We heard great news today from StreetDoctors, one of our customers. StreetDoctors use volunteer student medics who teach much-needed emergency lifesaving skills to young people at risk of violence.

StreetDoctors have been validated as a Level 2 by both NESTA and Project Oracle. Project Oracle is the evidence hub for Children and Young People set up by the Mayor’s Office for Policing and Crime. The monitoring and evaluation data they have collected has demonstrated that StreetDoctors sessions have a positive impact on the young people we are teaching. Some of the data analysis they submitted shows:

  • 90% of young people (YP) agreed they understood the consequences of violence.
  • 87% of YP agreed they could provide medical intervention to a haemorrhaging/unconscious person.
  • 79% of YP said they would be willing to act if first aid was needed.

Led by the Research and Evaluation taskforce, StreetDoctors volunteers continue to measure impact by conducting session observations and debrief focus groups. In April the taskforce presented their findings at the Royal College of Paediatricians and Child Health conference and were awarded the best oral presentation by the Paediatric Educators Specialist Interest Group.

In June StreetDoctors were honoured to receive a Highly Commended at the Civil Society Charity Awards, the sector’s most highly-regarded excellence recognition scheme.

Jo Broadwood, StreetDoctors CEO, said:

“Bringing in Lamplight has made a huge difference to our confidence in our data!”


Our congratulations to StreetDoctors – have a look at their website http://streetdoctors.org to find out more.

If you have good news you’d like us to share please drop us a line.

There are a number of changes wrapped up and just about ready to go that will give you many more options to increase the security of your system. There are a fair few, so we thought it’d be useful to explain them in detail in advance.


Computer security old school
Photo credit: Stehpan Ridgway on Flickr


1. Two-factor Authentication

Two-factor authentication adds a layer to the login process. At the moment, you need “something you know” – your password. Two-factor authentication also requires “something you have” – your mobile phone. When set up, an app on your phone generates a new 6-digit code every 30 seconds, and each code is only valid for 30 seconds. (This is a bit like the little widgets some banks give you to do online banking.) You have to enter your username and password, and then this 6-digit code, to log in.

Two-factor authentication massively increases the security of your system, and is strongly recommended by security experts for use with all online services that support it. This pdf from SANS (a well respected IT security organisation) explains why in a bit more detail.

To use two-factor authentication with Lamplight, you’ll need to install an app on your phone.  Instructions for most devices are available on the Google support pages.  If (like me) you have a Windows phone, there’s an app called ‘Authenticator’ made by Microsoft in the Marketplace.  You can use these apps for lots of other online services, and they don’t send any information anywhere.

To set it up, you need to go into the admin section of Lamplight and click on ‘Enable two-factor authentication’.  Lamplight will generate a secret code that you need to enter into the app on your phone.  Once your phone and Lamplight both have this shared secret, they can both generate the 6-digit code you need to log in.
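How the phone and the server can both arrive at the same 6-digit code from the shared secret, as an added example (not Lamplight's code) assuming the standard TOTP algorithm (RFC 6238) that such authenticator apps implement. The secret is the constructed RFC test key; `verify`, `last_used_step` and `drift_steps` are illustrative names.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # a code is valid for one 30-second step
DIGITS = 6


def totp(secret_b32, at_time):
    """Code for the 30-second step containing at_time (RFC 6238, HMAC-SHA1)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = struct.pack(">Q", int(at_time) // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, submitted, at_time, last_used_step=-1, drift_steps=1):
    """Return the step number the submitted code matches, or None.

    drift_steps tolerates a small clock difference between phone and server.
    Steps at or before last_used_step are refused, so a code that has already
    been accepted cannot be replayed within its validity window.
    """
    current = int(at_time) // STEP_SECONDS
    for step_no in range(current - drift_steps, current + drift_steps + 1):
        if step_no <= last_used_step:
            continue
        expected = totp(secret_b32, step_no * STEP_SECONDS)
        if hmac.compare_digest(expected, str(submitted)):  # constant-time compare
            return step_no
    return None


# Constructed sample: the RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = time.time()
    code = totp(SAMPLE_SECRET, now)
    print("current code:", code)
    print("accepted at step:", verify(SAMPLE_SECRET, code, now))
```

The server stores the step number returned by `verify` per operator and passes it back as `last_used_step` on the next login attempt.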

Each operator logging in will have their own secret code (and not everyone has to use it, if it’s impractical for some).  We strongly recommend enabling two-factor authentication if at all possible.  While it does add an extra step to the login process, the security benefits are so significant it’s really worth doing.

2. Password policies

System Administrators will now be able to set up password policies, which all operators have to follow when changing their password.  You can require that passwords:

  • be at least a certain length
  • contain at least one lower-case character
  • contain at least one upper-case character
  • contain at least one number
  • contain at least one punctuation symbol
  • do not contain any of the top 500 most popular passwords
  • be changed every <x> days

As a general rule, longer passwords are better than short passwords with a mix of characters in them.  We recommend that you use long passwords (say 20 characters or more) and a password manager (here’s another ‘Securing the human’ pdf about them) to store them, if possible.  Password managers can actually make security easier, as well as stronger, particularly if you use them across a number of sites.

3. Force password change

System Administrators can force someone to change their password the next time they log in, through the ‘add, edit and remove database operators’ section of the admin menu.  If you’re adding a new password policy, you might want to do this afterwards to ensure that everyone has to change their passwords to comply with the new policy.

4. Login policies

Photo credit Incase on Flickr

System Administrators can set up Login Policies that determine where and when different operators can log in to Lamplight.  For example, you might have a ‘sessional staff’ policy that only allows logins between 2pm and 6pm on Mondays and Thursdays, and 9am – 1pm on Fridays (because that’s when they work).  Or you might have an ‘office hours’ policy that only allows logins between 9am and 5pm, Monday to Friday, from your office internet connection.

You can set up a series of these policies, and then choose which to use for each member of staff. Someone trying to log in ‘outside’ of these policy restrictions will see a ‘sorry, not now’ page.

The restriction on where you log in from uses the IP address of your computer. You really need a fixed IP address (which your Internet Service Provider may or may not allow) to use this. If you don’t have one, your IP address is likely to change at some point, and then you won’t be able to log in at all.
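The two example policies above expressed as data and evaluated against a login attempt, as an added sketch (not Lamplight's implementation). The class names, the treatment of end times as exclusive, the use of local time and the office address (from the 203.0.113.0/24 documentation range) are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

MON, TUE, WED, THU, FRI = range(5)  # datetime.weekday() numbering


@dataclass(frozen=True)
class Window:
    days: frozenset
    start: time
    end: time  # exclusive

    def contains(self, when):
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class LoginPolicy:
    name: str
    windows: tuple
    networks: tuple = ()  # empty tuple means "any location"

    def allows(self, when, source_ip):
        """when: naive datetime in the organisation's local time (assumption)."""
        if not any(w.contains(when) for w in self.windows):
            return False
        if not self.networks:
            return True
        try:
            addr = ip_address(source_ip)
        except ValueError:
            return False  # unparseable address: fail closed
        return any(addr in ip_network(net) for net in self.networks)


# The two example policies from the text. The office address is a constructed
# value from the 203.0.113.0/24 documentation range.
SESSIONAL = LoginPolicy("sessional staff", (
    Window(frozenset({MON, THU}), time(14), time(18)),
    Window(frozenset({FRI}), time(9), time(13)),
))
OFFICE_HOURS = LoginPolicy("office hours", (
    Window(frozenset({MON, TUE, WED, THU, FRI}), time(9), time(17)),
), networks=("203.0.113.10/32",))

if __name__ == "__main__":
    monday_3pm = datetime(2024, 1, 1, 15, 0)  # constructed date, a Monday
    print(SESSIONAL.allows(monday_3pm, "198.51.100.7"))
    print(OFFICE_HOURS.allows(monday_3pm, "198.51.100.7"))
```

Because the office policy pins a single address, a change of IP by the ISP makes every `allows` call return False, which is the lock-out the paragraph above warns about.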

When is this happening? Tell me more!

The updates are all ready and waiting for our code review process over the next week or so.  Providing that nothing major comes up in that, these changes will go live the weekend of the 25th October.  Your existing login process will be just the same afterwards as it is now, until your system administrator adds some policies or you set up two-factor authentication.

Next week we’ll also add a video to our YouTube channel explaining all these changes in more detail, and showing you how to set them up in Lamplight.  We’ll add a note to the login page at that point too.

It’s also well worth subscribing to the “Securing the Human” newsletters and circulating them internally.  They come out monthly and explain ‘end-user’ computer security issues really well.

Any other business…

The changes we’ve made to enable this have also allowed us to add ‘multi-system’ logins.  If you use more than one Lamplight at the moment, you need a different email address for each.  We can now combine these to a single email address, and when you log in you’ll get a choice screen to select the system to log in to.  You’ll need to contact us about this if you’d like to use it.



You can see these changes in action on this short YouTube video

tl;dr: As of 31st July 2013 Lamplight will no longer actively support Internet Explorer 8 or below. You ought to upgrade soon.

Why?  A number of reasons.

Windows XP is on the way out.

The only sensible reason for using Internet Explorer (IE) 8 in most cases is that you have the Windows XP operating system. IE9 and 10 do not run on Windows XP, so you have to upgrade the operating system, and possibly hardware, to upgrade Internet Explorer – which may get expensive (but needn’t be – see below).

However, Microsoft will stop supporting Windows XP in April 2014. In Microsoft’s own words, “you will no longer receive updates, including security updates”, and you can read more about the security and privacy implications of this from Microsoft. In short: you should stop using XP too.

So, if you’re using Windows XP, you need to be thinking about upgrading soon.  And if you’re not using Windows XP, you can use Internet Explorer 9 or 10, or…

There are other (better) browsers

That’s assuming you want to keep using Internet Explorer: there are other browsers like Firefox, Google Chrome, Safari or Opera (which all work on XP and above), all of which are better than IE8. If you are really stuck with IE8 for now, you could try Google Frame.

Other things will stop working (or have already)

Google Apps stopped support last year.  Disqus (a commenting system for blogs) doesn’t show comments.  More and more web sites and applications will reduce or remove support for IE8 as we approach April 2013.

It’s expensive to support old browsers

IE8 has quirks and is missing a number of standard features, which means supporting it takes time we’d rather be spending on other things. An Australian company called Kogan added a 6.8% tax on all purchases made using IE7. The New York Times created a web-page and had to employ one person solely to make it work in IE8.

It’s cheap to upgrade (or can be)

If you don’t want to upgrade your hardware, you could consider moving to a Free and Open Source alternative like Ubuntu instead of Windows.  It’s different, but familiar; it looks similar, and free software is available to do pretty much everything you might want to do on Windows.

If your computer can handle it, you could upgrade to Windows 7 or 8.  Registered charities can do so for £8 per computer through Charity Technology Exchange.

What will happen if I keep using IE8?

First of all, you’ll soon see a warning on the login page linking to this blog post.  But otherwise, nothing much, at least not for now.  Lamplight won’t suddenly stop working on the 1st August.  But as time goes on we will no longer test new features on IE8, and we won’t fix problems that only appear on IE8.  Some functionality that uses modern web technologies may not work at all.

But really, the security risks in continuing to use Windows XP beyond April 2013 are so significant that we would say you must upgrade before then.