All posts by Kerika

About Kerika

Kerika is the only task management tool that's designed specially for global, remote teams.

Why we are integrating with Box; Part 1: Privacy Overhang

(The first in a series of blog posts explaining why, and how, we are adding Box as a cloud service in addition to our long-standing integration with Google Drive.)

When we first started working on Kerika, back in 2010, Google Docs was an obvious choice for us to integrate with: it was pretty much the only browser-based office suite available (Microsoft Office 365 wasn’t around and Zoho was, and remains, somewhat obscure), and we were quite sure we didn’t want to get in the business of storing people’s desktop files in the cloud.

Google Docs (not yet renamed Google Drive) did have various limitations in terms of the file types it would support, and further limitations on the maximum size permitted of different types of files — the largest spreadsheet that they would support, for example, wasn’t the same size as the largest Word document — but the idea of building Kerika as a pure-browser app was a very appealing one.

So we integrated with Google Docs at a low level, fully embracing their API, to provide a seamless experience unlike anything that you might find from competing products:

  • When you add a document to a card or canvas in a Kerika board, it is automatically uploaded to your Google Drive, where it is stored in a set of nested folders.
  • When you add people to a Kerika board, their Google Drives automatically get dynamic links to your Google Drive, giving them just the right access, to just the right files.
  • When people’s roles change on a project team, their Google Docs access is automatically and instantly changed.
  • When a document is renamed in Kerika, the new name is reflected back in Google Drive.

Many of our users who are already using Google Docs loved our integration: one user went so far as to say “Kerika makes Google Docs sing!”

The Google integration was not easy, particularly in the early days when there were wide gaps between the documentation and the reality of the API: we had to frequently resort to the wonderful Seattle Tech Startups mailing list to cast about for help.

But it seemed worthwhile: our Google integration has definitely helped us get paying customers — organizations moving off the traditional Microsoft Office/Exchange/SharePoint/Project stack were looking for a tool just like Kerika, particularly if they were also grappling with the challenges of becoming a Lean/Agile organization and managing an increasingly distributed workforce.

We even signed up organizations, like the Washington State Auditor’s Office, who started using Google Apps for Government just because they wanted to use Kerika!

But there are other folks we encounter all the time who say to us: “We love everything about Kerika except for the Google integration.”

Some folks want to work with Microsoft Office file format all the time (although that’s possible even with our Google Drive integration, by setting a personal preference, and will be even easier in the future with new edit functions announced at Google I/O), but, more commonly, we came up against a more basic concern — people simply distrusted Google on privacy grounds.

It’s debatable as to whether it’s a well-grounded fear or not, but it is certainly a widespread fear, and it is not showing any signs of diminishing as we continue to talk to our users and prospects.

Some of this is due to a lack of understanding: users frequently confuse “security” and “privacy”, and tell us that they don’t want to use Google Apps because it isn’t secure. This is really far off the mark, for anyone who knows how Google operates, and understands the difference between security and privacy.

Google is very secure: more secure than any enterprise is likely to be on its own. They have a lot of software and a lot of people constantly looking for and successfully thwarting attackers. It’s always possible for someone to hack into your Google account, but it will be through carelessness or incompetence on your end, rather than a failure on Google’s part.

Privacy, however, is a different matter altogether, and here Google does itself no favors:

  • Its Terms of Use are confusing: their general terms of use, for all Google services, contain this gem which drives lawyers crazy: “When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”
    The Google Apps for Business Terms are much more specific: “this Agreement does not grant either party any rights, implied or otherwise, to the other’s content or any of the other’s intellectual property.”
    But most people derive a first, and lasting, impression from Google general terms, and few get around to investigating the GAB specific terms.
  • Google finds it hard to acknowledge people’s privacy concerns. This is somewhat puzzling, and can perhaps be best explained as a cultural problem. Google genuinely thinks of itself as a company that “does no evil”, and therefore finds itself reflexively offended when people question its commitment to privacy. It’s hard to address a problem that challenges your self-identity: the Ego acts to protect the Id.

Entire sectors seem closed to Google Drive: lawyers, who could certainly benefit from Kerika’s workflow management, and healthcare, which is already adopting Lean techniques (pioneered locally by the Virginia Mason hospitals.)

In the small-medium business (SMB) market in particular, there isn’t any meaningful outreach by Google to address the privacy/security concern.  (Google does reach out to large enterprises, but in the SMB market it relies entirely on resellers.)

For our part, we have done a ton of work persuading people that it’s OK to use Google Drive, but we don’t get paid for this (we are not a Google Apps reseller), and this is, at best, a distraction from our core mission of building the very best work management software for distributed, lean and agile teams.

We need an alternative cloud storage platform: one that has robust capabilities, is enterprise-friendly, and doesn’t come with any privacy baggage.


More fonts for Whiteboards

We have expanded the selection of fonts that are available for Whiteboards and canvases:

New fonts

The list of available fonts now includes:

  • Arial
  • Armata
  • Audiowide
  • Calligraffiti Regular
  • Cinzel
  • Dancing Script
  • Indie Flower
  • Josefin Sans
  • Kaushan Script
  • Lato
  • Lobster
  • Montserrat
  • Nothing you could do
  • Oswald
  • Pacifico
  • Permanent Marker
  • Pinyon Script
  • Raleway
  • Rock Salt
  • Shadows into light
  • Times New Roman
  • Verdana

 

Heartbleed: no heartache, but it did prompt a complete security review

So, here’s how we dealt with the Heartbleed bug…

We learned about the bug just like you did: through news reports early on April 7th. Heartbleed was a “zero-day” bug, and the OpenSSL team put out an updated (patched) version of the OpenSSL library the same day, which meant that everyone, everywhere, had to scramble to get their systems patched as quickly as possible.

(And the bad guys, meanwhile, scrambled to grab sensitive information, with the Canadian tax authorities being among the first to report that they had been hacked. Of course, “first to report” isn’t the same as “first to actually get hacked”. Most people who got hacked either never found out, or never said anything…)

Kerika uses OpenSSL too, and our immediate concern was updating the Elastic Load Balancer that we use to manage access to our main Amazon Web Services (AWS) servers: the load balancers are where OpenSSL is installed; not on the Web servers that sit behind the load balancer.

Using Amazon Web Services turned out to be a really smart decision in this respect: Amazon just went ahead and patched all their load balancers one by one, without waiting for their customers to take any action. In fact, they patched our load balancer faster than we expected!

Patching the load balancer provided critical immediate protection, and gave us the time to do a more leisurely security review of all our operations. This was long overdue, it turned out, and so we went into “housecleaning mode” for over a week.

One part of this, of course, was updating all our Ubuntu Linux machines: Canonical Software was also very prompt in releasing a patched version of Ubuntu, which we loaded onto all of our development, test, and production servers. So, although the OpenSSL vulnerability had already been patched at the load balancer, we also patched these machines, even though they couldn’t be directly accessed from the Internet.

Next, we decided to clean up various online services that we weren’t actively using: like many other startups, we frequently try out various libraries and third-party services that look promising. We stick with some; others get abandoned. We had accumulated some API keys for services that we weren’t using any more (e.g. we had a YouTube API key that no one could even remember why we had gotten in the first place!), and we deactivated everything that wasn’t actively being used.

Closing unneeded online accounts helped reduce our “attack surface”, which adds to our overall security.

And, of course, we changed all our passwords, everywhere. All of our email passwords, all of our third-party passwords. All of our online passwords and all of our local desktop passwords. (On a personal level, our staff also took the opportunity to change all their banking and other online passwords, and to close unneeded online accounts, to reduce our personal attack surfaces as well.)

We got new SSL certificates: from Verisign for our production load balancer, and from GoDaddy for our test load balancer. Getting a new SSL certificate from Verisign took much longer than we would have liked; getting one from GoDaddy took just seconds, but on the other hand, Verisign does have a better reputation…

We reviewed our internal security policies and procedures, and found a few places where we could tighten things up. This mostly involved increased use of two-party authentication and — most importantly — further tightening up access to various services and servers within the Kerika team. Access to our production servers is highly restricted even within the Kerika team: we use AWS’s Identity & Access Management service to restrict access using roles and permissions, even within the small subset of people who have any access to the production server.

Finally, we are adding more monitoring, looking out for malicious activity by any user, such as the use of automated scripts. We have seen a couple of isolated examples in the past: not malicious users, but compromised users who had malware on their machines. Fortunately these attempts were foiled thanks to our robust access control mechanisms which manage permissions at the individual object level in Kerika — but, like every other SaaS company, we need to be vigilant on this front.

All of this was good housekeeping. It disrupted our normal product development by over a week as we took an “all hands on deck” approach, but it was well worth it.

Fixing 58 server bugs and warnings (Why so many?)

Along with the hundred styling changes and UI cleanup we are wrapping up, we also took the opportunity to fix around 58 different errors and warnings being reported by our server.

This might sound like a lot, so perhaps a little context is useful:

  • Kerika is built on top of Google Apps (at least, for now): we use Google’s OAuth service to sign up and sign in people, and we use Google Drive to share files within project teams.
  • A lot of errors show up as a result of this Google integration, only a fraction of which are solvable from our perspective:
    • Some errors relate to people from restricted Google Apps domains trying to use Kerika. This happens at least once a week — someone working at a company that has Google Apps for Business tries to sign up for Kerika, but fails because their Google Apps Administrator (typically, someone within their IT department) has prohibited any third-party apps from integrating with their Google Drive.
      This is an example of an unsolvable problem — we can’t override the existing protection that this company has set up (and nor would we want to!) so we are going to redirect users to an explanatory page that helps them understand the problem is not with Kerika.
    • Sometimes Google Apps has outages: when this happens, we can get a cascade of errors on our servers, because these outages are typically intermittent and inconsistent across our user base. Some folks experience problems, others don’t. We are trying to come up with a way to inform people about what’s happening, so they don’t think it’s Kerika that’s busted.
    • Sometimes Google burps: it doesn’t have an outage, but experiences a fleeting problem with uploading a file. We might get nothing back from Google other than a generic “500 error: system not available”.
  • We have also had problems related to our use of Firefox for the Render Server: Firefox’s latest updates are sometimes less stable than previous ones, and in general Firefox is starting to have a really big footprint in terms of memory usage.
  • And, finally, we have had our own bugs, just like any other software developer. Some of these have been tricky to find, but as we find them, we squash them.

 

Adding URL references got a lot better!

A few weeks ago we introduced a new feature: if you included a URL reference in a card’s details, attachments or chat, we would fetch that Web page’s title and show that, instead of just the “raw URL”.

This turned out to be a really helpful feature, and so we are expanding it in our next version by adding logic to handle a wider variety of URLs: the new logic should make it easier to have smart references to URLs show up in your cards even when these URLs are pointing to obscure Web sites, Intranet sites, etc.

 

A shift towards short-lived cookies

In an earlier blog post we noted that Google is making it increasingly hard for people to create and maintain distinct Google IDs, and this is creating more problems for Kerika users, forcing us to rethink our “cookie strategy”. Here’s the background:

Long-lived and short-lived cookies

When you sign in to Kerika, you do so using your Google ID: the Kerika server gets an authorization token from Google and places a cookie on your local computer so that you don’t have to sign in again, if you close and then reopen your browser.

We had been using what’s known as a “long-lived cookie”: one that doesn’t automatically expire when you close your browser. That made Kerika more like a news site than a banking site: when you login to a news site as a registered user, you get a long-lived cookie so that you don’t have to login again, even after you have closed your browser (or even restarted your computer).

Banking sites, on the other hand, use “short-lived cookies”: if you close your browser tab, open a new one and try to access your bank account again, you will be asked to re-login.

Short-lived cookies are generally used for more sensitive websites, like banking, because there is a big tradeoff in terms of user convenience. Kerika had previously opted for long-lived cookies because we wanted to make it really convenient for people to get back to their Kerika boards after having closed their browser.

The problem we face

The problem we are facing now is that it is increasingly likely that your Kerika login is out of sync with your Google login. There are at least two ways in which this could happen, one of which was always a risk, and the other a new risk resulting from the shift in Google’s approach to user IDs:

  • The old problem: people with multiple Google IDs would frequently switch between them, without logging out of Kerika. For example, someone has two Google IDs: A and B. She may have signed up with Kerika while she was logged in as User A. Since we were using long-lived cookies, a Kerika cookie identifying her as “User A” will stay on her machine until she logs out of Kerika.
    But, in the interim she may have separately logged out of Google as User A and logged in as User B (perhaps to check her Gmail on a different ID). This would result in a situation where she is known to Kerika as User A, and currently logged into Google as User B. In this scenario, she would be unable to open any files attached to her projects because of the mismatch in IDs.
  • The new problem: Google is making it easier for people to be logged in as two different IDs, using the same Chrome browser. (Note: this is true only with the Chrome browser; not true with Safari, Firefox or IE as far as we know.) This considerably increases the odds that a user is currently logged into Kerika as User A, and simultaneously logged into Google as User B.
    Because the user never consciously logged out from Google – just switched IDs while on YouTube or Gmail or somewhere – she may be unaware that she isn’t who she thinks she is…

The short-term solution

We can mitigate this problem by switching over to short-lived cookies. This makes the user experience a little more annoying, in our opinion (because you have to login more frequently to Kerika, or remember to keep your browser alive), but it should help reduce the odds that your Kerika ID is out of sync with your Google ID.
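
The two cookie lifetimes described above, together with a server-side check for the Kerika/Google ID mismatch, as an added example (not Kerika's code). The cookie name `kerika_session`, the session record fields, the 8-hour limit and the way the current Google account ID reaches the server are all assumptions made for illustration.

```javascript
// Added example, not Kerika's code. Cookie name, session fields and the
// 8-hour server-side limit are assumptions.
const MAX_SESSION_SECONDS = 8 * 60 * 60;

// Build a Set-Cookie value. persistSeconds = null gives a short-lived
// (session) cookie: with no Max-Age or Expires the browser drops it on exit.
function buildSessionCookie(token, persistSeconds = null) {
  const parts = [
    `kerika_session=${encodeURIComponent(token)}`,
    'Path=/', 'Secure', 'HttpOnly', 'SameSite=Lax',
  ];
  if (persistSeconds !== null) parts.push(`Max-Age=${persistSeconds}`);
  return parts.join('; ');
}

// Classify a Set-Cookie value the way a browser treats it.
function cookieLifetime(setCookieValue) {
  const attrs = setCookieValue.split(';').slice(1)
    .map((a) => a.trim().toLowerCase());
  const persistent = attrs.some(
    (a) => a.startsWith('max-age=') || a.startsWith('expires='));
  return persistent ? 'long-lived' : 'short-lived';
}

// Decide what to do with a request. `session` is the server-side record the
// cookie points to; `currentGoogleId` is the account Google reports for this
// browser right now (null when signed out of Google).
function checkSession(session, currentGoogleId, nowSeconds) {
  if (!session) return 'login';
  // Browsers that restore the previous session on startup can keep session
  // cookies alive, so the server enforces its own age limit as well.
  if (nowSeconds - session.issuedAt > MAX_SESSION_SECONDS) return 'login';
  if (currentGoogleId === null) return 'login';
  // "User A in Kerika, User B in Google": attached files would not open,
  // so make the user pick one identity instead of failing later.
  if (session.googleId !== currentGoogleId) return 'reauthenticate';
  return 'ok';
}

// Constructed sample values.
const demoSession = { googleId: 'user-a', issuedAt: 1000 };
console.log(buildSessionCookie('tok123', 30 * 24 * 60 * 60)); // long-lived
console.log(buildSessionCookie('tok123'));                    // short-lived
console.log(checkSession(demoSession, 'user-b', 2000));       // mismatch case
```

The mismatch check matters even with short-lived cookies, because a user can switch Google accounts in another tab while the Kerika tab stays open.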

The long-term solution

Allow users to sign up directly at Kerika, without using their Google IDs!

Google+ isn’t ready for world domination

We just spent an hour trying, fruitlessly, to set up a “Google Hangout on Air”, and about the only thing we can conclude is that all those folks who are worried about Google’s plan for world domination can relax: Google isn’t close to having a single ID to track everyone.

In order to do a Hangout on Air (a public Hangout, that up to 10 people? can view), you need to have a YouTube channel connected to your Google+ account.

Well, we do have a YouTube channel for info@kerika.com, and a Google+ account, also for info@Kerika.com, but that’s not good enough for Google, which keeps providing this singularly unhelpful message:

Trying (and failing) to start a Google Hangout

Clicking on the “Click here to get started” link, which you might reasonably expect to take you to a control panel screen of some sort, just takes you down a wild-goose chase of outdated help pages from Google. These help pages have clearly not kept up with UI changes at YouTube, nor even with UI changes on Google+ itself.

Trying to make sure our Google+ profile is complete doesn’t help either: Google+ tells us that our profile is 85% complete, and that we have done everything we need:

Stuck…

at 85 percent

Pretty painful experience; we are going to stick with GoToMeeting for now.

It’s now easier to work with Microsoft Office files

Although Kerika is built on top of Google Drive, you can still share files in Microsoft Office format.

Here’s how it works:

  • By default, your files are converted to Google Docs format when you add them to a card or canvas in Kerika, but if you prefer, you can keep them in their original Microsoft Office (or other program, like Adobe) format.
  • Go to your personal preferences page, at https://kerika.com/preferences, and you will see this preference switch:
Setting your Kerika preferences

Toggle the “Use Google Docs for projects in my account” to OFF, and your Microsoft Office files will remain in their original format even as they get shared using Google Drive.

To make this preference even more useful, we have added a “smart download” feature: if you are storing your files in Microsoft Office format, clicking on a file attached to that card will automatically download that file for you, so that you can open it in Microsoft Office.

For example, if you have added a Microsoft Word file to a card, and are storing it in the original MS Office format, clicking on the attachment will download the file and launch Microsoft Word so that you can immediately start editing the file.

In some cases you might see a “403 Access Denied” message appear: if you do, there is a simple workaround for this problem – just open docs.google.com in a separate browser tab, and try again. It will work this time.

A very important point to note: if you download and edit a file, make sure you attach the modified document as a new attachment to your card (or canvas); otherwise your team members won’t see the latest version!