Category Archives: Rants

The Sorry State of Tourism in Ireland

I first visited Ireland around this time eight years ago, for St. Patrick’s Day 2012. It did not take me long to fall in love with the place. Since then, I have revisited Ireland other times, lived there for about a year and a half, and been around most of the country. As a result, my Irish experience has been a mixture of thrills and disappointments.

Separate hot and cold water taps (when hot water is actually available) are a disease more prevalent in Ireland than the Coronavirus.

When I recently revisited Ireland around the same time that the Coronavirus outbreak started, I once again had mixed feelings. Many things were really nice, but I wasn’t spared any disappointments.

As part of the Sorry State of the Web series, in which I promote good web development practices by illustrating bad ones, I will focus on websites (and other technology services) I came across during my research for this trip. Other things that annoyed me, such as cafes charging you an extra 2 Euros just to toast your sandwich, will be out of scope.

Aran Islands

The Aran Islands may be beautiful, but their website could have been better.

In fact, they did make it better by fixing this problem with ampersand HTML entities showing within the page.

Insecure WiFi at Penneys

Penneys, the chain of department stores that you might otherwise recognise as Primark in the UK, offers free WiFi to their customers.

Unfortunately, given that you need to join the WiFi via an endpoint that does not come with a proper SSL certificate, it is not only useless, but plain risky for customers to use.

Secret Valley Wildlife Park

The Secret Valley Wildlife Park website has a number of issues.

For starters, some of the links at the bottom (i.e. Terms & Conditions, Privacy, and Cookies) don’t work. The cursor doesn’t even turn into a pointer, and if you look at the HTML, it seems they put anchor tags without href attributes.

On the Animals page, images take ages to load because they used huge images in the page without using thumbnails (see also: The Shameful Web of April 2017 (Part 1)). If you’re including large images in a page, always use small versions and link to the larger version.

There also seems to be a problem with HTTPS… we’ll get to that too.

Going on the online booking system (which is what we care about when it comes to HTTPS, since sensitive information is involved), we see that HTTPS looks okay so far. They also used to have a test ticket type that I’m happy to see has been removed. In fact, they recently updated this page with a plea for funds since Coronavirus is messing up their business (understandably).

Unfortunately, when you proceed to the next step and are about to book a ticket, the connection suddenly isn’t secure any more. It’s a small mixed content problem because of an image, but the problem is that it undermines the trust that people have in such websites (when it comes to keeping their sensitive financial data secure), and can potentially have security-related consequences.

So while I sympathise with Secret Valley (and so many others affected by the Coronavirus), it’s also important to keep your data safe. By all means, send them money, but do it using alternative, secure means.
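To make the mixed-content and dead-link problems above concrete, here is a small static audit script. It is an added example for this article, not code from the original post or from the Secret Valley site; the page URL and HTML it scans are constructed sample data.

```python
"""Static audit of an HTML page for the two problems described above:
subresources fetched over plain http:// from an https:// page (mixed
content, which makes the browser drop the padlock) and <a> elements
that carry no href (dead links). Added example, not the original post's
code; the page URL and markup below are constructed sample data."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser fetches as a subresource (or, for
# <form action>, submits data to). Plain navigation links (<a href>) are
# deliberately excluded: following a link to http is not mixed content.
FETCH_ATTRS = {
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "form": ("action",),
}


def classify(page_url, resource_url):
    """Return (kind, absolute_url) for one reference; kind is None if it is fine.

    Relative and protocol-relative ("//cdn/...") URLs are resolved against
    the page URL first, so they inherit its scheme and are not flagged.
    """
    page_scheme = urlsplit(page_url).scheme
    absolute = urljoin(page_url, resource_url)
    if page_scheme == "https" and urlsplit(absolute).scheme == "http":
        return "mixed-content", absolute
    return None, absolute


class PageAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, where, detail)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and not attrs.get("href"):
            # An anchor with no href renders as text: no pointer cursor, no navigation.
            self.findings.append(("dead-link", "a", attrs))
            return
        for attr in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset lists candidates like "a.jpg 1x, b.jpg 2x"; take each URL.
            if attr == "srcset":
                urls = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value]
            for url in urls:
                kind, absolute = classify(self.page_url, url)
                if kind:
                    # A form posting over http carries user data, so it gets its own kind.
                    if tag == "form":
                        kind = "insecure-form"
                    self.findings.append((kind, f"{tag}[{attr}]", absolute))


def audit(page_url, html):
    """Parse html as if served from page_url and return the list of findings."""
    auditor = PageAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: an https booking page that references one image and
# one srcset candidate over http, posts its form to http, and has a dead link.
SAMPLE_URL = "https://booking.example/step2"
SAMPLE_HTML = """
<html><body>
<img src="http://booking.example/images/logo.png" alt="logo">
<img src="/images/hero.jpg" srcset="/images/hero.jpg 1x, http://cdn.example/hero@2x.jpg 2x">
<script src="//cdn.example/app.js"></script>
<link rel="stylesheet" href="https://cdn.example/site.css">
<form action="http://booking.example/pay" method="post"><input name="card"></form>
<a href="/terms">Terms &amp; Conditions</a>
<a class="footer-link">Privacy</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, where, detail in audit(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:15} {where:15} {detail}")
```

The proper fix is to reference every subresource over https; as a stopgap, the `Content-Security-Policy: upgrade-insecure-requests` header makes browsers rewrite such http:// subresource URLs before fetching them.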

The M50 Toll

If you’re going to be renting a car in Dublin and using it to drive around the country, one of the things you’re going to have to do is pay the toll on the M50 motorway. The M50 uses a barrier-free toll system that can be paid online by 8pm on the next day.

While the close deadline is a little annoying, being able to pay it online is quite convenient… when it works.

In this case, the system just didn’t want to work, although I tried several times. This can happen, but what is a little worrying here is that I don’t think those details about the error (the XML-like thing) should be disclosed to the customer.

Blackrock Castle Observatory

If you like science, then Blackrock Castle Observatory is a great place to visit. They have a lot of interactive exhibits that explain concepts from astronomy and science in general:

Wait… what’s that at the bottom-right, where the arrow is pointing? Let’s take a closer look:

Uh oh… someone didn’t activate Windows! That’s quite embarrassing, and can be seen on several of their exhibits.

Wrap Up

Although Ireland will always have a special place in my heart, it hasn’t spared me any disappointments, both in terms of the service I received in various places as a tourist, but also on websites and other technology-related services.

This article, like others in the same series, is an educational exercise aimed at improving technology standards, especially on the web which so many people come in contact with. The aim is to learn from this and provide a better service, so I hope that nobody is offended, particularly in this difficult time.

Instead, I hope that in such times, when we depend on technology so much more, we can overcome these obvious problems and use technology safely and reliably to reduce the burden of living in a difficult situation as much as possible.

With the Coronavirus currently devastating health, economy, tourism and peace of mind across the world, we need to be safe, help each other, and show empathy because so many people are affected in different ways.

The Sorry State of Buying a Mobile Phone in Malta

A few years ago, I ran the Sorry State of the Web series of articles to promote good web design/development practices by pinpointing shameful ones that should be avoided (an approach inspired by Web Pages That Suck).

Websites today are very different from when Vincent Flanders started Web Pages That Suck. Things like Mystery Meat Navigation are almost gone entirely, as modern websites embrace more minimal designs and are often built on foundations such as Bootstrap or Material Design.

However, after a series of very frustrating experiences today while trying to buy a mobile phone, I am convinced that the state of professionally-built websites has not really improved. Websites may have converged to similar designs that overall are less painful, but the user experience is still miserable because of a lack of professionalism.

As a result, although I would have preferred not to continue this series, I feel there is still value in doing so. In this article, we will focus on websites of companies that sell mobile phones in Malta, where the technology and customer service are both still very medieval.

Sound Machine

Let’s start with Sound Machine. When you first visit this site, you get one of those cookie notices at the bottom-left. That’s pretty normal, especially in the GDPR era.

However, part of this notice sticks around even after you close it. It’s particularly noticeable if you scroll down so that the background is uniformly dark:

This is pretty strange, and probably unintended. But wait… do you notice something in that dark footer area? That’s right — this website was made by none other than Cyberspace Solutions, to which I had dedicated an entire article 3 years ago. I guess this explains a lot.

Another little mistake can be found in their Cookie Policy, where someone has been a little careless with their HTML tags:

But the worst blunder of all is that the Contact form does not even work:

In fact, when you press the Send button, a spinner runs next to it and never stops. There is no indication of the failure, unless you open the Developer Console, which most people obviously will not know how to do.

The result of this is a poor user experience, because (a) the form does not work, (b) there is no indication that anything failed, and, to make matters worse, (c) there is no email address given as an alternative. A customer therefore has no option other than to give them a call or show up in person, which many prefer to avoid for various reasons.

The takeaway from this is that when you build a website, you should always double-check to make sure things look right and that things actually work. Customers aren’t very happy when they don’t.

Direct Vision

Direct Vision has a nice e-commerce website where you can look for products and eventually buy them online. Let’s say I’m interested in the Samsung Galaxy A40… I get a lot of options:

Let’s take a look at the black phone on the left:

Great! It seems to be in stock!

Except that… it isn’t! It turns out that this phone is not available at all in one of their shops, and in the other, it’s only available in a couple of colours (Coral and White). The black one, as it turns out, is not in stock. They need to order it.

So why do they say that it is in stock when it isn’t? The salesgirl tried to give a dumb explanation, and also suggested I go with one of the other colours and get a cover to hide the undesired colour. Naturally, I didn’t buy that (pun intended). It’s truly shameful to waste people’s time in this way.

Tablets and More

Tablets and More is another consumer electronics store. Browsing around, it’s easy to notice a few things out of place. For instance, the thing at the bottom left that fails to load:

…and which, after a few seconds, becomes something else but still fails to explain what it’s supposed to be:

Even the product descriptions seem to be a real mess…

…in what appears to be a copy & paste job from GSM Arena:

What shall we say, then, about the creepy practices of harvesting people’s email addresses via the live chat feature (something that is becoming increasingly common in live chat products nowadays) or of not displaying prices and expecting people to get in touch to find out how much an item costs?

It’s almost as if this store is intentionally doing everything it can to keep customers away.

Phone Box

The minute you land at Phone Box, you can immediately tell that something is wrong:

If a site isn’t being served over HTTPS, then it’s possible for requests to be intercepted by a man in the middle and arbitrary responses served as a result, as Troy Hunt demonstrates in his article about HSTS. This is particularly risky for websites that require you to submit information, and Phone Box does indeed fall in this category:

As I’ve written ad nauseam throughout the Sorry State of the Web series, it is not okay to accept login credentials insecurely over HTTP. While other information being sent insecurely may or may not fall under GDPR and Data Protection laws, I think we would be a lot more comfortable if such details (such as one’s personal address) are not leaked to the world.

At least, this site does not take credit card details, since the only payment method available is cash upon delivery. Let’s hope they don’t decide to accept credit cards as a new feature.

Conclusion

Even from a small sample of websites, we have seen a range of issues going from simple negligent oversights to serious security problems and broken features. In 2020, businesses are still paying a lot of money for web design agencies to do a half-assed job. They probably do not realise how much business they are losing as a result.

How can we make things better? I have a few ideas.

  • Web design agencies: test your website’s functionality and content thoroughly. Get up to speed with the latest security and data protection requirements, as there may be legal repercussions if you don’t.
  • Businesses: choose very carefully who to work with when building a website. Take a look at their past work, and get a second opinion if you don’t feel you can evaluate it. Make it easy for customers to reach you and give them a good service. Otherwise, don’t complain that you are losing business to online marketplaces such as Amazon.
  • Customers: do not buy from businesses that have insecure websites, shady practices, or salespeople who think you’re stupid. Things will only change when they notice that their behaviour is detrimental to their own survival.

The State of Drag and Drop in Linux

A few months ago, looking for a replacement for Windows (which always finds new ways to get on my nerves), I spent a couple of weeks playing with Linux Mint with MATE desktop. During this test drive, one of the annoyances I came across was the inability to drag a URL from Chromium’s address bar to create a link on the desktop. I literally ended up asking for help, and still didn’t figure it out.

Creating a URL shortcut on a Windows 10 desktop by dragging the padlock icon in Chrome

In Windows, this is something I’ve been doing for many, many years. It’s not rocket science. You drag the padlock icon next to the address bar onto your desktop and a shortcut is created, pointing to that URL.

Ubuntu 19.10

Since Ubuntu 19.10 was released a week and a half ago, I thought I’d try it out. The first thing I figured I’d make sure was that I could drag and drop links to the desktop. Ubuntu is one of the most popular and mature operating systems around. Surely they’d support such a basic usability feature, right?

Ubuntu 19.10 doesn’t let you drag links to the desktop.

Well, it turns out that dragging links from default browser Firefox to the desktop has no effect whatsoever. Odd, isn’t it? Let’s try dragging that link to some other folder instead.

We try dragging a link from Firefox to the Documents folder
“Drag and drop is not supported. An invalid drag type was used.”

That’s annoying. I mean, drag and drop is a really basic feature that has been around forever. Let’s try dragging a file from one folder to another… obviously that’s going to work, no?

It looks like it’s going to work, but it doesn’t.

As you drag the file, a little plus icon appears beneath the hand as if to tell you that something’s going to happen. Alas, however, this also has no effect.

And of course, dragging the file to the desktop similarly does not work:

Dragging the file to the desktop has no effect

So we can’t drag links from Firefox, and we can’t drag and drop files. Maybe we’ll have better luck with Chromium?

We try dragging a link from Chromium into the Documents folder
Once again, we get that “Drag and drop is not supported” failure.

So it seems, like someone hinted in that original question about drag and drop in Linux Mint, that this has nothing to do with the browser and is something related to the desktop environment.

Once again, I had to swallow that feeling of incompetence and ask for help with this. Aside from the usual Stack Overflow treatment of getting my question closed as a duplicate, one of the comments led to other Q&As that uncovered a bitter truth: that drag and drop support was intentionally removed. Why would anyone in their right state of mind do that?

Kubuntu 19.10

Incredulous, I decided to try the KDE flavour of Ubuntu — Kubuntu. Drag and drop a link from browser to desktop? No problem:

We drag the padlock icon next to the address bar to the desktop
A context menu appears, asking what we want to do with the URL. “Link Here” creates the equivalent of a desktop shortcut in Windows.
An icon is created on the desktop, leading to the webpage we wanted to keep track of.

Was that really so hard? I get it, there were reasons why GNOME decided to do away with desktop icons and the like. But surely there are better ways to solve the problem than to do away with a basic and essential usability feature.

A desktop environment without basic drag and drop support in… almost 2020… is just garbage.

On Stack Overflow

I love Stack Overflow. As a software developer, I think it is one of the most important and useful resources ever made, helping me quickly resolve countless issues in my work and side projects.

I also hate it with a passion, and think it can be a royal pain in the ass. My main reasons for this stem from the community, especially those with moderation powers, being made up of a bunch of kids (not necessarily in the physical sense) who are addicted to the gamification system and will do anything to ramp up their reputation.

Given that I ask about as many questions as I answer, the result is that I have seen many of my legitimate questions closed and/or downvoted for various reasons such as “not constructive” or “duplicate”. Many times, the people casting such judgement would not actually understand the question.

One of my biggest frustrations with the site came when I asked the question “Task.Factory.FromAsync with CancellationTokenSource”. A troll with very high reputation (read: mod_powers++) marked this question as a duplicate of another question which had nothing to do with mine. When I challenged him, he went as far as to edit the unrelated question such that it did answer my question. He actually admitted this in the comments to my question (which have by now been cleaned up by moderators after I reported the matter, but I have conveniently kept screenshots), and even asked me to offer a bounty so that he could get more points:

As a regular user of Stack Overflow, I was highly put off at not being able to ask any reasonable question without it being closed down.

Answering questions is just as frustrating. Typically, when a question is asked, a barrage of short, two-sentence answers will appear. These will be progressively edited into better answers, but as long as they can get something in initially, they will start accumulating points. This is a common tactic and discourages spending the time to write well-thought answers for relatively little reward. Not that I believe that the reward system is more important than the quality of the questions and answers. But alas, many people do, and that is the reason for this sort of phenomenon.

And you can tell that something is really messed up when you get entire courses, such as this 6-hour Pluralsight course, explaining how to use something that is supposed to be a Q&A site.

But in fact, what I am describing is nothing new, and has been going on for many years. Around 2013, Michael Richter wrote a very informative post about the problems plaguing Stack Overflow. It has disappeared from its original location, but can still be read (along with around a couple of weeks’ worth of comments) thanks to the Internet Archive.

I am reproducing Mr. Richter’s article below for ease of future reference. Aside from the issues with Stack Overflow, I would also like to emphasise the story around his “goto” answer, which echoes a problem I encounter extremely regularly: developers being too religious about what they have been taught, and not using their head to adequately reason about techniques in the particular context they need.

Update 1st June 2019: “Why StackOverflow sucks” is another interesting example of moderator abuse on the site.

Without further ado…

“Why I no longer contribute to StackOverflow” by Michael Richter

I was active in the StackOverflow (and the broader Stack Exchange) community for a while. I no longer am. Here’s why.

Introduction

I have an account at StackOverflow. Follow the link and check out a few stats:

  • I’ve been a member for almost four years at the time I’m writing this.
  • I’ve scored over 14,000 points in their gaming system.
  • I’m in the top 3% of their contributors overall as of this writing.

I point this out not to brag but to make sure it’s clear that I’m not writing this because of “sour grapes” or because I’m not getting the recognition I think I deserve. Indeed, to be blunt, I’m getting way too much recognition, but more on that below.

Overview

If you’re a software developer of any kind, and if you haven’t been sleeping under a rock, you know of Joel Spolsky and Jeff Atwood’s StackOverflow (and broader StackExchange ecosystem). For the rest of you, allow me to lift up your rock a little and explain what the site is.

In brief, you ask questions related to programming and other people answer them. The site is “gamified” (what an utterly horrendous neologism, that!) so you score points for asking questions that get voted up, answering questions and getting voted up, for doing book-keeping tasks and a variety of other things. You can also earn “badges” (gold, silver and bronze) for accomplishing certain things.

The intent of the system is to provide some form of recognition for people who help others with software development problems. It sounds innocuous, but in the end I find it vaguely distasteful and off-putting.

I’ve been asked more than a few times now why I think this, so today I will commit my explanations in writing once so I can just point to this page instead of repeatedly saying the same thing.

The problems

The problems I see with StackOverflow are summarized in this list:

  1. Poor pedagogy
  2. Poor reward system
  3. Poor community

I’m willing to engage in discussion of any of these flaws. Comments are turned on for this post. They are, however, moderated, so if you plan to simply spew bile at someone who dares say bad things about a site you like, you:

  • won’t get your 15 seconds of Innarwebs Fame™®;
  • will add to this counter of people who contribute to point #3 above: count so far: 6

Poor pedagogy

As an educator, I find the StackOverflow approach to “helping” people unproductive and contrary to any kind of real learning. For illustration, go back and take a look at my profile. Specifically take a look at the tags tab. See the #1 tag there? Java. Most of my answers (and most of my points) come from Java-related questions.

Now comes a confession.

I’m not a Java programmer. I’ve only ever briefly programmed in Java professionally. I hated the experience and I hate the language. I certainly don’t consider myself a Java expert. Yet I managed to get the bulk of my points from Java. How is this possible?

It’s possible because I did what many of the people whose questions I answered (and got points for) should have done for themselves: I saw a simple Java question, hit Google, read briefly, then synthesized an original answer.

There’s an old cliché in English: give a man a fish, he eats for a day; teach a man to fish, he eats for a lifetime. StackOverflow is filled to the brim with people giving fishes. The people asking are learning nothing useful beyond the shortest of the short terms and the people teaching are not helping in any but the most trivial of ways. In the long term, I submit, StackOverflow is probably holding back the development of programmers (and thus the entire field of programming).

Poor reward system

Incidentally, my #2 tag is C++. There was a time I would cheerfully have called myself a C++ expert. These days I still likely know more about the language than most people working in it, but I have, if it’s at all possible, an even deeper abiding hatred of the language than I do for Java.

So why, if I hate Java and C++ (and several other languages that score well on my tags list), do I bother answering questions on those topics? This is because of the second problem I have with StackOverflow: the reward system is ludicrously designed.

The high school “cool kids table”

The very nature of StackOverflow’s structure has it such that only those who answer simple questions of the most popular programming languages will get a reward. To illustrate this, look at the difference between this Java-related answer and this non-Java one.

The Java answer scored me 460 and took me probably under a minute to write. The one about operating systems scored me 60 points and likely took about fifteen minutes to write.

If you’re going for points (and that’s the entire raison d’être for gamification!), are you going to waste time like that for 60 points when you could fit in a dozen 460-point answers? Of course not! You’re going to go wherever the points are, and the points are the low-hanging fruit of trivial questions from popular languages. The way StackOverflow is structured rewards people who put as little work as possible across as many simple questions as possible within only the most popular segments. Spending thought (and thus time) on answers interferes with points- and badge-mongering. Answering questions outside of the top ten languages similarly interferes.

This “cool kids table” problem has a very real effect. Look again at my profile. 218 answers. 10 questions. Why is this? I could arrogantly claim that this is because I know more than everybody else, but the real reason is that getting answers on any question that requires thought is a non-starter. As my approach to scoring points (Google + hasty rewrite) shows, I’m quite adept at answering trivial questions myself. For a prime example of the problem, consider this question. It got five answers (one of which you probably can’t see), only one of which even really answered part of the question. Why? Because answering the whole question would have taken a lot more work than most people in StackOverflow would be willing to put in. There’s just no percentage in spending time on difficult questions when you can hoover up a cool thousand points in a fraction of the time.

Broken scoring

Even if the “cool kids table” wasn’t an issue at StackOverflow, the system is still largely broken. Remember how I have over 14,000 points as of this writing? Two years and a bit ago, when I decided to stop participating in StackOverflow, this was not the case. I was “only” at OVER NINE THOUSAND! and several hundred points shy of getting moderator status. In well over two years I have contributed nothing to StackOverflow: no questions, no answers, nothing. (Well, that’s not true. When my score went over 10,000 I tried out the moderator powers for a couple of edits, just to test them out.) Over one third of my reputation was “earned” from me doing absolutely nothing for over two years. Indeed I went from the top 4% of contributors at my time of departure to the top 3%, despite, you know, me not doing anything.

Any scoring system that allows this to happen is simply broken in my opinion.

Poor community

And now my reputation score will go down!

Petty children

As of this writing my score was, as mentioned above, over 14,000. (14,076 to be precise.) I predict that this is going to go down as more people find out about this blog entry and start voting down my questions and answers in petty revenge. How do I know? I’ve been on the receiving end of sudden bouts of negative votes before. Consider this question about ‘goto’ constructs, for example. As of this writing it has 72 up votes and 13 down votes. It is simultaneously one of my most popular answers as well as one of my most hated ones.

The people who hated it weren’t content, however, with merely voting it down. No, after I posted that answer I had a mysterious downward turn in my reputation as downvotes appeared all over my answers. People got so upset at my mocking one of the Holy of Holies of computing that it wasn’t enough to just downvote the answer, they had to punish me. (Their selected means of punishment was as highly amusing as it was highly ineffective.) This is not the way a community of mature users acts.

Creeping authoritarianism

That kind of behaviour is, of course, inevitable in any kind of Innarwebs™® interaction. Pseudo-anonymity makes doorknobs of otherwise-normal people. There is something else, however, in the whole Stack Exchange hierarchy that bugs me: the creeping authoritarianism.

The “flavour” of StackOverflow today is entirely different than the flavour it had when I started. When I started the community as a whole still had a bit of a sense of humour. Sure sometimes questions and/or answers would be a bit off-topic or a bit irreverent, but it gave more of a community feel that way, even if it was on occasion less-than-“professional”.

This changed slowly but surely in the way that all “community moderated” things change. Here is the recipe that all such “community-driven” approaches almost, but not quite, invariably follow:

  1. A wide-open community based on “merit” is built.
  2. The community gets a kernel of users who build up “merit” by virtue of, basically, being obsessive twerps.
  3. As this kernel of “serious” users builds up its influence, they start to modify what the standards of the community are to match their own desires.
  4. These standards get enforced on other members of the community who lack sufficient “merit” (read: who have a life outside the site) to fight back.
  5. The tenor of the community changes to match the notions of the obsessive, but “meritous” minority.
  6. Lather. Rinse. Repeat.

This happened at Wikipedia and it’s happened at StackOverflow. StackOverflow was once fun. It is no longer. StackOverflow once had a tolerance for things a little outside of the norm. It does no longer.

Take a look at the site now. Some of the most popular questions and/or answers are now locked down and only kept for “historical reasons”. Consider this answer. It’s likely the best-known and most-loved answer on the entire damned site! It’s funny and it’s informative. But it’s something that makes the current powers-that-be at the site crazy and thus it is locked and we have this ominous note appended: “This post has been locked while disputes about its content are being resolved.”

What. The. Fuck!?

TL;DR

There are a number of reasons why I stopped contributing to StackOverflow. I am disquieted by its poor pedagogical value, I think its scoring system is fundamentally broken and rewards the wrong things, and I think its community lacks maturity even while it becomes more and more pointlessly authoritarian. So what would I recommend as an alternative?

How about learning? You know, that thing that puts information in your head that you can apply later at need. Use Google. Use Wikipedia (if you must). Use RosettaCode for code examples. (Contribute there too!) Engage with other users of the tools you use in the form of user groups, mailing lists, web forums, etc. Learn foundational principles instead of answers to immediate questions.

On Daily Standup Meetings

Agile development methodologies such as Scrum, Kanban and XP have taken the software development industry by storm. By now, most companies have drunk the kool-aid – first the decision-makers, then the developers – and follow it with a manner of religious zeal.

It seems like this exciting new “agile” way of working has made traditional hierarchical management and reporting lines obsolete. Agile has by now entrenched itself deeply within the fabric of software companies, and it seems like we’ve forgotten the old ways.

We are now faced with the conflict of fixed-backlog sprints and shifting requirements, burndown charts that never converge, armies of full-time scrum masters babysitting developers to death, and the progression (or regression) of the Daily Scrum into… the Daily Standup Meeting.

While I understand this article may be controversial and may touch a nerve in a large number of people, I find it much more important to work efficiently and to challenge harmful norms than to mindlessly conform to them. My hope is that at least some people might read this article with an open mind, break out of their stupor, and start questioning these established practices. In order to improve, it is necessary to first acknowledge problems, and then take active steps towards addressing them.

What is the Daily Standup Meeting?


The Daily Standup Meeting is a “ritual” (quoting Jason Yip’s comprehensive article on the topic) in which the development team (and possibly other stakeholders) gathers to report on the progress of each individual member. They must in turn answer three questions:

  • What did you do yesterday?
  • What are you going to do today?
  • Are there any obstacles hindering your progress?

Let’s take a look at the meaning of each word, aside from “Meeting” which is obvious enough. As a “Daily” meeting, this happens routinely every day at a specific time. All those involved must stop what they are doing and participate, whether it is productive or not.

What I have just described is nothing new: I have participated in Daily Scrum meetings of this nature for years, and I’m pretty sure this goes back much further than my personal experience can account for.

A more recent twist, though, is the Daily “Standup” Meeting. The idea is to force people to stand up in order to keep meetings short, by having the physical discomfort as a disincentive to letting the meetings drag on unnecessarily.

Standing Up

This factor, on its own, speaks volumes. Rather than solving the problem of pointless meetings that are a complete waste of time, we choose to make people feel uncomfortable in the hope that the meetings will be kept short.

The first problem with this is how ridiculous and humiliating it is. Not even in church are you obliged to stand up, and perhaps at school there may have been instances where some posture was enforced in punishment (a practice that is probably considered barbaric by today’s standards).

But no. We are fully grown adults, who have been working for several years in the industry, and there is a perfectly comfortable sofa behind us, but we cannot use it, under pain of menacing glares from everybody in the room.

This also has no regard for any physical issues that the participants may be undergoing that may make this practice more uncomfortable than for the average human being. Such people should not have to disclose their personal problems to the team in order to waive the enforcement of a certain posture on the job, something that nobody has the right to enforce in the first place.

The second problem is that, well, it doesn’t work. Standing up or not, the tendency to ramble on is a lot more powerful than the discomfort (which most people can just as well get used to). Which brings us to the next section.

Excessively Long Standups

Do you remember what we’re supposed to do in standups? Basically, answer the following three questions, and then get on with our work:

  • What did you do yesterday?
  • What are you going to do today?
  • Are there any obstacles hindering your progress?

It is much harder than you would think, to stick to the plan. Despite having been brainwashed into enthusiastic and excited participation in this drudgery, people’s overexcitement tends to take over. There are many different scenarios which result in deviation from this template, and in turn cause Daily Standup Meetings to drag on. These are just a few of the most common I’ve encountered:

  • People want to justify their job and show that they are doing something, so they read out a whole list of every little detail they worked on since the last Daily Standup Meeting.
  • Stakeholders ask a lot of questions to the development team. They have a right to be answered, but the Daily Standup Meeting is not the right place.
  • Developers going off on a tangent and having a technical (or other) discussion between two or three people, but keeping everyone in the room.
  • Lots of people in the room, so it takes a while to go through what everyone has to report. This is mainly a problem when developer teams are large, but it can also be a result of participation of a lot of stakeholders who join the Standup. With 20 people in the room, it’s hard to keep meetings efficient.

Broadcasting Information

The format of the Daily Standup Meeting is such that the development team and any other stakeholders are present (whether physically or otherwise). It allows everybody in the room to be kept up to date with progress (in theory) and to be able to help remove any obstacles (again, in theory).

Personally, I believe that this is one of those cases where too much transparency is a bad thing. The main reason for this is that there is no reason why each person should need to broadcast their progress to so many people in the room. Typically, you work with one or two direct colleagues, and report to your manager. There is no need to keep a whole crowd in the loop.

Rather than focusing on what each of us needs to do, we instead feel the urge to get involved in what the whole team is up to. A consequence of this is that it becomes necessary to involve everybody in the team in order to take the slightest technical decision, which is really the opposite of the empowerment that should be enabled by giving developers such autonomy.

In practice, keeping everyone on the team updated has no real benefit. They may know you’re working on something, but they would not understand the business or technical decisions, and as a result, they would not be able to take up the task you are working on, in your absence.

Another problem is the direct access to the development team from higher-up stakeholders. Part of a manager’s job is to manage expectations, both to his superiors and to his subordinates. And yet, higher-level stakeholders and members now suddenly have full access to the fine details of what the development team is working on.

A real problem here is when members of the development team are cornered into publicly answering uncomfortable questions, possibly by external stakeholders or maybe even by members of their own team. Such things should really go through a manager or scrum master rather than being laid out in a public shit show. It is not uncommon for such meetings to degrade into blame games.

Even in the absence of such situations, it is often uncomfortable for developers to speak (let alone report their progress) in front of a small crowd, even if it consists of their own direct colleagues. While the stereotype of anti-social developers may be questionable, in my experience I have observed that most developers feel intimidated when speaking in front of people, just as they feel uncomfortable when someone (even a direct colleague) sits next to them while they work. It is thus quite easy for developers to go on the defensive if challenged about their work during the Daily Standup Meeting.

And this, of course, is something that should be completely avoided. As any manager worth his salt would know, you should never, ever reprimand someone in front of other people. This is also a fundamental flaw of retrospective meetings, although that is beyond the scope of this article.

Finally, the routine of the Daily Standup Meeting makes it convenient for people to provide updates and feedback during the meeting itself, rather than spontaneously as needed. Communication should be spontaneous and immediate; that is what keeps things efficient.

A trend I have seen is for companies with poor communication to turn to agile ceremonies to try to resolve the problem. Little do they realise that they are making it worse by adding more ritual baggage and introducing more middlemen. There is no substitute for real and effective communication.

What Alternative is There?

Honestly, what was so terrible about the good old system of hierarchical reporting lines? Think about it:

  • You talk directly to your manager when you’ve finished your work and need to work on something new.
  • Your manager can ping you periodically for progress, but otherwise you can focus on your work.
  • If there are impediments, the manager can bring the right people on board.
  • If you need to talk to some direct colleagues (e.g. to integrate with their API), just do so. No need to have the whole team in a meeting for that.
  • Requirements and other outside interferences go through the manager first.
  • Feedback and criticism take place one-on-one with the manager.
  • Each manager reports to their manager. No need for crowds.

That just about solves all the problems I’ve described earlier: notice the contrast of involving only the people who are necessary, as opposed to everyone. The important factors to make this work are having a manager who is organised and has excellent people skills, and that everybody on the team is able to communicate efficiently and effectively.

Agile methodologies will remain a reality for many years to come. But are they really an improvement?

Update 11th September 2017: Here are some reactions to this article on social media (might require login):

The Abysmal State of the Web in June 2017

This will be the last article in the Sorry State of the Web series (at least for the time being). The idea was to learn from the mistakes of other so-called ‘professional’ websites, ranging from silly oversights to illegal practices. Hopefully, the silliness encountered has also made some people smile.

However, with 11 articles over 6 months, I believe I’ve made my point enough times over. Despite all the technological advancements, the web is in a state that I can call sick at best, and that is mainly the result of clueless developers. I have some slight hope that things may get better, but given that most of the issues I pointed out have not been addressed to date, that hope is realistically very slim.

From my part, I want to focus less on beating a dead horse and more on learning technology and writing high quality articles. I don’t exclude revisiting this series in future if I feel it’s worth it though. Once again, I extend my heartfelt thanks to all those who have contributed entries for this article and the ones before it.

Banif: Random Virtual Keyboard

If you think that the mainstream banks in Malta have terrible websites (and recently I covered how Mediterranean Bank’s newly launched online investment platform took them several steps back), then you should really take a look at Banif Bank Malta.

To log into their online banking section, you have to enter a username and a password. This would be understandable, if not for the fact that the password field is disabled so you can’t actually type into it. Instead, you have to click on keys on a virtual keyboard. To make matters worse, this is not your usual QWERTY keyboard: the key placements are randomised.

Let’s consider a few reasons why this is a terrible idea:

  • It makes it a lot harder for users to type in their password (in terms of user experience).
  • It slows down password entry, both because one has to use the mouse vs the keyboard and because the random placement requires the eye to look for keys as opposed to using muscle memory. This makes it easier for people watching you enter the password to identify what you are actually entering, and it also makes you more likely to pick simpler passwords.
  • People looking over your shoulder can easily see what key the cursor is on, which defeats the purpose of password field obfuscation.
  • The restrictions on the password field are enforced client-side (a disabled input and some JavaScript) and are trivial to remove with the browser’s developer tools, so they add nothing to server-side security, which should really be the main focus.
  • You cannot use a password manager.

Since I’m not a security expert, I presented this case to the community at Information Security Stack Exchange. From there, I got to two related existing questions:

It seems that the main reason why this horrendous technique is used is to counteract keyloggers, which at a basic level record keypresses (none happen here) or mouse click coordinates (meaningless when the placement of keys on the screen changes every time).

However, as one of the best answers points out, this is merely an arms race between the bank and attackers: malware that grabs a screenshot around each click, or reads the rendered page, defeats the randomised keyboard, and the bank then has to add the next gimmick. It’s a vicious circle in which attackers and banks take it in turns to step up their game. The end result is that customers are the ones paying the price, by having to deal with ridiculous security measures like this.

Dealing with keyloggers is hardly an excuse for this kind of rubbish. There are much more robust and orthodox ways of dealing with this sort of thing, such as one-time passwords or two-factor authentication: a captured password is then useless on its own, however it was captured.

Insecure Logins

One of the most common issues we’ve seen throughout this series is that of websites with login forms where the credentials are not transmitted over HTTPS. Anyone on the network path (the operator of a public WiFi hotspot, a compromised router, an ISP) can then intercept and read them in clear text. Keeping up with tradition, we have a list of such examples this month.

We can start with American Scientist, which I see has since undergone a complete redesign and does currently use HTTPS for the whole website (including login). This is how it was just a couple of weeks ago:

Then we have the Malta Chamber of Advocates, which aside from ridiculously presenting a homepage with no content whatsoever, is just another case of insecure login:

But wait! The next one, ironically, is from none other than Bank Info Security:

Then we have Great Malta (whatever that is supposed to mean):

Local newspaper The Malta Independent is no less guilty:

…and neither is Infobel:

In another case of irony, we can look at J. Grima & Co. Ltd. They are “Security & Fire Specialists”, but web security is clearly not one of their areas of expertise.

Excitable Web

I was very excited (!) to come across Excitable Web, because it is a prime example of the clueless developers I was mentioning earlier. It is of little importance that each time you load a page, the page seems to render without CSS for half a second before rendering properly; because we’ll focus on more interesting stuff here. If you click on the “Who We Are” link, we get this:

You can see there are a couple of MySQL errors displaying directly in the page due to deprecated code. Such an experienced professional should know that server-side errors should never be displayed directly to the visitor: they can reveal file paths, library versions and fragments of queries, all of which help an attacker, and they belong in the server log instead.

These errors seem to have been fixed since then, so we’ll move onto the next thing: the writing. It’s really generous of the webmaster to give us:

“A Breif [sic] Background On With [sic] Whome [sic] You Are Dealing With”

You can find other such gems within the content itself. Thank you, Adrian. Now we really know who we are dealing with.

For extra points, spot one of my own blunders within that screenshot!

Flybussen Translations

Here’s a tiny oversight from Norwegian operator Flybussen. While their site has an English version, their calendar unfortunately doesn’t:

JobsPlus Going Below Minimum Wage

JobsPlus has by now become a regular in this series. Those who believe that we should have equal pay for equal work (which is a legal requirement, by the way) will be delighted to see this vacancy where the position advertises a salary range of between EUR4,500 and EUR70,000. What’s even funnier, though, is that EUR4,500 is actually below the minimum wage (another legal requirement) for a 40-hour full-time work week.

Legal requirements aside, this is just a case of missing validation by our award-winning friends at JobsPlus who should have a central role in avoiding precarious work and exploitation.

Kelly on Yellow Pages

If you take a look at the Yellow Pages entry for Kelly Industries, you’ll come to the conclusion that they have enough business to not give a rat’s ass about what potential customers think about their brand.

Creativity Centre

I’ve received reports about issues with the Malta’s National Centre for Creativity‘s payment processing engine, but I haven’t been able to verify them without actually attempting to make a purchase. However, I did notice this problem with the checkout button actually not being properly visible if you’re using a laptop (and thus a limited screen resolution):

For a National Centre for Creativity, I must also point out that they didn’t quite put a lot of creativity into the website’s design.

Mixed Content

Another common problem we’ve seen throughout the series is that of using HTTPS, but serving some content over HTTP. This is called Mixed Content, and it undoes the guarantee of a fully HTTPS website: a script or stylesheet fetched over plain HTTP can be modified in transit and take over the otherwise secure page, which is why browsers block such active mixed content outright and merely warn about passive content such as images.

This month, we have Malta Gift Service (also guilty of using Comic Sans for their main header):

…and our dear friends at Scan:

Apostrophes of Doom

Given that my surname contains an apostrophe, this often makes it a pain to deal with validation that unreasonably decides that an apostrophe is an invalid character. I’ve written about this especially in the original “The Sorry State of the Web in 2016“. There is no real reason not to accept apostrophes if you’re using proper practices (e.g. prepared statements, where the value travels separately from the SQL text) to prevent SQL injection; banning the character is usually a symptom of building queries by string concatenation.

Unfortunately, Microsoft has decided that my surname cannot have an apostrophe:

I suppose I will need to remove the apostrophe from my identity card if I want to ever get a job at Microsoft.
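The following is an added example, not code from the page or from any of the sites discussed, showing why the apostrophe ban exists and why prepared statements make it unnecessary. It uses Python’s built-in sqlite3 driver with an in-memory table and constructed sample surnames; the same contrast holds for any driver that supports bound parameters.

```python
import sqlite3

SAMPLE_SURNAMES = ["Borg", "O'Brien", "Zammit"]   # constructed sample data


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, surname TEXT NOT NULL)")
    return conn


def insert_concatenated(conn: sqlite3.Connection, surname: str) -> None:
    # String-building: the apostrophe in O'Brien terminates the literal early and the
    # statement fails. The usual "fix" is to forbid apostrophes; the real bug is here.
    conn.execute("INSERT INTO people (surname) VALUES ('" + surname + "')")


def insert_parameterised(conn: sqlite3.Connection, surname: str) -> None:
    # The driver sends the value separately from the statement text, so every
    # character of the surname is data, never SQL.
    conn.execute("INSERT INTO people (surname) VALUES (?)", (surname,))


def find_concatenated(conn: sqlite3.Connection, surname: str) -> list:
    rows = conn.execute("SELECT surname FROM people WHERE surname = '" + surname + "'")
    return [r[0] for r in rows]


def find_parameterised(conn: sqlite3.Connection, surname: str) -> list:
    rows = conn.execute("SELECT surname FROM people WHERE surname = ?", (surname,))
    return [r[0] for r in rows]


def demo() -> dict:
    conn = open_db()
    try:
        insert_concatenated(conn, "O'Brien")
        concat_accepted = True
    except sqlite3.OperationalError:      # near "Brien": syntax error
        concat_accepted = False
    for s in SAMPLE_SURNAMES:
        insert_parameterised(conn, s)     # apostrophe stored exactly as typed
    return {
        "concat_accepted_apostrophe": concat_accepted,
        "param_lookup": find_parameterised(conn, "O'Brien"),
        # The same concatenation that chokes on a surname is an injection hole:
        "concat_injected": find_concatenated(conn, "' OR '1'='1"),
        "param_injection_attempt": find_parameterised(conn, "' OR '1'='1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated query does not merely reject a legitimate surname; with a crafted input it returns every row in the table, while the parameterised version returns nothing for the same input because it looks for a surname that literally equals the payload.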

Piscopo Gardens

The Piscopo Gardens website has been down for I don’t know how long due to some internal server error.

Aron isn’t doing a very good job at keeping the site up and running.

Robert Half

Swiss recruiter Robert Half believes that “It’s time we all work happy.™” (so much that a trademark was apparently filed).

That obviously doesn’t apply to their own website, which clearly doesn’t work if you enter “.net” in the search field:

Now I understand the name. Their website only Half works.

Ryanair Mischief

We noticed a couple of things on Ryanair’s website that are more sneaky practices than examples of bad web design per se.

First, there’s the newsletter checkbox that is opt-out rather than opt-in (i.e. it automatically signs you up if you ignore it and leave it unchecked):

Then there’s this appeal to fear the middle seat:

Oh dear, not the middle seat!

Image credit: Taken from Wikipedia

Better to go for a team-building treasure hunt in 35-degrees-Celsius weather with a laptop on my back than be stuck in a middle seat! Actually, no. Give us a break, Ryanair.

Conclusion

I am happy to have managed to raise awareness about bad practices in web design with this series. I know this because I have heard several reports of companies that I have pissed off. I am a lot less happy that these companies have not really done much about it despite all this. That is their problem now. No doubt others have learned from the countless issues pointed out.

Let’s continue to make companies with a web presence understand that such a public face requires a high level of professionalism, and that they will lose business if they don’t step up their game.

Once again I would like to thank all the contributors to this series, and also the readers who have loyally followed it.

The Sorry State of The Web: 3 Group Special

It’s been around 15 years since I first came across Web Pages That Suck. Coming from a time when flashy Geocities-style websites were the order of the day, it was a web nitpicker’s paradise. This is where the term Mystery Meat Navigation (which I have written about in the past) was actually invented.

The very premise behind Web Pages That Suck, “learn good web design by looking at bad web design”, is something that fascinated me back then, and still does to this day (in fact, it is one of the main reasons behind the Sorry State of the Web series).

Today, we will look at a family of related websites (belonging to a single group of companies) which I’m sure would qualify as first class citizens of Web Pages That Suck.

Enter MyKrypto

I first heard about MyKrypto on the radio. The ad described Bitcoin as a currency just like any other – and said that you could produce it! An old version of their website, which I obtained via the Google Web Cache, is along the same lines of the radio ad:

“Malta has the Euro, UK has the Pound and USA has the Dollar, the Internet has the Bitcoin. Bitcoin is digital and produced by computers..start producing money today!!”

While it’s true you can produce Bitcoins, this feels a lot like a scam in that it’s urging people to print their own money (in a way) without telling them about the risk or the difficulty involved in actually mining Bitcoins. In fact, the website also used to say that Bitcoin mining is a secure investment:

Whether Bitcoin mining is really a secure investment is debatable (although one can get an idea by looking at market crashes that have occurred in the past). In any case, while I’m not a lawyer, I don’t believe a company can legally give investment advice unless it is an authorised financial institution, especially without evaluating the risk portfolio of potential investors.

MyKrypto Home Page

The above selling points were removed, and the site transitioned into a different realm of madness. The site’s homepage had this image with Comic Sans text:

This was eventually replaced by the text image we see today:

Although the text changed, the link behind it remained the same. It’s basically a Google link (notice the URL) that takes you to this Satasoshi graphic on Deviantart:

So, in case it’s not clear, let’s summarise the fails that occur just within that little text image:

  • Using an image to show text with a particular font.
  • Using Comic Sans on what is supposed to be a serious website.
  • Linking to a Google search result rather than to an actual webpage.
  • Completely failing to understand what you’re selling (it’s a Satoshi, not Satasoshi, and the horse has nothing to do with it).

MyKrypto Mining Page

Let’s move over to MyKrypto’s Mining page. It now looks something like this:

While the image is totally out of place – and we’ll get to it – this is on the whole not too bad. Let’s take a look at what the previous version of this page (from just a couple of weeks ago) used to look like:

First, the title.

“What is minning?”

I don’t know. Perhaps this lovely lady might be able to answer that.

Image credit: taken from Wikipedia’s Minnie Mouse page

Next, we can take a look at the text.

“Do you look up for information on the internet? Did you ever google for a product or information? Did you ever wondered how google is so intelligent by search for the right information? Google is based on mathematical calculations. FIND X. Let’s say I want to google for ‘this week top 20 music list’ as you type in the google box and press search google, google will do all the calculations to find ‘this week top 20 music list ‘. this is called Math (Algebra) when we were at school we used to have the same problem solving; – FIND X.”

It is simply beyond belief how much crap these guys have managed to fit into a single paragraph. But beyond that, take a look at the image below that paragraph in the screenshot. It’s a popular joke that has been circulating for many years: a clueless student answered a mathematical problem in a witty manner. Of course, whoever built the MyKrypto website didn’t get the joke, and put the image there as an example of mathematics. Go figure.

List of fails in this section:

  • Terrible use of English (if it can be called that).
  • Google does not solve algebraic problems to give you your search results.
  • Don’t lie about what you used to do at school, if you evidently know nothing about English, mathematics, or computing.
  • Try to understand what an image actually means, before ripping it off.
  • Try to understand what you’re talking about in the first place.

MyKrypto Audio

MyKrypto automatically plays audio.

That’s something really annoying, especially if you happen to already be playing music. It’s also of questionable legality depending on whether the site has the right to distribute that music.

Besides, using some cheesy 70s disco background music – reminiscent of Earth, Wind & Fire – is totally not appropriate on a company website.

MyKrypto Mobile

Mobile users will be disappointed to find out that they can’t really browse the entirety of the site because the navigation is simply not available:

MyKrypto Plagiarism

To be fair, messed up paragraphs like the one we saw earlier are a rare sight on this site. In fact, a lot of MyKrypto’s content is blatantly stolen from other websites.

Let’s see some examples:

I think they should plagiarise more. It would make them look a lot less silly.

CEO Plagiarism

Of course, the plagiarism on MyKrypto makes perfect sense if we look at the LinkedIn profile of 3 Group CEO Dario Azzopardi (MyKrypto is part of 3 Group):

When I first read this, I thought it was really weird as a job description. So I Googled part of it.

Google did its algebra (!), and what do you know

…and further down…

3 Group: Questionable Stuff

Having seen all this, I thought it was just as well to check what else 3 Group actually do.

3 Group do IT Services, IPTV, and E-Money. That’s a nice name for the Bitcoin stuff we’ve seen above. They actually got the link wrong, and E-Money points to IPTV.

If we take a look at IT Services, we get to this horrendous page with a background animation driving you nuts while you try to read text with very bad contrast:

Further down that page, 3 Group are trying to convince people that free antiviruses are bad, and that they should instead pay 3 Group to install McAfee for them:

Towards the bottom, you can see some grey text representing a link to Intel’s homepage. Of course, they didn’t bother to actually make it a link that you can just click on. What’s even worse is that the superhero on the left is an image overlaid onto the text where the link is, so you can’t even select and copy it.

Right, what else do 3 Group do? Ah yes, IPTV. It’s interesting how they have this “Legal” page under the IPTV section, claiming that “IPTV is 100% legal”, and quoting some court case from the European Court of Justice.

This is noteworthy because:

  • Naturally, a company encourages trust by stressing that its services are 100% legal.
  • This company knows a lot about copyright, given the aforementioned plagiarism.
  • It claims that “watching streams even those which are illegal is not an act of copyright infringement”. So it’s ok if it’s illegal, as long as it’s not copyright infringement, right?

Well, they say IPTV is legal, so it must be true.

Image credit: taken from here

That’s curious, because I could swear I recently read an article about this Kodi TV streaming service being declared illegal across the EU:

Conclusion

While 3 Group’s web design is appalling at best, this is not nearly as worrying as their questionable business practices. As an exception in this series, I hope not only that web designers/developers learn from the mistakes we have seen here, but also that potential customers do some proper research and understand what these guys are actually trying to sell to them.

The Pitiful State of the Web in May 2017 (Part 2)

This article is a continuation of The Pitiful State of the Web in May 2017 (Part 1) and a part of the Sorry State of the Web series. I and the others who contributed to the content of this series hope that web developers will learn from the mistakes of others and produce better quality websites.

Dakar: Language Issues and Insecure Login

Dakar Software Solutions is a well-known name locally, especially in the realm of payroll systems.

They had this little glitch with the language of dates in the news of their Dakinet product (which might be fixed now):

Also, Dakar joins the long list of websites that offer insecure login:

Insecure Login Galore

As you can imagine, Dakar is not alone in failing to transmit user credentials securely. We’ve seen a lot of these before, and we have a lot more to show here.

For starters, we have Freelance Malta. Since all of the site is based on insecure HTTP, the login form and both registration forms transmit credentials insecurely:

Then we have Gizmodo, the popular tech website:

KeepMePosted is a similar offender:

And then we have MyMoneyBox (part of the MFSA family), which given its name should know better about security. In fact, it seems to have now gone HTTPS, so the login is now secure. But as you can see below, it wasn’t until recently:

Couchsurfing: Invalid SSL Certificate

I recently caught the Couchsurfing blog giving invalid certificate warnings:

Oops. Looks like the certificate had expired.

Needless to say, HTTPS is useless if the certificate is not trusted: browsers show a full-page warning, and users who are trained to click through it for a forgotten renewal will do the same when an attacker presents a forged certificate. Fortunately, this issue has since been fixed.
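Expiry like this is easy to catch before visitors do. Below is an added example (not from the page or from Couchsurfing) of a small certificate check in Python: `check_host` performs a real TLS handshake with the default context, which verifies the chain and hostname and refuses an expired certificate, and `cert_status` evaluates the validity window of the dictionary that `SSLSocket.getpeercert()` returns so that a monitor can warn a week ahead. The sample certificate dates are constructed, and the function names are this example’s own.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape of SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {"notBefore": "Jan  1 00:00:00 2017 GMT", "notAfter": "Jun  1 00:00:00 2017 GMT"}


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def cert_status(cert: dict, now: datetime) -> dict:
    """Evaluate the validity window of a certificate dict from getpeercert()."""
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).total_seconds() // 86400
    return {
        "not_yet_valid": now < not_before,
        "expired": now > not_after,
        "days_left": int(days_left),
    }


def check_host(host: str, port: int = 443, now: datetime = None) -> dict:
    """Live check (needs network). The default context verifies the chain against
    the system trust store and the hostname, so an expired, self-signed or
    mismatched certificate fails the handshake instead of being silently accepted."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"trusted": True, **cert_status(tls.getpeercert(), now)}
    except ssl.SSLCertVerificationError as exc:
        return {"trusted": False, "reason": exc.verify_message}


if __name__ == "__main__":
    print(cert_status(SAMPLE_CERT, utc(2017, 5, 25)))
    # print(check_host("example.com"))   # live check, uncomment when online
```

Run `check_host` from a scheduler against every hostname you serve and alert when `trusted` is false or `days_left` drops below your renewal lead time; automated renewal removes the failure mode altogether.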

Malta Police Force: Passwords In Email, Freedom of Information Link

The Malta Police Force website offers a number of services including filing a police report online. At the bottom of the declaration where you’re about to file a report, there’s a link to the Freedom of Information Act:

Unfortunately, it doesn’t work:

That error is actually coming from elsewhere on the government network (looks like it’s the Department of Information). Either the Malta Police Force need to fix their link to point elsewhere, or the DOI needs to fix a problem in their SharePoint system.

There’s something a lot worse, though. Some people have reported that when you file a police report, you choose a password, which is then sent to you via email.

This image was contributed by someone who actually filed a real police report. Aside from various spelling issues in the email, you can see that the password (obfuscated here for obvious reasons) is included.

This is something you always want to avoid because you can never assume that email is a secure channel on which to send sensitive information such as credentials or credit card information: messages are relayed through servers you don’t control and sit in mailboxes indefinitely. Good practice is to let users choose their password over a secure channel (which the system reportedly already does), store it only as a salted hash computed with a slow, purpose-built function (bcrypt, scrypt, Argon2 or PBKDF2), never echo it back anywhere, and provide the means to reset it using random, single-use, limited-time tokens in case the password is forgotten.
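As an added example (not code from the page or from the Malta Police Force system), here is what that good practice looks like in Python’s standard library: a salted PBKDF2-HMAC-SHA256 hash with a self-describing storage format, a constant-time verify, and a reset-token store that keeps only a hash of each token, expires it, and lets it be used once. The class and function names are this example’s own, and the iteration count follows OWASP’s published guidance for PBKDF2; a real system would use bcrypt, scrypt or Argon2 where a library is available.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # OWASP's 2023 minimum for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow, one-way hash. The stored string names the algorithm, cost and
    salt so the cost can be raised later without breaking existing records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))   # constant time


class PasswordResetStore:
    """Reset tokens: random, short-lived, single-use, and stored only as a hash so
    a leaked table cannot be turned into account takeovers."""

    def __init__(self, ttl_seconds: int = 15 * 60):
        self.ttl = ttl_seconds
        self._tokens = {}   # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        self._tokens[key] = (user_id, now + self.ttl)
        return token   # goes into the emailed link; the token itself is never stored

    def redeem(self, token: str, now: float) -> Optional[str]:
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self._tokens.pop(key, None)   # pop: a token works at most once
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if now <= expires_at else None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

The emailed link carries only the reset token, which is worthless after fifteen minutes or one use; the password itself never appears in any message, and the database holds nothing from which either the password or a live token can be recovered.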

Rizzo Farrugia – Broken Link For New Equity

When new shares under the symbol “PG” were listed on the Malta Stock Exchange, Rizzo Farrugia were quick to add it to their own list:

However, they were not nearly as fast at creating the detail page that the listing links to:

No big deal there. It was fixed the next day.

PWC Refresh Form

PricewaterhouseCoopers has this newsletter signup form. It has a reset button. Something pretty normal, you’d think, until you see that it refreshes the entire page!

Form resetting functionality has been built into browsers since long before I started creating websites (15 years and counting). In this case, I see they wanted to reset the CAPTCHA. But they already have functionality to reset the CAPTCHA without reloading the page (the orange round arrow next to the CAPTCHA), so why reload the whole page just to reset a form?

IDPC: Line Spacing

The Office of the Information and Data Protection Commissioner has a form where you can submit complaints:

What I’d like to call out here is the questionable design choice of using massive line spacing, which is especially noticeable in the Complaint text area since about half of the tiny box is wasted with empty space.

Line Separator Characters

JobsPlus, whose encoding issues we have already visited in “The Broken Web of March 2017“, is now also exhibiting these weird LSEP characters (U+2028, the Unicode LINE SEPARATOR, which some browsers render as a visible “LSEP” glyph rather than a line break when it is pasted into content that was never normalised):

It’s okay though. Perhaps they can’t sanitise their data, but they still get to keep their eBusiness Award!

I have also spotted the same problem at Creative Jobs:

Summary

Transmitting credentials insecurely remains one of the most common issues on websites today, and it is completely unacceptable. Depending on the nature of the user account, this might not be as risky as transmitting credit card details insecurely (something we’ve also seen in abundance over the past few months), but that does not relieve websites from their duty as data controllers to transmit sensitive data securely.

It is also important to test websites properly in order to identify broken links and data-related issues as we have seen.

Finally, secure transmission of sensitive data does not stop at using HTTPS. The certificate must be valid and trusted (not expired, matching the hostname, and chaining to a trusted authority), otherwise it is just as good as not having HTTPS. Email is not a secure channel, so don’t use it to send sensitive data, especially if there exist alternative data flows where you don’t have to.

The Pitiful State of the Web in May 2017 (Part 1)

Welcome back to the Sorry State of the Web series! This is a collection of bad stuff found on so-called professional websites, contributed by both myself and others who have submitted entries. It is sad to see so many fundamental mistakes being repeated over and over again, and by calling them out, we hope to promote better quality work in web development, and as a result, a better experience on the web.

Unfortunately, this month we are once again about to see a lot of security-related violations, including insecure login and credit card processing. We will also see a lot of negligence. Thus, without further ado…

Deal: Insecure Login

deal.com.mt, like many other websites we have mentioned and will mention, supports registration and login over insecure HTTP:

You will also notice the strangely superimposed text saying “Please log into this app” below the Facebook button. Certainly not an artistic style I would want to imitate.

Careers in Finance: A Different Kind of Education

Careers in Finance, a pathetically designed website that seems to be part of MFSA, has this Warnings page.

The warnings page presumably takes you to a list of unrecognised training institutions. So when you follow the link, you get…

…this. Aside from the error page, you’ll notice a hilarious misspelling of the word “Universities” in the filename. Whoever named the file was evidently alienated by more… interesting stuff at the time.

Microsoft: Runtime Error Page

I noticed a similar runtime error when accessing a webpage on Microsoft’s own website. They could have handled this better.

The Malta Independent: Sneaky Advertising

The Malta Independent had this really invasive ad covering the whole site as you load it:

If you click the link at the top-right of the ad that says “Skip and Visit Site”, you are actually taken to the website that the ad is promoting, rather than just closing the ad and letting you read the online newspaper. What a sneaky way of raising advertising revenue!

If you wanted to just close the ad, you actually had to click the “X” at the top left, which is very easy to miss.

This shameful advertising mechanism seems to be gone now, thankfully.

Mediterranean Bank: Out With the Old, In With The Crap

Last weekend, Mediterranean Bank launched their shiny new internet banking platform, after a whole weekend of planned downtime for the changeover.

Existing users have to undergo a migration process, and this is fraught with flaws.

The first thing you see in this new system is a field requesting a “Client number”. The problem is, nobody has any idea what this client number is. In the old system, we used to use a username and various other fields, but no client number. And sure enough, if you enter something invalid, an error appears, telling you to enter your old username if you are using the new platform for the first time.

That would have been useful to have before you try to login.

After that, you have to enter your surname. So they made a whole webpage just for you to enter your surname (yes, full page reload).

To migrate your account, you have to enter all the stuff you used to have in the old system (understandably, because you have to be authenticated). That includes a secret question:

Now, using secret questions is already arguably very stupid in the first place. But not obfuscating the answer (which the old system did properly, by the way), is just terrible from a security standpoint. Security answers, while not passwords in themselves, are password-like material. You do not want someone looking over your shoulder to be able to read them just because you are typing them in.

Moving on to the less serious and more silly flaws, it seems like Mediterranean Bank have taken inspiration from JobsPlus (see the March issue) and put in a language selector with just English in it:

You can choose between English… and English.

What about that cookie policy at the bottom? They ask you to read their cookie policy, but there is no link. It looks like they just forgot to include it, because their main website (i.e. not the online banking part) has it:

Sport Malta: Insecure All The Way

Sport Malta, another website by Cyberspace Solutions Ltd. (a company well-known to this series – see “Lost in Cyberspace in February 2017”), was caught processing credit cards and login insecurely:

It seems like they now have HTTPS, but it doesn’t quite work because of mixed content:

Poor guys. They can’t seem to get one thing right.

EUROPA: Cobwebs and Such

Like Sport Malta, the website of the European Union has a bit of a mixed content issue that invalidates its HTTPS setup:

So like any good citizen would do, I decided to report the issue. In their contact form, you can specify what browser you’re using. Well, the browser versions in the list are ancient (I was using Chrome 58, and the latest one in their list is 40; likewise, although I was using Firefox 53, I could only choose up to Firefox 34). They even managed to misspell the Konqueror web browser.

Anyway, I reported the HTTPS problem, and also asked them nicely to update the browser versions on the contact page. When you write to them, they tell you that it can take about 3 days for them to get back to you.

And that’s exactly what happened. Today, I received a reply, which said:

“Would you kindly clarify if you are referring to some specific webpages?
You may contact us again in any of the 24 EU official languages via our webform which is available here:
https://europa.eu/european-union/contact/write-to-us_en
This clarification would enable us to forward your message to the relevant department of the European Commission for information purposes.”

So basically, having taken 3 days to reply, these guys didn’t even bother to browse their own website’s homepage. And contacting me back through a no-reply email address, they expect me to fill in that form again, just so that I can tell them what they could already have determined themselves, and then forward it to some department where it would then get lost in a bureaucratic hole.

No thanks.

Spotlancer: Insecure Login

Just more of the same from Spotlancer:

TicketArena: Insecure Credit Card & Login

Be careful where you buy your tickets from! Ticket Arena is served over insecure HTTP, yet it processes credit card info:

…and credentials:

“Your credit Card is 100% Safe and Secure,” they said. “We use the latest standards for security with Comodo,” they said.

Image credit: taken from here

Summary

As I’ve repeated ad nauseam over the past articles, you simply cannot process sensitive data (including passwords and credit card details) over an insecure channel. It doesn’t matter if you’re using an HTTPS iframe inside an insecure HTTP-served page. It’s simply not enough.

Websites also need to be tested better. Several websites that we have seen in this article have various problems of different severity levels that could have easily been caught earlier with a little more attention.

We’ll see more issues along these lines in Part 2. In the meantime, I would like to thank all those who sent reports for entries that were included in this article, and I welcome submissions for the June issue.

The Shameful Web of April 2017 (Part 2)

This article is a continuation of The Shameful Web of April 2017 (Part 1) and a part of the Sorry State of the Web series, in which I and various contributors show various blunders in supposedly professionally made websites in order to promote a better web.

The Hive: Mixed Content

At the time of writing this article, The Hive still has an issue with its HTTPS connectivity in that it is considered insecure because it’s using a resource that isn’t coming over HTTPS.

If you want your site to be served over HTTPS, then any images, scripts, and any other resources that it uses must also be served over HTTPS.
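A check for the two transport failures this series keeps running into: the mixed content described here, and the HTTPS-iframe-inside-an-HTTP-page arrangement from the May summary. This is an added example, not code from any of the sites discussed; the sample page, the `audit_page` name and the list of card-field name fragments are all constructed for the demonstration, and the parsing is done with Python’s standard library.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}
# Field-name fragments taken to indicate card data (constructed heuristic).
CARD_FIELD_HINTS = ("card", "cvv", "cvc", "expiry")

class TransportAuditor(HTMLParser):
    """Collects (finding, tag, url_or_field) tuples while parsing one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_secure = urlsplit(page_url).scheme == "https"
        self.findings = []
        self._form_action = None  # action URL of the <form> currently open

    def _scheme(self, url):
        return urlsplit(urljoin(self.page_url, url)).scheme

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(SUBRESOURCE_ATTRS.get(tag, ""))
        if url and self.page_secure and self._scheme(url) == "http":
            self.findings.append(("mixed-content", tag, url))  # breaks the padlock
        elif url and tag == "iframe" and not self.page_secure and self._scheme(url) == "https":
            # the frame is encrypted, but the http page around it can be altered in transit
            self.findings.append(("https-iframe-in-http-page", tag, url))
        if tag == "form":
            self._form_action = a.get("action") or self.page_url
        elif tag == "input":
            name = (a.get("name") or "").lower()
            sensitive = a.get("type") == "password" or any(h in name for h in CARD_FIELD_HINTS)
            posts_over_http = self._scheme(self._form_action or self.page_url) == "http"
            if sensitive and (not self.page_secure or posts_over_http):
                self.findings.append(("sensitive-field-over-http", tag, name))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None

def audit_page(page_url, html):
    auditor = TransportAuditor(page_url)
    auditor.feed(html)
    return auditor.findings

# Constructed sample: an http:// login page that also embeds an https:// payment iframe.
SAMPLE_PAGE = ("<form action='/login'><input name='user'>"
               "<input type='password' name='pw'></form>"
               "<iframe src='https://pay.example/frame'></iframe>")
```

Every `<link href>` is counted as a fetched resource, so a `rel="canonical"` pointing at http:// would be reported too; narrow it to stylesheet and icon links if that matters for your site.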

Malta Stock Exchange: Content Should Come First

Think of this: if I trade on the stock exchange, I would like to be able to see stock and share prices quickly.

So let’s go to the Malta Stock Exchange website:

(By the way, until a few days ago, there was a nice big photo of Fort St. Angelo instead of this Latest News section. It still gets in the way of finding the information you want, but it looked a lot more silly with a nice picture of the Fort, and I wish I had grabbed a screenshot back then.)

Now, we have to scroll halfway down the page:

Then, we need to expand “Regular Market”…

…and finally, we can see the prices we were looking for. Unfortunately, this is not very intuitive if you’re visiting the site for the first time, and it is a real pain in the ass to have to do this every time you want to check the share/stock prices. This is the information that people want to see most of the time, and it should be the first thing presented on the site, not buried somewhere far down the page.

There is nothing intrinsically ‘wrong’ with this in the sense of many other serious flaws that I usually write about in these articles. However, from a usability point of view, it really sucks.

MTA: Load Times and Insecure Login

The Malta Tourism Authority website is a terrible failure in terms of load time: it usually takes over 20 seconds to load.

As if that wasn’t enough, it offers an insecure login facility, which you’ll know to be a serious Data Protection violation if you’ve read previous articles in this series.

Olimpus Music: Insecure Login

Another offender in the category of insecure logins is Olimpus Music.

Basically, don’t use their online checkout facility until they use an encrypted connection.

Owner’s Best – A Real Mess

In “The Broken Web of March 2017”, we covered some issues with the Owner’s Best website. I see they still haven’t fixed the “Error : Rows Not Set” bug that you can still see if you scroll to the bottom of the page, and neither did they fix the property detail links scrolling down to the contact form and confusing people as a result.

But there’s more. And worse.

For starters, they have a “Property TV” link in the navigation.

Sounds interesting! Let’s see what it does.

Boom. Dead link.

Okay. Let’s try searching for something from the homepage. Oops, I forgot to enter a budget – my bad.

But what the hell is this Fulcrum Alert? And what is wrong with the close button? That was a rhetorical question actually. Image 404s in console:

Oh dear. Okay. Let’s put in a budget then.

I put in 10,000. Hey, I’m broke. Obviously, nothing matched, and I got a sad message saying “None properties found”. Yes, you has very good England.

Now I put in a budget of 10 million. That means that I’m super rich, and I’m ready to spend anything up to 10 million on a single property. I got 3 results. Wow. These guys must deal in some real luxury stuff. In fact, two of the results are over budget.

The above search results are based on a 5-million-Euro budget. It gave me this one 4.3-million-Euro bungalow in Dingli. Why didn’t I get this when I searched with 10 million Euros as a budget? 4.3 million is less than 10 million, right?

Now I searched with a budget of 100,000 Euros. Not only do we get all these nice results that would have fitted quite nicely within the several-million-Euro budgets we pretended to have earlier, but we also get properties that are beyond budget, like the one at the top right and the one at the bottom right.

In summary, let’s just say that the search functionality at the Owner’s Best website works in mysterious ways, whether that is intentional or not.

Seasus – Insecure Login

Let’s welcome Seasus among the ranks of the websites that offer an insecure login form:

It is touching to see how much they care about their clients.

Something Different – Various Issues

Let’s take a look at Something Different, a website by Untangled Media (we’ve covered some more of their work in the past).

First, they accept credit card details over an insecure connection. That’s bad. Very bad.

Of course, the credit card iframe itself uses HTTPS, but it’s an HTTPS iframe embedded in an HTTP page, which is still insecure (and illegal – see “The Sorry State of the Web in 2016”), and there is no padlock icon to provide the user with the trust guarantees s/he needs in order to give out his/her sensitive information on the web.

Login is also served insecurely, as you can see above.

We can see another instance of this, as well as a lack of a lot of basic validation, in the user registration process:

As you can see above, you can fill in bogus data for most fields. There isn’t even a simple check on the structure of the email address.

In the second step of user registration, you choose a password. Insecurely, of course.

And that’s it! Congratulations for registering your invalid account insecurely!

In this section, we took a look at Something Different. Or rather, more of the same.

Untangled Media / Winit

In Untangled Media’s Web Publishing section, you’ll find references to various sites including Something Different (see previous section) and something called winit.com.mt:

As they say in the summary, “Everybody loves winning things.” So do I! Let’s follow the link and check out the site.

Oops. Let’s try going to the root of the domain instead.

Win it indeed! It’s more like Untangled Media have lost it.

Summary

April has been a very busy month for spotting issues on websites. We’ve seen a lot of serious security flaws (e.g. insecure login and credit card processing) that have been covered extensively throughout this series.

However, we’ve also spotted a number of issues including high loading times (on one occasion due to the use of large images without thumbnails) and various usability problems. Always keep in mind that websites need to deliver information (whether to sell or otherwise), and thus, information needs to be delivered in a timely, clear, and intuitive manner.

Let’s hope that this article makes some people chuckle, and makes others do a better job of building websites!

Thanks for reading, and stay tuned for the May edition of The Sorry State of the Web! If you find any issue that you would like to include in this series, we would love to hear about it.