In the wee hours of January 4th, we released the first major Populi update since June 11, 2010. Featuring an overhaul of Populi Academics, brand-new Account Management features, continued refinement to the navigation and interface, and some new API capabilities, the release encompasses a half a year's worth of development time. We released literally hundreds of features, updates, bugfixes, and tweaks which make Populi more flexible and accommodating to the wide variety of schools we count among our customers—including liberal arts colleges, seminaries, nursing schools, and technical colleges.

Academics

We did a near-complete overhaul of Populi Academics, focusing on a new dimension: Programs. Programs enable you to partition your Courses, Degrees, and students into unique courses of study with distinct GPA's. You can have Graduate or Undergraduate-level Programs, and define each using credits or hours. Each Program can have a unique Grade Scale, Pass/Fail Threshold, Full-time Threshold, and Academic Standings (complete with custom system tags); additionally, you can define particular Degrees, Courses, and even Tuition Schedules to apply only to students enrolled in a given Program.

To accommodate Programs, we've re-designed Transcripts, the Degree Audit, Courses, Transfer Credits, and Student Profiles. Populi's built-in reports and reporting tools have been accordingly updated to let you sift through your data in light of the new improvements.

Awards, too, have been completely overhauled—now they're called Honors, and they tie in with Programs, Degrees, Academic Terms, and transcripts in much more useful ways. We've re-tooled Academic Settings, giving Academic Admins the ability to manage Grade Scales, the Retake Policy, and a lot more. We also added a setting for vocational and nursing schools that enables tracking of Clinical Hours—contact us if you'd like us to flip this switch.

Account Management

Populi Account Admins can now manage your school's account details right from Populi. The new Account bar shows up to five tabs, depending on your level of access. Account Settings features everything that General Settings used to include—address, phone number, etc.—but with additional options to allow students and faculty to upload their own ID photos, manage high-level access to SSNs, and even change Populi's header color. Integrations lets you enter credentials for 3rd-party apps like iTunes U and Ebrary. Backups lets you download your core Academic and Financial data in CSV format. Payment Settings lets you manage your Pricing Plan and Payment details. And Invoices/Payments lets you view your invoice history, check your billing details, and make payments (and even pre-payments).

Lots of Other Stuff

As described in some other posts, we've improved the navigation and interface throughout Populi—but most dramatically in Admissions. Our gradual movement towards top-level tabs (as opposed to our past mix of top-level tabs and sidebar navigation) lets us use your computer screen more efficiently—and improves how Populi looks and behaves on devices like the iPad.

Besides the new navigation design in Admissions, you can now print applications and enjoy simpler adding of Prospects in My Prospects. The Term Book List has moved from Academics to Bookstore, and we've tightened up the linkages between course Book Lists and inventory management in Bookstore.

A new text editor (in News, Lessons, Bookstore Settings, and many other areas) gives you lots of ways to easily format text, include pictures, embed links, and so on. And now you can embed videos hosted on YouTube or Vimeo right into Course Lessons and News items just by copying and pasting the video URL.

We've improved and clarified the welcome email, set-password screen, and login screen (with a new option to Show Password to help you type it in correctly!). And we've built out the API to expose the data you'll need if you want to integrate Populi with Open Directory.

Keep reading after the jump for a list of things we've trickled out over the past several months...

Minor stuff since June 11, 2010

Many minor releases have intervened since last June; numerous features, large and small, have gone out to you. Here they are, in rough chronological order (oldest to more recent):

• Campus and section now displayed when adding courses on Student tab and when importing courses to a Term
• Fixed an issue where you couldn't grade incomplete students in finalized Pass/Fail courses
• Students can see their overall percentage grade for a Course
• Financial Aid users can select an account to credit when refunding Financial Aid
• Numerous fixes to minor display issues here and there
• Added a new Attendance Report to Academics > By Term
• Students can now have multiple Advisors
• New filter options permit an Aging Report in Financial > Billing > Student Balances
• Added the ability to handle Foreign Currencies and Exchange Rates in Accounting
• Custom receipts
• Payments/Refunds report in Billing
• Numerous improvements (and bugfixes) to Google Calendar integration
• Online Application enhancements including some Javascript to track conversions from external websites (like your Facebook page).
• Fixed up a dozen issues with foreign phone numbers
• Academic Admins may export SSN's via Data Slicer
• Fixed a tabbing issue in the Online Application
• You can now share test questions among different Courses via settings in the Course Catalog
• Numerous improvements to IPEDS reports
• Student Loan Clearinghouse report
• You can now charge Bookstore Tax and Shipping charges to student accounts
• Re-tooling of Payment Plans to make them more understandable and simpler to use
• Staff users can add News Items that are visible to students
• Fixed a really pesky attendance-taking bug in the iPhone app
• Numerous tweaks to online application and component notifications
• Fixed some issues that permitted users to duplicate course abbreviations in Course Catalog
• Improved access to online tests—students can now review tests they've already taken in the Test "History" view

In our January 4 release (more details forthcoming!), we updated several aspects of the IPEDS reports to make sure what Populi produces adheres to the new reporting guidelines. In particular, many of our customers have been asking about the changes they've observed in the Race/Ethnicity categories. For your convenience, here's a link to a FAQ on the new guidelines; the first question addresses the Race/Ethnicity issue.

We had a great year, we're looking forward to the coming year, and we really are grateful to be working with you all. Merry Christmas!

