
Coding in the open: how to do it securely - robin_reala
https://gdstechnology.blog.gov.uk/2017/09/27/dont-be-afraid-to-code-in-the-open-heres-how-to-do-it-securely/
======
jamiegreen
I know most of the comments here are about the use of GA, but I just want to
comment on the main point to say I think it's pretty great they are going with
an open source first attitude. I work for a big intergovernmental org, and I
can say that most/all our projects are very much closed source. :/

------
sordidasset
The tumbler-padlock analogy is broken. I know how to pick a lock mostly
because the "how it works" info is open.

~~~
jononor
Do you now have a better or worse understanding of what kind of locks are
not secure?

~~~
rbcgerard
+1

And importantly, when to use a deadbolt, or deadbolt + steel frame door, or a
safe. All of which are well understood but can be implemented depending on
when circumstances warrant. i.e. tool shed vs bank vault.

------
Nursie
Oh look, more gov.uk pages that pull in Google Analytics.

Because it's certainly not a privacy problem to have every interaction between
a citizen and their government reported to an overseas megacorp.

But sure, let's talk about security.

~~~
robin_reala
I try to answer this every time the question is asked; my last attempt seemed
to be satisfactory to most people so easiest to just link to it:
[https://news.ycombinator.com/item?id=15070904](https://news.ycombinator.com/item?id=15070904)

~~~
Nursie
And I try to bring it up every time gov.uk is mentioned.

Safe harbour provisions and contractual agreements of this sort are
effectively worthless when it comes to crossing borders, particularly where
the US is involved.

Using adblockers to turn it off is not acceptable, and won't protect the
majority of less tech-savvy folks.

If you can use Piwik for things you think must be more secure then that
tells me two things -

1. It's possible for you to use Piwik

2. You don't believe that sending sensitive data to google is always a good
idea either. You just don't think that most government-citizen interactions
are sufficiently sensitive for some reason.

~~~
robin_reala
Sure, it’s possible to run your own analytics architecture but at 100m visits
a month is it practical? Point two of the GOV.UK design principles is to do
less: [https://www.gov.uk/design-principles#second](https://www.gov.uk/design-principles#second).
When GOV.UK first started it definitely had to hit the
ground running which requires immediate evaluation of user data ASAP.
Certainly at the time there weren’t enough dev hours available given a limited
number of people to evaluate, build and run an analytics framework of the
scale necessary.

Having said that, then isn’t now, and I wouldn’t be surprised if a future
Government as a Platform service isn’t a cross-government analytics system
hosted from the UK. I just don’t see the pressing need for it, based on the
assumption that Google actually are anonymising the data. If you want to
disagree with that assumption then that’s a valid viewpoint too, but I see no
evidence for it.

~~~
vog
_> based on the assumption that Google actually are anonymising the data. If
you want to disagree with that assumption then that’s a valid viewpoint too,
but I see no evidence for it._

This is exactly the wrong way around. For every sensitive area, such as
privacy, it is upon the company to prove proper handling of data. But if that
company is outside your legislation, without any legal means in their country,
how could that ever be possible?

Taking just their word is like trusting the food industry with hygienics until
their customers become undeniably sick.

A better strategy is not to create sensitive datasets in the first place. In
Germany, this principle is called "Datensparsamkeit", which could be
translated to "data frugality".

Moreover, every country should have something like the FDA for data hygienics.
Unfortunately, even in Germany where we do have "Datenschutzbeauftragte"
(designees for data protection), those can make a lot of noise but don't have
much power. This is still better than not having those people, though.

~~~
robin_reala
I’m not disagreeing with you outright, but your argument is on the _ad
infinitum_ scale. For instance, GOV.UK PaaS uses AWS as a host[1]. Is that
worrying? Should we not be using Cisco gear because of US govt backdoors?
Should we not be using Chinese manufactured chips? These considerations are
ones the military has daily, but they hinder the ability to deliver. Analytics
is arguable both ways (and I lean towards your argument at this point in time)
but there are good reasons past and present for GA.

[1] [https://www.cloud.service.gov.uk](https://www.cloud.service.gov.uk)

~~~
Nursie
These aren't really equivalent to actively sending out data to overseas
entities by anyone using your pages.

