Jan 29, 2012
Last night with all the indignation of the morally righteous someone wrote to me and demanded that I do exactly what they say or they would blog about how awful gRSShopper was to the world.
Let me beat him to the punch: gRSShopper is awful. I have never denied it, or claimed anything else. In fact, the most recent version is a 0.3 pre-release release.
His particular concern was that he had heard passwords were being stored as plain text. No, he didn't actually know this, he had just heard it somewhere.
Passwords are in fact stored in the database, not lying around in some plain-text file, and the database is secure and protected against access. So it's not like passwords were there for the taking, and there is no evidence whatsoever that they have ever been taken.
Despite his rudeness, though, he had a fair point about how they were stored, so last night I rewrote the logins so that passwords are encrypted when they are created, and retroactively encrypted every password in the system. This morning I also rewrote the password retrieval system so now it resets passwords instead of simply sending them (I used to encrypt passwords in the past, but actually changed it back because so many users had problems with the password reset system).
It turns out that this was not enough, and he demanded (yes, demanded, complete with bold-face commands littered thoughout his emails) a better password encryption system, one like the ones used by Drupal and Wordpress.
Because in principle, if someone hacked their way into the database, they could then use a brute-force algorithm to crack the passwords, at which point they would have access to - well, information stored in the database.
The concern of course is that people sometimes use the same password in other systems, and so if some hacker got into the gRSShopper database they could access other accounts that people have unwisely set up using the same password.
I'll tell you what. Here's the login system as it now exists in gRSShopper: click here
When I get some time in the future, I'll use full sha1 encryption and make it crack-proof. I'll also put the whole downes.ca and mooc.ca server onto HTTP Secure (https) so people can't pick your passwords out of wifi transmissions they're eavesdropping on (the https stuff he didn't mention but it has been on my mind for years).
Until then: either send me back the login script with the changes made (and don't forget they have to be backward compatible so they don't mess up user accounts even more than I messed them up yesterday), or give me a bit of a break.
gRSShopper does not have a budget. It's something I do in spite of the wishes of my employers, not at their behest. I've paid for the web server out of my own pocket for years. I've spent a lot of my own personal time (and whatever office time I could get away with) working on it. I went through a long process to get permission to release it as open source so that if people had a problem they could fix it.
It would be great if there were some support for the project, if some foundation were to give me the sort of money they give to the grant-writing experts at Stanford and MIT, if I could devote my time to working on making open learning accessible to people instead of working on private hush-hush projects for the government. But I don't have any of that kind of support, and it's even a violation of public service conflict-of-interest guidelines to apply for it (I can't publish books either, for the same reason) so I can't.
So if you have criticisms, either ask me nicely, help me out, or use something else. Don't write to me as though I'm some sort of subordinate you can demand perform this or that task just because you say so on threat of 'exposing' what a crappy software author I am. I love getting suggestions and help. I pathologically hate being given commands or ultimatums.
Oh yeah, and if you're a foundation or some big company or whatever that would like to fund my work, I'm all ears.