Andy’s Mind

A high profile case of personal data leaking onto Internet because of poor design of a web application just occurred in Poland. It is worth looking at, I think, as it shows clearly one problem with how many web applications are created today.

First a brief recap of the situation: one of major Polish banks - Bank Pekao, part of UniCredit group - started a hiring campaign. As part of that they hired a PR agency that also built them a special website - zainwestujwprzyszlosc.pl (”Invest in your future dot pl”) where candidates could submit resumes and cover letters. And submit they did - hundreds of them. Then one blogger noticed resumes submitted showing in Google results when he searched for his last name and found someone’s resume available for download. He checked the link and to his amazement found that under http://zainwestujwprzyszlosc.pl/files/0 you could find a listing of more than a thousand resumes and download them. Hundreds of files full of personal details and - as it is usually the case - people making fools of themselves in cover letters.

Following his blog post getting immensely popular the story was picked up by mainstream media, someone notified the authorities and the bank. By Monday the whole nicely designed site was replaced with a brief message posted in a hurry saying that the site is closed.

Now this classic story shows many things one could write about - for example total ignorance of media exploited by bank’s PR who said that this situation “was due to a hacker attack” when it was clearly a major design flaw. Or the fact that after the bank officially stated this and added that they closed the page and people’s data is now secure everyone could easily pull those files from Google’s cache. Or that - worse even - coupling of ignorance with arrogance when they accused the blogger and others of “stealing data”.

But I want to concentrate on the root cause of all this mess which I think is not treating web applications as serious software.

I reckon that all this happened because web is still treated as “pages” - not software. So everyone worries about how their sites are designed in terms of graphic beauty, not engineering. Consequently, building web sites is entrusted to “web designers” or “interactive agencies” or - even worse - PR firms (as in this case). Those well meaning companies or people are usually good at whatever their primary business is (graphic design, communication) but lack knowledge of software engineering.

In fact there are many people now who even claim to be “programmers” because they can build a “script” in PHP or even put things together with Ruby on Rails. This obviously doesn’t make them programmers - just like being able to replace oil in your car doesn’t make you an engine designer - but they still claim that to totally ignorant customers who, let me restate that, don’t treat their sites as software. Bank in question has - I’m sure - a very capable IT department, but I bet this website was ordered by someone from marketing or HR who never bothered to consult his own IT colleagues - because it is just “some pages”.

This approach might have been ok 8 years ago when few web sites were rarely anything more than pages + images. But by now it is hard to find such “pages” anymore - the web abounds with true applications. And applications means software - with all the things to consider “interactive agencies” never heard of like data models, database design, scalability and - yes - security!

But failing to recognize web applications for what they really are (software, getting more complex every year) companies hire wrong people or outsource to wrong teams. And then they have problems.

At Code Sprinters we take a totally different view. We don’t claim to do “pages”, we don’t call ourselves “interactive agency”, openly admit we suck at PR and are not good at graphic design. We are a software company specializing in delivering web applications and systems.

And that we take seriously. We hire only true software engineers, that is people who know what data model is, how database design works, what design patters are - and are trained (and mentally capable) to consider consequences given design will have for scalability and security. Work done by such people does cost more - not only because they are more expensive than “web designers” (which is not always true), but also because they put more work into building each web application - and that because they don’t skip building it to be secure, don’t skip building a suite of automated tests around it and do take care to write the code someone else will be able to read & extend in the future.

To be honest I won’t say we never ever have bugs in our applications - but major design flaws like in this case are simply not possible (leaving important files on a publicly accessible directory and feeding it to Google to index them is outrageously bad design). We would die of shame if anything this bad would ever be delivered by us.

The Peako incident shows clearly that is not wise to entrust building software to people who don’t have a clue about it. Pekao has just learned the hard way what the real cost of doing that is. Consider how much will this bank have to pay now all the people who will be smart enough to sue them for damages? Consider damage to their image and reputation. And take into account that under EU privacy protection laws they even face penalties from the government and are under investigation now.

Others should learn from this example. After all this is a huge bank and it will survive it - hiring is not their primary business and most of their clientele is not geeky enough to understand the problem. But think what would a blunder like this do to an HR company?

