Devs SLAM UK.gov's JavaScript-astic, 'shoddy' security education website

'This is the kind of code you might write for a bet,' says critic

A high-profile UK government cyber security campaign aimed at changing attitudes to online security has come under criticism for the poor quality of its expensive website.

Cyber Streetwise was launched with great fanfare, and much positive comment from the IT security biz, last month. It was part of a campaign led by the Home Office called the National Cyber Security Programme, and delivered in partnership with the private and voluntary sectors. The government spent a whopping £4m on the project, which also includes a marketing campaign.

Building better security awareness is a noble aim and El Reg gave the scheme a broadly positive welcome. But it seems that we might well have let our cynical guard down, judging by the criticism the cyberstreetwise.com site has received from website development experts and other observers, a perspective that stands in stark contrast to the flood of earlier praise from IT security vendors.

Developer Chris Applegate wrote a hard-hitting critique of the site, making a number of criticisms over its generally poor design and unintuitive user interface as well as pointing out that "a lot of the content of the site is just links to other sites".

"Rather than pages, you’re presented with a set of 'shops' on a cartoon 'street'," Applegate writes. "This is not only an incongruous metaphor, but it makes it look like a site aimed at children rather than adults and business owners."

Applegate is even more scathing of the architectural design of the website.

"Even in a Web 2.0 age, conventional wisdom for a website that delivers chunks of static content (rather than a fully interactive web application), you deliver the majority of your content from your CMS as HTML pages; meanwhile JavaScript is used to control interactions on that content within each page," Applegate explains.

"This site rejects that model in favour of something I’ve never seen before at this scale — it pre-loads the entire website’s content as one massive JavaScript global variable (350kB worth in the source code of the homepage). Then there’s another very large script (over 290kB and 8,000 lines) which parses & outputs the relevant page or section back into HTML for the browser to render. Throw in the CSS and other scripts (jQuery, analytics etc.) and the weight of the text files alone, not including images or fonts, is nearly 1MB."

"This is the kind of code you might write for a bet ('Let’s replicate a CMS and HTML tree builder in pure JavaScript!') rather than put on a production website," he concludes.

Ouch.

Other lines of criticism include those expressed by IT consultant Paul Moore here about "shoddy content" and questionable advice.

We attempted to put these criticisms to people behind the project, who referred us to the Home Office press team. Despite numerous calls and emails over several days El Reg was unable to solicit any defence of the scheme. If this was a football match it'd be declared a walkover.

The downbeat assessment of the site by developers sits in stark contrast with the cheerleading by information vendors at the time the site was launched last month.

Matt Palmer of the ISACA Security Advisory Group described Cyber Streetwise as an "extremely useful resource for small business managers".

Martin Sugden, chief exec of Boldon James, described it as "a great step towards helping SMEs combat the ever-present cyber security threat".

Ashish Patel, regional director at McAfee-owned security appliance firm Stonesoft, added that Cyber Streetwise embodies the "growing value placed on cross-industry and governmental collaboration within the security space".

Sophos, meanwhile, was keen to big up its association with the project.

The Cyber Streetwise website – www.cyberstreetwise.com – offers a range of interactive resources for SMEs and consumers to gain impartial advice on how to protect themselves online. Sophos, which has provided security expertise and content for the Cyberstreetwise site, is also pushing visitors from its own dedicated web page – www.sophos.com/cyber-street – to the Cyber Streetwise website.

As Applegate notes, "it’s not nice to call out on the quality of others’ work, but sometimes it has to be done."

Separately, a recent survey commissioned by BT found that the UK trails other leading economies in cyber-security awareness. Fewer than a fifth (17 per cent) of UK business leaders view cyber security as a "major priority", compared to 41 per cent of a sample of US IT decision makers quizzed in the same poll, as Out-law.com reports.

A Home Office spokesperson said that while its cybersecurity education programme cost £4m, the site itself came in at £160K excluding VAT. He acknowledged the site had been criticised by "techies" over its design and even that there might be some merit in their criticism, but said the site was not built with an intended audience of the more technologically knowledgeable, referring us to an FAQ that dealt with these questions.

"The Cyber Streetwise campaign aims to effect behavioural change, primarily targeted at two specific audiences: Women aged 35-55 and SMEs," it said. "These audiences were chosen because research has suggested that both of these groups are most at risk from cyber crime, but also have the greatest potential to be able to take action against it.

"Small changes in behaviour could save the public and small businesses in the UK a tremendous amount of money. Though the crime is online, it is not invisible to the UK Government which is aiming to reduce these opportunist crimes. Reducing the opportunity can be achieved by inspiring people to act as responsibly online as they do in the street."

The FAQ also deals with why the site was so JavaScript-heavy.

"We used JavaScript to create an immersive user experience for both audiences, allowing them to explore the content – learning the basics on their journey, while being able to choose to read further. There are no page refreshes throughout the experience, which is completely served using HTML5 and JavaScript."

The design of the site meant it was outside general government design guidelines, which is why it was hosted on a .com domain. The statement goes on to explain why the site is chock-full of links: "Cyber Street did not want to recreate the wheel, but wanted to provide a friendly aggregator of resources for the public to click through to if they wanted to learn more about a certain aspect of cyber security." ®
