Our next release: "Show Password" and Improved Search

Among the big-picture upgrades we've been working on for a while, our upcoming release features a bunch of lower-key interface tweaks. We strongly believe that the little things can make as much difference to our users as the big things. A seemingly minor interface improvement might be just the thing to speed up a common task, which in turn makes for a much better experience for our users.

Two such changes slated for the next update are a Show Password option on the login screen and a new Search field.

Populi requires strong, complex passwords. Weak, easily guessed passwords are a huge security problem, and a strong password policy goes a long way toward fixing it. But the better your password is, the less it looks like real language, which makes it harder to remember and to type correctly. To help with this, you'll soon have a Show Password checkbox on the login screen so you can see exactly what you've typed. Among other things, we're hoping it will encourage stronger passwords by making them less painful to use. When your password is showing, of course, you'll need to be more vigilant about over-the-shoulder snoops when using Populi in public places.

We're also changing our search field. The old version, for posterity's sake:

Appearance-wise, the new search field fits in better with our overall direction for Populi's look and feel:

When you're not searching, the field hides behind the Search tab. When you need to find someone or something, just click it. The field opens, the cursor ready for your entry; when you're done, just click elsewhere on the screen to hide it. Need to search again? Just click the tab, and your last search—with all the results—is right there.

The interface update actually conceals a subtle speed improvement in how Populi handles searching. Previously, you'd enter your term, get the results, click elsewhere to work... and then, when it came time to look at the results again, you'd have to refocus, click, and press enter. Each of those round trips made Populi run the search all over again. The new tab keeps your last search and all of its results, so showing them again costs nothing.

Good interface design factors in many things—like convenience, performance, and user behavior, to name but a few. We're restless and relentlessly self-critical when it comes to how well Populi adheres to good design principles. Thus, even things like logging in and searching—things for which our customers never request support—don't escape our attention; even the simplest things are subject to improvement. We revise them because we trust that these details will add up, in the long haul, to a much better experience for all our users.

Some recent updates...

Our feature trickle continues. In the midst of working on some pretty big upgrades and brand-new features, we've been fixing bugs, tweaking the interface, and putting some spit-and-polish on the functions deep inside Populi—the stuff that makes the front-end run better. Of some note, regular Staff users can now add News Articles that are visible to Students. We pushed an update for the iPhone App to fix an attendance-taking bug some instructors have bumped into. IPEDS reporting for the Winter & Fall Enrollment and Fall Completions series received some general improvements.

We've also released some improvements to online tests. Students can now review their answers for tests they've already taken. And instructors can now share Test Questions between Courses!

And there's a lot more to come in the near future...

Firesheep causes a stir

A few weeks ago, one Eric Butler, a freelance web developer and security researcher from Seattle, released a Firefox extension called Firesheep. Firesheep lets its user hijack HTTP sessions passing over an unsecured wireless network. In other words, someone can walk into a coffeeshop, open their laptop, and, with nothing more than the public wifi connection, see which other patrons are logged in to sites like Facebook and log in as them without knowing a username or password. Firesheep is ridiculously simple to use; with three or four clicks the user is signed in as anyone else on that wifi connection, and the victim never suspects a thing.

Butler released Firesheep to bring attention to a very common, basic security flaw that's baked-in to many popular websites and services. In his words:

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.

It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users.

The release of Firesheep—which was downloaded over 100,000 times within 24 hours of its release*—preoccupied the tech press for days. A big draw was its focus on popular sites like Facebook, Twitter, Foursquare, Flickr, Tumblr, and Yelp, all of which broadcast sensitive personal information despite their built-in "privacy controls". Hand-wringing over the ethics of releasing such a tool ensued; others wondered aloud whether it was even legal to do so.

But some were happy to see Firesheep get out in the wild. The program, as they pointed out, merely utilized an already widely-exploited security issue. Formerly, you had to be a hacker or a nerd to hijack HTTP sessions, or at least willing to spend five minutes with Google to find tools to help you. Firesheep made it simple enough for nearly anyone to try it; the press it received no doubt buoyed its popularity. Butler's goal, of course, was to force this security issue into the mainstream. "The real story here is not the success of Firesheep but the fact that something like it is even possible. The same can be said for the recent news that Google Street View vehicles were collecting web traffic. It should not be possible for Google or anybody to collect this data, whether intentional or not. Going forward the metric of Firesheep’s success will quickly change from amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all."

When will Firesheep no longer work at all? To summarize what Butler and others have been saying, that day will come when websites properly and widely adopt the HTTPS protocol. HTTPS encrypts the whole conversation between your browser and the site, so an eavesdropper on public wifi sees ciphertext rather than your cookie. The catch is that a site has to use it for every request, not just the login page, and has to mark its session cookie so the browser never sends it over plain HTTP; one unencrypted page request leaks the cookie all over again. Because of the extra computing involved, HTTPS is more intensive than HTTP; thus far, it has been confined largely to online banking, credit card transactions, and occasional sites like Gmail. But in terms of cost and engineering, computing is at the point now where HTTPS can be broadly implemented at a reasonable effort.**
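To make the mechanics concrete, here is an added example (our own illustration, not Firesheep's code and not any site's server code) of both halves of the problem described above: what a sniffer on open wifi pulls out of a plain-HTTP request, how that cookie is replayed with no password involved, and the server-side cookie attributes that stop it. The request, host name and cookie values are constructed for the example.

```python
from typing import Dict, List

# Constructed sample: what an open-wifi sniffer sees when a browser that logged
# in over HTTPS then fetches an ordinary page over plain HTTP. The session
# cookie rides along in cleartext, which is all a sidejacker needs.
SNIFFED_HTTP_REQUEST = (
    "GET /home HTTP/1.1\r\n"
    "Host: social.example\r\n"
    "Cookie: session_id=6f3a9c1e2b; lang=en\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

# Cookie names commonly used for the login session (example list, not a standard).
SESSION_COOKIE_NAMES = {"session_id", "sessionid", "phpsessid", "jsessionid"}


def extract_cookies(raw_request: str) -> Dict[str, str]:
    """Parse the Cookie header out of a raw HTTP request, as a sniffer would."""
    cookies: Dict[str, str] = {}
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key:
                    cookies[key] = val
    return cookies


def replay_request(cookies: Dict[str, str], path: str = "/home") -> str:
    """Build the request an attacker sends to ride the victim's session.
    No username or password is involved: the cookie itself is the credential."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: social.example\r\n"
        f"Cookie: {cookie_header}\r\n\r\n"
    )


def _attributes(set_cookie: str) -> set:
    """Lower-cased attribute names (Secure, HttpOnly, Path, ...) of a Set-Cookie value."""
    return {p.strip().partition("=")[0].strip().lower() for p in set_cookie.split(";")[1:]}


def browser_would_send(set_cookie: str, url: str) -> bool:
    """Model the one browser rule that matters here: a cookie carrying the
    Secure attribute is attached only to https:// requests, so it can never
    be broadcast over plain HTTP on open wifi."""
    if "secure" in _attributes(set_cookie) and not url.lower().startswith("https://"):
        return False
    return True


def audit_set_cookie(set_cookie: str) -> List[str]:
    """Return the problems with one Set-Cookie header value that would leave a
    session open to sidejacking (missing Secure) or script theft (missing HttpOnly)."""
    name = set_cookie.split(";")[0].partition("=")[0].strip()
    attrs = _attributes(set_cookie)
    problems: List[str] = []
    if name.lower() in SESSION_COOKIE_NAMES:
        if "secure" not in attrs:
            problems.append(f"{name}: missing Secure, so it will be sent over plain HTTP")
        if "httponly" not in attrs:
            problems.append(f"{name}: missing HttpOnly, so page scripts can read it")
    return problems


if __name__ == "__main__":
    stolen = extract_cookies(SNIFFED_HTTP_REQUEST)
    print("sniffed cookies:", stolen)
    print(replay_request(stolen))
    weak = "session_id=6f3a9c1e2b; Path=/"
    fixed = "session_id=6f3a9c1e2b; Path=/; Secure; HttpOnly"
    print("weak:", audit_set_cookie(weak))
    print("fixed:", audit_set_cookie(fixed))
    print("fixed cookie sent over http?", browser_would_send(fixed, "http://social.example/home"))
```

The `Secure` attribute is what closes the hole Firesheep exploited: even if a site still serves some pages over HTTP, a browser will refuse to attach a Secure cookie to those requests, so the session token never goes over the air in the clear. Serving everything over HTTPS is still the right goal, since an HTTP page can itself be tampered with in transit.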

If we were asked to pick sides on this, we'd side with Butler.

Populi has always used industry-standard 128-bit SSL encryption for every last communication between your computer and our servers, not just the login page. If you're using Populi over coffeeshop wifi, a session hijacker never sees your cookie in the clear and won't be able to get anywhere near your session, no matter what tools they're using. But we'll never simply rest on this encryption method. Perfect security, as we've repeated before, is a moving target. With all the interest hackers have in the juicy hunks of personal data colleges keep track of, they're gonna keep trying. Consequently, we would say that our top security features are more cultural than technological. Quite simply, we're dedicated to the safety of your data, your right to access it, and your right to keep other people out of it. In other words, we're dedicated to staying on our feet.

*It's well on its way to 800,000 as of this writing.

**If you're looking to guard yourself against session hijacking, browser extensions like HTTPS Everywhere can help by switching your requests to HTTPS automatically (as long as the site you're visiting offers HTTPS at all).

Phishing scam targeted at Populi users

A Populi user forwarded an email she received from an "Alice Hobbs" which reads as follows:

Dear Webmail User,

This message is from the Webmail Support team to all email users. We are currently carrying out an upgrade on our system, hence it has come to our notice that one of our subscribers Infected our Network with a worm like virus and it is affecting Our database.

We are also having congestions due to the anonymous registration of email accounts, so we are shutting down email accounts deemed to be inactive. Your email account is listed among those requiring update.

To resolve this problem, simply click to reply this message and enter your User Name here

(_____________) And Password Here (___________) to have your email account Cleared against this virus.

Failure to comply will lead to the termination of your Email Account.

Hoping to serve you better.

Alice Hobbs

Webmail Support

This email is a phishing scam.

Not only do we not employ anyone named Alice Hobbs, but we have a strict policy: NO ONE AT POPULI WILL EVER ASK FOR YOUR USERNAME AND PASSWORD. The only people who do this are scammers—in this case, operating via an IP address from Zhejiang Province, China.

If you received this email, delete it. If you responded to this email, please log in to Populi and change your password immediately, and change it anywhere else you use the same password.

Just to be clear, Populi itself has not been compromised; this is an attempt by scammers to get into Populi through a legitimate user's account (and likely to harvest whatever sensitive information that account can see). Also, there's a good chance that you won't see this email; our spam-catchers have been sequestering most of these emails and junking them.
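The tells in this message are the ones a mail filter looks for. As an added example (our own illustration, not Populi's spam-catcher), here is a small checker that flags the indicators present in the email quoted above: a Reply-To that points somewhere other than the sender, a request to send a username or password, a threat of account termination, and a generic greeting. The body is the text quoted above; the addresses and subject lines are invented for the example, since the post does not reproduce the headers.

```python
import email
import re
from email.utils import parseaddr
from typing import List

# Constructed sample: the body of the phishing message quoted above, with
# invented headers (the original headers are not reproduced in the post).
PHISH = """\
From: Webmail Support <alice.hobbs@example.org>
Reply-To: webmail.support.upgrade@example.net
To: user@college.example
Subject: Webmail Account Update

Dear Webmail User,

This message is from the Webmail Support team to all email users. We are
currently carrying out an upgrade on our system. Your email account is listed
among those requiring update.

To resolve this problem, simply click to reply this message and enter your
User Name here (_____________) And Password Here (___________).

Failure to comply will lead to the termination of your Email Account.

Alice Hobbs
Webmail Support
"""

# Constructed benign message for comparison.
BENIGN = """\
From: IT Help Desk <helpdesk@college.example>
To: user@college.example
Subject: Maintenance window this weekend

Hi Jane,

The portal will be offline Saturday from 2 to 4 am for maintenance.
No action is needed on your part.
"""

ASKS_FOR_CREDENTIALS = re.compile(r"\b(user\s*name|password|passcode)\b", re.IGNORECASE)
THREATENS = re.compile(
    r"(failure to comply|will be (terminated|suspended|closed)|termination of your)",
    re.IGNORECASE,
)
GENERIC_GREETING = re.compile(
    r"^\s*dear (webmail|e-?mail|valued|account) (user|customer|holder)",
    re.IGNORECASE | re.MULTILINE,
)


def domain_of(header_value: str) -> str:
    """Bare lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_message: str) -> List[str]:
    """Return short tags for each credential-phishing indicator found in one message."""
    msg = email.message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits: List[str] = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        hits.append("reply-to-mismatch")      # replies go to a different domain than the sender
    if ASKS_FOR_CREDENTIALS.search(body):
        hits.append("credential-request")     # asks the reader to send a username/password
    if THREATENS.search(body):
        hits.append("threat")                 # termination/suspension for non-compliance
    if GENERIC_GREETING.search(body):
        hits.append("generic-greeting")       # no recipient name
    return hits


def looks_like_phish(raw_message: str, threshold: int = 2) -> bool:
    """Verdict: any request for credentials is decisive (no legitimate support
    desk asks for a password); otherwise require `threshold` weaker indicators."""
    hits = phishing_indicators(raw_message)
    return "credential-request" in hits or len(hits) >= threshold


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, phishing_indicators(sample), looks_like_phish(sample))
```

The rule that does the most work is the simplest one, and it is the same rule stated above: a message asking you to send your password is a scam regardless of what else it says. The other indicators are there because real phishing varies its wording, and a filter that keys on one phrase is easy to evade.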

Please feel free to post this article to your Populi News Feed, or however you think would be a good way to spread the word.

Happy Monday everyone!

Reporting: the Movie

Populi is stuffed full of built-in reports. Any SIS ought to be—that's part of how the software makes the massive amount of information in your database useful and comprehensible. Customers who've come over from other systems tell us that many of the most basic reports in Populi—say, the Students Table—required lots of elbow grease to get them out of their old software... running this option and that one, then exporting it all and merging it with two other spreadsheets. Yeesh. We want reporting to be a lot simpler than it typically is, because that's how you get at your information and make it work for your school. That's our approach, and we're constantly finding ways to improve on what we've done.

Here's a brief video of the reporting tools in Academics. Analytics gives you the bird's-eye view of student, faculty, degree, and retention statistics. The Data Slicer lets you create endlessly customizable reports on your students. And the Preset reports help you complete various IPEDS series and the National Student Clearinghouse report with a click or two.

Reporting from Populi on Vimeo.

Bad Business

We knew when we got into this business that, well, we were getting into business. In business, honest competition is good and necessary. It helps companies fight complacency and results in better products for consumers. But just because competition is good doesn't make everything done in the name of competition good.

We recently did a demo for a fellow claiming to represent St. Mary's University in San Antonio, Texas, which he said was shopping around for a new information system. The demo was just a low fly-over, nothing intensive or detailed. During the demo, our salesman got a funny feeling about the guy on the other end of the call. After it ended, we did a little research.

The guy had nothing to do with St. Mary's. We gave them a call—they'd never heard of him (and they weren't shopping). A little Googling, a little LinkedIn-ing, a little review of our notes in Highrise, and we figured out that the guy is the Sales Manager for one of our competitors. The company in question offers software similar to ours, and we've bumped into them during the sales process with some colleges. They've won some, we've won others. Fair enough. They're cheaper than Populi, and from the sounds of it, you get what you pay for—less-than-straightforward salesmen, development and support outsourced overseas, K-12 software shoehorned into a college setting...

...and, apparently, their Sales Manager is willing to lie about representing a college.

Now, we're not put out that a competitor saw Populi. That just means that we're the ones worth imitating. We honestly couldn't care less about seeing their software. We're just rather aghast at the willingness of this company to lie about representing an institution our industry is supposed to be serving. What must these guys think of their customers?

When we got into this business, we knew we were getting into something that had made itself obnoxious to a lot of colleges. This episode has hardened our resolve to be different—to just serve our customers, simply and honestly.