Tag Archives: security

Hillary Clinton’s Shadow IT Problem

As you likely know, when Hillary Clinton was Secretary of State, she set up a private email server at home and used it for her email communication, passing up a secure government account. This was a bad idea, for a number of reasons, primary among them the fact that sensitive information could be leaked on this less secure system, and that Freedom of Information Act (FOIA) requests could be bypassed. But the burning question, at a time when Clinton looks likely to be nominated as the Democratic candidate for President, is what her motivation was for setting up the server in the first place. Was it to bypass the Freedom of Information Act? Was it to easily trade classified materials, as her most critical accusers suspect? Or was it, as she claims, because she had a lot of personal email to send and she didn’t want to manage two accounts?

This post doesn’t seek to answer those questions. Instead, it pitches yet another theory: that Clinton’s motivations might have had everything to do with technology and little to do with politics. Judicial Watch, a conservative foundation looking for evidence that Clinton broke laws in her handling of the email, received some fascinating information in response to a recent FOIA request. 

Upon joining the State Department in early 2009, Clinton immediately requested a Blackberry smartphone. Having used one extensively during her 2008 Presidential campaign, she, like almost every attorney in that decade, had fallen in love with her Blackberry, hence the request. After all, Condoleezza Rice, her predecessor as Secretary of State, had used one. President Obama had a special secure one that the NSA had developed for him. But the NSA said no. Even after being called to a high level meeting with Clinton’s top aide and five State Department officials, they still said no. The NSA offered Clinton an alternative, but it was based on Windows CE, a dramatically different, less intuitive smartphone operating system. A month later, Clinton started using her own server. Judicial Watch claims that this info proves that Clinton knew that her email was not secure, but I think that she has already admitted that. It also reveals something much more telling.

As a three plus decade technology Director/CIO (working primarily with Attorneys), I can tell you that people get attached to specific types of technology. I know a few Attorneys who still swear to this day that Wordperfect 5.1 for DOS was the best word processing software ever released. And there are millions who will tell you that their Blackberry was their virtual right arm in the 2000’s.

How devoted are people to their favorite applications and devices? I worked for a VP who was only comfortable using Word, so when she did her quarterly reports to the board, she had her assistant export huge amounts of information from our case management system. Then she modified all of it in Word. Once delivered, she had her assistant manually update the case management system in order to incorporate her changes. Efficient? Not at all. But she loved herself some Word. I’ve seen staff using seven year old laptops because they know them and don’t want to have to learn and set up a new one. And it wasn’t until the bitter end of 2014 that both my boss and my wife finally gave in and traded up their Blackberries for iPhones.

Again, the point here is not that Clinton should have ditched the secure, government system in order to use her phone of choice. In her circumstances, the security concerns should have outweighed her personal comfort. But for many, the desire to stick with tech that they know and love is often counter to logic, efficiency, security and policy. And most of us work in environments where bucking the system isn’t quite as dire as it could be for the nation’s top diplomat.

“Shadow IT” is technology that users install without company approval because they prefer it to what’s offered. What I know is that I can’t secure my network if it’s packed with technology that my users hate. Smart people will bypass that security in order to use the tools that work for them. An approach to security that neglects usability and user preference is likely to fail. In most cases, there are compromises that can be made between IT and users that allow secure products to be willingly adopted. In other cases, with proper training, hand-holding, and executive sponsorship, you can win users over. But when we are talking about Blackberries in the last decade, or the iPhone in this one, we have to acknowledge that the popularity of the product is a serious factor in adoption that technologists can’t ignore. And if you don’t believe me, just ask Hillary Clinton.

Highlights Of The 2015 Nonprofit Technology Conference

I’m back and moderately recovered from the 2015 NTC in Austin, Texas, where, along with plenty of good Texas food and beer, I shared some wisdom and learned a lot.  Here’s a summary, with my favorite pics:

#NTCBeer is a proven formula. Take a decent bar, Nonprofit techies, and a room without blaring music, and everyone has a great time, whether they’re NTEN mavens like me, or first time attendees. We estimate that about 275 people came by this year. Here’s a great shot of the room by Jason Shim:

7th annual ntcbeer - room

 

On Wednesday morning I led my session on contract negotiation. I’d been hoping for an even mix of nonprofit staff and vendors in the room, as these are the types of topics that we don’t spend enough time discussing together, but we were skewed heavily on the customer side. All the same, it was a good Q&A. I learned some tricks to add to my arsenal, such as, when buying software from small vendors or developers, arranging for rights to the source code should the vendor go under. One vendor somewhat sheepishly asked if I thought that scoping out a fixed bid discovery phase to be completed before submitting a project bid was a bad thing, and I am with him all of the way. We need to stop asking vendors for fixed pricing when there’s no realistic basis for estimating the hours. My slides, below, are a good read for anyone who is responsible for negotiating contracts; and whoever took the collaborative notes just rocked it, capturing fully the wisdom of the crowd.

On Wednesday afternoon I attended Dar Veverka and Andrew Ruginis’ session on Disaster Recovery and Backup. A solid session that covered every aspect of the topic, with practical advice for nonprofits that might have trouble budgeting time and funds to do this critical work well. Slides are here.

Thursday morning’s choice was the Google Analytics session by Yesenia Sotelo. I was looking for a good overview on what Analytics can do and how to do it, and this fully met my needs. Great news: NTEN recorded this one and the video will be available from them by March 12th! Here’s Yesenia’s inspirational presentation style, captured by official NTEN photographer Trav Williams:

[Photo: Yesenia Sotelo presenting, by Trav Williams]

 

The afternoon session was a panel by four of my favorite people, Robert Weiner, Tracy Kronzak, Dahna Goldstein and Marc Baizman. What To Do When Technology Isn’t Your Problem focused on the user side of systems implementation, pulling heavy on the mantra of “People, Process, Technology”. The slides are here, and the collaborative notes on this one are pretty good. Even more fun: here’s the quiz they gave us that you can take to see how ready your org is to implement systems successfully.

 

Friday started with an ignite plenary that featured a moving presentation by Debra Askanase on how she overcame vision impairment and unsupportive teachers to beat math anxiety and ace Calculus. Then Johan Hammerstrom of CommunityIT and I did a rambling talk on IT security, policies and Bring Your Own Device (BYOD). I was a little worried that we might have leaned too heavily on the talking head side, with the presentation weighing in at close to an hour.  But it was a crowd of our people (IT staff) and the feedback was positive. Slides are here; collaborative notes here; and, keep your eyes open, because I’ll have a URL for a video of the session later this week.

NTEN gave out a lot of awards. It was great to see Modern Courts, a New York org that advocates for adequate numbers of family law judges, win the DoGooder ImpactX video award. It was also great that friends mentioned in this post, Ken and Yesenia, won “NTENNys”, and very moving that they gave one to the late Michael Delong, a colleague with TechSoup who passed away suddenly, and far too young, last year. Lyndal Cairns joined the NTEN Award club. And I was moved to tears when my friend David Krumlauf picked up NTEN’s lifetime achievement award. David’s generous, untiring work supporting the capacity of nonprofits has always been an inspiration.

There were also a couple of pleasant surprises: Ken Montenegro, IT Director at the Asian Pacific American Legal Center and a colleague of mine in the Legal Aid community is the newest member of the NTEN Board. And Karen Graham, recently of the sadly shut-down Map Techworks program has got a new gig: Executive Director at Idealware! Congrats all around.

The last session on Friday was a strong one on User Adoption, led by Tucker MacLean, Norman Reiss, Austin Buchan and Kevin Peralta. Pushing more on the people-process-tech theme, this session really engaged the crowd and offered solid advice on how to help users feel involved in technology rollouts. Bonus: their resource section included my post on Building NPTech Culture. Sadly, they have yet to share their slides. Update! They do have slides.

As usual, I had a blast at the conference, meeting new people and catching up with old friends. It was a little difficult to socialize as well as I have in the past, given that we were staying at a variety of hotels and the convention center was massive. With a little less than 2000 attending, I think we might have been better off in a hotel. But I still had a great time at Box.org’s offices Wednesday night (a party co-hosted by Box, Caravan Studios, Twilio and others); a small Access to Justice get-together with Michelle Nicolet, Jimmy Midyette, and the aforementioned Ken Montenegro on Thursday; a great party at Container Bar, hosted by the Chronicle of Philanthropy; the dinner below on Friday, followed up by Michelle Chaplin’s karaoke party, where I scratched “singing Randy Newman’s Guilty (best known by the Bonnie Raitt cover) in public” off of my bucket list. What’s going to top that next year?

Iron Works BBQ Dinner

Where I’ll Be At 15NTC

The 2015 Nonprofit Technology Conference starts on March 3rd and marks my tenth year attending (out of the last eleven). Based on my prior experience, I’m looking forward to a highly enriching and rewarding social event, hanging out with about 2500 of the nicest people I could ever hope to know, this year at the Austin (Texas) Convention Center.

Huh! So we’re Convention Center-sized now. The challenge — which NTEN pulled off with over 2000 attendees last year — is to host that many people and still maintain an atmosphere of community. Last year, during the Ignite plenary, Susan Reed told a story that was breathtakingly personal and inspirational, displaying an impressive level of trust in the community. I wonder what we’ll see this year, just as I wonder if the sheer size of the facility might daunt us. But what I do know is that the NTEN staff set a tone that is remarkably open and welcoming, and they craft the event in ways that make it more difficult to avoid meeting a ton of new people than to make new friends. I will literally know hundreds of the people attending, but I fully expect to have at least 25 new friends by the time the Geek Games have subsided and we all head home.

So, where will I be?

Tuesday, 3/3, 7:00 pm: #NTCBeer

This seventh annual pre-conference social event that combines great people with good beer (and other beverages) will be held at The Cedar Door.  In addition to a good beer selection, we’ll have a private room with full bar and plenty of options for good food to eat.

We’ll see if we top the approximately 300 people that showed up in DC last year (with more turned away as the bar hit capacity). Note that, while #ntcbeer is a conference event, we don’t turn away friendly nptechies who just happen to be in town.

Thanks to NTEN for finding the location this year! If you plan on attending, please let us know on the #ntcbeer Facebook event page.

Wednesday, 3/4, 10:30 am: Software and Service Contracts – How to Negotiate Reasonable Terms in the Cloud Era

Rounding out my wonky trio of tech management topics (Project Management at 13NTC; Requests for Proposals at 14NTC), we’ll talk about the key things to challenge vendors on and the best tone to set in negotiations, with some new thinking on what needs to be addressed for hosted (cloud) systems. I blogged on the NTEN Blog about this session in greater detail, and you can register for it on the Sched page, assuming that you’ve signed up for MyNTC.

Thursday, 3/5, 6:00 pm: Access To Justice Get-together

Do you work in legal aid? Join us at an informal drinks and, possibly, dinner meetup at Banger’s Sausage House and Beer Garden. You can RSVP on NTEN’s social events calendar (Thursday tab, row 8).

 

Friday, 3/6, 10:30 AM: Crafting IT Policy to Improve Security and Manage BYOD

I’ll be joining Johan Hammerstrom, CEO of Community IT Innovators, in a session that discusses the latest security threats and offers tools and a framework for defending our orgs from them. We’ll start with a talk about securing information when it no longer lives behind a firewall, then move to new ideas about dealing with security breaches, then on to standard IT policies, including Bring Your Own Device (BYOD), assuming that’s still a topic of great interest. You can register for this session here.

 

Other than that, I’ll be all over the place and on Twitter. If you want to meet up, ping me there!

How I Spent My 2015 Technology Initiative Grants Conference

I’m back from our (Legal Services Corporation) 15th annual technology conference, which ran from January 14th through the 16th in San Antonio, Texas. It was a good one this year, with a great location, good food, great people – nearly 300 of them, which is quite a record for us. There were plenty of amazing sessions, kicked off by a fascinating keynote on international access to justice web app partnerships. Slides and videos will be up soon on LSC’s website. But I did want to share the slides from my sessions, which all seemed to go very well. I did three:

Are You Agile

I kicked off the first morning doing a session on agile project management with Gwen Daniels of Illinois Legal Aid Online. My slides provided a basic overview of project management concepts, then Gwen did a live demo of how ILAO uses Jira and a SCRUM methodology to develop websites and applications. Having studied agile more than actually practicing it, I learned a lot from her.  The combined slides will be up on LSC’s site. I pulled my intro from this broader presentation that I did at the Nonprofit Technology Conference in 2013:

Shop Smart: How A Formal Procurement Process Can Safeguard Your Investments

On Thursday, I summarized everything I know about software and vendor selection, writing proposals, and negotiating contracts into this dense presentation on how to purchase major software systems.

Security Basics

And on Friday, usual suspect Steve Heye and I led a session on security, factoring all of the things that we think orgs should know in an era of frequent, major breaches and distributed data.

I’ll hit some of these same themes in March at the Nonprofit Technology Conference, where I’ll be speaking on contract negotiations (cloud and otherwise) and information policies (with Johan Hammerstrom of CommunityIT). See you there?

Should You Outsource Your IT Department?

This post was originally published on the MAP Techworks Blog in November of 2014. 

For a nonprofit that’s reached a size of 25 or more staff, a key question revolves around how to support technology that has grown from a few laptops and PCs to a full-blown network, with all of the maintenance and troubleshooting that such a beast requires. Should you hire internal IT staff or outsource to a more affordable vendor for that support? I’d say that the key question isn’t should you — that’s more a matter of finances and personal preferences. But what you outsource and how you go about it are critical factors.

The IT departments that I’ve worked on provided a range of services, which I’ve always broken down into two broad categories.  The first is the plumbing: computer maintenance, installation, database input, training, and tech support.  These functions can, with a few caveats, be successfully outsourced. The caveats:

  • You can’t just hire the outsourced IT firm and expect them to understand your needs after an initial meeting and walk-through.  They should be micro-managed for the first month or two.  Their inclination will be to offer a generic level of support that may or may not work for your application mix or your company culture. Orient them; set clear expectations and priorities; and check their work for a good while. If you don’t, your staff might immediately lose faith in them, setting up a situation where they don’t use the service you’re paying for and, when they do interact, do it begrudgingly.  The outsourced staff should be on your team, and you need to invest in onboarding them.
  • Everyone has to remember that it’s your network. Don’t give the outsourced service the keys to your kingdom.  You should keep copies of all passwords and they should understand that changing a system password without your prior knowledge, consent, and an updated password list is a fire-able offense.  And be ready to fire them — have a backup vendor lined up.

The other bucket is strategic tech planning. In-house infrastructure or cloud. Data management strategy. How tech integrates into a broader strategic plan and supports the mission.  How tech plays into the strategies of our partners, our clients, and our communities. These components can benefit from the advice of a good consultant, but are too integral to the work and culture of an organization to be handed off to outsiders wholesale.

Outsourcing your tech strategy can be a dangerous gamble.  If you have a great consultant who really cares about your mission, they can offer some good advice. But, in most cases, the consultants are more interested in pushing their tech strategy than developing one that works well with your organizational culture.  I find that my tech strategy is heavily informed by my understanding of my co-workers, their needs, and their ability to cope with change.  To get all that from outside of an organization requires exceptional insight.

Let me make that point another way — if you don’t have a tech strategist on your internal, executive team, you’re crippled from the start. These days, it’s as essential as having a development director and a finance person. Consultants can inform and vet your ideas, but you can’t outsource your tech strategy wholesale to them. It’s core to the functionality of any successful nonprofit.

The right outsourcer can be cost effective and meet needs. But be very thorough in your selection process and, again, do some serious onboarding, because your dissatisfaction will be tied completely to their lack of understanding of your business and your needs. There are a number of NP-specific vendors (Map for Nonprofits, former NPowers and others, like DC’s CommunityIT) that get us and are better choices, in general, than the commercial services.

A Tale Of Two (Or Three) Facebook Challengers

For a website that hosts so many cute pet videos, Facebook is not a place that reeks of happiness and sincerity. It’s populated by a good chunk of the world, and it’s filled with a lot of meaningful moments captured in text, camera and video by people who know that, more and more every day, this is where you can share these moments with a broad segment of your friends and family. And that’s the entire hook of Facebook — it’s where everybody is. The feature set is not the hook, because Google Plus and a variety of other platforms offer similar feature sets. And many of those competitors, including Google’s offering, are more sensitive to the privacy concerns of their users and less invasive about how they share your data with advertisers.

Many of my professional acquaintances are on both Facebook and Google Plus. But they comprise only about a third of my Facebook friends. So I check Facebook most every day.  I go to Google Plus on rare occasion.

Facebook has a well-known history of overstepping. From the numerous poorly thought out schemes to court advertisers by letting them tell the world what lingerie we’re buying to using our photos in sidebar advertising, to the constant updating of security settings that seems to always result in less security, it’s clear to most of us that Facebook is trying to please its advertisers primarily, and we are more the commodity that they broker than the clientele that they serve.

A few years ago, some people who valued Facebook but were fed up with these concerns developed Diaspora, the anti-Facebook — a network that is built on open source software; distributed, and highly respectful of our right to own and control our content. Diaspora does this by storing the data in “pods”, which are individual data stores hosted by users. You can join a friend or neighbor’s pod, or start your own. The pods, which work a lot like peer-to-peer apps like BitTorrent, communicate with each other, but the people who run Diaspora do not control that data. You can blow away your pod from your file manager or command line if you care to, and nobody is going to stop you. If these networks were fictional, Facebook would have been created by Andy Warhol and Diaspora by Ursula Le Guin.

And this week’s big news is Ello, which, like Diaspora, has defined itself in relationship to Facebook as the user-focused alternative.  Ello is, at present, a rough beta network that shows glimmers of elegance.  Their manifesto is poetry to BoingBoing readers like me:

“Your social network is owned by advertisers.

Every post you share, every friend you make, and every link you follow is tracked, recorded, and converted into data. Advertisers buy your data so they can show you more ads. You are the product that’s bought and sold.

We believe there is a better way. We believe in audacity. We believe in beauty, simplicity, and transparency. We believe that the people who make things and the people who use them should be in partnership.

We believe a social network can be a tool for empowerment. Not a tool to deceive, coerce, and manipulate — but a place to connect, create, and celebrate life.

You are not a product.”

But let’s be clear about Ello. It’s centralized, like Facebook; not distributed, like Diaspora.  It was built with about half a mil of venture capital funding. It will need to make money at some point in order to return on that investment.  As we watch Twitter get more and more commercialized, we know that this is a story just waiting to happen.

So, what am I saying?  That we should skip Ello and proceed to Diaspora?  Sadly, no.  While Diaspora has the model that I believe is viable to sustain a non-commercial, user-focused network, Grandma isn’t going to host her own server pod.  Peer-to-peer technology is not ready for prime time yet.  So I don’t see a Facebook killer here, or there, or anywhere in sight.  I see people who understand that the crass pimping of our personal lives that Mark Zuckerberg calls a business model is problematic and worthy of replacing.  We can’t replace it with something too geeky for the masses, nor can we replace it with a clone that kinda hopes that it will have a better business model (but likely will only have a less abrasive version, much like Google Plus).

I have a lot of high hopes lately.

I hope that we can curtail this trend of training our local police to be paramilitary units and champion nationwide community policing, as a community controls and reduces crime, while a military goes to war.

I hope that we can reverse the damage that was done when TV News programs became subject to Neilsen ratings.  I consider that to have been a dark day for our society. It was the hard turn that steered us to a place where news is available for whatever biased lens that you want to view it through.

And I hope that somebody will develop a Facebook competitor with a viable business model and a compelling feature set that will yank all of my friends and family out of their complacent acceptance of Facebook’s trade-offs. In this digital era, this is insanely important. We commune online; we share our most treasured moments. We sway each other’s attitudes on important matters.  The platform has to be agnostic, and it has to be devoted to our goals, not those of a third party, such as advertisers.  We have enough problems with societal institutions that have a stated purpose, but answer to people with different aims.

These are all realistic dreams.  But they seem pretty far away.

Why You Should Delete All Facebook Mobile Apps Right Now

It’s nice that Facebook is so generous and they give us their service and apps for free. One should never look a gift horse in the mouth, right? Well, if the gift horse is stomping through my bedroom and texting all of my friends while I’m not looking, I think it bears my attention. And yours. So tell me why Facebook needs these permissions on my Android phone:

  • read calendar events plus confidential information
  • add or modify calendar events and send email to guests without owners’ knowledge
  • read your text messages (SMS or MMS)
  • directly call phone numbers
  • create accounts and set passwords
  • change network connectivity
  • connect and disconnect from Wi-Fi

This is a cut and pasted subset of the list, which you can peruse at the Facebook app page on Google Play. Just scroll down to the “Additional Information” section and click the “View Details” link under the “Permissions” header. Consider:

  • Many of these are invitations for identity theft. Facebook can place phone calls, send emails, and schedule appointments without your advance knowledge or explicit permission.
  • With full internet access and the ability to create accounts and set passwords, Facebook could theoretically lock you out of your device and set up an account for someone else.
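The permission review the post describes can be done from an app’s manifest rather than the Play Store page. The following is an added example, not code from the original post: it parses a constructed AndroidManifest.xml with Python’s standard library and flags the permissions whose Play Store descriptions the post quotes. The manifest contents, the function names and the mapping from permission constants to those descriptions are my own assumptions for illustration.

```python
"""Flag high-risk permissions declared in an Android app manifest.

Added illustration, not code from the original post. The sample manifest is
constructed, and the mapping below from permission constants to the Play Store
wording quoted in the post is the example author's reading, not Google's table.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission constant -> Play Store description quoted in the post (mapping is an assumption).
HIGH_RISK = {
    "android.permission.READ_CALENDAR": "read calendar events plus confidential information",
    "android.permission.WRITE_CALENDAR": "add or modify calendar events and send email to guests",
    "android.permission.READ_SMS": "read your text messages (SMS or MMS)",
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.AUTHENTICATE_ACCOUNTS": "create accounts and set passwords",
    "android.permission.CHANGE_NETWORK_STATE": "change network connectivity",
    "android.permission.CHANGE_WIFI_STATE": "connect and disconnect from Wi-Fi",
}

# Constructed sample manifest; the package name is a placeholder.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.socialapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.AUTHENTICATE_ACCOUNTS"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> value, in declaration order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def flag_high_risk(manifest_xml):
    """Map each declared permission on the watch list to its plain-language meaning."""
    return {p: HIGH_RISK[p] for p in declared_permissions(manifest_xml) if p in HIGH_RISK}


if __name__ == "__main__":
    for perm, meaning in flag_high_risk(SAMPLE_MANIFEST).items():
        print(f"{perm}: {meaning}")
```

Run against a real manifest (for example one extracted with the Android SDK’s aapt tool), the same function gives a reviewer the list of capabilities worth questioning before approving an app for staff devices.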

Now, I’m not paranoid — I don’t think that the Facebook app is doing a lot of these things.  But I have no idea why it requires the permissions to do all of this, and the idea that an app might communicate with my contacts without my explicit okay causes me great concern. Sure, I want to be able to set up events on my tablet.  But I want a box to pop up saying that the app will now send the invites to Joe, Mary and Grace; and then ask “Is that okay?” before it actually does it.  I maintain some sensitive business relationships in my contacts.  I don’t think it’s a reasonable thing for Facebook to have the ability to manage them for me.

This is all the more reason to be worried about Facebook’s plan to remove the messaging features from the Facebook app and insist that we all install Facebook Messenger if we want to share mobile pictures or chat with our friends. Because this means we’ll have two apps with outrageous permissions if we want to use Facebook on the go.

I’ve always considered Facebook’s proposition to be a bit insidious. My family and friends are all on there.  I could announce that I’m moving over to Google Plus, but most of them would not follow me there.  That is the sole reason that I continue to use Facebook.

But it’s clear to me that Facebook is building its profit model on sharing a lot of what makes me a unique individual. I share my thoughts and opinions, likes and dislikes, and relationships on their platform. They, in turn, let their advertisers know that they have far more insight into who I am, what I’ll buy, and what my friends will buy than the average website. Google’s proposition is quite similar, but Google seems to be more upfront and respectful about it, and the lure I get from Google is “we’ll give you very useful tools in return”. Google respects me enough to show some restraint: the Google+ app on Play requires none of the permissions listed above. So I don’t consider Facebook to be a company that has much respect for me in the first place. And that’s all the more reason to not trust them with my entire reputation on my devices.

Do you agree? Use the hashtag #CloseTheBook to share this message online.

Is It Time To Worry About Cybercrime?

This article was originally posted on the Idealware Blog in September of 2011.

For the past decade, the bulk of unlawful web-based activities have been profit-motivated: phishing, spam, “Nigerian” money scams, and hacking to get credit cards. This year has seen a rise in politically motivated crimes, most widely exemplified by the loosely-knit group of hackers known as “Anonymous”. Anonymous hackers attack the websites of organizations, be they government, corporate or otherwise, that they deem to be repressive or unethical. In addition to defacing the sites, they’ve also routinely exposed confidential user information, such as login names, passwords and addresses. If we are now entering the age where political cybercrime is commonplace, what does that mean for nonprofits? How can we defend ourselves when we already struggle with basic security on tight budgets and limited resources?

Two high profile victims were Sony, the gigantic electronics and entertainment conglomerate, and BART, the Bay Area Rapid Transit commuter service.

  • Sony was initially a target for Anonymous after they took legal action against a computer geek named George Hotz, who figured out how to reprogram a Playstation game device in order to play blocked third-party games on it. This violated the Sony license, but the hacking and gaming communities felt that the license restriction wasn’t very fair in the first place. They considered the action against Hotz unwarranted and severe. Sony also, famously, installed a hacker’s rootkit, themselves, on a number of music CDs with interactive computer features, and were sued for that crime. Could it be that the hackers were particularly annoyed that this mega-corporation will stoop to their tactics, but sue them for similar actions?
  • BART was targeted for more visceral actions.  Their internal police force shot Oscar Grant, an unarmed youth, in the back a few years ago, and then, again, recently, fired on a homeless man holding a knife, killing him. These actions drew the attention of the community and resulted in protests, some violent.  But BART only drew the attention of Anonymous when they took the step of blocking cell phone service at their four downtown San Francisco stations in order to quell communication about a planned protest.  This action is under investigation by the FCC and has been decried by the ACLU; it was quite likely illegal. Then it was revealed that, at a press conference to discuss the protests, they seeded the audience with BART proponents coached in what to ask and say.

Anonymous hacked a dozen or more Sony Websites and three BART websites in protest/retaliation for what they consider to be corporate crime. Here’s how easy it was for them: one of the Sony servers containing hundreds of thousands of user account records was running on an old, unpatched version of Apache with no encryption. The initial attack was simply accomplished using a hack (SQL Injection) that is ridiculously easy to block (by updating to a current software version, in most cases). The Administrator password to get into the BART police site was “admin123”.  The “hacker” who broke into that site reported that she’d never hacked a web site in her life, she just did a bit of googling and got right in.
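Both failures named above, an injectable query over a table of user records and a guessable administrator password, are cheap to prevent. The following is an added example, not code from the original article or from either company: using Python’s built-in sqlite3 module and a constructed three-row user table, it shows the string-spliced query pattern that SQL injection abuses next to the parameterised form, plus a minimal weak-password check. The table contents, the password denylist and the function names are assumptions for illustration.

```python
"""Injectable versus parameterised lookup, and a weak-password check.

Added example; not code from the original post. All data is constructed.
"""
import sqlite3


def make_db():
    """Constructed sample data standing in for a site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.org"),
        ("bob", "bob@example.org"),
        ("carol", "carol@example.org"),
    ])
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """The defect SQL injection exploits: caller input is spliced into the SQL text,
    so quote characters in the input change the query's logic."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterised query: the driver passes the value separately and it is
    compared as data, never interpreted as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed denylist; a real deployment would check against a large breached-password list.
COMMON_PASSWORDS = {"admin123", "admin", "password", "123456", "letmein"}


def is_weak_password(password, min_length=12):
    """Reject passwords that are short or on the denylist (case-insensitive)."""
    return len(password) < min_length or password.lower() in COMMON_PASSWORDS


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # the textbook input that turns a lookup into a dump
    print("vulnerable:", find_user_vulnerable(db, probe))  # returns every row
    print("safe:      ", find_user_safe(db, probe))        # returns nothing
    print("admin123 weak?", is_weak_password("admin123"))
```

The point for a small shop is that neither fix needs budget: parameterised queries are a one-line change in any mainstream database library, and a denylist check at password-set time stops the “admin123” case before it ever reaches production.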

These were corporate web sites, run by companies that take in vast amounts of consumer dollars every day, and they couldn’t be bothered to do even the minimum amount of safeguarding of their customers’ data. They might not be the criminals, but is it wild to suggest that they were criminally negligent? This isn’t a matter of them not having the money, resources or available expertise to protect our data. It was a matter of them not taking the responsibility to protect it.

What can nonprofit organizations, that aren’t obsessed with bottom lines, do to avoid the problems that BART and Sony have faced?

  • First and foremost, we need to protect constituent data. If your NPO doesn’t have the wherewithal to do that internally, then your online data should be hosted with companies that have strong commitments to security and privacy of customer data.
  • Second, should breaches occur (and they do), your primary goal should be timely, open communication with the victims of the data breach. We’re getting past the point where our constituents are naive about all of this (Sony has done a great job of prepping them for us). So your first response to exposed constituent data should be to tell the constituents exactly what was exposed.
  • One uncomfortable situation like this won’t kill your credibility, but a history of bad or callous relationships will amplify it.  This is one of the reasons why good social media policies are critical — the people who can support or sink you when something like a data breach occurs are on Twitter and Facebook, and they’ll feed the media stream with support or slander, depending on how well you relate to them.
  • We promote causes online, but we admit faults there, too.  We don’t engage customers by lying to them, hiding things that impact them, or dictating the terms of our relationships with them.
  • Our supporters are people, and they have their motivations for supporting us (or not) and their ideas about how they should be doing it.  Their motivations and reasoning might be quite different from what we assume. Accordingly, we should be basing our assumptions — and campaigns — on the best feedback that we can coax out of them.  Long-held industry assumptions are suspect simply because they’re long-held, in a world where technology, and how we interact with it, is constantly changing.

If we ever needed reverse primers in how to manage constituent relationships, the Sony and BART fiascos are prime ones. They are victims of illegal and unethical behaviour. But by viewing their customers and constituents as threats, with callous regard for the people who keep them in business in the first place, they’ve created a public relationship that did nothing to stem the attacks. Sony has put far more money and effort into attacking and dehumanizing their customers with lawsuits and invasive, annoying copyright protection schemes than they have into listening, or trying to understand the needs and desires of their constituents. BART has tried to block their ears so tightly to shut out public criticism of their violent, shoot-first police force that they’ve crossed constitutional lines of conduct. We — nonprofits — know better. It’s a two-way relationship, not a dictatorial relationship with our supporters, that will serve as our most effective firewall.

How Glenn Beck Incites Violence

The above clip is one of the more succinct examples of what Glenn Beck spends just about every day doing: taking historical facts, arranging them in a shady jigsaw puzzle of innuendo, and then identifying individuals that he claims are diabolically plotting to destroy America. It’s the equivalent of taking the noodles out of your bowl of alphabet soup, arranging them into a death threat, and then attributing the threat to someone you’ve never met.

Frances Fox Piven is a Professor of Political Studies and Social Science who, like many patriotic Americans, was a radical in the sixties.  How radical?  She co-authored a paper suggesting that, were the welfare system to be taxed to the point of failure, it might result in a government-backed mandatory wage for all citizens.  If that sounds like socialism, it’s only because it is socialism.

However, Ms. Piven’s greatest accomplishment was not the destruction of the welfare system or the end of capitalism.  Instead, she is best credited for introducing the tie-in between voter registration and the DMV.  So, the woman who made it easier for Americans to vote is Beck’s poster child for the forces that are out to destroy our country.

So, it comes out that, in the last two years, since Beck started his prime time crusade to malign her, Ms. Piven has received a steady stream of nasty death threats.  Really nasty:

“I got e-mails that said, ‘Die You Cunt’, and ‘May cancer find you soon'”, she tells The Progressive. “And people are posting my address on the Internet with their messages that are really crude and ugly and violent.”

Piven’s politics were radical, but not as radical as suggesting that the founding of the U.N. and the abolishment of slavery were merely pieces of an anarchist/communist plot to destroy America.  But Mr. Beck and his blackboard are perfectly willing to float that hypothesis as if it were fact. And, once floated, he’s happy to then single out Ms. Piven as a key architect of this attack on America. Frances Fox Piven, a woman who cared deeply about all Americans and devoted her life to ending poverty, is a radical anarchist out to destroy our way of life.  Glenn Beck isn’t trying to protect us — he’s just making sure that we know that the plot to destroy our country exists, and Piven is one of the people responsible.

Beck’s acolytes believe him to be sincere, and they’re willing to take his word that Piven poses a threat to their security.  As I’ve been blogging here, Beck fans have loaded up their cars and set off to kill people that Beck identified similarly before.

It’s tempting to equate what Beck does to yelling fire in a crowded theater.  But what he does is far more insidious.  Imagine what your life would be like if you were the constant recipient of nasty, sometimes obscene death threats.  There should be laws against this type of malicious maligning of people whose politics don’t agree with his; there should certainly be human decency that says, “I’m not going to inspire this type of behavior”.  Beck has no such decency, and he isn’t engaging in political debate.  What he’s doing is far more personal, sadistic, and cruel.  And it will likely result in murder soon. It’s kind of a miracle that it hasn’t yet.

Why the TSA Groping is a Big, Big Problem

[Image: TSA before-and-after]

Photo by Raymond Mendosa

I’ve been pretty horrified by the new TSA security procedures since I first caught wind of them.  The Boing Boing blog has been doing excellent coverage of the fiasco, providing the best examples of how damaging these new exposing and groping procedures can be to innocent Americans, and why crossing over from threat detection to threat assumption policies is bad, bad, bad for our democracy.

I’ve also been hearing the backlash against the complaints. A number of people had relatively painless holiday travel experiences last week and are now saying it was all a lot of hype. But I continue to consider a level of terrorist prevention this extreme to be more likely to traumatize Americans than the threat they’re protecting us from will. It’s not about the 95% of the population who, like me, can pretty much shrug and say “I don’t care that much if you photograph me semi-nude” or, “I can tolerate a little more radiation — it’s not like this is the only place I’m exposed to it” or, even, “I get that you’re going to touch my private parts and that this isn’t molestation; you’re not enjoying it either”. It’s about the rape and molestation victims, past and future, as well as the people who, for personal or religious reasons, can’t minimize the trauma of being exposed to or groped by strangers. Not the majority of us, but a very significant minority.

So then I see an article like this, which has the top TSA official basically saying to parents (like me), “don’t explain to your children that what the TSA agent is about to do to you is necessary, but should never, ever be tolerated by strangers when Mommy and/or Daddy aren’t right here with you and it isn’t absolutely required for security reasons”, but, instead saying, “tell your kid that the TSA agent is just playing a harmless game that involves touching you”.  Because strangers touching children’s genitalia is, of course, no big deal and the priority here is to make sure everyone is calm and smiling as they submit to these procedures.  Months later, when lecherous Uncle Eddie wants to play the same game, well, Mommy and Daddy know about this game and said it was okay for the TSA agent to play, so they’re not going to consider this a problem…

Security at the cost of the humiliation of abused adults and government-approved molesting of children terrorizes citizens. It doesn’t make us more secure, even if it’s not a “big deal” for most of us. This is a government-sanctioned human rights violation, and we really shouldn’t tolerate it.