You absolutely should be taking precautions to make sure that what you're
doing on AWS is secure. And in fact erring on the side of using providers who
host in European countries, preferably European organisations.

(addendum - I spent a lot of the early part of this year working on AWS-based
data processing systems for a large bank, they took massive precautions with
the transport and storage of their data within the AWS system, including IPSec
overlays, 14 day maximum node lifetimes and various other things. I realise
that at some point you're trusting amazon, but there's a lot that can be done to
avoid having problems in the first place. "Not sending data to places you
don't absolutely have to" seems pretty basic)

------
fghtr
Btw, please sign a related petition if you didn't already:
[https://publiccode.eu](https://publiccode.eu).

~~~
dest
OK with public code, but with limits, some data and code should be closed [1],
including:

    keys and credentials
    algorithms used to detect fraud
    unreleased policy

[1] [https://www.gov.uk/government/publications/open-source-guida...](https://www.gov.uk/government/publications/open-source-guidance/when-code-should-be-open-or-closed)

~~~
dangerface
I get the others but why "unreleased policy"? The public will find out what
the policy is so what's the point?

~~~
Ensorceled
It's essentially insider trading to know policy before the policy is released.

In Canada, Tax Policy Changes take effect from the day the bill is introduced
to Parliament or published for discussion for exactly this reason.

~~~
PeterisP
For tax policy, it would make sense to solve this problem in the entirely
_opposite_ way - i.e. declare that any tax policy changes cannot take effect
faster than the next fiscal year; it's also fair and much more reasonable.

~~~
hinkley
Let's say they decide to put a tariff on something a lot of people hate or
think problematic. Let's say for argument's sake, 2 stroke generators. But
they have a lot of power (and users) so you don't think you can swing a yearly
tax. But a tax on new purchases/builds might be tractable. They get to keep
all the existing ones but they can't build more. That's grandfathering.

If you give the wrong people until the end of the year, they'll grandfather in as
many as they can, even if they sit unused. So now you're putting off curbing
the installed base and instead you've actually created a glut. Now your tax
will have zero net effect for four or five years and will make things (say,
smog) far worse in the short term.

~~~
SomeStupidPoint
It can actually end up unwinding your tax (or regulation) --

If the people rushing to buy up the supply to simply store them off-line
happen to cut off people who need them for what are sensible and essential
reasons, you end up with a litany of cases of the tax causing problems paraded
about as it comes into effect, and it ends up repealed or undercut because of
political pressure.

(Usually 1-year window extended because "we need more time to phase it in" and
by the time the second window would close, it's gutted.)

It's not just that it can end up counterproductive in the short term, it's
that it can undercut itself as a law as well by destabilizing a market that
usually has low, but important volume.

------
EGreg
In the past I really worried about open source networked software, because
however you slice it, it is missing a huge chunk of security by obscurity,
making 0days very likely. Especially for new projects. All security
vulnerabilities are out in the open for all to see. Sure, honeypots can help
you learn about vulnerabilities, but it will take years to patch them all. In
the meantime, everyone using your software is vulnerable.

Then I discovered blockchains. Here, the software is _run by the network_ and
does nothing persistent unless a majority of the nodes agree. That makes it
much harder to corrupt the persistence layer. Blockchains are NOT just for
achieving global consensus about a ledger. They can be per-stream-of-data.
That's the approach we take at Qbix.

There are still many other vectors of attack besides corrupting the database.
However, in Web apps, the real pernicious thing is corrupting the data.
Everything else has already been secured by webserver makers and language
runtime designers.

PS: Finally, you can corrupt things on the client level, eg making a client
sign a transaction the user didn't authorize. But at least it is localized to
the corrupted clients, and not the whole network.

