Alastair Revell - Blog

Microsoft: What does the future hold?

2008-06-30T20:29:39.14+01:00

I suspect that at some point in the future, today may well be seen to be very significant! Why? Simply because today was the first day that Microsoft moved forward without its founder at the helm. (Bill Gates retired from Microsoft as an executive last Friday, although he still remains its non-executive chairman).

Changes in strategic leader nearly always are accompanied by big changes in direction, not necessarily immediately, but often relatively soon afterwards. This is even more evident when the strategic leader has been the organisation’s founder. Microsoft is clearly very keen to play down any hint of a change and I doubt there are any plans to be different at this stage, but I suspect when we look back at some point in the future, the big changes will seem to have sprung from this period.

Obviously, the direction and stance that Microsoft takes will have a profound influence on the computing industry and business at large. It will be interesting to see how Microsoft moves forward and what those changes will be.

This weblog is produced by Revell Research Systems.

Web Compliance? It is often simply unbelievable!

2008-05-31T15:56:25.734+01:00

I can’t believe just how many web designers claim that their web sites are compliant with the standards when they are demonstrably not!

I’m talking in particular about the World Wide Web (W3C) consortium’s standards for HTML and XHTML. You’ve probably seen their compliance logos proudly displayed on web sites that claim to comply. The standards are exacting and very unforgiving on slips in the code. A particular page either complies or it does not, but this is nothing particularly challenging for a professional discipline that is used to such binary situations.

The standards are important for all sorts of reasons, not least because there is a greater chance that more browsers will render the sites as intended, that search engines are more likely to index them properly and that people using less popular browsers because of their disabilities are more likely to be able to access them.

There are standards in many different professions and one thing you expect of professionals working in those fields is that they will work to them. Indeed, they would be unprofessional if they did not.

I find it contemptible that an increasing number of web designers will proudly place the W3C’s compliance logo with a link to test the page in question against the W3C’s validator, which when clicked shows not just one or two errors, but hundreds. The fact that they link to the validator when the page is riddled with serious errors clearly indicates that they have little regard for their clients.

Do not get me wrong. I know how hard it is to keep a web page compliant, particularly since many editing tools seem to delight in surreptitiously inserting non-compliant elements in to them. However, there is a clear difference between a casual slip and complete disregard for the standards. It is those that are just sticking the badge on and misleading their clients that anger me.

What makes me so angry about this particular issue, though, is that it goes to the very heart of professionalism within our field. It must surely be a tenet in any profession that those in it do not misrepresent the truth to their clients or to the general public.

This weblog is produced by Revell Research Systems.

A Contentious Lunchtime Thought?

2008-03-18T15:40:18.625+00:00

I came across an interesting article by Bruce Lawson on The Web Standards Project web site about the UK Government Accessibility Consultation that was held by the Cabinet Office last November.

The consultation clearly aimed at looking at ways of making .gov.uk web sites more accessible to people with disabilities. It proposed making it mandatory for government web sites to achieve World Wide Web Content Accessibility Guidelines (WCAG) AA-level compliance (presumably to meet European objectives for inclusive e-government).

The bit that caught my eye was the proposal that government web sites should face withdrawal from the .gov.uk domain if they failed to comply.

It occurred to me that a similar approach could be very effective at ensuring commercial .uk web sites comply with existing UK legislation (such as the Companies Act 2006 and the Disability Discrimination Act 2005). What if the Internet domains publishing web sites that failed to comply with UK legislation simply couldn't be renewed?

This weblog is produced by Revell Research Systems.

EMail: The Beginning of the End?

2008-03-07T14:32:41.093+00:00

I was interested to read Ben Limberg's article on the BBC News web site this morning about how stressful email is becoming. It highlighted for me that spam continues to grow and it reminded me of my earlier article on this blog about the need to start tackling the phenomenon rather than hiding it.

The BBC article suggests that around two million emails are sent every minute in the United Kingdom. The majority of reports I read suggest that spam currently accounts for around 95% of all email in circulation, so the BBC statement implies that an amazing 1,900,000 junk emails are sent every minute in Britain!

Certainly, my own consulting practice's email logs have doubled in the last six months and I am pretty confident we are not getting that much more real email. The growth of spam seems to be as exponential as ever.

