Wheedle: What went wrong?

I know it’s been a while since I last posted here, but let’s just move past that for now, and get to the bit where I talk about…


Last week I managed, by chance, to get a sneak peek at the site before its official launch yesterday. It actually looked pretty good on the surface; obviously borrowing heavily from Trade Me, for better or for worse. There were UI quirks here and there, but it looked fairly polished, and performed exceptionally fast (as it should under pretty much no load).

Yesterday, however, it became apparent that you didn’t have to scratch very deep to discover some alarming issues; the two of note being:

  • A huge security flaw:
    • users had their password emailed to them.
    • registered users had their username and password stored locally in a cookie, in plain text.
  • Sensitive URLs were exposed, e.g. you could determine/guess the URL to edit the details (reserve, buy-now, etc.) of anyone’s auction. Auction edits weren’t authenticated. (thanks @ruatara)

…and I would be very surprised if there aren’t a great many more issues.

Now, there’s been abundant commentary on Twitter, and in other media, about this rather large balls-up.

Insufficient server capacity

Some have said (ill-informedly) that excessive load due to launch has been causing issues. Wheedle’s claims of 40 on-shore servers, if true, would mean load, even at more intense launch levels, would not be an issue. Geekzone are serving nearly 7 million pageviews per month off one server.

Wheedle’s boast of 40 dedicated IBM-supported servers drew some scorn. In this day and age, they should probably be using some sort of scalable platform where server capacity can be increased (and reduced) dynamically as required.

Inadequate pre-launch testing

Wheedle GM Carl Rees claimed the problem was due to inadequate pre-launch testing.

He has no idea. The username/password flaw is inarguably a design fault. I’m sure it would have tested fine, but this is just not how you handle site security at all.

The issue with exposed guessable unauthenticated URL routes is indeed a pre-launch testing cock-up – you can easily automate that stuff, but behind that, it’s primarily a code design/development issue. That stuff should simply not happen.

Bespoke platform

Some have criticised the decision to build from scratch, instead of building on an existing proven product. This might be a valid claim up to a point; it would almost certainly have prevented the security issues they have.
In my experience, however, building on an existing product gets you only so far before it starts to become the problem. In my experience, even building with the more flexible frameworks like Symfony or Ruby on Rails, you’ll always get to a point where you have to start replacing the pre-built stuff to better suit your app’s needs.
I don’t think you’ll find too many large scale web apps that aren’t effectively built from scratch.


An inordinate quantity of scorn has been directed at Wheedle. Some of it might be warranted, but it probably went a bit too far.

I feel immensely sorry for Wheedle’s Rich List backer, Neil Graham. He must be hurting pretty bad.
He had a noble idea – to unseat Trade Me, which is increasingly taking advantage of its monopoly on the online auction market in NZ – and he had the resources (well, the cash, at least) to do it.
He did, however, lack guidance and expertise – which is not that hard to find, really, and leads me to my next point…

A lot of people have also scorned Wheedle’s use of off-shore developers. NZ has a massive resource of incredibly talent web developers, and it’s a shame they weren’t put to use here. This is a good point.

Plenty of others have written plenty about Wheedle already, so I’m going to finish up here.

A great idea, but woefully poorly executed. I think a lot of people have learned many things over the last few days.

Posted in Coding, Commentary | 3 Comments

Pears: Create your own pattern library

At work, we have what we call our module library, which is an interface with which to browse (and edit) the snippets of code and style (we call them modules) that we use to make up our site. They’re not templates, as such, but rather starting points for the blocks with which we build our pages.

Dan Cederhom of Simplebits has just announced his release of a WordPress theme that you can use to create your own pattern library.

It’s called Pears.

He’s hosting it on github, so you can tweak/improve it as you will.

Posted in Tools, User Interface, Wordpress | 2 Comments

Steve Lacy: What Larry Page really needs to do to return Google to its startup roots

Here’s a good read.

Posted in Link | 3 Comments

Best of Swiss Web 2011

A big congratulations to my good friends at L//P for absolutely pwning the Best of Swiss Web awards, yet again!

Three gold, three silver, and two bronze, but also taking the title of Master of Swiss Web 2011 for Migipedia!

Brilliant work, guys! And keep up the good work!!

Catch the noise on Twitter (#bosw)

Posted in Commentary | 3 Comments

JavaScript Decision Tree tool

My goal has been to make a JavaScript Decision Tree tool as a new content module for our next site redesign.

It needs to work such that the same piece of JavaScript can be utilised without modification for any decision tree tool we build on the site, with a very simply-defined markup structure,

So I’ve been self-administering repeated doses of headdesk/facepalm over the last couple of days, but I came back today after a Friday lunch (you know what I mean) and found a solution. It’s not pretty, with at least two nested ‘for’ loops, but it works.

