The Habib Bank Limited (HBL) website has a glaring security gap in its HBL Internet Banking service, even though it may not be immediately apparent by just looking at the interface.

HBL Internet Banking requires users to enter a few select letters of their password by clicking on the virtual on-screen keyboard (they do it this way for other arguable reasons). The implementation of this implies that the password is stored in the database in plaint-text or similar—which is how they can verify individual letters of the password (Update: as verified by the HBL lead, they do not use one-way hashing or store combinations). Storing passwords in plain-text means that someone with access to the database can read them clear as day. You should never store passwords in plain-text and no one should ever be able to read your password.

Muslim Commercial Bank (MCB) also stores plain-text password, at least for password reset requests. Though the temporary password is set to expire within a day and it is possible they only store the temporary passwords in plain-text, it is still quite bad from a security standpoint, though not as bad as HBL’s implementation.

Update: though it is possible here that they generate a random password and only store the encrypted version, which would mean MCB is not storing it in plain-text. It seems that is likely the case, in which case this is perfectly acceptable behaviour.

You Just Don’t Store Passwords in Plain Text

It is a password after all. No one should have access to your passwords unless you explicitly let them in on the secret. Not even the developers at HBL or anyone in their IT team. Why should they? In the U.S. such behavior would even be deemed illegal since it is extremely negligent.

The problem is worse than it sounds. It is well known that most users reuse their passwords across different sites. If your HBL password gets compromised and you use the same password on another bank account, email account or social website, those accounts are now also compromised.

In HBL’s case, their database administrators can easily get access to thousands of account holders’ usernames and passwords.

And what if HBL servers ever get hacked? If the passwords were stored in their encrypted form instead of plain-text, a hacker would still have a hard time defrauding the accounts. But with plain-text passwords, a hacker would have instant access to every user’s password. He could then login as that user and HBL would never be the wiser because the hacker can log in through all the proper channels.

Even worse, undoing the damage after a security breach with plain-text passwords can be a nightmare. First, HBL would have to issue a notice to all users to change their password. It would also have to instruct them to change the password on any other account where they may have used the same password—quite embarrassing. HBL would then have to lock all accounts and disable user access to online banking until customers phone in or visit their nearest branch to have their passwords reset. Even then, it would have to disallow resetting the password to the previous one.

If even the most basic security best-practices were employed, the passwords would be much safer. These practices are so common, it is disconcerting to learn that the developers were oblivious to it and what other security blunders lurk within.

Technical Background: Passwords are encrypted with a one-way hashing algorithm that results in another reasonably long and convoluted string of text. Encrypting “secret” this way would result in “e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4”. For most practical purposes, the resulting text cannot be reversed to get “secret”. So how do you verify if the user entered the correct password when logging in? You simply encrypt the entered password and verify that it results in “e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4”. This makes it secure and no one ever needs to know your password.

Update: September 15, 2011

Some comments have asked how I came to the conclusion that passwords are stored in plain text. As I mention in the first paragraph–it’s not entirely obvious but if you have a basic understanding of password encryption schemes, you can draw some reasonable conclusions.

Passwords are stored using a one-way hashing algorithm. MD5 and SHA-1 are popular one-way hash functions for this purpose. As I mention in the technical details, all passwords are encrypted using similar cryptographic hash functions.

Why is it done this way?

It’s so that no one can reverse an encrypted password such as “e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4”. That’s why it’s called a one-way hash function. Since all passwords are stored in the database in their encrypted form, they are secure. The encrypted password “e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4” is quite useless to an attacker. He can’t do anything with it. He cannot reverse it to get the original passwords. That’s the beauty of one-way cryptographic hash functions.

If no one knows the password, how does the computer know the correct password was entered?

The computer asks the user for their password. It then encrypts whatever the user entered, using the same one-way hashing function and verifies that it results in the same encrypted password. If it does, the password entered was correct.

How do you know HBL is not using a one-way cryptographic hash function to encrypt their password?

