Devs SLAM UK.gov's JavaScript-astic, 'shoddy' security education website A high profile UK government cyber security campaign aimed at changing attitudes to online security has come under criticism for the poor quality of its expensive website. Cyber Streetwise was launched with great fanfare, and much positive comment from the IT security biz, last month. It was part of a campaign led by the Home …
Having worked in gov IT i see your 3:1 manager to dev ratio and instead of a grin at a jolly good exaggeration i'll just join you in a solemn, knowing frown
It got to the point when they realised so many of the normal staff were now managers that they had to invent new lower paygrades for the new people joining as non-managers
...ditto. And most of the guys who worked there were learning on the job and weren't that good at learning either. They were far more interested in lunch time, their holidays and general entitlements not to mention getting their moneys worth out of the sick leave. Oh, and you never see one do any extra hours without 'overtime'. [which was rarely on offer....so no extra then]. And the manager seem hell bent on making the wheels turn as slowly as possible.
Not saying everybody who works in Gov tech are all like that, but I've worked on gov projects a couple of times over the years and none of the projects have ever left me to conclude anything different than the above.
Seems to be pretty much doomed really... first we had the road accident that is The Year of Code, now we've got Cyberstreetwise....
Also, I note CyberCrapWeb gets 4 million and fusterclucks it, yet a national initiative to teach kids "code" fusterclucks it with only half a million.. Much better value for money there!
Perhaps they can persuade the UKs banks and large online retailers to take online security seriously - far too many sites have password and ID verification policies that appear to have been thought up by a primary school class or seem more aimed at limiting the organisations liability (very UK) than preventing breaches.
Perhaps they can persuade the UKs banks and large online retailers to take online security seriously
Alas. I refer you to a statement:
The Cyber Streetwise campaign aims to effect behavioural change
The best behavioural change is effected by giving a good example. This site seems to be too much "do as we say, not as we do" which is EXACTLY the wrong message to give.
BTW, the problem you illustrate have little to do with taking online security seriously - it's more about allowing them to evade liability if they have followed some basic rules. This is really the main problem in industry: practically all budgets I have seen are aimed at doing just enough to avoid liability, not to actually SECURE the place. As long as the focus remain on that instead of a genuine desire to protect the clients I fear nothing will change from the presently more or less ritualistic overpaid administrator approach to IT security.
ALL IMHO of course..
> aimed at doing just enough to avoid liability, not to actually SECURE the place
It pains me deeply to say it but this is in fact a perfectly logical approach. Where you can offload liabilities so others get the hurt, this is the 'sensible' option for a business short of cash, or legally required to maximise profits.
It says so much about our society, I think.
"The Cyber Streetwise campaign aims to effect behavioural change"
Yeah, the comment was more hope than expectation, this being gov.uk.
Re liability: one of the little lines that really irks me that banks regularly deploy is "...taking steps to safeguard your money" or thereabouts. It may well be 'our money' in some greater scheme of things, but if they can't take the appropriate steps to stop it getting nicked, its their problem as far as I'm concerned; tinkering with the paintwork may help them avoid legal liability, but they'll still be thieving shits.
I had a card lifted in Thailand about 10 years ago, found out quickly and duly reported it, at which point as I understood it, it stopped being my problem. There were several small transactions some hours after that and I remember calling their call centre and pointing out to the Purveyor of Canned Tritisms at the other end that these were not my problem. He agreed and they were removed, but he still insisted on banging on every other sentence about the steps they were taking to recover "your money" even though he'd just agreed it wasn't. It feels like social engineering; blame the victims till they believe it themselves - really so much 'UK'.
Physical banking required the exercise of very few skills on the part of consumers to keep it reasonably secure; online banking and electronic transactions need to reach something of a similar standard, and pushing the liability bar much higher would seem to be the best way to make that happen.
The cynic in me thinks this is just because they want to censor the internet.
By 'advertising' that the web is insecure and you should be more savvy, it makes filtering easier to swallow. We have had months of media about cyber stalking, bullying and paedophilia and this is the next step toward acceptance.
It's all a lovely organised ecosystem of information control and censorship don't you think?
It's funny how the system works. Global warming (as another example of a government hot topic for manipulation) has moved into a strange state at the moment - it's now barely mentioned, it's just implied. I have not seen many news articles blaming the 'extreme' weather on global warming, and yet a year ago that's exactly what they did and ten years ago it was bad to even mention the idea!
Happy Friday everyone!
"> Check out the site with images turned off."
"Or with Noscript installed."
It gets worse. I have NoScript, GhostScript, and AdblockPlus installed and running.
I have to disable all three, and thus make my browser inherently insecure, just to view their site that doesn't even tell me how to make my browser secure.
Not only that, with LightBeam, I see they connect to a number of sites that are considered the pinical of security: Facebook, Twitter, Mookie1.com, doubleclick.net... (there may be more, I have a lot disabled)
If you visit the Privacy Policy page, note how they collect information about you, then spread it via Twitter, Facebook, Mookie1 and doubleclick. If there is text with a scroll knob, try using your mouse scroll wheel to scroll up and down the text. Then try watching their sample videos, the first half loads quickly, and when it waits to buffer again the second half loads quickly - I'm appalled to say, but the YouTube experice is by far superior.