In fact, what I used to think was a pretty cool feature - the pop up facility in Microsoft Outlook that notifies you of new email - has started to take on rather more menacing conations recently. A few weeks ago we had a sudden surge in spam, which seemed to outwit our spam filters for a while, which led to the notification feature becoming a real distraction. Thankfully, we've tweaked the system and the spam getting through has now returned to more manageable levels, even for someone as intolerant as myself.

I doubt the inventor of email, Ray Tomlinson, had any idea in 1971 that his 200 line email program would kick start such an enormous communication revolution. EMail has certainly become one of the most important communications media of our age.

However, I wonder if its ascendancy is beginning to falter. Certainly, more people are telling me that they no longer check for real messages in their "spam folder" because it is too time consuming. It does occur to me that this might signal the beginning of the end for email, which would be a shame if it was just because of spam.

This weblog is produced by Revell Research Systems.

Internet Attacks: It Won’t Happen to Us…

2008-02-11T21:35:25.984+00:00

The lack of understanding of IT-related security issues in many small-to-medium sized businesses that I encounter as a management and technology consultant often worries me.

There seems to be a mindset amongst senior managers (often at partner and director level) that security breaches are only perpetrated by external human hackers and that their firms are not sufficiently important enough to attract attention.

These senior managers miss the fact that almost all initial external attacks are automated and that although many of these attacks may be unsuccessful in compromising their organisation’s data security, they may nonetheless seriously damage their internal infrastructure, resulting in significant costs in order to rectify the damage.

It would be a lucky organisation indeed that did not have its Internet defences probed at least once every couple of minutes. The most recent log I inspected for a small organisation was receiving an attack per minute in what appeared to be an attempt to swamp instant messaging clients with spam. The log also revealed port scans and other nefarious activity once every 10 minutes. These more serious attacks are often scanning for weaknesses through which to inject malware.

We have conducted occasional exercises in assessing just how bad this type of wanton vandalism is by simply connecting an unprotected set of newly built PCs to the Internet. Our somewhat primitive research shows that it takes around 15 minutes before machines in this condition are crippled with malware. Much of the malware also seems to be aimed at stealing credit card details and the like; and could cause enormous damage to an organisation’s reputation.

I’m often confronted by SME senior managers that argue that they have nothing of value on their networks, but my immediate retort is that neither did the machines mentioned above, but the cost of putting them back together again was expensive. It is clear from the subsequent discussions with these managers just how valuable having an operating computer system actually is to their organisations.

The irony is, of course, that the sort of dubious activity I see time and time again in firewall logs is the equivalent of a criminal gang casually walking down the road trying the doors and windows of each building they encounter for weaknesses, with a view to coming back later to investigate the weaker buildings further. I have little doubt if our streets were full of such marauding gangs then there would be huge public concern. The problem for IT is that this kind of behaviour is literally “out of sight, out of mind”.

I believe, like many other observers in the profession, that there is a discernible shift away from writing viruses for the sheer devilment of it to one of seriously making money out of it.

Indeed, Joe Telafici, vice president of operations for McAfee’s Avert Labs, recently said in a BBC interview that he felt 2007 had effectively seen the extinction of young hackers who wrote viruses and other malicious programs for fun and that writing Windows malware was now all about money.

This weblog is produced by Revell Research Systems.

Personal Details of 25M People Compromised by UK Government

2007-11-20T21:28:24.64+00:00

I suspect the loss of 25 million child benefit records by HM Government in the United Kingdom will have considerable, long-term ramifications.

I understand that the compromised data represents the details of all the recipients of Child Benefit in the United Kingdom and includes names, addresses, dates of birth, national insurance numbers and, in many cases, the banking details of the parents or guardians involved.

According to a BBC news report, HM Revenue & Customs (HMRC) sent a couple of CDs with this highly sensitive data to the National Audit Office on 18th October 2007, but didn’t discover the information was missing until 24th October 2007. Apparently, the CDs were sent by internal mail without being registered or recorded in any way. It was clearly an accident waiting to happen.

Worse still, when they didn’t turn up, it seems from the statement made to the House of Commons by the Chancellor of the Exchequer, Alistair Darling MP, that a further copy was sent by recorded delivery, which apparently he believes should not have happened either!