When you encrypt  “secret”, it results in “e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4”. But HBL asks you to enter specific characters. So say you enter “s”, “r” and “t”. In that case HBL would has to fill in the other blanks “_ec_e_”. That shows that HBL knows a part of your password because it fills in these blanks for you.

But that’s only part of the password. Not the whole password, is it?

Well, HBL asks you to enter different letters from your password each time. That means it knows your full password and each time it fills in the remaining blanks. So on a subsequent login attempt it may ask you to fill in different blanks such as “s__r_t” which means it knows the whole password.

I still don’t believe you. Are you making this up?

Don’t take my word for it. Try asking on stackoverflow.com or superuser.com or a serious security mailing list. Just refer them to this post and ask them for their opinion. If you want to discuss particulars or have some pressing concerns, you can find my email address at the bottom of my about page.

Update: September 17, 2011

The lead developer for HBL (Abdul Azeem Yasin) had this to say on the matter of one-way hashing of passwords:

Between your claim that SHA1 and md5 being the more secure way of storing password is again your opinion.

I could only hope that it was my opinion–and such a grand one at that. SHA-1 is the U.S federal standard (now being bumped by SHA-2). It was designed by the National Security Agency (NSA) which just happens to be cryptography intelligence agency of the U.S. Department of Defence.

And again, the lack of understanding is further exemplified:

put e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 at http://www.md5decrypter.co.uk/ and  you will get your hashed password in this case secret Imagine storing hashes in database and some one with access to the db or some one invading an application and having access to thousands of hashes :)

Rainbow table attacks aren’t new. That’s why you use a good password salt. You can also use bcrypt (which has built in salting and even harder to brute force).

You do realize that it would have been impossible to do partial password authentication in case of one way hashing.

Impossible, really?

He also continues to defend that an HSM is the equivalent of one-way hashing and that using public/private keys are a good way to go about it. Since the plain-text passwords are behind an HSM, that makes it okay. In fact, his explanation makes it clear:

Now when the user comes in to authenticate a pin verification message is sent to HSM in case of partial password a sentinel value is set i.e. if the password is abcdef123 and abcd is taken as an input from user abcd$$$$$ is sent to HSM  by encrypting it with public key of HSM. HSM decrypts it and only check the password positions which are not sentinel values.

Which is like saying, since the HSM provides a very secure environment, you can stuff in there whatever you want. Doesn’t matter if it’s all your user’s passwords even though the means exist to encrypt each password individually. Nor does it help to allege that one-way password encryption is really something that is just my “opinion” (mine, and practically every operating system, major website and software company in the world).

What’s even more surprising is that he feels everyone is wrong and he is absolutely right. Reminds me of the the most popular security question on ServerFault about the most dangerous kind security auditor to have in your company, “Our security auditor is an idiot, how do I give him the information he wants“?

It’s possible to build a platform on top of other platforms, and occasionally the platform that sits on top gets the upper hand. Web browsers for example, sit on top of operating systems. The web browser platform, over the years, has evolved considerably enough to threaten the underlying operating system platform. Email, chat and document authoring all work quite well within the browser but were once primarily in the operating system domain. As browsers continue to advance in capabilities (video, offline mode, built-in storage) they can usurp even greater chunks of functionality originally provided by the operating system.

Since browsers work across all popular platforms, users may not ultimately care whether their laptop is running Windows or Mac, so long as the browser works fine and allows them to conduct their daily activities. This is a threat that Microsoft has long recognized and some might even say, is the reason for stifling the Internet Explorer browser.

A platform like Adobe Flash sits even higher atop the browser platform. Flash is capable of doing more than the browser can do on its own. That’s why a lot of games are built on Flash with complex physics engines and animations. Most video is still served using Flash, which the new HTML5 standard hopes to remedy by providing its own video decoder. Java also had similar ambitions of becoming the platform that sat atop all other platforms. Had it executed well, it would have been possible to write applications once in Java and then run them on all other platforms. And it was hoped that if all applications were written in Java then the underlying platform wouldn’t even matter any more.

