Three IT stories came up earlier in the week that show how IT problems and decisions can adversely affect end-users – I’ve had a quick look at each in turn to understand the problems encountered and to try and learn lessons.

• The HTML spec making ‘alt tags’ on images optional for generated content
• The Olympics ticketing website overload at deadline day
• The PlayStation Network security breach and user data release

Accessibility

The first – a change to the HTML specification affecting web content accessibility (WCAG) – is the most minor of the three stories for most people, however it is crucial for a significant proportion of web-users and to accessibility experts signals a worrying direction from the W3C.

The W3 working group reached a decision on the use of the alt attribute on images for the HTML specification. When introducing accessibility to web-developers, one of the first things that is mentioned is entering meaningful text in the alt attribute on images. This allows alternate devices such as screen-readers to provide the alternative description in place of the image. The attribute is currently mandatory and it is customary to use an empty alt attribute for images that do not require a description to be read e.g. decorative images that do not convey content.

The core of the issue that the W3 are addressing appears to be that user generated image content (e.g. photos on Flikr) often does not have the alt attribute populated as users can’t be bothered. In this case, the decision is to allow alt to be optional when the page has been created by a publishing tool (when the document contains <meta name=generator>).

Marc Drummond has a great summary of the issues in his post “When standards go awry“. It’s worth checking out both the article and the interesting comments thread if you’re interested in web-accessibility (and don’t forget to come back here afterwards, k?).

To my mind, the wider question here is about how to enable accessible content when that content is increasingly self-published by users with no interest or awareness in accessibility concerns. Whilst the website creator can ensure the design complies with Web Content Accessibility Guidelines, we can see that user generated content may omit the content of the alt attribute on images, or choose low contrast colours that are difficult to read. I’m not sure that the right answer in these cases is to throw in the towel and say that it’s too hard to get users to do this.

For example UK government websites have a commitment to WCAG AA, and where content management systems are used to manage that content it needs to help content creators with little accessibility knowledge, to enter the relevant information to meet accessibility requirements. In some cases this might be prompting for alternative text, or if a tool allows HTML to be entered directly (e.g. WordPress) providing feedback on the validity of the HTML. By helping users to create accessible content, many of these techniques can help more users than directly targeted e.g. by ensuring that alt attributes are entered correctly, we help not just the target of blind people, who are the ‘typical’ screen-reader users, but also dyslexic users are aided and low bandwidth users with images disabled in their browser.

Olympics

The ticket sale for the 2012 Olympics has been making headlines for all sorts of reasons and at the deadline of the bidding phase for tickets, entirely predictably the website struggled under the load. For all the criticism there a few interesting elements to the ticket sale,. Putting aside the concerns about using a lottery approach I found the website (over)load arising from the lottery interesting. For one thing, the tables were turned: usually a website crashes at the start of a ‘first come, first served’ ticket sale as thousands of people simultaneously try and grab tickets before they run out.

When enough people want to access a website like this at the same time, it’s little different to a DoS attack. There are technical methods for minimising the impact of a surge of users (e.g. adding extra servers for horizontal scaling, caching, very small page sizes), but an alternative is to try and avoid the surge from happening at all. By using a ‘lottery’ type system, the ticket allocation is spread more widely than just the people on the ball enough to be on the website at 9 o’clock on the opening day. Also its now just the ‘Johnny come latelys’ that experience the overloaded website. I wonder if they could have avoided the late rush too, for instance by having staggered deadlines for instance per country or county, or by letter of surname: it wouldn’t need to be by much, but stretching the deadline over a few days would help to spread the load.

PSN

The big story of the day is the admission by Sony that the PlayStation Network (PSN) had been hacked, with user details of 77 million people lost, including names and passwords. The announcement was unable to confirm definitively that credit card details had not been taken. It is worth noting that Sony have taken a number of textbook steps for dealing with a security breach. Firstly they shut down the systems once the intrusion was detected. They resisted the pressure to keep the systems running, in order to ensure the intrusion did no further damaged and to preserve the evidence for investigation. They also brought in an external security firm to investigate the breach. It is more unfortunate that it took nearly a week to advise people that the data loss had occurred, by which point some of the opportunity for limiting personal loss (e.g. changing passwords and credit card details) had been lost.

Passwords

Firstly if you’re a PSN user, it’s time to change any passwords on other services that share the same password and quickly. You may want to contact your bank to get new credit cards issued too.

There are a number of other actions and questions around security here, both for Sony and for users. A lot of people have jumped to the conclusion that because passwords have been leaked, they must have been stored in plain text. This may turn out to be the case, but I suspect that what has been leaked is the contents of the password table which has the ‘hashed’ version of the password. This is the password once it has been run through a one way cryptographic routine. Whenever you enter your password it is hashed and compared with the hashed version in the password table. This ‘hashing’ function is designed to be one way (i.e. very hard to reverse back to the original string).

It is possible to crack these however; one technique is to use ‘rainbow tables’ which are pre-computed tables of every possible hash value, allowing the reversal to be performed by lookup, rather than calculation. Jeff Atwood at Coding Horror has an excellent article on Rainbow Hash Cracking including techniques of improving the security using ‘salting’ to add extra characters to the password before hashing to make the resulting hashed value unique.

I sincerely hope that Sony were using password storage techniques such as these, rather than storing as plaintext as has been implied on many discussion fora. And any companies that are not using these techniques should treat this as a wake-up call and review their password storage policy immediately.

Either way though, as a user, it is time to change any passwords which were the same as the PSN password. As a user it also raises the old dilemma of how to manage passwords for tens of different services, avoiding overlaps in case of breach but still keeping the password list manageable and memorable. Whilst having a common password for message boards may be a reasonable risk to help with memorability, it it becoming more pressing to have different passwords for each service that holds financial information such as banking and anything that holds credit card details (e.g. Amazon). These should be strong passwords: strength can be checked using the password meter. If this is still an unmanageable number of passwords, then perhaps it is time to consider using tools such as LastPass, which stores passwords encrypted on your PC and allows easy entry of credentials.

Consequences

The consequences of a breach like this can be very serious for the affected company, which is why organisations need to take this seriously. Firstly there is the potential for fines from regulators for breach of data protection laws. If the data is held in the UK, then the Data Protection Act applies, which appears to allow for a £500K fine and potentially prison sentences for negligent individuals. For smaller organisations and start-ups, this fine could put them out of business at a stroke. Depending on where the data was held, different legislation and consequences will apply. Regardless of the fine levied, Sony have vast resources available and should be able to meet it. The risk to Sony’s reputation is far greater however. A loss of confidence in the PlayStation as a result could see consumers moving more and more to other consoles, which is likely to have a far greater impact on Sony’s fortunes.