Brain Dump

Exposing the contents of my head to the light of day

password policies that cause bad behaviour

There is one sure fire indicator of how well an organisation understands data security.  Its password policies. And so many organisations fail so badly so often.

Most password systems are in place simply to allow the system to verify a your identity (they can also be used to verify authority - but it this is rarely seen these days).  This is done by using one or 'factors' that the you provide to show:

  • what you know (a password)
  • what you have (one of those key fob dongle things)
  • who you are (biometrics like fingerprints or retina scans)

All of these are based on assumptions such as your key fob hasn't been stolen or your fingers cut off by international terrorists in order to gain access to the missile launch system.  Of course the most common assumption is that you and only you know your password.

This assumption is a perfectly reasonable assumption if  you have been properly trained about the importance of not sharing your password or writing it on a post-it now stuck to your monitor.  And it an organisations policies that show how well they understand that they are making this assumption.

Unfortunately, it seems that so many organisations create and enforce policies that do everything possible to break this assumption. Policies that insist:

  • require a new password to be created every 30 days (and try and prevent the reuse of old passwords)
  • insist on passwords including numbers and capital letters,
  • limit the length of the password to just a dozen or so characters.

All of these make it more difficult to remember a password (as so wonderfully explained by XKCD), thus driving you to do one of two things

  • write down your password in a list somewhere
  • request a new password every time you forget it and want to use the system

Writing down the password is obviously a bad thing as it increases the chances of that assumption about only you knowing it.  At worst it will mean anyone who can see the post-it stuck to your monitor can your password. At best it will mean that anyone who has access to your note book, telephone, or online password management tool has access.

The affect of getting a new password (invariably sent by email) is that your password is effectively exposed to anyone who can read your email.  And that means

  • the staff who look after your email system
  • people who work at your Internet service provider
  • anyone who can access your computer, phone or other devices when you aren't looking

Effectively, an email based 'forgotten password' mechanism delegates the security of any system to the security provided by your email system and devices.

 

There are lots of potential ways to fix this problem, single-sign-on servers, 2 factor login systems, sensible password policies, locked down email, but the underlying issue is that the people who run the information security function of an organisation should consider that they job is not about computer authentication and identity systems, or document and data management.  Their job is about changing people’s behaviour, about understanding how they work, and why they do what they do and how you can persuade them to behave differently.

Event sponsorship opportunity of wifi fail

If you've ever been to a tech conference or event, I'm sure you've noticed how the wifi always seems to fall over. The venue owners alway seem to under estimate the number of wifi devices that are used by techies. I have a version 1 iPad so have to have my phone connected too in order to take and post photos. Also, I understand that iOS devices (iPhones and iPads) treat wifi access point really badly and too many in the same place will cause routers to crash horribly.

Quite why venues can't do a bit of testing and actually check how far their wifi provision can be pushed is a mystery to me, but when typing in a wifi password for the umpteenth time at a recant event it occurred to me (and my friend @chrisdymond) that someone is missing an opportunity to take advantage of this failure.

If a company were to sponsor the wifi login password and brand up the login page (if it's a proxy based authentication system), then their name would be embedded in the attendee's brain for days. It's something they would simply HAVE to remember. A good combination of username and password could help too:
Username: acme-web-apps
Password: good-UX

Of course they would run the risk of forever being associated with failure!

I heard from Chris this morning that the password for the wifi at Activate2011 is sponsored by Barclaycard. Let's hope it doesn't crash eh!

doing homework for an unconference

I attended localgovcamp this weekend and once again I found it exciting, invigorating, and enlightening, but mostly I found it exhausting.  It is difficult to maintain that level of thinking and participation for an entire day, let alone beyond that.

Of the many sessions (35 in total) I mostly enjoyed the ones led by Catherine Howe (@curiousc).  Her first was around establishing and maintaining online identities that can then be used to develop authority and trust. Catherine’s main questions seem to be about whether we can have meaningful online democratic engagement without some structure around identity (although I may not have understood the premise completely).

Catherine's second session was about the re-application of Agile software methodology to other areas of activity in local authorities (or similar institutions).  Catherine masterfully steered the conversation around the predictable traps of blaming the issues on the usual suspects of lack of leadership/vision and corporate IT policies.  She guided us towards finding tools, techniques and approaches we can use to solving the problems.  By the end, she had a general consensus that we needed to build a body of evidence to show how more iterative approaches to projects can work.