And so it is with Apple’s iPhone and iTunes platforms.  Currently, Apple does not want its platform to be displaced by another platform that sits on top. That’s the reason why Steve Jobs so vehemently rejected Adobe Flash. If Flash were enabled on the iPhone, it would be possible to download applications written in Flash and run them on the iPhone. In fact, Adobe Flash already has thousands of games waiting to flood the iPhone if only it were possible. Applications sold on iTunes would face some serious competition if Flash were allowed on the iPhone. Adobe could then build its own store and its own music and video download services. The same holds for Java which is also banned on the iPhone.

Similarly, with Amazon’s Kindle bookstore application and Raphsody’s music application, Apple fears that applications of this nature threaten the iTunes music, books and videos business by building a secondary retail platform for digital content. In fact, since Jail Breaking the iPhone has been deemed legal in the U.S., it is possible to sell all sorts applications for the iPhone without ever going through the AppStore (though for now, there are many technical hurdles preventing this from happening).

Apple has acted strategically to strike a balance in what it does and does not allow iPhone applications to do. It also exercises full control over which applications are allowed on the AppStore, through an approval process which can take weeks. This sort of regulation does not have much precedent and is fairly unique to the iPhone. Facebook doesn’t have an approval process. Windows doesn’t either, nor does Google’s Android platform. In fact the latter two allow complete freedom which is probably why they need an antivirus to protect naive users from downloading malicious applications.

Apple’s ambition is to build a platform that is self-sustaining and free of long term threats to its core digital retail business including books, music, videos and applications. In its recent announcement, Apple gave the likes of Kindle and Raphsody until June 30^th to share 30% of sales revenue from digital content with Apple, as is already the case with iPhone applications. This stipulation applies to all digital content sales including magazines, newspapers, video, music, etc. Apple would rather that all transactions happen through its own platform or marketplace. If not then iTunes could soon be disrupted by other stores sitting atop the iPhone.

Apple is currently facing anti-trust scrutiny from regulators since this restriction limits the competition to Apple’s own iTunes business.  However, if Apple is able to pull this off (and for the moment, that is a big if), its platform will become one of a kind. It will be a platform that is completely regulated and well protected from the pitfalls of most other platforms. It will be a platform that is open to development and creativity but closed to disruption–a game that Apple knows all too well.

The next few months should bring a lot of drama and excitement to the mix.

Pakistan in general has poor regulations or controls in place and few if any buildings provide wheelchair ramps, let alone consult with semioligists. Fortunately, there is some saving grace on the web, because the W3C consortium along with countless other bodies, provides guidelines on accessibility. And engineers can build accessible sites with little effort.

Unfortunately, with Cascading Style Sheets (CSS) it’s easy to make a total mess of accessibility guidelines. Dawn has had little or no guidance with their portal improvements but that’s no excuse to have black links.

Firstly, these links are hard to distinguish from bold text since they are identical to bold text. So now if the page has both, bold text and hyperlinks then the only way for a user to discover that is by hovering their mouse over it. The whole web is built on hyperlinks and it’s because of these lovely links that we can go off on tangents and then use the browser history feature (such as back and forward buttons) to keep track. But in this case the user has no idea what’s immediately clickable without inspecting each block of bold text. Just as frustrating is the experience of a user hovering over what seems like a link, only to discover that it’s just bold text. To make matters worse, Dawn’s visited links are the same color as unvisited links, so the user doesn’t really know if he has already read the hyperlinked article. That’s loss of information for no good reason.

Secondly, with the above change, hyperlinks have hijacked the bold style. Bold text competes with hyperlinks for attention but the reader will not know what the author truly intended to highlight. In fact, when the content writer finds his copy on the web, he’ll quickly realize that all the wrong stuff is appearing in bold and the emphasis of passages will be almost arbitrary.

Bolded, black links are bad enough but it should still be pointed out that underlines on hyperlinks are also preferred and are the default, by design. That’s because there are still some color blind people out there who would like to know what information is hyperlinked and can be consumed through a click. Even if you leave alone the color blind people, there are still plenty of devices that are handicapped in that they don’t have color screens. The users of these devices rely on the underlines as well.

