Hi Cap'n Jon, I'll answer your questions the best I can below. I'll apologize in advance for being less than forthcoming on a couple of topics. I'm sure you can appreciate keeping security efforts and techniques under wraps.
What's the business model? Since it's free to users, what's your revenue stream? Advertising? Selling limited data to auto/marine suppliers?
For the moment I am relying on advertising. Truthfully I built this app to use for myself and some friends. As I was going through that process it seemed like something others might find useful, so I hardened it and expanded the functionality, and continue to do so. In a perfect world I would like to partner with someone like used dealers or boat brokers to offer TMC to their customers as an incentive. Optionally partnering with parts sellers, perhaps linking my users with their search engines or offering my users a discount on their parts. Obviously I need to build a client base first.
How is the data stored? You mention syncing with local data for disconnected users. Is additional software required? If so, is it cross-platform - Windows XP/Vista/7, Apple OSX, Linux?
The occasionally connected element to TMC is very much in a development stage. The platform would be Microsoft's Sync Services. I am an MS Developer so I use their products. However I would be able to port the UI to the three platforms you mention. I think this feature would be extremely useful to cruisers particularly, but I don't have a timeline on roll-out for that feature at this time. I did just attend a .NET users group meeting in San Diego that did a demo on Sync. For a code geek like me it's pretty exciting stuff.
What provisions are made for your server backups? Disaster recovery plans? You'll be potentially holding lots of data for lots of customers.
The site is hosted with a hosting service. They have extensive datacenter protection including nightly database dumps. I also take a manual backup regularly and I have the code versioned and multiple copies stored on several different mediums.
Have you had a security review? Was security "baked in" during the design phase? You mention your PM work with the US Navy, but I've seen lots of software put in place by the DoD that was less than what I'd term "secure". I haven't registered yet, so I don't know exactly what personal info you collect from your users.
I have not had a security review from an outside expert. I am a professional developer and have been for more than a decade. Of course that does not make me a security expert... Security has been a forethought throughout the development process. I was in the Navy 25 years ago and I was a Sonar Technician. I learned and managed the Navy's PM system as PM coordinator for my division. This was the first exposure to a structured PM System. I then spent 17 years with Sony Electronics in various capacities helping to develop, manage, and continuously improve the PM processes there. The final 8 years with Sony were as a programmer after I graduated college. So my dev. experience has no link to DOD other than some consulting projects I've done in the last few years.
What's the hosting model? Self hosted? What OS? What web server, database, language? It plays into reliability/uptime and security.
The web and DB servers are on Windows 2008 server and the DB is in MS SQL Server 2008. The application was built in .NET 3.5
Any provisions for SSL support? If a userid/password is required for login, is the password actually sent (even encrypted) across the net, or a hash? If hashed, is it at least SHA-1?
I have not implemented SSL yet but I will eventually. The password does go across the internet and some form of it is stored in a database. The hash is at least SHA-1 and I have no capacity to decrypt it, nor would anyone who potentially gained illegal or illicit access to it. To see what data is required to join you can safely click on the "Click here to join" button and see which fields have a red border without entering or providing any information. Those are the only required fields. Of course once in, to use TMC you would need to enter equipment, parts as needed, then schedule PMs, but that data seems to be low risk to me.
I have had this trust issue come up a few times and I'm going to have to figure out a way to build trust that I'm not harvesting personal information. I'm not sure how to convey trustworthiness via the website but I'm going to spend some more time thinking about how to do that.
Hope that helps.
Any other questions feel free to ask away. I have bigger hopes for TMC than what is in place now but I am testing the waters at this point, to see if folks find it useful, before I invest more time and money in the project.
Thanks for your interest!