GLOBALink Technical Review - Confidential Report
Sunil Abraham, Director – International Relations, Mahiti Infotech Pvt. Ltd
Technology
- Homegrown Content Management System: The site uses a customized content management system [CMS] that has been built in an iterative fashion over several years. Years ago, this was the right thing to do because there were no mature CMSs available under a FOSS license. This situation has completely changed. Homegrown CMSs today are the exception, not the rule. None of GLOBALink's requirements in terms of presentation, persistence or functionality require a custom-built CMS. All its requirements can be implemented on any standard FOSS CMS given a sufficiently trained technical team. By sticking with its technological legacy, GLOBALink is wasting valuable resources by repeating efforts and errors.
- Single CMS and Multiple Channels of Delivery: Today, there are more mobile phones in China than people in the USA, and they send 1.6 billion Short Message Service [SMS] messages per day. It is a similar situation in India, the Philippines, Indonesia and many other parts of the Asia Pacific region. Mobile and SMS penetration is several multiples of PC and Internet penetration. GLOBALink is absolutely right in sticking with email to engage with its traditional supporters, but it should also engage with new constituencies by employing Really Simple Syndication [RSS], SMS, WML, etc. There is an urgent need for GLOBALink to ensure that its website is accessible from mobile phones and devices by implementing a proper style sheet. Here again, standard CMSs like Plone come with multiple style sheets for different clients.
- Multiple CMS Instances for Partners: Apart from the heavily controlled content featured on the public and member sections of the website, GLOBALink is also hosting websites for tobacco control activists and organisations across the world. Even though the server has support for PHP and MySQL, most partners will be forced to write their own code to manage their websites. We recommend that GLOBALink installs and provides standard FOSS-based CMSs such as Joomla and Plone to its partners, making it possible for non-technical users to build and maintain large and complex campaigning websites around tobacco control.
- Single Point of Failure: The technologist who develops a homegrown CMS is its single point of failure. Only the current web master understands it and is able to maintain and upgrade it. If, God forbid, he is unavailable to GLOBALink then it will take at least three months for a replacement web master to learn the system and come up to speed. This also means that all security patches, new features, upgrades, updates, corrections can only be implemented by the web master. It is not possible for the management of GLOBALink to subcontract technical work for the CMS to external service providers. This reduces GLOBALink's institutional agility.
- Cascading Style Sheets: The site does not properly implement Cascading Style Sheets [CSS]. For example, the member edit form has several problems – the banned <FONT> tag is used; attributes for <TABLE> tags are hard coded; “class=selectbold” is repeated for all the <OPTION> tags of the form element Guessed Cities. Implementing CSS will result in four benefits: consistency across different browsers and platforms; reduced page weight; uniformity across the site; and ease of code maintenance. W3C-compliant CSS should be implemented as soon as possible.
- Change Management: There does not seem to be any process in place for design and documentation. New features have been added and improvements have been carried out in an ad hoc manner based on user feedback. It was noted during the meeting that even some of the most important stakeholders were not consulted before building the next version of the website. There is a need to redesign the whole site based upon a proper consultative process with all the stakeholders. Special care must be taken to ensure participation of all age groups and nationalities.
- Code Quality: Coding style is poor. Tags are not indented according to their position in the document hierarchy. This makes the code unreadable.
- Conservative Outlook: Due to work overload, the current web master may not have been able to update his technical skills. He appears not to be aware that modern CMSs can be easily integrated with databases and mailing list software. The technical destiny of GLOBALink as a network and community should not be wedded to an individual's ability.
Security
- Unencrypted Password! The homegrown CMS has one of the most serious security flaws known to the world of web development. During registration, passwords are normally processed by a Cryptographic Hash Function, which creates a digital fingerprint. Only this digital fingerprint is stored in the database. The original password is never stored in the database in plain text or in any other format from which it could be recovered. This is because the web master would then have access to the passwords of all users. When any user tries to log in to the site, the password provided is again processed by the Cryptographic Hash Function and the resultant fingerprint is compared with the fingerprint in the database. Currently GLOBALink is storing the password in plain text and also sending the password back to the browser in plain text. This is MOST DANGEROUS. Using this I was able to determine that Ms Katie Walford's password is “m******13”. She works for the Government of New South Wales in Australia. Very often Internet users give the same password for commonly used services. Using this password a malicious administrator or web master could inflict serious financial and personal damage upon members of the community. With a little “Social Engineering” a cracker would be able to enter other password-protected systems used by Ms Katie Walford. This also exposes the tobacco control community to hackers from the tobacco industry. We recommend immediate implementation of SHA-2 based hashing of passwords. This is a standard feature in most FOSS CMSs.
- User Authentication: The site currently uses challenge-response authentication instead of cookie-based authentication. This is alien to most regular web users, as the gray window that appears looks very different from the standard browser controls. Also, this type of authentication does not permit an easy logout, which is a serious security concern, especially in countries where activists use shared access to the Internet.
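The logout problem above is what a server-side session store solves: the server, not the browser, decides when a token stops being valid. The following Python is an added illustration, not code from the GLOBALink CMS; the session table, the idle timeout and the function names are assumptions for the example.

```python
import secrets
import time

# Constructed in-memory session table; a real CMS would keep this in its database.
SESSIONS = {}
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session expires on its own


def create_session(username, now=None):
    """Called after the login form has verified the password: mint a random
    token that the browser stores in a cookie (Secure; HttpOnly) and sends back."""
    token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
    SESSIONS[token] = {"user": username, "last_seen": time.time() if now is None else now}
    return token


def current_user(token, now=None):
    """Resolve a cookie token to a user, or None if absent, expired or logged out."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None:
        return None
    if now - session["last_seen"] > IDLE_TIMEOUT:
        del SESSIONS[token]  # idle on a shared computer: forget the session
        return None
    session["last_seen"] = now
    return session["user"]


def logout(token):
    """Server-side revocation: even a browser that still holds the cookie is
    locked out, which HTTP challenge-response authentication cannot offer."""
    return SESSIONS.pop(token, None) is not None


def logout_all(username):
    """Revoke every session of one user, e.g. after a password change."""
    doomed = [t for t, s in SESSIONS.items() if s["user"] == username]
    for t in doomed:
        del SESSIONS[t]
    return len(doomed)
```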
- Access Control: The site uses an overly simple access control policy. Users are either authenticated (“logged in”) or anonymous (“logged out”). There are no roles or user groups through which an administrator could grant or revoke permissions on end objects and container objects. This prevents granular and delegated access control. Using a standard CMS with proper user and rights management infrastructure would allow for more user-generated content and more collaboratively authored content.
- Homegrown Content Management System: The site uses a customized CMS and therefore there has been no independent security audit. Standard CMSs such as Plone, which are used by organizations such as the US Government and NASA, usually have a better security record than homegrown CMSs. If a breach is discovered in a FOSS CMS, then thousands of developers across the globe come together to find a solution. In the case of GLOBALink there is only one web master. This means that vulnerabilities could remain unresolved for weeks, exposing the community to its dangerous foes.
- FTP Service: Currently GLOBALink uses FTP internally and also provides FTP services to members that host their website on its servers. The FTP protocol depends on the transmission of the password in plain text, which could be intercepted by the opponents of this community. We recommend that FTP services be terminated with immediate effect and replaced with SCP and/or SFTP.
- Redundant Authentication: The administrator has to re-authenticate when moving from one backend interface to the other. This can be addressed by migrating to a standard FOSS CMS with a properly developed authentication and access control system.
- Password Complexity: There are CMS plugins that help the user to select a password with sufficient complexity – ideally a mixture of numbers, letters and special characters. The password of Harold Colomes is 'toto', a dictionary word; such words are the first candidates tried in brute force attacks on the server. We recommend that this be addressed as soon as convenient.
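The two recommendations above (hashed storage from the "Unencrypted Password" item, and a complexity check from this one) fit together in the registration and login paths. The following Python is an added example, not the GLOBALink CMS's code; the in-memory member table, the tiny dictionary of weak words and the function names are constructed for illustration, and it uses PBKDF2 with HMAC-SHA256 (a salted, iterated member of the SHA-2 family) rather than a single bare SHA-2 hash.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for the members table; a real CMS would use its database.
MEMBERS = {}
ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster
WEAK_WORDS = {"toto", "password", "123456", "qwerty"}  # constructed mini dictionary


def check_complexity(password):
    """Return None if the password is acceptable, else the reason it is rejected."""
    if password.lower() in WEAK_WORDS:
        return "dictionary word"
    if len(password) < 8:
        return "too short"
    if not (re.search(r"[0-9]", password) and re.search(r"[A-Za-z]", password)
            and re.search(r"[^0-9A-Za-z]", password)):
        return "needs letters, digits and a special character"
    return None


def register(username, password):
    """Registration path: enforce the policy, then store only salt and digest."""
    reason = check_complexity(password)
    if reason:
        raise ValueError(f"password rejected: {reason}")
    salt = os.urandom(16)  # per-user salt defeats precomputed hash tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    MEMBERS[username] = {"salt": salt, "hash": digest}
    return True


def login(username, password):
    """Login path: recompute the fingerprint and compare in constant time."""
    record = MEMBERS.get(username)
    if record is None:
        # Hash anyway so response time does not reveal whether the username exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def stored_secret(username):
    """What a web master or a database dump can see: salt and digest, never the password."""
    record = MEMBERS[username]
    return record["salt"].hex() + "$" + record["hash"].hex()
```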
Usability
- Aesthetics: Overall the website has poor aesthetics and usability. Several fundamental mistakes have been made. This is because the current web master is a Programmer and not a Graphic Designer, User Interface Engineer or Information Architect. Effective websites today require multidisciplinary teams and cannot be executed by a one-man army. Engaging public imagination and triggering camaraderie in a community is as much a design challenge as it is a technical one. We strongly recommend that GLOBALink engage the services of a graphic designer immediately.
- Search System: The search system is broken and needs immediate attention. From the usability perspective there are several problems. The header is incomplete on this interface. The search widget is titled “Search Engine”, which usually implies a service similar to google.com and is therefore inappropriate for an internal site-specific search system. The text box for the search term is not labelled. The style of the text box is a Serif font while all other components of the search widget are Sans Serif. The labels “No Date” and “Custom date” are not intuitive. The “Menu” hyperlink is too close to the search widget. The search system does not allow the user to search across a date range, which is common on sites with large archives. The search results interface has additional problems. The search results widget is titled “Result of your query”. Query is a technical term associated with RDBMSs that has not been used earlier in the search widget and will therefore confuse the user. If a search returns more than 30 results, a JavaScript popup says, “Your request returned more than 30 results. Please be more specific”. JavaScript popups should be avoided since they look similar to system alerts and can be alarming for non-technical users. These popups also remove the focus from the browser window, thus necessitating an additional click either to regain focus or to close the popup window. The “30 result” limitation has no precedent on the Internet and seriously impedes usability. This JavaScript popup should be removed and replaced with a proper pagination system that should include “Next”, “Previous”, “XXX of YYY results” and an indication of the current page. The search results should be in reverse chronological order [latest items on the top]; the current order gives the impression that the site has not been updated for a long time.
The search results widget should also allow the user to change the sort order based on “Title”, “Date of Creation/Publication” and “Author”. It would also be nice if the search widget could include “Content Type” so that the user can distinguish between articles and forum posts.
- Directory: The search widget in the Directory interface is titled “GLOBALink World TC directory”. TC should be expanded to its full form. The “Search” button uses a different style from the “Go!” button deployed on the site-wide search system discussed above. The secondary title “Search Engine” also uses a different style from the title on the site-wide search system. In member directories the primary field is usually “Name” and not “Country” as in the current interface; this is because the typical use case is “I am looking for XXX from YYY”. The check boxes for “MSN” and “Skype” are unnecessary – it is also not clear why other instant messaging and internet relay chat services and technologies are being discriminated against. Additionally, the third check box is labelled “Picture”, which has nothing to do with the earlier two options – this search option should be made visually distinct from the others. The label “options” is meaningless to the average user. The term “Sort by” is redundantly used in the drop down box. Usually a field that is available as a sort option would also be searchable through the search system. This is not the case with “City”.
- Discussions: There is no way for the user to distinguish between high traffic and low traffic discussions. There is also no way for the user to distinguish between discussions with recent updates and those that have not been updated for a while. The red circular icon is called “light”; this visual analogy has no precedent on the website. The message box that provides instructions for the use of this icon has the word “click” underlined – it is not clear why this has been done since it is not a hyperlink. Even though the interface is titled “GLOBALink discussions”, the hyperlink used to access more discussions is titled “Click here for more lists”. This is counterintuitive. Moving on to the discussion summary page, which features posts under a specific discussion or list: here there is no threaded view of the discussion, so it is difficult for a user to understand “who responded to whom and in what sequence”. Pagination is missing, so the user might have to click on “earlier” or “later” repeatedly to get to the relevant post. The complete row representing the post summary is highlighted and the mouse changes to the hover state – therefore it is difficult for the user to tell whether the click will result in the “post detail” or in the “member profile”. A thumbnail of the member is provided alongside each post summary – this unnecessarily increases the page weight and can be irritating for users from the developing world with poor connectivity. The titles of the posts have been abbreviated even though there seems to be sufficient space for them in each row. The maturity of the member could be represented in relative terms [i.e. member for 8 years] instead of providing an absolute date [i.e. member since 16 Feb 1994]. This could also be represented graphically by using a graduated scale. The star icon scheme used for rating each post is not explained. Finally, at the interface for viewing the detail of a single post: here, the summary user profile at the top of the page is confusing.
The user has clicked to view the detail of a post, but the profile summary is given greater prominence. Here the maturity of the member is titled “Joined GLK since”. It is not clear why GLOBALink has been abbreviated here. Also it is not clear whether the poster joined as a member or in some other capacity. It is not clear why there have to be two separate hyperlinks for “Full profile” and “Contact”. Ideally these two links should be combined and contact information should be available on the “Full Profile” interface. The RSS feed for the discussions could be improved. The feed only contains the title, forcing the user to come to the website to read the body text, even though the RSS feed requires HTTP-based authentication. In other words, users of RSS readers are already counted as part of site statistics, so there is no need to draw them to the website repeatedly. The metadata category is the same as the post title and is therefore redundant.
- FAQ: The FAQ interface hides all answers by default and requires the user to click on each question in order to view the answer. Since most of the answers consist of a couple of sentences there is no need to make the user click repeatedly like this. Most web users scan web pages and will find the FAQ interface cumbersome.
- Backend Database Tools: The interface for missing approvals is not intuitive. If we were to examine these two records, it is not clear why one is approved and the other is missing approvals. From the list interface it is not possible to easily tell the age of each request for approval and the number of missing approvals per applicant. It would also be useful to have totals next to the hyperlinks to these interfaces from the admin sub-homepage. Otherwise the administrator has to click each time to see if there are any “missing approvals” or “missing city or country”. The system to create smokefree places is very cumbersome. It uses a wizard-style sequence of menus, but the form fields are not distributed uniformly. The first three tabs of the wizard accept only one field and the last tab requires 22 fields. This defeats the purpose of using tabs. The icon system used for the “Environment” form fields is unnecessary. The 'delete' hyperlink, which affects the whole record, should be a button instead and should be placed next to the “Cancel” and “Update” buttons instead of next to the “Valid” form field. There is no easy way for the administrator to delete multiple records. If the user clicks on “Get GLK members from list” on the admin sub-homepage they reach an unintuitive interface titled “Gross Data”. On clicking the “TobaccoPedia Admin Page” hyperlink on the admin sub-homepage the user reaches an interface without header and footer. There is no easy way for the administrator to delete multiple invoices, and no search system for invoices. Some of the links on the “Database Tools” widget on the admin sub-homepage are reports while others are interfaces for updating records. These should be visually separated. Passwords for the GLOBALink FTP accounts are transmitted and displayed to the administrator in plain text – making the security flaw discussed earlier obvious. No facility is provided to delete individual or groups of FTP accounts. A facility to add new templates does not exist.
Clicking on “Poll Admin” on the admin sub-homepage results in a “404” error.
- Grid Consonance: The arrangement of the form fields lacks grid consonance. This greatly reduces the readability of these forms. This should be addressed in the next version of the application in consultation with a graphic designer.
- Fonts: Multiple fonts and font sizes are used in the same form. Multiple colours are used without any clear rationale for the choice and deployment of colour. We recommend that an aesthetically pleasing, W3C CSS-compliant style sheet be developed at the earliest opportunity in consultation with a graphic designer who understands and sympathizes with the global campaigns against tobacco.
- Menu Hyperlink: Many frontend interfaces have a hyperlink titled “Menu”. Most web users are unfamiliar with this term as it is usually used in connection with desktop applications. We recommend that this hyperlink be deleted from all frontend and backend interfaces.
- Registration Form: The form has far too many fields for people with limited English language skills coming from developing countries. Some of the language used on the form would be difficult to understand, for example, 'Please report this word in the following text box'. It would be better to use, 'To help us fight spam, please enter the letters in the image into this text box'.
- URLs and Brands: The GLOBALink website consists of several different URLs such as Tobaccopedia.org, Localink.org etc. Ideally these should be replaced by wiki.GLOBALink and local.GLOBALink. Multiple brands and URLs, if used by organisations with limited budgets, usually end up fracturing the community.
Comments