In fact, for this and other reasons, the use of underlines is altogether deprecated for all other text and reserved exclusively for hyperlinks. This way hyperlinks get the prominence they deserve.

Note: Underlines are typically used in print because early typewriters could not do bold text. Purists will argue that artificial devices such as bold text or underlined text should not be used at all, instead, the writing itself should draw any emphasis. This is true for literary pieces, however for informational pieces, especially on the web, bold text improves the scannability of articles.

After trying out various LAMP configurations the one that worked best in the end was generated using Linode’s own configuration script presented here with minor changes. This script is for the default install which includes Apache 2 + PHP Prefork + MySQL 5 and modifies the config files directly (my.cnf, php.ini, apache2.conf).

The script also makes backups of the config file (though if you run it twice, the old backup will be overwritten so make your own backups just in case).

The script sets MaxRequestsPerChild to 500 which is helpful to mitigate WordPress/PHP memory leaks since this causes Apache to recycle worker processes every so often. You should experiment with higher settings here until you encounter memory leak issues.

#!/bin/bash
#
# StackScript Bash Library
#
# Copyright (c) 2010 Linode LLC / Christopher S. Aker 
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice, this
# list of conditions and the following disclaimer in the documentation and/or
# other materials provided with the distribution.
#
# * Neither the name of Linode LLC nor the names of its contributors may be
# used to endorse or promote products derived from this software without specific prior
# written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
# DAMAGE.

function mysql_tune {
   # Tunes MySQL's memory usage to utilize the percentage of memory you specify, defaulting to 40%
   # $1 - the percent of system memory to allocate towards MySQL

   MYSQLCONF=/etc/mysql/my.cnf
   cp $MYSQLCONF $MYSQLCONF.backup

   if [ ! -n "$1" ];
      then PERCENT=40
      else PERCENT="$1"
   fi

   # sed -i -e 's/^#skip-innodb/skip-innodb/' $MYSQLCONF # disable innodb - saves about 100M

   MEM=$(awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo) # how much memory in MB this system has
   MYMEM=$((MEM*PERCENT/100)) # how much memory we'd like to tune mysql with
   MYMEMCHUNKS=$((MYMEM/4)) # how many 4MB chunks we have to play with

   # mysql config options we want to set to the percentages in the second list, respectively
   OPTLIST=(key_buffer sort_buffer_size read_buffer_size read_rnd_buffer_size myisam_sort_buffer_size query_cache_size)
   DISTLIST=(75 1 1 1 5 15)

   for opt in ${OPTLIST[@]}; do
      sed -i -e "/\[mysqld\]/,/\[.*\]/s/^$opt/#$opt/" $MYSQLCONF
   done

   for i in ${!OPTLIST[*]}; do
      val=$(echo | awk "{print int((${DISTLIST[$i]} * $MYMEMCHUNKS/100))*4}")
      if [ $val -lt 4 ]
         then val=4
      fi
      config="${config}\n${OPTLIST[$i]} = ${val}M"
   done

   sed -i -e "s/\(\[mysqld\]\)/\1\n$config\n/" $MYSQLCONF
}

function apache_tune {
   # Tunes Apache's memory to use the percentage of RAM you specify, defaulting to 40%
   # $1 - the percent of system memory to allocate towards Apache

