Friday, 25 July 2014

Why does it seem so difficult to get the basics right?

This post was triggered by a recent stay in a London hotel. Those of you who know me are fully aware that staying in hotels isn't a particularly unusual thing for me, but in this case, finding a hotel which addressed my basic needs so well is definitely unusual.

You might be asking yourself why my basic needs are so unrealistic as to be rare to find in a hotel so let's look at that.


In my case one of the most important elements for a hotel room is temperature. Personally I like my hotel rooms on the cold side - if it's too warm in the room then I will have a terrible night's sleep which is no fun but far too often what the hotel terms as "air-conditioning" and what I understand by that are totally different. This hotel's air-con was excellent - so much so that I had to turn it up from the coldest setting which is unheard of for me!

Next on my list is a comfy bed but again, what I consider "comfy" and what someone else does could be quite different things. This bed was very comfy with a nice duvet and lovely feather pillows - I was a happy boy.

Finally on my list of basic requirements is peace and quiet. I am quite a light sleeper and a room too near a lift or a noisy area will disturb my sleep badly.

Given that my list of basic needs turns out to be three items (cool enough, comfy bed and quiet enough) I find it a bit shocking that it's so rare that I find a hotel that adequately meets these needs.

That leads me on to ask - how many other businesses are getting the basics wrong? It's very easy these days to be distracted by the latest technology, or by focussing on winning new business, or any number of other things. I think it's worth remembering that regardless of what business you are in, you should try and get right back to basics sometimes and make sure you're doing those things as well as you can.

Wednesday, 25 June 2014

Bad usability: Halfords website search

I needed some oil and decided to go to the Halfords website and see how much it cost. I typed "10W30" into the search facility and the website searched for "power". As you can see from the image below, this search returned 197 results - not one of which had any relevance to what I was looking for.

Ironically the oil I wanted does exist on their website but you can’t search for it unless you know to add the word "oil" into the search term. Even then, their website search results seem to prioritise any number of other oils which aren't 10W30 over the one product that is. 

Friday, 6 June 2014

Simon on: Wearable technology

So wearable technology in the form of Google Glass or smartwatches is supposed to be the latest game-changer for the meetings industry. This looks very much like another example of the latest shiny thing being hailed as a breakthrough.

In spite of the hype surrounding the likes of the Galaxy Gear, the watches are little more than repeater stations for smartphones and they need charging every couple of days.

Then there’s Google Glass which appears to provide a connection to email, the Web and other functions by showing, in effect, a heads-up display in the top right corner of the wearer’s field of vision. 

Various voices are already being raised in alarm at the privacy issues the gadget raises by providing users with the ability to record video and take photos using Glass without anybody else knowing.

But the point about all of this is that none of the technology provides a real benefit to the meetings industry. It’s a distraction. It’s probably going to have as much impact as 3D television had on the nation’s viewing habits. 


The good news for meeting planners is that, for now, all those blogs promoting wearable tech can be safely ignored.

Originally published in Conference News

Simon on: Free Wi-Fi at events

People are still demanding free Wi-Fi at conferences because hotels and coffee shops do it, so why not conference venues? Sadly, it’s not as simple as that.

Over recent years the number of Wi-Fi devices being carried by conference attendees has increased significantly. Many now have at least one smartphone plus a tablet computer and probably other kit as well.

The problem is exacerbated by the increasing number of people carrying MiFi devices which, as Apple found out years ago, can create havoc on a Wi-Fi network.

The increasing number of Wi-Fi-enabled devices means that, while an organiser of a conference for just a few hundred has a fighting chance of providing reliable free Wi-Fi, those running bigger events have a choice: bring in a specialist or deal with a stream of complaints about poor connectivity.

The problem is that Wi-Fi is not an inexhaustible resource: there are only a few channels available and they can become clogged quickly, meaning that the range and capacity of the Wi-Fi access points fall to the level where the service is virtually unusable.

So if you have more than a few hundred attendees and you want stable, reliable Wi-Fi at your conference, you have to accept reality: you have to pay to provide the service. Don’t assume you can get it free.
Originally published in Conference News

Thursday, 5 June 2014

How to choose a good password

As many of you will know, online security is a subject I'm fairly passionate about. So much so that I've been writing a fair bit and also speaking at some events about it all lately.

After looking back through my blog posts I realised that I've not written anything about how to choose a good password and that is the most crucial element in the fight to keep your online accounts safe. So now seems like the perfect time to remedy that and explain the current best practice for passwords.

I specifically say "current" best practice because like most things - the advice can change from time to time and actually has changed over recent years.

The old advice for creating a secure password was to have a random string of upper and lower case letters interspersed with numbers and symbols. Something that didn't look anything like a word you would find in a dictionary and that was at least 12 characters long (and preferably more like 16 characters). Something like this :-

UY8&beY!6alPQ:3s

Although that is a 16 character password, there are a couple of problems with it - the biggest of which is that it's incredibly horrible to remember and most people couldn't.

At this point I need to explain that there are ways to measure how good a password is and the best way is something called "entropy" which is basically a measure of the randomness of the characters in a password. You really don't need to understand how that works but we can use that as a comparison for how strong some example passwords are. The 16 character password above has an entropy of 77.7 bits.

Being able to remember a password is obviously a major requirement of passwords - otherwise people will write them down and that means someone else could find out what they are easily.

So instead of the older password advice, there is now some much better password advice which is to select 4 completely random words that are not related to each other and string them together. So for example :-

correcthorsebatterystaple

I've highlighted the individual words (correct, horse, battery, staple) so that you can better distinguish them. I don't think anyone would dispute that this password is much easier to remember than the previous example and it is actually more secure as it has 93.6 bits of entropy.

Even so, that's not the best we can do with this password and a couple of very simple tweaks will make it much better. Those tweaks would simply be to capitalise the first letter of each word and to include a bit of punctuation like this :-

Correct!Horse&BatteryStaple?

This password is now still fairly simple to remember but has 140.2 bits of entropy which is approaching twice as secure as the first password I showed.
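To make the comparison in the post concrete, here is an added example (not code from the original post) that generates both kinds of password with Python's CSPRNG and computes the entropy of each generation method. The bit counts quoted in the post come from the author's entropy estimator; this script instead computes `picks * log2(pool size)`, which is the entropy of the method itself and the bound that applies when an attacker knows the character set or word list used. The small word list and the Diceware (7776) and dictionary (100,000) list sizes are assumptions used for illustration.

```python
import math
import secrets
import string

# Constructed stand-in for a word list. A real Diceware list has 7776 words;
# entropy below is computed from whatever list size is passed in.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "river", "candle",
                "orbit", "walnut", "glacier", "pepper", "velvet", "anchor"]

# Upper, lower, digits and punctuation: 94 printable ASCII symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def picks_needed(target_bits: float, pool_size: int) -> int:
    """Smallest number of uniform picks from `pool_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def random_char_password(length: int = 16) -> str:
    """Old-style password: random printable characters from a CSPRNG."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def random_passphrase(words: list, count: int = 4) -> list:
    """Newer advice: pick `count` words uniformly at random from a word list.
    Returned as a list so formatting can be applied without touching the choice."""
    return [secrets.choice(words) for _ in range(count)]


def format_passphrase(words: list, separators: str = "!&?") -> str:
    """Render words similarly to the post: capitalise each word and put a
    punctuation mark after it while marks remain. A fixed formatting rule aids
    memory but adds no entropy, because an attacker who knows the rule applies it too."""
    out = []
    for i, w in enumerate(words):
        out.append(w.capitalize())
        if i < len(separators):
            out.append(separators[i])
    return "".join(out)


def compare_strategies(diceware_size: int = 7776, dictionary_size: int = 100_000) -> dict:
    """Entropy of the generation methods discussed in the post (assumed list sizes)."""
    sixteen_chars = entropy_bits(len(PRINTABLE), 16)
    return {
        "16 random printable chars": round(sixteen_chars, 1),
        "4 random Diceware words": round(entropy_bits(diceware_size, 4), 1),
        "4 random words from a 100k dictionary": round(entropy_bits(dictionary_size, 4), 1),
        "Diceware words needed to match 16 random chars": picks_needed(sixteen_chars, diceware_size),
    }


if __name__ == "__main__":
    print("random characters:", random_char_password())
    chosen = random_passphrase(SAMPLE_WORDS)
    print("passphrase:       ", format_passphrase(chosen))
    for label, value in compare_strategies().items():
        print(f"{label}: {value}")
```

The two things to take from running it: the words themselves must be chosen at random (human-picked "random" words cluster badly), and with a fixed list of 7776 words you need more than four words to reach the same entropy as 16 truly random characters, which is why tools that generate passphrases usually offer six or more words.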

So, now you know how to create a really secure password and keep your online accounts and data safe, but we're not quite finished. The final thing we need to consider is that passwords do get lost, and not just by you - as the recent eBay hack has proved, even the biggest players on the internet have security problems from time to time, and there have been many of these attacks which have revealed passwords.

For that reason, it's REALLY important that you have a different password for each account on the internet. I know that's much easier said than done but there are tools like 1Password.com or LastPass.com which will help deal with that.

The MOST important piece of advice I can give though is, no matter what else you do - make sure you have a completely different and secure password for your email account, because most websites will allow a password to be reset by email, so if someone can log in to your email they can probably log in to most of your accounts.

Thursday, 29 May 2014

Simon on: App security

Ask any organiser whether they would mind a competitor getting hold of a full list of their registrants in order to promote a competing event and most would probably object.

Yet, according to recent reports, that’s what’s happening at some events. In some cases, the organiser has apparently been told that it’s possible and has ignored the warning.

The situation has arisen because some conference apps (not all by any means) allow any user to download a full list of registrants, in some cases along with all their personal information.

A competitor doesn’t even need to attend the event. All they do is download the app to get free access to the registrant database.

The fact that some organisers have been told that this is possible with their event app and have done nothing to prevent it suggests that they don’t care about the security of their data.

Unfortunately this seems to be a common attitude these days. A recent conference session on Internet security attracted only a handful of delegates while another promoting the wonders of social media was a sell-out.

Perhaps it’s time for organisers to learn how to safeguard their assets before being swept up by the latest bandwagon.
Originally published in Conference News

Wednesday, 28 May 2014

Data security is a deadly serious issue

My recent blog post said that programmers who stored passwords in plain text should be beaten to death with a house brick. That caused someone to email me saying that they thought it was a bit extreme and that perhaps I should consider changing it.

So the first thing I'd like to say is that my comment was not meant to be taken literally but I seriously believe that was obvious. I did have a think about it and I believe the sentiment was justified as a way to highlight the seriousness of the situation and I'd like to explain why starting with some examples.

The first example is the British Pregnancy Advice Service. They have a website which amongst other functions, allows people wanting advice on pregnancy, abortion and contraception to request contact from the charity.

Unfortunately, the charity didn't manage their website development well and didn't know that their website was storing highly sensitive personal information about people who contacted them. Their website was also vulnerable to hacking and someone broke into the site and stole a lot of sensitive personal information.

The charity was fined £200,000 by the Information Commissioner's Office in the UK – something that will certainly hurt badly for them but it was less than the maximum possible fine of £500,000. The charity said they were "horrified at the scale of the fine" but the ICO's Deputy Commissioner said "ignorance is no excuse".

At this point I need to say that I have no idea whether there were unprotected passwords in the BPAS website but at the same time, most attacks by hacking exploit lazy or bad programming that doesn’t adequately protect the data in question.

Then there's the case of Cupid Media who operate a variety of dating sites. In 2013 they were hacked and 42 million user account details were stolen from their server. Sadly these details did include plain text passwords and unfortunately, many people regularly use the same password for every website meaning lots of other sites that they are registered with could also be hacked.

Rather disturbingly I also saw a website recently which had almost no security – the admin elements of the site could be reached if you knew the right URL with no login at all and this website stored both passwords AND credit card details in plain text. Honestly, this is probably the most scary example of bad programming I have EVER seen in my life.

Even the general standard of programming was truly shockingly bad. Unfortunately, the person who wrote that website allegedly does this stuff for a living but honestly shouldn’t.

My point is that if a programmer doesn't understand that storing passwords in plain text is one of the worst possible things they can do then there is realistically no chance that they will understand all of the other security threats or how to keep your data safe.
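To show the difference between the practice criticised above and the correct one, here is an added example in Python (not code from the original post or from any of the sites it describes). It puts the plain-text anti-pattern beside salted PBKDF2-HMAC-SHA256 storage using only the standard library, and shows what a dump of each kind of record gives away. The in-memory "user table" and the default iteration count are constructed for the example; a real site would store the same fields in a database and tune the count to its hardware.

```python
import hashlib
import hmac
import secrets

# Assumed default; the count is stored with each record so it can be raised later.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(users: dict, username: str, password: str) -> None:
    """The anti-pattern the post describes: anyone who reads the table
    (a breach, a backup, a careless admin page) gets the password itself."""
    users[username] = {"password": password}


def store_hashed(users: dict, username: str, password: str,
                 iterations: int = PBKDF2_ITERATIONS) -> None:
    """Store a per-user random salt and a slow, salted hash instead of the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    users[username] = {
        "alg": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(users: dict, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = users.get(username)
    if rec is None or "hash" not in rec:
        # Unknown user, or a legacy plain-text record that must be migrated: reject.
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(rec["salt"]), rec["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(rec["hash"]))


def needs_rehash(rec: dict, current_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if a record was made with fewer iterations than policy now requires;
    rehash it on the user's next successful login, when the password is available."""
    return rec.get("alg") != "pbkdf2_sha256" or rec.get("iterations", 0) < current_iterations


def leaked_passwords(users: dict) -> dict:
    """What a dump of the table reveals directly: only plain-text records give up
    the password. Hashed records still need a per-user guessing attack, which the
    salt and iteration count are there to slow down."""
    return {u: r["password"] for u, r in users.items() if "password" in r}


if __name__ == "__main__":
    table = {}
    store_plaintext(table, "alice", "hunter2")          # constructed sample data
    store_hashed(table, "bob", "correcthorsebatterystaple")
    store_hashed(table, "carol", "correcthorsebatterystaple")
    print("bob logs in:", verify(table, "bob", "correcthorsebatterystaple"))
    print("same password, different hashes:", table["bob"]["hash"] != table["carol"]["hash"])
    print("revealed by a table dump:", leaked_passwords(table))
```

Two details matter for the point the post makes about password reuse: the salt means two users who chose the same password (as many do) do not end up with the same stored value, and the iteration count makes each guess expensive, so a stolen table does not immediately translate into working logins on every other site those users registered with.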

As the UK Government "Cyber Essentials" scheme puts it, "Compromise of information assets can damage companies", and I completely agree.

So when I said you should "beat them to death with a house brick" I was doing so purely for effect. Don’t do that – just fire them and get someone else!