I’ve created a JSFiddle of it, so you can take a look at it, modify it, laugh at it, etc.
Open it in JSFiddle or see it embedded below:

Posted in Coding, JavaScript | 34 Comments

Don’t make me steal

If you like to watch movies and TV series’ on demand; if you want to watch them whenever and wherever you want; if you’re frustrated with advertisements and anti-piracy messages when you hire DVDs and go to the cinema; if you want a decent and fair model for the downloading/distribution of digital content, then sign this manifesto now:

Don’t Make Me Steal

Pierre and Jordi, with the help of many others, have put this together, and it looks good and solid and well worth your support. Go sign it now.

Posted in Commentary | 1 Comment


A year or so ago, Last.fm started charging for their service. I was pretty gutted, since I had been listening to Last.fm radio pretty much all day. Sure, it’s okay to charge something for a decent service—and Last.fm is very decent—but what really got up my nose was that they were only charging people who were listening outside of the US, UK and Germany. What’s up with that? The internet is a global market—geography means nothing on the internet.

So I stopped listening.

Anyway, twelve months later and I’ve kinda got over it, so this morning I paid up and became a subscriber. Ah, it’s good to listen to my favourite tracks again 🙂

Last.fm really is a great service. And as if my battery doesn’t last long enough as it is, I downloaded Mobbler to my Nokia E90. Mobbler is—as the name might suggest—a mobile scrobbler. It’ll scrobble music you play with the Nokia music player, but more importantly, it will stream Last.fm radio.

So, if you haven’t already done so, sign up to Last.fm to track your listening, share your taste in music, discover new artists and check out my profile.

Oh, and I’ve added my listening history to the blog sidebar 🙂

Posted in Commentary | 1 Comment

Getting XML data into Symfony, automatically.

The problem

We have a complex XML file with many different node types, etc. supplied by a third party via a URL reference.
There’s an initial dump, and then an incremental update every couple of weeks, with additions, deletions and updates.

What I’d like to be able to do is to drive a symfony app with this data.

Some thoughts so far

I’m a symfony noob.

Getting the data

I could manually transform the XML into YAML to create the schema and the initial data load, and then build the app. But I don’t want to have to do this manually for the regular updates. Ideally, I’d like to use the symfony ORM to handle all the transactions, rather than a completely separate (outside symfony) script.

… and some images

The XML also contains URIs for remotely hosted images, and I’d like to be able to automagically pull these down to the local app file system and rewrite the references.

Anything that will help us to get started in the right direction would be greatly appreciated.

Posted in Coding, Tools | 4 Comments

Redesigning a corporate web environment

The Challenge

I’ve got this friend who is responsible for a corporate front-end web environment with almost a dozen browser-facing web applications. Pretty much all he can do at the moment is change static content in the antiquated and wildly inappropriate CMS. Changing anything significant requires implementation of an expensive one-off SDLC waterfall-type project with a business case, requirements-gathering, PM, BA, dedicated test-resource – the whole box and dice. These projects often under-deliver, with scope being reduced en route to avoid budget and deadline blowout.

He’s not happy with the way things are.

He’s got it into his head that it would be far better to create an easily-manageable front-end, with a unified, standardised UI under the control of his front-end web team. Key aspects are simplicity, speed, cost-efficiency, and trust – none of which can be used to describe the current state of affairs.

Some ideas

I was talking to my friend, and he said that at a high level, he’d like to abstract the various applications from the UI, where possible, by means of API/Web Services/etc. On the front-end would be a web application framework – He’s thinking Symfony or similar. He believes he has sufficient developer resource on his team to build/maintain/support this.

Some other ideas he’s been tossing around, in no particular order:

  • Source repository. (He doesn’t have one at the moment). svn or git? Stable trunk policy?
  • Continuous integration. (thanks Mike!)
  • Test-driven development.
  • Automated processes.
  • Security.
  • Content management.
  • Performance. Code-efficiency, caching, etc. (Although he’s heard it said that performance shouldn’t become an issue until performance becomes an issue)
  • The database. Does CouchDB lend itself to supporting a content-driven web application?
  • Will it blend scale?

More ideas…

… are welcome. He needs all the help he can get. While it’s all very bluesky (with pie) at the moment, he needs to turn it into a watertight, bulletproof, business case. And soon.

Posted in Commentary, Design, User Interface | 6 Comments

An update

It’s been a while since my last post.

During that while, I’ve returned reluctantly to New Zealand from an incredible 12 months in Switzerland. I was working for an outstanding company (Best Of Swiss Web 2009) on some outstanding projects.

I made some great friends, had some great times, learned to snowboard, lost nearly 15 kilograms, braved rubber bullets and tear gas on the 1st of May, and thoroughly enjoyed myself.

I’m now back in Auckland, and am three weeks into my new job as Web Development Manager at Vodafone. I’m part of a great team and am really hanging out to do great things on/with/through the web 🙂

Another thing I’m looking forward too is the next Auckland Web Meetup on the 2nd of July. It’ll be great to catch up with friends, eat pizza, drink an Epic, learn more and be inspired.

I’ve got a new mobile number (+64 21 623 923) and am making the most of my Nokia E90 (I know, it’s not an iPhone). I use Twibble as my Twitter client, and am continuously updating my location with Google Latitude. You can see my current location on the sidebar, along with a few feeds of Dan-generated content and links.

Posted in Commentary | 3 Comments