I was very impressed.  However, I was more impressed at reading Catherine's comments about *camp/unconference events in general in her post Epic Localgovcamp.  My thoughts were heading in exactly that direction.  I love the opportunity to get together at these kind of events (this was my first localgovcamp but not my first unconference) with passionate and knowledgeable people that challenge and stretch my thinking and understanding.  But I do find that some of the discussions cover the same ground over and over again. This is particularly true of the open data movement, where the activists are still fighting to convince, cajole and convert people to their cause.

So I can see a conflict between building our combined understanding and moving our thinking and actions forward while still remaining open and inclusive. How do we begin to develop common language without it turning into off-putting jargon?  How do we discuss complex issues that practitioners encounter or edge cases that need to be generalised?

I have a suggestion.  I have no idea whether it goes against everything that is good and holy about the unconference way, but I will put it out there anyway.

Why don’t we pre-announce what we would like to discuss at some unconference sessions?  Just for a few sessions per event, we can set some pre-reading or a list of videos to watch, perhaps even propose a theory to be debated or discussed.  Basically, we could do some homework before we get there.  This, of course should be done in public where anybody can participate, and we would need to make it clear to participants on the day that the session did require some preparation so may be a bit tough to follow for the unprepared.  But, hell, I'd certainly attend any session that promised to expose that level of thinking with my ears open and my notebook ready.

It's not just about Apps

This is a presentation that I gave at the Local by Social North East Edition on Friday the 4th of March.

As I hope you can tell from the speaker note/script below.  I am trying to highlight that there is much that can be done without the aid of technical people and that that work will tell us a great deal.

******

Good morning.

My name is Saul Cozens and I am the Technical Director of a Web Application Development company in Sheffield, but today I’d don’t want to talk about me and what I do.  I like to talk about us.

When I listen to some of the conversations within this wonderfully creative and innovative community I sometimes worry that we are missing a trick.  I worry that we have too narrow a focus, that we are not taking advantage of some of the knowledge, skills and potential that exists around us.
I keep wanting to shout:  “It’ s not just about Apps”

First, let me be clear what I mean by the word ‘App’.  When someone says App, I think of a little square icon on the touch screen of the mobile device I’ve just paid a small fortune for (or that I will do for the next 24 months).
I know it can mean other things as well, but that’s how I mean it today.

I think that Apps are great.

********

They are easy to find,
they usually have some kind of user rating on so I can tell the good ones from the really bad ones,
I can install them with a couple of taps and
they update automatically whenever the author adds a feature or fixes a bug.

They are child’s play.

They are also very often, brilliantly focused to solve a single problem.

***********

So good Apps are designed very specifically for the circumstances of the user, their situation, their mode.  
They recognise that because they are mobile, they are going to be used when the user is also doing something else and so they have to be incredibly simple to use.  

But there are a couple of things that bother me with our focus on Apps.
We tend to think of their success in terms of the numbers of users not in the value that they deliver.  There are many very popular Apps that are immensely fun

*********

and generate huge revenues for their authors, but our objectives are not really about fun or revenue generation,

so should we use the same measures?

There are exceptions. Some Apps are designed for very niche user groups and deliver huge amounts of value to them and through them.  An example is the Nursing Constellation App.  

*********

It combines numerous nursing practice references and allows them to be carried around in a pocket.  At a cost of about £100, this App is pretty expensive, and has relatively few users but it has the potential to save lives.

I guess I’m trying to say that the mass production model that is dominant in the App marketplace

*********

is not always the most appropriate one to deliver the most value.  

Perhaps when thinking of the people who we can deliver value to, we should not limit ourselves to those with a smart phone in their pocket, but instead think of the improving the effectiveness of those fewer people who deliver value to a wider group.

We can use technology to improve the lives of people even if they do not use that technology directly.

This is particularly true when the people we are trying to deliver to, our ‘market’, are not just the digitally connected and technology literate few, but are a wider community of people with more basic needs than to remember where they parked their car.

The second concern I have about our obsession with Apps is the fact that there are relatively few people who can create them.  