   APACHECONF=/etc/apache2/apache2.conf

   cp $APACHECONF $APACHECONF.backup

   if [ ! -n "$1" ];
      then PERCENT=40
      else PERCENT="$1"
   fi

   PERPROCMEM=10 # the amount of memory in MB each apache process is likely to utilize
   MEM=$(grep MemTotal /proc/meminfo | awk '{ print int($2/1024) }') # how much memory in MB this system has
   MAXCLIENTS=$((MEM*PERCENT/100/PERPROCMEM)) # calculate MaxClients
   MAXCLIENTS=${MAXCLIENTS/.*} # cast to an integer
   MAXREQUESTSPERCHILD=500
   KEEPALIVETIMEOUT=2
   sed -i -e "s/\(^[ \t]*MaxClients[ \t]*\)[0-9]*/\1$MAXCLIENTS/" $APACHECONF
   sed -i -e "s/\(^[ \t]*MaxRequestsPerChild[ \t]*\)[0-9]*/\1$MAXREQUESTSPERCHILD/" $APACHECONF
   sed -i -e "s/\(^[ \t]*KeepAliveTimeout[ \t]*\)[0-9]*/\1$KEEPALIVETIMEOUT/" $APACHECONF
}

function php_tune {
   PHPINI=/etc/php5/apache2/php.ini

   # Tunes PHP to utilize up to 32M per process
   sed -i'-orig' 's/memory_limit = [0-9]\+M/memory_limit = 32M/' $PHPINI
}

mysql_tune 40
apache_tune 40
php_tune

/etc/init.d/apache2 reload
/etc/init.d/mysql reload

By default the script allocates 40% memory each to MySQL and Apache. You can change two lines near the bottom to read mysql_tune 50 and apache_tune 30 for example, if you want to allow MySQL to use 50% memory and Apache 30%. However, make sure the Apache + MySQL combined don’t take more than 80% otherwise the rest of the system won’t have any RAM left to work with.

Microsoft Windows, for example, allows any vendor to build software for Windows without restrictions.

Similarly, when Facebook announced that it would allow any vendor to build applications on top of its ‘social media platform’, it fully embraced the platforms strategy and achieved rapid growth in return.

In fact, over a very short period of time, Facebook boasts over half a million applications in active use with over a million developers and entrepreneurs.

Of the 500 million active users on Facebook, 70 per cent use at least one of these third-party applications each month. Facebook dominates the web as the largest social network, getting more hits than the next top 30 websites combined, while Microsoft dominates the consumer PC market with 91 per cent market share (as of late 2009). The platform strategy has proven instrumental in both cases.

Microsoft or Apple?

Microsoft is the epitome of a platforms strategy because not only does it allow application developers to thrive, it also has a rich ecosystem of certified trainers providing accreditation and diplomas to technicians, repair shops specialising in Microsoft personal computers and partners authorised to sell Windows software licences in their respective localities.

Furthermore, Microsoft has also lent its platform to hardware makers like Dell and HP through tactics such as volume discounts, co-branding and application bundling.

The company has ensured its success by tying itself to the success of millions of other businesses. Apple, on the other hand, missed out on the party early on because it chose to take charge of repairs itself. The company also decided to control distribution and no initiatives were given to third-party vendors.

Apple’s iPhone platform is also extremely tight-fisted: all applications must be sold through Apple’s AppStore where Apple frequently exercises its right to reject applications from being listed or remove them without notice. It also charges 30 per cent commission on all revenues.

Although this anti-platforms strategy has crippled its computer sales, which now comprise only about 25 per cent of the company’s total revenue, it has worked tremendously well for the iPhone and iPod.

A platforms strategy requires not only inviting others to build on the platform, but also encouraging them to build an entire business around your platform.

The more open the platform, the more tremendous its growth. The Internet itself is the greatest platform upon which companies like Google and Facebook are built.

Published in The Express Tribune, August 23rd, 2010.

It felt like the cirque de soleil of conferences with a healthy mix of audience engagement, ranging from an abrupt ovation for our country with a national anthem who intent was to rebase the audience back to our country’s patriotic roots, to motivational talks which engaged the audience in a 30 second breathing exercise and acknowledgement of people in adjacent seats–all designed to underline the prominence of “presence”, “awareness” and connecting. The topic on energy for a change focused on solutions and the Thar coal mines, whose 4% reserves are enough to sustain the entire country. Micro-finance seems to be another recurring theme in the financial and charitable circles and there was plenty of quantification and empirical evidence of it being implemented and working in Pakistan. All talks came from people who are out there on the field, accomplishing these things.

