Security on websites used to apply for UK visas is utter crap, an independent investigator looking into the matter has concluded - in so many words. They should remain shuttered until a list of improvements is completed by the governmental agency responsible for processing applications and the India-based private contractor hired to run the sites.

The system, implemented by a company called VFS, was so porous that user security questions could be viewed using simple SQL injections. There were no formal third-party penetration tests conducted. One internal report even recommended a Windows 2003 server running Service Pack 2 should be rolled back to SP1. Fortunately, organizational inertia prevented the recommendation from ever being carried out.

"I note the expert view that the VFS online system is so poor that it should be completely rewritten - one expert described it as an upside down pyramid, where piling more levels of changes and processes on the top only makes it more likely to fall over," the independent investigator, L. M. Costelloe Baker, wrote in her report (PDF here). "I also note that VFS has accepted that it is not an IT company and that it needs to outsource its software writing."

The scathing, 47-page report came at the insistence of the UK's Foreign and Commonwealth Office following the discovery in May that the site was leaking the personal details of visa applicants. The breach was particularly notable because the security hole responsible had been reported more than a year earlier but no action had been taken. When Sanjib Mitra, the Indian individual who uncovered the problem, went public with his discovery on May 17, the story led television newscasts and resulted in a promise from the Parliamentary Under Secretary of State for the FCO that the agency would conduct a thorough investigation into the matter.

The FCO, in responding to the report, said the VFS application site will be replaced by a UKvisas application facility called visa4UK.
UKvisas has made other changes, including measures to ensure contractors maintaining visa application centers comply with various security compliance laws and industry best practices. The investigator also took UKvisas to task for failing to act on notifications from three people that there were security weaknesses. "I do not find it acceptable for a complaint to be simply passed on to a third party - VFS in this case - for a response," Costelloe Baker wrote. "If UKvisas felt responsible for replying to the complaints, it may have paid more attention to the outcomes." ®
The SCO Group today took a major shot to the groin, when a judge confirmed that Novell still owns the Unix operating system copyrights. US District Judge Dale Kimball issued a decision that spent 100 pages working its way through the various claims and counterclaims presented by SCO and Novell over the years, concerning Unix ownership rights. Much of the controversy covered by Kimball stems from the vague language of a 1995 Asset Purchase Agreement between Novell and SCO. Subsequent discussions held between the two companies did little to clear up the confusion as to whether or not Novell shifted Unix copyrights to SCO during the technology swap.
Comments Another week goes by and there are more lizards, more weapons, more examples of verbal silliness and, of course, more comments. Note: some comments are attributed to "Anon". This is shorthand and stands for "The Anointed One"; he who is all-knowing, all-reading and on-all-commenting.
Within the last 24 hours the Australian Commonwealth Government announced that they would be spending AUS$189m (US$162m) on a range of packages and programs designed to protect Australian Internet users against all that the Internet has to offer, under the name Netalert.
Rare was the day when Anthony Wilson, the Manchester music impresario and local TV presenter who died yesterday, could walk down the street in his home city without a murmur of "wanker" and "twat". It was as much a part of the city as the incessant drizzle. But Wilson revelled in the role of camp, ironic antihero and played it to the hilt. In interviews in early June, six months after his cancer had been diagnosed, Wilson fretted that Mancunians were suddenly "being nice to me". This was a shock in such a fiercely unsentimental city.

Music lovers visiting Britain from overseas began skipping London in the 1990s, heading straight for what's now recognised as Britain's great music city - and that owed much to the outrageous charm of Tony Wilson. In the mid-70s Tony Wilson used his influence at Britain's leading independent TV station Granada to promote the Sex Pistols and a new generation of punk bands, then put his weight and capital behind a small independent club and label in the city. Through fluke, good fortune and a fierce pride in promoting local talent - Wilson had a recording sound genius in producer Martin Hannett, a designer in Peter Saville, and a charismatic genius in Joy Division's Ian Curtis - Factory Records became the first real British independent label since Joe Meek's Triumph Records to gain international kudos. The commercial success of Joy Division (later New Order) was invested in a "New York style" nightclub, the Hacienda, which later became a focal point of Britain's coalescence into a dance culture. This bit of history is celebrated in Michael Winterbottom's movie 24 Hour Party People - a generous dramatisation of Manchester music mythology.

Manchester's rise to prominence as a world music city coincided with London's decline - and by 1980 the metropolis that gave the world The Who and The Kinks in the 1960s had added nothing but novelty bands (The Joboxers, Right Said Fred...
and Blur) until the creative melting pot spewed forth drum and bass, garage, two step and a mass of urban dance music.

[Image: Tony Wilson chose this portrait of himself to loom over the Hacienda box-office]

Wilson himself had a famously terrible judgement for music and also, for a Piscean, he was notoriously Aquarian when it came to money. He rarely knew what was happening musically in Manchester (he was wary of The Fall and declined to sign The Smiths, and promoted folk music just as acid house was taking off) at any given point in Factory's history, and he rarely knew who was pocketing the readies from his business endeavours. He revelled in the role of intellectual fop. In Winterbottom's movie, Christopher Eccleston, in a cameo as a drunk, recites Petrarchus' cyclical view of history under a railway to invigorate a dispirited Wilson. In real life, Wilson contradicted Victor Lewis-Smith's contention that Oxbridge graduates mention their college at dinner parties within seven minutes - only by invariably mentioning his Cambridge education within the first 180 seconds of meeting. Wilson insisted a vast portrait hung over the box office of the Hacienda.

