Scredit Crunch

Apple’s lax security with MobileMe

Posted in Life, Rants by setok on August 27, 2008

I learnt two surprising and potentially dangerous things today. MobileMe’s webmail and Apple’s iDisk are not encrypted. Discussion of this is available here and here.

While I can understand that the argument for email encryption is not that obvious, emails being inherently insecure for many cases, I am surprised and disappointed about the lack of SSL encryption for iDisks. This is especially surprising because if you mount an iDisk on Windows you can do so with SSL encryption and it works fine. Even more worrying is that backup data using Apple’s Backup software is also not encrypted. Now, I don’t tend to store anything of sensitive nature on my iDisk anyway, but I am positive this would catch a good number of people off guard who just expect it to be doing the right thing. Many Macs generally will also be synchronising their iDisks automatically so you could easily be transferring data over an insecure open WLAN the minute you connect to it.

This is doubly troubling because Apple does not actually warn users about this and I am certain many live with the warm cosy feeling that “Macs don’t have security problems”. Apple’s semi-official stance seems to be to use an encrypted disk image on iDisk if you want to pass around sensitive data, which I have yet to experiment with. However I can’t imagine why it would be difficult to use SSL for iDisks or allow the user to turn it on as an option. Finder could even verify certificates automatically and refuse to work if there’s a mismatch (thus removing the possibility of the user accepting a bad certificate).

Something for the Mac users out there to be aware of.


Scred back after outage at the hosting facility

Posted in Scred by setok on August 18, 2008

Our hosting service had a major issue at their facility which cut Scred off from the world for a few hours during Sunday. They are one of Finland’s largest hosting services, so Scred was not the only site affected; many other sites were as well. Unfortunately for us this hit at a bad time, soon after we had launched our totally rewritten version, thus perhaps giving a bad first impression to some. The outage lasted from approximately 17:00 GMT to 23:00 GMT. Everything should now be back in order.

As a footnote, we did stumble across one or two issues with our new Django version. One bug affected some who were trying to register. We apologise for this and have now remedied the problem. Please do not be afraid to let us know if you are still having trouble.

New Scred release (“Ashes to Ashes”)

Posted in Scred by toivotuo on August 16, 2008

After three months of hard work we are finally releasing the next step in Scred development, ‘Ashes to Ashes’. The name is significant because with this release it is time to say goodbye to our old Perl-based core. In fact we have effectively rewritten the entire Scred service on Django and Python. Every line of code had to be rethought, every template ported and even our database altered. Believe me when I say that this is more work than what might immediately be obvious, especially as we put in effort to do things like currency conversions correctly instead of “close enough”.

Hardly any of this will be visible to the user. In fact we measure the success of our porting by that. Every corner case had to be replicated and no funny surprises should be visible to the user. Indeed this should be almost totally invisible to people visiting the site. It has been an immense task, so why did we do it? We did it for you, the users. Our old core was getting more and more difficult to maintain. Adding new features was slower than we liked and bugs would easily appear. With our new core we are positive this will change and we will now be immediately starting work on new features.

The only things users might notice with this new core are that our service is now somewhat faster, it has somewhat better error handling and, for some users, there are very small differences in how balances are converted, and rounded, from one currency to another. In our belief this one is now more correct. Anyone affected has been notified.

Unsurprisingly this effort took more time than we would have liked, especially as we wanted to make absolutely sure user balances were not unduly impacted and that the new database structures would not cause problems. If, however, you stumble across problems, please let us know and we will work hard to fix them.

So why Django?

We will hopefully write up further articles about how the transition went, but basically Django had the best documentation, was easy to get into and was built on a language that gained adequate acceptance from our team. Ruby on Rails did not make us feel confident about scalability and performance, and Ruby is a language none of us are comfortable with. Catalyst seemed reasonable but Django’s documentation was simply better, and we liked the idea of making a clean break from our existing Perl templates and code. We did also investigate using OpenACS on Tcl, which looked like it would be the best at scaling and performance, plus being mature, but the learning curve for this felt very steep and documentation, again, difficult to approach. Plus it has the major downside of requiring AOLWebServer, which would mean moving away from Apache altogether. An idea that did not sound appealing.

We hope users will experience a smooth transition and rest assured that new features are speedily on their way.


Night of Code event on August 21st, 2008 (Kaapelitehdas, Helsinki)

Posted in Night of Code by toivotuo on August 11, 2008

We’re happy to announce that we’ll be hosting this year’s second Night of Code on Thursday, August 21st, 2008. Doors open at 5pm and there’ll probably be time to hack until 11pm. The location is Kaapelitehdas (The Cable Factory), Section E, 5th Floor.

As before, we’ll start with a couple of unconference sessions after which there’s time to listen to good music and write some code. So, bring your laptop if you’ll be staying the whole evening.

We’ll have some snacks and drinks available.

If you’re planning on attending the event, we’d appreciate it if you’d leave a comment on this post. Alternatively, we also have a Facebook event that you can register for.

P.S. We’ve traditionally held a Night of Code every year when there’s the Night of the Arts event here in Helsinki. Unfortunately we’ll have to hold the event a day early this year, but if you’re around Kaapelitehdas on the following day, do check out the action there. Lots of interesting stuff by the resident artists.
