recruit.ox.ac.uk Permalink Generator

If you’ve ever applied for a job with my employer, the University of Oxford, you’ll have come across recruit.ox.ac.uk, one of the most-frustrating websites in the world. Of its many problems, the biggest (in my mind) is that it makes it really hard to share or save the web address of a particular job listing. That’s because instead of using individual web addresses to correspond to individual jobs, like any sanely-designed system would, it uses JavaScript hackery and black magic to undermine the way your web browser was designed to work (which is why, you’ll find, you can’t “open in new tab” properly either), and instead provides its own, inferior, interface.

Some day I might get around to writing e.g. a userscript and/or browser plugin that “fixes” the site – from a user’s perspective, at least. But for the time being, because this morning I needed to share via social media a link to a UX developer post we’ve just advertised, I’ve come up with a little bookmarklet to fix this single problem:

Drag the bookmarklet to your bookmarks toolbar, then - when on the recruit.ox.ac.uk site - click it to use it.

This tool makes it easy to get permalinks (web addresses you can save or share) for job listings on recruit.ox.ac.uk. It might be adaptable to make it work with other CoreHR-powered systems, if it turns out that this missing feature comes from the underlying software that powers the site: it could also form the basis of a future userscript that would automatically fix the site “on the fly”. Here’s how to use it:

  1. Drag the link below into your browser’s bookmarks (e.g. the bookmarks toolbar).

    recruit.ox.ac.uk permalink

  2. When you’re on a recruit.ox.ac.uk job page, click on the bookmark. A permalink will appear at the top of the page, for your convenience. If you’re using a modern browser, the permalink will also appear in the address bar.
  3. Copy the permalink and use it wherever you need it, e.g. to share the link to a job listing.

If you have any difficulty with it or want help adapting it for use with other CoreHR systems, give me a shout.

Rave Reviews for Your Password Sucks

Last month, I volunteered myself to run a breakout session at the 2012 UAS Conference, an annual gathering of up to a thousand Oxford University staff. I’d run a 2-minute micropresentation at the July 2011 OxLibTeachMeet called “Your Password Sucks!”, and I thought I’d probably be able to expand that into a larger 25-minute breakout session.

Your password: How bad guys will steal your identity
My expanded presentation was called “Your password: How bad guys will steal your identity”, because I wasn’t sure that I’d get away with the title “Your Password Sucks” at a larger, more-formal event.

The essence of my presentation boiled down to demonstrating four points. The first was you are a target – dispelling the myth that the everyday person can consider themselves safe from the actions of malicious hackers. I described the growth of targeted phishing attacks, and relayed the sad story of Mat Honan’s victimisation by hackers.

The second point was that your password is weak: I described the characteristics of good passwords (e.g. sufficiently long, complex, random, and unique) and pointed out that even among folks who’d gotten a handle on most of these factors, uniqueness was still the one that tripped people over. A quarter of people use only a single password for most or all of their accounts, and over 50% use 5 or fewer passwords across dozens of accounts.

You are a target. Your password is weak. Attacks are on the rise. You can protect yourself.
The four points I wanted to make through my presentation. Starting by scaring everybody ensured that I had their attention right through ’til I told them what they could do about it, at the end.

Next up: attacks are on the rise. By a combination of statistics, anecdotes, audience participation and a theoretical demonstration of how a hacker might exploit shared-password vulnerabilities to gradually take over somebody’s identity (and then use it as a platform to attack others), I aimed to show that this is not just a hypothetical scenario. These attacks really happen, and people lose their money, reputation, or job over them.

Finally, the happy ending to the story: you can protect yourself. Having focussed on just one aspect of password security (uniqueness), and filling a 25-minute slot with it, I wanted to give people some real practical suggestions for the issue of password uniqueness. These came in the form of free suggestions that they could implement today. I suggested “cloud” options (like LastPass or 1Password), hashing options (like SuperGenPass), and “offline” technical options (like KeePass or a spreadsheet bundled into a TrueCrypt volume).

I even suggested a non-technical option involving a “master” password that is accompanied by one of several unique prefixes. The prefixes live on a Post-It Note in your wallet. Want a backup? Take a picture of them with your mobile: they’re worthless without the master password, which lives in your head. It’s not as good as a hash-based solution, because a crafty hacker who breaks into several systems might be able to determine your master password, but it’s “good enough” for most people and a huge improvement on using just 5 passwords everywhere! (another great “offline” mechanism is Steve Gibson’s Off The Grid system)
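The difference between the prefix scheme and a hash-based one can be shown with a short added example (not part of the original talk or post). The master password, prefixes, site names and the PBKDF2-based derivation are all constructed for illustration; the derivation is not SuperGenPass's own algorithm.

```python
import base64
import hashlib
from os.path import commonprefix

# Constructed sample data: a memorised master and the Post-It prefixes.
MASTER = "correct-horse-battery"
PREFIXES = {"shop.example": "k7Q", "forum.example": "m2X", "mail.example": "p9R"}


def prefix_password(site: str, master: str = MASTER) -> str:
    """Post-It scheme: the site's unique prefix followed by the master."""
    return PREFIXES[site] + master


def derived_password(site: str, master: str = MASTER, length: int = 16) -> str:
    """Hash-based scheme (illustrative construction, not SuperGenPass's own):
    stretch the master with PBKDF2, salted by the site name, so each site
    receives an unrelated-looking value."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), 200_000)
    return base64.urlsafe_b64encode(raw).decode()[:length]


def shared_suffix(passwords) -> str:
    """Longest ending common to every password in the collection."""
    return commonprefix([p[::-1] for p in passwords])[::-1]


def exposure_report() -> dict:
    """What the holder of plaintext passwords from several sites can read off."""
    sites = list(PREFIXES)
    prefixed = [prefix_password(s) for s in sites]
    derived = [derived_password(s) for s in sites]
    return {
        "prefix_scheme_shared": shared_suffix(prefixed),
        "hash_scheme_shared": shared_suffix(derived),
        "master_visible_in_hash_scheme": any(MASTER in d for d in derived),
    }


if __name__ == "__main__":
    for key, value in exposure_report().items():
        print(f"{key}: {value!r}")
```

With the prefix scheme the master appears verbatim as the part every password has in common; with the derived passwords nothing recognisable is shared. A derived password can still be used to test guesses at the master offline, which is why the derivation is deliberately slow and why the master itself still needs to be strong.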

"Delivery" ratings for the UAS Conference "breakout" sessions
My presentation – marked on the above chart – left people “Very Satisfied” significantly more than any other of the 50 breakout sessions.

And it got fantastic reviews! That pleased me a lot. The room was packed, and eventually more chairs had to be brought in for the 70+ folks who decided that my session was “the place to be”. The resulting feedback forms made me happy, too: on both Delivery and Content, I got more “Very Satisfied” responses than any other of the 50 breakout sessions, as well as specific comments. My favourite was:

Best session I have attended in all UAS conferences. Dan Q gave a 5 star performance.

So yeah; hopefully they’ll have me back next year.

Your Experience May Differ

To: Daniel Hill <dlh9@….>
From: Dan Q <dan@….>
Subject: Aberystwyth University Is Awesome! Warning: Your Experience May Differ.


Dear Daniel,

There’s an age-old tradition amongst Aberystwyth graduates, and in particular amongst Computer Science graduates. But to truly understand it, you first need to understand a little bit about Aberystwyth University. Also, to understand recursion, you must first understand recursion (you’ll “get” that joke by your second year, if you don’t already).

As you know, your username is “dlh9”. There’s a reason for that: The letters are your initials. “But I don’t have a middle name,” I hear you cry (or, at least, not one that the University know about), “Where’s the ‘L’ come from?” Well, it turns out that Information Services, who look after all of the computer networks, have a System [TM]. And their System [TM] is that staff get usernames like “abc”, undergrads get “abc1”, postgrads get “abc12”.

(this has led to some awesome usernames: for example, “bed” used to be the username of somebody from Residential Services, and “sad” was once the username of one of the counsellors at the Students’ Union)

Anyway, I digress. I was talking about usernames. The digit in your username is the year you started your course. So, because you’re starting this year, yours is “9” (see, ‘cos it’s 2009 – get it?). You’re not allowed to spend more than nine years getting your degree, so that’s a pretty good primary key (you probably know what one of those is, but if not, you will before the academic year is out). Postgraduates get two digits because they often hang around for years and years. I don’t know what would happen if somebody spent a century getting their PhD, but I’m guessing that it wouldn’t be pretty.

And so there’s been a long-standing tradition amongst Aber grads, and particularly Comp. Sci. Aber grads, and especially particularly Comp. Sci. Aber grads-who-graduated-and-got-jobs-in-Aberystwyth and never got around to leaving… that when their username comes up for “renewal” – when a decade passes after they first started their course – they finger (you’ll learn what that means soon enough, too) the Aber computer systems and check if their username has been re-assigned. It’s a great way to make yourself feel old, as if the annual influx of younger-every-year Freshers didn’t do that perfectly well already.

Over the years, I’ve seen many friends play this little game. Some of them won, but most of them lost – it turns out that the odds aren’t really on your side: there are 17,576 conceivable username combinations each year – from aaa9 to zzz9 – and only 3,000 new students, so odds are less than 50% whether or not you ignore the statistical biases that mean that things like “qxz9” (Quentin X. Zachary?) are basically never going to turn up.

So imagine my surprise when I, for the first time, get to play the game, today… and I not only win, but I get a double-win, because the person to whom my old username has been recycled is an undergraduate in my old department!

Yes: I was the last owner of “dlh9”. I was “dlh9” from 1999, when I started, to 2004, when I graduated, an alumnus of the Computer Science Department at what was then the University of Wales, Aberystwyth (it changed its name to Aberystwyth University shortly afterwards – this, combined with the fact that I have since changed my name by deed poll, means that I am the proud owner of a degree certificate that contains neither my name nor the name of an existing university!). At the time, my name was Daniel Huntley – I didn’t have a middle name, either – and I spent five years getting a four-year degree in Software Engineering before I started working for a software company here in this very town. I haven’t yet got around to leaving.

It still feels strange to write an e-mail to your e-mail address – my old e-mail address. It feels like I’m writing an e-mail to myself. I wonder what I’d have made of it if I’d have received this e-mail when I first arrived at University. It’s not so hard to imagine: the person I am now would be unrecognisable to the person I was back then, just like I am a complete stranger to you, but writing to you nonetheless. But even if you discard this e-mail and never think of it again, you’ll have done me a wonderful service by allowing me the chance to participate in a fascinating thought experiment that has granted me a great and deep nostalgia for the time I spent at that University.

(by the way; I apologise if your e-mail address is still getting the spam it used to get when it belonged to me)

Like me, Aber’s changed over the last ten years. The University’s changed, and the Computer Science Department has changed too. But I’m sure that you’ll find the place as beautiful and as satisfying as it has always been: this remarkable town on the West coast of Wales, where the mountains meet the sea, full of strange and quirky characters, a million miles from anywhere, and truly unique. I find myself longing for you to have *my* experience of Aberystwyth; to do all the great things I did, to meet all the great people I did – but you won’t. You won’t have the same lovers; you won’t discover the same music; you won’t join the same clubs; you won’t have the same beautiful sunsets while you roast burgers on disposable barbeques and the rising tide laps at your ankles; you won’t have the same hangovers; you won’t scrape through the same exams; you won’t steal the same traffic cones; you won’t climb the same mountains. A different story told differently.

You won’t have any of the things that made my time here in Aberystwyth so wonderful for the last ten years, but don’t despair, because you’ll have something far better – you’ll have all of your own marvellous experiences. Mine are mine in nostalgia alone, but yours are yet to come. And I hope you have an ass-kickingly good time, because that’s what every Aber Comp. Sci undergrad deserves when they come to this magical corner of the world.

When you get as far as your lectures, tell Richard Shipman I said “Hi”. That’ll put you in his good books, I’m sure. ;-)

And if you see me around town, give me a wave and I’ll buy you a pint. If you got nothing else from reading this old man’s drivel, you just earned yourself a free pint. When I was a student, I’d have called that a win-win. Your experience may differ.

Good luck, and best wishes;


Dan Q
https://danq.me/