September 14, 2012 | Posted by Paul
I’ll have another post on Blesta, probably next week. If there’s something in particular you’d like me to touch on or want to know about, email me at sales and I’ll consider it for my next post.
It’s Friday afternoon and we are starting to wind down for the weekend, so I think I’ll just reflect on the past couple weeks.
Last Thursday a short while before noon the power went out in the whole building. The power was out for several hours, and we were on generator power. I didn’t realize that the generator doesn’t power the lights, or some of the wall outlets.
I sent out this tweet.
This picture doesn’t quite capture the creepiness of it all. I was unable to capture the subtler red glow in the furthest reaches of the building, or that rambling squiggly-squaw sound that zombies make. Maybe I imagined that last part. I did, right?
It was kind of exciting: the generator kept everything critical up and running (like blesta.com) and we didn’t have to refuel it. The power eventually came back up and everything switched back over like it’s supposed to.
There was only one problem. My Linux computer was plugged into an outlet that was not on generator power, and my battery backup ran out of power.. and it would not boot back up. Dead. On top of that, one of the hard drives was making a cyclical click or screeching sound. Not good.
Being the sort of guy that backs up everything, I thought this would be no problem. A couple new hard drives, kick off the R1Soft restore CD and I’ll be back to normal in a few hours. Nope, the R1Soft backups are corrupt. Well, not the /boot partition, just the / partition — that’s like everything I need. They let me down, big time.
It was a long night, or early morning depending on how you look at it, but I was able to recover everything from the drives with a little Linux shell magic. I did have to do a fresh install of the OS, but an upgrade was long overdue anyway. I had my data back.
Someone will ask, so I’ll tell you. Blesta code was never at risk because it’s in several different geographic places at all times.
Do you have backups? Multiple backups? Backups of your backups?
Alright, I hope everyone has a great weekend. v3 alpha is rapidly approaching.. looking at the tasks and there are only a few left. Stay tuned. If you’re a developer and there’s something you want to build on v3 for personal or public use let me know. You might be eligible for the alpha.
Tags: dark | hard drive | linux | power outage | zombies
August 17, 2012 | Posted by Paul
Back in May our largest competitor WHMCS was compromised, and I wrote a blog post titled “Thoughts on Security”. After my post, the hackers released a data dump and the personal information of their customers became public. Names, email addresses, credit card numbers and more. A nightmare scenario for any company, and worse for their customers.
I got a lot of email, and a few phone calls after that post. People are now, more than ever, concerned about security and they should be. It’s something that cannot be taken for granted, and can no longer be ignored. It requires diligence. There is no such thing as security through obscurity.
Most recently LinkedIn, Dropbox, and Blizzard were all compromised. These are big companies with big budgets and they are big targets, but it highlights the fact that nobody is immune.
Today’s post is a follow-up on that last post. I wanted to be more specific in terms of the security measures we’ve taken within our software — specifically our next major release, version 3. It’s because we believe security doesn’t come from obscurity that we are so open about the steps we take to protect not just our customer data, but, as far as possible, our customers’ customers.
We don’t claim to know everything there is to know about security, but it’s an area we spend a considerable amount of time in discussion, research, and development. It takes priority over new features in our development cycle.
Passwords in v3 are stored using bcrypt, computed from an HMAC-SHA-256 hash of the user password, if supported by the server. The advantage of bcrypt is that it is deliberately slow to compute. How could slowing it down possibly be good, you might ask? Because, if an attacker happens to acquire your users’ hashed passwords, and also the key used to generate the HMAC-SHA-256 hashes, it would be impractical and time consuming to brute force them from a list of common passwords (known as a dictionary attack). Without the HMAC key, it becomes computationally infeasible to brute force (with 2^256 possible combinations of hashed passwords, and 1/4 second to compute one bcrypt password, you would only be able to attempt 126,144,000 bcrypt passwords per year. So, statistically, it would take 4.5897 x10^68 years to crack a single user’s password).
Now, assuming the HMAC key is known, a 60,000 password dictionary file would statistically take 2.083 hours to crack one user’s password, assuming the password is in the dictionary to begin with. This is fantastic because it gives you much needed time to reset every user’s password and notify them, making the leaked hashes virtually useless.
Additionally, a bcrypt password is never the same. If user A and user B both have a password of “hunter2”, the stored values will not be identical.
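The scheme just described, as an added example rather than Blesta’s own code: the password is run through HMAC-SHA-256 with a server-side key, and that hex digest is what bcrypt hashes and later verifies. The key constant and the cost value are placeholders.

```php
<?php
// Added example, not Blesta's code: "HMAC-SHA-256, then bcrypt" as described above.
// HMAC_KEY is a placeholder; in practice it lives in a config file or environment
// variable, never in the database beside the hashes it protects.
const HMAC_KEY = 'PLACEHOLDER-long-random-secret-kept-outside-the-database';

function prehash(string $password, string $key): string
{
    // Hex output: 64 chars, under bcrypt's 72-byte input limit, and free of
    // NUL bytes, which bcrypt would treat as the end of the string.
    return hash_hmac('sha256', $password, $key);
}

function hashPassword(string $password, string $key = HMAC_KEY): string
{
    // Cost 12 is an assumption; use the largest cost your login latency tolerates.
    return password_hash(prehash($password, $key), PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyPassword(string $password, string $stored, string $key = HMAC_KEY): bool
{
    return password_verify(prehash($password, $key), $stored);
}

$first  = hashPassword('hunter2');
$second = hashPassword('hunter2');

// Same password, two different stored values: bcrypt salts each hash.
echo "stored values differ:      ", var_export($first !== $second, true), "\n";
echo "correct password accepted: ", var_export(verifyPassword('hunter2', $first), true), "\n";
echo "wrong password rejected:   ", var_export(verifyPassword('hunter3', $first), true), "\n";
// Without the HMAC key, even the right password does not match the stored value,
// which is why the leaked hashes alone are not enough for a dictionary attack.
echo "right password, wrong key: ",
     var_export(verifyPassword('hunter2', $first, 'some-other-key'), true), "\n";
```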
Blesta supports two-factor authentication (in v2.5 and v3) for both TOTP (Time-based One-Time Password) and MOTP (Mobile One-Time Password) for staff users. Both methods use a token, like OATH Token for the iPhone. Staff members log in by entering their username and password, and are then prompted for their one-time password. Once this token is entered, it can never be used again, so a man-in-the-middle attack is not feasible.
I did a video on Staff Login a while back that shows two-factor authentication in action, if you haven’t seen it.
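An added example (not Blesta’s code) of the single-use rule for TOTP: the staff record keeps the time step of the last accepted code and refuses that step or any earlier one, so a captured one-time password cannot be replayed. The staff record layout is an assumption; the secret is the RFC 6238 test secret.

```php
<?php
// Added example, not Blesta's code: RFC 6238 TOTP verification with the
// single-use rule described above. The $staff array fields are assumptions.

function totpCode(string $secret, int $counter, int $digits = 6): string
{
    // HOTP over the 64-bit big-endian counter, RFC 4226 dynamic truncation
    $hash = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0f;
    $bin = ((ord($hash[$offset]) & 0x7f) << 24)
         | (ord($hash[$offset + 1]) << 16)
         | (ord($hash[$offset + 2]) << 8)
         |  ord($hash[$offset + 3]);
    return str_pad((string)($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// $staff['last_counter'] is the time step of the last accepted code. Any code for
// that step or an earlier one is refused, even inside the clock-skew window,
// so a one-time password really is one-time.
function verifyTotp(array &$staff, string $submitted, int $now, int $step = 30, int $window = 1): bool
{
    $current = intdiv($now, $step);
    for ($c = $current - $window; $c <= $current + $window; $c++) {
        if ($c <= $staff['last_counter']) {
            continue;                      // already used or stale: never accept twice
        }
        if (hash_equals(totpCode($staff['secret'], $c), $submitted)) {
            $staff['last_counter'] = $c;   // burn this step before reporting success
            return true;
        }
    }
    return false;
}

// Constructed staff record; secret and time are the RFC 6238 Appendix B test values.
$staff = ['secret' => '12345678901234567890', 'last_counter' => 0];
$code  = totpCode($staff['secret'], intdiv(59, 30));
echo "first use: ", var_export(verifyTotp($staff, $code, 59), true), "\n";
echo "replay:    ", var_export(verifyTotp($staff, $code, 59), true), "\n";
```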
Shipping with v3 is a plugin called PHPIDS, which is an intrusion detection system. The plugin is excellent at detecting, logging, and blocking various attacks and uses the PHPIDS library.
From the PHPIDS website:
Furthermore the PHPIDS is able to detect yet unknown attack patterns with the PHPIDS Centrifuge component. This component does in depth string analysis and measurement and detects about 85% to 90% of all tested vectors given a minimum length of 25 characters.
The video is below; as usual, you can make the video full screen, and be sure to turn on your sound.
ACL (Access Control List)
v3 introduces a fully featured ACL. Access to different areas and tasks is limited to the group a staff member is part of. For example, a support staff member may only need to have access to support features, and be kept far away from private customer details. You have fine-grained control over what they can and can’t access.
I did a video on this one too, appropriately named Full Featured ACL. It’s worth a watch, if you haven’t seen it.
v3 logs a lot of things, including credit card accesses. Anytime a staff member views a credit card number it’s logged. If card numbers are siphoned off, you’ll be able to tell exactly who took them.
Offsite Gateways and Batch Processing
In v3 we are introducing offsite storage of card details for gateways that support it, like Authorize.net’s CIM method. For those using local storage, card numbers are still encrypted, now with up to a 3072-bit RSA cipher (depending on your system), and you can optionally set a passphrase on them. A passphrase is similar to a password, and is not stored on the server anywhere. Credit card numbers can be encrypted without the passphrase, but the passphrase is required to decrypt them. When enabled, all payments made from stored card numbers must be batched manually with the passphrase. It’s an added layer of security that can be enabled or disabled at any time. (Just don’t forget the passphrase if you set one!)
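An added example, not Blesta’s own code, of the passphrase design above using PHP’s OpenSSL functions: the private key is exported encrypted under the passphrase, so storing a card needs only the public key while decrypting needs the passphrase. The key size, the passphrase and the sample card number are constructed.

```php
<?php
// Added example, not Blesta's code: RSA-protected card storage where the private
// key is sealed with a passphrase that the server never stores. The card number
// below is constructed sample data, not a real account.

function makeKeyPair(string $passphrase, int $bits = 3072): array
{
    $key = openssl_pkey_new([
        'private_key_bits' => $bits,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    // The private key PEM is written out encrypted under the passphrase;
    // only this sealed form ever touches disk or the database.
    openssl_pkey_export($key, $privatePem, $passphrase);
    $publicPem = openssl_pkey_get_details($key)['key'];
    return [$publicPem, $privatePem];
}

// Storing a card needs only the public key, so it works without the passphrase.
function encryptCard(string $pan, string $publicPem): string
{
    openssl_public_encrypt($pan, $cipher, $publicPem, OPENSSL_PKCS1_OAEP_PADDING);
    return base64_encode($cipher);
}

// Decrypting (e.g. for batch processing) needs the passphrase to unseal the key.
function decryptCard(string $stored, string $privatePem, string $passphrase): ?string
{
    $key = openssl_pkey_get_private($privatePem, $passphrase);
    if ($key === false) {
        return null;                       // wrong passphrase: the key stays sealed
    }
    if (!openssl_private_decrypt(base64_decode($stored), $pan, $key, OPENSSL_PKCS1_OAEP_PADDING)) {
        return null;
    }
    return $pan;
}

$passphrase = 'constructed-example-passphrase';
[$pub, $priv] = makeKeyPair($passphrase);
$stored = encryptCard('4111111111111111', $pub);   // constructed sample number
echo "with passphrase:    ",
     var_export(decryptCard($stored, $priv, $passphrase) === '4111111111111111', true), "\n";
echo "without passphrase: ",
     var_export(decryptCard($stored, $priv, 'wrong-passphrase') === null, true), "\n";
```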
minPHP and PDO
The open source PHP framework we wrote, minPHP, provides foundation-level security for Blesta v3. minPHP supports, and v3 uses, PDO, which helps make queries safe and secure through parameter binding. Cody wrote more on this in his article titled Eliminating SQL Injection.
Smarty’s not that Smart
Blesta has never used the Smarty template system, and v3 is no different. We rarely trust third-party libraries, especially bloated ones with very little benefit. The template system in minPHP is lightweight and secure and it has many similarities to the template system we used in previous versions. We feel justified in our approach to keeping things simple and lightweight, especially in light of recent security exploits in Smarty that affected at least two of our competitors.
Our strict requirements for integrating third-party libraries, and our aversion to bloated code, put Blesta on a higher playing field.
I’m not good at marketing, I’m really not. I tend to think of good marketers as a little dishonest and don’t always hold them in the highest esteem. Their job is to portray their product in the best possible light and at times make it seem better than the competition. I think the product should speak for itself and I am passionate about what we’re doing because I know we are building something great.
Part of what sets us apart from our competition is our desire to do things right, along with our expertise to follow through on that desire. No shortcuts. No compromise. After all, that’s what I would want in a billing system for myself, because, if the focus is right, everything else will fall into place. If not, it’s an exhausting game of cat and mouse and I have no interest in that.
Tags: ACL | bcrypt | intrusion detection | PDO | phpids | security | sql injection | two factor authentication | v3 | version 3
August 10, 2012 | Posted by Paul
I’m a fan of all operating systems, Windows, Linux, and OS X. I just happen to make all these videos I post on a MacBook.. an old late 2006 model, that just couldn’t keep up anymore. I’ve had to retire it, and am excited to be doing these on a new MacBook Pro. I haven’t missed the spinning pinwheels of death one bit. Hopefully this means I can up the production value a bit.. only time will tell.
So this week, just a quick sneak peek at a feature that a lot of people have been asking for.. We call it Loginless Payments. It’s difficult enough at times to get customers to pay, so this is all about making it as easy as possible to collect, and providing a great customer experience at the same time. A customer may have forgotten their password to log in, but it’s no longer an obstacle because we have eliminated that step entirely.
When a customer gets an invoice in their email, a special link is provided to pay that invoice. It doesn’t log them into their client area, but it does let them pay without having to log in. This link is included in all payment reminders and late notices as well. Click, pay, done.
The video is below, as usual you can make the video full screen, and be sure to turn on your sound (And turn it up! This one turned out a little on the quiet side for some reason).
Tags: client area | loginless | payment | payments | video
July 27, 2012 | Posted by Paul
It’s been a busy week, which is pretty normal.. but extra busy because we’re a man down right now. Tyson does great work here, and the Superior Court of California thought he would do a great job as a juror too. I’m sure he will, and we hope to have him back from jury duty next week to hear all about it. (And also to get back to cranking on Blesta!)
I get a lot of email and phone calls about Blesta, and in talking with people, certain things start to stand out.. like the incredible need for a downloads section in the client area. I was happy to tell several people this week that it will be included in v3.
And then I realized that we haven’t really mentioned this before.
The download manager is a plugin, and here’s what it looks like installed in the staff interface..
Here’s the link it registers in the client interface where all the downloady-goodness appears..
Other plugins can register links here too. So there you have it! Downloads ship with v3.
Thanks for reading, I hope you have a wonderful weekend!
Tags: download manager | downloads | v3 | version 3