Some recent updates...

Our feature trickle continues. In the midst of working on some pretty big upgrades and brand-new features, we've been fixing bugs, tweaking the interface, and putting some spit-and-polish on the functions deep inside Populi—the stuff that makes the front-end run better. Of some note, regular Staff users can now add News Articles that are visible to Students. We pushed an update for the iPhone App to fix an attendance-taking bug some instructors have bumped into. IPEDS reporting for the Winter & Fall Enrollment and Fall Completions series received some general improvements.

We've also released some improvements to online tests. Students can now review their answers for tests they've already taken. And instructors can now share Test Questions between Courses!

And there's a lot more to come in the near future...

Firesheep causes a stir

A few weeks ago, one Eric Butler, a freelance web developer and security researcher from Seattle, released a Firefox extension called Firesheep. Firesheep allows the user to hijack HTTP sessions transmitted over unsecured wireless networks. In other words, someone can walk into a coffeeshop, open their laptop, and via nothing more than a public wifi connection, find other patrons and log in to their accounts on sites like Facebook without a username or password. Firesheep is ridiculously simple to use; with three or four clicks the user can log in as anyone else using that wifi connection—all without the victim ever suspecting a thing.

Butler released Firesheep to bring attention to a very common, basic security flaw that's baked-in to many popular websites and services. In his words:

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.

It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users.

The release of Firesheep—which was downloaded over 100,000 times within 24 hours of its release*—preoccupied the tech press for days. A big draw was its focus on popular sites like Facebook, Twitter, Foursquare, Flickr, Tumblr, and Yelp, all of which broadcast sensitive personal information despite their built-in "privacy controls". Hand-wringing over the ethics of releasing such a tool ensued; others wondered aloud whether it was even legal to do so.

But some were happy to see Firesheep get out in the wild. The program, as they pointed out, merely utilized an already widely-exploited security issue. Formerly, you had to be a hacker or a nerd to hijack HTTP sessions, or at least willing to spend five minutes with Google to find tools to help you. Firesheep made it simple enough for nearly anyone to try it; the press it received no doubt buoyed its popularity. Butler's goal, of course, was to force this security issue into the mainstream. "The real story here is not the success of Firesheep but the fact that something like it is even possible. The same can be said for the recent news that Google Street View vehicles were collecting web traffic. It should not be possible for Google or anybody to collect this data, whether intentional or not. Going forward the metric of Firesheep’s success will quickly change from amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all."

When will Firesheep no longer work at all? To summarize what Butler and others have been saying, that day will come when websites properly and widely adopt the HTTPS protocol. HTTPS adds a layer of encryption to your communications, protecting them from eavesdroppers and thieves—even on public wifi connections. Because of the extra computing involved, HTTPS is more intensive than HTTP; thus far, it has been confined largely to online banking, credit card transactions, and occasional sites like Gmail. But in terms of cost and engineering, computing is at the point now where HTTPS can be broadly implemented at a reasonable effort.**
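The weakness described above (password sent over HTTPS, session cookie then replayed over plain HTTP) is easy to check for in a login response. The following is an added example, not code from the original post or from Populi; the response headers are constructed sample input, and the rule it applies is that a cookie without the Secure attribute will be sent on every http:// request, which is exactly what a sidejacking tool listens for.

```python
"""Audit a login response for the Firesheep-class weakness: the login itself
is encrypted, but the session cookie it hands back lacks the Secure flag, so
the browser will repeat it over unencrypted HTTP on every later request."""
from http.cookies import SimpleCookie


def audit_login_response(headers):
    """Return a list of findings for a dict of HTTP response headers."""
    findings = []
    cookies = SimpleCookie()
    cookies.load(headers.get("Set-Cookie", ""))
    for name, morsel in cookies.items():
        # Without Secure the browser also sends the cookie to http:// URLs,
        # i.e. in the clear over an open wireless network.
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure; sent over plain HTTP")
        # HttpOnly keeps page scripts from reading the session token.
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly; readable by scripts")
    # HSTS tells the browser never to start a plain-HTTP request at all.
    if "Strict-Transport-Security" not in headers:
        findings.append("no Strict-Transport-Security header")
    return findings


def harden_set_cookie(name, value):
    """Build the Set-Cookie line a site that encrypts everything should send."""
    cookies = SimpleCookie()
    cookies[name] = value
    cookies[name]["secure"] = True
    cookies[name]["httponly"] = True
    cookies[name]["samesite"] = "Lax"
    cookies[name]["path"] = "/"
    return cookies[name].OutputString()


# Constructed sample responses (not real traffic).
WEAK_LOGIN = {"Set-Cookie": "sid=9f3a1c; Path=/"}
HARDENED_LOGIN = {
    "Set-Cookie": harden_set_cookie("sid", "9f3a1c"),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    print("weak:", audit_login_response(WEAK_LOGIN))
    print("hardened:", audit_login_response(HARDENED_LOGIN))
```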

If we were asked to pick sides on this, we'd side with Butler.

Populi has always used industry-standard 128-bit SSL encryption for every last communication between your computer and our servers. If you're using Populi over coffeeshop wifi, HTTP-hijackers won't be able to get anywhere near your session, no matter what tools they're using. But we'll never simply rest on this encryption method. Perfect security, as we've repeated before, is a moving target. With all the interest hackers have in the juicy hunks of personal data colleges keep track of, they're gonna keep trying. Consequently, we would say that our top security features are more cultural than technological. Quite simply, we're dedicated to the safety of your data, your right to access it, and your right to keep other people out of it. In other words, we're dedicated to staying on our feet.

*It's well on its way to 800,000 as of this writing.

**If you're looking to guard yourself against HTTP-hijacking, tools like HTTPS Everywhere can help (as long as you're visiting sites that have the protocol as an option).

Phishing scam targeted at Populi users

A Populi user forwarded an email she received from an "Alice Hobbs" which reads as follows:

Dear Webmail User,

This message is from the Webmail Support team to all email users. We are currently carrying out an upgrade on our system, hence it has come to our notice that one of our subscribers Infected our Network with a worm like virus and it is affecting Our database.

We are also having congestions due to the anonymous registration of email accounts, so we are shutting down email accounts deemed to be inactive. Your email account is listed among those requiring update.

To resolve this problem, simply click to reply this message and enter your User Name here

(_____________) And Password Here (___________) to have your email account Cleared against this virus.

Failure to comply will lead to the termination of your Email Account.

Hoping to serve you better.

Alice Hobbs

Webmail Support

This email is a phishing scam.

Not only do we not employ anyone named Alice Hobbs, but we have a strict policy: NO ONE AT POPULI WILL EVER ASK FOR YOUR USERNAME AND PASSWORD. The only people who do this are scammers—in this case, operating via an IP address from Zhejiang Province, China.

If you received this email, delete it. If you responded to this email, please log in to Populi and change your password immediately.

Just to be clear, Populi itself has not been compromised; this is an attempt by hackers to compromise Populi (and possibly harvest sensitive information) by gaining access through a legitimate user account. Also, there's a good chance that you won't see this email; our spam-catchers have been sequestering most of these emails and junking them.

Please feel free to post this article to your Populi News Feed, or however you think would be a good way to spread the word.

Happy Monday everyone!

Bad Business

We knew when we got into this business that, well, we were getting into business. In business, honest competition is good and necessary. It helps companies fight complacency and results in better products for consumers. But just because competition is good doesn't make everything done in the name of competition good.

We recently did a demo for a fellow claiming to represent St. Mary's University in San Antonio, Texas, which he said was shopping around for a new information system. The demo was just a low fly-over, nothing intensive or detailed. During the demo, our salesman got a funny feeling about the guy on the other end of the call. After it ended, we did a little research.

The guy had nothing to do with St. Mary's. We gave them a call—they'd never heard of him (and they weren't shopping). A little Googling, a little LinkedIn-ing, a little review of our notes in Highrise, and we figured out that the guy is the Sales Manager for one of our competitors. The company in question offers software similar to ours, and we've bumped into them during the sales process with some colleges. They've won some, we've won others. Fair enough. They're cheaper than Populi, and from the sounds of it, you get what you pay for—less-than-straightforward salesmen, development and support outsourced overseas, K-12 software shoehorned into a college setting...

...and, apparently, their Sales Manager is willing to lie about representing a college.

Now, we're not put out that a competitor saw Populi. That just means that we're the ones worth imitating. We honestly couldn't care less about seeing their software. We're just rather aghast at the willingness of this company to lie about representing an institution our industry is supposed to be serving. What must these guys think of their customers?

When we got into this business, we knew we were getting into something that had made itself obnoxious to a lot of colleges. This episode has hardened our resolve to be different—to just serve our customers, simply and honestly.

Recent Tidbits

A student at Visible School of Memphis, Tennessee wrote to us about how he—and many other students there—are using a Mac program called Fluid, which creates desktop "apps" for websites. Fluid is a "site-specific browser" that serves up one particular website; it's a great way to dedicate a spot for a web app like Populi on the Mac desktop or Dock and launch it separate from your browser. We use Fluid around here, too—it's nimble, lightweight, and stays out of the way. We like it. Anyway, the student wanted to see if we had a desktop icon he could use. Fluid defaults to use a website's 15 x 15-pixel favicon (you know, this thing) for the desktop icon, but when you blow up an icon that small, it looks pretty poor. Adam Sentz took a few seconds and provided him with this 512 x 512 icon, which you're free to download yourself to use with Fluid.*

Dennis Hixson, Vice-President of Pacific Life Bible College of Surrey, British Columbia, is easily our most-caffeinated customer. To show his appreciation for our development and support teams, he sent us three pounds of Intelligentsia Coffee from the roasting lab in Los Angeles, California. UPS dropped off a pound of Intelligentsia's invincible Black Cat espresso blend and about two pounds of a really beautiful, jammy Guatemalan bean. We love coffee around here—some love it as fuel, some love it as a culinary experience—and we're really grateful to Dennis for gifting us some of the best.

Our trickle of features continues. We released a Student Loan Clearinghouse report; it accompanies various IPEDS series in our preset reports in Academics. We added the ability to charge Bookstore tax and shipping charges to student accounts. Populi Accounting now accommodates foreign currencies. And Payment Plans have been slightly re-tooled to make them easier to use.

All the while we're still working on some bigger-ticket items, interface updates, and numerous other projects.

*Fluid, of course, is Mac-only. Google Chrome lets you do something similar for Windows PCs by creating "Application Shortcuts" for individual websites—check the Chrome documentation for full particulars.

What we've been up to

Wow, it's been busy here lately. So busy, in fact, that we've barely had time for this poor ol' blog. So here's some news about what we've been up to...

Since May, we've brought on some 25 new colleges, seminaries, and other institutions. We have another 5 ready to launch in the next few weeks. As I write this, almost all of our current customers are in the midst of course registration for the Fall 2010 Academic Term. At any given moment during the day, Populi is handling hundreds of users and thousands of students, much more than ever before.

This is a thick time of year for our customers—and so it is for us, too! We spent the summer training registrars, bursars, other staff, and faculty. Thanks to Adam Sentz's constant scrutiny and improvement of the interface, many of our new users have just logged in and figured it out themselves. Meanwhile, further improvements are in store for the look and feel of Populi, making it easier to use (and easier on the eyes).

Aaaand... we've been very busy designing, testing, and releasing new features. The past two weeks we've trickled out several items of note and numerous back-end improvements, constituting almost a mini-release. The new stuff includes:

Google Calendar Integration Improvements: Having built out Populi's integration with Google Apps, we're happy to announce that it now supports full Course Calendar syncing. When you add a course to an Academic Term, it automatically creates a corresponding Course Calendar in Google. As you add faculty and students to that course, they're automatically subscribed to its Calendar. The Calendar feeds directly into the Events on their Populi Home pages, and even includes assignment due dates, special meeting times, and so on.

Payments/Refunds Report: Thanks to feedback from some of our most thorough financial users, we built a report in Billing that gathers together all Payments and Refunds in a single table. Filter it to see different types of payments, amounts, and date ranges—and print the receipts with a single click. We also added receipts to the custom Layout options in Communications.

Online Application Enhancements: In addition to an email verification field, there's some new JavaScript on the back-end of the Online Application that lets you connect it to an external, online marketing campaign (say, your Facebook page). It lets you (among other things) track "conversions" from your campaign to the application, giving you a better sense of how your marketing efforts are working. We're eager to see what our customers come up with for this—this, too, was based on a customer's suggestion. If you want to put it to work for you, the complete details are in the Populi Knowledge Base.

Our work hasn't been the only thing keeping us occupied. Isaac recently ran a triathlon (and check out these wild pics from his trailcam!), Mark's two bands have been gigging around town, and Toby recently welcomed a son into the world. Some of us have gardens, others are finishing their degrees, and one has a motorcycle.

We've been busy, we're busy now, and there's no sign of the busy-ness letting up anytime soon. Thanks to all our customers for keeping our days interesting and full of stuff to do.