It needs a moment or two just to reflect on the enormity of what was done here, not once, but twice. Sensitive details of just under half the UK population were sent by internal post between two offices with little consideration for its security. It seems the first reaction of those who discovered that the data hadn't arrived was to resend it, not to ask what had happened to it!

Furthermore, it seems that Mr Darling knew of the security breach on 10th November 2007, but did not instruct HMRC to inform the police for four days. Exhaustive searches have not found the missing CDs, although by their very nature, no comfort can be drawn from their recovery. They could easily have been copied at any time in transit, let alone after they had been lost. The data has been compromised!

The astounding reality is that just under half the nation’s personal and banking details have been compromised by employees of the government.

The BBC’s summary of Mr Darling’s statement suggests: "The missing information contains details of 25m individuals, 7.25m families - including children’s names, addresses, dates of birth, NI numbers and where relevant bank and building society account details.”

I believe that this amounts to the biggest loss of personal data in the United Kingdom to date and by far the most serious.

The Treasury seems to be blaming junior staff at HM Revenue & Customs, but I am extremely surprised to learn that junior staff have access to the banking details of pretty much every parent with a child under the age of sixteen in the United Kingdom. It seems that there are some exceptionally lax mechanisms for handling sensitive data at HMRC, who are still reeling from two earlier security breaches, including the loss of a laptop holding sensitive data.

The Information Commissioner, Richard Thomas, has apparently remarked that: “This is an extremely serious and disturbing security breach.”

Mr Darling suggests in his statement that the junior employees had breached internal rules for data security, but what I find incredible is that this seems to be routine. For instance, Paul Lewis of the BBC Radio 4 Programme Money Box reported on 3rd November 2007 that 15,000 Standard Life customers' details had been lost in very similar circumstances. Mr Lewis' article states:-

"A month ago a CD containing the names, national insurance numbers, dates of birth and pension plan numbers of nearly 15,000 Standard Life customers was lost by a courier taking it from the Revenue national insurance contributions office in Newcastle to the insurer's headquarters in Edinburgh."

According to Alistair Darling’s statement (as reported by the BBC) on the most recent data loss: “Two password protected discs containing a full copy of HMRC’s entire data in relation to the payment of child benefit was sent to the NAO, by HMRC’s internal post system operated by the courier TNT. The package was not recorded or registered. It appears the data has failed to reach the addressee in the NAO.”

The simple phrase “password protected” really worries me. I would have been much happier had he said “securely encrypted”. The difference is immense.

My immediate reaction is, given the manner in which the data was sent in the first place, just how secure were those passwords? I have horrible images of Microsoft Excel spreadsheet files being locked with a flimsy password known to at least the sender and the recipient. Tools to unlock Excel files proliferate on the Internet and are readily available to anyone who cares to look for them using Google. (It is important to note that the exact file format and security mechanism used in this case does not appear to be public at present.)

The current media focus seems to be on the “banking details”, but I am worried about how this data could be used both now and in the future to compromise all sorts of information. For instance, a large number of people use their date of birth as the basis for their passwords and many organisations use date of birth questions as part of their online security.

If this data becomes widely available on the black market, then 25 million people (statistically more or less every other British reader of this article) may find their data being used fraudulently, possibly to compromise the likes of their ebay account, their email account, their online utility bill facilities, even their MySpace account.

My advice to anyone that uses any of the compromised data as the basis for their passwords is to change them immediately. If it has fallen into the wrong hands, they have probably had it for more than a month...

I certainly agree with Avivah Litan of the Gartner Group who is quoted by the BBC as saying: “The data lost - bank account numbers, names and addresses - represents a gold mine for the thieves and is much more valuable to them than credit card numbers or taxpayer id numbers.” She went on to suggest that “In fact, in the black market, bank account numbers sell for the highest price, or between $30 and $400 (£15 to £200), which is significantly more than the fifty cents to five dollars that criminals pay for credit cards.”

These disks, which are still missing, are clearly worth a fortune. If Avivah Litan is right then they have a black market value of at least £108M. If these disks fall into the wrong hands then it seems reasonable to expect considerable identity theft and fraud to follow for a long time to come. Certainly, there is sufficient detail in these files to seriously compromise the identity of many children in the United Kingdom for a very long time to come.

