I don’t normally want to criticise websites, but I’ve heard so many complaints about our National Day Parade (NDP) website and I can’t help but agree with them. It’s almost a national embarrassment that a country with such advanced and developed infocommunications capabilities could not find someone better to showcase its most important national event on the Internet.
It’s not even just one aspect where the NDP website is failing. There are problems with security and privacy, design and layout, HTML coding, and more.
Let’s start with security and privacy. It’s one of the biggest things on the Internet that everyone is concerned about. You see, the ticket balloting submission, in the sub-site http://eballot.ndp.gov.sg/, does not use SSL to encrypt its web communication. They are going to ask people to submit private personal information, but they don’t think to use encryption on their website. Really?
As you can see above, the form data is submitted in a plaintext HTTP POST. Adding SSL is such a simple thing to do, but apparently there was no one on their team with even some basic common sense to think about it.
The personal data comprises full name, telephone number, and NRIC number. Our government frequently talks about Internet security, data protection, and most recently the Personal Data Protection Act (PDPA) which will become fully enforced from 1 July 2014, yet the NDP website doesn’t think about their basic sense of responsibility to protect the transmission of personal data. Sure, sure, I know, the government is excused from the PDPA.
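A check a site owner could run before launch to catch the problem described above, as an added example that is not part of the original post or the site's code: it parses a page's forms and reports any that would send name, phone or NRIC fields over plain HTTP. The sample markup, the field names and the `submit` action are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed substrings that mark a field as personal data (name, phone, NRIC).
SENSITIVE_HINTS = ("name", "nric", "phone", "tel")

# Constructed sample markup; the real form's field names are not on the page.
SAMPLE_FORM = """
<form method="post" action="submit">
  <input type="text" name="full_name">
  <input type="text" name="nric">
  <input type="text" name="phone">
  <input type="submit" value="Ballot">
</form>
"""

class FormAudit(HTMLParser):
    """Collects each form's resolved submit URL and its named fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._open = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action inherits the page's own scheme.
            target = urljoin(self.page_url, a.get("action") or "")
            self._open = {"target": target, "fields": []}
            self.forms.append(self._open)
        elif tag in ("input", "select", "textarea") and self._open and a.get("name"):
            self._open["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def insecure_forms(page_url, html):
    """Return (submit URL, sensitive fields) for forms not submitted over HTTPS."""
    audit = FormAudit(page_url)
    audit.feed(html)
    findings = []
    for form in audit.forms:
        hits = [n for n in form["fields"] if any(h in n.lower() for h in SENSITIVE_HINTS)]
        if hits and urlsplit(form["target"]).scheme != "https":
            findings.append((form["target"], hits))
    return findings

print(insecure_forms("http://eballot.ndp.gov.sg/", SAMPLE_FORM))
```

Because the form's action is relative, serving the page itself over HTTPS is enough to clear the finding.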
I’m not done with security. Have you heard about SQL injection attacks? Unvalidated input? Well, the fellows behind the NDP website seem to know a little bit about that. They decided to be so paranoid about restricting input that your name, for example, is only permitted to contain letters and spaces. So, I’m very sorry, Singaporeans with See-Toh or Aw-Yeong family names, you are not permitted to join the ballot. The same goes for those who chose fancy names like D’Souza. Similarly, Nagaratnam s/o Subramaniam and Rajadarshini d/o Balakrishnan, you can’t be in the running either. Whoever wrote the specs for this app ought to be fired.
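The letters-and-spaces rule next to a more permissive one, as an added example that is not the site's code: the names are the ones listed above, `relaxed_ok` is an assumed alternative rule, and the in-memory SQLite table stands in for whatever database the ballot uses. It shows that bound query parameters, not character stripping, are what keep a quote in a name from reaching the SQL parser.

```python
import re
import sqlite3
import unicodedata

# The rule the post describes: letters and spaces only.
STRICT = re.compile(r"[A-Za-z ]+")

# Names from the post that the ballot form turns away.
REJECTED_IN_POST = [
    "See-Toh", "Aw-Yeong", "D'Souza",
    "Nagaratnam s/o Subramaniam", "Rajadarshini d/o Balakrishnan",
]

def strict_ok(name):
    return STRICT.fullmatch(name) is not None

def relaxed_ok(name, max_len=100):
    """Assumed rule: letters of any script, combining marks, spaces and - ' . /"""
    # Fold the typographic apostrophe to ASCII and normalise composed forms.
    name = unicodedata.normalize("NFC", name.replace("\u2019", "'")).strip()
    if not name or len(name) > max_len or not name[0].isalpha():
        return False
    return all(
        ch.isalpha() or unicodedata.category(ch).startswith("M") or ch in " -'./"
        for ch in name
    )

def store_and_fetch(names):
    """Insert names as bound parameters and read them back unchanged."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ballot (name TEXT NOT NULL)")
    # The ? placeholder sends each value as data, never as SQL text.
    db.executemany("INSERT INTO ballot (name) VALUES (?)", [(n,) for n in names])
    rows = db.execute("SELECT name FROM ballot ORDER BY rowid").fetchall()
    db.close()
    return [r[0] for r in rows]

for n in REJECTED_IN_POST:
    print(f"{n!r}: strict={strict_ok(n)} relaxed={relaxed_ok(n)}")
```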
The HTML coding of the NDP website is also nothing short of atrocious. Totally embarrassing. 176 errors according to the W3C’s Markup Validation Service.
Yes, there are no doubt many repeats of the same type of error. But there are plenty of examples showing a complete lack of grasp of basic HTML. Or perhaps a total disregard for writing proper HTML. Whichever way, this says so much about their level of professionalism.
Let’s talk about site design. Oh dear, where do I start. At the top navigation bar, as you mouseover its various links, they become highlighted as you’d expect. However, the drop-down panel is completely the same. It’s the same because the drop-down panel is already populated with all the 2nd level navigation links. Then, in that case, there’s no need for so many individual entries in the top-level navigation eh?
Next, let’s talk about those greyed out links. Sure, I can understand it may be far too early before the actual NDP event, so some of the links may not yet be relevant. For example, they may not be ready to give out traffic information at this time. That’s fine. Then why put the link there at all? There’s no excuse for so many links to be not working. There are a total of 29 links in that drop-down panel, 15 of which are greyed out. That’s more than 50% of the links not working. Please tell me what impression that leaves you.
I’d say this website is a mock up to show what the final product will look like. That’s what a web design firm might do to demonstrate to their client what they propose to build. You don’t go live with such a half-baked website.
It gets worse. On the main page, as you mouseover the big tiles, you’d notice some tiles are clickable (indicated by your mouse pointer). The Photo of the Week, for example, seems to be clickable. Click on it, but nothing happens. Oh yes, that’s right, it’s probably not ready yet. This is a mock up. I’m sorry, let’s not dwell on not-ready things anymore.
Let’s talk about how the information is presented. For example, in the Media Releases page, the link for Theme, Logo & Concept is a ZIP file. The link for Ticket Balloting is a PDF. In fact, this style of just tossing in files, instead of putting proper content on a webpage, seems prevalent in other sections of the NDP website. Another example is the page on the Junior Red Lions, which simply contains a link to a JPEG picture about, well, the Junior Red Lions.
There’s yet another example in the Big-Hearted Family page. There isn’t even an effort to, say, properly lay out the image, again another fault that seems to be repeated in other pages.
If you ask me, this aspect of the NDP website almost seems to be a document repository. Just stash PDFs, ZIPs, and JPEGs in there.
Let’s talk about design again. Can you see the plethora of fonts used on the main page? Usually, you shouldn’t use too many fonts together. The page will simply look very haphazard, lacking consistency, lacking an identifiable style. It’s definitely possible to pull off a design that includes a myriad of carefully selected fonts. Obviously, this NDP website isn’t that.
Moving on, let’s check out the NDP website on a smartphone. Oops. They did not design for mobile. There’s no responsive design, and there’s no mobile site. It’s alright. Maybe they did intend for mobile users to use their prominently featured mobile app. Let’s take a look there. There’s a link to download the Android app. But wait, there’s no iOS app? Wow.
Last, but certainly not the end of it, the NDP website is not on IPv6. IDA has been pushing hard for IPv6 adoption in Singapore. They said last year that 95% of government e-services are IPv6 enabled. It’s probably true. Oh, but not the NDP website. I suppose someone in the organising committee didn’t get the memo about IPv6 adoption.
I know the NDP website is fronted by Akamai, but Akamai does support IPv6. So it is strange that the NDP website would not be served on IPv6. I want to mention Akamai here, because it brings me back to the issue on security and privacy. Yes, the ticket balloting sub-site is also served through Akamai. Would you believe it, your personal data is being sent in plaintext, unencrypted for anyone in-between to see, across the Internet to a Content Delivery Network? What is wrong with the people behind the NDP website?
You see why I’m dismayed with the NDP website. We are a nation that’s strong in ICT capabilities. But we put up such a website for the most important national event. This is an embarrassment.
I hope the Anonymous Group get to know about the NDP website.
I think that’s ridiculous that Anonymous should get to know.
It’s our data out there – our fellow Singaporeans?
Drop a note to the website, I’m pretty sure someone will take a look at it.
I love this post. Thanks for writing it.
Oh gods. This is terrible. The website, that is, the post is great.
that’s because our dear gahmen subcontracts all their work to the lowest bidder
Xelrr Ang I suspect this one is an NSF. Got that feel. Don’t blame him ah, if he’s an NSF, do this shit on top of other things. But knn, spring a bit la.
If is NSF confirm won’t blame, but I’ll ask who is the idiot who arrowed the NSF despite all that NDP budget.
Don’t think it’s an NSF’s work either.
likely the one responsible should be the in-charge of the NSF
U shld read how Business Times compared SGX website agst our regional rivals, especially Philippines. I have never read such a critical piece by MSM before.
BT 28 Mar 2014: “How other exchanges present their websites”.
Wonder what kinda IT consultants our establishment is using….
Have you ever thought that more likely than not, this was done by a lowly-paid NSF who was ‘coerced’ to come up with a ‘professional-looking’ website for the NDP?
Although that is plausible, I believe that is highly unlikely. There is a budget for NDP and they won’t need to coerce any NSFs into this.
very likely this is the case.. budget constraints they call it.
Guek Hoon well, it’s probably NSF behind it. My cousin when he was still in the army, built the website a few years ago.
Actually NSFs do design the NDP sites at least for 2009/2010… The fmn in-charge often sets up a crack team comprising of NSFs – nothing a few offs cannot do…
I agreed with this comment, trust me when I say it, I was part of the NSF team working on some of this stuff during my service, and I not gonna say wad I was working on in case somebody is watching…
The Budget for NDP is very low. NDP relies heavily on Sponsorship and at this point of time, it’s most likely done by an NSF. To be fair, if it was an NSF, it would probably be someone with a polytechnic diploma from a related course. So the skill level would not be comparable on a professional level.
I remember I got a sudden call up for reservist and my job is to work on their NDP website many years ago. Hilarious.
Really? Free Website? wow.
the only flaw in this article post (which I find very well written and enjoyable – thanks) is the claim that Singapore is “well known” to have strong ICT capabilities.
Singapore does NOT have strong ICT capabilities in software (or networking) – never has, probably never will.
Hardware? Yes SG used to be great at hardware, has lost much of its skills since collapse of Creative, but has a history and background in it that measures up.
It is well known that Singaporean software is amidst the worst quality known in the civilized world.
That Singaporean internet is lauded as excellent yet in reality is leaps and bounds worse than neighboring Thailand, Malaysia, Vietnam and Philippines.
In Software – even SEA countries like Vietnam put SG to absolute shame.
This of course is well known by everyone else in the real world, though the typical Singaporean view is one opposite.
This is not the first govt website that “sucks”. They literally all do. The banking software does too – and these are the 2 biggest industries in SG: banking and govt. Yet their software sucks, and they have the best software engineers the country can possibly get.
This is what the focus of this article should be – the reasons why SG sucks so bad at software.
But SG still isn’t mature enough to admit that to itself so, good articles like this go to waste really, and this problem will just repeat itself over and over, which amazingly S’poreans are so good at forgetting rather quickly…
I strongly agree with this. Singapore lacks greatly in ICT capabilities, look at how our “Army” is using technology… it’s retarded to call it a 3G army.
Management executives of most ICT companies in Singapore generally refuse to admit that we “suck” at software development. They keep thinking that we are at the leading edge of software development. As a developer, it’s always facepalming every day when listening to the management level convincing themselves that their product is superior without even doing proper market research.
Drake Lim WHATTT!
I am glad I took a security module. Nice post!
Good job for detecting this and pointing it out. But did you consider informing the organizers first to take down the site and have it fixed first, before announcing it to the world of its vulnerability? This would be a great service done to protect fellow Singaporeans. Of course, they might have turned around to say it had no issue, but I am sure you would have had the facts captured. Nevertheless, it is good of you to point it out. More should be aware of the cyber threat.
If you’d fancy, could do a source code dive of DBS ibanking site too. Suddenly you may feel worried about keeping money in there.
Such a thorough analysis! I believe you would have also offered your expertise to the media team as a service to this country you are so proud of? Otherwise, what’s all the comments about feeling embarrassed for..
actually, don’t blame the developer, blame the person who sign-off the project lol!
So you’re the chap who found out the flaw! Lol. Good job I must say. I also left a comment on your Straits Times post. I think the site is now secure. It’s now https. Credit to you bro!