ABC #8: Inside HelpSpot Vault
Get the skinny on our new little project HelpSpot Vault. What it does, how it works, how it connects with building our own business systems and HelpSpot's marketing goals.
I suggest you listen since the transcript is kinda iffy, but better than nothing!
[Ian Landsman]: Welcome back to another Anything but Code. I have a quick little podcast today. We actually released a Help Spot Vault today. Help Spot Vault is a tool that lets you accept passwords or other kind of sensitive information either just over email or into your help desk system that we obviously make with Help Spot, without that information having to be stored in your system forever.
I’m going to give you a quick rundown of what vault is but then we’re going to go through a little bit of history as well as some kind of business details of why we made it. We might end up touching on code a little bit but I’m going to try not to. We’ll see how I do. Help Spot Vault came out of another tool we created called Paste Vault and we’ve run Paste Vault for maybe like three or four years. It did basically the same thing. It was on its own domain, pastevault.com and it was just a tool we mostly used for ourselves. People I knew would use it also. Again, it’s just a tool, a link to your customer. How we use it is Help Spot is on premise for many of our customers and we might need to log in as them, for example and see what’s going on with their installation.
They’ll often just send us the password, so it’s in our email. So, it’s basically in our email archives forever and then it’s also pulled in by Help Spot in our Help Spot installation forever. We have this person’s password. So, it was never really comfortable for me and so what we can do with Help Spot Vault and previously with Paste Vault is just send them to that, to Help Spot Vault and we’ll say put your password or whatever kind of details we need or something that maybe we don’t want to have live in our Help Spot forever, put it into the box there, give it a password and it’ll get all encrypted right in your browser. It gets encrypted again on our server in the case of Help Spot Vault.
It generates a link. You send that link to us. You tell us the password, either right with the link if it’s nothing too sensitive but you could also even include the password some other way. You could call us with the password or send it separately if you want to have a little more security there. That way this link, it expires in a set amount of time. You set how long it is. It could be as little as ten minutes or up to seven days. So, you get this link. This link is only good for that period of time.
We can use it, in our case, log in to your installation and see what’s going on. Three years from now, all that’s in our Help Spot database and in our email archives is a link that is no longer valid. If you click on the link, it’s gone. The actual note will have been deleted off the server, so it won’t even be retrievable. So, you’re all set. It’s really handy. It’s just a nice way to collect that information without having to store it, and without helping customers kind of, level up on their security. Well, before I get to that, we’ll talk about that in a second.
So, a really handy little tool. What we have done is, as previously run on this pastevault.com domain, it was kind of separate from Help Spot. It was kind of just forgotten over there. I mean we used it all the time but it didn’t get any love. What I decided to do was enhance its visibility and also make it a more useful marketing tool for us as well. So, this is a really useful little tool that a lot of people can use. If you work in customer support, this is something you should be using, especially if you deal with a lot of customers who are less technically savvy, which isn’t even our case.
Most of our customers tend to be fairly savvy and will still do things like send us passwords. This is something that makes sense for the Help Spot customer base and the potential customer base. So, we moved it to Help Spot at helpspot.com, so now it is helpspot.com/vault. We call it Help Spot Vault and it is baked right into the main Help Spot website. We now have a little tools section where we are going to be putting some of these little tools that are useful sometimes for customer support and some ideas for some other sorts of business tools as well, a little tools area just to have a spot for that at helpspot.com. So now it’s part of the website. It’s not off forgotten. Links and things do help a little bit with the coming Google Juice, which is great.
Maintenance wise, it’s right in our main site. It’s also tied together design wise and everything, much more easily than when it’s off on its own. This is one of the things; last week in the podcast, when I was talking about building your own systems, this is the kind of thing that building your own systems lets you do because if our site was a wordpress.com site, it would be either impossible to do this or it would be very difficult to do it. By being a PHP framework based site, we have control over all the code and we can do stuff like create a tool that’s part of the website and manage as a singular thing. Not that you want to do everything that way.
Obviously, if you have a bigger application, you don’t want it as just part of your website usually. But for these little tools, it’s great and Paste Vault doesn’t require registration, doesn’t require an email. You literally just go to this screen, type in some information, give it a password and an expiration time and that’s it. So, it’s very straightforward. There’s not a lot of app overhead to it and by being altogether, we can integrate designs.