The talks had plenty of substance and mind fodder. It’s easy to get pigeon-holed into our respective trades so it was a good change to get a richer, broader perspective from people across the various walks of life.

It’s a shame that it will be another year before the next TEDx, but I’m hoping there are other forums in between that continue the discussion.

Interested readers may view a dynamically sortable table of the complete list of top 1000 most visited sites on the web which also has APV added (Warning: on slow computers it may take a while to load or crash your browser since it’s a long list that requires Javascript processing).

I used it to gather the following data for sites in the News category.

News & Current Events

This category includes sites with an online and television presence, covering current and breaking news.

• BBC (#43) with 45 million UU and 56 APV, the highest in the overall News category
• ifeng.com (#55) in Chinese/Mandarin
• CNN (#64) with 34 million UU and 38 APV
• Digg (#252) is also impressive given that its a community driven news aggregator that runs automatically
• FoxNews (#279) with 11 million UU and 8 APV

Newspapers

This category includes the traditional print newspapers complemented by an online presence

• NYTimes (#83) takes the top spot with 26 million UU and 23 APV
• Yomiuri (#213) with 20 APV
• Daily Mail (#236) with 22 APV
• WSJ (#277) with 15 APV
• Mainichi (#287) with 7 APV
• Guardian (#310) with 16 APV

Business News

• CE.CN (#500) with 7.4 million UU and 5 APV giving it 34 million monthly PV
• Forbes (#633) with 6.1 million UU and 18 APV giving it 110 million monthly PV

Local News

This category includes online news sites which focus on national coverage

• iG.com.br (#477) out of Brazil
• zjol.com.cn (#746) out of China

Social Networks

Of the top 1000 sites, the ones with the highest APV are comprised primarily of social networking sites along with a few classifieds and shopping sites. This makes sense because people spend a lot of time on social networking sites viewing a lot of pages.

Page Views

Facebook is the grand daddy of all websites. Not only does it have the highest number of UU at 540 million, its PV count gets even more impressive with an APV count of 1056. Facebook gets a total of 570 billion page views per month which is more than all the next 30 websites combined! Yahoo web portal is a paltry second with 70 billion page views from it’s 490 million unique users.

Building large scale systems like The Express Tribune news portal and turning it around in 6 months requires a team of determined masochists and some really quick thinking. One has to think about scalability, performance, security, architecture and pliability of the product. One also has to think about usability, information architecture and layouts. About user interactivity, community engagement and publication workflows. Integration with television and print and a coherent new media strategy.

But it’s here and it’s far from over. Going in, I was confident that we would easily come out ahead of the competition (whom I have written about here and here) but I never thought I would have so much fun doing it.

The Express Tribune website uses some existing platforms and our developer toolkit is quite powerful, but to get to where we wanted to go, we got neck deep in every aspect of the system.

Beyond being just a pretty website, it has some behind the scenes features where it really shines out. This is where the competition has a lot of catching up to do. For example, assigning headlines and stories to sections or updating the page layout happens directly from the section itself, rather than going in to some specialized administrative screen. The image management and carousels are first class features and not just an after thought. The News in Pictures and slide shows can be done in under 5 minutes. The pages load blazingly fast, because we optimized not only the caching mechanisms but also the web server, database server, application server and even the operating system.

The user interface follows some hard principles. For example, the comment preview feature is painstakingly simple and dynamic so users know exactly how their words will appear. The submit button is below the comment preview by design, so the user is forced to preview on his way to the submit button. The design follows a horizontal rhythm using grid-based layouts. The weather widget updates the weather without having to refresh the page and on the back end we do some very specific caching so we can handle thousands of users, yet provide the latest weather updates or auto updating stock charts. The alerts ticker is directly linked to the Express 24/7 television station which requires some trickery on the part of both, the television platform as well as the web platform.

The interesting bits about strategy are something I cannot talk about other than to say that if the website works well for you and you find yourself interacting more and more, it’s because we put the user first. And in the short and long term both, our strategy will allow us to surpass the competition and out-pace them so we maintain the lead.

