
Geodesic Solutions Company Blog

Dual Release - new 7.3.4 and a new 7.4 Beta

We have just released both version 7.3.4, and a new beta version for the next feature release, 7.4beta1! These are available to anyone running GeoCore Classifieds, GeoCore Auctions, or GeoCore MAX who has current download access.

Most sites will want to update to version 7.3.4, as it is the latest stable release in the 7.3 product line. This new maintenance release takes care of a number of issues that have accumulated since the last release (17 Fix/Maintenance Changes, and one template set change). You can see more details in the forum post for 7.3.4, and in the 7.3.4 changelog.

Beta Version

Category Screenshot

(Above: Screenshot of the new category admin page in the beta version)


For those that want to try out the bleeding edge changes, you can also download the latest beta release, version 7.4beta1, which is the first beta release for the future 7.4 release. We plan to release more beta versions as more features are finished by the developers, until all of the features we have planned for 7.4 are finished. We still have a ways to go before that happens, likely 2-3 months or more as this release has "big plans". There are 2 main things finished so far in the beta: the category admin has been re-done, which adds a lot of features as part of the re-do, and there is a new importer, along with a handful of other features (13 features / enhancements to be exact). You can see more information in the informal forum post here (this one is in the client area of the forums, current clients only).

Note that as always, we do not recommend using the beta version on a live site, at least not until you have had a chance to test it thoroughly. See the Beta Releases section in the user manual for more info about beta releases, before deciding if you want to use it or not.

New Feature "Vote Drive" - cast your votes today

We're having a vote drive for features listed in Bugzilla! For those that are not aware, we use Bugzilla for feature and bug tracking, and we use a built-in "vote" function to give us an idea of what features people want the most. You can see more information about Bugzilla and how we use it in the user manual wiki page Bugzilla Info.

First, a note on features: The software already has lots of features built in; in fact, it is the most feature-rich classifieds and auctions software available in the market today. Even so, we continue to add more features with each major release to make the software even better than it already is! We must be careful to add features that people want and avoid adding features that might only be useful to a specific website's needs (such features would be better suited for a custom addon, using the addon framework built into the software). One way we ensure this is by taking "votes" for feature requests, and using that to decide which features do get added to the software in the next feature release. That will keep the software feature-rich without the extra bloat of features that no one uses or has a need for.

We use votes for feature requests within Bugzilla as a vital part of how we decide what to work on next, but not many realize they have the ability to vote on features, or even that the Bugzilla issue tracker exists on our website! Existing customers can access Bugzilla at geodesicsolutions.com/bugzilla/; you just need to log in with your Geodesic client area e-mail and password (issued when you purchase the software). Access to the Bugzilla system is limited to existing customers only.

There are many things that go into the decision about what feature we add in what versions. A large part of that is how much "demand" for the feature there is. Another part is how much development time a feature would take to add. Say there are 50 people that want "feature a", but it is a feature that will take a full month to add. If there is a "feature b" that only 20 people want, but it will only take a day or less to add, that feature is more likely to get added, with fewer votes needed to justify adding it. It is a balance between how many want a feature, and how much time it would take to add that feature. More complex features will still take more time and thus will take a lot more votes to justify adding that feature instead of 5 or 6 "less popular" features that we could do in the same amount of time instead. There are other factors as well; you can see a more in-depth explanation in the user manual wiki, in the section How We Add Features. And this is why we are having a "feature vote drive": the more people vote on the features they want, the better idea we will have about which features people want the most. Right now the vote counts are pretty low, something we hope to remedy with this vote drive!

Trouble Navigating / Finding a Feature? See the Bugzilla Info page in the user manual.

Don't See a Feature? If you want a specific feature and don't see it listed in Bugzilla, send us a feature request! We can either direct you to the Bugzilla bug, or can create a new one for you if it is something we might consider adding to the software in the future. We do not just accept "every" request, for instance we would never add forums into the software because that isn't what the software is for, the software is made for classifieds and auctions. But we WOULD consider a request to link the software to another forum software!

How to Vote? First you find the feature you want to vote for in Bugzilla (see the info about navigating Bugzilla above). Then, just click the vote link! It will look something like the screenshot below.

Vote Link Screenshot

7.3.0 Final is released, new Mobile-Friendly "Responsive Web Design" is now available

We have been hard at work for the last 6 months, working on the next stair-step release: version 7.3.0, which focuses on mobile friendly features. Previous version 7 releases were about 3-4 months in the making. This one took a lot longer due to the re-design of the entire default template set, which now uses Responsive Web Design (RWD) principles. We've also added a lot of optimization options that will make pages load much faster, which is particularly important for viewing sites on mobile devices. In total, 7.3.0 has 39 new features & enhancements, 45 maintenance / bug fixes and stability improvements, and 106 template files changed.

When you first look at the new default design, which you can see in our main demo, it may look very similar to the previous 7.2 design, at least if you view it in a browser on your desktop computer. The goal was to make the desktop look very similar to the previous version, though you may notice minor changes throughout. However, if you look at the new version on a mobile phone or tablet, or just change your browser width to be small, you will see where the huge changes are and the reason this new version was 6 months in the making. The entire layout responds to the size of the window or device! On mobile devices, it gives a feel close to what a native app might look like. This responsive layout extends into every part of the site on the front side, including listing placement, registration, etc.

See the changelog for a full list of changes. We will also have a forum post up shortly with all the technical changes. For those updating from a previous release (even those using the 7.3 release candidates), be sure to follow the Full Update Instructions as there will be additional steps that may be required to your existing templates. For most, the changes are minor if you wish to keep using your existing design. No matter what you want to do with the design, the full update instructions will have you covered as it contains instructions for different scenarios.

7.3 Release Candidate 1 is available

We are ecstatic to announce that the much anticipated 7.3 release candidate 1 is now available for download! At this time we recommend this new version only for new installations, or if you plan to use the new default design, as we are still working on the instructions for those wanting to update and keep the existing design. This new release is focused on features that make it more Mobile Friendly! Here are a few highlights:

  • Default Design now uses Responsive Web Design (RWD) - responds to the size of the screen, making for an awesome experience for desktop users or mobile users, or any sized device in between. See our philosophy for more detailed explanation.
  • Capable of assigning template sets to load for "only mobile", or "only desktop" for those that wish to create a "mobile version" of the templates. Note that the default design does NOT do this, it uses RWD techniques so that the exact same content changes layout and design based on the size of the screen, rather than showing entirely different content to mobile devices. (see the link above for our own philosophy on that)
  • Page Speed Improvements - can now combine, minify, and compress JS and CSS (which is a big deal to help speed up the page, especially on mobile devices)
  • Image uploader re-done using HTML5 - can now upload images on iPhones, iTablets, iTables, and whatever else Apple comes up with! The new uploader works using HTML5 to upload the images (or files), so it works on devices that previously were blocked due to lack of Flash support. The upload interface also got a facelift to bring it into the responsive design fold.

If you want to give it a try, existing customers can get it from the client area, in My Downloads. New customers can get it by purchasing the software. Unless otherwise requested, any new installations will use the new release candidate, updates will only update to 7.2.5 (unless 7.3 is requested and you don't mind using default design). You can find more technical information in the user forums here, and can see all the changes in the full changelog.

Time to stop using "shared" passwords, sites are getting hacked across the net

What's this about?

This is the 3rd time in as many weeks that I have received a legitimate e-mail from a website that I'm a member of, telling me that the usernames and passwords on the site have been compromised by a hacker, and that I should make sure to change my password on any other sites that I used the same password for. It seems there is something sweeping the net! What they (the hackers) do is use the usernames / passwords from a website they have already hacked, and try those users and passwords on other websites. When they happen across a username / password that matches an admin account on another website, the hacker is able to then get the usernames and passwords from the new website as well. They also cross reference the passwords and sometimes use password recovery tools to obtain additional passwords. Just to make it clear, this is NOT talking about a vulnerability in Geodesic software, or any other specific software. That is the scary part: it isn't something that can be "patched". This string of hacked websites is the result of human nature - when people use the same password on multiple websites they visit.
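For a site owner, the reuse pattern described above leaves a recognizable trace in login logs: one source trying many different accounts only once or twice each, unlike guessing at a single account. The following is an added example, not Geodesic code; the log format, function names and thresholds are assumptions, and the sample log lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample login log (assumed format: timestamp ip username result).
SAMPLE_LOG = """\
2014-03-01T10:00:01 203.0.113.7 alice FAIL
2014-03-01T10:00:03 203.0.113.7 bob FAIL
2014-03-01T10:00:04 198.51.100.20 admin FAIL
2014-03-01T10:00:06 203.0.113.7 carol OK
2014-03-01T10:00:08 198.51.100.20 admin FAIL
2014-03-01T10:00:09 203.0.113.7 dave FAIL
2014-03-01T10:00:11 198.51.100.20 admin FAIL
2014-03-01T10:00:12 203.0.113.7 erin FAIL
2014-03-01T10:00:15 203.0.113.7 frank FAIL
2014-03-01T10:00:16 198.51.100.20 admin FAIL
2014-03-01T10:05:00 192.0.2.55 gina FAIL
2014-03-01T10:05:20 192.0.2.55 gina OK
"""


class Attempt(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Turn log text into Attempt records, skipping blank or malformed lines."""
    attempts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        attempts.append(Attempt(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return attempts


def find_stuffing_sources(attempts, window=timedelta(minutes=10),
                          min_users=5, max_tries_per_user=2):
    """Return {ip: [accounts that logged in successfully from that ip]}.

    A source is flagged when, inside any sliding time window, it tried at
    least `min_users` different accounts and no account more than
    `max_tries_per_user` times. Many attempts on ONE account (password
    guessing) is a different pattern and is deliberately not flagged here.
    """
    by_ip = defaultdict(list)
    for attempt in attempts:
        by_ip[attempt.ip].append(attempt)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end].ts - events[start].ts > window:
                start += 1
            per_user = Counter(e.user for e in events[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_tries_per_user:
                # Any successful login from a flagged source should be treated
                # as a compromised account that needs a forced password reset.
                findings[ip] = sorted({e.user for e in events if e.ok})
                break
    return findings


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: reused-credential pattern, reset passwords for {accounts}")
```

The accounts listed for a flagged source are the ones whose owners reused a password that was exposed elsewhere.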

How to protect your users

There are a few basic security practices that have always been a "good idea", but many of us are not aware of them, overlook them, or simply don't do them because of the hassle. The more "secure" something is, that usually means the more of a hassle it is, but in most cases it's worth the hassle. Here are a few tips you can do now:

  • Do NOT use the same password for multiple sites, and especially do not use a password for the admin panel that you have used for other websites, now or in the past! If you are, change any such passwords right away. This is how the hackers are able to hack more and more sites, when an admin used the same password on a website that the hacker has already hacked. If you have a bad memory like I do, read on to see my tips for a good password management strategy.
  • Use strong passwords for your admin account on your website.
  • In the Geo software, use hashed passwords: In the Geodesic admin panel, go to Admin Tools & Settings > Security Settings > General Security Settings and for 2 settings: Admin Password Storage Method and Client Password Storage Method - change both to Geodesic Hashed. If the password is hashed in the database, the hacker will not be able to "un-hash" it. You can see more information in the user manual.

How do I remember a different password for every website?!?

This is the main reason most of us use the same password for different sites, or even a "set" of passwords we switch between for different things... If we all had perfect memory it would not be a problem to remember 10, 20, or even 100 different passwords. But most of us don't have that good of a memory, so we use the same password. We are a hacker's dream come true, all they have to do is hack one website we have an account on, and now they can access any website we use! In fact, this same strategy has been used to hack celebrity accounts, sometimes posting as them or sometimes using it to get the "inside scoop" to sell to the highest "bidder". So how can we protect ourselves, and possibly use a different password for every site we go to? There are a few different ways, for instance you could keep a notebook next to your computer to write down every password. That might work if you don't have many websites you use frequently. Or you could use variations of the same password, but this is NOT a good solution as hackers are smart - if they see a number in a password they will try different combinations. So don't just use the same password with a single number changed or in a different order or something, the passwords need to be completely different between different sites.

What I personally have started using, shortly after the first e-mail I got informing me that the user/passwords were compromised, is password management software. What I use is Keepass - an open source application that has been around for a very long time that I read a recommendation for. It saves all your passwords for you so you don't have to remember every one; you only remember a single super-strong password. It uses AES 256-bit encryption to protect your saved passwords, which is the same level of encryption authorized for use on government classified top secret documents! What it does is encrypt a password database (file) using a single master password and/or key file.

When you register for a new user account on a website, you use Keepass to generate an entirely random, long, and super strong password for you. It has a password generator built in that can be set to generate a password based on the specific restrictions of the website; for instance, if a website does not allow special characters you can turn special characters off when you generate the password. You can also specify the length of the random password, so that you can use near the maximum number of characters that the specific website allows. You then save the username / password generated in the Keepass encrypted database, so it remembers it for you! You can have a different, super strong, entirely random password for every site (making it more difficult to "brute force" (guess) the password), and best of all you only have to remember a single master password.

There are plugins available for almost anything, including Google Chrome, Firefox, pretty much any browser you might use. There are also apps available for Android, iPhone, and others. It can be complicated to set up - but then anything that is as secure as Keepass is going to take some work to set up, otherwise it would not be very secure... Keepass is like a mini Fort Knox sitting on your computer, protecting all of your passwords and even personal information. Even if hackers got your password file, they would not be able to do anything with it unless they also have your master password and key file (if you use a key file, see below for explanation).
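To make the generator settings described above concrete, here is an added example (not Keepass's own generator code) of producing a random password under a site's character restrictions, and of working out how much extra length makes up for a restricted character set. The function names and the set of special characters are assumptions.

```python
import math
import secrets
import string

# Assumed set of special characters; use whatever the site actually accepts.
SPECIALS = "!@#$%^&*()-_=+"


def character_classes(lower=True, upper=True, digits=True, special=True):
    """Return the enabled character classes for a site's password rules."""
    classes = []
    if lower:
        classes.append(string.ascii_lowercase)
    if upper:
        classes.append(string.ascii_uppercase)
    if digits:
        classes.append(string.digits)
    if special:
        classes.append(SPECIALS)
    if not classes:
        raise ValueError("at least one character class must be enabled")
    return classes


def generate_password(length=20, **policy):
    """Generate a random password that contains every enabled class.

    Uses the `secrets` module (operating system randomness), not `random`,
    whose output is predictable and unsuitable for passwords.
    """
    classes = character_classes(**policy)
    if length < len(classes):
        raise ValueError("length is too short to include every enabled class")
    alphabet = "".join(classes)
    # One character from each class so sites that demand "at least one digit"
    # and similar rules accept the result, then fill the rest at random.
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle so the guaranteed characters are not always at the front.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def min_length_for_bits(target_bits, **policy):
    """Shortest length whose random passwords reach roughly `target_bits`.

    Estimate only: it treats every position as a uniform pick from the whole
    alphabet, which slightly overstates the strength because one character
    per class is forced.
    """
    alphabet_size = sum(len(cls) for cls in character_classes(**policy))
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    print("all classes:      ", generate_password(24))
    print("no specials:      ", generate_password(24, special=False))
    print("length for 128 bits, all classes:", min_length_for_bits(128))
    print("length for 128 bits, no specials:", min_length_for_bits(128, special=False))
    print("length for 128 bits, digits only:",
          min_length_for_bits(128, lower=False, upper=False, special=False))
```

Turning special characters off costs only about one extra character of length for the same strength, which is why using the site's maximum length matters more than which symbols it allows.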

Keepass Tips

The rest of this article is going to be dedicated to talking about Keepass and some good tips and advice on how to use it. Note that Keepass is open source and entirely free to download and use. There are other password managers available, and many of them are also good choices, Keepass is just the one I use and so the one I know about.

Why Keepass?

I first read about Keepass in a magazine I have a subscription to, Maximum PC; they have been recommending using Keepass to secure your passwords for years. I read a recent article comparing it to another password manager tool; the article concluded they would be sticking to Keepass since it has been around so long (so has had a very long time to "mature"), and is open source (so anyone can view the source code, which is a good thing in the security world). So after reading that article, and since I recently got that notice from a website saying the user database was compromised, I decided to give Keepass a try. I chose Keepass in part because of the recommendation in Maximum PC (and their own reasons for recommending it), and also because Keepass works in Linux, Windows, and Android phones. I use Ubuntu (Linux) for development so having something that worked in both Windows and in Ubuntu was a requirement. (Keepass also works on Macs.) They also have Android apps and iPhone apps, along with apps for other mobile devices.

Getting Keepass

First you have to download Keepass from the website at keepass.info - there are 2 versions, get the version labeled Professional Edition (note that either version is entirely free) as it has more features and such. If you need the ability, get the version that runs "stand alone" and you can run it from a USB drive. The download page on the website will have more information to help you get the one you need. Just a note: don't click on the download link on the very right hand side - that is a tricky banner ad! I fell for that myself and accidentally downloaded some zip compressor software by mistake, I really hope they take that banner off as it is very confusing. Don't let that deter you from using Keepass though, most likely they do not control the banner ads, and they have to make money to cover hosting costs somehow! Just be sure you pay attention to where you are clicking to download.

Creating your Password Database

When you first start up Keepass, it will be completely empty. You click on the icon to create a new password database. There are a few different options - you can enter a master password, and/or use a "key file". There is also an option to lock to the Windows account, but I would not recommend that as it means you cannot use the database on any other computers or on your phone, so if you need to access your passwords from somewhere else you will be out of luck. When it comes to "locking" something, whether it is on the computer or in the "real world", it is based on either "something you know" - like a password, a pin, or the combination on a combination lock. Or it is based on "something you have" - like the keys to unlock a door. With Keepass you have the option to lock it with a master password, which is "what you know", and/or with a key file, which is "something you have". But the best option is to use both - so that you have to type in the master password, AND use the key file that you have saved on your computer or a thumb drive. You should store the key file "locally" only, do not upload it to any "cloud storage" or similar, that would be like posting the keys to your house on the Internet! I'll go over cloud storage more further down. If a hacker gets your password database, and somehow finds out what your password is - they still cannot open it up without the key file, which means they need to also hack or gain access to your own computer or thumb drive (wherever you have the key file stored). And conversely, if someone gets a copy of the key file, they still cannot unlock your passwords unless they also know the master password. So make sure to use both a master password AND a key file. The key file can be generated for you (which I believe is the more secure option), or you can even use any file, even a picture saved on your computer or similar. See composite master keys for more information about how the keys work.
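The "something you know" plus "something you have" argument above can be shown in a few lines. This is an added illustration, not Keepass's actual key derivation or database format: it combines a master password and a key file into one key with standard-library hashing, and uses a stored check value as a stand-in for "the database opens". All names, the iteration count and the sample inputs are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; slows down password guessing


def new_key_file():
    """A generated key file: 32 random bytes that nobody could ever guess."""
    return os.urandom(32)


def composite_key(master_password, key_file_bytes, salt):
    """Derive one key from BOTH factors.

    Each factor is hashed on its own, the two digests are hashed together,
    and the result is stretched with PBKDF2. Changing either input gives a
    completely different key.
    """
    password_part = hashlib.sha256(master_password.encode("utf-8")).digest()
    key_file_part = hashlib.sha256(key_file_bytes).digest()
    combined = hashlib.sha256(password_part + key_file_part).digest()
    return hashlib.pbkdf2_hmac("sha256", combined, salt, ITERATIONS, dklen=32)


def create_vault(master_password, key_file_bytes):
    """Create the stored part of a vault: a salt and a check value.

    A real password manager would encrypt the database with the key; the
    check value here only lets us test whether a key is the right one.
    """
    salt = os.urandom(16)
    key = composite_key(master_password, key_file_bytes, salt)
    verifier = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}


def can_unlock(vault, master_password, key_file_bytes):
    """True only when password AND key file both match the originals."""
    key = composite_key(master_password, key_file_bytes, vault["salt"])
    candidate = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, vault["verifier"])


def demo():
    """Run the four cases the text walks through and return the outcomes."""
    password = "correct horse battery staple"  # constructed sample value
    key_file = new_key_file()
    vault = create_vault(password, key_file)
    return {
        "password + key file": can_unlock(vault, password, key_file),
        "password, wrong key file": can_unlock(vault, password, new_key_file()),
        "key file, wrong password": can_unlock(vault, "guess123", key_file),
        "password, no key file": can_unlock(vault, password, b""),
    }


if __name__ == "__main__":
    for case, opened in demo().items():
        print(f"{case:28} -> {'opens' if opened else 'stays locked'}")
```

Only the first case opens the vault, which is why a leaked database plus a guessed password is still not enough when the key file never left your own devices.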

Browser Plugins

Once you have Keepass 2 up and running, and have created your password database, next I would recommend setting up one of the available plugins for whatever browser(s) you use. I use Google Chrome myself, so I'll give a brief guide on how to set it up. First go to the Keepass plugins page, and click on the one for ChromeIPass. It will direct you to the place to get the plugin in the "chrome web store"; go ahead and install it. The cool thing about Google Chrome is that if you "log in" using your Google account (sign into Chrome), plugins will be synced with any other computers that you use Google Chrome on. So once you have the ChromeIPass plugin installed in one spot it will auto-install on any other locations the first time you start Chrome up.

This next part you will still have to do for any other computers though - you need to install the plugin "inside" Keepass. This is a security feature so that a malicious program or virus can't just add itself into your Keepass without you realizing it. So next, you go to the KeePassHttp page on GitHub, and download the file KeePassHttp.plgx. You download it by clicking on the file, then clicking the "raw" button. This is an open source project hosted on GitHub, specifically made to allow Keepass to "talk to" plugins in browsers. In other words, you need it for the Chrome plugin to work. So download that file to the downloads folder on your computer, then you will need to copy the file into the same folder that Keepass is installed in. For me it was in the folder C:/Program Files (x86)/Keepass/; when you copy it, Windows will require you to approve it if you have Windows 7 or 8. Once it is copied into the same folder, close Keepass and start it back up for the plugin to be activated inside Keepass.

Now in Chrome, buried in the settings, turn off the option to "offer to save passwords"; from now on you should use Keepass to save passwords (using the Keepass plugin). If you have a lot of passwords already saved in Chrome, it will still auto-fill those passwords, at which point you can have them also saved by Keepass. I would recommend that once you are sure you have all the passwords you need saved inside Keepass, you view the Chrome passwords and remove all of the saved passwords inside Chrome.

Recommended Practices

As I said already, I would recommend to stop saving passwords in the browser itself. Some browsers are able to export the username / passwords, which you can then import into Keepass using the import tool. Others you may just need to copy them by hand, or another option - just copy in your "main" sites. As you are copying them, especially for the sites you "care about", be sure to go to the site and log in, and change the password. Have Keepass generate a random password for you based on any password requirements for the specific site. This is especially important on your: primary e-mail account, banking passwords, and FTP passwords. It is beyond the scope of this article to go into detail about saving FTP / SFTP / SSH passwords in Keepass, just be aware you can do that and you should make sure those passwords are random and strong.

Keepass + Cloud Storage = Awesome

Keepass really "shines its brightest" when you use it with cloud based storage, like Dropbox or Google Drive. These cloud based storage services all work similarly - you have a folder on your computer that you copy files into. It is then "synced" with the "cloud". Now any other computer you have the storage set up on will automatically update with changes. What that means is that you can easily "sync" your passwords between different computers, even on your phone! Personally I use primarily Dropbox, and use Google Drive as a "backup". I use Dropbox because it works in Ubuntu (Linux) which, as I said earlier, is a requirement for me. At the time of this article, Google Drive does not work on Ubuntu or I would have used Google Drive. You can also use Amazon's service if you use their S3 cloud storage already, or any cloud based storage you like.

But wait, cloud storage? Isn't this supposed to be secure, wouldn't someone working for the company be able to download my password file? Or what if my cloud storage gets hacked? Answer: That's why we use Keepass encrypted password database - in theory, you could post your encrypted password database file on the internet for anyone to download, and it would be perfectly safe as long as you have a strong master password and use a key file. The password file is useless without the 2 different keys in combination. As long as you do NOT store the key file on cloud storage! You keep your key file on a thumb drive, and/or on your local computer. NEVER upload it to anything "online", including e-mail, cloud based storage, FTP to your site, etc. DO back the key file up in multiple spots and on different computers / devices, but DO NOT let a copy get on the web. So again: Yes put the database file itself on cloud storage, do NOT put your key file along with it. Not even "hidden", don't try to be clever by using a key file that is just an image on your website or something - that is called "security through obscurity" and is NOT good security. There are techniques that can be used to figure out what file it is, for instance looking at access times on the files, things like that. So again, do not store your key file in cloud storage or anywhere accessible from the web where hackers might be able to gain access to it.

HOW to use cloud based storage + Keepass

It might seem like a good idea to just open the Keepass database directly from the cloud based storage folder - this is not a good idea for several reasons. Instead, what you do is save the database file on your computer "outside" of the cloud folder, for instance in my documents. When you open up Keepass, make sure to open the file from My Documents not from the Dropbox folder or whatever your cloud folder is. Now, make a copy of the file in your cloud based folder the first time you are setting it up. From then on, inside Keepass, whenever you make changes to the Keepass file such as adding a new password or changing the organization of the passwords (Keepass can organize password accounts into "groups" to make it easier to manage) - after you save the file, go to File > Synchronize, and you will sync it with the copy in your cloud folder. You also do this when you first open the file in the morning to get access to your passwords, so that any changes you may have made on other computers or devices will be copied into your own copy (just wait for the cloud folder to be synced first).

Why not just open from Cloud folder?

By using the method above, "working from" a copy that is "local" then using the sync tool in Keepass to synchronize it with the copy in the cloud folder - that leaves 2 copies, a local and a cloud copy. But why? For several reasons, but they all stem from making sure you don't corrupt the only copy of the file you have. Say you are saving the Keepass file, and somehow Keepass crashes in the middle for whatever reason (not very likely, but it could happen). If you are using the cloud folder directly, now your cloud copy is corrupted! When you start up any computer using it, the computer will download the corrupted file, and now that computer's copy is also corrupted! This could also happen if you have 2 computers running at the same time (say you are sharing the Keepass database file with your spouse), and both computers happen to save file changes at the same time - now both copies get corrupted! Sure, a lot of cloud storage services have the ability to restore past versions, but that isn't something you want to "rely on". If you have a "local" copy and just sync it to the cloud copy, if the cloud copy does get corrupted you still have the local file, so you can just re-copy the non-corrupted version to the cloud folder. Or vice versa: if your local copy somehow gets corrupted, copy the cloud one over.

Back up the database file!

Ok so you have been using the database file for a day or 2 now... You have it set up to sync the database with a copy on your cloud storage, everything is set up and working well. Now is the time to back that thing up! Keep in mind, this little file is storing access details to everything you use on the internet - if you lose it somehow, that is going to be a lot of work getting back into those accounts! So you want to be as sure as you can be that if something happens to the file, you can get it back from a backup. Don't just think backing it up on the cloud is enough: what if you lose internet access (well granted, in that situation you won't be logging into anything LOL, but what if just the cloud site you use goes down somehow)... And on the same day your computer catches fire while you are away, and tragically burns down your house? You just lost your computer and your house; you don't want to lose access to everything online on the same day!

I would recommend a minimum of 2 "physically different" locations for this file. Pray that you never have to use the backups, but you want to have them there in case you need them. I've read one person went so far as to keep a copy on a thumb drive that he gave to a relative for safe keeping, another copy on another thumb drive that he keeps in a lock box, a copy on his personal website, a copy at work, and periodically "syncs" all the copies to make sure they all have the latest passwords. I don't go that far myself, but I do plan to make multiple "physical" copies, kept in different physical locations, along with backup on many different places... Remember though, the key file - do NOT back up the key file anywhere that is accessible "online". Back that up on your local computer, on a thumb drive you might keep somewhere else... The idea is to protect against natural disaster. If you keep 5 backup copies, they won't do much good if they are all in your house and your house burns down... Or if you even go as far as to give copies to neighbors, what if there is a flood or hurricane or whatever natural disaster is common in your area... There are many tips out there for strategies for backing up data; those general strategies apply here as well. ESPECIALLY if you use Keepass as your "digital vault" for anything important in your life (see the next section).

Keepass can store more than passwords

Something interesting I ran into when researching Keepass, is how flexible it is. It allows you to attach files, add custom fields, etc. This lets you do things like attach important documents inside your Keepass file, or anything digital you don't want others to get access to. Financial records, PDF user manuals, pictures of your belongings (for insurance purposes should something happen), anything like that can be stored inside your Keepass database. I myself have only been using it for a few weeks, and already have 2-3 user manuals stored in it for easy access, along with copy of warranties for some high ticket items. It allows you to keep a "digital vault" of anything important. If you do use the Keepass database like this however, it becomes even more important to make sure you make periodic backups to "physical" media like a thumb drive, and make sure to back up your key file as well (just not anywhere "online"). If you have a CD burner, burn a copy as well...

Reminders to Change Passwords

One really cool thing built into Keepass is the ability to set up an "expiration date" for a password. I would recommend doing this for any really "important" sites like banking or e-mail. After all, you don't have to actually remember the password yourself, so why not change it periodically? Keepass will remind you to change it, at which point you can go to the applicable website and change the password (having Keepass generate a new random password for you). And you can do this for other "periodic reminders" as well! For instance, you could create a group called "reminders", and add an entry for "sync up backup copies"; the actual password doesn't matter as it won't be used for anything. Just set the password to expire once a month, and it will be a reminder for you to sync a copy of your Keepass database file with all the "physical" copies you have for backup purposes! That way if you do end up having to rely on a backup, you don't lose the last 6 months or longer worth of "new passwords" or "password changes" that may have occurred between the time you originally created the backup and now.

More Information

I wanted to provide a general starting point that was targeted for the average site owner, if you would like the technical security details about how it works, you can find much more information on the keepass.info website, and also across the web. If I missed anything that you think may be useful, let me know, just drop us a line on the contact us page. Any feedback or questions are welcome!