*********

It takes specialist skills, knowledge and tools.  

Don’t get me wrong, there are people out there like that and if you find one willing to help you develop an App, befriend, cherish and nurture them, they are precious, but there are so very many more people out their with knowledge, skills and experience that can be used to harness technology to deliver value and help make others more effective in delivering value.

As a very simple example, I frequently see people people filling in online forms by typing then clicking on the next field, then typing and clicking, typing and clicking.  Often, these are people who fill in the same form several times a day, but still they type and click, type and click.
By introducing them to the concept of the TAB key (and the shift TAB) I give them the potential to spend less time filling in forms.  They can spend less time thinking about the mechanics of the form and more about the information they have providing.

Everyone of us has the ability to have this impact, the knowledge and the skills to use technology to improve the lives of users and the effectiveness of others in doing the same.

So if it’s not Apps that will allow us to do this what will?  

Platforms.

***********

What do I mean by Platforms?  
Stuff like Wordpress, Twitter, Google Docs, Yahoo! Groups, Flickr, Netvibes.  
Aren’t these just web apps?

I think some web apps deserve to be called platforms because they are generative, they allow us create solutions to many different problems by configuring them.  

**********

Yahoo! Groups is configured in a specific way to make Freecycle, Flickr is configured with a some conventions and processes to run the Visit Dublin photo competition, the introduction of a simple hashtag makes Twitter useful as a conference Q&A tool or turns a TV show into a shared experience.  

And Wordpress... let’s not try and list the different ways that Wordpress has been configured to solve different problems.

These platforms get applied in ways that the original designer of the platform never anticipated.  

*********

In many instances, the problem never existed when the platform was designed or maybe the problem affects so few people that it was just not visible to the platform designers.

Platforms become even more powerful when we connect them together,

**********

when we can link the RSS output of one into the API of another.  
When we use Posterous to allow people to submit photos and videos to an group managed approval process and then publish them on a Flickr group, Youtube channel and a Wordpress blog, all without writing a line of code.

This stuff is simple to do.

**********

Relatively. Like learning to tie our shoe laces, we still need to be shown by others and practice but it more about gaining an understanding than developing skill.  You don’t need a degree in it!

Using and configuring platforms also introduces new things that we need to learn about.  Things that are not technical in nature.

**********

The way that we put solutions together, the configurations we use, changes how people use them.  

An anonymous commenting system will have a very different atmosphere than one where you must login with your Facebook identity.

Making a poll result visible without having to vote first can skew the outcome.  

Allowing comments only at a page level rather than on each paragraph ends up with very different conversations.

We don’t yet understand all of the impact of all of the available configurations.  This knowledge is either not yet gained or just not very well distributed.  

**********

We need to gather this understanding from every project and every experiment that we run and we must share it.

*********

We should add structure to help us remember what information is important to allow others to re-use including who the target users are, what skills and knowledge they posses, what tools were utilised, what manual or administrative process were required and what policies had to be produced or applied.

But this structure should not constrain how the things we learn are expressed,

***********

but instead to add to them so that it is easy for others to find, to filter, to rate and comment on, to amend, update and re-use.  

We need an App Store for our configurations.  

One that helps us with the mechanics of configuration (how do I link Posterous to Wordpress?) as well as the impact of those configurations.

This structure will help us distribute the understanding we have of our toolset, it will help US become more effective.

But the important thing is that we share our experiences, our stories

*************

This stories should be told in the medium that suits them and us best.  Sharing through video, screencasts, user interviews, all of those things and others.

We need stories of our triumphs.

************

How we got it right, what the successful outcomes were, where we delivered value and how we helped other be more effective at delivering value.

and also the failures.  

************

What went wrong and why.  As individuals we don’t often get to try again, but as a group we can we can iterate, adapt and amend.

***********

To summarise:

It’s not all about Apps, but we can learn from them.
We should not judge value by number of users.
We should seek out smaller groups of users who need out help.
We can configure as well as make.
We must share in order to learn.

***********

Thank you for listening.

