On Heartbleed and security

You’ve probably heard by now of Heartbleed, a critical flaw in OpenSSL, the de facto standard security component used by most web services. This flaw makes it possible for attackers to read part of the memory of servers that use OpenSSL for encryption, and steal data from it.

Over the weekend, a few members have asked us where we stand on the issue.

In short, PhotoDeck relies on the affected component, but we took the appropriate steps swiftly, and don’t believe there is a meaningful risk to your data. As a precaution, it is always a good idea to change your password, and especially to make sure you don’t re-use the same password across different services.

This is not the first (nor the last) time in PhotoDeck’s lifetime that a major security bug surfaces. We actively monitor security issues on a continuous basis and make sure we are able to react swiftly when such issues arise.

As a result, we were able to implement a correction to our system as soon as it was available, within about 21 hours of the bug being announced. This is a relatively short window, and from a hacker’s viewpoint there were far higher-profile targets to exploit than PhotoDeck. We have no evidence of data being compromised.

Still, what is the risk exactly?

PhotoDeck does not process (and therefore we don’t store) credit card numbers, and all financial traffic goes directly to our payment providers, so no financial data is accessible through PhotoDeck. In fact, in our setup the affected component only has access to data in transit (active sessions), not to the database. Similarly, the image and video files are out of reach.

Nonetheless, in theory, some users’ login credentials could have been compromised. So as a precaution, you can change your password (ME / Change my password).

More importantly, make sure that you don’t reuse the same password across services.

We will keep monitoring the Heartbleed situation closely, as well as security issues in general.


Posted in Behind the scenes

“Everyone can now track down noisy tabs”

From time to time, we are asked if it is possible to play background music on PhotoDeck sites. The answer to the question is “no” (except as part of a video), and not implementing the feature is a conscious design decision.

We normally base our developments very much on our members’ needs and wants, so I thought I’d share the rationale behind that.

Many people prefer a site without music

I’m one of those pesky guys that close a site as soon as it forces music through my computer. I feel invaded, and insulted that I have to look for a small “Pause” button somewhere on the page to kill the noise (and it’s downright embarrassing when I’m in a room with other people). So usually I close the site immediately and move on.

I’m far from an isolated case. Want proof?

“Everyone can now track down noisy tabs”

That’s the title of a Google announcement of a new feature in Chrome. That feature helps users identify the “noisy tabs”, i.e. the sites that play audio, more quickly, so they can close them down faster.

Design for the busy-pesky client, not for yourself

For me, this is a golden rule. A photography website should make the photographer look great. But the main goal of a professional photography website is to make it easier for a client, or potential client, to do business with you, the photographer.

Whatever you do on your website, make sure it doesn’t give an excuse for a busy or angry client to go away. Visitors should feel in control, not held captive.

Usability trumps coolness, even for photography websites, and that is a philosophy we strive to follow.

Videos

You can still put a video on your frontpage, with audio, as videos are generally better tolerated when they add real value. But use with care…

Agree? Disagree? Let us know via Twitter!


Looking for a new remote team member!

As we’re growing, we’re looking for a new team member to help with Member support, initially for a couple of hours per day. The job is done remotely and offered as a freelance contract.

Interested in joining the PhotoDeck innovation train? We’re looking for a hands-on person who:

- can readily identify with PhotoDeck’s basic values: fairness, honesty, love to get the job done and done well (aka “good-guys” and “no-bullshit” values);

- loves helping people, day in, day out;

- is a native English speaker, located in Europe or on the US/Canada East Coast;

- can work independently and is willing to learn;

- is also self-reliant technically and comfortable with software in general;

- has some hands-on experience with creating websites.

All boxes ticked? The following qualities are not mandatory but can make a difference:

- already created and customised a website on PhotoDeck (huge plus);

- familiarity with the practice of photography or video, and its business;

- deeper technical understanding: DNS setup, HTML/CSS, access to multiple OSes…

Email jobs @ photodeck and tell us about you!


PhotoDeck speed measured

The fastest photography websites around?

You might already know how important website speed is to us, and hopefully you’ll have noticed that our websites are significantly faster than what is usual.

Some time ago, we explained that they enjoy an exceptionally high Google Page Speed score. That applies to our mobile sites, too.

A complementary and important measure is our servers’ response time. That is, how much time it takes for the servers to build and send out an HTML web page (this doesn’t include the time it takes for data to move across the Internet, nor the images delivered directly from the Amazon cloud).

To put things in perspective, the response time for traditional small sites and blogs is often measured in seconds.

A year ago, the server response time for our websites was around 170ms. But when I say that speed is important to us, I should actually say that we are fanatic about it. So Cedric went back to the drawing board.

And here is the histogram of our servers’ response times over the past 8 days:

There is beauty in this nerdy figure!

Looking closer at the numbers:

Average response time = 47ms

That’s 70% faster than a year ago, with more features, and it was already very fast back then.

Over 23% of web pages served in less than 10ms!

Now that will be tough to improve significantly ;)


Mobile photography websites

100% full-screen on compatible browsers (e.g. Android)

This is not a mobile app

Native mobile apps are nice. They are optimized for the very device they were built for.

But a mobile app is of little use to a photographer: you can’t expect prospective clients to find, download and install a mobile app just to see your work.

The goal: mobile websites that behave like native apps.

Mobile websites work on any device and don’t require your clients to install anything. They just open their browser or click on a link, and, voilà…

Problem: building a simple mobile site (like www.photodeck.com viewed on a mobile) is relatively easy. Designing a mobile site that behaves like a native app is complex – much more complex. Someone in the team lost some hair fighting mobile browsers’ idiosyncrasies ;)

Mobile Safari

But we’re stubborn.

