Techcafeteria Blog

NPO Evaluation, IE6, Still Waters for Wave

[Oops! Forgot to publish this Idealware post from late January…]

Here are a few updates on topics I’ve posted on in the last few months:

Nonprofit Assessment

The announcement that GuideStar, Charity Navigator and others would be moving away from the 990 form as their primary source for assessing nonprofit performance raised a lot of interesting questions, such as “How will assessments of outcomes be standardized in a way that is not too subjective?” and “What will be required of nonprofits in order to make those assessments?” We’ll have a chance to get some preliminary answers to those questions on February 4th, when NTEN will sponsor a phone-in panel discussion with representatives of GuideStar and Charity Navigator, as well as members of the nonprofit community. The panel will be hosted by Sean Stannard-Stockton of Tactical Philanthropy, and will include:

I’ll be participating as well. You can learn more and register for the free event with NTEN.

The Half-Life of Internet Explorer 6

It’s been quite a few weeks as far as headlines go, with a humanitarian crisis in Haiti; a dramatic election in Massachusetts; a trial to determine if California’s gay marriage-banning proposition is, in fact, discriminatory; high profile shakeups in late night television and word of the Snuggie, version 2 all competing for our attention. An additional, fascinating story is unfolding with Google’s announcement that they might pull their business out of China in light of a massive cybercrime against critics of the Chinese regime that, from all appearances, was either performed or sanctioned by the Chinese government. There’s been a lot of speculation about Google’s motives for such a dramatic move, and I fall in the camp that says, whatever their motives, it’s refreshing to see a gigantic U.S. corporation factor ethics into a business decision, even if it’s unclear exactly what the complete motivations are.

As my colleague Steve Backman fully explains here, there’s been some fallout from this story for Microsoft. First, like Google and Yahoo!, Microsoft operates a search engine in China and submits to the Chinese government’s censoring filters. They’ve kept mum on their feelings about the cyber-attack. Google’s analysis of that attack reveals that GMail accounts were hacked and other breaches occurred via security holes in Internet Explorer, versions six and up, that allow a hacker to upload programs and take control of a user’s PC. As this information came to light, France and Germany both issued advisories to their citizens that switching to a browser other than Internet Explorer would be prudent. In response, Microsoft has issued a statement recommending that everyone upgrade from Internet Explorer version 6 to version 8, the current release. What Microsoft doesn’t mention is that the security flaw exists in versions seven and eight as well as six, so upgrading won’t protect you from the threat, although they just released a patch that hopefully will.

So, while their reasoning is suspect, it’s nice to see that Microsoft has finally joined the campaign to remove this old, insecure, web-standards-incompatible browser.

Google Wave: Still Waters

I have kept Google Wave open in a tab in my browser since the day my account was opened, subscribed to about 15 waves, some of them quite well populated. I haven’t seen an update to any of these waves since January 12th, and it was really only one wave that’s gotten any updates at all in the past month. I can’t give away the invites I have to offer. The conclusion I’m drawing is that, if Google doesn’t do something to make the Wave experience more compelling, it’s going to go the way of a Simply Red B-Side and fade from memory. As I’ve said, there is real potential here for something that puts telecommunication, document creation and data mining on a converged platform, and that would be new. But, in its current state, it’s a difficult-to-use substitute for a sophisticated Wiki. And, while Google was hyping this, Confluence released a new version of their excellent (free for nonprofits) enterprise Wiki that can incorporate (like Wave) Google gadgets. That makes me want to pack up my surfboard.


Why Google Buzz Should Be Your Blog

Now, you might think that’s a crazy idea, but  I think Buzz is about 80% of the way there. Last week, in my Google’s Creepy Profiles post, I made a suggestion (that someone at Google has hopefully already thought of) that it wouldn’t take much to turn a Profile into a full-fledged biography/lifestreaming site.  Just add some user-configurable tabs, that can contain HTML or RSS-fed content, and add some capability to customize the style of the profile.  Since I wrote that, I’ve been using Buzz quite a bit and I’ve really been appreciating the potential it has to deepen conversations around web-published materials.

I think some of my appreciation for Buzz comes from frustration with Google’s previous, half-hearted attempts to make Google Reader more social. If you use Reader heavily, then you know that you can share items via a custom, personal page and the “People You Follow” tab in Reader. You also know that you can comment on items and read others’ comments in the “Comments View”. But it’s far from convenient to work with either of these sharing methods. But, once you link your Reader shared items to Buzz, then you aren’t using Reader’s awkward interface to communicate; you’re using Buzz’s. And Buzz, for all of Google’s launch-time snafus, is an easy to use and powerful communications tool, merging some of the best things about Twitter and Facebook.

So, how is Buzz suitable for a blog?

  • It’s a rich editing environment with simple textile formatting and media embedding, just like a blog.

  • Commenting—way built-in.

  • RSS-capable – you can subscribe to anyone’s Buzz feed.

  • Your Google Profile makes for a decent public Blog homepage, with an “About the Author”, links and contact pages.

  • It’s pre-formatted for mobile viewing

What’s missing?

  • Better formatting options.  The textile commands available are minimal

  • XML-RPC remote publishing

  • Plug-ins for the Google Homepage

  • As mentioned, more customization and site-building tools for the Google Homepage.

Why is it compelling?

  • Because your blog posts are directly inserted into a social networking platform.  No need to post a link to it, hope people will follow, and then deal with whatever commenting system your blog has to respond.

  • Your blog’s community grows easily, again fueled by the integrated social network.

  • Managing comments – no longer a chore!

This is the inverse of adding Google or Facebook’s Friend Connect features to your blog. It’s adding your blog to a social network, with far deeper integration than Twitter and Facebook currently provide. Once Google releases the promised API, much of what’s missing will start to become available. At that point, I’ll have to think about whether I want to move this island of a blog to the mainland, where it will get a lot more traffic. I’ll definitely be evaluating that possibility.


Google’s Creepy Profiles


Google unveiled a bold new product last week; one of critical and compelling import to anyone who believes that their online reputation is important.  I’m not talking about Google Buzz.  I’m talking about Google Profiles.  This isn’t a new service—Google introduced the profile pages a few years ago.  But the release of Google Buzz has illuminated how important they are in Google’s plans, and how important they can be for us.  And if this profile is now a major component in my personal branding strategy, I demand better tools to manage it than Google has provided.

About a year ago, Google pointed out that, if you have a populated Google Profile, they will include it below the search results when people google your name. So, for someone like me—who does want to be easily located on the web, but has a reasonably common name, this seemed like a good deal, and I filled out my profile.  As a result, I’m prominently placed in the profile links when you search for my name, even though I’m about the fifth best known “Peter Campbell” on the web.

A Google Profile page contains four important pieces:

  • Biographical information about you.

  • Links to your important web sites.

  • Secured contact information.

  • Google Buzz integration.

The bio and links are much like other online profiles, such as Yahoo! and Facebook.  The contact info option is interesting, as you can share it with groups defined in your Google Contacts.  I can’t see a good reason to do this, as any group I’d be willing to share with (such as “family”) already knows how to find me and, if they don’t, they aren’t going to think to look at my Google Profile(!). So I’ve left this blank, as it seems like better security to not publish my address and phone number online if I don’t have a good reason to.

The Buzz integration is particularly worrisome.  First, by default, Buzz publishes your connections to your profile.  It’s easy to turn off, and recommended if you have any concern about anyone in the world knowing who your online friends are.  I turned this right off.

Second, your Buzz stream is published to the profile as well. So consider that—anything you say on Buzz gets added to your profile, which might be prominently placed in search results for your name (whereas your buzzes might not be).  We all know that employers are getting savvy, and searching the web for info about us as part of a candidate review.  But I assume that an employer seeing my Twitter stream on Twitter will bear in mind the context—Twitter, like Buzz, is a conversational medium.  A profile is much more like a resume.  I may well buzz about my favorite Doctor Who episode, but I’m not going to discuss TV shows on my resume…

The furor over Buzz’s privacy violations at rollout was really much more about the profiles—many new Buzz users didn’t even know they had a Google Profile prior.

So, Google—I hope you’re listening.  If my Google Profile is going to factor more and more into my online identity—and the way that Buzz both highlights it and depends on it suggests so—you need to give me more tools and flexibility about how that profile looks and what information it contains.  Here’s what would make me feel like I have a profile on the web, as opposed to Google having a dossier on me on the web:

  • Less structured content.  The “what can’t you find on Google” question is cute, but it’s not a key component of my personal branding.  Get rid of the cute stuff, and give me more options to share the info that I want to share, not that you necessarily want to hear.

  • A logo, stylesheet, and other basic web design tools.  I’d like this to look more like this blog, with the black background and the Techcafeteria logo.

  • My own tabs, and the ability to remove the extra tabs that you think I should have.  Mostly, the decision to publish my Buzz feed to my profile should be mine, not yours.  Make that optional, but add the ability to add new tabs and link them to other websites or RSS sources.

For an example, look at my home site at http://techcafeteria.com.  That is a profile, with info about me; lifestreaming; shared resources via RSS; and a contact form.  If Google Profiles could do what I ask, I’d scrap the current Techcafeteria site and link this blog, along with my other feeds, directly to my Google Profile, and redirect both techcafeteria.com and peterscampbell.com to it.

Until then, that’s not my profile.  That’s Google’s profile of me, and it’s a bit creepy.


Dealing with Domains – Part 2

Last week, we talked about domain registrar services and what to look for. In today’s follow-up, we’ll focus on how to transfer a domain and the accompanying security concerns, then talk a bit about registrars vis-à-vis hosting services.

Domain Transfers

Transferring domains is a somewhat complex process that has been designed to minimize the risk of domain hijacking. In order to ensure that transfers are performed by the actual owner of the domain, a few important measures are in place:

  • Every domain has an authorization (a.k.a. EPP) code associated with it. Transfers can not occur without this code being submitted. If you don’t have this information, your current registrar does. Some registrars have automated functions that will deliver that information to the domain contact; others require that you ask for them via email to the registrar or their support ticket application. Registrars are required to provide you with these codes within five calendar days of your request. If they don’t, your best recourse is to determine who they get their domain authority from (there are only a handful of companies that resell registration services) and appeal to them for assistance.

  • Communication is strictly through the registered “whois” email address of the domain owner. You can determine what that is by doing a whois lookup on your domain.
    Tip: Most domains can be looked up at http://whois.net. However, whois.net has some trouble with .org domains, so the alternative http://www.pir.org/whois is a more reliable source for most non-profit domains.

    If the address that your domain is registered with is either non-functional or owned by someone other than you, then you need to update it, via your current registrar’s web interface, before you can successfully transfer the domain.

  • Domains can (and should) be locked to prohibit transfers before and after you switch registrars. Locking and unlocking your domains is usually done by you, from your registrar’s web site. If you don’t have options to do that when you log on to the web site, your registrar should do it for you upon request.
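The lock and contact-address checks from the list above can be run against the text of a whois lookup. The following is an added example, not part of the original post: it assumes the common "Key: value" whois layout (field labels vary by registry) and the EPP status names `clientTransferProhibited` and `serverTransferProhibited`, and every domain, registrar and address in the samples is constructed.

```python
"""Check a WHOIS record for a transfer lock and for contact addresses you control."""
import re

# EPP status values that block a registrar transfer (set at registrar or registry).
LOCK_STATUSES = {"clienttransferprohibited", "servertransferprohibited"}

# Contact roles whose e-mail address receives transfer confirmations.
CONTACT_EMAIL_KEY = re.compile(r"^(registrant|admin|tech)( contact)? email$")

# Constructed sample: unlocked, with a registrant address owned by a past vendor.
SAMPLE_UNLOCKED = """\
Domain Name: EXAMPLE.ORG
Registrar: Hypothetical Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Registrant Email: former-webmaster@oldvendor.example
Admin Email: it@example.org
Registrar Abuse Contact Email: abuse@registrar.example
"""

# Constructed sample: locked, with every contact address under the owner's control.
SAMPLE_LOCKED = """\
Domain Name: EXAMPLE.ORG
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Email: it@example.org
Admin Email: it@example.org
"""


def parse_whois(text):
    """Return {lower-cased field name: [values]} for every 'Key: value' line."""
    fields = {}
    for line in text.splitlines():
        match = re.match(r"\s*([^:%#>]+?)\s*:\s*(\S.*?)\s*$", line)
        if match:
            fields.setdefault(match.group(1).lower(), []).append(match.group(2))
    return fields


def audit_for_transfer(whois_text, controlled_emails):
    """Report whether the domain is transfer-locked and which contacts are stray.

    controlled_emails: addresses the organization can actually read today.
    """
    fields = parse_whois(whois_text)

    # A status line looks like "clientTransferProhibited https://...": keep the code.
    statuses = {value.split()[0].lower() for value in fields.get("domain status", [])}
    locked = bool(statuses & LOCK_STATUSES)

    controlled = {address.lower() for address in controlled_emails}
    stray = sorted(
        (key, value)
        for key, values in fields.items()
        if CONTACT_EMAIL_KEY.match(key)
        for value in values
        if value.lower() not in controlled
    )

    findings = []
    if not locked:
        findings.append("no transfer lock set: ask the registrar to lock the domain")
    for key, value in stray:
        findings.append(f"{key} is {value}: update it before relying on transfer e-mails")
    return {"locked": locked, "stray_contacts": stray, "findings": findings}


if __name__ == "__main__":
    for name, record in (("unlocked", SAMPLE_UNLOCKED), ("locked", SAMPLE_LOCKED)):
        result = audit_for_transfer(record, {"it@example.org"})
        print(name, result["findings"] or "ok")
```

The registrar's own abuse contact is deliberately ignored, since only the registrant, admin and tech addresses belong to the domain owner.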

Transfer Procedures

To initiate the transfer, go to the web site of the registrar that you want to switch to and follow their instructions. They will have you submit a request and, upon receipt of your domain fees, issue an email to the email address associated with the domain containing a link to a form where you can confirm the request. That form will also ask for the authorization code. Subsequently – and this can take up to seven days – you’ll receive an email from your current registrar asking you to confirm the transfer request. Once that is submitted, the transfer should go through.

Detailed rules about how domains are transferred, as well as what the responsibilities of the registrars are in handling the transfers, are listed at http://www.icann.org/en/transfers/policy-en.htm.

Choosing Registrars

Registrars charge anywhere from $5.00 to $50 for a year’s domain service. The two best known registrars are Network Solutions and GoDaddy. Many people go with Network Solutions because they’re the longest standing of the registrars (for many years, they were the only registrar). GoDaddy has become very popular by dramatically undercutting the cost. Note, though, that both of these registrars have been accused of questionable business practices:

  • Network Solutions has engaged in “Front Running“, a questionable practice of locking domains that a potential customer might search for in order to block competitors from making the sale. They will also use subdomains of your domain to advertise, a practice called subdomain hijacking. A decent registrar will not seek to make profits based on your intellectual property.

  • GoDaddy famously suspends accounts based on corporate requests. In 2007, they suspended seclists.org, a website that archives internet security mailing lists, per the request of MySpace, with no court order or valid complaint. MySpace was upset that content posted to one of the lists that Seclists archived was inappropriate. But, instead of contacting Seclists to deal with the content in question, GoDaddy closed the site and wouldn’t respond to desperate emails or phone calls regarding the sudden closure. Worse, after the fiasco was resolved, they were unrepentant, and reserve the right to shut down any site for any spurious reason. If your NPO does work that is in the least bit controversial, keep this in mind when considering GoDaddy.

Web Hosting and Registrars

Many registrars supplement their business by providing web hosting services as well. Some will even offer discounted or free domain registration with a hosting plan. While this simplifies things, it can also be a bit risky in the “eggs in one basket” sense. Having a separate registrar and control over your DNS service allows you to be more flexible with switching hosts, should your current host prove themselves unreliable or go out of business. And the web hosting industry is pretty volatile, with companies coming and going pretty quickly. I would suggest a best practice is to keep your host and registrar separate.


Dealing With Domains – Part 1

.biz .com .edu .org .net .gov .info .mil

Domain Name Management: not a very sexy topic. This will be a rare post for me that won’t mention popular search engines, the latest “superphone“, content management or rumored tablets. But I hope I can provide a good glossary on a geeky subject that anyone with a web site sporting their organization’s name has to deal with.

You have a web site and you have a domain, and as long as the web site is up and running, everything is fine. But what happens if your domain is hijacked? What if you need to make changes to your domain registration, or register a new one, and your registrar is simply disinterested? What if they go out of business? Your domain name is a valuable property, and you should keep it in pro-active and trustworthy hands.

How Domain Registration Works

Domain registrars provide the service of keeping your domain name mapped with current information so that it can be found on the web. Domain names are meaningful aliases for numeric IP addresses, and aren’t technically required in order to host a web site. But, the internet would be hard to navigate if we could only find things by their numeric addresses.

The primary things that a registrar does are to keep your contact (whois) data maintained; point your domain to the appropriate name servers; and allow you to move your domain to another registrar if you choose to.

Domain Services

In addition to domain registration, most registrars offer additional services, such as:

  • DNS Management (address mapping) for subdomains, which allows you to host your main domain on one server but, perhaps, an online store called “store.yourdomain.com” on another server.

  • Aliasing of Addresses, so that both http://yourdomain.com and http://www.yourdomain.com go to the same place.

  • Backup Mail Handling, so that, should your primary mail server go down, messages sent to you will be stored until it comes back around.

  • Web Forwarding, so you can, say, register yourdomain.org, yourdomain.com and yourdomain.net, but forward all visitors to the .com and .net sites to your website at yourdomain.org.

  • SSL (Secure Socket Layer) Certificates, to encrypt sensitive data, like online donation forms.


Things to Look For in a New Registrar

  1. Are they accredited? ICANN, the organization that oversees domain management, accredits registrars. If they aren’t on ICANN’s list, they aren’t trustworthy.

  2. Do they add a year to the existing expiration date, or charge you for a full year as of engagement? They should do the former.

  3. Do they offer automated access to all functions (via web forms), including locking/unlocking domains, retrieval of authorization (EPP) codes, and modification of all whois records? (Some registrars prefer to list themselves as the technical contact. It should be up to you whether they can have an official name on your domain, not them).

  4. Do they list a telephone number, and is it promptly answered during business hours?

  5. Do they respond promptly to emails and support requests? The ability to communicate with your registrar is rarely needed, but, when it is, it’s critical – you don’t want them out of the loop if your domain is subject to an attempted hijack.

  6. Do they offer the ability to manage DNS for mail servers and subdomains? While this is an added feature, it’s common enough to be worth expecting.

  7. Do they have any additional services (examples above)? While these supplemental services are far from critical, they are convenient. More to the point, a company that is engaging in a robust suite of services is more likely to be focused on their business. The truth is that anyone can be a domain registrar, if they make the proper investment, but whether it’s a going concern or a neglected piece of extra income for them is a question you’ll want to ask.

Next week: Safely transferring domains and a word on web hosting completes the topic.


The NPTech Lineup

It’s time for another quick note on upcoming events and happenings in my nonprofit-focused life. These are spare on details, but I’ll be making noise as they finalize.

First, you’re looking at the newest Idealware board member. There’s still some paperwork to fill out, but this is a done enough deal that it’s worth mentioning here. I join at an exciting time, with our first book on the way; a new website about to be unleashed, and the successful rollout of the Idealware Research Fund (which met its initial goal!).

Coming up in February is the Green IT Consortium/NTEN virtual conference on Greening your Technology. Matt Eshleman of CITIDC and I will be reprising the Server Virtualization session that we did at NTC last year. Mark down the date of February 10th, and look for details very soon, including after-conference get-togethers in SF and DC.

Also in February, but as yet not fully scheduled, I’ll be participating on an NTEN-sponsored panel with representatives of Guidestar, Charity Navigator, and the NPTech/Philanthropy community to discuss the upcoming changes in how these organizations assess nonprofits. I’ve been blogging about this potentially dramatic change in the way NPOs are assessed, along with the associated concerns, here and here.

April brings the big event: NTEN’s Nonprofit Technology Conference, 4/8 to 10, in Atlanta, Georgia this year.  I have a lot going on—I’m assembling a group of NTEN’s more technical presenters to lead the technology track, five sessions that will focus on the less trendy, but eternally critical tasks that nonprofit techs face daily: keeping the servers running (and virtualizing them); installing wireless; supporting computer use and planning and purchasing with little budget.  Our hope is that this track will not only impart a lot of useful information, but also serve as the introduction of a peer community for the front line NP techs. And I’ll be flying down early enough to participate in Day of Service and this year’s experimental unconference, where we’ll, among many other things, discuss how we standardize on shared outcome measurements and what that might look like.

The biggest challenge? Doing all this without breaking the stride on my work at Earthjustice, where I’m busy developing a case management system, installing email archiving software, deploying videoconferencing systems and prepping for Office 2007 and Document Management roll-outs, among other things; blogging weekly for the aforementioned Idealware; and spending as much quality time as I can get with my wonderful wife and kid. If you have any extra hours in the day to donate, send them here!


Things You Might Not Know About…

...or you might. I find that, in a 25 year IT career that has always included a percentage of tech support, human nature is to use the features of an application that we know about, and only go looking for new features when a clearly defined need for one arises. In that scenario, some great functionality might be hiding in plain sight. Here are a few of my favorite “not very well-hidden” secrets. Share yours in the comments.

Google Search Filtering

Have you ever clicked the “Show Options” link on your results page? Do a search for whatever interests you and try it (it’s located right under the Google logo). This will add a left navigation bar with some very useful filtering options. Of note, you can narrow to a trendy real-time search by clicking on “Latest” under “Any Time”; choose a date range; or filter out the pages that you’ve seen, or haven’t seen yet – how useful is that for finding that page that you googled last week but didn’t save? The funny thing is that Google has an “Advanced Search” screen, which, of course, can do many things that this bar can’t (such as searching for public domain media).

Microsoft Outlook Shortcuts

If you use Outlook, you know how simple it is to find your mail and calendar. Other common folders are conveniently placed in your default view. But if you’re the slightest bit of a power user, or you work in an environment where users share mailbox folders or use Exchange’s Public Folders, then keeping track of all of those folders can get a bit tedious. That’s what the Shortcut view is for. Buried below the Mail, Calendar and Task buttons, you can move it up to the visible button list by right-clicking on the bar area (in the lower-left hand corner of Outlook 2003 or 2007’s screen) and choosing “Navigation Pane Options”. Highlight “Shortcuts” and then click “Move up” enough times to get it in one of the first four positions. Click OK, then click on the “Shortcuts” bar. From here, you can add new shortcuts and, optionally, arrange them in shortcut groups. You can rename the shortcuts with more meaningful titles, so that, if, say, you’re monitoring another user’s inbox, you can give it their name instead of having two folders named “Inbox”. One tip: to add shortcuts to a group, right-click on the group title and add from there.

Facebook Friend Lists

Nothing makes Facebook more manageable than Friends Lists, and, with the new security changes, this is more true than ever. If you’re like me, your connections on Facebook span every facet of your life, from family to childhood friends to co-workers. Wouldn’t it be useful to be able to send links and messages to all of your co-workers but not your friends, or vice-versa? Click on “Friends” from the Facebook menu, then all connections. If you’ve become a fan of a page or two, you’ll see that Facebook has already created two lists for you: Friends and Pages. To make more, scroll through your connection list and click the “Add to List” option to the right. You can create new lists from there, and add friends to multiple lists.


When you share a link, note, video or whatever, you can choose which list to send it to by clicking on the lock icon next to the “Share” button and choosing “Customize”.

There Are More

Did you know about these features? Are there other ones that you use that make your use of popular applications and web sites much more manageable? Leave a comment and let us know.


Wave Impressions

A few months ago, I blogged a bit about Google Wave, and how it might live up to the hype of being the successor to email.  Now that I’ve had a month or so to play with it, I wanted to share my initial reactions.  Short story: Google Wave is an odd duck, that takes getting used to. As it is today, it is not that revolutionary—in fact, it’s kind of redundant. The jury is still out.

Awkwardness

To put Wave in perspective, I clearly remember my first exposure to email. I bought my first computer in 1987: a Compaq “portable”. (The thing weighed about 60 pounds, sported a tiny green on black screen, and had two 5 and 1/4 inch floppy drives for applications and storage.) Along with the PC, I got a 1200 BPS modem, which allowed me to dial up local bulletin boards. And, as I poked around, I discovered the 1987 version of email: the line editor.

On those early BBSes, emails were sent by typing one line (80 characters, max) of text and hitting “enter”.  Once “enter” was pressed, that line was sent to the BBS.  No correcting typos, no rewriting the sentence.  It was a lot like early typewriters, before they added the ability to strike out previously submitted text.

But, regardless of the primitive editing capabilities, email was a revelation.  It was a new medium; a form of communication that, while far more awkward than telephone communications, was much more immediate than postal mail.  And it wasn’t long before more sophisticated interfaces and editors made their way to the bulletin boards.

Google Wave is also, at this point, awkward. To use it, you have to be somewhat self-confident right from the start, as others are potentially watching every letter that you type.  And while it’s clear that the ability to co-edit and converse about a document in the same place is powerful, it’s messy.  Even if you get over the sprawling nature of the conversations, which are only minimally better than  what you would get with ten to twenty-five people all conversing in one Word document, the lack of navigational tools within each wave is a real weakness.


Redundant?

I’m particularly aware of these faults because I just installed and began using Confluence, a sophisticated, enterprise Wiki (free for nonprofits) at my organization. While we’ve been told that Wave is the successor to email, Google Docs and, possibly, Sharepoint, I have to say that Confluence does pretty much all of those things and is far more capable.  All wikis, at their heart, offer collaborative editing, but the good ones also allow for conversations, plug-ins and automation, just as Google Wave promises.  But with a wiki, the canvas is large enough and the tools are there to organize and manage the work and conversation.  With Wave, it’s awfully cramped, and somewhat primitive in comparison.

Too early to tell?

Of course, we’re looking at a preview.  The two things that possibly differentiate Wave from a solid wiki are the “inbox” metaphor and the automation capabilities. Waves can come to you, like email, and anyone who has tried to move a group from an email list to a web forum knows how powerful that can be. And Wave’s real potential is in how the “bots”, server-side components that can interact with the people communicating and collaborating, will integrate the development and conversation with existing data sources.  It’s still hard to see all of that in this nascent stage.  Until then, it’s a bit chicken and egg.

Wave starting points

There are lots of good Wave resources popping up, but the best, hands down, is Gina Trapani’s Complete Guide, available online for free and in book form soon. Gina’s blog is a must read for people who find the types of things I write about interesting.

Once you’re on Wave, you’ll want to find Waves to join, and exactly how you do that is anything but obvious. The trick is to search for a term such as “nonprofit” or “fundraising” and add the phrase “with:public”. A good nonprofit wave to start with is titled, appropriately, “The Nonprofit Technology Wave”.


If you haven’t gotten a Wave invite and want to, now is the time to query your Twitter and Facebook friends, because invites are being offered and we’ve passed the initial “gimme” stage.  In fact, I have ten or more to share (I’m peterscampbell on most social networks and at Google’s email service).


Security and Privacy in a Web 2.0 World

A Tweet from Beth

Yes, we do Twitter requests!

To break down that tweet a bit, kanter is the well-known Beth Kanter of Beth’s blog. pearlbear is former Idealware blogger and current contributor Michelle Murrain, and Beth asked us, in the referenced blog post, to dive a bit into internet security and how it contrasts with internet privacy concerns. Michelle’s response offers excellent and concise definitions of security and privacy as they apply to the web, and then sums up with a key distinction: security is a set of tools for protecting systems and information. The sensitivity of that data (and need for privacy) is a matter of policy. So the next question is, once you have your security systems and policies in place, what happens when the policies are breached?

Craft a Policy that Minimizes Violations

Social media is casual media. The Web 2.0 approach is to present a true face to the world, one that interacts with the public and allows for individuals, with individual tastes and opinions, to share organizational information online. So a strict rule book and mandated wording for your talking points are not going to work.

Your online constituents expect your staff to have a shared understanding of your organization’s mission and objectives. But they also expect the CEO, the Marketing Assistant and the volunteer Receptionists to have real names (and real pictures on their profiles); their own online voices; and interests they share that go beyond the corporate script. It’s not a matter of venturing too far out of the water—in fact, that could be as much of a problem as staying too close to the prepared scripts. But the tone that works is the one of a human being sharing their commitment and excitement about the work that they (and you) do.

Expect that the message will reflect individual interpretations and biases. Manage the messaging to the key points, and make clear the areas that shouldn’t be discussed in public. Monitor the discussion, and proactively mentor (as opposed to chastising) staff who stray in ways that violate the policy, or seem capable of doing so.

The Case for Transparency

Transparency assumes that multiple voices are being heard; that honest opinions are being shared, and that organizations aren’t sweeping the negative issues under the virtual rug. Admittedly, it’s a scary idea that your staff, your constituents, and your clients should all be free to represent you. The best practice of corporate communications, for many years, was to run all messaging through Marketing/Communications experts and tightly control what was said. I see two big reasons for doing otherwise:

  • We no longer have a controlled media. Controlled messaging worked when opening your own TV or Radio Station was prohibitively expensive. Today, YouTube, Yelp and Video Blogs are TV Stations. Twitter and Facebook Status are radio stations. The investment cost to speak your mind to a public audience has just about vanished.

  • We make more mistakes by under-communicating than we do by over-communicating. Is the importance of hiding something worth the cost of looking like you have something to hide? At the peak of the dot com boom, I hired someone onto my staff at about $10k more (annually) than current staff in similar roles were making. An HR clerk accidentally sent the offer letter to my entire staff. The fallout was that I had meaningful talks about compensation with each of my staff; made them aware that they were getting market (or better) in a rapidly changing market, and that we were keeping pace on anniversary dates. Prior to the breach, a few of my staff had been wrongly convinced that they were underpaid in their positions. The incident only strengthened the trust between us.

    The Good, the Bad, and the Messenger

    Your blog should allow comments, and—short of spam, personal attacks and incivility—shouldn’t be censored. A few years ago, a former employee of my (former) org managed to register the .com extension of our domain name and put up a web site criticizing us. While the site didn’t get a lot of hits, he did manage to find other departed staff with axes to grind, and his online forum was about a 50-50 mix of people trashing us and others defending. After about a month, he went in and deleted the 50% of forum messages that spoke up for our organization, leaving the now one-sided, negative conversation intact. And that was the end of his forum; nobody ever posted there again.

    There were some interesting lessons here for us. He had a lot of inside knowledge that he shared, with no concern or allegiance to our policy. And he was motivated and well-resourced to use the web to attack us. But, in the end, we didn’t see any negative impact on our organization. The truth was, it was easy to separate his bias from his “inside scoops”, and hard to paint us in a very negative light, because the skeletons that he let out of our closet were a lot like anybody else’s.

    What this proves is that message delivery accounts for the messenger. Good and bad tweets and blog posts about your organization will be weighed by the position and credibility of the tweeter or blogger.

    Transparency and Constituent Data Breaches

    Two years ago, a number of nonprofits were faced with a difficult decision when a popular hosted eCRM service was compromised, and account information for donors was stolen by one or more hackers. Thankfully, this wasn’t credit card information, but it included login details, and I’m sure that we all know people who use the same password for their online giving as they do for other web sites, such as, perhaps, their online banking. This was a serious breach, and there was a certain amount of disclosure from the nonprofits to their constituents that was mandated.

    Strident voices in the community called for full disclosure, urging affected nonprofits to put a warning on the home page of their web sites. Many of the organizations settled for alerting every donor that was potentially compromised via phone and/or email, determining that their unaffected constituents might not be clear on how the breach happened or what the risks were, and would simply take the home page warning as a suggestion to not donate online.

    To frame this as a black and white issue, demanding that it be treated with no discretion, is extreme. The seriousness and threat that resulted from this particular breach was not a simple thing to quantify or explain. So it boils down to a number of factors:

    • Scope: If all or most of your supporters are at risk, or the number at risk is in the six figure range, it’s probably more responsible, in the name of protecting them, to broadcast the alert widely. If, as in the case above, those impacted are the ones who donate online, then that’s probably not close to the amount that would fully warrant broad disclosure, as even the strident voice pointed out.

    • Risk: Will your constituents understand that the notice is informational, and not an admission of guilt or irresponsibility in handling their sensitive data? Alternatively, if this becomes public knowledge, would your lack of transparency look like an admission of guilt? You should be comfortable with your decision, and able to explain it.
    • Consistency: Some nonprofits have more responsibility to model transparency than others. If the Sunlight Foundation was one of the organizations impacted, it’s a no-brainer. Salvation Army? Transparency isn’t referenced on their “Positions” page.
    • Courtesy: Some constituencies are more savvy about this type of thing than others. If the affected constituents have all been notified, and they represent a small portion of the donor base, it’s questionable whether scaring your supporters in the name of openness is really warranted.

    Since alternate exposure, in the press or community, is likely to occur, the priority is to have a consistent policy about how and when you broadcast information about security breaches. Denying that something has happened in any public forum would be irresponsible and unethical, and most likely come right back at you. Not being able to explain why you chose not to publicize it on your website could also have damaging consequences. Erring on the side of alerting and protecting those impacted by security breaches is the better way to go, but the final choice has to weigh in all of the risks and factors.

    Conclusion

    All of my examples assume you’re doing the right things. You have justifiable reasons for doing things that might be considered provocative. Your overall efforts are mission-focused. And the reasons for privacy regarding certain information are that it needs to be private (client medical records, for example); it supports your mission-based objectives by being private, and/or it respects the privacy of people close to the information.

    No matter how well we protect our data, the walls are much thinner than they used to be. Any unfortunate tweet can “go viral”. We can’t put a lock on our information that will truly secure it. So it’s important to manage communications with an understanding that information will be shared. Protect your overall reputation, and don’t sweat the minor slips that reveal, mostly, that you’re not a paragon of perfection, maybe, but a group of human beings, struggling to make a difference under the usual conditions.

    Drupal 101: Look and Feel

    I’m wrapping up the Drupal 101 series with some talk about Drupal themes, and some additional info on topics that we’ve already covered. The goal of these posts is to give new Drupal administrators an idea about how Drupal works, and some pointers to the key add-ons and resources in the broad Drupal ecosystem. For reference’s sake, we started with an intro, moved on to Modules, and then covered navigation. So, now that we have a functional web site, what does it look like?

    Getting Themes

    Drupal comes with five or six themes to choose from, and, if you use them, then your site will look very, um, uninspired. This might not be a problem if your goal is not to impress your visitors, but simply provide information or functionality, but, if you’re putting up a website for your organization, you want one that stands out from the crowd. So you have two choices: you can find a better, less common theme, or you can customize one of the default themes.

    The first place to go is to Drupal Theme Garden. This is where many Drupal theme designers share their work. Here, you can either find a theme to use (or customize for your use), or get a good idea about the types of things you can do with your theme.

    Customizing Themes


    From the Administration menu, you can modify any theme’s main text elements, deciding whether or not to display your site’s mission or slogan, name or logo. And you can replace the default “droplet” logo with your own logo (a no-brainer!). Assuming that you’ve started with a theme that you really like, this might be enough. But, if you want to do more serious customizations, such as moving the logo to the center of your header or changing the site colors, you’re going to need basic web 4.0 programming skills and, most likely, some level of comfort with the PHP scripting language.

    Most themes consist of one or more style sheets, a number of “tpl” files with PHP/HTML code laying out various page elements, such as blocks, footers and sidebars, and one called page.tpl.php that establishes the overall page layout. The main styles are usually stored in styles.css, and you can make a lot of changes to your site’s appearance here, modifying default background colors and images, placing and resizing content.

    If that’s not enough, most customizations can be done using Wordpress’s internal macros and functions, meaning that you won’t have to worry about assigning variables or what goes into the foreach loops. Wordpress has simple commands that you can insert into a page to loop through your posts and display them or list your categories in the sidebar. A nice breakdown of the Wordpress functions can be found at WpExplorer.com.

    If you do modify the stylesheets and templates, make sure that you are storing your themes in the sites/default folder and that you’re properly backing up whenever you do an upgrade. If you modify theme files in the main themes folder, and then upgrade to, say, a Drupal security fix, your modifications will be overwritten. In general, themes remain functional from dot release to dot release (e.g., what worked for Drupal 6.1 still works in 6.9), but the Drupal maintainers often make dramatic changes in number versions, so don’t assume that your theme in Drupal 6.9 will not be messed up if you upgrade to Drupal 7 (coming soon).
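A pre-upgrade check for the situation described above, as an added example that is not part of the original post or of Drupal itself: the first function lists files under the main themes folder that differ from an untouched copy of the same Drupal release (the edits a security update would overwrite), and the second copies a core theme into the site folder under a new name. The function names, the pristine-copy path and the sites/default/themes subfolder are assumptions of this example.

```shell
#!/bin/sh
# Added example. Assumes <pristine_root> is an unpacked, unmodified copy of the
# same Drupal release that is running in <site_root>.

# Print every file in the live core themes folder that was added or changed
# locally; these are the files an upgrade would overwrite or orphan.
modified_core_theme_files() {
    site_root=$1
    pristine_root=$2
    ( cd "$site_root/themes" && find . -type f | sort ) |
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$pristine_root/themes/$rel" ]; then
            printf 'added    themes/%s\n' "$rel"
        elif ! cmp -s "$site_root/themes/$rel" "$pristine_root/themes/$rel"; then
            printf 'modified themes/%s\n' "$rel"
        fi
    done
}

# Copy a core theme to sites/default/themes/<new> so that later edits live
# outside the folder that upgrades replace. The .info file is renamed to match
# the new theme name; functions in template.php that are prefixed with the old
# theme name still have to be renamed by hand.
fork_theme() {
    site_root=$1
    base=$2
    new=$3
    dest="$site_root/sites/default/themes/$new"
    if [ ! -d "$site_root/themes/$base" ]; then
        echo "no such core theme: $base" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        echo "already exists: $dest" >&2
        return 1
    fi
    mkdir -p "$site_root/sites/default/themes" &&
    cp -R "$site_root/themes/$base" "$dest" &&
    mv "$dest/$base.info" "$dest/$new.info"
}
```

An empty listing from `modified_core_theme_files` means the core themes folder matches the release and can be replaced by the update without losing work.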

    More Installation Options

    In the first Drupal 101 post, I mentioned Fantastico, a two-click installer for Drupal available on most hosting services that use the cPanel site management interface. I subsequently ran into this useful article about Elefante and Simplescripts. These are packages that you can use to install a variety of popular open source applications, including Drupal.

    In addition to application installers, there are other options for installing Drupal:

    Customized Drupal installations like Open Atrium and Acquia come with more modules and functionality.

    There’s been some development and discussion about Installation Profiles, a Drupal add-on functionality that lets you define additional installation details, such as module defaults and inclusion of additional modules and data for distributing custom Drupal installations.


    Conclusion

    What I hope this Drupal 101 series has done is to offer some context and guidance for people new to Drupal who are about to give it a try, and some backing to my initial proposition that Drupal’s strength is its flexibility. Along the way, I’ve received tweets asking “Why Drupal?” and my answer is that Drupal isn’t the only CMS out there, or necessarily the best one for your web site. There is a huge variety of commercial and open source options. In fact, my personal website runs on a combination of Frog CMS and Wordpress, because I wanted a simple tool for integrating RSS feeds, which Frog provides, and a powerful blogging platform. On the other hand, last week the White House ditched their commercial CMS for Drupal. So this series might also inspire you to look elsewhere, particularly if a more traditional, tree-structured content management interface will work better for you than Drupal’s layout by association model. Whichever way you go, we suffer more from a surfeit of good options than a lack of same.