So, to sum it all up:

• quality - and security - do cost,
• web applications are software,
• software should be built by people who are qualified to do it,
• “interactive agencies” or “web designers” on average don’t have skills and experience to build complex software.

If you save on your web applications or hire wrong people to build it well - you’re in for trouble.

It is always with amazement that I find looking at my statistics, that the set of key words that brings most of random visitors to this humble blog is “Dilbert Scrum”. This is so ever since I’ve commented on an episode of Dilbert in which agile is mentioned. Based on it I’ve moved on to discuss Scrum - and probably no one else did exactly that, because if you type “Dilbert Scrum” into Google that post of mine is now number 1. I suspect this post will strengthen that effect.

Interestingly, I’m not sure Dilbert ever referred to Scrum directly but even so people think he must have - so they look for it. Also, this shows that people want to find an image, not a text. Texts are boring, you have to concentrate (which is hard) and think sometimes (which is even harder). Images are much much easier. Which is, probably, why Dilbert brings so many visitors to my page who come for only one thing: the link to the comic strip (BTW: It was wrong, I just fixed it).

So, the Irish have overwhelmingly rejected the “EU constitution” disguised as “Lisbon Treaty”. Thank you, Ireland! You did what all those who were denied their say by their supposedly democratic governments hoped for.

But this is not over yet for Ireland - the pressure will now mount, because the euro-socialists didn’t expect anyone to say no this time. Eurocracts will probably try to bully Ireland to get back in line with all kinds of threats - from being “left outside” to economic loses. For now they are expressing their anger by saying that “the NO vote is Ireland’s problem“.

Irish prime minister was already summoned to Brussels to explain himself - which shows clearly what the role of national PMs will be in the future EU super-state. And there is already talk of re-doing the referendum - a nice example of how much respect the supposedly democratic leaders have for the people’s vote.

So, dear Irish friends: hold on tight now!

Not even two weeks have passed since I wrote here about why the ubiquity of Google worries me and now Yahoo is falling into Google’s hands as well. TechCrunch first broke the news yesterday and now is reporting about the conditions of the deal (which are much better for Google) and criticizing Yahoo executives for, basically, giving up on their company and its fight for a place in the Net.

In any case this is clearly a step in the direction of Google becoming the only search engine known worldwide. That would mean a single entity having monopoly over who gets traffic and who doesn’t. Or, in other words, deciding which content is visible and which is not. And this is for sure bending the worldview of its users - if not intentionally then as a result of the SEO experts’ efforts.

This is why I did choose to use Microsoft’s Life Search instead. Joe Ziz commented asking why switch to a search that is not better and is run by a corporate behemoth too.

You see - the point here is not using something technically better but different. If my worldview - as affected by search results - has to be skewed I prefer it to be skewed in a different way. And the problem with search is that with current technology a good search engine requires resources no startup can build. That leaves Microsoft as the only viable competitor - they can match Google’s resources because they can afford it. Probably no one else in the industry can.

And I’m less afraid of Microsoft’s domination of the past than Google’s (near)monopoly of the present. Microsoft just reaped huge profits by selling low quality software, Google is dealing with a much more delicate matter: information.

Now, the big picture behind all this is whether freedom of speech on the Internet will be preserved or not. It is much more likely to survive if there is not too much concentration - that is if the Internet is indeed a neutral pipe connecting small and big alike and putting them on equal footing. If Google (and a few sites like it) dominates and if Net neutrality goes away (which is something all telcos would love to see - selling access to major sites like TV channels is a great idea for Mammon worshipers) then Internet will become as much a censored propaganda channel as TV and radio have became already.

And this is not impossible - the naive thinking of the early 90ies that because the Internet was designed to function after a series of nuke blasts it will be impossible to censor it was proven wrong by China and its Internet Police. In the end it turns out that even if it is technically doable to go around Internet censorship it doesn’t matter if it is too difficult for the majority of the population.

This is a grim vision. It might or it might not become reality. But it is worth knowing how much the shape of the Internet will affect the shape of the society in world’s industrial nations. Google’s influence is not to be underestimated.