Our mobile sites will work great in both portrait and landscape orientations.

They will maximize the available screen real estate, hiding the URL bar and going 100% full screen when possible (e.g. on Android devices).

They will play nice with retina displays. And they will be FAST!

Stay tuned for more…

Update: already a member? Get your mobile site now!


Uptime / Downtime

Summer downtime? What summer downtime? (*)

You’d think it would be normal to assume that a web service just works, all the time. Unfortunately software, computers and networks do break, so it is common for complex web applications to face downtime (ask Twitter or Facebook about it ;)

And the higher the service availability, the more difficult it is to improve. But we have high ambitions in that respect too.

A few months back, I wrote that we had enjoyed 99.95% availability for the previous year (members’ websites and PhotoDeck admin space are counted together). That’s about 20min downtime per month. I also wrote that although this was already an excellent figure for such a complex platform, we were working hard to improve it.

That project was completed in June. The results are in:

Boring flat graph = good news

Our uptime for July was 100%. As was August’s, too.

That’s right, not a single minute of downtime in over 2 months. And during that timeframe, we kept upgrading the service frequently, we had hardware outages, and we served over a million web requests (hits) per day.

We’re proud of this achievement, but we’re also touching wood. Downtime does ultimately happen, you never know what Murphy has in store ;)

Did you know?

We post updates about major issues at www.photodeck.com/status, where you can also track the PhotoDeck platform availability.

(*) The platform didn’t get any vacation and was never left unattended, but the PhotoDeck team did enjoy some personal downtime this summer in between project work… The weeks ahead are bound to be very exciting, more on that very soon…


Baby-sitting servers, so you don’t have to

Things have been quiet on the “new feature” front for the past few weeks, but we’ve kept ourselves busy as always. A major ongoing project of ours is about improvements in the server infrastructure that supports the PhotoDeck service.

Not that we’d have any server crisis going on, mind you:

99.98%
PhotoDeck service uptime April 2012

The service availability for April was 99.98% (yeah, even though we deployed some pretty significant infrastructure changes). For the past 12 months, it was 99.95% — still a number to be really proud of.

Still, it has happened a couple of times that we had to wake up in the middle of the night to attend to a server. And like everybody else, we don’t like being woken up in the middle of the night. There have been a couple of hardware failures we can mitigate but not prevent. There has been a network outage at our infrastructure provider, also unpreventable. But we’ve also discovered that we could make some parts of the PhotoDeck architecture more robust still.

And that’s exactly what we’re doing – some heavy lifting on the infrastructure for even more robustness, and to accommodate our growth.

The most complex part of the project is behind us (well, for this round, as this is also about continuous improvement). We still have a few bits and pieces to take care of, and we’ll soon also upgrade (again) the servers’ hardware, so that’ll keep us busy for a couple of weeks still…

Oh, I almost forgot:

We’re also playing with a great new feature in our lab, one that will be of interest to most of our members… It shouldn’t be very long until it makes its way to the live service!


Tech post: about PhotoDeck software code

Today is the first post of a new kind in this blog: Tech posts!

The purpose of them is to share with our tech-savvy community some technical aspects of PhotoDeck.

You can safely ignore those posts and return to a sane activity (an outdoor one would have my preference!) if one or more of the following words makes you want to run far, far away: “computer”, “geek”, “coding”, “html5” (yes, 5, obviously!)… or if you don’t see the point in “windows vs. macos vs. linux” or “vi vs. emacs” wars (actually, I don’t either, but people who understand what I mean may want to keep reading!).

Now that you’ve been warned: today’s topic is about the size of PhotoDeck software code.

When the guys at 37signals shared their code statistics for the rewrite of their highly popular and successful Basecamp product, it was quite a surprise for me, for different reasons:

1. Showing statistics on its own, non-public code. That doesn’t sound like a usual practice to me.

37signals' Basecamp Next code stats

2. 6334 lines of code (LOC): as pointed out in one of the comments, that’s not a lot of lines of code for such a product. People who have experienced enterprise web applications will fully appreciate this.

Why so few lines of code? Maybe because they are smart, probably a bit lazy too (why get tired writing 100 LOC when 10 will do?)… but also because of their choice of web programming platform: Ruby on Rails (they invented it, actually). Ruby on Rails (aka “RoR”) stands out as an elegant and efficient way to build web applications. The code is concise, clean, beautiful (well, you may not want to tell people that you can see beauty in software code, oops. Anyway, beauty is all relative: people used to reading code written for other platforms might succumb to its charms, religious considerations set aside).

Back to PhotoDeck: when we started building the product (that was more than two years ago), we decided to give Ruby on Rails a try. We were eager to quickly put our ideas together, and confront them early with photographers. Would RoR’s promises hold? Yes. I was blown away by the speed at which we were able to assemble things, and deliver. Today, PhotoDeck is still powered by Ruby on Rails, and we couldn’t be happier with this choice. What about our own code statistics? Here they are:

PhotoDeck code stats

3. Yes, with 25000 lines of code (+ 10000 for automated tests), PhotoDeck’s RoR code is approximately 4 times larger than Basecamp Next’s… and I can guarantee that I’m lazy enough to (try to) write concise code (concise, yet maintainable, as I don’t like giving myself avoidable work!). One more reason to be surprised!

Product size also gives us an idea of its complexity and features. It seems that our feature list shows!
