Baby’s Days have fixed the Picture links on the Demo Site!

Hey readers, sorry again about the lack of blog posts this week!  Things are just so insane planning my wedding and working as a childminder; the blog will have to slow right down but there is still plenty of material to cover including a very sensitive issue with the legalities of Childminders using Baby’s Days.  I’m waiting for absolute clarity on this from the Information Commissioner’s Office before blogging properly but hopefully early next week I will know more.

If you are concerned about this in the interim as many seem to be on Facebook, you should read this and contact the ICO directly; note that you don’t have a contract with Baby’s Days, you accept their T&Cs.  I am more than sure if you approach Baby’s Days you will get their rose tinted view and not the actual facts to say the least, so the impartial link should help with that.

Today’s blog post is a quick one.  A while ago I posted about how individual photos were able to be viewed without any authentication by the person attempting to view them.  Baby’s Days fixed the issue whilst insisting I was a liar, but I proved the loophole was still present in the demo system in a follow-up post, which you can read here.

Baby’s Days still insist that I was lying and that all individual photos required validation (which isn’t true as you can read from the comments in the blog, customers reported their photos were not individually password protected), Mark Kahl the director of Baby’s Days insists I am a liar and continues to post comments such as this in the official Baby’s Days Support Group:

[Image: Mark Kahl calls me a bad childminder again]

Anyway, the reason for this blog post is because now photos on the demo do require authentication, isn’t that a bit weird?  Why has it suddenly changed?  These are the questions that Baby’s Days customers should be asking.  Please make sure you back up your data and don’t record data on any aspect of the system that cannot be backed up.

I promise to blog later in the week, I’m going to blog about a company called Orange Moon and also about a childminder who encountered an inspector who was not so keen on Baby’s Days.  I’d also love to hear from anyone that has provided Baby’s Days with any planning records or other intellectual property over the years for another blog post I’m drafting.

Hope you all had a fab Easter and that Tuesday doesn’t hurt too much!

Are all Baby’s Days systems “identical”?

Hey readers thanks for all the messages of support over the last week, many of you were worried the blog might not return, but as promised here it is!  I managed to get so much wedding stuff done, the only thing left now is a heavy duty Generator that I need to hire so if you’re in the South West and have one kicking about let me know :)

Anyway, today I wanted to blog about how the director of Baby’s Days, Mark Kahl, repeatedly claims all Baby’s Days systems are “identical”.  This has come up this week on their Facebook support group as many users are experiencing their devices (mainly iPhones and iPads) crashing and then losing all their work.

A line that Baby’s Days like to use when dealing with some technical support issues is, ‘all systems are identical, if anyone else was having this issue we would have 1000s of complaints, it must be your end’ or words to that effect.

In my experience this isn’t true, all systems are not identical.  I say this based on my own experience; if you have read this blog from the start you will know it was started because the director at Baby’s Days (Mark Kahl) uses his discretion to decide which systems do and do not get the monthly upgrades, that’s right you aren’t automatically entitled to them as part of your subscription.  My system and at least 2 other systems did not receive the control centre update when it was released, despite the fact that all other customers had been updated. If you don’t believe me here is a link to a post which has further details.

So no in my experience all systems are not identical and Sys IQ Ltd have the ability to make some systems do some things and some systems do other things. So when Mark Kahl says all systems are identical please take this with a pinch of salt.  If you have a technical issue open a ticket with support and get it sorted, don’t be fobbed off with ridiculous excuses.

Lots of users have had problems with Baby’s Days crashing their devices recently and their servers have been down twice in the last few days, so I’m going to be blogging about that tomorrow and what exactly a SaaS Application is; so bring your nerd glasses!  Just take heart in the fact that if the system is crashing and you can play videos on YouTube it’s probably nothing to do with the RAM on your device (as Baby’s Days advise), so don’t drive yourself mad trying to “fix” it like I used to!

Are Baby’s Days denying that photos could be accessed without a password?

The short answer to this is that yes they are denying it, even though many people commented on the blog and messaged me on Facebook to say they could see photos without needing a password.

I’ve frequently contacted Baby’s Days to ask if they want to comment on any blog posts and they always ignore me.  They know how to contact me if they do want to clear up any possible discrepancy I may have posted.  Yet they have never contacted me to clarify the content of anything I have posted.

This is because everything posted is 100% accurate. 

Some of his supporters believe that I am able to make up “lies” under free speech rights, but free speech doesn’t give you the right to lie. The reason I can continue to post these things that reflect badly on Baby’s Days is because they are all true and I can prove they are.

So as I say, until Wednesday there has been radio silence from Mark Kahl, director of Baby’s Days, regarding the factual content of this blog.  During my recent posts I’ve pointed out that photos could be accessed without a password.  Did Mark Kahl contact me to clarify issues on my latest post? No.  Did he issue a statement detailing how safe and secure his system is? No.

Instead he chose to post in the Facebook support group essentially calling me a liar.  Bear in mind a good portion of his customers have been banned from this group run by Kel Thomas so for their benefit here is what Mark Kahl, director of Sys IQ Ltd had to say about my latest blog post and how he has gone about reassuring you all that your data is “100% secure”.

[Images: 1, 2, 3, 4]

I’ve edited the post so you can just see the posts made by Mark Kahl, but if you would like to read the entire conversation between group members then click here.

The latest blog post was brought to my attention by a parent via the comments section of this blog, you can see the comment here.  After checking with some technical friends, I was informed that other parents could in theory access data in the way described by the parent, if the system was set up in the same way as it was at this nursery.  I then asked some blog readers that still use Baby’s Days to send me links to their photos so I could see if I could view them without their passwords.  Only after checking this information did I publish what the parent had mentioned.

It is 100% accurate to say that individual photos were able to be viewed without any authentication by the person attempting to view them. Anyone with the right information, and time, could have been able to determine and view anyone’s images on the system without ever needing to log in to babysdays.

How they can publicly deny this happened and call me a liar when everything points to the contrary is beyond me.  They are obviously just counting on their customers’ blind faith and assumptions that this company wouldn’t put their data at risk.  Obviously I am seeking legal advice as both Kel Thomas and Mark Kahl are publicly defaming me.

Given that Baby’s Days refused to update my system after advertising monthly updates, then terminated my account with no legal justification and then (maybe?  They won’t confirm) deleted parts/all of my data illegally and in direct contradiction of the Data Protection Act and the advice of the Information Commissioner’s Office, it surprises me enormously that anyone can believe a word that comes out of Mark Kahl’s keyboard!?

My message is clear.  Make sure ALL of your data is backed up, your documents, your notes, your diaries, registers, photos, the lot.  Use this company with your eyes wide open or you may find yourself in the same position as me unfortunately.

Am I making it up?

No I am not.  It’s a fact that individual photos are able to be viewed without any authentication by the person attempting to view them. Anyone with the right information, and time, would be able to determine and view anyone’s images on the system without ever needing to log in to babysdays.

This is a short simple post.  Apparently I am making this all up (so the parent that noticed it and the email Sys IQ sent him don’t exist then?) and there is no problem with the photos.  I will be posting in more detail tomorrow night but for now, if you are a Baby’s Days user and you think I’m on a Witch Hunt, you can try the following and see for yourself.

Go to a photo in your diary section.

Right click your mouse button.

You will see something that says something like, “copy image URL”.  Copy the URL into Notepad or Word or similar.

NB. THIS WILL NOT WORK IF YOU USE THE URL FROM THE ADDRESS BAR AT THE TOP, IT HAS TO BE THE URL THAT DIRECTLY LINKS TO THE PHOTO WHICH YOU CAN ONLY SEE BY RIGHT CLICKING YOUR MOUSE.

Log out of Baby’s Days.

Paste the URL back into your browser (e.g. Firefox or Chrome) and it will load the photo.  You will be able to see the photo even though you are not logged into Baby’s Days.

With some manipulation of the URL some people will be able to navigate to other children’s photos.  (The following was added at 23.41 on the 18th Feb after a few messages from people still confused)  The parent who informed me of this is using a Baby’s Days system that has the directory listing feature of Apache turned on.  This enables people to navigate through the directory structure of all images if they have one URL.  Hopefully this makes more sense?

Parents have the URL for their own children’s photos so they already know the URL for their own child’s photo.  Even if the directory feature is turned off, a parent can still gain access; they would need to alter the URL to access a different child’s photo.  That’s why a parent made this discovery, not just a random person (Thankfully!)  If you wanted you could write a computer programme to generate all the possible URL combinations and you would have access to every photo.  It’s not as simple as changing a digit here and there, the URL includes a JPG name that is random and also possibly a time and date stamp.  It wouldn’t be very easy to guess it, but it is possible.  Each individual photo should really be password protected.

If you log in as a parent and look for yourself as Mark Kahl has advised customers (to reassure you all it’s nice and safe), of course you will only be able to access your own child’s photos.  As I said, it’s a code problem, not a simple navigation front end error.  It is to do with the authentication of the code that has been used and the way in which the photos are named and dated as they are uploaded to the server.

The individual URLs for each child’s photo can, with some skill, not just by anyone, be second guessed and certainly can be easily guessed by a programme made for this purpose, it’s called image harvesting.  And because you don’t need to log in to see links to photos anyone can access anyone else’s photos.

Hope that clears it up.
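The fix the post asks for ("each individual photo should really be password protected") amounts to checking the session and the parent-to-child link on every photo request instead of serving the file straight from a web folder. The sketch below is an added example, not Baby’s Days code: the function names, photo ids and sample data are all hypothetical and constructed for illustration.

```python
import secrets

# Constructed sample data; every id and name here is hypothetical.
PHOTO_CHILD = {"p-7f3a": "child-A", "p-91c2": "child-B"}   # photo id -> child
PARENT_CHILDREN = {"parent-1": {"child-A"}, "parent-2": {"child-B"}}
SESSIONS = {}                                              # token -> user id


def login(user_id):
    """Issue an unguessable session token (stands in for a real login)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def serve_photo(photo_id, session_token=None):
    """Return the HTTP status for one photo request.

    The file would only be read after the caller has a valid session AND
    is linked to the child in the photo; knowing the URL is never enough.
    """
    user = SESSIONS.get(session_token)
    if user is None:
        return 401          # logged out: no photo, whatever the URL says
    if not photo_id or photo_id.endswith("/"):
        return 404          # folder-style requests get no listing
    child = PHOTO_CHILD.get(photo_id)
    if child is None or child not in PARENT_CHILDREN.get(user, set()):
        return 404          # same answer for "missing" and "not yours"
    return 200              # authorised: stream the file from private storage


if __name__ == "__main__":
    token = login("parent-1")
    print(serve_photo("p-7f3a"))          # logged out
    print(serve_photo("p-7f3a", token))   # own child's photo
    print(serve_photo("p-91c2", token))   # another child's photo
```

Turning off Apache directory listing (`Options -Indexes`) removes the folder browsing described above but, as the post says, does not replace this per-request check.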

Sorry I had to post this explicit set of instructions, which I omitted from the first post for security reasons.  I hope it doesn’t affect anyone’s business, but I will not be called a liar by Mark Kahl and this is the only way to prove that what I am saying is true unfortunately.

Edited at 2pm on Thursday 19th Feb.  I downloaded a demo, I uploaded a photo, here is a link to the photo.

http://demo8441.babysdaysdemo.com/images/sted/gallery_image/diary_2/2015/02/thumb/2_1552_1424354330.jpg

You can see my photo even though you are not logged into my demo site.  Individual photos do not have a password, this is what I’m trying to explain.  No doubt they are going to try and say “it’s different security because it’s only the demo site”, but that’s not true.

Are Baby’s Days really the people you want to do business with?!

You may have noticed a trend to this week’s blog posts. Let’s recap the post titles in date order Mon-Thurs:

1.  Babysday’s buy all domains similar to my blog
2.  Babysday’s buy NobleMinder domain
3.  Babysday’s (potentially) bribe customers to leave only positive reviews on their new website
4.  Babysday’s make false advertising claims

Just from these 4 posts alone it’s no surprise to find that I personally feel this company is very underhand in the way it conducts its business.  And it’s responsible for looking after apparently thousands of childminders’ data. That thought makes me feel a little bit queasy to be honest.

Last week I mentioned a guest blog post coming on Friday but sadly the guest blogger was up to his eyes and didn’t have time to prepare the material but now finally after a lot of hard work everything is done and I can now publish the guest bloggers post.

Richard Waite is the director of a company that used to be known as megaMinder. megaMinder offer a system almost identical to babysdays, in fact I personally believe it has more features than Baby’s Days does and from what I’ve seen it had some of these features way before Baby’s Days.

The key thing about megaMinder is that it’s free. Totally Free. It has (totally safe and appropriate) adverts that fund its development. The company is family run and all of the website (the app has been contracted as it needs a different skill set) has been designed in house.

By in house I mean actual in house, staff based in the UK that are part of the company. I don’t mean in house like Baby’s Days use it, to mean some man they found online who lives in the Ukraine or Outer Mongolia.  Anyway because members of the team are actually developers, with the right funding, their system would come on in leaps and bounds.

If all megaMinder’s customers opted to pay for the system and remove the adverts (which is an option they offer) then it would put Baby’s Days in serious shit poop.

So what did Baby’s Days do about this potential business rival?

Set up some unique selling points for their own software? Ummm no.

Improve customer service so it surpasses all others in the market? Definitely not?

Fix some of the minor problems that customers have on the system that would help significantly, like the iPhone screen moving? Ermmm no.

In their typical fashion, obviously following the Dummies Guide on, “How Not To Do Business,” they trademarked their competitor’s brand name!!! Why would you even think that’s a good idea?

Any questions about this blog post, please let me know and anything I can’t help with I will. Anything I don’t know, Richard is very helpful so I will pass along to him. The most important thing is that all current users of megaMinder have nothing to worry about, their service will continue as normal and their data will not be affected.

Here is the announcement from megaMinder, now called Minding Matters:

To all our customers, users and visitors

We would like to inform you that we have now rebranded our company for various reasons.

Whilst doing a Google search on our company megaMinder in the beginning of September 2014 last year a link popped up to the Intellectual Property Office and we found the following. IPO

With further investigation it came to light the owner of an opposition company called baby’s days has opened another company called sysiq with whom they are associated and trademarked our company brand megaMinder and what we offer our clients. (WOW what a great team these guys must be to work with.)

Now we could very easily have opposed their application for the trademark however we felt that it would be negative and time would be wasted instead of focusing on the more important things like giving great customer focused software and services to our existing and new clientele.

The aggressive efforts they are going to, to try to have a stranglehold of the market, are not quite what one would think reasonable and are totally unjustifiable.

Are these people you want to do business with? NO THANK YOU

So congratulations baby days / sysiq on acquiring your new trademark we wish you all the success and hope you manage to explain to your existing and new customers why you would want to conduct your business in this manner.

The rest of this week will be a week long special about Minding Matters, so make sure you pop back and don’t forget you can subscribe for updates!