韩小寒

Site Security

Security of this website is very important to me. As a software developer with more than 30 years of professional experience, and more than a decade in software security, I've seen the amount of damage that can occur when a programmer doesn't make security their primary focus as they're creating a website. The results can be catastrophic.

For that reason, as I've created the site I have made security priority number one. From the very first steps of selecting a hosting service through picking page templates and code libraries, the first consideration is always security. For that reason, very little of this site actually uses publicly available code. Far too many open source and other free software solutions are lacking from a security standpoint, as the majority of software developers are either completely untrained, or poorly trained in security. Every week multiple sites are compromised because of flaws in code that the site's developers didn't write or didn't vet properly. My belief is that most freely available code is best avoided when possible. So aside from the basic page template (which should be safe) I've coded the site completely from scratch with security in mind from day one, not bolted-on and retrofitted into the site afterwards. The security implications of every line of code were considered before they were added.

Over nearly ten years at my last full-time job one of my primary responsibilities was security -- from coding, to training, to auditing. I couldn't tell you how much time I spent learning which coding techniques are good and which are bad (and why!), and the methods that hackers use to get into data on websites. Even though I had been developing software for nearly three decades before I became involved with that project, I was naive. But I learned so, so much, and have applied that knowledge in every aspect of the creation of not only this site but all of the software I'm involved with at any level. Everything I do goes beyond what is considered best practice. And I continue to spend more than a few hours every week researching industry trends and vulnerabilities, and apply what I learn here.

I'm doing everything I can to protect your data. A few basic examples...

Security

  • The site is protected by not one but two industry-leading firewalls. The servers and services running on them are restricted by IP address and are only accessible to those that absolutely need access.
  • The site actively monitors for multiple types of break-in attempts and shuts them down as soon as they're detected.
  • I check for and install security updates on the site web and database servers multiple times per week, or whenever public security announcements are made about the services being used.
  • The site and all client data are backed up to multiple locations daily.
  • All user accounts, events, resources, messages, etc. are identified using long, random tokens rather than sequential numbers (which can be guessed by attackers).
  • Account information is protected using the latest and most secure techniques, making hacking accounts as difficult as possible. (For example, your password isn't actually stored on the site – we store a mathematical representation of that password (memory-hard PBKDF), even more advanced than what is considered state-of-the-art today. This is intentionally very difficult to calculate (even harder for administrative accounts), and adjusts dynamically over time to become more difficult as computers get faster.)
  • The way the site tracks logins is far more secure than is typically found on even the most secure websites. Hijacking your login would be extremely difficult. Very few other sites have this technology.

Privacy

I've tried to develop the kind of site that I would feel comfortable with. And I believe that that is not just in the best interest of site users, but also me as the site creator. I believe that a relationship of trust is more important than any information that can be gleaned from sharing your data.

  • We will never sell any of your data to anyone, ever!
  • The site only collects the information that is needed to make it functional.
  • Your personal information is only made available to those who absolutely need it -- for example, with your permission we'll share your phone number with other members of a crew working a particular event, but nobody else besides site administrators will ever have access to it.
  • We don't use any third party site analytics or tracking tools. And aside from the Free version of CrewAxis (to help offset the considerable cost to running it), it will always remain free of advertising.
  • Each CrewAxis client gets their own, completely independent database with its own unique security credentials. So even if one customer's site becomes compromised (leaked user password, unknown security vulnerability, etc.), data belonging other clients is inaccessible. This is considerably more complicated and expensive to host than using shared databases, but I believe it is the right thing to do.

The bottom line is that security and your privacy are of paramount importance. I have done, and will continue to do, everything in my power to protect your data and maintain your confidence. If you have questions or wish to submit other feedback about the site, please contact me here.

Doug Johnson
Site Designer and Developer