According to my Request Policy plugin, cyberstreetwise.com puts out requests for content to rackcdn.com, which them puts out requests for content to cyberstreetwise.com. As well as the usual suspects such as facebook and twitter and google analytics, they then try to load javascript from mookie1.com. WTF is mookie1.com and why should I trust it?
It's 2014. Cyber Streetwise - my cringe-o-meter just exploded.
If you use the word "cyber" in a security context, it means the following:
- You work for UK Government
- You are clueless about security but responsible for it
- You will implement it in ways more damaging than the threats you're mitigating
- You will be ripped off by your suppliers
- You clueless bosses will see that all security checkboxes have been ticked, so you'll be promoted
Our in-house security team always use the word "cyber" and all these principles apply
I honestly thought the website was aimed at teenagers, due to the cartoon images of young folk and the use of 'down wiv da kids' expressions like 'streetwise'. Was it really the case that the website was aimed at SMEs and woman of a certain age?
From what I saw of the website, the content isn't terrible, but it should have been better.
If the site was aimed squarely at children or as an online game then the overall presentation with the parallax (layered) scrolling and cartoon style graphics is actually very good. And they even avoided using Flash.
The navigation, however, sucks balls and is very much along the level of incompetence exhibited by flash "web designers". e.g. they have no clue whatsoever about web design, optimisation or anything so they just made an all inclusive flash "site". Generally a desire to control everything and re-implement everything in a custom manner that makes no sense and is not optimal for any user or device. But it looks pretty when a screen shot is taken.
...and this is pitched both at businesses and home users???
> The FAQ also deal with why the site site was so JavaScript-heavy.
>
> "We used JavaScript to create an immersive user experience for both
> audiences, allowing them to explore the content – learning the basics
> on their journey, while being able to choose to read further.
So by clumsily breaking out of a well-understood and well-tested user experience (browsing web pages) they've somehow made it more immersive? As opposed, to, say, introducing introducing a jarring dissonance?
And what happens to the "immersive" user experience when the user hits one of the (many, many) external links and end up off on some banking website or wherever?
> There are no page refreshes throughout the experience, which is
> completely served using HTML5 and JavaScript."
Okay. So the site's JavaScript-heavy because it's completely served using HTML5 and JavaScript. I don't think that explanation has quite the causal relationship they were looking for.
And anyway, what's wrong with a few page refreshes? Are we still all on dialup? Clearly it's much more immersive to spaff a great wad of JavaScript into the user's browser and have a cute little Shoreditch "loading" throbber every so often.
> Women aged 35-55 and SMEs
It's 2014 for $DEITY's sake. A surprising number of people know how to use websites without being patronised by cartoon graphics and so-called immersive experiences. Yes, that includes women aged 35-55 and SMEs.
> "Small changes in behaviour^H^H^H Wasting less taxpayer money on
> badly thought-out digital campaigns could save the public and small
> businesses in the UK a tremendous amount of money."
FTFY.
If you start with accessibility in mind you generally end up with a web site that does the basics of what 'the customer/client' needs it to do in a simple, logical easily tested and easily maintained way. Then* once you've done what you want in the no-frills does what it say on the tin accessible site then the graphic designers and coding monkeys can be let on board to fuck the hole thing up with code and graphics done on a friday afternoon and it turns into a battle of unproductive wannabees trying to sell their snake oil.
*The achievements in my career that give me the greatest pleasure are the ones I managed to get the accessible but functional site live due to some government milestone.
They've just paid four fucking million for about 100 html pages cut and pasted from other sources.
The intention was likely to have no 'buffering' or slooooow page transition to give a good user experience.
Somewhere down the line a middle manager has made that 'page load times as close to zero as possible', and the next one down says 'zero page loading times ever.'
Its the same management structure that thought you could target women 33-55 and SMEs with exactly the same site. And the same management structure who didnt think that 'good practice is good practice, regardless of who you're talking about'.
Never attribute to malice what can be attributed to incompetence.
Web application != website. That's the fail here. There's nothing intrinsically *wrong* with a JavaScript framework application (BackboneJS, EmberJS, pick your flavour), but in this context it was just a horrible choice of technologies. What were they thinking?
Some of the upstream notes about payload side are a little naive. Moderns applications will localstorage assets, so it's essentially a non-issue. Same goes for navigation/state.
When browsing to the site:
www.cyberstreetwise.com
I get redirected to the SSL version:
https://www.cyberstreetwise.com/
which seems fair enough. I then see a polite message telling me I have Javascript disabled (I use NoScript). Fine. I enable Javascript for the domain cyberstreetwise.com and then.... absolutely nothing, just a blank page! Only when Javascript from (apparently completed unrelated website) rackcdn.com is enabled is there any content. Hopeless.
Good to know I can enjoy the website without any annoying page refreshes - yes, those "Loading" pauses are just fine.
I had to laugh when I read the first few lines of the Privacy Policy: "Cyberstreetwise.com collects your personal information through cookies placed on our website either by a third party or hosted by Cyber Street". Good to know they have these cookie-things under control.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