I can’t imagine that the UK population will feel too enamoured about identity cards and the national identity database when HM Government is currently sending their identity backwards and forwards en-masse on poorly protected CDs. There must be questions raised about how secure people’s personal data is throughout government.

The BBC has already reported that Douglas Thomson and his wife believe that £2,800 was removed from their Alliance & Leicester account using this data on 5th November 2007. According to Mr Thomson: “At the time, our bank was at a loss to explain how such detailed info was somehow available to someone else. At least we now know how.” It must be said that the Alliance & Leicester maintains that this incident is completely unrelated to the HMRC data loss.

The problem is that we all seem to have a problem assessing the importance of data. How many people have important data stored on their computers at home, which isn't backed up? How many students have lost their dissertations and essays to disk corruption, but had no backup? How many people lose mobile phones with the personal details of their friends in their address book? How many people send sensitive material by (intrinsically insecure) Internet email?

As I reflect on this issue, I realise I am not unduly surprised about this latest revelation. Many organisations, let alone people, are extremely cavalier with data. I think the problem is that data really doesn’t look very impressive when it is stored on a couple of CDs. The sheer magnitude of 25 million records doesn’t really hit home until its lost, stolen or printed out.

The Information Commissioner, Richard Thomas has said: "The alarm bells must now ring in every organisation about the risks of not protecting people's personal information properly."

Perhaps this incident is just the wake up call we all need.

This weblog is produced by Revell Research Systems.

Do You Have a Good Web Site?

2007-11-05T17:43:17.625+00:00

What is the minimum for a good web site?

I am often asked to give an opinion on whether a web site is good or not. I normally start by assessing whether the web site complies with relevant law and technical standards, since these are easy and objective tests to apply.

It seems sensible to me to say that all good web sites, at the very minimum, will comply with these. I am, of course, aware that good web sites will also have well-written copy and excellent graphics, be informative and easy to navigate, but these are much more subjective than the bare minimum requirements above and consequently far more open to opinion.

However, I do believe that it is reasonable to assert that any site that fails these basic fundamentals cannot realistically be called a good web site, so it is pretty easy to assess whether a particular site is not good.

So what laws and standards are applicable?

Legally, web sites built for operation in the United Kingdom should comply with the Companies Act 2006, the Electronic Commerce (EC Directive) Regulations 2002 (eCommerce directive) and the Disability Discrimination Act (DDA) 1995 as a bare minimum. (There are similar requirements in many other jurisdictions.)

I have mentioned some of these before in my earlier article Legal Compliance of UK Web Sites in which I suggested that the eCommerce requirements actually are just common sense in that they help to build trust between site operator and visitor. Many people report that they are happier if the know where a business is based, even if they only ever trade with them online. I think the DDA is equally sensible – why would any business want to turn away custom?

Technically, I believe web sites should comply with the standards of the World Wide Web Consortium (W3C), such as those for XHTML and Cascading Style Sheets (CSS).

Firstly, most browsers render code written to these standards correctly, so a web site that is compliant will reach a much greater audience. This includes those browsers designed for use by people who have some form of disability, which helps compliance with the DDA. Code that ignores these standards will generally still be rendered, but exactly how will depend on what the browser thinks is trying to be achieved, which is highly likely to differ between products. The result is that the same web site can look somewhat different and sometimes even totally broken using different browsers.

Secondly, search engines are also far more likely to understand compliant code, which means that web sites that are built to these standards are far, far more likely to receive better search engine results than those that don’t. In fact, given how many web sites have been optimised by so called search engine optimisation (SEO) consultants, it is staggering how many still aren't compliant, but I touched on this in my article on Search Engine Optimisation (SEO) in August 2007.

I doubt that many people who commission web sites are actually experts in web design. If they were, they would presumably have built their own web sites in the first place. The point is that people who commission web sites look to their web designers to execute their work to the best available technical standards and certainly expect their work to comply with the relevant laws.

The reality is that this rarely seems to happen. I believe that many web sites operated in the United Kingdom fail to comply with the relevant laws, which leads me to conclude that many web designers build web sites that do not comply with the law.

The questions is: How upset would you be if you found the web site that you had paid good money for landed you in court facing a hefty fine because it was illegal?

