25 million people caught up in UK Government data security fiasco

I’m treading carefully here to avoid political comment but, for those who haven’t seen tonight’s news, a UK Government department has lost the personal details for 25 million people including names, dates of birth, national insurance/child benefit numbers and bank details. On a CD. In the post.

So, I’d like to thank HM Revenue and Customs for making such a monumental **** up with my family’s personal information. In this day and age, I find it amazing that two government departments have to transfer data between one another on CD (isn’t that why they have a Government Secure Intranet?) but to send that in the internal mail (unregistered) is amazingly inept (and, according to tonight’s BBC News, against Government guidelines). Furthermore, the news report I heard said that the passwords protecting the data could be cracked in seconds, so I’m interpreting that as a statement that the data wasn’t even encrypted.

What makes it so galling is that the information was being transferred to the National Audit Office. Surely they can be trusted to access the Revenue’s systems directly without needing a database extract on CD? And why did it take nearly 3 weeks for someone to report that the data was missing?

Fair enough, names and dates of birth are public information and bank details are not exactly top secret (my bank has told me it’s not something to be too concerned about) but it puts my own attempts to maintain data security into perspective. If the Government can’t keep my identity safe, who can?

Anybody who is concerned about the implications of this data breach should check out the HMRC and APACS information on the data loss.

A clear virtualisation licensing and support statement from Microsoft

I’ve commented before about the licensing implications for Windows Server in a virtual infrastructure but yesterday, I was at a Microsoft partner event during which Microsoft UK’s Clive Watson gave an extremely clear explanation of Microsoft’s position and I thought that it was worth repeating here:

  • The current version of Windows Server (Windows Server 2003 R2) is licensed by association (not installation). This means that, regardless of whether the operating system is actually installed or not, a purchased operating system license can be associated with a device. In practice I can run any operating system I like on a server and, if I associate a legally purchased copy of Windows Server 2003 R2 with it, then I’m licensed to run Windows Server 2003 R2 on it.
  • Each Windows Server 2003 R2 Enterprise Edition license also allows up to four virtual copies of Windows Server 2003 R2 – so if I associate a Windows Server 2003 R2 Enterprise Edition license with a server, I can run any virtualisation product on the server and I am licensed for 4 virtual machines (VMs) running Windows Server 2003 R2.
  • Multiple licenses can be associated with a device, so if I associate two Windows Server 2003 R2 Enterprise Edition licenses with a server then I can run 8 Windows Server 2003 R2 virtual machines, 3 licenses allows 12 VMs, etc.
  • There is a point after which it becomes more cost-effective to use Windows Server 2003 R2 Datacenter Edition, which is licensed per physical CPU. This allows unlimited virtual instances of Windows Server 2003 R2 to be run. Datacenter Edition used to be available exclusively from OEMs but that is no longer the case.
  • There are also grandfathering rights, so the Windows Server 2003 R2 licenses can be used for previous versions of Windows Server, as long as they are still supported (i.e. back to Windows 2000, which is currently in its extended support phase). For client operating systems (i.e. Windows 2000 Professional, XP and Vista) and operating system versions that are out of support (e.g. Windows NT), a separate non-OEM license must be owned in order for a virtual machine to be legally licensed. For volume license customers, there are arrangements to allow upgrade from an OEM copy of Windows and there is also the Vista Enterprise Centralised Desktop (VECD) programme for customers who are looking at running a virtual desktop infrastructure.
  • Only active VMs need to be licensed – so an unlimited number of virtual machines can be held in a library for activation on a host server (subject to the limits on the number of running VMs at any one time).

The long and short of it is that I can run VMware ESX Server, Citrix XenSource or any other virtualisation product and by associating one or more Windows Server 2003 R2 Enterprise/Datacenter Edition licenses with the physical server(s), I am licensed for a number of active (and unlimited inactive) Windows Server 2003 R2/Server 2003/2000 Server virtual machines. A licensing calculator is also available.

With regards to support, the situation is less clear. Microsoft’s common engineering criteria ensure that all products since 2005 have shipped with support for Microsoft Virtual Server 2005 and this has now been updated to include Hyper-V. There are a few exceptions to this (products that are in the process of being retired and products with hardware requirements that cannot be met through virtualisation). Microsoft knowledge base article 897615 discusses the support policy for Microsoft software running in non-Microsoft hardware virtualisation environments and, crucially, says that:

Microsoft does not test or support Microsoft software running in conjunction with non-Microsoft hardware virtualization software

Effectively, Microsoft will use commercially reasonable endeavours where a customer has a Microsoft support agreement but may require an issue to be replicated on physical hardware (or using Microsoft virtualisation).

One more point that’s worth mentioning: Microsoft doesn’t just support its own operating systems in a virtual environment. Microsoft knowledge base article 867572 lists the supported guest and host OSs, including Red Hat Enterprise Linux and Novell SUSE Linux Enterprise Server, and Microsoft are keen to stress that support is end-to-end (i.e. Microsoft applications, any supported operating system and the Microsoft virtualisation product), with agreements in place to back off Linux operating system support to XenSource/Novell where required, while Microsoft remains the primary point of contact.

Windows Live OneCare 2.0… proof readers required?

Overnight, I received an e-mail from the Windows Live OneCare team announcing the end of the OneCare 2.0 beta. That’s good news (OneCare is not exactly inexpensive and new features would be welcome) but then I read a bit more closely:

[…] Beta to Close at End of December 2007
We wanted to give you an advance notice that the (v2.0) beta will be closing at the end of February […] To thank you for your participation, we’re extending a special introductory offer […] at 39.95 AUD for a year[…]

[Emphasis added by the author]

Let’s just hope that the beta testing was better than the proof reading and mail merge on the communications. I have a .co.uk e-mail address and I haven’t lived in Australia for six years. At least when I click on the link, the special price is £14.99 (i.e. pounds sterling).