Response to Heartbleed Security Threat

Earlier this week, a security vulnerability known as Heartbleed was announced. This was an important event because OpenSSL, the underlying library in question, powers security and encryption for approximately two-thirds of the internet including sites like your bank.

First and foremost, we have no evidence that leads us to believe this vulnerability was used to access Edthena data or Edthena servers.

Because Edthena focuses on maintaining a high level of security for our users, this was a major development that demanded quick action. This is how we responded:

  • Within an hour of the security patch being released, we successfully updated and restarted our servers. This means that we were no longer vulnerable to the security exploit.
  • Within 18 hours, we revoked our existing cryptographic keys and completed the necessary steps to generate and implement new keys for accessing our data.

In short, while Heartbleed presented a potential threat to our data, we acted immediately to deploy a fix and restore the highest level of security to our systems and for our users.

Essentially every site needs to take steps to upgrade security measures, and they’ll need to communicate those upgrades to users like we’ve done here.

You can test any site for whether they’ve installed the updates by visiting http://filippo.io/Heartbleed

Image from Heartbleed.com

The Five Layers of Edthena Security

This post originally appeared on Education Week. It’s authored by Edthena CTO David Weldon. 

I spend a lot of my time thinking about security. In fact, “Will this be secure?” and “Will this scale?” are the first two questions I ask myself when contemplating any new feature. Adam’s first question is often “How soon can we ship this?”, but that’s understandable.

Preventing evildoers from getting their hands on your data comes in many forms: how we restrict access to our servers, how we interact with service providers, and how we transmit content to users.

Our users demand a place where their video and data are not only stored safely but also protected from unintended access. It’s the opposite of popular video sharing sites like YouTube, and we’d even go so far as to argue YouTube is not a good place for sharing classroom videos.

We believe we’ve built Edthena into the secured sharing platform that our users need. It’s one thing to say it’s secure, but it’s another to explain it publicly. 

I firmly believe that a secure system is one which can be explained in great detail and yet remains impervious to attack. In this post I will explain the five steps we take to ensure only the right people are accessing our users’ content inside Edthena.

Identity Verification

We go out of our way to make Edthena a social platform so you can feel confident you are interacting with only the people you know and trust.

The only way to activate an Edthena account is via an email invitation generated by our platform. This ensures that each account is associated with a unique email not shared by anyone else in our system. This approach of using email invitations to verify identity is considered a best practice for other scenarios like online contract-signing services.

In the Edthena platform, we also require every user to upload a profile photo during registration. From then on, your smiling face will appear in each one of your comments and groups.

Password Strength

We believe in strong passwords, but not in ridiculous rules. The Internet is replete with forms requiring a minimum of six characters with at least one number and one symbol.

Even with those restrictions, people still do a terrible job. I’ll bet I could unlock about a third of the web by trying every permutation of “P4ssw0rd!”.

It turns out that a simple collection of unrelated words like “correct horse battery staple” is incredibly hard to crack (and it’s pretty easy to remember). We use a sophisticated library which looks for things like keyboard patterns, industry terms, and known passwords to help ensure a sufficiently strong phrase.
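To make the contrast concrete, here is an added example (not Edthena's code and not the library the post refers to) that runs the composition rule criticised above next to a small pattern-aware check. The word lists, the substitution table and the `MIN_LENGTH` threshold are constructed assumptions for illustration.

```python
import re

# Constructed sample lists (assumptions); a real estimator ships far larger ones.
KNOWN_PASSWORDS = {"password", "letmein", "123456", "iloveyou"}
INDUSTRY_TERMS = {"edthena", "teacher", "classroom", "edtpa"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
LEET = str.maketrans("430157$@", "aeoistsa")  # undo common substitutions
MIN_LENGTH = 12  # assumed threshold, not taken from the post


def passes_composition_rule(pw):
    """The rule the post criticises: >= 6 chars, one digit, one symbol."""
    has_digit = bool(re.search(r"\d", pw))
    has_symbol = bool(re.search(r"[^\w\s]", pw))
    return len(pw) >= 6 and has_digit and has_symbol


def _normalise(pw):
    """Lower-case, reverse substitutions, drop trailing digits and symbols."""
    return re.sub(r"[^a-z]+$", "", pw.lower().translate(LEET))


def _keyboard_walk(pw, run=4):
    """True if pw contains `run` adjacent keys of one row, in either direction."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in pw for i in range(len(seq) - run + 1)):
                return True
    return False


def weaknesses(pw):
    """Reasons a pattern-aware check would reject pw (empty list = accepted)."""
    low, norm = pw.lower(), _normalise(pw)
    found = []
    if low in KNOWN_PASSWORDS or norm in KNOWN_PASSWORDS:
        found.append("known password")
    if any(term in norm for term in INDUSTRY_TERMS):
        found.append("industry term")
    if _keyboard_walk(low):
        found.append("keyboard pattern")
    if len(pw) < MIN_LENGTH:
        found.append("too short")
    return found
```

"P4ssw0rd!" satisfies the composition rule yet normalises to a known password, while the four-word phrase fails the composition rule and raises no pattern findings.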

Access Controlled Groups

By default, every video in the system can only be seen by the uploader. The only way to let others view your content is by sharing it to a group.

Group membership is controlled by the group admin. That person is clearly identified to the members of the group and is responsible for approving requests to join the group. Because you can always see exactly who is a member of your group, you can feel safe knowing that only a trusted set of users have access.

Unlike other platforms with complex privacy and sharing policies (I’m looking at you Facebook), Edthena has extremely simple choices of either unshared or shared to a group. This keeps things easy to learn for our users and increases confidence that only the intended audience will have access once shared.

Single-use URL

Every time you watch a video in Edthena, your browser is making a request to our content delivery network using a single-use URL. Not only is the URL generated on the fly, but the only way to initiate the process is to be signed in as a user of our system and access the video conversation inside one of your groups.

This is my favorite security feature. Even if a malicious person who was a known individual with access to your group could somehow figure out the address to one of your videos, the link is set to expire automatically to prevent further download of the content.
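One common way to build links with these properties, shown as an added example rather than Edthena's implementation: the application signs the path, an expiry time and a random nonce with an HMAC key, and the edge rejects anything tampered with, expired or already redeemed. The key, the host name, the URL layout and the in-memory nonce set are all assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"constructed-demo-key"      # assumption: shared by app and CDN edge
CDN_HOST = "https://cdn.example.invalid"   # placeholder host


def _sign(path, expires, nonce):
    """HMAC-SHA256 over every field the edge will later trust."""
    msg = f"{path}\n{expires}\n{nonce}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_url(video_id, now, ttl=30):
    """Called by the app only after session and group-membership checks pass."""
    path = f"/videos/{video_id}.mp4"
    expires = int(now) + ttl
    nonce = secrets.token_urlsafe(16)
    query = urlencode({"expires": expires, "nonce": nonce,
                       "sig": _sign(path, expires, nonce)})
    return f"{CDN_HOST}{path}?{query}"


def redeem(url, now, used_nonces):
    """Edge-side check: 'ok', 'bad-signature', 'expired' or 'replayed'."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        nonce, sig = query["nonce"][0], query["sig"][0]
    except (KeyError, ValueError):
        return "bad-signature"
    # Verify the MAC first so tampered parameters are never acted on.
    expected = _sign(parts.path, expires, nonce)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "bad-signature"
    if now > expires:
        return "expired"
    if nonce in used_nonces:
        return "replayed"
    used_nonces.add(nonce)  # single use: a second request with this link fails
    return "ok"
```

In a multi-node deployment the nonce set would have to live in shared storage, with entries dropped once their expiry has passed.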

Data Encryption

Many sites, including us, can say that we utilize 128-bit, “military-grade” encryption to ensure that information is protected against unauthorized access. But we take things one step further.

Unlike some sites which may mix secure and insecure content, our servers make sure that all data—the comments, the pictures, and the video—are transmitted over a secure connection. This removes the possibility of someone listening in on your Internet connection and seeing any of your Edthena data.

That’s it for the overview, but if you would like to know more detail about any of the above please reach out to us by email.

Why YouTube isn’t a solution for classroom observation videos

When explaining Edthena to someone for the first time, the common question is why YouTube can’t be utilized to achieve the same end-goals.

We’d like to think that there is a lot of value in the way we facilitate collaborative conversation on video. These are things that YouTube isn’t designed to do.

But let’s assume for a second that you don’t see value in things like a fully-managed video compression tool or time-synced annotations or the ability to upload attachments like a lesson plan. So now we’re evaluating based solely on the function of video storage and delivery.

Even on this level, I’d assert that YouTube isn’t the right place for classroom videos since it’s not a secure, private location for sharing video. YouTube is designed to make video sharing really easy. Almost too easy.

One of the most common ways to share information on YouTube in a “private” way is to make a video unlisted. This excludes the video from search. But this means that anyone with the URL can access the video. And if they have access, they can watch the video, embed the video in other places, and even download the video using 3rd party tools.

Potentially more concerning than a video set to unlisted is a video mistakenly set as public. After all, this is the default option for all new videos uploaded to YouTube.

Take a look at this search for “edtpa” which pulls back several classroom videos:

[Screenshot: edtpa video search results]

It’s completely possible that the video uploaders in the screenshot gathered permissions for public display of these students. But my experience and instinct is that at least some of the videos available via public search are not intended to be so easily discovered.

This is why having a platform like Edthena is so important. Our platform defaults all video to private, and each uploader chooses to explicitly share a video to a group of specific individuals.

When using Edthena, a program decision maker doesn’t have to worry about accidental exposure of sensitive information. We lock everything away inside our platform using several layers of security, encryption, and even a secure connection.

Edthena is the opposite of YouTube when it comes to security for video, and that’s a good thing in this instance.

Note: There is a mechanism on YouTube which enables private videos to be selectively shared via Google+ to other users. However, I’ve rarely met people who understand how to do this.

Edthena is now a member of AACTE

We’re excited to announce that we’ve been accepted for membership into the American Association of Colleges for Teacher Education (AACTE).

Edthena accepts membership into American Association of Colleges for Teacher Education (AACTE).

At first glance, this might seem strange, since we’re not a college of education. However, AACTE’s qualification for membership is that an applicant must have improvement of the education of teachers as a primary purpose. This is our purpose at Edthena.

Unlike many companies, we’re laser focused on teacher educators and teachers and keep them in our mind first and foremost when developing our platform for online observation.

As more and more colleges of education choose to participate in edTPA and integrate video throughout their program, they need a platform that makes video observation simple, easy, and secure. Thus, it makes sense that Edthena is actively participating in the organization which represents those colleges of education. We want to be a close partner for everyone in the process to transform their program.

Video Uploading is as Important as Video Conversations

This post originally appeared on Education Week. It is authored by Edthena CEO Adam Geller.

Last week Dave (CTO) described the Edthena Video Tool which allows users to compress and upload their videos with drag-and-drop ease.

Wait, an application that users install locally?

That’s right.

But I thought Edthena was an online platform for video observation and feedback.

That’s right, too.

But Dave said that developing the Video Tool took a long time. How did you know investing the time would be worth it? Time is always in short supply at a startup.

Very true. But the decision to build the Video Tool as more than just an add-on came from several iterations of trying to figure out what we needed to do to add value for our users by solving their problems.

Ultimately, it came down to providing whatever we needed to ensure users could be successful with the entire video observation and feedback process. And it turned out that the process was more than just how to interact with videos online. We had to help users get the videos online.

Learning From User Frustration

Many people are unaware that digital videos can be very large in size. Compared to the amount of bandwidth available, an uncompressed video could take days to upload. Thus, compressing videos before upload is a critical step to ensure users can be successful uploading the video to the internet.

If users can’t get their videos online, then your video-focused site is worthless. This is true whether you’re talking about YouTube, or Vimeo, or Edthena.

This compression problem is a tricky one. YouTube and Vimeo both provide extensive help documents about how to compress a video before upload.

When the first version of the Edthena platform launched to users at the beginning of the 2011 school year, we had a web application with an upload page. And a strong warning about needing to compress your video before upload.

Most of our customers planned to use Flip video cameras. This made it seem like solving the compression problem would be easy since we could provide instructions on how to click three buttons to compress a video using the included Flip software.

I’m almost not exaggerating about the number of clicks. It was definitely less than five.

But users could not and/or would not follow the instructions.

This meant that their experience trying to upload the file to our server was often a headache. Or a failure. And this was making it tricky to get users to test the actual process of providing feedback on teaching online.

If There Isn’t a Solution, Build One

I spent a lot of time trying to figure out how we could better train users on the process to compress a video using a free or paid software program from the Internet.

But the options varied by operating system and even by operating system version. And I only owned one (very old) laptop. And all the options involved multiple steps and were more complex than the Flip software had been.

After discovering there was no good option, it became clear that we needed to provide a simpler and better solution. This meant we’d need to build an application that was installed locally on a user’s computer.

Releasing an installed application is MUCH scarier than launching a web application. Unlike a web site, once the code is released to the users and installed, it can’t be updated easily. You have to get it really right on the first try.

(Important context here is that Dave had not yet joined the company, so I was responsible for managing the design and development processes myself.)

In spring of 2012 we finished development of our first installable application. It was called the “Edthena Prep Tool” because you could use it to prepare your video for upload.

The Edthena Prep Tool offered drag-and-drop compression for all our users. There were no scary screens filled with unnecessary and complicated options. Just push the big button, and a very compact video file would be saved to your desktop and ready for upload to the site.

The response was extremely positive. For the first time, our partners didn’t have to worry about training their teachers how to compress a video. They just had to make sure they were using our Prep Tool.

We were providing the best-in-class commenting tools and an easy way to handle the otherwise complex and cumbersome video compression process.

Success rates and satisfaction increased, but users were still having issues uploading the files. And if users can’t get their videos online, then your video-focused site is worthless.

Some More Prototyping

It turns out that file size wasn’t the only problem. The technical limitations of a browser-based upload were making it difficult for high rates of success on the first attempt to upload the video.

The logical next step was to enable the Prep Tool to upload the video, too. This added a significant level of complexity, as the application on the user’s computer would need to communicate with our servers to get the right permission to store the videos.

In fall of 2012 we released a new version of the Edthena Prep Tool which compressed and uploaded videos. This was a game changer.

While still not perfect for all users and all video sources, this allowed nearly everyone to be successful most of the time. And the Prep Tool would automatically retry the upload for you if there was a connection error.

A side benefit of building user-authentication into our Prep Tool is that only valid users could benefit from the one-step compression process that we had designed and implemented. While we were flattered that the tool was being used to compress home videos for easy sharing on other platforms, it didn’t lock in the value for Edthena.

Finally, time to build the real thing

It was clear that having the compression and upload tool was a huge value add for our end users and their organizations. So when it came to plan our strategy for the build out of the new Edthena platform for August 2013, we knew that it had to include a compression and upload solution.

Because of everything we had learned during the course of two years, it was clear that we should invest a significant amount of Dave’s time into building a solution.

The result is that the new Video Tool launched with the ability to compress and upload a video with drag-and-drop ease.

Oh, and then there’s the big enhancement that we can constantly monitor performance and push code updates to each user’s version of the app without needing them to reinstall. Auto-updating applications (the way we built ours) is a very new technology.

The ability to send updates silently to users is a dramatic improvement from the earlier Prep Tool. In fact, I’d say the ability to release new updates in the background constantly is a huge strategic advantage.

Today we just send a code update to our server, and the application on each user’s computer automatically updates instantly. In comparison, to update the old Prep Tool required a new version of the application to be compiled, downloaded by each user, and then reinstalled for the enhancements to take effect.

As Dave mentioned, at first things were a bit rocky with the new Video Tool, but because we could constantly send performance updates, we’re now tracking at 98% success on the first attempt to upload and more than 99% overall success.

But Wait…There’s More!

So you nailed it, right? You solved the users’ problem. They could get their videos online. Any video. Any length. Just drag-and-drop-and-walk-away. Finally the focus would be on the video observation experience!

To a large extent, this was true. But we found out there was still more we could do to solve the problems of our users.

Because we made the upload process so easy and so successful, the new feedback was about the process teachers were experiencing before they put the video into the Video Tool.

Some organizations ask their teachers to trim videos to a specific length. This created complexity for teachers around needing to utilize other programs before they could use our Video Tool. And in comparison to their experience with our Video Tool, the process was too hard.

The solution? Design a way for users to trim videos quickly and easily.

And because of the way we built the Edthena Video Tool with automatic updates, we released the trimming feature last week with the utmost ease: It automatically appeared in everyone’s Video Tool on Monday night.

This is the feature Dave alluded to last week in his post.

So did it work?
Yes. Within minutes someone had successfully trimmed her video.

And did they fall in love again with Edthena?
Yes. Email kudos arrived the next morning.