Problems with Professionalism

There does seem to be a general lack of professionalism within the web design business in the United Kingdom. I can feel the hackles of many web designers rise as I suggest that many of them simply are not “professional”, but you would not expect any other profession to deliver a product that was illegal, so why should web designers be any different?

Of course, there are some excellent web designers who produce competently designed sites that comply with the relevant law, who refuse to build sites that don't comply and who use best practice and the latest technical standards, but did you use one of them to build your site?

I think part of the problem is the public perception that building web sites is easy. Certainly, putting together a simple web page is extremely easy, but there is far more to it than meets the eye if your aim is to produce a good web site.

This notion that web sites are some how easy to construct has led to large numbers of would be entrepreneurs flooding the market. The competition in this segment is fierce and the weapon of choice is to undercut the competitor. The result is that things that the buyer is unaware of are pushed aside in order to cut costs, including laws and standards that should be the bedrock of good design.

I think the advent of the British Computer Society’s push for professionalism marks the turning point towards a greater degree of professionalism within Information Technology as a whole; although I believe that we have barely started this journey.

The British Computer Society is raising the profile of its professional qualifications, including that of Chartered Information Technology Professional (CITP), which is the new benchmark within the profession. The status of a Chartered IT Professional (CITP) is equivalent to that of a Chartered Accountant or Chartered Surveyor and is recognised as such by the British Government.

Chartered IT Professionals may practice in one or more of the disciplines within the IT profession, which includes web design; although that obviously does not mean that all CITPs are web designers. Chartered IT Professionals are bound by rules of professional conduct and are subject to the disciplinary procedures of the society, so they should never produce web sites that do not comply with the relevant law and should not undertake such work unless they are competent.

I believe that in the not too distant future, many businesses will look to only engage Chartered IT Professionals in the United Kingdom because they will be assured that their work will be at least to the minimum standards prescribed by law. It would certainly help businesses assess whether their prospective web designer would abide by the law.

So are there tools I can use to check my web site?

I started this article by asking if you had a good web site. There are a couple of very useful, public tools that you can use to assess whether your site meets the internationally agreed technical standards. (You should check their individual terms of use before using them.)

W3C Markup Validation Service
http://validator.w3.org/

HTML or XHTML markup is one of the fundamental building blocks of any web page.

You can simply test any page by cutting and pasting its web address (it's easier than typing it!) into the address box on the page and clicking “Check”. If it complies, you get a green page. If it fails, you get a red page with a list of its failings.

The beauty of this particular validator is that it is designed and built by the people who authorise the web standards. It is from the “horse’s mouth”!

W3C CSS Validation Service
http://jigsaw.w3.org/css-validator/

Although Cascading Style Sheets (CSS) are not used in all web sites, it is becoming the preferred method of stipulating the “look and feel” of a web site. If a web site uses CSS, it should be compliant.

You use it exactly like the W3C’s Markup Validation Service and it provides similar feedback.

What about accessibility?

There are also several free, online tools that will assess compliance against the W3C Content Accessibility Guidelines (WCAG). It should be understood that not all of the guidelines can be tested automatically and some require a degree of subjective interpretation. These rules are also under revision because the web has moved on since they were first devised. However, web sites that comply with these rules are likely to have a reasonable defence that they have been built with the Disability Discrimination Act in mind. Watchfire's WebXACT tool is one such free tool.

Problems with Quality Assurance or ... ?

Incidentally, you should not rely on the fact that a web site states that it is compliant with the W3C standards. Research conducted by Revell Research Systems suggests that many sites claim compliance, but in fact fail miserably. I have little doubt that all web designers are fallible (including ourselves!), so the odd page that has somehow mistakenly been overlooked in quality assurance prior to publishing might be forgivable, but our research highlights that most of the pages on many of the sites claiming compliance fail.

At best, this is a clear failing in the quality standards of the web designers concerned. At worst, I leave you to draw your own conclusions about their professionalism.

And what about the legal requirements?

There are no automated checks to test compliance with the law, but you should ensure that your site complies. For instance, if you are a limited company, you must state the country in which your company is registered, its registration number and your registered address.

Pinsent Masons Outlaw web site provides some good general advice, but you should remember that it is always best to consult an expert when in doubt, both for legal matters and on the technical matters discussed above.

