ETacts (YC W10) will help you manage your relationships (techcrunch.com)
110 points by cominatchu on Feb 23, 2010 | hide | past | favorite | 79 comments



I want this very, very badly. But they'd have to pay me a thousand dollars to get me to type my Google password in that box.


I'm a co-founder of eTacts. This is a legitimate concern and we do everything we can to address this issue: http://etacts.com/security/


You're missing some basics. For example, I can find out easily what version of Apache/OpenSSH etc you are running (Apache/2.2.11 (Ubuntu) mod_ssl/2.2.11 OpenSSL/0.9.8g mod_wsgi/2.3 Python/2.6.2, OpenSSH 5.1p1). Please turn off the banners that advertise these things. Also, don't run your SSH server off of your Apache box. And use public keys instead of passwords.

You can consult this hardening guide written by the NSA for Red Hat: http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf. Even though you're using Ubuntu, the same general principles apply. Follow that guide to the letter and you will be secure enough until you can afford to hire professional pen testers.

Note that the NSA guide doesn't cover web application security, so you'll need to take other steps to ensure that part of your business is secure.


That's a fine security page (except that it needs to be clear that you're holding on to gmail passwords). But, please remember: if you don't have a security response page, which tells people how to contact you if they find a horrible security problem in your application, they are within our cultural norms to write a very unpleasant blog post about you.


good feedback, we will take care of this.


This was the beginning of a similar episode with 37signals (of which tptacek was a vocal contributor): http://news.ycombinator.com/item?id=803899


Well, I've got good news and bad news. The good news is I want to use your service. If it works the way it looks like it works, I'd pay you to use it. I'm guessing a lot of other people will think the same thing. That's huge!

The bad news is that "bank-level" encryption and assertions of good intentions are not sufficient for me to give you my Google password. My Google password is one of two that is not recorded anywhere. The second is for the vault that contains my other 575 passwords. I almost edited my original post to be less melodramatic, but on reflection I think it's right. For a cool grand, I would spend the time to completely separate the associated accounts (analytics, webmaster, docs, calendar, talk, voice) and any password reminders that forward into my gmail now into a separate account. Short of that, I just can't do it. I'm selfishly hopeful that Google gives you a way in without needing to store my password.


I'm hopeful google borrows a few ideas for their next features. Sorry, I'm not giving anyone my password. Next time release it as a firefox plugin, or something client-side.


The bad news is that "bank-level" encryption and assertions of good intentions are not sufficient for me to give you my Google password

indeed I'd say my google account needs more inventive protection than my bank details. The chance of misuse is a lot higher.


That you store passwords in the first place is the problem. As a developer, I consider it to be borderline unethical to build such a system in the first place, as it is inherently insecure. Furthermore, it helps to train users that it is ok to enter your username and password into other sites - which makes it easier for phishers and other sites that may have poor security.


OK. So you use encryption. +1

Have you had a vulnerability assessment done? Do you protect against SQL Injection? Do you protect against Cross-Site Scripting? How about Cross-Site Request Forgery? What preventative measures have you taken to lock down your servers?

I know most users don't care about all of those and you're trying to be friendly by saying you use "bank-level" encryption, but some more info would be nice for those of us that care.


Yes to all of that. And ..

We use the latest in bank-level 256-bit SSL encryption to protect your information, and your passwords are securely encrypted.

Right. 256 bits, like everyone else, like it makes some critical difference over 128 unless you're the freaking NSA, and like anyone even bothers trying to break into a TLS session. Not encouraging.

First thing I always check is whether the site's behind a gateway, so let's try and connect on 22:

  $ ssh etacts.com
  The authenticity of host 'etacts.com (173.203.202.141)' can't be established.
  RSA key fingerprint is ec:c2:2f:fe:ef:7e:06:a3:a5:f0:a3:54:04:79:2a:16.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added 'etacts.com,173.203.202.141' (RSA) to the list of known hosts.
  sailormoon@etacts.com's password: 
  Permission denied, please try again.
Tsk. Early days I know, but .. if you become popular for storing a large database of people's login creds for gmail .. that's a nice juicy target.

And I actually found the mention that they're encrypting the passwords, like that means anything (the key is obviously somewhere on the server, and once they're in, they're in) to be more worrisome than not.


Somehow Mint convinced a million people to give them their bank logins. It probably just takes time, credibility, and a really attractive service. Though, hackers might never be your audience.


It's interesting that of all the various Google Data APIs (many of which use OAuth, I believe), Gmail isn't one of them. I guess that makes sense, since there are protocols like IMAP and POP... but for something like this it would be nice.

The Google Contact API supports OAuth, which is fantastic because so many sites want your email address and password to get contacts (for like invite friend style functionality) but it doesn't appear they store any kind of communication frequency data.


How about an option where the user enters their credentials once per day (or however often they like), directly feeding the polling process, so that their credentials aren't stored?


IANASE[1], but this seems a lot less secure than letting them keep track of your credentials. It seems like an open invitation for man-in-the-middle and phishing attacks. Training your users to (thoughtlessly) enter their credentials over and over seems like a really bad idea.

[1] I Am Not a Security Expert


You'd still have to trust their server with your gmail password


You should release an app that people can self-host which provides a layer of indirection for IMAP. That is, an IMAP client/server I can run myself. I put my credentials in the client part, and give you an account in the server part. That way I don't need to give you my real credentials password.

Of course, this would limit the reliability of your service to the reliability of my connection, but that's a trade-off I'd be willing to make.


>and your passwords are securely encrypted.

Just curious, what encryption scheme are you using?


Promising to not be evil is not "doing something" in my opinion.

EVERY company in the world promises to not be evil. Not all of them keep their promise.


I would rather type in my contact list than hand over my password. Why don't you make that option available?


Because your contact list doesn't contain frequency information?


Same here. When I read the article, this is probably the best email add-on I've seen in a while.

But when it asked for my Gmail password, I just can't type it in. My calendar, email, Android, etc. are all on Google.

My Google and to a slightly lower importance, my facebook account are the most important accounts of my online life.


Sadly I'm in the same boat as you, if anyone nefarious got my gmail account I think I would have to start a new identity ;)


Maybe everyone here could suggest automatic and periodic exports as a labs feature:

http://groups.google.com/group/gmail-labs-suggest-a-labs-fea...


It's always nice to have a product that would make a killer addition to a Google App. Best of luck to you guys.


Get acquired by Google, problem solved.


... and become the Xobni of Gmail?


  (Why this is safe)
We use the latest in bank-level 256-bit SSL encryption to protect your information, and your passwords are securely encrypted.

Etacts will never email your contacts without your permission.

Your data is completely private and will not be shared with other users.

To help you keep track of who you haven't spoken with, we fetch your email headers. We don't store the content of your emails or attachments. When you view an email in etacts, we fetch the email directly from your Gmail server and don't store it on our servers.

Uh. Hey, Etacts. Are you storing my password long term or not? That's my question. Glad you're doing the bank security encrypty thing. But you can't keep my Gmail password.


we do keep your gmail password, but you have the ability at any time to delete your gmail password or your entire etacts account. We will try to make this more clear, thank you for the feedback.


Just throwing a thought out there: What about an option that allows people to use etacts without storing their password. So every time a user wants to "refresh" their data, they would have to re-enter their password.

The security advantages are limited – the password has to go through you guys either way – but there may be a difference psychologically.

I don't think mail2web would be as widely-used if they didn't have a policy against storing passwords.


this is a good idea, we'll talk to our users and see if this is a wanted feature.


It won't be. Don't bother.

You can't convince people like me to give you a gmail password. It's simply not going to happen.

Meanwhile, you could convince my mom to give up her gmail password with an animated GIF of a cartoon padlock.

What we can help you with here is how to communicate about security without setting off alarm bells. Your security page isn't awful; "bank security" is a security idiom, it's fine that you use it. But we can help you make it better. Make it clear that you're storing passwords so nobody can say they're surprised about it, and make sure security researchers know how to contact you.


Yeah, that little notice didn't really inspire much confidence for me. The biggest question is whether you trust them with your email & password, but unfortunately there's not much they can do to alleviate this fear.


I thought you were going to go on one of your rants about how encrypting passwords is useless .. with which I happen to agree, btw.


I think it's a good idea; instead of going after email overload as a whole, go after a sub problem that it creates.

Please, fix the lander. It looks way too close to http://www.getballpark.com/ but only worse. If the metalab guys haven't tweeted about it yet, they definitely will. If you need some tips about it just send me a note jay (at) anomalyinnovations.com.


forget looking too close...it is it...that's a 1 to 1 copy of their template


And we know where the MOTHER SOURCE TEMPLATE resides:

http://basecamphq.com/


You can't call this a 1-to-1 copy. Sure, when you look at them side by side, they have a lot of elements in common and use a similar color scheme. But for the most part these elements are common to a lot of websites in general. (e.g. Lighthouse by entp, or http://www.campaignmonitor.com/ and many more) Visual Website Optimizer was a 1-to-1 copy of Basecamp to the point where they were actually using the exact background image. But I'd say that at most Etacts was inspired by the general style of many websites/web-apps rather than Metalab in particular.

However, I had never looked at Basecamp vs. Ballpark (though I could tell that they both follow the same trends) and if Metalab were to call Etacts out for their design as jayair suggests, I'd like to hear Metalab's explanation for the copy of Basecamp's design and copy.

"The Better Way To Get Projects Done" => "The Better Way To Get Paid"; "See Plans and Pricing/30-day free trial, sign up in 60 seconds" => "See Plans and Pricing/30-day Free Trial. Get started in 60 seconds."

Anyway, what I'm trying to say is that Metalab does have a distinct style in a lot of their designs (they seem to love text-shadows for example) but they're not the inventors of it either. The layout is pretty common place nowadays. (or as lunaru put it about a year ago when Ballpark came out: "the layout is pretty much a de facto standard" http://news.ycombinator.com/item?id=557277)


Yeah and it should be changed soon.

@ETacts Again if you need any help let me know.


I hate to say this, but this would be an ideal addition to "labs" in gmail. I can't imagine it would take much for them to do either.


Small product nit: I think you weight older messages too highly.

#1 on my list is my girlfriend (cool). #2 is my co-founder from my last company (also cool). #3 is my dad.

#4 is my ex-girlfriend, and it's telling me to email her (fail).


We originally had this feature in Xobni. We informally called it the ex girlfriend finder because those tend to be the people you used to communicate with a ton but not recently.
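The header-only approach from the security page and the "old mail weighs too much" problem above, as an added example (not eTacts' or Xobni's code): it ranks contacts from constructed From/To/Date headers alone, never reading bodies, and applies an exponential decay so a high-volume but long-silent contact no longer outranks current ones. The owner address, half-life, names and dates are assumptions.

```python
"""Rank contacts from e-mail headers only (From/To/Date), with recency weighting.

Added example, not eTacts' code. Owner address, half-life, names and dates
are constructed assumptions; no message bodies are read.
"""
from collections import defaultdict
from datetime import datetime, timezone
from email.parser import HeaderParser
from email.utils import parseaddr, parsedate_to_datetime

ME = "me@example.com"                             # assumed mailbox owner
NOW = datetime(2010, 2, 23, tzinfo=timezone.utc)  # constructed "today"
HALF_LIFE_DAYS = 90                               # assumed: a 90-day-old mail counts half

def _block(frm, to, date):
    return f"From: {frm}\nTo: {to}\nDate: {date}\n"

# Constructed headers: a current contact, an old high-volume one, and a parent.
HEADERS = (
    [_block("Alice <alice@example.com>", ME, f"{22 - i} Feb 2010 10:00:00 +0000") for i in range(3)]
    + [_block(ME, "ex@example.com", f"{10 + i} Jun 2008 09:00:00 +0000") for i in range(8)]
    + [_block("Dad <dad@example.com>", ME, "23 Jan 2010 12:00:00 +0000"),
       _block(ME, "dad@example.com", "24 Jan 2010 12:00:00 +0000")]
)

def counterpart(msg):
    """The other party: the sender, or the first recipient if I sent it."""
    sender = parseaddr(msg["From"])[1].lower()
    return sender if sender != ME else parseaddr(msg["To"])[1].lower()

def contact_stats(header_blocks, now=NOW, half_life=HALF_LIFE_DAYS):
    """Per-contact message count, last contact time and age-decayed score."""
    parser = HeaderParser()
    stats = defaultdict(lambda: {"count": 0, "score": 0.0, "last": None})
    for block in header_blocks:
        msg = parser.parsestr(block)
        if not msg["Date"]:
            continue                              # undated headers cannot be scored
        when = parsedate_to_datetime(msg["Date"])
        s = stats[counterpart(msg)]
        s["count"] += 1
        s["score"] += 0.5 ** ((now - when).days / half_life)  # exponential decay by age
        if s["last"] is None or when > s["last"]:
            s["last"] = when
    return dict(stats)

def by_volume(stats):
    """Naive ranking by raw count: old, high-volume contacts come out on top."""
    return [who for who, _ in sorted(stats.items(), key=lambda kv: -kv[1]["count"])]

def by_recency_weighted(stats):
    """Ranking by decayed score: people you talk to now come first."""
    return [who for who, _ in sorted(stats.items(), key=lambda kv: -kv[1]["score"])]

def stale_contacts(stats, now=NOW, min_count=5, min_days=180):
    """Lots of history but nothing for min_days: the 'reconnect' candidates."""
    return [who for who, s in stats.items()
            if s["count"] >= min_count and (now - s["last"]).days >= min_days]
```

Running `by_volume` and `by_recency_weighted` on the same stats shows the two orderings differ only on the stale contact, which `stale_contacts` surfaces separately instead of mixing into the main ranking.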


This is a very useful feature but I don't think it'll work as a standalone product.

I'm guessing they are probably targeting gmail first so that they get bought out by Google if they get a ton of users.


A lot of people are expressing concern about having to give you their Gmail password. Have you considered implementing an offline scanner for desktop clients that would then upload the contact and frequency information to your servers through SSL? You could then overlay your services in Thunderbird's/Outlook's/Mail's desktop interfaces.

That kind of kills the convenience of the service, but personally I would accept that for increased security.


I love this idea, but it doesn't seem to handle Unicode properly. All my contacts written in Hangul show up like "=?Euc-Kr?B?Sejh/Ly3?=" :(
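The garbled name above is an RFC 2047 encoded word that was never decoded. As an added example (not eTacts' code), this decodes such display names by their declared charset and tolerates malformed byte sequences; the names and addresses are constructed.

```python
"""Decode RFC 2047 encoded-word display names such as EUC-KR Hangul.

Added example, not eTacts' code. A From: value like
"=?Euc-Kr?B?Sejh/Ly3?= <kim@example.com>" carries the name as an encoded
word; it must be decoded per RFC 2047 before display, or the raw token
shows up in the contact list. Names and addresses here are constructed.
"""
import base64
from email.header import decode_header
from email.utils import parseaddr


def decode_display_name(raw_from):
    """Human-readable display name from a raw From: header value.

    Each fragment is decoded with its declared charset; undecodable bytes
    become U+FFFD rather than raising, so one malformed header cannot
    break the whole import.
    """
    name, _addr = parseaddr(raw_from)
    parts = []
    for fragment, charset in decode_header(name):
        if isinstance(fragment, bytes):            # encoded words come back as bytes
            fragment = fragment.decode(charset or "us-ascii", errors="replace")
        parts.append(fragment)
    return "".join(parts)


def encoded_word(text, charset="euc-kr"):
    """Build a base64 RFC 2047 encoded word (used here only to construct test headers)."""
    payload = base64.b64encode(text.encode(charset)).decode("ascii")
    return f"=?{charset}?B?{payload}?="


# Constructed headers: a properly encoded Hangul name, a plain ASCII name,
# and the literal token from the bug report, whose payload is a truncated byte sequence.
SAMPLES = [
    f"{encoded_word('김철수')} <kim@example.com>",
    "Alice <alice@example.com>",
    "=?Euc-Kr?B?Sejh/Ly3?= <unknown@example.com>",
]
```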


we will fix this asap


Feedback: when I log in for the first time, I don't really have any prompts, and I'm not sure what I should do, or why I should do it. I'm thinking something like "Do you want to email XXX -- you used to talk to them a lot, and it's been a while." If you can help me along the path from "I just signed in" to "ETacts just helped me!", that would be awesome.


I thought about writing something to do this a few years ago. The issue which I ran into that always stopped me from doing it is that you need to integrate every medium a person uses for it to be really useful.

I also suspect that outside of business contacts I view lack of communication with someone as a signal that I'm not that interested in talking to them.


That's just an excuse to quit. So you start with email. Email is the baseline. The important thing is to have a clear vision and start building shit.

If it's really important to integrate other services, you can do that later. (I don't think it is, personally. At least not for the kind of people who would pay you money.)


At the time -- this was like 5-7 years ago -- I wasn't terribly interested in startups and doing school work or hanging out with my friends probably seemed like a better use of my time. I actually solved a lot of that problem on a later project where I needed to write parsers for the log formats of a bunch of IM/IRC clients, but now I really am not interested in getting reminders about who I haven't talked to.

What this sort of thing does really bring home for me is that in terms of trying to do a startup through y-combinator I should probably ignore whether I believe there is a market for something as long as I think some people would find it useful.


Exactly, since email is not the only mode of online communication this isn't all encompassing.



Precisely what I've been looking for. Thought Gist was a solution. They got it wrong, you guys got it right. Was actually planning on building this for myself.

I hate feature creep too, but important:

1. Company pages for company e-mails

2. Merging contacts

3. how to smartly import facebook and linkedin like gist does i.e. keep the people with companies, chuck the rest.

4. Updating/removing accounts etc needs some QA


Hot shit! This was something on my list of things to build for myself. Now I don't have to.


I thought about this a while back too, but convinced myself not to do it because I didn't think people would admit to using it. And if not, then it couldn't even spread by word of mouth.

But it looks like that's not the case.


A Facebook or Twitter version might be interesting.

edit: nevermind, I just saw a comment on Techcrunch that they may add Facebook/Twitter support


Wow! I've been meaning to do something like this for a while, but way more useful than what I was going to do. What I had in mind was just a Google Reader Trends but for email (showing you when you received/read email by day, time of day, day of week, etc visually).

Having graphs in etacts would be nice, but I think you nailed the really important features! Now I just have to wait for the solution to the password problem. A desktop application, while less convenient than a web app, would still be awesome, and could even be made a portable install I take around on a USB stick.


The external UI looks like Picwing and Etherpad had a baby.


The internal UI looks a lot like Etherpad too.


The feeling I get when etacts shows me my most important contacts is like the feeling I get when I see a tag cloud of my tweets. Insightful meta data.


Site looks great. You've got some gradient drop-offs on both the right and left sides.

If you can't see it, here's a method I use:

Paste a screenshot in photoshop. Hit Ctrl+U and turn the saturation all the way up. Then change the hue so the whole site looks orange or green (the eye tends to blur blue together). You'll more easily notice where the gradients are cut off.


I love the idea of this. Can't wait to see more. I also wish it didn't have to store my password.


Awesome is the word I would use to describe it. And it reassured me that the people I think should be important to me are the people important to me.


Did not work for me. Took 10+ minutes to load the People tab. Then showed only 1 contact. I had emailed this contact last year to sell something.


Gmail made me change my password due to suspicious activity


were the screenshots with internal YC emails intentional?


Also Harj's email isn't his real one. The one on the front page is harj@default.net (which is fake)


I think he's talking about the screenshot posted on techcrunch, which shows harj's real email.


As far as I can tell, the only internal YC email there is Harj Taggar's, and he has posted it publicly before: http://news.ycombinator.com/item?id=1138652

The other two email addresses visible are the founders'.


Hey guys,

I had an idea for a work-around for you for people who don't want to give their password. What if BCCing myaccount@etacts.com updated your info? Doesn't seem like it'd be hard to implement. I'd use the service if it had that feature, it looks really good. I think you guys are doing something really needed and cool, cheers and good luck,

Sebastian


Gist.com?


are you interested in selling a stand-alone server license?


yes, this is something we are considering. it depends on the demand for something like that.


please reach out to me when you are ready to discuss. My email is in the profile

Note - we are a company that hosts email on google apps. However, we cannot and will not use this service through your website. However, something that we can host ourselves, and includes pricing that is friendly to small companies, will be eagerly looked at.


Facebook is doing this already, and gmail can add it in no time. Not a good prospect for ETacts.


Where is facebook doing this? I haven't seen it


Facebook frequently suggests to me people I haven't been in contact with for a while.


It's a box on the upper right side of the screen, with words such as "Reconnect to" or "Send a message to". All to friends one hasn't contacted in a while.



