Geodesic Solutions Company Blog
- Created on Friday, 11 October 2013 10:39
- Written by Jonathan Foote
We have been hard at work for the last 6 months, working on the next stair-step release: version 7.3.0, which focuses on mobile friendly features. Previous version 7 releases were about 3-4 months in the making. This one took a lot longer due to the re-design of the entire default template set, which now uses Responsive Web Design (RWD) principles. We've also added a lot of optimization options that will make pages load much faster, which is particularly important for viewing sites on mobile devices. In total, 7.3.0 has 39 new features & enhancements, 45 maintenance / bug fixes and stability improvements, and 106 template files changed.
When you first look at the new default design, which you can see in our main demo, it may look very similar to the previous 7.2 design, at least if you view it in a browser on your desktop computer. The goal was to make the desktop look very similar to the previous version, though you may notice minor changes throughout. However, if you look at the new version on a mobile phone or tablet, or just change your browser width to be small, you will see where the huge changes are and the reason this new version was 6 months in the making. The entire layout responds to the size of the window or device! On mobile devices, it gives a feel close to what a native app might look like. This responsive layout extends into every part of the site on the front side, including listing placement, registration, etc.
See the changelog for a full list of changes. We will also have a forum post up shortly with all the technical changes. For those updating from a previous release (even those using the 7.3 release candidates), be sure to follow the Full Update Instructions as there will be additional steps that may be required to your existing templates. For most, the changes are minor if you wish to keep using your existing design. No matter what you want to do with the design, the full update instructions will have you covered as it contains instructions for different scenarios.
- Created on Thursday, 26 September 2013 18:04
- Written by Jonathan Foote
We are ecstatic to announce that the much anticipated 7.3 release candidate 1 is now available for download! At this time we recommend this new version only for new installations, or if you plan to use the new default design, as we are still working on the instructions for those wanting to update and keep the existing design. This new release is focused on features that make it more Mobile Friendly! Here are a few highlights:
- Default Design now uses Responsive Web Design (RWD) - responds to the size of the screen, making for an awesome experience for desktop users or mobile users, or any sized device in between. See our philosophy for more detailed explanation.
- Capable of assigning template sets to load for "only mobile", or "only desktop" for those that wish to create a "mobile version" of the templates. Note that the default design does NOT do this, it uses RWD techniques so that the exact same content changes layout and design based on the size of the screen, rather than showing entirely different content to mobile devices. (see the link above for our own philosophy on that)
- Page Speed Improvements - can now combine, minify, and compress JS and CSS (which is a big deal to help speed up the page, especially on mobile devices)
- Image uploader re-done using HTML5 - can now upload images on iPhones, iTablets, iTables, and whatever else Apple comes up with! The new uploader works using HTML5 to upload the images (or files), so it works on devices that previously were blocked due to lack of Flash support. The upload interface also got a facelift to bring it into the responsive design fold.
If you want to give it a try, existing customers can get it from the client area, in My Downloads. New customers can get it by purchasing the software. Unless otherwise requested, any new installations will use the new release candidate; updates will only update to 7.2.5 (unless 7.3 is requested and you don't mind using the default design). You can find more technical information in the user forums here, and can see all the changes in the full changelog.
- Created on Wednesday, 24 July 2013 10:58
- Written by Jonathan Foote
This is the 3rd time in as many weeks that I have received a legitimate e-mail from a website that I'm a member of, telling me that the usernames and passwords on the site have been compromised by a hacker, and that I should make sure to change my password on any other sites where I used the same password. It seems there is something sweeping the net! What they (the hackers) do is take the usernames / passwords from a website they have already hacked, and try those users and passwords on other websites. When they happen across a username / password that matches an admin account on another website, the hacker is then able to get the usernames and passwords from the new website as well. They also cross-reference the passwords and sometimes use password recovery tools to obtain additional passwords. Just to make it clear, this is NOT talking about a vulnerability in Geodesic software, or any other specific software. That is the scary part: it isn't something that can be "patched". This string of hacked websites is the result of human nature - people using the same password on multiple websites they visit.
How to protect your users
There are a few basic security practices that have always been a "good idea", but many of us are not aware of them, overlook them, or simply don't do them because of the hassle. The more "secure" something is, that usually means the more of a hassle it is, but in most cases it's worth the hassle. Here are a few tips you can do now:
- Do NOT use the same password for multiple sites, and especially do not use a password for the admin panel that you have used for other websites, now or in the past! If you are, change any such passwords right away. This is how the hackers are able to hack more and more sites, when an admin used the same password on a website that the hacker has already hacked. If you have a bad memory like I do, read on to see my tips for a good password management strategy.
- Use strong passwords for your admin account on your website.
- In the Geo software, use hashed passwords: In the Geodesic admin panel, go to Admin Tools & Settings > Security Settings > General Security Settings and for 2 settings: Admin Password Storage Method and Client Password Storage Method - change both to Geodesic Hashed. If the password is hashed in the database, the hacker will not be able to "un-hash" it. You can see more information in the user manual.
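The defender's side of the two points above (hashed storage and the reuse attack), as an added Python example that is not part of the original post or the Geo software: it stores passwords as salted PBKDF2 hashes, so a table leaked from one site does not match another, and flags the replayed-credential pattern in constructed login records. The log format, iteration count and thresholds are assumptions made for the example.

```python
"""Constructed example for the two points above: hashed password storage and
detecting the password-reuse attack. Not part of the Geodesic software."""
import hashlib
import hmac
import os
import re
from collections import defaultdict
from typing import Dict, Optional

PBKDF2_ITERATIONS = 200_000  # assumption for this example; tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2$iterations$salt_hex$digest_hex' for storage.

    A fresh random salt per account means the same password registered on two
    sites (or by two users) yields unrelated digests, so a leaked table from one
    site cannot simply be matched against another."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, e.g. a plaintext password from an old scheme
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed login records: source IP, username submitted, result.
LOGIN_LOG = """\
203.0.113.5 admin FAIL
203.0.113.5 jdoe FAIL
203.0.113.5 msmith FAIL
203.0.113.5 pwong FAIL
203.0.113.5 rlee FAIL
203.0.113.5 tbrown OK
198.51.100.7 jdoe FAIL
198.51.100.7 jdoe FAIL
198.51.100.7 jdoe OK
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


def find_credential_stuffing(log_text: str, min_distinct_users: int = 5,
                             max_success_ratio: float = 0.5) -> Dict[str, Dict[str, int]]:
    """Flag sources that try many distinct usernames with a low success rate.

    Someone who forgot a password retries the same account (198.51.100.7); a
    replayed list of leaked credentials walks through many accounts, most of
    which do not match on this site (203.0.113.5)."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        stats = per_ip[m["ip"]]
        stats["users"].add(m["user"])
        stats["attempts"] += 1
        if m["result"] == "OK":
            stats["successes"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "attempts": s["attempts"], "successes": s["successes"]}
    return flagged


if __name__ == "__main__":
    site_a = hash_password("Winter2013!")
    site_b = hash_password("Winter2013!")
    print("same password, different stored values:", site_a != site_b)
    print("verify on site A:", verify_password("Winter2013!", site_a))
    print("suspicious sources:", find_credential_stuffing(LOGIN_LOG))
```

The flagged source also shows one successful login (tbrown), which is the account a defender would want to reset first.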
This is the main reason most of us use the same password for different sites, or even a "set" of passwords we switch between for different things... If we all had perfect memory it would not be a problem to remember 10, 20, or even 100 different passwords. But most of us don't have that good of a memory, so we use the same password. We are a hacker's dream come true, all they have to do is hack one website we have an account on, and now they can access any website we use! In fact, this same strategy has been used to hack celebrity accounts, sometimes posting as them or sometimes using it to get the "inside scoop" to sell to the highest "bidder". So how can we protect ourselves, and possibly use a different password for every site we go to? There are a few different ways, for instance you could keep a notebook next to your computer to write down every password. That might work if you don't have many websites you use frequently. Or you could use variations of the same password, but this is NOT a good solution as hackers are smart - if they see a number in a password they will try different combinations. So don't just use the same password with a single number changed or in a different order or something, the passwords need to be completely different between different sites.
What I personally started using, shortly after the first e-mail I got informing me that the user/passwords were compromised, is password management software. What I use is Keepass - an open source application that has been around for a very long time, and that I read a recommendation for. It saves all your passwords for you so you don't have to remember every one; you only remember a single super-strong password. It uses AES 256-bit encryption to protect your saved passwords, which is the same level of encryption authorized for use on government classified top secret documents! What it does is encrypt a password database (file) using a single master password and/or key file. When you register for a new user account on a website, you use Keepass to generate an entirely random, long, and super strong password for you. It has a password generator built in that can be set to generate a password based on the specific restrictions of the website; for instance, if a website does not allow special characters you can turn special characters off when you generate the password. You can also specify the length of the random password, so that you can use close to the maximum number of characters that the specific website allows. You then save the generated username / password in the Keepass encrypted database, so it remembers it for you! You can have a different, super strong, entirely random password for each site (making it more difficult to "brute force" (guess)), and best of all you only have to remember a single master password. There are plugins available for almost anything, including Google Chrome, Firefox, pretty much any browser you might use. There are also apps available for Android, iPhone, and others. It can be complicated to set up - but then anything that is as secure as Keepass is going to take some work to set up, otherwise it would not be very secure...
Keepass is like a mini Fort Knox sitting on your computer, protecting all of your passwords and even personal information. Even if hackers got your password file, they would not be able to do anything with it unless they also have your master password and key file (if you use a key file, see below for explanation).
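The two-factor lock just described (master password AND key file, explained further under "Creating your Password Database" below), modelled as an added Python example that is not KeePass's code: each factor is hashed, the hashes are combined and stretched, and the result keys an encrypt-then-MAC scheme built only from HMAC-SHA256 so it runs with the standard library. The iteration count, the key file size and the vault payload are assumptions made for the example.

```python
"""Simplified model of a composite vault key (password + key file). Written for
this example; it is not KeePass's key derivation or file format."""
import hashlib
import hmac
import os
from typing import Optional

STRETCH_ITERATIONS = 100_000  # assumption for this example


def composite_key(master_password: Optional[str], key_file: Optional[bytes],
                  salt: bytes) -> bytes:
    """Combine whichever factors are present; the key changes if any factor changes."""
    if master_password is None and key_file is None:
        raise ValueError("at least one factor is required")
    parts = b""
    if master_password is not None:
        parts += hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()
    combined = hashlib.sha256(parts).digest()
    # Stretching makes each guess at the password factor expensive.
    return hashlib.pbkdf2_hmac("sha256", combined, salt, STRETCH_ITERATIONS)


def _subkeys(key: bytes):
    """Derive separate encryption and authentication keys from the composite key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a keystream that never repeats for a fresh nonce."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal_vault(plaintext: bytes, master_password: Optional[str],
               key_file: Optional[bytes]) -> dict:
    """Encrypt, then tag salt, nonce and ciphertext so tampering is detected."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(composite_key(master_password, key_file, salt))
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_vault(record: dict, master_password: Optional[str],
               key_file: Optional[bytes]) -> Optional[bytes]:
    """Return the plaintext only if the supplied factors reproduce the sealing key."""
    try:
        key = composite_key(master_password, key_file, record["salt"])
    except ValueError:
        return None
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, record["salt"] + record["nonce"] + record["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None  # wrong password, wrong/missing key file, or tampered record
    stream = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    return bytes(c ^ k for c, k in zip(record["ciphertext"], stream))


def generate_key_file() -> bytes:
    """A random 32-byte key file: the 'something you have' factor."""
    return os.urandom(32)


if __name__ == "__main__":
    kf = generate_key_file()
    vault = seal_vault(b"constructed vault payload", "correct horse battery staple", kf)
    print("both factors:", open_vault(vault, "correct horse battery staple", kf))
    print("password only:", open_vault(vault, "correct horse battery staple", None))
    print("key file only:", open_vault(vault, None, kf))
```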
The rest of this article is going to be dedicated to Keepass and some good tips and advice on how to use it. Note that Keepass is open source and entirely free to download and use. There are other password managers available, and many of them are also good choices; Keepass is just the one I use and so the one I know about.
Why Keepass?
I first read about Keepass in a magazine I have a subscription to, Maximum PC; they have been recommending Keepass to secure your passwords for years. I read a recent article comparing it to another password manager tool; the article concluded they would be sticking with Keepass since it has been around so long (so has had a very long time to "mature"), and is open source (so anyone can view the source code, which is a good thing in the security world). So after reading that article, and since I recently got that notice from a website saying the user database was compromised, I decided to give Keepass a try. I chose Keepass in part because of the recommendation in Maximum PC (and their own reasons for recommending it), and also because Keepass works in Linux, Windows, and on Android phones. I use Ubuntu (Linux) for development, so having something that worked in both Windows and Ubuntu was a requirement. (Keepass also works on Macs.) They also have Android apps and iPhone apps, along with apps for other mobile devices.
Getting Keepass
First you have to download Keepass from the website at keepass.info - there are 2 versions; get the version labeled Professional Edition (note that either version is entirely free) as it has more features. If you need the ability, get the version that runs "stand alone" so you can run it from a USB drive. The download page on the website will have more information to help you get the one you need. Just a note: don't click on the download link on the very right-hand side - that is a tricky banner ad! I fell for that myself and accidentally downloaded some zip compressor software by mistake; I really hope they take that banner off as it is very confusing. Don't let that deter you from using Keepass though; most likely they do not control the banner ads, and they have to make money to cover hosting costs somehow! Just be sure you pay attention to where you are clicking to download.
Creating your Password Database
When you first start up Keepass, it will be completely empty. You click on the icon to create a new password database. There are a few different options - you can enter a master password, and/or use a "key file". There is also an option to lock to the Windows account, but I would not recommend that as it means you cannot use the database on any other computers or on your phone, so if you need to access your passwords from somewhere else you will be out of luck. When it comes to "locking" something, whether it is on the computer or in the "real world", it is based on either "something you know" - like a password, a PIN, or the combination on a combination lock - or "something you have" - like the keys to unlock a door. With Keepass you have the option to lock it with a master password, which is "what you know", and/or with a key file, which is "something you have". But the best option is to use both - so that you have to type in the master password AND use the key file that you have saved on your computer or a thumb drive. You should store the key file "locally" only; do not upload it to any "cloud storage" or similar, that would be like posting the keys to your house on the Internet! I'll go over cloud storage further down. If a hacker gets your password database, and somehow finds out what your password is, they still cannot open it without the key file, which means they need to also hack or gain access to your own computer or thumb drive (wherever you have the key file stored). And conversely, if someone gets a copy of the key file, they still cannot unlock your passwords unless they also know the master password. So make sure to use both a master password AND a key file. The key file can be generated for you (which I believe is the more secure option), or you can even use any file, even a picture saved on your computer or similar. See composite master keys for more information about how the keys work.
Browser Plugins
Once you have Keepass 2 up and running, and have created your password database, next I would recommend setting up one of the available plugins for whatever browser(s) you use. I use Google Chrome myself, so I'll give a brief guide on how to set it up. First go to the Keepass plugins page, and click on the one for ChromeIPass. It will direct you to the place to get the plugin in the "chrome web store"; go ahead and install it. The cool thing about Google Chrome is that if you "log in" using your Google account (sign into Chrome), plugins will be synced with any other computers that you use Google Chrome on. So once you have the ChromeIPass plugin installed in one spot it will auto-install in any other locations the first time you start Chrome up. This next part you will still have to do for any other computers though - you need to install the plugin "inside" Keepass. This is a security feature so that a malicious program or virus can't just add itself into your Keepass without you realizing it. So next, you go to the KeePassHttp page on Github, and download the file KeePassHttp.plgx. You download it by clicking on the file, then clicking the "raw" button. This is an open source project hosted on Github, specifically made to allow Keepass to "talk to" plugins in browsers. In other words, you need it for the Chrome plugin to work. So download that file to the downloads folder on your computer, then you will need to copy the file into the same folder that Keepass is installed in. For me it was in the file C:/Program Files (x86)/Keepass/; when you copy it, Windows 7 or 8 will require you to approve it. Once it is copied into the same folder, close Keepass and start it back up for the plugin to be activated inside Keepass. Now in Chrome, buried in the settings, turn off the option to "offer to save passwords"; from now on you should use Keepass to save passwords (using the Keepass plugin).
If you have a lot of passwords already saved in Chrome, it will still auto-fill those passwords, at which point you can have them also saved by Keepass. I would recommend that once you are sure you have all the passwords you need saved inside Keepass, you view the Chrome passwords and remove all of the saved passwords inside Chrome.
Recommended Practices
As I said already, I would recommend that you stop saving passwords in the browser itself. Some browsers are able to export the usernames / passwords, which you can then import into Keepass using the import tool. For others you may just need to copy them by hand, or, another option, just copy in your "main" sites. As you are copying them, especially for the sites you "care about", be sure to go to the site, log in, and change the password. Have Keepass generate a random password for you based on any password requirements for the specific site. This is especially important for your primary e-mail account, banking passwords, and FTP passwords. It is beyond the scope of this article to go into detail about saving FTP / SFTP / SSH passwords in Keepass; just be aware you can do that, and you should make sure those passwords are random and strong.
Keepass + Cloud Storage = Awesome
Keepass really "shines its brightest" when you use it with cloud based storage, like Dropbox or Google Drive. These cloud based storage services all work similarly - you have a folder on your computer that you copy files into. It is then "synced" with the "cloud". Now any other computer you have the storage set up on will automatically update with changes. What that means is that you can easily "sync" your passwords between different computers, even on your phone! Personally I primarily use Dropbox, and use Google Drive as a "backup". I use Dropbox because it works in Ubuntu (Linux) which, as I said earlier, is a requirement for me. At the time of this article, Google Drive does not work on Ubuntu, or I would have used Google Drive. You can also use Amazon's service if you already use their S3 cloud storage, or any cloud based storage you like.
But wait, cloud storage? Isn't this supposed to be secure? Wouldn't someone working for the company be able to download my password file? Or what if my cloud storage gets hacked? Answer: that's why we use the Keepass encrypted password database - in theory, you could post your encrypted password database file on the internet for anyone to download, and it would be perfectly safe as long as you have a strong master password and use a key file. The password file is useless without the 2 different keys in combination. As long as you do NOT store the key file on cloud storage! You keep your key file on a thumb drive, and/or on your local computer. NEVER upload it to anything "online", including e-mail, cloud based storage, FTP to your site, etc. DO back the key file up in multiple spots and on different computers / devices, but DO NOT let a copy get on the web. So again: yes, put the database file itself on cloud storage; do NOT put your key file along with it. Not even "hidden" - don't try to be clever by using a key file that is just an image on your website or something. That is called "security through obscurity" and is NOT good security. There are techniques that can be used to figure out what file it is, for instance looking at access times on the files, things like that. So again, do not store your key file in cloud storage or anywhere accessible from the web where hackers might be able to gain access to it.
HOW to use cloud based storage + Keepass
It might seem like a good idea to just open the Keepass database directly from the cloud based storage folder - this is not a good idea for several reasons. Instead, what you do is save the database file on your computer "outside" of the cloud folder, for instance in My Documents. When you open up Keepass, make sure to open the file from My Documents, not from the Dropbox folder or whatever your cloud folder is. Now, make a copy of the file in your cloud based folder the first time you are setting it up. From then on, inside Keepass, whenever you make changes to the Keepass file such as adding a new password or changing the organization of the passwords (Keepass can organize password accounts into "groups" to make it easier to manage), after you save the file, go to File > Synchronize, and you will sync it with the copy in your cloud folder. You also do this when you first open the file in the morning to get access to your passwords, so that any changes you may have made on other computers or devices will be copied into your own copy (just wait for the cloud folder to be synced first).
Why not just open from Cloud folder?
By using the method above - "working from" a copy that is "local", then using the sync tool in Keepass to synchronize it with the copy in the cloud folder - you are left with 2 copies, a local and a cloud copy. But why? For several reasons, but they all stem from making sure you don't corrupt the only copy of the file you have. Say you are saving the Keepass file, and somehow Keepass crashes in the middle for whatever reason (not very likely, but it could happen). If you are using the cloud folder directly, now your cloud copy is corrupted! When you start up any computer using it, the computer will download the corrupted file, and now that computer's copy is also corrupted! This could also happen if you have 2 computers running at the same time (say you are sharing the Keepass database file with your spouse), and both computers happen to save file changes at the same time - now both copies get corrupted! Sure, a lot of cloud storage services have the ability to restore past versions, but that isn't something you want to "rely on". If you have a "local" copy and just sync it to the cloud copy, then if the cloud copy does get corrupted you still have the local file, so you can just re-copy the non-corrupted version to the cloud folder. Or vice versa: if your local copy somehow gets corrupted, copy the cloud one over.
Back up the database file!
OK, so you have been using the database file for a day or 2 now... You have it set up to sync the database with a copy on your cloud storage; everything is set up and working well. Now is the time to back that thing up! Keep in mind, this little file is storing access details to everything you use on the internet - if you lose it somehow, that is going to be a lot of work getting back into those accounts! So you want to be as sure as you can be that if something happens to the file, you can get it back from a backup. Don't just think backing it up on the cloud is enough; what if you lose internet access (well, granted, in that situation you won't be logging into anything LOL, but what if just the cloud site you use goes down somehow)... And on the same day your computer catches fire while you are away, and tragically burns down your house? You just lost your computer and your house; you don't want to lose access to everything online on the same day! I would recommend a minimum of 2 "physically different" locations for this file. Pray that you never have to use the backups, but you want to have them there in case you need them. I've read one person went so far as to keep a copy on a thumb drive that he gave to a relative for safe keeping, another copy on another thumb drive that he keeps in a lock box, a copy on his personal website, a copy at work, and periodically "syncs" all the copies to make sure they all have the latest passwords. I don't go that far myself, but I do plan to make multiple "physical" copies, kept in different physical locations, along with backups in many different places... Remember though, the key file - do NOT back up the key file anywhere that is accessible "online". Back that up on your local computer, on a thumb drive you might keep somewhere else... The idea is to protect against natural disaster. If you keep 5 backup copies, they won't do much good if they are all in your house and your house burns down...
Or even if you go as far as to give copies to neighbors, what if there is a flood or hurricane or whatever natural disaster is common in your area... There are many tips out there for data backup strategies; those general strategies apply here as well. ESPECIALLY if you use Keepass as your "digital vault" for anything important in your life (see the next section).
Keepass can store more than passwords
Something interesting I ran into when researching Keepass is how flexible it is. It allows you to attach files, add custom fields, etc. This lets you do things like attach important documents inside your Keepass file, or anything digital you don't want others to get access to. Financial records, PDF user manuals, pictures of your belongings (for insurance purposes should something happen) - anything like that can be stored inside your Keepass database. I myself have only been using it for a few weeks, and already have 2-3 user manuals stored in it for easy access, along with copies of warranties for some high ticket items. It allows you to keep a "digital vault" of anything important. If you do use the Keepass database like this, however, it becomes even more important to make sure you make periodic backups to "physical" media like a thumb drive, and make sure to back up your key file as well (just not anywhere "online"). If you have a CD burner, burn a copy as well...
Reminders to Change Passwords
One really cool thing built into Keepass is the ability to set up an "expiration date" for a password. I would recommend doing this for any really "important" sites like banking or e-mail. After all, you don't have to actually remember the password yourself, so why not change it periodically? Keepass will remind you to change it, at which point you can go to the applicable website and change the password (having Keepass generate a new random password for you). And you can do this for other "periodic reminders" as well! For instance, you could create a group called "reminders", and add an entry for "sync up backup copies"; the actual password doesn't matter as it won't be used for anything. Just set the password to expire once a month, and it will be a reminder for you to sync a copy of your Keepass database file with all the "physical" copies you have for backup purposes! That way if you do end up having to rely on a backup, you don't lose the last 6 months or longer worth of "new passwords" or "password changes" that may have occurred between the time you originally created the backup and now.
More Information
I wanted to provide a general starting point targeted at the average site owner; if you would like the technical security details about how it works, you can find much more information on the keepass.info website, and also across the web. If I missed anything that you think may be useful, let me know - just drop us a line on the contact us page. Any feedback or questions are welcome!
- Created on Wednesday, 24 April 2013 18:20
- Written by Jonathan Foote
We are pleased to announce that GeoCore Version 7.2 is now available for download! Like always, this update is available for GeoCore Classifieds, GeoCore Auctions, and GeoCore MAX. If you are using a previous product (GeoClassifieds, GeoAuctions or GeoClassAuctions), be sure to follow the update instructions to upgrade to GeoCore! Version 7.2 is a "minor" feature release, although the features added will be a pretty "major" advance for some, depending on how you use the software!
Some may realize that we just released version 7.1 back in February, just 2 months ago, so you may wonder what we could possibly add in just 2 short months. The answer is 2 very highly requested features (not to mention 51 other enhancements), along with 24 fix/maintenance changes! We've been very busy the last 2 months and plan to keep the momentum going! Think of version 7.2 as a "stair-step" release: rather than waiting 1-2 years in between "major" feature releases, along the way we release these "stair-step" releases so that you can start using new features a lot sooner. It also makes updates easier when we release more often, as that usually means there are fewer "additional" steps required when you update (as long as you keep up to date with new versions).
Highlights:
- Combined listing placement steps: The normal "category", "listing details", "media", and other steps can now be combined so that you enter everything on a single page! The admin may also choose to only combine certain steps.
- Buy now only auctions - decrease quantity: Buy Now Only auctions now have the ability to decrease in quantity as individual items are purchased (by setting the price to apply to a "single item" instead of the "entire lot", when the auction is being created). For example, a seller could make available 10 widgets in total, and then a particular buyer could purchase 2 of them. The auction's remaining quantity would decrease to 8, with the auction closing automatically once all items have been sold.
- Email Notification changes: New notifications may now be sent when a user's "favorite" listing is about to expire. Also, "listing filter" notifications have been combined into a single, periodic email (as opposed to a separate email for every matched listing).
- In total, 53 features/enhancements, 24 fix/maintenance changes, all accounting for changes to 156 different template / design files! See the technical changelog for 7.2 for the full list of changes, and the information posted in the user manual for more detailed information about the release.
Note that the live demo will soon be updated so that you can check out the new features, or you can request your own personal trial demo as well.
- Created on Tuesday, 26 February 2013 14:24
- Written by Jonathan Foote
Developers everywhere will be happy to hear that we now have developer API documentation (using PHPDocs), generated from the actual GeoCore source code. Developers, you can find them at geodesicsolutions.com/phpdocs/.
We have had PHP Docs generated in the past, as part of the example addon. But due to technical problems with the software used to generate them, we haven't been able to update them since around version 5. This marks the start of using PHPDocumentor 2, which you can find at phpdoc.org. With every new release, we plan to re-generate the documentation so that it is as up to date as possible.
Our standard practice for new methods is to always document what version the method was added in. When something changes, we make sure to document the version for that as well. All of this version availability information can be found in the PHPDocs. So if you are working on something for a client that is using an older version, you can refer to the PHP documentation to make sure the methods in GeoCore were actually "around" for the version the client is at, and be able to advise your client if they need to update to a newer version of the software. If you are a developer that creates/distributes 3rd party addons, this will help you identify what the "minimum version" is for your addon. Note that if an entire class is added in a specific version, it will note that on the class documentation; it won't mention it on each individual method.
Even if you are a developer that likes to use an IDE, and load the GeoCore software inside an IDE so that most of the API documentation is not needed, the generated PHPDocs can still be of some use to you. As you probably know, there are 2 files that are encoded for licensing purposes. The PHPDocs actually include documentation for all "publicly accessible" methods and classes contained in those files. So if you are following the code and come across something that is defined in an encoded file, you don't have to be totally in the dark about what it is doing, you can refer to the PHPDocs! As always, if you have any development questions not answered by the user manual, feel free to contact support and a Geodesic developer will try to help as best as possible.
If you are a developer and are new to GeoCore software, a good place to start is the developer section in the user manual, read over that section to familiarize yourself with how the software works.