the other end when you do pick up. For these numbers Whocallsme is a godsend. This is a user supplied database of UK phone numbers of:

“telemarketers, non-profit organizations, charities, political surveyors, SCAM artists, and other companies that don’t leave messages, disconnect once you answer, ignore the Do-Not-Call List regulations, and simply interrupt your day.”

On this occasion, Whocallsme identified two of the repeat callers. The first was a British Gas call centre. They repeatedly phone me trying to persuade me to change my gas supply to them (I already have my electricity supplied by them). Asking them to cease and desist has no effect whatsoever so they will now be added to the automatic “Choose to refuse” list on my land line. The second was a mobile number and turned out to be Orange. I have a four month old dispute with their billing department so that number was definitely worth pursuing and following up.

All this might seem like a lot of effort to track down who phoned you but it can be worth it if only to identify and filter out the junk callers.