Baby’s Days have fixed the Picture links on the Demo Site!

Hey readers, sorry again about the lack of blog posts this week!  Things are just so insane planning my wedding and working as a childminder; the blog will have to slow right down, but there is still plenty of material to cover, including a very sensitive issue with the legalities of childminders using Baby’s Days.  I’m waiting for absolute clarity on this from the Information Commissioner’s Office before blogging properly, but hopefully early next week I will know more.

If you are concerned about this in the interim, as many seem to be on Facebook, you should read this and contact the ICO directly; note that you don’t have a contract with Baby’s Days, you accept their T&Cs.  I am more than sure that if you approach Baby’s Days you will get their rose-tinted view and not the actual facts, to say the least, so the impartial link should help with that.

Today’s blog post is a quick one.  A while ago I posted about how individual photos could be viewed without any authentication by the person attempting to view them.  Baby’s Days fixed the issue whilst insisting I was a liar, but I proved the loophole was still present in the demo system in a follow-up post, which you can read here.

Baby’s Days still insist that I was lying and that all individual photos required validation (which isn’t true, as you can read from the comments on the blog: customers reported their photos were not individually password protected).  Mark Kahl, the director of Baby’s Days, insists I am a liar and continues to post comments such as this in the official Baby’s Days Support Group:

Anyway, the reason for this blog post is that photos on the demo now do require authentication.  Isn’t that a bit weird?  Why has it suddenly changed?  These are the questions that Baby’s Days customers should be asking.  Please make sure you back up your data and don’t record data on any aspect of the system that cannot be backed up.

I promise to blog later in the week.  I’m going to blog about a company called Orange Moon and also about a childminder who encountered an inspector who was not so keen on Baby’s Days.  I’d also love to hear from anyone that has provided Baby’s Days with any planning records or other intellectual property over the years, for another blog post I’m drafting.

Hope you all had a fab Easter and that Tuesday doesn’t hurt too much!

Am I making it up?

No I am not.  It’s a fact that individual photos can be viewed without any authentication by the person attempting to view them.  Anyone with the right information, and time, would be able to determine and view anyone’s images on the system without ever needing to log in to Baby’s Days.

This is a short, simple post.  Apparently I am making this all up (so the parent that noticed it and the email Sys IQ sent him don’t exist then?) and there is no problem with the photos.  I will be posting in more detail tomorrow night, but for now, if you are a Baby’s Days user and you think I’m on a witch hunt, you can try the following and see for yourself.

Go to a photo in your diary section.

Right-click on the photo.

You will see something that says something like “Copy image URL”.  Copy the URL into Notepad or Word or similar.

Log out of Baby’s Days.

Paste the URL back into your browser (e.g. Firefox or Chrome) and it will load the photo.  You will be able to see the photo even though you are not logged in to Baby’s Days.

With some manipulation of the URL some people will be able to navigate to other children’s photos.  (The following was added at 23.41 on the 18th Feb after a few messages from people still confused.)  The parent who informed me of this is using a Baby’s Days system that has the directory listing feature of Apache turned on.  This means that if you have one photo URL, you can strip the file name off the end and the server will show you a clickable list of every other file in that folder, so one link gives away the names of all the others.  Hopefully this makes more sense?
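For readers who run their own web server, here is what that Apache setting looks like, as an added illustration; this is not Baby’s Days’ configuration and the directory paths are assumed.  The first block is the weak setting the parent ran into, the second turns listing off.  Note what the second block does not do: it only removes the browse-everything shortcut, it does not make the photos require a login.

```apache
# ADDED EXAMPLE: hypothetical vhost fragment, not Baby's Days' real config.
# Paths are assumed. Weak: with Indexes on, a request for /uploads/ (or any
# folder under it) with no index.html returns a clickable list of every file,
# so one copied photo URL gives away the names of all the others.
<Directory "/var/www/app/public/uploads">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>

# Corrected: turn listing off. This stops the folder browsing but does NOT
# add authentication: anyone who knows or guesses a file's URL can still
# fetch it, which is the core problem the post describes.
<Directory "/var/www/app/public/uploads">
    Options -Indexes
    Require all granted
</Directory>

# Better still: keep the uploads folder outside the document root altogether
# (so no <Directory> block is needed to make it reachable) and have the
# application stream each photo only after checking the viewer's session and
# that the session is entitled to see that child.
```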

Parents have the URL for their own children’s photos, so they already know the URL for their own child’s photo.  Even if the directory listing feature is turned off, a parent can still gain access; they would need to alter the URL to access a different child’s photo.  That’s why a parent made this discovery, not just a random person (thankfully!).  If you wanted, you could write a computer program to generate all the possible URL combinations and you would have access to every photo.  It’s not as simple as changing a digit here and there: the URL includes a JPG name that is random and also possibly a time and date stamp.  It wouldn’t be very easy to guess, but it is possible, and a hard-to-guess file name is not a substitute for a login check.  Each individual photo should really be served only after the server has checked that the viewer is logged in and is entitled to see that child.

If you log in as a parent and look for yourself, as Mark Kahl has advised customers (to reassure you all that it’s nice and safe), of course you will only be able to access your own child’s photos.  As I said, it’s a code problem, not a simple navigation front-end error.  It is to do with how the server authenticates requests for the photo files themselves, and the way in which the photos are named and dated as they are uploaded to the server.

The individual URLs for each child’s photo can, with some skill, not just by anyone, be second-guessed, and can certainly be guessed by a program made for this purpose; it’s called image harvesting.  And because you don’t need to log in to load a photo from its link, anyone who has or guesses a link can access anyone else’s photos.

Hope that clears it up.

Sorry I had to post this explicit set of instructions, which I omitted from the first post for security reasons.  I hope it doesn’t affect anyone’s business, but I will not be called a liar by Mark Kahl and this is the only way to prove that what I am saying is true, unfortunately.

Edited at 2pm on Thursday 19th Feb.  I downloaded a demo, I uploaded a photo, here is a link to the photo.

You can see my photo even though you are not logged in to my demo site.  Individual photos do not have a password; this is what I’m trying to explain.  No doubt they are going to try and say “it’s different security because it’s only the demo site”, but that’s not true.

Be aware. Parents can access other children’s photos.

Hi folks, I’m definitely on the mend and have most blog posts for the next week already drafted.  I was going to post tonight about the ICO and their final decision about Baby’s Days / Sys IQ acting illegally and beyond the scope of the Data Protection Act, but I decided to post something more important, especially if you are a current Baby’s Days user.

Last night I received a blog comment from a parent of a child who is on a Baby’s Days subscription owned by a nursery.  The parent is a web developer and wanted to write a script so that photos from the diary would automatically download to his home computer when he ran a program.

The parent quickly found he was able to access not only his child’s photos but also all of the other children’s photos on the system, and also photographs of parents’ signatures!

From my limited understanding of this, it is because of the way the code is set up.  If you look at the code (which most parents wouldn’t, but they are perfectly entitled to) it provides a “path”, if you like, directly to the data.  Each parent’s path should lead them only to their own child, and the server should refuse any path that belongs to someone else’s child.  But in this case Baby’s Days had decided to basically remove the “fence” around the paths, so that a parent could follow any path and reach whatever photos they wanted.
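Both posts describe the same two checks: paste a copied photo URL after logging out and see if it still loads, and change the URL to another child’s photo and see if the server stops you.  The script below is an added example, not Baby’s Days’ code, and it runs entirely against a throwaway local server with constructed session names, photo paths and image bytes.  One handler behaves the way the posts describe (the URL is the only thing protecting the photo); the second puts the “fence” back by requiring a session cookie and then checking that the session belongs to the child whose photo is requested.  The `probe` function replays both checks against each handler.

```python
"""Added example (not Baby's Days code): replay photo URLs without a session.

VulnerableHandler serves any known photo path to anyone, so a URL copied while
logged in keeps working after logout and can be altered to reach another child.
HardenedHandler requires a session cookie and checks that the session owns the
child. Sessions, paths and bytes below are constructed sample data.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed: which parent session is entitled to which child.
SESSIONS = {"sess-parent-a": "child-a", "sess-parent-b": "child-b"}
# Constructed: photo path -> (owning child, bytes). Random-looking names and
# date stamps make URLs hard to guess, but a hard-to-guess URL is not a login.
PHOTOS = {
    "/uploads/child-a/20150218_7f3a9c.jpg": ("child-a", b"\xff\xd8photo-a"),
    "/uploads/child-b/20150218_b21e0d.jpg": ("child-b", b"\xff\xd8photo-b"),
}
OTHER_CHILD = "/uploads/child-b/20150218_b21e0d.jpg"  # parent A must not see this


def session_from(headers):
    """Pull the 'session' value out of a Cookie header, or None if absent."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


class VulnerableHandler(BaseHTTPRequestHandler):
    """The URL is the only 'credential': no session or ownership check."""

    def do_GET(self):
        if self.path in PHOTOS:
            self.reply(200, PHOTOS[self.path][1], "image/jpeg")
        else:
            self.reply(404, b"not found")

    def reply(self, code, body, ctype="text/plain"):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


class HardenedHandler(VulnerableHandler):
    """Authenticate (valid session), then authorise (session owns the child)."""

    def do_GET(self):
        entry = PHOTOS.get(self.path)
        if entry is None:
            return self.reply(404, b"not found")
        child = SESSIONS.get(session_from(self.headers))
        if child is None:
            return self.reply(401, b"login required")
        if child != entry[0]:
            return self.reply(403, b"not your child")
        self.reply(200, entry[1], "image/jpeg")


def fetch_status(base, path, session=None):
    """GET base+path, optionally with a session cookie; return the HTTP status."""
    req = urllib.request.Request(base + path)
    if session:
        req.add_header("Cookie", f"session={session}")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(handler):
    """Run the two checks from the posts against one handler.

    'logged_out': photo paths that load with no cookie at all (log out, paste).
    'other_child': status parent A gets when altering the URL to child B's photo.
    """
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        return {
            "logged_out": sorted(p for p in PHOTOS if fetch_status(base, p) == 200),
            "other_child": fetch_status(base, OTHER_CHILD, session="sess-parent-a"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for handler in (VulnerableHandler, HardenedHandler):
        print(handler.__name__, probe(handler))
```

Against the vulnerable handler every photo loads with no cookie and parent A gets child B’s photo with a 200; against the hardened handler nothing loads logged out (401) and the altered URL is refused (403).  The same replay idea works against a real site: collect the image URLs from a logged-in session, then request each one from a fresh browser or `curl` with no cookies and see which still return an image.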

I know most parents give permission for all parents to see their child’s photos, so this might not be a big deal to some (!!!), but you also have to remember that parents access Baby’s Days on their phones.  If that phone is lost, anyone picking it up would have access to the over 100,000 images this nursery has saved.  Also, I’m pretty confident parents wouldn’t feel comfortable with anyone being able to save and copy their electronic signature?  And you have to ask: if this could happen with photos, could it happen with medical forms or concern forms?  Would a child be placed in danger by a parent accidentally coming across a “concern” form, for example?  These are very important questions that anyone using Baby’s Days really needs to be asking themselves.

The parent contacted Baby’s Days and they were their usual sunny selves and seemed rather blasé about it.  They even said they would put the “fence” back for now so the paths only led to parents’ own children, but they would take the fence down at a later date when they needed to talk to the nursery again?!

I’ve been planning a post for a while now about data security and the fact that Baby’s Days is designed more around security by obscurity than security by design.  Sadly, what this parent has discovered is just the tip of the iceberg, and as soon as I have more info I will of course be posting it here.

In the meantime if you are still using Baby’s Days please back up your data and think about what sorts of data you are storing there and what it could mean for the children in your care if it fell into the wrong hands.

Baby’s Days: The reviews they don’t want you to see.

So, it seems that current customers of Baby’s Days have been told that I am a customer with a grudge and that everyone else in the world thinks Baby’s Days is awesome.  Just to remind everyone, this blog is here because Baby’s Days refused to update my fully paid-up system; when I questioned this and tried to make others aware their updates could be restricted, my account was terminated.

I was a happy user plodding along for almost 4 years without a care in the world, and then this happens.  It’s arguably only a matter of time before these customers who currently see me as some sort of hysterical grudge holding loon, find themselves in the same position as me.

I thought it would be helpful to collate some other users’ views of Baby’s Days.  It seems most negative reviews are removed under threat of libel action, but if you look you will find them, and you will also find posts by Baby’s Days that demonstrate their true attitude.

I am hoping that these reviews will demonstrate to current customers that my concerns are rational and shared by others; not just a byproduct of holding a “grudge”.  As ever, all I ask is for customers to please back up their data so that they will be safe if Baby’s Days pull the rug from underneath them.

Tomorrow I am going to be blogging about the Data Centre that Baby’s Days uses, so pop back for a nosey.

Who is MAKUK and are they connected to Baby’s Days?

Hey folks, sorry for the lack of posts over the weekend, it has been so busy here!  We had a childminder night out to celebrate Xmas and then chopped down our Christmas tree and decorated it, and before I knew it the weekend had gone!  Anyway, enough about me and on with the first of this week’s blog posts….

Who is MAKUK?

Following on from the last post, I said I would be blogging about adverts placed by a user called MAKUK on a website advertising for freelance workers.  This was after I discovered that Baby’s Days possibly use freelancers to design the system and that possibly the system is not created “in house” as they claim.

MAKUK has posted many, many adverts, so I will just provide you with a brief overview of this user’s activity.  Obviously I do not know if MAKUK is connected with Baby’s Days (by the way, the company director of Baby’s Days is called Mark Adam Kahl and he lives in the UK), so I will show you one advert made by this user that possibly shows there may be a connection with Baby’s Days.

The user MAKUK has posted many jobs and has used many different contractors from Ukraine (at least 2 different contractors), the USA (again at least 2 contractors), India and Sri Lanka.  This could account for the possible small bug that I found on my system and which led to me being removed from the Official Support Group.  Let me explain…..

The best way to describe it in lay person’s terms is to say there are essentially lots of different authors writing chapters in the same book; the authors don’t know each other and possibly don’t speak to each other, so they don’t know each other’s thoughts or ideas, and without reading all the other chapters they can’t be sure what others have written.  So although the story makes sense, there are times when the language used is different, or where one author might write in a different tense to the next.  The flow of having only one author just isn’t there.

When you transfer this analogy over to a computer system, it means there is the potential for small bugs to creep in, as there is no “master author” overseeing how the software (or ‘book’) is coming together.  That would explain how my possible bug, and other possible bugs I will blog about later, have come to be.

I’ve posted already on this blog that many companies use contractors; that isn’t what the problem is here.  The problem is that it isn’t good practice to also mislead your customers and put down your competitors in the process of using them.

I also wonder if Baby’s Days’ head-in-the-sand approach to their use of contractors may have led to some problems in terms of system bugs, as it doesn’t seem that anyone is properly overseeing the flow of the “chapters” these contractors write.  Most companies have systems in place to do this, but as Baby’s Days deny using contractors I am unsure if they have considered this possible problem.

I have had over 60 questions in my inbox / on Facebook over the weekend and sadly I cannot answer them all, as I am not the director of Baby’s Days, but I have done my best.  It is a shame the company hasn’t taken the opportunity to clarify their use and supervision of freelance workers and the work they create.  I think they are rather hoping I will go away, but I will be here and I will help you all as much as I can.  Feel free to post any worries in the comments below anonymously; it might take me a few days but I will get back to you.

Pop back tomorrow when I will be blogging a collection of Baby’s Days reviews sent to me anonymously or written on other websites.