Author Topic: AUK Finances and Website Project was: AUK Chairman Statement  (Read 131702 times)

Re: New audax.uk site
« Reply #625 on: 22 November, 2018, 01:24:27 pm »
Aye true, I do find it slightly surprising that one of the aims I read was to get away from volunteers writing and maintaining the system.

I think the aim was more to get away from it being just a few (and one in particular) volunteers who are the only ones able to maintain/extend/fix the system.

Getting a professional company is certainly one solution to this, but fraught with its own problems and downsides.
"Yes please" said Squirrel "biscuits are our favourite things."

mattc

  • n.b. have grown beard since photo taken
    • Didcot Audaxes
Re: New audax.uk site
« Reply #626 on: 22 November, 2018, 03:35:21 pm »
So to be clear, how long do you think this has taken? Do you really think it is value for money?

£150K seems like an exorbitant amount to me.
You've had since August to add your comments about the VFM of the work done: http://forum.audax.uk/index.php?topic=1564.225 (or on a thread near this one)

Just posting that "It's a bit crap and expensive" was never very helpful, even less so 3 months down the line.

Of course if you contributed to the work in getting this project off the ground, you have a little more right to make unhelpful complaints (but not much more ... )

I didn't realise that voicing an opinion on the internet required me to have a right to complain. If I needed one I think being a paid up member is plenty enough reason, but thanks for pointing out my error.
the volunteers are all (or at least mostly) paid-up members too.

(No need to thank-me, I'm here for you next time.)
Has never ridden RAAM
---------
No.11  Because of the great host of those who dislike the least appearance of "swank " when they travel the roads and lanes. - From Kuklos' 39 Articles

Re: New audax.uk site
« Reply #627 on: 22 November, 2018, 03:46:24 pm »
I think the aim was more to get away from it being just a few (and one in particular) volunteers who are the only ones able to maintain/extend/fix the system.

I'm not sure how having the only way to do anything being to shovel tens of thousands of pounds AUK doesn't have to a private company is an improvement on that, TBH.

And in any case there's no clear roadmap or timeline for removing dependence on AUKweb for essential daily operations, so doing anything requires doing both for the foreseeable future.

Hooray!

Re: New audax.uk site
« Reply #628 on: 22 November, 2018, 03:49:19 pm »
And in any case there's no clear roadmap or timeline for removing dependence on AUKweb for essential daily operations, so doing anything requires doing both for the foreseeable future.

Exactly, after which phase will they be in a position to turn aukweb off?
"Yes please" said Squirrel "biscuits are our favourite things."

Re: New audax.uk site
« Reply #629 on: 22 November, 2018, 06:46:28 pm »
I’m in and having a gander. Thanks for the help.

Bianchi Boy

  • Cycling is my doctor
  • Is it possible for a ride to be too long?
    • Reading Cycling Club
Re: New audax.uk site
« Reply #630 on: 22 November, 2018, 08:21:28 pm »
The spelling mistake is still on the front page and when are we going to get https?

I am being a little harsh here but early impressions stick and these two things need to get sorted and quickly. The spelling mistake not being fixed just should be fixed and it should only take 1 minute.

BB
Set a fire for a man and he will be warm for a day, set a man on fire and he is warm for the rest of his life.

quixoticgeek

  • Mostly Harmless
Re: New audax.uk site
« Reply #631 on: 22 November, 2018, 08:31:54 pm »

Could people stop trying to login until we have https? and can we beat whoever it is at the company doing this, with a stick, to make them roll out https asap. Not having it on a site like this is beyond gross incompetence.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

j_a_m_e_s_

  • Prisoner 17091
    • AUK results
Re: New audax.uk site
« Reply #632 on: 22 November, 2018, 09:19:50 pm »

Could people stop trying to login until we have https? and can we beat whoever it is at the company doing this, with a stick, to make them roll out https asap. Not having it on a site like this is beyond gross incompetence.

J

I'm using the old site as a preference until I'm forced to use the new one. See how clearly you can see the events coming up? I'm sort of cutting out the middle man, in the sense that anything meaningful is going to divert me back to Aukweb anyway.

The new one isn't quite there, so I've no reason to migrate. Just yet.
Rule 77

Re: New audax.uk site
« Reply #633 on: 23 November, 2018, 08:48:19 am »
Thank you. I’ve tried all combos to no avail. I’ll pop an email across. Thanks all. Hope to see you soon Cudzo.

The issue could be something to do with mixed case?? Although I can't actually visualise what it would be.  The old site stores mixed-case passwords but the login comparison is all done in lowercase for some reason.  The new site is unlikely to work the same way!

Storing plaintext passwords in 2018?

Sure sounds like it - if indeed this statement above is true.

In regards to the new website... quite clearly there has been no big announcement yet, someone leaked the new website address and we are being used as guinea pigs to test the site and iron out any issues before an official release - and nothing wrong with that given the subject matter.
Frequent Audax and bike ride videos:

https://www.youtube.com/user/djrikki2008/videos

frankly frankie

  • I kid you not
    • Fuchsiaphile
Re: New audax.uk site
« Reply #634 on: 23 November, 2018, 09:23:50 am »
Could people stop trying to login until we have https? and can we beat whoever it is at the company doing this, with a stick, to make them roll out https asap. Not having it on a site like this is beyond gross incompetence.

Just which part of your personal data do you think is at risk?

I'm using the old site as a preference until I'm forced to use the new one. See how clearly you can see the events coming up? I'm sort of cutting out the middle man, in the sense that anything meaningful is going to divert me back to Aukweb anyway.
The new one isn't quite there, so I've no reason to migrate. Just yet.

1. If linking to the old site we might at least (in this context) use the secure version https://www.aukweb.net
2. I don't expect that link to work for much longer.  The new site is clearly still in alpha but as soon as it gets to advanced beta stage the old front-end will be progressively mothballed and that address will probably just forward to the new site, for a while.  That could just be days away, or it could be weeks, I simply have no idea.
when you're dead you're done, so let the good times roll

jiberjaber

  • ... Fancy Pants \o/ ...
  • ACME S&M^2
Re: New audax.uk site
« Reply #635 on: 23 November, 2018, 09:32:34 am »

Could people stop trying to login until we have https? and can we beat whoever it is at the company doing this, with a stick, to make them roll out https asap. Not having it on a site like this is beyond gross incompetence.

J

LOL - I was just about to post that not being https was no different to the original site, then I stuck https in front of the original site and it worked!... guess whose bookmark hasn't had that extra S for some time!  :facepalm:
Regards,

Joergen

Re: New audax.uk site
« Reply #636 on: 23 November, 2018, 09:34:24 am »
Could people stop trying to login until we have https? and can we beat whoever it is at the company doing this, with a stick, to make them roll out https asap. Not having it on a site like this is beyond gross incompetence.

Just which part of your personal data do you think is at risk?

If usernames and passwords are trivially available to someone snooping then that someone could login to the site using those details to view the other personal information which is stored within (address, phone numbers, etc).

Sounds like the developers are considering GDPR compliance as another "TODO" item rather than a "no ship" stop item.
"Yes please" said Squirrel "biscuits are our favourite things."

frankly frankie

  • I kid you not
    • Fuchsiaphile
Re: New audax.uk site
« Reply #637 on: 23 November, 2018, 09:38:52 am »
Storing plaintext passwords in 2018?
Sure sounds like it - if indeed this statement above is true.

Password security was one of the main drivers that initially got the Board (as opposed to just some individuals who wanted SHINY) behind the new project.

I'm assuming the new website will eventually have a standard 'user' login that is not merely a membership login - it surely needs to be equally accessible to non-members in terms of repeat visits and event entries.  I'm a bit surprised that what we see so far is actually much more member-focussed than even the old site is - I thought one of the original aims was something more attractive to non-members.
when you're dead you're done, so let the good times roll

frankly frankie

  • I kid you not
    • Fuchsiaphile
Re: New audax.uk site
« Reply #638 on: 23 November, 2018, 09:54:21 am »
If usernames and passwords are trivially available to someone snooping then that someone could login to the site using those details to view the other personal information which is stored within (address, phone numbers, etc).

I know telephone directories are a thing of the past but you're surely not too young to remember how they worked.  Were they evil??

Quote
Sounds like the developers are considering GDPR compliance as another "TODO" item rather than a "no ship" stop item.

I did have a look at the new GDPR documentation a while back, just out of idle interest, and I noticed that up-front they were making a distinction between 'personal data' (which a phone number obviously is) and 'sensitive personal data' (which it isn't, according to GDPR).  I may have got their precise terminology wrong - just going from memory.  AUK doesn't at present hold any personal data which falls under their 'sensitive' heading. 
Agreed though, that compliance absolutely requires encryption and good password practices - I'm sure the new project has both those up front, but there is a problem with Phase 1 where data is being pulled across between servers.
when you're dead you're done, so let the good times roll

quixoticgeek

  • Mostly Harmless
Re: New audax.uk site
« Reply #639 on: 23 November, 2018, 10:35:31 am »
Could people stop trying to login until we have https? and can we beat whoever it is at the company doing this, with a stick, to make them roll out https asap. Not having it on a site like this is beyond gross incompetence.

Just which part of your personal data do you think is at risk?

If usernames and passwords are trivially available to someone snooping then that someone could login to the site using those details to view the other personal information which is stored within (address, phone numbers, etc).

Sounds like the developers are considering GDPR compliance as another "TODO" item rather than a "no ship" stop item.

Exactly.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Re: New audax.uk site
« Reply #640 on: 23 November, 2018, 10:44:05 am »
If usernames and passwords are trivially available to someone snooping then that someone could login to the site using those details to view the other personal information which is stored within (address, phone numbers, etc).

I know telephone directories are a thing of the past but you're surely not too young to remember how they worked.  Were they evil??

The security threat of readily available personal information has increased massively over the last 20 years. Telephone directories being a thing of the past is a good thing!

They'd certainly be considered evil if they were reintroduced now with a default opt-in status.

Quote
Sounds like the developers are considering GDPR compliance as another "TODO" item rather than a "no ship" stop item.

I did have a look at the new GDPR documentation a while back, just out of idle interest, and I noticed that up-front they were making a distinction between 'personal data' (which a phone number obviously is) and 'sensitive personal data' (which it isn't, according to GDPR).  I may have got their precise terminology wrong - just going from memory.  AUK doesn't at present hold any personal data which falls under their 'sensitive' heading. 
Agreed though, that compliance absolutely requires encryption and good password practices - I'm sure the new project has both those up front, but there is a problem with Phase 1 where data is being pulled across between servers.

I'm amazed that encrypting passwords on the existing AUKweb system (and ensuring they're encrypted in the new system) isn't a priority (less so than getting HTTPS on the new site, but still).

Password security was one of the main drivers that initially got the Board (as opposed to just some individuals who wanted SHINY) behind the new project.

I find that sentence quite worrying.

(It's relatively trivial to implement in PHP in the existing system but then I'm not surprised it hasn't given the previous comments about how the majority of dev/maintenance work on aukweb was effectively stopped a while back.)

The new system will eventually be GDPR compliant does not excuse ignoring the existing system which isn't going anywhere for a while.
"Yes please" said Squirrel "biscuits are our favourite things."

quixoticgeek

  • Mostly Harmless
Re: New audax.uk site
« Reply #641 on: 23 November, 2018, 11:02:44 am »
Quote
Sounds like the developers are considering GDPR compliance as another "TODO" item rather than a "no ship" stop item.

I did have a look at the new GDPR documentation a while back, just out of idle interest, and I noticed that up-front they were making a distinction between 'personal data' (which a phone number obviously is) and 'sensitive personal data' (which it isn't, according to GDPR).  I may have got their precise terminology wrong - just going from memory.  AUK doesn't at present hold any personal data which falls under their 'sensitive' heading. 
Agreed though, that compliance absolutely requires encryption and good password practices - I'm sure the new project has both those up front, but there is a problem with Phase 1 where data is being pulled across between servers.

There is also a whole extra set of rules if you're holding data pertaining to people under 18. I don't know what the minimum age of anyone involved in AUK is, but if we have children on the membership roll, then GDPR gets a whole lot more complex.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

telstarbox

  • Loving the lanes
Re: New audax.uk site
« Reply #642 on: 23 November, 2018, 11:10:36 am »
See child protection policy here: http://www.aukweb.net/official/policies/child/
2019 🏅 R1000 and B1000

j_a_m_e_s_

  • Prisoner 17091
    • AUK results
Re: New audax.uk site
« Reply #643 on: 23 November, 2018, 12:09:17 pm »
Could people stop trying to login until we have https? and can we beat whoever it is at the company doing this, with a stick, to make them roll out https asap. Not having it on a site like this is beyond gross incompetence.

Just which part of your personal data do you think is at risk?

I'm using the old site as a preference until I'm forced to use the new one. See how clearly you can see the events coming up? I'm sort of cutting out the middle man, in the sense that anything meaningful is going to divert me back to Aukweb anyway.
The new one isn't quite there, so I've no reason to migrate. Just yet.

1. If linking to the old site we might at least (in this context) use the secure version https://www.aukweb.net
2. I don't expect that link to work for much longer.  The new site is clearly still in alpha but as soon as it gets to advanced beta stage the old front-end will be progressively mothballed and that address will probably just forward to the new site, for a while.  That could just be days away, or it could be weeks, I simply have no idea.

1) What's good for the goose......Sorry, I've corrected that.
Rule 77

Re: New audax.uk site
« Reply #644 on: 23 November, 2018, 12:12:03 pm »
It's just mind boggling to me that this site (alpha, beta or whatever) has got anywhere near the live internet without HTTPS. There are absolutely no excuses for it not to have been implemented from day one, this is apparently a professional web development company. It worries me enormously that a statement like "The new system will eventually be GDPR compliant" is even uttered. Eventually? It should be compliant now!!

I don't want to diss the site as I think it looks pretty good. A few things, as I said earlier, need tidying up but overall it looks fine. But the members need confidence that the site will be secure, sustainable and money well spent, the annual maintenance fee is enormous IIRC. The HTTPS issue is not helping with that confidence at the moment.

Re: New audax.uk site
« Reply #645 on: 23 November, 2018, 12:17:59 pm »
It worries me enormously that a statement like "The new system will eventually be GDPR compliant" is even uttered. Eventually? It should be compliant now!!

I don't think that statement has actually ever been uttered by anyone. I purposely chose to put it in italics rather than in any form of quotes in the hope that it wouldn't be taken as a quote. The phrase is my guess at how they seem to be approaching this project with regards to GDPR, so it's still an assumption, but I think it's a fair one given the evidence available.
"Yes please" said Squirrel "biscuits are our favourite things."

Re: New audax.uk site
« Reply #646 on: 23 November, 2018, 12:24:31 pm »
The correct way to store passwords is using one-way encryption, I'd be very surprised if passwords are stored in plain-text.

Anyone tried using the Password Reminder function?  If you receive an email inviting you to Reset your Password (as opposed to sending you your actual password) it's extremely likely (although you would have to see the database to be 100% sure) that the current system uses one-way encryption and that password is hashed and salted.  Most servers support such encryption with PHP straight out-of-the-box.

Sites don't have to use HTTPS to be GDPR compliant - the move to HTTPS is mostly driven by SEO, if the site doesn't use sensitive-data then there is no technical need for certification.  In fact in most server configurations you can use Let's Encrypt to create self-signed certificates and it costs absolutely nothing.

Then it's just an exercise of trawling through all your existing pages/code and replacing "http://" with "//" and at that point it's also a sensible idea to go through setting up any Redirections in .htaccess so old resources still point somewhere - link retention I think they call it.
Frequent Audax and bike ride videos:

https://www.youtube.com/user/djrikki2008/videos

Re: New audax.uk site
« Reply #647 on: 23 November, 2018, 12:43:11 pm »
Anyone tried using the Password Reminder function?

You get emailed a plaintext password that was the default I was given when I first registered many years ago. It's not the same as the password I changed mine to some years ago (which still works after doing the password recovery option).

My guess is this original password is auto-generated using the membership ID as a seed, and it will probably always work. (Yep, I can login with both this reset password and my changed password.)

So, can't tell whether the user supplied passwords are encrypted/hashed based on this.

All kinds of wrong regardless.
"Yes please" said Squirrel "biscuits are our favourite things."
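Putting the points from Replies #646 and #647 into code, as an added example in Python that is not the site's or the thread's own code: a constructed account store in which the legacy record holds the password itself and is compared in lowercase (as the thread describes for the old site), a salted PBKDF2 hash that replaces that record on the next successful login, and a reset flow that e-mails a one-time token because a hashed password cannot be sent back. The function names, the record layout and the sample password are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 200_000          # PBKDF2 work factor; tune to the server
RESET_TTL_SECONDS = 30 * 60   # a reset link should stop working quickly


def sample_db() -> dict:
    # Constructed sample: one legacy record of the kind the thread describes,
    # holding the password itself rather than a hash of it.
    return {"member1": {"plaintext": "Biscuits42"}}


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison; case-sensitive, unlike the legacy check.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def legacy_login(password: str, record: dict) -> bool:
    """The flaw described in the thread: comparison done in lowercase."""
    return password.lower() == record["plaintext"].lower()


def login(username: str, password: str, db: dict) -> bool:
    record = db.get(username)
    if record is None:
        return False
    if "hash" in record:
        return verify_password(password, record["hash"])
    # Legacy plaintext record: check it exactly (case-sensitive), then
    # replace it with a hash on the spot so the plaintext disappears
    # without forcing every member through a reset.
    if not hmac.compare_digest(password.encode(), record["plaintext"].encode()):
        return False
    record["hash"] = hash_password(password)
    del record["plaintext"]
    return True


def start_reset(username: str, db: dict) -> str:
    """Return the token for the e-mailed link; only its hash is stored."""
    token = secrets.token_urlsafe(32)
    db[username]["reset"] = (hashlib.sha256(token.encode()).hexdigest(),
                             time.time() + RESET_TTL_SECONDS)
    return token


def finish_reset(username: str, token: str, new_password: str, db: dict) -> bool:
    record = db.get(username)
    pending = record.get("reset") if record else None
    if pending is None or time.time() > pending[1]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), pending[0]):
        return False
    record["hash"] = hash_password(new_password)
    record.pop("plaintext", None)
    del record["reset"]          # a token is good for exactly one reset
    return True
```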

321up

  • 59° N
Re: New audax.uk site
« Reply #648 on: 23 November, 2018, 04:17:36 pm »
... the old front-end will be progressively mothballed and that address will probably just forward to the new site, for a while.  That could just be days away, or it could be weeks, I simply have no idea.

So will we lose access to all the things on aukweb.net that haven't been migrated to audax.uk  ???

For example I've not been able to find the calendar download (xls & csv) on audax.uk - this is absolutely essential for us, I can't think of a way to mitigate some of the other issues without it.

Will there be a way to use the aukweb.net long list events calendar after the old front-end is mothballed?  Perhaps this can be added as an optional view on audax.uk before it's removed from aukweb.net?  In its present form the events calendar on audax.uk is horrible to use (i.e. split over multiple pages and right click 'open in new tab' does not work).  Even the audax.uk calendar events map view doesn't show all the rides (I've discovered it only shows events for whatever 'page' of events it's on - what's the point in that?).  Surely being able to quickly and easily find rides is the most important function of the website.  I hope that the events calendar and perm events sections on aukweb.net won't be shut down before they are sorted out on the audax.uk site.

A.

frankly frankie

  • I kid you not
    • Fuchsiaphile
Re: New audax.uk site
« Reply #649 on: 23 November, 2018, 05:20:41 pm »
The detail of how the transition will work hasn't been settled yet.  But in general, I'm supposing the highest-level 'subheadings' as shown in the aukweb blue sidebar will each either work in one site or the other.  So - Joining, Calendar, Perms, DIYs etc.  It's technically possible (and occasionally necessary) to get more fine-grained than that (sub-sub- or sub-sub-sub-headings) but I think both sides will want to avoid that as much as possible.
Calendar seems fairly well-developed on the new site (if you like that sort of thing) so is obviously one of the first general areas where aukweb will switch off and simple forwarding into the new site Calendar will occur.  But the Home page itself might transition quite early in the process too - ie aukweb.net will simply forward to audax.uk - and after that it's down to the new site developers to provide access to the old where appropriate (eg Results, Members, Organisers).

If it's important to you, I'd recommend you bookmark the link to the aukweb page you want ie https://www.aukweb.net/events/download/
when you're dead you're done, so let the good times roll