Yesterday, to very little fanfare, the Department for Constitutional Affairs launched a new website called The UK Statute Law Database. The site is basically a free online resource containing over 30,000 items of revised UK primary legislation, all searchable.
When I first discovered the site I wondered why it went live with so little Government boasting. After all, it's a successful Government IT project, and they are few and far between. Then I discovered the awful truth.
It is wise that they've not promoted it too much. The site is running on a Windows server using IIS 5.0. This is bad. This is very bad. IIS is now officially at 6.0 and whilst it remains utter rubbish as a web server, it at least doesn't have quite the wealth of "how to hack IIS" guides as 5.0 does.
I'd be surprised if it isn't attacked by script kiddies at some point, although in fairness it's likely to fall over before that if it gets a sustained amount of traffic from lawyers etc. I should add too that this has really lightened up the day in my office. We're all rather amused that such a system could go live. The question on our lips is: if the front-end is running IIS 5.0, what the hell is the database running? *shudders*
Update: I'm sure the ID cards database system will be very secure though.
Update 2: It has just occurred to me that should this site be compromised I will be the first port of call for the Old Bill. For the record, I am not encouraging any criminality; I am highlighting the fact that the Government has launched a system that is inherently weak in terms of security, and it clearly needs to look at its processes in relation to security review.