I'm in the wrong business


Time for a change of career. Forget making money the old-fashioned way doing things I enjoy. I’m going to sell software to schools and governments. They’ll buy anything.

There must be a glut of greasy salesmen roaming the country and peddling crappy software to government-led organisations. Dazzled by the PowerPoint presentations of these greasers, the saps who run the public sector and have no clue what constitutes good design and usability lap up the platitudes.

We used to pay our local school, for instance, using cheques. And they’d send out a printed newsletter every week. Someone then came along and said “Save the planet. Save money. Don’t print. Manage all media and payments centrally. Go digital.”

So they did.

I admit it’s better not to unscrunch the scrappy piece of paper and chuck it away every week. Yay environment. I can sidestep that the digital newsletter employs a template designed by someone I can only assume is an unpaid grad student or a blind Year 9 kid. It’s certainly no worse than it was before, despite them always trying to shoehorn content into the template when it won’t fit. I’m sure it saves the staff time. Perhaps the school only bought one overpriced template.

Anyway, the newsletter is delivered by ParentMail, managed by some cowboys called 123Comms. I can barely scratch the surface of what’s wrong with this snake oil system without breaking down into a quivering wreck.

It seems the school provide 123Comms with their SIMS database (or engineered an agreement with the operator, the terrifyingly inept Capita, to access it directly) because I had all manner of trouble trying to convince them to change my email address and mobile contact information when the system first went live. It sent me reminders weekly to sign up or install the mobile app, when I’d already created an account and logged into it.

The school claimed they’d updated my details their end. Clearly not, even two weeks later. So I changed my contact info directly in ParentMail, then I got four or five notifications from them to say it had been updated on my behalf by the school, but the admin staff assured me they’d not done anything. Then it reverted to my non-smartphone number (and therefore wouldn’t display any info they sent out) and started sending me reminders about downloading the app, so I just logged in, told it never to contact me ever again and abandoned the system.

Their security practices were second rate too, despite vague assurances amid techno-waffle about key lengths and rehashing passwords. It was all for nothing when you attempted to log in and it told you it couldn’t find a particular email address on the system. Thus if you want to know if someone has an account, just keep typing emails until it says you found one! Bad. I wrote to them and they’ve (thankfully and eventually) fixed it.

[Incidentally, it seems that both Gmail and Hotmail do a similar thing when logging in: they’ve changed from a single page sign-on to a two-step process: “Enter username”, click Next, “Enter password”. If you type a username that isn’t in the system, it tells you so immediately. Maybe that’s no longer deemed a security concern?]

ParentMail was billed as a one-stop shop for everything parents need: buying stuff, paying for lunches and clubs, trip authorisation, and so forth. But most of it never materialised. I thought it was just implementation headaches.

Imagine my surprise when they announced they’d bought a separate payment system from a different set of greasers.

Eduspot… eduspit

Now, online payments are handled by this heap of crap called Eduspot. Once you log in (I’ll get to that in a minute), confusing UX abounds as you try to work out what you owe, add it to your basket and keep schools in business. Sometimes a ‘+’ button will add stuff to your basket. Other times a similarly-styled button will twist down a ream of badly-laid-out info.

The entries aren’t grouped or in any discernible order (by date). It’s one big list with dinner money at the top, school trips and other sundries intermingled next in some vague date order (latest date first, even if it’s in the future) and then After School Club entries appear in descending date order beneath that. No way to sort the data either. What?!

A graphic of a key tucked away at the bottom doesn’t manage security settings or allow you to access your account details. Instead, it displays a massive pop-up legend of what the on-screen color-coded carnage means, obscuring the data you’re trying to decipher.

And forget adjusting anything. The council want us to pay in advance for school meals, but going on a trip means the school staff have to update all the relevant records to indicate that a meal wasn’t needed that day. And they don’t seem to be able to do that in advance (or it’s too unwieldy to do so). The system accrues meals on a day-to-day basis. If I log in on Friday morning, it only shows four meals taken. Log in on Friday afternoon and it shows five. I’d need to manually adjust the “unpaid dinner money” value at the top if I was to pay in advance. Mad.

But the worst thing? Oh, the very worst thing is the login process. Here are the ultra-secure pieces of information they require:

  • Child’s first name. Super secure, that.
  • Mobile number. Hundreds of people know that, including all his friends’ parents.
  • Email address. Hundreds of people know that, including parents and anyone with a Facebook account.
  • Password. 6 characters. Cannot be changed.

Yes, you read that right. Access to all this personal information, payment history, club attendance including dates and times, trips, meals, parental consent, and stuff we’ve bought through school is all “protected” (and I use that term loosely) by a six-character password the school set up on our behalf that cannot be changed.

Worse, the password is stored on their systems in plaintext. Not hashed, not salted, not stretched, nothing. Stored as-is.

And if that wasn’t the ultimate worst security bad practice, guess what: if we miss a payment or they send us a message for any reason, they include all our sign-in details at the bottom of every message, including the password. I kid you not. A plaintext email containing a plaintext password is the same level of security as writing it on a postcard, then posting it to the BBC for them to read out during the news headlines.
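As an added example (not code from this post or from either vendor), here is what the two fixes discussed above look like together in Python: passwords kept only as a salted, scrypt-stretched hash, so there is no plaintext to store or email, and a login that answers identically whether or not the email address has an account. The `AccountStore` class, the scrypt parameters and the messages are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed scrypt cost parameters for this example (not from the post).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)
GENERIC_ERROR = "Incorrect email address or password."


def hash_password(password, salt=None):
    """Return (salt, digest) using a per-user random salt and scrypt stretching."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return salt, digest


# Hash of a throwaway password, checked when the email is unknown so that
# both failure paths do the same amount of work.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(secrets.token_urlsafe(16))


class AccountStore:
    """In-memory stand-in for the user table (hypothetical, constructed)."""

    def __init__(self):
        self._users = {}

    def register(self, email, password):
        # Only the salt and digest are kept; the password itself is discarded.
        self._users[email.strip().lower()] = hash_password(password)

    def stored_record(self, email):
        return self._users[email.strip().lower()]

    def login(self, email, password):
        record = self._users.get(email.strip().lower())
        salt, expected = record if record else (_DUMMY_SALT, _DUMMY_DIGEST)
        _, candidate = hash_password(password, salt)
        # Constant-time comparison of the two digests.
        matches = hmac.compare_digest(candidate, expected)
        if record is not None and matches:
            return True, "Signed in."
        # Same message for "no such account" and "wrong password".
        return False, GENERIC_ERROR
```
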

I absolutely despair that in 2018, with over twenty-five years of Internet hack knowledge and web user interface design behind us, companies still make software that is this shit. I’m not sure what’s worse: that someone built it or that someone else would waste my tax money to buy it.
