Author Topic: New audax.uk site  (Read 13609 times)

frankly frankie

  • I kid you not
    • Fuchsiaphile
Re: New audax.uk site
« Reply #125 on: November 23, 2018, 09:38:52 am »
Storing plaintext passwords in 2018?
Sure sounds like it - if indeed this statement above is true.

Password security was one of the main drivers that initially got the Board (as opposed to just some individuals who wanted SHINY) behind the new project.

I'm assuming the new website will eventually have a standard 'user' login that is not merely a membership login - it surely needs to be equally accessible to non-members in terms of repeat visits and event entries.  I'm a bit surprised that what we see so far is actually much more member-focussed than even the old site is - I thought one of the original aims was something more attractive to non-members.
It's not dark yet but it's getting there.

frankly frankie

  • I kid you not
    • Fuchsiaphile
Re: New audax.uk site
« Reply #126 on: November 23, 2018, 09:54:21 am »
If usernames and passwords are trivially available to someone snooping then that someone could login to the site using those details to view the other personal information which is stored within (address, phone numbers, etc).

I know telephone directories are a thing of the past but you're surely not too young to remember how they worked.  Were they evil??

Quote
Sounds like the developers are considering GDPR compliance as another "TODO" item rather than a "no ship" stop item.

I did have a look at the new GDPR documentation a while back, just out of idle interest, and I noticed that up-front they were making a distinction between 'personal data' (which a phone number obviously is) and 'sensitive personal data' (which it isn't, according to GDPR).  I may have got their precise terminology wrong - just going from memory.  AUK doesn't at present hold any personal data which falls under their 'sensitive' heading. 
Agreed though, that compliance absolutely requires encryption and good password practices - I'm sure the new project has both those up front, but there is a problem with Phase 1 where data is being pulled across between servers.
It's not dark yet but it's getting there.

quixoticgeek

  • Mostly Harmless
Re: New audax.uk site
« Reply #127 on: November 23, 2018, 10:35:31 am »
Could people stop trying to log in until we have https? And can we beat whoever it is at the company doing this, with a stick, to make them roll out https asap. Not having it on a site like this is beyond gross incompetence.

Just which part of your personal data do you think is at risk?

If usernames and passwords are trivially available to someone snooping then that someone could login to the site using those details to view the other personal information which is stored within (address, phone numbers, etc).

Sounds like the developers are considering GDPR compliance as another "TODO" item rather than a "no ship" stop item.

Exactly.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Re: New audax.uk site
« Reply #128 on: November 23, 2018, 10:44:05 am »
If usernames and passwords are trivially available to someone snooping then that someone could login to the site using those details to view the other personal information which is stored within (address, phone numbers, etc).

I know telephone directories are a thing of the past but you're surely not too young to remember how they worked.  Were they evil??

The security threat of readily available personal information has increased massively over the last 20 years. Telephone directories being a thing of the past is a good thing!

They'd certainly be considered evil if they were reintroduced now with a default opt-in status.

Quote
Sounds like the developers are considering GDPR compliance as another "TODO" item rather than a "no ship" stop item.

I did have a look at the new GDPR documentation a while back, just out of idle interest, and I noticed that up-front they were making a distinction between 'personal data' (which a phone number obviously is) and 'sensitive personal data' (which it isn't, according to GDPR).  I may have got their precise terminology wrong - just going from memory.  AUK doesn't at present hold any personal data which falls under their 'sensitive' heading. 
Agreed though, that compliance absolutely requires encryption and good password practices - I'm sure the new project has both those up front, but there is a problem with Phase 1 where data is being pulled across between servers.

I'm amazed that encrypting passwords on the existing AUKweb system (and ensuring they're encrypted in the new system) isn't a priority (less so than getting HTTPS on the new site, but still).

Password security was one of the main drivers that initially got the Board (as opposed to just some individuals who wanted SHINY) behind the new project.

I find that sentence quite worrying.

(It's relatively trivial to implement in PHP in the existing system but then I'm not surprised it hasn't been, given the previous comments about how the majority of dev/maintenance work on aukweb was effectively stopped a while back.)

The new system will eventually be GDPR compliant does not excuse ignoring the existing system which isn't going anywhere for a while.
"Yes please" said Squirrel "biscuits are our favourite things."

quixoticgeek

  • Mostly Harmless
Re: New audax.uk site
« Reply #129 on: November 23, 2018, 11:02:44 am »
Quote
Sounds like the developers are considering GDPR compliance as another "TODO" item rather than a "no ship" stop item.

I did have a look at the new GDPR documentation a while back, just out of idle interest, and I noticed that up-front they were making a distinction between 'personal data' (which a phone number obviously is) and 'sensitive personal data' (which it isn't, according to GDPR).  I may have got their precise terminology wrong - just going from memory.  AUK doesn't at present hold any personal data which falls under their 'sensitive' heading. 
Agreed though, that compliance absolutely requires encryption and good password practices - I'm sure the new project has both those up front, but there is a problem with Phase 1 where data is being pulled across between servers.

There is also a whole extra set of rules if you're holding data pertaining to people under 18. I don't know what the minimum age of anyone involved in AUK is, but if we have children on the membership roll, then GDPR gets a whole lot more complex.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

telstarbox

  • Loving the lanes
Re: New audax.uk site
« Reply #130 on: November 23, 2018, 11:10:36 am »
See child protection policy here: http://www.aukweb.net/official/policies/child/
2019 🏅 R1000 and B1000

j_a_m_e_s_

  • Prisoner 17091
    • AUK results
Re: New audax.uk site
« Reply #131 on: November 23, 2018, 12:09:17 pm »
Could people stop trying to log in until we have https? And can we beat whoever it is at the company doing this, with a stick, to make them roll out https asap. Not having it on a site like this is beyond gross incompetence.

Just which part of your personal data do you think is at risk?

I'm using the old site as a preference until I'm forced to use the new one. See how clearly you can see the events coming up? I'm sort of cutting out the middle man, in the sense that anything meaningful is going to divert me back to Aukweb anyway.
The new one isn't quite there, so I've no reason to migrate. Just yet.

1. If linking to the old site we might at least (in this context) use the secure version https://www.aukweb.net
2. I don't expect that link to work for much longer.  The new site is clearly still in alpha but as soon as it gets to advanced beta stage the old front-end will be progressively mothballed and that address will probably just forward to the new site, for a while.  That could just be days away, or it could be weeks, I simply have no idea.

1) What's good for the goose......Sorry, I've corrected that.
Rule 77

Re: New audax.uk site
« Reply #132 on: November 23, 2018, 12:12:03 pm »
It's just mind boggling to me that this site (alpha, beta or whatever) has got anywhere near the live internet without HTTPS. There are absolutely no excuses for it not to have been implemented from day one; this is apparently a professional web development company. It worries me enormously that a statement like "The new system will eventually be GDPR compliant" is even uttered. Eventually? It should be compliant now!!

I don't want to diss the site as I think it looks pretty good. A few things, as I said earlier, need tidying up but overall it looks fine. But the members need confidence that the site will be secure, sustainable and money well spent, the annual maintenance fee is enormous IIRC. The HTTPS issue is not helping with that confidence at the moment.

Re: New audax.uk site
« Reply #133 on: November 23, 2018, 12:17:59 pm »
It worries me enormously that a statement like "The new system will eventually be GDPR compliant" is even uttered. Eventually? It should be compliant now!!

I don't think that statement has actually ever been uttered by anyone. I purposely chose to put it in italics rather than in any form of quotes in the hope that it wouldn't be taken as a quote. The phrase is my guess at how they seem to be approaching this project with regards to GDPR, so it's still an assumption, but I think it's a fair one given the evidence available.
"Yes please" said Squirrel "biscuits are our favourite things."

Re: New audax.uk site
« Reply #134 on: November 23, 2018, 12:24:31 pm »
The correct way to store passwords is using one-way encryption, I'd be very surprised if passwords are stored in plain-text.

Anyone tried using the Password Reminder function?  If you receive an email inviting you to Reset your Password (as opposed to sending you your actual password) it's extremely likely (although you would have to see the database to be 100% sure) that the current system uses one-way encryption and that the password is hashed and salted.  Most servers support such encryption with PHP straight out-of-the-box.

Sites don't have to use HTTPS to be GDPR compliant - the move to HTTPS is mostly driven by SEO, if the site doesn't use sensitive data then there is no technical need for certification.  In fact in most server configurations you can use Let's Encrypt to create self-signed certificates and it costs absolutely nothing.

Then it's just an exercise of trawling through all your existing pages/code and replacing "http://" with "//" and at that point it's also a sensible idea to go through setting up any Redirections in .htaccess so old resources still point somewhere - link retention I think they call it.
Frequent Audax and bike ride videos:

https://www.youtube.com/user/djrikki2008/videos

Re: New audax.uk site
« Reply #135 on: November 23, 2018, 12:43:11 pm »
Anyone tried using the Password Reminder function?

You get emailed a plaintext password that was the default I was given when I first registered many years ago. It's not the same as the password I changed mine to some years ago (which still works after doing the password recovery option).

My guess is this original password is auto-generated using the membership ID as a seed, and it will probably always work. (Yep, I can login with both this reset password and my changed password.)

So, can't tell whether the user supplied passwords are encrypted/hashed based on this.

All kinds of wrong regardless.
"Yes please" said Squirrel "biscuits are our favourite things."
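The two posts above turn on one distinction: a "reminder" that mails the stored password back proves the site can recover the password, whereas a "reset" that mails a single-use link is compatible with salted one-way hashing. The PHP below is an added illustration of the hashed-and-salted storage, the reset-link flow, and the in-place upgrade of a legacy plaintext row that Reply #128 calls "relatively trivial to implement in PHP". It is not code from aukweb or audax.uk; the `$users` array stands in for a database table and its contents, the member id 1234, the function names and the 'pass_plain'/'pass_hash' column names are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the members table (not AUK's schema).
// 'pass_plain' is what a legacy row might hold; 'pass_hash' is the
// column a migrated row uses.
$users = [
    1234 => ['email' => 'rider@example.invalid', 'pass_plain' => 'A1234-seed', 'pass_hash' => null],
];
// token_hash => ['id' => member id, 'expires' => unix time]
$resetTokens = [];

// Hash a password for storage. password_hash() generates and embeds a
// random salt itself, so no separate salt column is needed.
function storeHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Log a member in. A legacy plaintext row is checked with a constant-time
// compare and then upgraded in place, so the plaintext disappears on the
// member's first successful login without a separate migration script.
function login(array &$users, int $id, string $password): bool
{
    if (!isset($users[$id])) {
        return false;
    }
    $row = &$users[$id];
    if ($row['pass_hash'] !== null) {
        if (!password_verify($password, $row['pass_hash'])) {
            return false;
        }
        // Re-hash transparently if the default cost/algorithm has moved on.
        if (password_needs_rehash($row['pass_hash'], PASSWORD_DEFAULT)) {
            $row['pass_hash'] = storeHash($password);
        }
        return true;
    }
    if ($row['pass_plain'] === null || !hash_equals($row['pass_plain'], $password)) {
        return false;
    }
    $row['pass_hash'] = storeHash($password);
    $row['pass_plain'] = null;
    return true;
}

// Password reset: mail a random single-use token, never the password.
// Only the SHA-256 of the token is kept server side, so a copy of the
// database does not contain live reset links.
function beginReset(array &$tokens, int $id, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));
    $tokens[hash('sha256', $token)] = ['id' => $id, 'expires' => time() + $ttl];
    return $token; // this is the only thing that goes into the e-mail link
}

function completeReset(array &$users, array &$tokens, string $token, string $newPassword): bool
{
    $key = hash('sha256', $token);
    if (!isset($tokens[$key]) || $tokens[$key]['expires'] < time()) {
        unset($tokens[$key]);
        return false;
    }
    $id = $tokens[$key]['id'];
    unset($tokens[$key]);               // single use
    $users[$id]['pass_hash'] = storeHash($newPassword);
    $users[$id]['pass_plain'] = null;   // the legacy seed password stops working too
    return true;
}

// Usage on the constructed data.
login($users, 1234, 'wrong');                        // rejected
login($users, 1234, 'A1234-seed');                   // legacy row verified and upgraded to a hash
$t = beginReset($resetTokens, 1234);                 // token for the reset e-mail
completeReset($users, $resetTokens, $t, 'new-long-passphrase');
completeReset($users, $resetTokens, $t, 'again');    // token already spent, rejected
login($users, 1234, 'new-long-passphrase');          // only the new password works now
```

The point of keeping only `hash('sha256', $token)` in the table is the same as for passwords: anything that can be mailed out in clear must not be recoverable from the stored copy. With `PASSWORD_DEFAULT` (bcrypt in current PHP releases) passwords longer than 72 bytes are silently truncated, which is worth documenting if the site allows long passphrases.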

321up

  • 59° N
Re: New audax.uk site
« Reply #136 on: November 23, 2018, 04:17:36 pm »
... the old front-end will be progressively mothballed and that address will probably just forward to the new site, for a while.  That could just be days away, or it could be weeks, I simply have no idea.

So will we lose access to all the things on aukweb.net that haven't been migrated to audax.uk  ???

For example I've not been able to find the calendar download (xls & csv) on audax.uk - this is absolutely essential for us, I can't think of a way to mitigate some of the other issues without it.

Will there be a way to use the aukweb.net long list events calendar after the old front-end is mothballed?  Perhaps this can be added as an optional view on audax.uk before it's removed from aukweb.net?  In its present form the events calendar on audax.uk is horrible to use (i.e. split over multiple pages and right click 'open in new tab' does not work).  Even the audax.uk calendar events map view doesn't show all the rides (I've discovered it only shows events for whatever 'page' of events it's on - what's the point in that?).  Surely being able to quickly and easily find rides is the most important function of the website.  I hope that the events calendar and perm events sections on aukweb.net won't be shut down before they are sorted out on the audax.uk site.

A.

frankly frankie

  • I kid you not
    • Fuchsiaphile
Re: New audax.uk site
« Reply #137 on: November 23, 2018, 05:20:41 pm »
The detail of how the transition will work hasn't been settled yet.  But in general, I'm supposing the highest-level 'subheadings' as shown in the aukweb blue sidebar will each either work in one site or the other.  So - Joining, Calendar, Perms, DIYs etc.  It's technically possible (and occasionally necessary) to get more fine-grained than that (sub-sub- or sub-sub-sub-headings) but I think both sides will want to avoid that as much as possible.
Calendar seems fairly well-developed on the new site (if you like that sort of thing) so is obviously one of the first general areas where aukweb will switch off and simple forwarding into the new site Calendar will occur.  But the Home page itself might transition quite early in the process too - ie aukweb.net will simply forward to audax.uk - and after that it's down to the new site developers to provide access to the old where appropriate (eg Results, Members, Organisers).

If it's important to you, I'd recommend you bookmark the link to the aukweb page you want ie https://www.aukweb.net/events/download/
It's not dark yet but it's getting there.

Re: New audax.uk site
« Reply #138 on: November 23, 2018, 06:38:52 pm »
... the annual maintenance fee is enormous IIRC.

I believe a sum over £2000 per month was quoted at Stirling last Saturday. Or some £25,000 per year approximately to cover looking after the site. Or in other words with say 8500 members then just under £3 each.

Re: New audax.uk site
« Reply #139 on: November 23, 2018, 06:58:51 pm »
This table appears in the most recent board papers (costs per annum inc VAT):
Quote
1st Line Support   £2,340
2nd Line Support   £12,240
Maintenance        £14,400
TOTAL              £17,980

Anyone notice the minor mistake?

(also none of these things are hosting. Place your bets what they might be charging for that)

Re: New audax.uk site
« Reply #140 on: November 23, 2018, 07:44:41 pm »
I'd be surprised if the hosting wasn't covered in the £1200/month maintenance fee, but that's just a guess.

If I'd have known it was going to end up with these kinds of figures (initial outlay and ongoing support/maintenance) I'd have been tempted to tender for it myself.
"Yes please" said Squirrel "biscuits are our favourite things."

Re: New audax.uk site
« Reply #141 on: November 23, 2018, 08:23:47 pm »
I'd be surprised if the hosting wasn't covered in the £1200/month maintenance fee, but that's just a guess.

That's described as two days per month "bug fixes, simple enhancements" at £600/day.

Quote
If I'd have known it was going to end up with these kinds of figures (initial outlay and ongoing support/maintenance) I'd have been tempted to tender for it myself.

Back of the queue!

321up

  • 59° N
Re: New audax.uk site
« Reply #142 on: November 24, 2018, 06:49:54 am »
The detail of how the transition will work hasn't been settled yet.  But in general, I'm supposing the highest-level 'subheadings' as shown in the aukweb blue sidebar will each either work in one site or the other.  So - Joining, Calendar, Perms, DIYs etc.  It's technically possible (and occasionally necessary) to get more fine-grained than that (sub-sub- or sub-sub-sub-headings) but I think both sides will want to avoid that as much as possible.
Calendar seems fairly well-developed on the new site (if you like that sort of thing) so is obviously one of the first general areas where aukweb will switch off and simple forwarding into the new site Calendar will occur.  But the Home page itself might transition quite early in the process too - ie aukweb.net will simply forward to audax.uk - and after that it's down to the new site developers to provide access to the old where appropriate (eg Results, Members, Organisers).

If it's important to you, I'd recommend you bookmark the link to the aukweb page you want ie https://www.aukweb.net/events/download/

Or perhaps AUK could make it easy for us and preserve the menu to all the pages on aukweb.net ?  Perhaps under an 'old website' top level menu?

I gather that we are not the only people who find the calendar and perms event information less accessible on new audax.uk than the old aukweb.net site.  Is there any technical reason why AUK could not continue to provide links to allow people to choose which site they use (at least whilst aukweb.net is still in service)?  It seems to me that would be a trivially easy thing to do and would cost very little or nothing to implement.  Is there any technical reason why the old style pages could not be hosted on the new platform when aukweb.net is retired?  Please explain how AUK can justify removing access to the old style pages when this will make the information less accessible to some people.

An alternative would be to redesign the calendar events and perm events pages on audax.uk so the information is easily accessible to everyone.

whosatthewheel

Re: New audax.uk site
« Reply #143 on: November 24, 2018, 07:25:23 am »
I pay 22 quid per year to Wordpress...  ::-)

Redlight

  • Enjoying life in the slow lane
Re: New audax.uk site
« Reply #144 on: November 24, 2018, 10:55:47 am »
In regards to the new website... quite clearly there has been no big announcement yet, someone leaked the new website address and we are being used as guinea pigs to test the site and iron out any issues before an official release - and nothing wrong with that given the subject matter.

To clarify, the website address wasn't leaked. As the work-in-progress version was being shown to attendees at the Reunion last weekend, it seemed only right that it should be made accessible to any member so that people could try it out and give feedback - as many have done. That was my decision, in the knowledge that there was still a fair bit of work scheduled to bring the "back end" up to requirements and that anyone trying to use the site to enter rides, etc, would find that it wasn't yet fully-functioning.  It seemed better, to my mind, to do this, with the existing site still operating, rather than "launch" the new site with a lot of fuss and risk members not being able to use it straight away.

That said, some of the feedback has been very helpful and has identified things that weren't on the schedule so at least we can get them dealt with before the site becomes "official". 
Between the Disney abattoir and the chemical refinery

Bianchi Boy

  • Cycling is my doctor
  • Is it possible for a ride to be too long?
    • Reading Cycling Club
Re: New audax.uk site
« Reply #145 on: November 24, 2018, 02:50:47 pm »
Just looked at the event list. There are just too many things against each entry. Simply distance, date, time, ride name and location would be enough. What are all the boxes and blank screen areas about? Needs to be slimmed down to the Must in MoSCoW analysis.

Set a fire for a man and he will be warm for a day, set a man on fire and he is warm for the rest of his life.

Manotea

  • Where there is doubt...
Re: New audax.uk site
« Reply #146 on: November 24, 2018, 04:08:27 pm »
Quote
The old system can't be turned off but the web pages will become progressively unavailable (forwarding) as the new site develops.  Seems only right, to me.

If I was responsible for maintaining the old system I might agree but as I'm not I don't. :)

The success of the new system will be measured by its takeup. Turning off the old system for no good reason negates that.

Fact is we're going to be dependent on the old system for event entry and admin purposes for quite some time to come.

So discussions about turning off the old system are beyond premature.

In the real world systems set to be superseded are generally allowed to wither on the vine or at least proper notice given to the point where withdrawal is simply not an issue.

Regardless of whatever approach is taken, all of this might have been thought through, consultation taken and appropriate guidance offered.

(For example, some process for reporting issues arising and the programme for addressing them would have been helpful...)

As is, we have a project which has cost x man years and £100k+ released apparently with no notice or preparation.

Not so much a soft launch as a humpty-dumpty launch...


Re: New audax.uk site
« Reply #147 on: November 27, 2018, 04:44:52 pm »
Ah hah !  ;D Obviously turned custom errors off. Should be remote only in production. Amateurs  ;)
It is what it is. It's not what it's not, so it must be what it is.

Re: New audax.uk site
« Reply #148 on: November 27, 2018, 07:15:15 pm »
A really rather splendid site if you don't mind me saying...
I dunno why anybody's doing this!

Re: New audax.uk site
« Reply #149 on: November 27, 2018, 11:52:18 pm »
Looks OK to me, from a very casual glance.  But I'm a very very very infrequent user of the old site.

The colour coded distances don't work for me, but my colour vision is terrible so hey ...

I clicked on My Audax then View Membership and it crapped out with an unhandled exception (Invalid URI: The hostname could not be parsed.) & stack trace.

Edit: 

If you go to https://www.audax.uk/sitemap/ there's a placeholder showing that shouldn't be there  "____(End of Get Involved)"
Also the prefix hyphens are a bit unsightly, as in "---Top Tips"

The elements on the sitemap are text  and not links to the named pages.
The elements in sitemap do not match the menu drop downs.  Or - more strictly - they nearly do, but not quite.  eg Affiliation, Insurance and Strategy are on the menu but not the site map; History of PBP is on the site map but not the menu.  The Menu item "About audax" is mirrored on the sitemap by "Get involved".  There are numerous other discrepancies.

On the choose a ride page https://www.audax.uk/choose-a-ride/
The links to DIYs and ECEs are prefixed http: not https:.  Therefore the browser throws a wobbly when you click them.

It's still rather arcane.  Audax is full of obscure codes and abbreviations.  That's part of the fun.  But this site doesn't go out of its way to explain them.  One example: https://www.audax.uk/results/rrty-roll-of-honour/ This page does not explain what RRtY stands for.  It explains that to qualify you need to have completed "a validated Brevet de Randonneur" each month for 12 months.  But it doesn't explain that "a validated Brevet de Randonneur" is actually a 200km bike ride.  There are other examples too...

OK, one last minor thing.  On search calendar events, you have to enter a full postcode (eg AB1 1AB).  Many, if not most, postcode searches (eg store locators) will allow you to enter just the outbound portion of the postcode (AB1).  I don't know whether the geolocation service that the site uses supports this, but it would be a nice to have.

Right that's it.  I'll take my nitpicking hat off and leave it alone now.

That's not nit picking. All of this should have been caught at System test by the supplier.
Reine de la Fauche