Monthly Archives: September 2011

Is It Time To Worry About Cybercrime?

This article was originally posted on the Idealware Blog in September of 2011.

For the past decade, the bulk of unlawful web-based activity has been profit-motivated: phishing, spam, “Nigerian” money scams, and hacking to steal credit cards. This year has seen a rise in politically motivated crimes, most widely exemplified by the loosely-knit group of hackers known as “Anonymous”. Anonymous hackers attack the websites of organizations, be they government, corporate or otherwise, that they deem to be repressive or unethical. In addition to defacing the sites, they’ve also routinely exposed confidential user information, such as login names, passwords and addresses. If we are now entering an age where political cybercrime is commonplace, what does that mean for nonprofits? How can we defend ourselves when we already struggle with basic security on tight budgets and limited resources?

Two high profile victims were Sony, the gigantic electronics and entertainment conglomerate, and BART, the Bay Area Rapid Transit commuter service.

  • Sony was initially a target for Anonymous after it took legal action against a computer geek named George Hotz, who figured out how to reprogram a PlayStation game console in order to run blocked third-party software on it. This violated the Sony license, but the hacking and gaming communities felt that the license restriction wasn’t very fair in the first place, and they considered the action against Hotz unwarranted and severe. Sony also, famously, installed a hacker-style rootkit of its own on a number of music CDs with interactive computer features, and was sued for it. Could it be that the hackers were particularly annoyed that this mega-corporation will stoop to their tactics, but sue them for similar actions?
  • BART was targeted for more visceral actions. Its internal police force shot Oscar Grant, an unarmed youth, in the back a few years ago, and then, recently, fired on a homeless man holding a knife, killing him. These actions drew the attention of the community and resulted in protests, some violent. But BART only drew the attention of Anonymous when it took the step of blocking cell phone service at its four downtown San Francisco stations in order to quell communication about a planned protest. This action is under investigation by the FCC and has been decried by the ACLU; it was quite likely illegal. Then it was revealed that, at a press conference to discuss the protests, BART seeded the audience with its own proponents, coached in what to ask and say.

Anonymous hacked a dozen or more Sony websites and three BART websites in protest/retaliation for what they consider to be corporate crime. Here’s how easy it was for them: one of the Sony servers containing hundreds of thousands of user account records was running on an old, unpatched version of Apache with no encryption. The initial attack was a SQL injection, one of the oldest and best-understood web vulnerabilities, and one that is ridiculously easy to block: the site’s own code has to hand user input to the database as parameters instead of splicing it into the query text. That is a few lines of code per query, not a budget item. Keeping the server software patched closes other holes, but on its own it does nothing about injection flaws in the application sitting on top of it, and Sony evidently did neither. The administrator password to get into the BART police site was “admin123”. The “hacker” who broke into that site reported that she’d never hacked a website in her life; she just did a bit of googling and got right in.
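To make the SQL injection point concrete, here is an added example (mine, not from the original article, and not based on any code from the Sony or BART sites) of the mistake and its fix side by side. The user table and passwords are constructed for the demonstration; the unsalted SHA-256 is used only to keep the example short, and a real site should store passwords with a slow, salted KDF. The vulnerable login splices the username into the query text, so a username of `admin' --` closes the string literal and comments out the password check. The hardened login runs the identical query with placeholders and the same payload finds no account.

```python
import hashlib
import sqlite3

# Constructed sample accounts for the demo (not data from any real site).
# Unsalted SHA-256 is used only to keep the example short; production code
# should use a slow, salted KDF such as PBKDF2, bcrypt or scrypt.
SAMPLE_USERS = {
    "admin": "correct horse battery staple",
    "alice": "another-long-passphrase",
}


def hash_password(password):
    return hashlib.sha256(password.encode()).hexdigest()


def build_db():
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(u, hash_password(p)) for u, p in SAMPLE_USERS.items()],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is pasted into the SQL text, so a quote in the
    username rewrites the query. Patching the web server does nothing here."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
        % (username, hash_password(password))
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Hardened: placeholders send the values separately from the SQL text,
    so the database never parses the username as SQL. Same query, same schema."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    # The classic payload: close the string literal, then comment out the
    # rest of the WHERE clause so the password is never checked.
    payload = "admin' --"
    print("vulnerable login as:", login_vulnerable(db, payload, "wrong"))
    print("hardened login as:  ", login_hardened(db, payload, "wrong"))
    print("legit login as:     ", login_hardened(db, "alice", "another-long-passphrase"))
```

Run it and the vulnerable function hands back the admin account for a bogus password, while the hardened one returns nothing for the payload and still logs in a genuine user. The only difference between the two functions is whether the database sees the username as data or as SQL.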

These were corporate websites, run by companies that take in vast amounts of consumer dollars every day, and they couldn’t be bothered to do even the minimum amount of safeguarding of their customers’ data. They might not be the criminals, but is it wild to suggest that they were criminally negligent? This isn’t a matter of them not having the money, resources or available expertise to protect our data. It was a matter of them not taking the responsibility to protect it.

What can nonprofit organizations, that aren’t obsessed with bottom lines, do to avoid the problems that BART and Sony have faced?

  • First and foremost, we need to protect constituent data. If your NPO doesn’t have the wherewithal to do that internally, then your online data should be hosted with companies that have strong commitments to the security and privacy of customer data.
  • Second, should breaches occur (and they do), your primary goal should be timely, open communication with the victims of the data breach. We’re getting past the point where our constituents are naive about all of this (Sony has done a great job of prepping them for us). So your first response to exposed constituent data should be to tell the constituents exactly what was exposed.
  • One uncomfortable situation like this won’t kill your credibility, but a history of bad or callous relationships will amplify the damage. This is one of the reasons why good social media policies are critical: the people who can support or sink you when something like a data breach occurs are on Twitter and Facebook, and they’ll feed the media stream with support or slander, depending on how well you relate to them.
  • We promote causes online, but we admit faults there, too.  We don’t engage customers by lying to them, hiding things that impact them, or dictating the terms of our relationships with them.
  • Our supporters are people, and they have their motivations for supporting us (or not) and their ideas about how they should be doing it.  Their motivations and reasoning might be quite different from what we assume. Accordingly, we should be basing our assumptions — and campaigns — on the best feedback that we can coax out of them.  Long-held industry assumptions are suspect simply because they’re long-held, in a world where technology, and how we interact with it, is constantly changing.


If we ever needed reverse primers in how to manage constituent relationships, the Sony and BART fiascos are prime ones. They are victims of illegal and unethical behaviour. But by viewing their customers and constituents as threats, with callous regard for the people who keep them in business in the first place, they’ve created a public relationship that did nothing to stem the attacks. Sony has put far more money and effort into attacking and dehumanizing its customers with lawsuits and invasive, annoying copyright protection schemes than into listening to, or trying to understand the needs and desires of, its constituents. BART has tried to block its ears so tightly against public criticism of its violent, shoot-first police force that it has crossed constitutional lines of conduct. We, as nonprofits, know better. A two-way relationship with our supporters, not a dictatorial one, will serve as our most effective firewall.

Two Thoughts On The New Facebook Timeline

Photo by smemon

Facebook announced that, on October 3rd, our profiles will all turn into “Timelines” that describe our lives (as Facebook knows them) in a glossy, magazine-like format. And, as of right now, you can enable magazine apps (for WaPo and the Guardian, more to come) that will randomly post what you’re reading to your wall without asking your permission first. I have two thoughts on this:

First, I feel sorry for the early adopters. I came to Facebook late, long after I had reason to distrust Zuckerberg and co., in response to the cajoling of some of my more notorious nptech friends. I never believed that anything I posted there was private, and I had been well trained in online reputation management by my prior years of activity on bulletin boards, Usenet, mailing lists and Twitter. For many of you, all of your early mistakes are about to be unearthed and offered for everyone to see, from new friends that you’ve made since you got your FB voice modulated, to advertisers who are eager to know that, three or four years ago, you were really into SpongeBob.

Second, this new API feature that allows an app to post your activity when it wants strikes me as the epitome of anti-social networking. I really appreciate that I can peruse my wall and see articles, pictures and clips that my friends, co-workers and family thought I might like to see. This is, perhaps, the biggest boon and focus of social networking: curated sharing. It’s not random; it’s not based on a metric; it’s based on someone I like enough to call a friend saying “I found this worthwhile”. But, were I to install the WaPo app, it would decide for me which articles I want to share with my community. So I might click on some very boring report on a White House policy effort, or a review of some TV show that I’m checking to verify that I was right to ignore it, and WaPo will happily tell my friends that I’m reading about this or that. This sucks the value out of social networking and turns me into a spammer.

Reports came in today that Spotify, the popular online music service, now defaults to posting every song you listen to on your FB profile. If I have twenty friends who listen to Spotify all day and do this, I’m afraid that I’ll never bother to read my FB feed again. It’s cool if you’re listening to that awesome Gillian Welch cover of Radiohead’s “Black Star” and want to share the occasion; it’s not if you follow it up with the Hall and Oates hit, the Eddie Vedder Beatles cover and the Indigo Girls or Beyoncé or Five for Fighting song that follows. I’m not THAT interested.

So Facebook is apparently about to take sharing into the realm of spamming, and make all of us the perpetrators. Nice move…