The cost of cost saving

P133

My mind wanders on train journeys. I start to think about the things in front of me. So it is not surprising that I can make the occasion leap of thought. Today I was trying to find out whether my train ticket would be valid for the trim that was during just 5 minutes time. When the ticket guy asked to see my ticket I had to behave like someone in a foreign country trying to pay a bill with unfamiliar currency. I did not have a clue which of the many pieces of orange, credit card sized pieces of card was my ticket. I simply pushed the entire stack toward him and suggested he find it. As someone who has spent much time trying to work out how to reduce the cost of systems for clients, I can understand the thought processes behind using a single printer to reduce the tickets, seat reservations, receipts, confirmations and whatnot, but this cost saving justification does not factor in the impact on customer experience. This cost saving design decision means that when I travel by train I am made to feel stupid. Is it a good idea to make your customers feel stupid when using your service?

the irritation of unconventional text entry

In the past two days I have witnessed of two instances where the use of non-standard text entry devices has irritated me.

The first is the payment point of a car park (Exel in Broomhill, Sheffield) where you are required to enter your car registration before being issued with a ticket.  This for two reasons:

  • to prevent the transfer of parking tickets between cars
  • to allow them to implement an automated penalty notice issuing system that works by recognising the car registration as you exit

So it is incredibly important that you enter your car registration number accurately.  So what do Exel provide you for this task? A alpha-numeric keypad laid out in 4 columns in alphabetical order.  It is incredibly difficult to find the keys you are looking for on this keyboard. Doubly so when holding up someone else trying to buy a ticket.

Imag0186

The second instance is the ticket collection machines at Sheffield railway station.  This time you are asked to input your booking reference (incidentally, that's the alphanumeric reference labelled as 'Collection ref' rather than one above it labelled 'booking reference' - well done thetrainline.com) on a touch screen keyboard laid out in a 5x5 (+1) grid of letters and a 2x5 grid of numbers.

Imag0188

FFS this is a software keyboard. Why on earth can it not be set to use a qwerty layout and a numeric keypad or even a mobile phone style text input mechanism?  Hell, why not allow the user to choose?

I find it difficult to believe that these designs were chosen after user testing and so can only assume that it is due to complete incompetence (as I have applied Hanlon's razor)

QR code stickers to catalog a city

The process of cataloging all of the physical and public things in a city is a mammoth task. Identifying and geotagging all lampposts, grit bins, bus stops, drop curbs, litter bins, telephone junction boxes, parking meters, etc. is something that seems to be insurmountable.  Not only that but who should do it?

Obviously the local council has a responsibility, but so do many other local and national organisations like telephone companies, gas and electricity providers, car park owners, universities, oh the list goes on.

But the impetus to start such a catalog seems to be stifled by the thought that it needs to be complete to be useful. I want to challenge that assumption and to suggest a way in which the task of cataloging could be begun independently of the owners of the physical assets.

Gbtqyl
The idea is to create hundreds, no thousands of QR code stickers, each with a unique URL encoded on it. These URLs would be an unique but random short code, just like those used by URL shortening services like bit.ly.  The stickers should be waterproof, not easy to peel off and contain little other information (perhaps just the URL to allow access by people without QR code devices).

These stickers could then attached to any item in the real world and the URL attributed to the physical object and its location, type, photographs, condition, owner can all be added to the object's record.

But the sticking and the attributing don't have to be done at the same time. Stickers can be stuck and the attribution could be done by the first person to visit the URL by capturing its QR code.

"this item hasn't been cataloged yet, can you tell use what and where it is?"

Of course it may be that more than one sticker has been stuck to the object. No problem, the system's algorithms should be able to recognise the difference between two stickers on a lamp post and sticker on the litter bin attached to the lamp post.

Once items are catalogued, the URL becomes an interface for interactions:

"This is a lamp post on South Road. Do you want to:

  • Upload a photograph of it, 
  • Report it as faulty, 
  • Make a comment about it, 
  • Claim ownership of it."

by acting a brokerage for Interacting with public physical objects, the project could:

  • provide a common set of open APIs for developers
  • amass a collection of open data
  • show the existence of a digital city in the physical one
  • provide a single, unified and implement process in order to change peoples behaviour from consumer of public objects to being involved in their maintenance

Acting as a brokerage would also mean that existing systems could be utilised, FixMyStreet for fault reports (that are a council's responsibility), Gowala or FourSquare for comments or review, flickr for photographs.  Using these kind of services would greatly reduce the effort needed to build a common point of contact for them.  The project starts to feel like a link shortener for public physical objects.