Yet for all the pretensions, Wilson forged a link between the Jewish cultural entrepreneurs of North Manchester - promoters and managers such as Alan Wise and Elliott Rashman, who were heirs to the tradition of Charles Halle (who the Mancunian novelist Anthony Burgess credited with "civilising England") - and the hippy South Manchester scene of CP Lee and Bruce Mitchell. Cities need such characters. In the punk era, Liverpool had Bill Drummond and Manchester, for better or worse, had Wilson - both were relentless promoters. While Drummond came and went (to later burn £1m for the heck of it, as an "art project" after his pop success with KLF), Wilson, a Salford Catholic, stayed to the end. Wilson never invested a penny outside the city of Manchester.
Thirty miles away over the Pennines, Sheffield had a thriving scene which gave us The Human League and Pulp, and gave a backbone to electro and acid house - but lacked such a svengali as a Drummond or Wilson. Because Wilson stuck around, with New Order sustaining the Hacienda, he later basked in the light shone by "Madchester", when "even the white boys learned how to dance". Even if he didn't immediately recognize a trend, once he saw it, he promoted it ferociously. And in losing him, the North of England lost a great voice.

In 1992 Wilson set up In The City, a music industry schmoozefest to which this reporter was generously given a keynote [transcript] - "just to shake things up". Wilson was fabulously utopian about the potential of music, never more so than in this quote to biographer Bill Sykes, who's writing a life of the great scene maker and music promoter Roger Eagle: "I always think that what Richard Boon and Howard Devoto did bringing the Pistols to Manchester on June 4th was the same thing as the Germans putting Lenin into a cattle cart and sending the railway train into Russia," he said last year. "They sent this firebrand, this spark to fuck up the Russians, which of course it did. It caused a revolution."

We couldn't ever admit as much on earth, but we'll miss you so much, Anthony H Wilson. ®
Interview I've been an enthusiast for ALM (Application Lifecycle Management) since the days of AD Cycle in the 1980s – but I can't help noticing that universal adoption still seems to be some way off. Perhaps it's the "hero culture" we have in IT: the ALM promises of "getting it right first time, good alignment with the business and no surprises" don't offer much scope for a hero to save the day, riding in on a white charger when the brown stuff hits the fan. Perhaps no one really wants what ALM promises...
So much for buying and renting videos from Google. On Wednesday, August 15, the world's most popular search engine waves goodbye to the DTO/DTR (download-to-own/download-to-rent) feature on Google Video, the video site that's played a barely-audible second fiddle ever since Google acquired the nothing-but-free-clips YouTube late last year. The Mountain View outfit announced the news with an email to Google Video customers on Friday afternoon, and one of the recipients was a certain El Reg insider. He will remain unnamed, as he may not want the world to know he actually paid for online videos, but here's what the note said:

As a valued Google user, we're contacting you with some important information about the videos you've purchased or rented from Google Video. In an effort to improve all Google services, we will no longer offer the ability to buy or rent videos for download from Google Video, ending the DTO/DTR (download-to-own/rent) program. This change will be effective August 15, 2007.

To fully account for the video purchases you made before July 18, 2007, we are providing you with a Google Checkout bonus for $2.00. Your bonus expires in 60 days, and you can use it at the stores listed here: http://www.google.com/checkout/signupwelcome.html. The minimum purchase amount must be equal to or greater than your bonus amount, before shipping and tax.

After August 15, 2007, you will no longer be able to view your purchased or rented videos. If you have further questions or requests, please do not hesitate to contact us. Thank you for your continued support.

Sincerely, The Google Video Team

When contacted, Google acknowledged that its buy-rent service was indeed shutting down, saying that it prefers to generate revenue on its video sites via advertising - something that's served it quite well in the search market.
"Both Google and YouTube are exploring a wide variety of ways to monetize online video content - from pilot testing AdSense for video syndication to trying various ad formats on YouTube - and the early results have been very encouraging," said spokesperson Gabriel Stricker. "Reaffirming our commitment to building out our ad-supported monetization models for video, we have decided to remove the DTO/DTR (download-to-own/download-to-rent) feature on Google Video."

Google Video has been selling and renting videos, including classic television shows, primetime TV, news, sports, and music clips, since January of last year. For a few dollars, customers could watch a video for a day, and for a few dollars more, they could watch it for the rest of eternity - or at least until Google put an end to its buy-rent service. These for-pay videos can't be viewed without a specialized Google player, and that goes away on Wednesday.

To appease people who were silly enough to purchase videos outright, the company is providing credits via Google Checkout. It looks like our El Reg hack has $2 to spend. Considering that Google prefers to make money through advertising, not actually selling stuff, you can't really use these credits to buy anything of interest from the site itself (unless you're into tchotchkes bearing Google logos). And since eBay refuses to acknowledge Google Checkout, you can't use them there either. But you can get free stuff from third-party retailers, like Starbucks. So, the news of the day: One free but terribly-bitter drip coffee for The Register.

Bootnote

What effect will these video refunds have on Google's bottom line? Very little. "The amount of the refunds is not material," Stricker told us. You can bet that a relatively small number of people have actually used the buy-rent feature. Otherwise, they wouldn't have shut the thing down. ®