This weblog is produced by Revell Research Systems.

Sweeping Spam under the Carpet

2007-10-05T19:43:11.312+01:00

Unless I am greatly mistaken, there has been yet another surge in spam in the last few weeks. Like many firms, Revell Research Systems uses a fairly sophisticated anti-spam system, which generally performs pretty well. It occasionally needs tweaking to improve its detection rate, but on the whole, it does its job well.

However, I am acutely aware just how much spam is actually chucked into our email system on a daily basis. It is literally huge. There is the spam that is sent to our active email accounts and then there is the massive amount sent to random addresses in the hope that something might strike lucky!

Worse still, spam is increasingly being sent with large attachments, which eats away at our bandwidth.

I believe that the majority of Internet users are blissfully unaware of just how much spam is actually in circulation (although they know that they receive an unreasonable amount). The problem is that much of it is sent to non-existent people and is handled in the background by email servers, whose time is now mostly devoted to handling spam email, which means the sheer scale of it is well off most people's radars.

This is, of course, the nirvana that corporate IT departments are asked to achieve – no spam reaching their users.

However, I really can’t help but think that this is little more than sweeping spam under the carpet. Sooner or later, we are going to have to bite the bullet and work out how we are going to stop spam altogether rather than simply hiding it.

This weblog is produced by Revell Research Systems.

Plymouth University's Best Computing Graduate Receives Recognition

2007-10-03T23:04:38.265+01:00

I'm pleased to announce that Darren Rees, from Llantwit Major in South Wales, formally received the 2007 Revell Research Systems Prize at the University of Plymouth at a small ceremony in Exeter this afternoon.

It was the first time I've actually met Darren, who is interested in pursuing a career in the highly competitive games industry. He is obviously a very able programmer and Dr Nigel Barlow, his tutor while at Plymouth, was clearly impressed with his final year project.

The prize (which we established last year to mark our 21st year in business) is awarded annually to the best final year student on the university's BSc(Hons) Computing programme. Essentially, Darren is the best computing graduate from the university this year.

Although he intends to take some time out to discover New Zealand, he would be a catch for any company looking for a young and talented C++/Java programmer with an interest in gaming.

More details about the prize are available at http://prize.rrs.co.uk.

Darren Rees (centre), receiving a certificate to mark his award of the 2007 Revell Research Systems Prize at the University of Plymouth, from myself (left), with his tutor while at Plymouth, Dr Nigel Barlow looking on (right).

This weblog is produced by Revell Research Systems.

Northern Rock Not So Sturdy for Online Customers

2007-09-16T12:53:21.484+01:00

I’ve just read the BBC News report about the problems Northern Rock’s online savers are having in accessing their funds. Like many online accounts, it appears that Northern Rock’s online account holders can only access their funds online in accordance with their terms and conditions.

This is clearly both frustrating and alarming to the bank’s online customers, who like many of their offline counter-parts, are trying to withdraw their money quickly, since they all perceive their investments as being far from safe.

I can’t help but wonder whether this will have an impact on the public’s perception of online banking as a whole. I think people may conclude that online-only accounts are inherently less secure than traditional accounts.

It seems to be certainly true that the bank’s traditional customers have received better service when they’ve eventually managed to get inside their branch than their online counter-parts. The traditional customer has obviously had to queue for ages, but at least they could see their position advancing in the queue, which at least offered some comfort for their patience and perseverance.

The problem for online customers is that they have no way of knowing where they are in the queue. In fact, technically, there is no queue. Each time they try to gain access to the bank’s web site, it is something of a lottery as to whether a web server will be available to service the request.

I suspect that even if a customer has one web request satisfied then there is absolutely no guarantee that subsequent requests will be answered – something akin to being told in the branch to go to the back of the queue once you’ve been greeted by the cashier, which would probably result in considerably less calmness than we are currently seeing on the high street outside the bank's branches!

The message is clearly that Internet-customers are second-class citizens as far as the bank is concerned, especially if one accepts that actions speak louder than words.

I think that when the dust settles, many online bank customers will re-evaluate how much money they should keep in their online-only accounts. It may also have some impact on how safe people consider Internet transactions to be in general…

This weblog is produced by Revell Research Systems.