Hmmmm. All your thoughts are very welcome.

 

New name, new permission

I've changed the name of this blog from the highly original "Saul Cozens' Blog" to "Brain Dump". And with that change I've given myself to permission to be less ponderous and considered about what I post. Not that what I posted previously was particularly well thought out and complete, but by naming this blog "Brain Dump" I hope to encourage myself to simply put half-formed ideas and thoughts out there for others to comment on, dismiss, correct, adapt or build on.
The quality may vary but I hope you find enough good stuff here to keep you interested.

HMG won't kill IE6

Today the Government responded to a petition to drive all Government bodies to upgrade their browsers to something that conforms to modern standards.  The petition was signed by 6,223 people who believed that the reluctance for many Government departments to upgrade costs many thousands (if not millions) of pounds of additional, unnecessary development costs to ensure that web applications still work with this 10 year old web browser. The petition also cited the security vulnerabilities in IE6 as another good reason to upgrade, surely our Government systems should be using secure and reliable software. The Government's response basically boils down to:
  • the security issues are dealt with by the Government networks, firewalls and filters
  • upgrading is not cost effective
Now, I can see that the cost to upgrade is more than will be more about upgrading all the existing systems that have been built to ONLY work with IE6 than just installing new browsers on all PCs and that that cost will bring no new direct benefit to users and therefore the cost doesn't seem to be justified, but what doesn't seem to have been understood is the future cost of NOT upgrading. Not only is there a cost for any web project that must be made compatible with IE6 (this cannot be understated), but the cost of Government users not being able to take advantage of new techniques, interfaces and tools that are commonplace in the web applications we all use daily is enormous. Our ability to open our Government up and  for citizens to work with civil servants is going to rely on everybody being able to use the same tools, to be able to see and share the same information and contribute to it together. Now surely there is someone, somewhere in Microsoft who is bright enough to work out how IE6 can be packaged up so it can still be used on those legacy systems that weren't built to the right standards in the first place, while still allowing IE8 (or another modern browser) to be used for all other modern systems.

big society, little hope?

This week I attended a meeting intended to start activity on the Big Society in the North.  I went along to find out a little more and to get an impression of whether the 'Big Society' thing is a political ideology driven scheme to dismantle the apparatus of the social welfare system or a real grass roots movement to redistribute the authority to JFDI to civic minded citizens. The overall impression I got was that the people in the room (excluding the usual Sheffield digerati) were all activists in the charity sector in one form or another.  Some had specific causes (recovery from substance addiction, self esteem building, providing conflict resolution skills to kids), some were thinking about general tools for organisers (online networks, hyperlocal information, skills exchanges, an app store) and a couple were thinking about the Big Society movement itself (what defines a Big Society activity? [see Matthew Taylor's blog post], what does the Big Society network look like?). Several of these people stood up and gave a pitch for their organisation, endeavour or idea, primarily to start a conversation among the attendees, to draw on wider experience and gather ideas. On the whole I walked away with 3 thoughts:
  • those people who pitched their specific cause were in the wrong room.  Everyone in that room was already up to their ears in pro-bono work and good causes or interested in the Big Society as a concept rather than the good work that happened under it flag.
  • Too few of the people there (excepting the internet people) were thinking about the power that networking would bring to their endeavour.  In fact one person actually suggested that their organisation abandon using technology to communicate and send each other postcards instead.  I'm all for simplicity, but not at the cost of magnitudes of scale of effectiveness.
  • No-one seemed to be thinking about building a community of practice for voluntary, pro-bono and charity work.  The idea that someone brought to create an app store of tools went in that direction, but the conversation seemed to head quickly toward technology rather than technique and practice. While discussing whether an activity could be considered as a 'Big Society' activity, it was suggested it should not be if a funded body was already doing it, but no-one revealed how someone would know if an activity that they want to undertake is already funded.
However, my overriding impression was of hope. The people who had gone to the Big Society in the North meetup were stoic in the face of a future without government funding and with tightening purse strings from private sector funders and were all still fighting hard to get done what they know needs to be done. Perhaps the encouragement to JFDI is worth more than all that funding after all.