Devs SLAM UK.gov's JavaScript-astic, 'shoddy' security education website

'This is the kind of code you might write for a bet,' says critic

A high profile UK government cyber security campaign aimed at changing attitudes to online security has come under criticism for the poor quality of its expensive website.

Cyber Streetwise was launched with great fanfare, and much positive comment from the IT security biz, last month. It was part of a campaign led by the Home Office called the National Cyber Security Programme, and delivered in partnership with the private and voluntary sectors. The government spent a whopping £4m on the project, which also includes a marketing campaign.

Building better security awareness is a noble aim and El Reg gave the scheme a broadly positive welcome. But it seems that we might well have let our cynical guard down, judging by the criticism the cyberstreetwise.com site has received from website development experts and other observers, a perspective that stands in stark contrast to the flood of earlier praise from IT security vendors.

Developer Chris Applegate wrote a hard-hitting critique of the site, making a number of criticisms over its generally poor design and unintuitive user interface as well as pointing out that "a lot of the content of the site is just links to other sites".

"Rather than pages, you’re presented with a set of 'shops' on a cartoon 'street'," Applegate writes. "This is not only an incongruous metaphor, but it makes it look like a site aimed at children rather than adults and business owners."

Applegate is even more scathing of the architectural design of the website.

"Even in a Web 2.0 age, conventional wisdom for a website that delivers chunks of static content (rather than a fully interactive web application), you deliver the majority of your content from your CMS as HTML pages; meanwhile JavaScript is used to control interactions on that content within each page," Applegate explains.

"This site rejects that model in favour of something I’ve never seen before at this scale — it pre-loads the entire website’s content as one massive JavaScript global variable (350kB worth in the source code of the homepage). Then there’s another very large script (over 290kB and 8,000 lines) which parses & outputs the relevant page or section back into HTML for the browser to render. Throw in the CSS and other scripts (jQuery, analytics etc.) and the weight of the text files alone, not including images or fonts, is nearly 1MB."

"This is the kind of code you might write for a bet ('Let’s replicate a CMS and HTML tree builder in pure JavaScript!') rather than put on a production website," he concludes.


Other lines of criticism include those expressed by IT consultant Paul Moore here about "shoddy content" and questionable advice.

We attempted to put these criticisms to people behind the project, who referred us to the Home Office press team. Despite numerous calls and emails over several days El Reg was unable to solicit any defence of the scheme. If this was a football match it'd be declared a walkover.

The downbeat assessment of the site by developers sits in stark contrast with the cheerleading by information vendors at the time the site was launched last month.

Matt Palmer of the ISACA Security Advisory Group described Cyber Streetwise as an "extremely useful resource for small business managers".

Martin Sugden, chief exec of Boldon James, described it as "a great step towards helping SMEs combat the ever-present cyber security threat".

Ashish Patel, regional director at McAfee-owned security appliance firm Stonesoft, added that Cyber Streetwise embodies the "growing value placed on cross-industry and governmental collaboration within the security space".

Sophos, meanwhile, was keen to big up its association with the project.

The Cyber Streetwise website – www.cyberstreetwise.com – offers a range of interactive resources for SMEs and consumers to gain impartial advice on how to protect themselves online. Sophos, which has provided security expertise and content for the Cyberstreetwise site, is also pushing visitors from its own dedicated web page – www.sophos.com/cyber-street – to the Cyber Streetwise website.

As Applegate notes, "it’s not nice to call out on the quality of others’ work, but sometimes it has to be done."

Separately, a recent survey commissioned by BT found that the UK trails other leading economies in cyber-security awareness. Fewer than a fifth (17 per cent) of UK business leaders view cyber security as a "major priority", compared to 41 per cent of a sample of US IT decision makers quizzed in the same poll, as Out-law.com reports.

A Home Office spokesperson said that while its cybersecurity education programme cost £4m, the site itself came in at £160K excluding VAT. He acknowledged the site had been criticised by "techies" over its design and even that there might be some merit in their criticism, but said the site was not built with an intended audience of the more technologically knowledgeable, referring us to an FAQ that dealt with these questions.

"The Cyber Streetwise campaign aims to effect behavioural change, primarily targeted at two specific audiences: Women aged 35-55 and SMEs," it said. "These audiences were chosen because research has suggested that both of these groups are most at risk from cyber crime, but also have the greatest potential to be able to take action against it.

"Small changes in behaviour could save the public and small businesses in the UK a tremendous amount of money. Though the crime is online, it is not invisible to the UK Government which is aiming to reduce these opportunist crimes. Reducing the opportunity can be achieved by inspiring people to act as responsibly online as they do in the street."

The FAQ also deals with why the site was so JavaScript-heavy.

"We used JavaScript to create an immersive user experience for both audiences, allowing them to explore the content – learning the basics on their journey, while being able to choose to read further. There are no page refreshes throughout the experience, which is completely served using HTML5 and JavaScript."

The design of the site meant it was outside general government design guidelines, which is why it was hosted on a .com domain. The statement goes on to explain why the site is chock-full of links: "Cyber Street did not want to recreate the wheel, but wanted to provide a friendly aggregator of resources for the public to click through to if they wanted to learn more about a certain aspect of cyber security." ®