With internet penetration growing the way it is, I have no doubt that The Express Tribune portal will provide common ground for a lot of avid readers and have interesting side effects.

Why Use Abstract Classes?

An Abstract class provides concrete base functions as well as abstract functions that must be implemented by concrete child classes—binding them into a contract so to speak, if they wish to make use of the base functionality.

This is a subtle but important point and this is where abstract classes really shine. They can call abstract functions from within base concrete functions. Jumping straight to an example is the clearest way to explain this.

abstract class Animal {
  function greeting() {
    $sound = $this->sound();      // exists in child class by contract
    return strtoupper($sound);
  }
  abstract function sound();      // this is the contract
}

class Dog extends Animal {
  function sound() {              // concrete implementation is mandatory
    return "Woof!";
  }
}

$dog = new Dog();
echo $dog->greeting();            // WOOF!

This opens up a whole lot of interesting possibilities. For example, you can write a drive() function that calls $this->start(); $this->accelerate(); in an abstract class. Then create a motorcycle class that defines its own start() and accelerate() functions that may be different from those in the car class. In turn, the motorcycle and car can both be driven by just calling drive() without having to implement it locally.

Characteristics of Abstract Classes

Make a note of these characteristics to lock down your understanding of abstract classes:

1. Single inheritance. Child classes can extend only one class at a time.
2. Abstract classes cannot be instantiated — no new Animal();
3. Abstract classes can define class variables of type const only.
4. Abstract class A can be extended by another abstract class B. Abstract class B can implement none or any of the abstract functions in A.
5. In the previous case, a child class C which extends abstract class B must implement all abstract functions in B as well as the abstract functions in A which have not already been implemented in B.
6. The signature of the concrete functions and abstract functions must be the same. However, if an abstract function is defined as abstract function speak($greeting); then it is okay to implement it as function speak($greeting, $shout = FALSE) but not function speak($greeting, $shout).
7. The visibility of functions in the child classes must be the same or less restrictive than the parent class. Thus, a protected abstract function can be implemented as either protected or public but not private.
8. Declaring functions as static abstract throws a strict warning in PHP 5.2 or earlier, however, as of PHP 5.3 this is allowed.

The website is a big hoarding with no less than 20 advertisements on the front page while at the same time carries less than 100 words of actual news. And it looks really ugly.

This is what happens when you just don’t care about the readers. This is what happens when designers develop, developers design, business units dictate the roadmap and talent in general lacks. This is also what happens when you just don’t understand interaction design, information architecture, usability or have been oblivious to the paradigm shifts in online advertising and technological trends. This screen capture of the Jang News website clearly highlights all this.

The actual news content is highlighted in green boxes while the rest of the page is mostly advertisements. All ad slots highlighted in red are available for sale while unsold ad space is used for in-house products. The advertising tariffs section of the website indicates the type of ads available for sale on Jang News Online which includes video and expandable ads at a premium. The annoying expandable ads block access to the news until readers close them (shown in the screen capture) while video ads block the rest of the page because they take so long to load (Pakistan has very low broadband penetration in any case).

Jang News Online gets a considerable amount of traffic because the Jang News Group has entrenched itself as the face of news over the past 70 years that it has been around–a time during which it enjoyed little or no competition which helps explain their complacency.

Now, I am not even sure why an advertiser would want to publish one ad amongst 20 when it’s well known that users develop banner blindness and moreover the website’s ad space is extremely diluted and the screen interface is so cluttered.

The page reminds me of the days popup ads ran rampant until readers expressed rage and all major browsers (Internet Explorer, Firefox, Safari, et al) reacted by featuring popup blockers to put an end to it all. Unfortunately, in Jang’s case it’s not easy to block the spam. The website’s front page is practically an online hoarding which seems to take it’s cue from the million dollar homepage (whose sole purpose is to show advertisements) rather than a news site. One may easily pass this off as spam in its current state.