Actually, the tools section has its own dark theme design but it still uses the base underlying components of the main Help Spot website. Again, that’s not code I’m having to copy and paste between places or trying to use the CSS file in two different sites and we change it one place and it breaks over in the other and all that kind of stuff. We can kind of leverage everything we’re doing in one spot. It makes it easier to Google Analytics and all that kind of stuff to have a single place to see what’s going on with these things. So, today we put it up on Product Hunt.
I’ve never done much for the Product Hunt. I don’t have a lot of time to actually follow Product Hunt. I’m obviously aware of what it is. But, I thought it’d be fun to put it up on Product Hunt and just see what happens. I obviously let people know about it on Twitter. I emailed a few people I know and said hey, we’re on Product Hunt. Check it out. I had a really strong response there. I put it up at maybe 9 o’clock Eastern, in the morning and it’s 3:30 now that same day and it’s got 70 uploads and it was featured on the home page by the Product Hunt team, thank you, if you are listening.
It’s gotten some nice traffic and gotten some feedback. People are using it. It’s been a nice little launch. The Product Hunt community, I have to say, is pretty nice. I definitely like it better than the Hacker News community. I was actually expecting a lot of push back on the security end of this and we’ve only gotten very little and none of it was too abusive, so that was great.
That’s one of the tricky things about doing something like this. One of the reasons why I did previously put it on its own site and kind of never really talk about it too much is that it feels like well, we’re collecting people’s passwords and the security implications of that, worrying about that and all that kind of stuff. As I thought through it more, security is one of these things that’s kind of on a continuum and right now, we and many other people have a problem with their customers just sending them passwords in plain text into their databases and they stay there that way forever.
There’s all kinds of similar use cases like email to email. Emailing something to someone, that stays in their email account forever. Passwords is the obvious kind of thing but there’s many other uses for this. I know someone who uses it often to send tabular data actually like rows out of a customer database and there are not actually social security numbers and things like that. But, it’s just names and IDs of customers from this one system and they would just prefer that not live in the other people’s database forever, in their email, in their help desk tools. So, when you think about it in that context and what other people are doing with it, it’s not necessarily a tool for sending your social security number all over the place or uploading private tax documents.
This is about helping people level up a little bit. So, take that person who would previously not even think about it, just shove a password in an email thinking email is secure and send it off. Giving them a little more security, giving yourself a little bit more peace of mind that this isn’t in your database for every person that then accesses your help desk forever in the future, so every employee for the next 20 years who has access doesn’t necessarily have access to this information.
All those things are possible. This doesn’t solve all those issues but it does attempt to eliminate as many of them as it can and it’s all obviously securely connected. It actually encrypts within the browser before it gets sent to our servers and then on our servers, it’s encrypted again as much as possible and we don’t have the password that you set, so it would be impossible for us to decrypt it and you don’t have the password that we set, the key.
So, in terms of just getting access to the raw output from our database or something, you wouldn’t be able to decode that either. It tries to take reasonable steps to secure it, but you obviously have to be careful anywhere online when you’re pasting stuff around. The idea here is to bring people up to that next level of security from just completely insecure, not even giving it any thought, to at least a little secure and some expiration of that data from the end location.
If nothing else, forget the NSA, forget direct attacks, right? The most likely place your information is going to be stolen from is the place you’re sending it to. It’s just like credit card fraud. Still, the most prominent way that’s going to occur is you go to a restaurant, you hand them a credit card and they walk off with it. They steal your credit card information. This is that same idea, making that a little harder. It’s not to stop the NSA, it’s to stop people in terms of the end location of your information not having access indefinitely to URLs, passwords, customer IDs and things like that indefinitely, literally infinitely into the future. That stuff doesn’t need to live in there.
So, that’s what Help Spot Vault does and the pushback is not too bad. People seem to kind of get it, which is really cool. Now, on the business end, I kind of think it will be interesting to see. We had people sign up for the newsletter. I think the idea of doing these sort of engineering-as-marketing little projects is interesting to me. I think it’s something that we have the skills to do and desires to do, which is certainly more fun than traditional marketing. I think that’s kind of cool. I think it’s a challenge because it forces you to think simply and that’s against my nature, so it’s a little bit fun in that way too. I tend to, by nature, want to build bigger, and more complicated solutions to things and if you’re going to have just this little corner of the website with useful tools, those useful tools really can’t be a whole other application because that starts to get confusing and what is this site about?
Things like that. It’ll be interesting to find that balance, but I definitely have some ideas for some more small tools and we’ll see how it goes. All right, oh, my gosh. I’m already 15 minutes. Holy cow. I can really drone on here. All right. Well thanks for listening. We have a bunch more stuff coming up, so I will be back on here next week. Thanks for tuning in.