Among the big-picture upgrades we've been working on for awhile, our upcoming release features a bunch of lower-key interface tweaks. We strongly believe that the little things can make as much difference to our users as the big things. A seemingly-minor interface improvement might be just the thing to speed up a common task, which in turn makes for a much better experience for our users.

Two such changes slated for the next update are a Show Password option on the login screen and a new Search field.

Populi requires strong, complex passwords. Weak, easily-compromised passwords are a huge security problem; a strong password policy improves security. However, the better your password is, chances are you've had to abstract it from real language... thus, making it harder to remember or type correctly. To help you with this, soon you'll have a Show Password checkbox to help you enter it accurately. Among other things, we're hoping it will encourage the use of stronger passwords by making it easier for you to use them. When showing your password, of course, you'll need to be more vigilant about over-the-shoulder snoops when using Populi in public places.

We're also changing our search field. The old version, for posterity's sake:

Appearance-wise, the new search field fits in better with our overall direction for Populi's look and feel:

When you're not searching, the field hides behind the Search tab. When you need to find someone or something, just click it. The field opens, the cursor ready for your entry; when you're done, just click elsewhere on the screen to hide it. Need to search again? Just click the tab, and your last search—with all the results—is right there.

The interface update actually conceals a subtle speed improvement in how Populi handles searching. Previously, you'd enter your term, get the results, click elsewhere to work... and then, when it came time to run the search again, you'd have to refocus, click, and press enter. These steps actually required Populi to run the search all over again. But the tab lets Populi save your last search and all of its results.

Good interface design factors in many things—like convenience, performance, and user behavior, to name but a few. We're restless and relentlessly self-critical when it comes to how well Populi adheres to good design principles. Thus, even things like logging in and searching—things for which our customers never request support—don't escape our attention; even the simplest things are subject to improvement. We revise them because we trust that these details will add up, in the long haul, to a much better experience for all our users.

Our feature trickle continues. In the midst of working on some pretty big upgrades and brand-new features, we've been fixing bugs, tweaking the interface, and putting some spit-and-polish on the functions deep inside Populi—the stuff that makes the front-end run better. Of some note, regular Staff users can now add News Articles that are visible to Students. We pushed an update for the iPhone App to fix an attendance-taking bug some instructors have bumped into. IPEDS reporting for the Winter & Fall Enrollment and Fall Completions series received some general improvements.

We've also released some improvements to online tests. Students can now review their answers for tests they've already taken. And instructors can now share Test Questions between Courses!

And there's a lot more to come in the near future...

A few weeks ago, one Eric Butler, a freelance web developer and security researcher from Seattle, released a Firefox extension called Firesheep. Firesheep allows the user to hijack HTTP sessions transmitted over unsecured wireless networks. In other words, someone can walk into a coffeeshop, open their laptop, and via nothing more than a public wifi connection, find other patrons and log in to their accounts on sites like Facebook without a username or password. Firesheep is ridiculously simple to use; with three or four clicks the user can log in as anyone else using that wifi connection—all without the victim ever suspecting a thing.

Butler released Firesheep to bring attention to a very common, basic security flaw that's baked-in to many popular websites and services. In his words:

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.

It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users.

The release of Firesheep—which was downloaded over 100,000 times within 24 hours of its release*—preoccupied the tech press for days. A big draw was its focus on popular sites like Facebook, Twitter, Foursquare, Flickr, Tumblr, and Yelp, all of which broadcast sensitive personal information despite their built-in "privacy controls". Hand-wringing over the ethics of releasing such a tool ensued; others wondered aloud whether it was even legal to do so.

But some were happy to see Firesheep get out in the wild. The program, as they pointed out, merely utilized an already widely-exploited security issue. Formerly, you had to be a hacker or a nerd to hijack HTTP sessions, or at least willing to spend five minutes with Google to find tools to help you. Firesheep made it simple enough for nearly anyone to try it; the press it received no doubt buoyed its popularity. Butler's goal, of course, was to force this security issue into the mainstream. "The real story here is not the success of Firesheep but the fact that something like it is even possible. The same can be said for the recent news that Google Street View vehicles were collecting web traffic. It should not be possible for Google or anybody to collect this data, whether intentional or not. Going forward the metric of Firesheep’s success will quickly change from amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all."

When will Firesheep no longer work at all? To summarize what Butler and others have been saying, that day will come when websites properly and widely adopt the HTTPS protocol. HTTPS adds a layer of encryption to your communications, protecting them from eavesdroppers and thieves—even on public wifi connections. Because of the extra computing involved, HTTPS is more intensive than HTTP; thus far, it has been confined largely to online banking, credit card transactions, and occasional sites like Gmail. But in terms of cost and engineering, computing is at the point now where HTTPS can be broadly implemented at a reasonable effort.**

If we were asked to pick sides on this, we'd side with Butler.

Populi has always used industry-standard 128-bit SSL encryption for every last communication between your computer and our servers. If you're using Populi over coffeeshop wifi, HTTP-hijackers won't be able to get anywhere near your session, no matter what tools they're using. But we'll never simply rest on this encryption method. Perfect security, as we've repeated before, is a moving target. With all the interest hackers have in the juicy hunks of personal data colleges keep track of, they're gonna keep trying. Consequently, we would say that our top security features are more cultural than technological. Quite simply, we're dedicated to the safety of your data, your right to access it, and your right to keep other people out of it. In other words, we're dedicated to staying on our feet.

*It's well on its way to 800,000 as of this writing.

**If you're looking to guard yourself against HTTP-hijacking, tools like HTTPS Everywhere can help (as long as you're visiting sites that have the protocol as an option).