Tag Archives: security

Why the TSA Groping is a Big, Big Problem

[Image: tsa_before-after. Photo by Raymond Mendosa]

I’ve been pretty horrified by the new TSA security procedures since I first caught wind of them.  The Boing Boing blog has been doing excellent coverage of the fiasco, providing the best examples of how damaging these new exposing and groping procedures can be to innocent Americans, and why crossing over from threat detection to threat assumption policies is bad, bad, bad for our democracy.

I’ve also been hearing the backlash against the complaints.  A number of people had relatively painless holiday travel experiences last week and are now saying it was all a lot of hype.  But I continue to consider a level of terrorist prevention this extreme to be more likely to traumatize more Americans than the threat they’re protecting us from will.  It’s not about the 95% of the population who, like me, can pretty much shrug and say “I don’t care that much if you photograph me semi-nude” or, “I can tolerate a little more radiation — it’s not like this is the only place I’m exposed to it” or, even, “I get that you’re going to touch my private parts and that this isn’t molestation, you’re not enjoying it either”.  It’s about the rape and molestation victims, past and future, as well as the people who, for personal or religious reasons, can’t minimize the trauma of being exposed to or groped by strangers.  Not the majority of us, but a very significant minority.

So then I see an article like this, which has the top TSA official basically saying to parents (like me), “don’t explain to your children that what the TSA agent is about to do to you is necessary, but should never, ever be tolerated by strangers when Mommy and/or Daddy aren’t right here with you and it isn’t absolutely required for security reasons”, but, instead saying, “tell your kid that the TSA agent is just playing a harmless game that involves touching you”.  Because strangers touching children’s genitalia is, of course, no big deal and the priority here is to make sure everyone is calm and smiling as they submit to these procedures.  Months later, when lecherous Uncle Eddie wants to play the same game, well, Mommy and Daddy know about this game and said it was okay for the TSA agent to play, so they’re not going to consider this a problem…

Security at the cost of the humiliation of abused adults and government-approved molesting of children terrorizes citizens.  It doesn’t make us more secure, even if it’s not a “big deal” for most of us.  This is a government-sanctioned human rights violation, and we really shouldn’t tolerate it.

Why Does The Right Attack Nonprofits?

Robert Egger’s brilliant response to Rush Limbaugh’s recent diatribe against nonprofit employees is a must watch, particularly the last five seconds or so, which neatly sum it up. Limbaugh claims that nonprofit employees are “lazy idiots” and “rapists” of the economy. Wow, like what he does for a living is so healthy…

This came a month or so after a madman was stopped on the Golden Gate Bridge in San Francisco with a car full of weapons, headed to kill people at the ACLU and the Tides Foundation. Both of these organizations work to protect people’s rights, the ACLU being the better known of the two. Lesser known Tides’ mission is to promote social justice and maintain a healthy, sustainable environment. Why did the would-be killer target them?

Glenn Beck makes his living by standing in front of a blackboard and espousing paranoid-inducing theories about democratic cabals aimed at destroying the American way of life.  His rants have succeeded in getting White House officials, such as Van Jones, removed, and, along with other Fox News conspirators, ACORN, a voter registration organization, disbanded.  In the first case, the White House, shamefully, asked Jones to resign in the face of all of the ridiculous criticism.  In the second, Fox News aired doctored footage alleging that ACORN helped pimps and prostitutes, creating falsified scandals that drove the nonprofit under.  ACORN was investigated, and the investigation found some evidence of tax evasion and questionable destruction of documents, but, notably, absolutely no consulting on prostitution practices or, as was widely alleged, improper handling of voter registrations. But all of this started when Beck chose them — as he did with Tides — as fodder for his unsubstantiated and false conspiracy theories.

I sum up Limbaugh’s comments as his standard, poorly thought-out rambling.  He meant some particular nonprofit or sort of nonprofit, and chose far too broad a term to make a lucid point.  But I question whether Limbaugh is ever capable of making lucid points. If we didn’t have the evidence of the bust for Oxycontin abuse, it wouldn’t be hard to still recognize drug-addled behavior.

What Beck does is far more insidious and dangerous. Like Limbaugh, he’s not concerned at all with honestly portraying the people and groups he discusses.  He’s building a narrative, one that the viewers can watch and feel that they have a special stake in, relayed by his tear-filled eyes and cautioning tone. This intimate dialogue is really engaging.  But Beck is entirely unwilling to be accountable for the lies that he spreads, even when they come close to inspiring mass murder.

It’s completely unintuitive and bizarre that nonprofits — poorly resourced organizations that struggle to do the work that our government does less and less of — are lambasted and threatened by the people that rally loudest for eliminating government programs.  We’re the ones who are getting important work done with funding that is volunteered, not assessed.  Most nonprofits have no leftist or rightwing agenda — they have clearly stated missions that they’re trying to serve (as Egger’s video makes clear).  Maybe Beck and Limbaugh should be a bit more appreciative of the fact that we enable mouths to be fed, museums and parks to stay open, and air to continue to be breathable in a country where the government can get fewer and fewer social services funded.

Tech Tips From The Nonprofit Technology Conference

This article was first published on the Idealware Blog in May of 2010.

Last month, I reported on the first annual Tech Track, a series of sessions presented at the April, 2010 Nonprofit Technology Conference. In that post I listed the topics covered in the five session track. Today I want to discuss some of the answers that the group came up with.

Session 1: Working Without a Wire

This session covered wireless technologies, from cell phones to laptops. Some conclusions:

  • The state of wireless is still not 100%, but it’s better than it was last year and it’s still improving. Major metropolitan areas are well covered; remote areas (like Wyoming) are not. There are alternatives, such as satellite, but that still requires that your location be in unobstructed satellite range. All in all, we can’t assume that wireless access is a given, and the challenge is more about managing staff expectations than installing all of the wireless by ourselves. It will get there.
  • Wireless security options are improving. Virtual Private Networks (VPNs) and remote access solutions (such as Citrix, VNC and Terminal Services) are being provided for more devices and platforms, and the major smartphone companies are supporting enterprise features like remote device wipes.
  • Policy-wise, more orgs are moving to a model where staff buy their own smartphones and the companies reimburse a portion of the bill to cover business use. Some companies set strict password policies for accessing office content; others don’t.

Session 2: Proper Plumbing

This session was pitched as covering virtualization and other server room technologies, but when we quizzed the participants, virtualization was at the top of their list, so that’s what we focused on.

  • We established that virtualizing servers is a recommended practice. If you have a consultant recommending it and you don’t trust their recommendation, find another consultant and have them virtualize your systems, because the recommendation is a good one, but it’s a problem that you don’t trust your consultant!
  • The benefits of virtualization are numerous — reduced budgets, reduced carbon footprints, instant testing environments, 24/7 availability (if you can upgrade a copy of a server and then switch it back live, an advanced virtualization function).
  • There’s no need to rush it — it’s easier on the budget and the staff, as well as the environment, to replace standalone servers with virtualized ones as the hardware fails.
  • On the planning side, bigger networks do better by moving all of their data to a Storage Area Network (SAN) before virtualizing. This allows for even more flexibility and reduced costs, as servers are strictly operating systems with software, and data is stored on fast, redundant disk arrays that can be accessed by any server, virtual or otherwise.

Session 3: Earth to Cloud

The cloud computing session focused a lot on comparisons. While the general concern is that hosting data with a third party is risky, is it any more risky than hosting it on our own systems? Which approach is more expensive? Which affords the most freedom to work with our data and integrate systems? How do we manage disaster recovery and business continuity in each scenario?

  • Security – Everyone is hackable, and Google and Salesforce have a lot more expertise in securing data systems than we do. So, from a “is your data safe?” perspective, it’s at least a wash. But if you have sensitive client data that needs to be protected from subpoenas, as well as or more than from hackers, then you might be safer hosting your own systems.
  • Cost – We had no final answers; it will vary from vendor to vendor. But the cost calculation needs to figure in more than dollars spent — staff time managing systems is another big expense of technology.
  • Integration and Data Management – Systems don’t have to be in the same room to be integrated; they have to have robust APIs. And internal systems can be just as locked down as external ones if your contract with the vendor doesn’t give you full access and control over your data. This, again, was a wash.
  • Risk Management – There’s a definite risk involved if your outsourced host goes out of business. But there are advantages to being hosted, as many providers offer multiply-redundant systems. Google, in particular, writes every save on a Google Doc or GMail to two separate server farms on two different continents.
It all boils down to assessing the maturity of the vendors and negotiating contracts carefully, to cover all of the risks. Don’t sign up with the guy who hosts his servers from his basement; and have a detailed continuity plan in place should the vendor close up shop.
If you’re a small org (15 staff or less), it’s almost a no-brainer that it will be more cost-effective and safer to host your email and data in the cloud, as opposed to running your own complex CRMs and Exchange servers. If you’re a large org, it might be much more complex, as larger enterprise apps sometimes depend on that Exchange server being in place. But, all in all, cloud computing is a viable option that might be a good fit for you — check it out, thoroughly.

I’ll finish this thread up with one more post on budgeting and change management in the next few weeks.

Void Rage: Unable to Muster Facebook Anger

Following is a guest post from Jon Loomer, offering a different perspective on Facebook’s privacy changes.

Jon Loomer’s career has evolved from overseeing Fantasy Basketball product, content, marketing and promotion for the National Basketball Association to his current position as VP of Strategic Marketing for a non-profit. His focus is on social media strategy, Facebook and mobile development. You can follow him on Twitter @JonLoomer or read his blog focused on the subject of baseball at TippingPitches.blogspot.com. The following opinions are his only and do not reflect those of his affiliations.

It took a few weeks, but internet rage over Facebook’s Like button and latest privacy ramifications is in full swing. Bloggers swinging at Facebook’s knee caps with aluminum bats seem to outnumber those who come to CEO Mark Zuckerberg’s defense 20:1. And if a blogger does post a defense, duck and cover as soon as you hit “publish” because the rage will bubble up from the comments section.

So when Peter asked me if I’d be interested in writing a guest post on his blog in defense of Facebook’s changes, I had mixed emotions. On one hand, I’m absolutely flattered that he’d ask. On the other, I’m uncomfortable taking a hugely unpopular stand. The position is so unpopular that it ventures into “controversial” territory. Can I post anonymously?

I’m not a controversial dude. And any controversial opinions I have, I tend to keep relatively private, restricted to my inner circle.

But here’s the irony: I share these “controversial” opinions on Facebook. And I only share them with a small group of friends by using lists. But to the outer circle, I’m a harmless guy without much flare for the dramatic.

You must be outraged!

I may avoid controversy, but Facebook feeds off of it. Everywhere I turn, I read another blog telling me how angry I should be with Facebook’s dangerous disregard for my privacy. And because of this, a small part of me is trying to convince the rest of me that I, too, need to be outraged. But I can’t conjure up the energy.

The Utility of Facebook
First a little background on me as a Facebook user. I’ve used Facebook since it rolled out to the non-student public in 2006. My company partnered with Facebook on an application for that initial launch. So I’ve been there from “the beginning.”

And I’ve also been there through a multitude of changes, some vertical and some lateral. No matter how major the changes were, they were controversial. And the uproars increased as the Facebook population screamed past 100, 200, 300 and 400 Million.

This undoubtedly has something to do with my lack of rage now. I’ve become numb to the anger. Whether it’s a Facebook change or any other controversial revelation, I try to remain level headed. Before I react negatively to Facebook’s changes in particular, I try them out for a while. Think about the end game and why they’d make the change. And when I read a rumor about how Facebook is going to charge a monthly fee, or that they allow pedophiles to access my profile, I research first.

While I haven’t agreed with every change Facebook has made, I still recognize that they have made gradual improvements over the course of the past four years that have resulted in a much better overall product. The navigation is vastly improved, and I have far greater control now over who sees what and when.

Sure, some things (name, profile photo, gender, current city, networks, friends, pages) are available to the public now. But these are not things that bother me. You could already pull up photos of my handsome mug (here, here, here and here) by running a Google search. I’d hope my gender is obvious. And although I did scale down my pages after they became publicly viewable, I am now comfortable sharing those interests with anyone who cares.

After that, I’ve always used my privacy settings. Status by status, link by link, photo by photo, I pick and choose my audience. There are times when I keep what I share to a small audience of “Good Friends.” There are others when I share with all of my friends, some of whom I don’t know. And still others, I’ll feel the need to share with “Everyone,” as in — shudder — everyone on the Internet.

But I also use Twitter. I maintain a blog. So there are certain things I’m used to sharing with everyone. And when I share with the world, I have a reason for doing so.

It’s because of this control that I find Facebook extremely useful. I can contact just about anyone from my 500+ connections in an instant. I can promote my blog or share my son’s lemonade stand to raise money for childhood cancer research. Or I can simply goof off casually with friends. But it’s all controlled.

I also control what it is that third party developers see and what my friends can share about me. Developers can access everything that is already available to the public (which isn’t a whole lot), and my friends can’t share much more than that about me either. So I leave enough available for most useful applications to work, but without giving away more than I am comfortable.

The New Features
So all that said, Facebook rolled out a few features recently that were said to impact my privacy. I personally found them to be brilliant. I knew there would be backlash (there always is), but I admit I didn’t expect anything at this scale.

The Like Button: This addition has essentially made millions of web pages an extension of Facebook. The collage of my friends’ faces acts as a welcome mat at the front door of sites that are new to me. My friend likes this? Let me check it out. My friend says I should go to this restaurant? Not a bad idea. These are things that I would have otherwise seen on Facebook, but now I see them at the source to provide more relevance.

Not only is the Like button good for me as a user, but it is also good for me from the business side — both on my blog (loosely defined as a business) and my organization’s web pages. I’ve quickly realized that users are much more inclined to click a Like button than go through the process of retweeting or even sharing through Facebook. It’s easy. It’s awesome.

Instant Personalization: Policies aside (we’ll get to this later), I love the idea. I can go to Pandora and immediately access music that I like or my friends like. I can go to Yelp and immediately find a restaurant that they recommend. There is so much to like here. It makes the web a warmer, more social, and more relevant place.

Updated Privacy Settings: This has caused a stir, but it really wasn’t a problem for me. As I mentioned before, I’ve always been on top of my privacy. So when the new privacy settings were rolled out, I took my time to make sure everything was set up the way I wanted. While some may claim that Facebook pulled a fast one on us, it’s not as if this was done discreetly without you knowing. You were forced to go through the new settings and verify. Might it have been a bit overwhelming? Maybe. But if you care about your privacy like I do, it’s something you should understand.

Community Pages: This one has been run more on the down low because it is a beta product. Thousands of community pages have been created by Facebook and some general pages have been converted (often to the dismay of the administrator). Unlike the typical Facebook page, there is no admin control (at least for now) of the community page. It is, apparently, intended to be a wiki of some sort, with information fed by people’s content who like the page. It’s not clear yet what value, if any, these pages have, but the usage is likely to evolve.

The Confusion
Part of Facebook’s problem is that this new Facebook-centered web can be a bit startling at first. When you go to another website, you don’t expect to see a list of your Facebook friends who like something. You don’t expect a website you did not previously visit to know what you like and don’t like to make recommendations. But people need to simply look at the web as an extension of Facebook, particularly when using social plug-ins. Instead of viewing that your friend likes an ESPN article in your Facebook feed, you see it on ESPN.com. It’s not as if the world can see this information. What you see is different than what I see. And your privacy settings still apply, which may not be immediately obvious.

There is also confusion because there are very few blogs and articles being written on this subject that equally weigh the issue. Many make it seem as though all of our private content is at risk; that no matter how we adjust our privacy settings, everything is available to the world. They are biased towards negativity and rage because that’s what brings traffic. We are told to either delete our Facebook profiles or simply put them on lock-down, preventing everyone from seeing anything, disallowing instant personalization, and blocking as much information from third parties as possible.

The reality, at least as far as I can tell, is that the latest changes won’t harm you if you are already on top of your privacy settings and careful about what you share. But based on the media coverage, it would be easy for someone to overreact and go with the flock.

Show Me
This is my biggest problem with the outrage over Facebook’s changes: Almost everything I read is in abstract terms. Please, show me the danger of Facebook’s changes. You’ve probably seen this example of Facebook users who have told the world, knowingly or not, that they have cheated on a test. Well, I can do the same with Twitter users. What’s the point?

Maybe I should feel bad for people who unknowingly publish embarrassing information about themselves for the world to see, but I don’t. For many reasons.

First, let’s not fall for the claim that Facebook made this radical change from closed to open overnight. The latest change did allow search engine indexing of your public profile (if you kept the box checked to allow it) or of that information you shared with “everyone,” but keep in mind that the former definition of “everyone” was all users on Facebook. So you went from sharing embarrassing photos and information about yourself to 400 Million people to the entire world. Eh.

And again, Facebook forced us — all of us — to confirm our privacy settings. Did you ignore them? If you did, should I feel bad for you? Eh.

I understand that I don’t represent all Facebook users, and that’s a very good argument for anyone opposed to the changes. Most people do not spend the time refining their privacy. And many may simply be confused by the settings.

Still, if you’re confused, just restrict everything as much as possible. I keep seeing stats on number of settings and options, but if you just set everything to “Friends” (and your friends truly are your friends), you’ll be fine. Assuming, of course, you’re still careful about what you share.

Everyone needs their own global privacy policy, and this goes beyond Facebook. When you share, do so with the understanding that, even with the best possible settings, any friend can simply copy and paste your status; or save and repost your photo; or simply post a photo or story about something you did. No privacy settings can prevent stupid activity from being seen. It will eventually get out.

That said, I am leaving the door open slightly for the possibility that Facebook has given others far more access to my private life than I know. If this is the case, show me. Show me the application that could potentially harm me.

The Policies
While I enjoy using Facebook and am not in the “delete my profile” community, I admit that I’m not all that comfortable with the entire path that Facebook has taken. I enjoy the new features and am fine with the current privacy settings. However, I do think that they need to be better at communicating changes. They need to be better at communicating, from page to page, what is viewable and what isn’t. Go above and beyond to explain the user’s privacy. Smack them in the face with what audience they are sharing. While I do think Facebook has done a better job at communicating changes than they are given credit, they need to do more.

And I also agree that opt-ins instead of opt-outs are the best policy, particularly with a potentially controversial change. If you are so sure someone is going to want something, first make the compelling argument. Encourage them to check it. Show them what they’re missing if they don’t.

Even so, I firmly believe that putting too much focus on Facebook takes away the important focus on the user’s responsibility to do everything they can to protect themselves. As mentioned before, users needed to agree to each change. We need to be vigilant and understand the ramifications. And if you are too lazy to do the research to understand it, at the very least you need to be more careful about what you post.

How Facebook Can Get Out of this Mess
Just as I am not completely in Facebook’s corner on some of their policies, I also see ways for them to get out of this PR firestorm. While I don’t have much sympathy for the ignorant user, Facebook is still responsible for communicating that these are positive changes.

If I were Facebook, I’d do the following:

  • Put a My Privacy: Who Sees This? link on Community Page by “Related Posts by Friends”
  • Put a My Privacy: Who Sees This? link within social plug-ins, where feasible
  • Put a My Privacy: Who Sees This? link on “trusted third party” sites that implement instant personalization
  • Provide video and commentary explaining some of the changes, answering the criticisms, showing the user why the changes are good for them, and acknowledging that those changes are not for everyone, providing an easy explanation of how to protect themselves
  • Provide regular webinars or tours on features and use of lists to everyone, not just those with the proper page connections
  • Make Instant Personalization opt-in

The last item may be the trickiest since users have already technically opted in to instant personalization when they went through their new privacy settings for the first time. But considering this project is technically a pilot, there’s no need to automatically opt everyone in. Do what they did before. Bring up a box explaining what instant personalization is. Provide videos. Explain why it is good for them. Explain potential risks. Shoot down conspiracies. And then force the user to check the box if they want it.

In Conclusion
While I am not surprised by user backlash as a result of the most recent Facebook changes, I did not expect this level of outrage from mainstream media and technically savvy, intelligent people. With that in mind, it is important that we all do the following:

  • Research and understand the benefits and risks involved
  • Weigh those risks and benefits with the way that each person uses Facebook
  • Understand and actively utilize Facebook’s privacy settings
  • Establish a global “privacy setting,” understanding that if we are concerned about privacy we should always be careful about what we share

In the end, it’s personal. These changes are likely to affect me differently than they do you. Maybe Facebook is just too much of a hassle for you. Maybe Facebook does not offer enough benefit to you to actively manage a sometimes confusing control panel of privacy settings. Maybe you do have reason to be outraged. But I don’t believe this feeling is universal. We all need to rationally weigh the risks and benefits and decide what is best for us.

The Softer Side Of Security

This article was first published on the NTEN Blog in April of 2010.

As the technical staff at our nonprofits, we wrestle with all sorts of complex security concepts: firewalls, encryption, network address translation.

But here are three quick questions:

  • Would you spend $10,000 on a security system for your building, and then set the access code to “12345”?
  • Would you set the administrative account name and password to your network to the same thing that five other companies in your building use?
  • Would you allow an outside vendor to manage your network without sharing the passwords with you or anyone else at your organization?

I’ve seen all three of these situations occur, the first two at commercial law firms, the latter at a large nonprofit [disclaimer: not the one I work for now!]. There are some infamous and true stories of clever hacking that played on the human side of security, such as the teenagers who took a couple of clipboards and interviewed people in the lobby of a large office building under the guise of a school project, in the process collecting birthdays; kids’, spouses’ and pets’ names; street addresses — all things people commonly use as the base for their network passwords.

But all of the sophisticated systems in the world offer little more than a Swiss cheese defense if we don’t have good organizational policies to address the human side of security. And even that’s a little tricky, as policies that are too complex for staff to easily comply with will be subverted in ways that open more security holes.

A sustainable password policy requires that passwords be:

  • Of a decent length (7-15 characters);
  • Comprised of a mix of letters, numbers, and/or additional characters, preferably with mixed case;
  • Not based on data that can easily be associated with the user, such as kids’ names or the TV show that they often discuss online; and
  • Not so obscure (as in “6T5re#bb77l”) that they can’t be easily memorized — that’s a recipe for password post-its!
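The four rules above as a checker you could run over candidate passwords before a network policy enforces them. This is an added example, not from the original post: the digit-for-letter folding table, the list of harvested terms and the "memorable" heuristic (a run of at least three letters) are my assumptions.

```python
import re

# Policy from the post: 7-15 characters; letters mixed with numbers and/or
# other characters, mixed case preferred; not built from data associated with
# the user (kids', spouses', pets' names, birthdays); not so obscure that it
# ends up on a post-it. The fold table and the memorability heuristic are my
# assumptions, not the post's.
MIN_LEN, MAX_LEN = 7, 15

# Common digit/symbol-for-letter swaps, so "j3nny" still matches "jenny".
_FOLD = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def _fold(text):
    return text.lower().translate(_FOLD)


def check_password(password, user_terms=()):
    """Return (violations, warnings) for one candidate password.

    violations: hard failures a network policy would reject.
    warnings:   soft advice (mixed case, memorability).
    user_terms: strings easily associated with the user: names of kids,
                spouses, pets, street, birth year, etc.
    """
    violations, warnings = [], []

    n = len(password)
    if not MIN_LEN <= n <= MAX_LEN:
        violations.append(f"length {n} is outside {MIN_LEN}-{MAX_LEN}")

    has_letter = any(c.isalpha() for c in password)
    has_other = any(not c.isalpha() for c in password)   # digit or symbol
    if not (has_letter and has_other):
        violations.append("must mix letters with numbers and/or other characters")

    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        warnings.append("mixed case is preferred")

    folded = _fold(password)
    for term in user_terms:
        term_f = _fold(term)
        if len(term_f) >= 3 and (term.lower() in password.lower() or term_f in folded):
            violations.append(f"contains user-associated term {term!r}")

    # Memorability heuristic (mine): a password with no run of three or more
    # consecutive letters, like "6T5re#bb77l", is hard to remember.
    if not re.search(r"[A-Za-z]{3,}", password):
        warnings.append("no word-like run of letters; hard to memorize")

    return violations, warnings


def audit(candidates, user_terms=()):
    """Map each candidate password to its violation list; pass == []."""
    return {pw: check_password(pw, user_terms)[0] for pw in candidates}


if __name__ == "__main__":
    # Constructed sample: terms a clipboard "survey" in the lobby might harvest.
    harvested = ["Jenny", "Rover", "Elm Street", "1975"]
    for pw in ["jenny1975", "Rover!", "R0ver2010", "6T5re#bb77l", "Maple-Tree42"]:
        v, w = check_password(pw, harvested)
        print(f"{pw:14} violations={v} warnings={w}")
```

Note that "6T5re#bb77l" passes the hard rules and only draws a warning, which is exactly the post's point: policy automation can enforce the first three rules, but the fourth is a usability judgment.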

In addition to maintaining a secure password policy (and enforcing it with network policy automation), staff should be resourced with tools to manage passwords.

There are numerous free or inexpensive applications and services that offer encrypted, password-protected storage for the collection of passwords. Looking for the ones that synchronize to a mobile app will add additional convenience.

From the management level, a best practice is for the lead in IT to print all passwords, seal them in an envelope, and give it to the CEO or HR executive at the organization, repeating (with secure destruction of the outdated list) as passwords change. Twice in my career as a CIO/IT Director, I’ve walked into situations where my predecessors left mad, and took all of the system password information with them, leaving me, initially, unable to manage the networks that I’d been hired to oversee. Don’t put your nonprofit’s work at risk by omitting this type of failsafe.

All of the port blocking, proxy servers and point-to-point tunneling on earth won’t protect you from the person who clicks on a malicious link in an email. Only education, communication, and support will address those security holes, and no security plan can be considered valid if it doesn’t incorporate policies along with the technical protection.

Why I Don’t “Like” Facebook

Big changes are happening at Facebook, and they mean that what you do and say, on and off of Facebook, is now being more heavily tracked and more broadly shared. If you think that your Facebook data is somewhat private — e.g., shared only with friends and people you specify — you are wrong.

Facebook announced dramatic changes in their service at their annual “F8” conference on Wednesday. Facebook used to be a network where you could establish semi-private communities with family, friends and like-minded sets of people. Now it’s an internet-wide info-sharing platform that can keep your friends, and the businesses and advertisers that Facebook partners with, fully briefed on all of your internet-based activities and opinions.

The biggest announcement was the introduction of the Open Graph and the new “Like” buttons for the web at large. Yesterday, you could only “like” or “fan” something that appeared on Facebook’s web site. Now you can “like” things anywhere that the social graph and like buttons are implemented. What you “like” will be shared with Facebook, your Facebook friends, and all of the applications you subscribe to on Facebook, and, depending on your Facebook privacy settings, the world at large.

Also this week, and all of a sudden, despite what you might have confirmed a few months ago when Facebook started this paradigm shift, your likes, interests and job history are now Google searchable. That’s right: even if you went in and flagged them as private, your only way to protect this information, as of yesterday, is to remove it (and wait a month for it to fall out of Google’s cache).

Online privacy is a relative concept

Much of the Facebook privacy that we lost wasn’t real privacy to begin with, because any time you add an application (such as a quiz), that application’s developers have complete access to your entire Facebook profile. Worse, anytime a friend invites you to use an application, that application gets access to your profile. You don’t have to lift a finger to have data that you’ve marked as private shared with strangers; you just have to have friends on Facebook who aren’t thinking that, by inviting you to compare movie favs, they’re telling a complete stranger your gender, age, birthdate, job history, sharing all of your photos and publishing your wall to them.

Why “Love it or leave it” is unfair

I have friends who are somewhat blasé about all of this. After all, nobody put a gun to my head and ordered me to join Facebook. I just got so many requests from friends and family that I caved. And, once I caved, I connected to a bunch of “blast from the past” friends, extended family, former co-workers and current associates. So, I now have a real investment in Facebook as a social connector. Sure, if I don’t like these changes, I can just delete my account and be done with it. But I’m throwing away far more than just a social network profile — I’m tossing out my connection to my communities of friends, family and professional associates, who are now expecting me to be on Facebook with them.

I could decide that I don’t like the policies of my local utility company, too, and just cancel my service. But the services they provide enable other services that I want/require as well — such as light, heat, computing, communication. Leaving Facebook wouldn’t be as extreme as canceling power services, but, with 40 million users and climbing, Facebook is like a utility in many people’s lives, and it supports services in such a way that relationships beyond our relationship with the service provider are centered there.

Change Management

This is what is so dishonest about CEO Mark Zuckerberg’s repeated assertion that Facebook is only following the direction of the Internet as an open sharing platform. He is right about the trend. But this is the equivalent of saying that the trend is now for baggy pants and see-through tops, so all of your clothing has been swapped out in accordance with the trend. The internet is all things to all people, and there are plenty of places on it where privacy and closed community are the norm. Just because the internet is becoming more open, it doesn’t mean that Internet users need to be dragged into this new era.

It all boils down to “Opt Out” vs. “Opt In”, and respecting rather than walking all over your customers. Facebook began with an assumption of privacy; changes in that assumption should be acknowledged by each user before they are enacted. Facebook could have easily developed their platform in ways that give users the choice of having open or private profiles. Instead, they’ve simply switched our private data to public without asking if that compromises our security, reputation or preferences. And it doesn’t escape my notice that there’s great money to be made in having more personal info about what I like and who I share that information with.

What you should do if this concerns you

If you went in and verified/altered your Facebook privacy settings a month or two ago, you should make another visit ASAP. Facebook has turned it around. Beth Kanter has a good write-up on what has changed. If you have any custom Facebook Pages, look out there as well — even if you’ve set profile data to private, if you link to any of your profile info from a Facebook page, it will default back to public. Whatever you do with your privacy settings, most of your basic profile data is now public and there is no option to make it private. So review your employment history, “about” and likes sections to make sure that it only has data that you don’t mind sharing with Google searchers and every advertiser on earth.

It all boils down to this

Facebook is now like Twitter and Google, with even fewer options for privacy than those big public networks offer. This doesn’t have to be a bad thing, it’s just a very different thing, and the crime here is mostly that “F8” and “social graph” are not terms that the vast majority of the 40 million Facebook users are paying any attention to. If you’re reading this, you know better, so you can set your profile up with information that you don’t mind being in the public domain, and you can decide if you’re willing to “like” things on the internet and, thereby, expose yourself and your Facebook community to the demographic analysis and actions that will ensue. I won’t be abandoning Facebook over this, but I’m very restrictive in my use of it, and will continue to approach it with great caution.

NPO Evaluation, IE6, Still Waters for Wave

This post was first published on the Idealware blog in January of 2010.

Here are a few updates on topics I’ve posted about in the last few months:

Nonprofit Assessment

The announcement that GuideStar, Charity Navigator and others would be moving away from the 990 form as their primary source for assessing nonprofit performance raised a lot of interesting questions, such as “How will assessments of outcomes be standardized in a way that is not too subjective?” and “What will be required of nonprofits in order to make those assessments?” We’ll have a chance to get some preliminary answers to those questions on February 4th, when NTEN will sponsor a phone-in panel discussion with representatives of GuideStar and Charity Navigator, as well as members of the nonprofit community. The panel will be hosted by Sean Stannard-Stockton of Tactical Philanthropy, and will include:

I’ll be participating as well. You can learn more and register for the free event with NTEN.

The Half-Life of Internet Explorer 6

It’s been quite a few weeks as far as headlines go, with a humanitarian crisis in Haiti; a dramatic election in Massachusetts; a trial to determine if California’s gay-marriage-banning proposition is, in fact, discriminatory; high profile shakeups in late night television and word of the Snuggie, version 2 all competing for our attention. An additional, fascinating story is unfolding with Google’s announcement that they might pull their business out of China in light of a massive cybercrime against critics of the Chinese regime that, from all appearances, was either performed or sanctioned by the Chinese government. There’s been a lot of speculation about Google’s motives for such a dramatic move, and I fall in the camp that says, whatever their motives, it’s refreshing to see a gigantic U.S. corporation factor ethics into a business decision, even if it’s unclear exactly what the complete motivations are.

As my colleague Steve Backman fully explains here, there’s been some fallout from this story for Microsoft. First, like Google and Yahoo!, Microsoft operates a search engine in China and submits to the Chinese government’s censoring filters. They’ve kept mum on their feelings about the cyber-attack. Google’s analysis of that attack reveals that GMail accounts were hacked and other breaches occurred via security holes in Internet Explorer, versions six and up, that allow a hacker to upload programs and take control of a user’s PC. As this information came to light, France and Germany both issued advisories to their citizens that switching to a browser other than Internet Explorer would be prudent. In response, Microsoft has issued a statement recommending that everyone upgrade from Internet Explorer version 6 to version 8, the current release. What Microsoft doesn’t mention is that the security flaw exists in versions seven and eight as well as six, so upgrading won’t protect you from the threat, although they just released a patch that hopefully will.

So, while their reasoning is suspect, it’s nice to see that Microsoft has finally joined the campaign to remove this old, insecure browser that is incompatible with web standards.

Google Wave: Still Waters

I have kept Google Wave open in a tab in my browser since the day my account was opened, subscribed to about 15 waves, some of them quite well populated. I haven’t seen an update to any of these waves since January 12th, and it was really only one wave that’s gotten any updates at all in the past month. I can’t give away the invites I have to offer. The conclusion I’m drawing is that, if Google doesn’t do something to make the Wave experience more compelling, it’s going to go the way of a Simply Red B-Side and fade from memory. As I’ve said, there is real potential here for something that puts telecommunication, document creation and data mining on a converged platform, and that would be new. But, in its current state, it’s a difficult to use substitute for a sophisticated Wiki. And, while Google was hyping this, Confluence released a new version of their excellent (free for nonprofits) enterprise Wiki that can incorporate (like Wave) Google gadgets. That makes me want to pack up my surfboard.

Google’s Creepy Profiles

Google Profile

Google unveiled a bold new product last week; one of critical and compelling import to anyone who believes that their online reputation is important.  I’m not talking about Google Buzz.  I’m talking about Google Profiles.  This isn’t a new service — Google introduced the profile pages a few years ago.  But the release of Google Buzz has illuminated how important they are in Google’s plans, and how important they can be for us.  And if this profile is now a major component in my personal branding strategy, I demand better tools to manage it than Google has provided.

About a year ago, Google pointed out that, if you have a populated Google Profile, they will include it below the search results when people google your name. So, for someone like me — who does want to be easily located on the web, but has a reasonably common name, this seemed like a good deal, and I filled out my profile.  As a result, I’m prominently placed in the profile links when you search for my name, even though I’m about the fifth best known “Peter Campbell” on the web.

A Google Profile page contains four important pieces:

  • Biographical information about you.
  • Links to your important web sites.
  • Secured contact information.
  • Google Buzz integration.

The bio and links are much like other online profiles, such as Yahoo! and Facebook.  The contact info option is interesting, as you can share it with groups defined in your Google Contacts.  I can’t see a good reason to do this, as any group I’d be willing to share with (such as “family”) already knows how to find me and, if they don’t, they aren’t going to think to look at my Google Profile(!). So I’ve left this blank, as it seems like better security to not publish my address and phone number online if I don’t have a good reason to.

The Buzz integration is particularly worrisome.  First, by default, Buzz publishes your connections to your profile.  It’s easy to turn off, and recommended if you have any concern about anyone in the world knowing who your online friends are.  I turned this right off.

Second, your Buzz stream is published to the profile as well. So consider that — anything you say on Buzz gets added to your profile, which might be prominently placed in search results for your name (whereas your buzzes might not be).  We all know that employers are getting savvy, and searching the web for info about us as part of a candidate review.  But I assume that an employer seeing my Twitter stream on Twitter will bear in mind the context — Twitter, like Buzz, is a conversational medium.  A profile is much more like a resume.  I may well buzz about my favorite Doctor Who episode, but I’m not going to discuss TV shows on my resume…

The furor over Buzz’s privacy violations at rollout was really much more about the profiles — many new Buzz users didn’t even know they had a Google Profile prior.

So, Google — I hope you’re listening.  If my Google Profile is going to factor more and more into my online identity — and the way that Buzz both highlights it and depends on it suggests so — you need to give me more tools and flexibility about how that profile looks and what information it contains.  Here’s what would make me feel like I have a profile on the web, as opposed to Google having a dossier on me on the web:

  • Less structured content.  The “what can’t you find on Google” question is cute, but it’s not a key component of my personal branding.  Get rid of the cute stuff, and give me more options to share the info that I want to share, not that you necessarily want to hear.
  • A logo, stylesheet, and other basic web design tools.  I’d like this to look more like this blog, with the black background and the Techcafeteria logo.
  • My own tabs, and the ability to remove the extra tabs that you think I should have.  Mostly, the decision to publish my Buzz feed to my profile should be mine, not yours.  Make that optional, but add the ability to add new tabs and link them to other websites or RSS sources.

For an example, look at my home site at http://techcafeteria.com.  That is a profile, with info about me; lifestreaming; shared resources via RSS; and a contact form.  If Google Profiles could do what I ask, I’d scrap the current Techcafeteria site and link this blog, along with my other feeds, directly to my Google Profile, and redirect both techcafeteria.com and peterscampbell.com to it.

Until then, that’s not my profile.  That’s Google’s profile of me, and it’s a bit creepy.

Dealing with Domains – Part 2

This post was originally published on the Idealware Blog in January of 2010.

Last week, we talked about domain registrar services and what to look for. In today’s follow-up, we’ll focus on how to transfer a domain and the accompanying security concerns, then talk a bit about registrars vis-à-vis hosting services.

Domain Transfers

Transferring domains is a somewhat complex process that has been designed to minimize the risk of domain hijacking. In order to ensure that transfers are performed by the actual owner of the domain, a few important measures are in place:

  • Every domain has an authorization (a.k.a. EPP) code associated with it. Transfers cannot occur without this code being submitted. If you don’t have this information, your current registrar does. Some registrars have automated functions that will deliver that information to the domain contact; others require that you ask for it via email to the registrar or their support ticket application. Registrars are required to provide you with these codes within five calendar days of your request. If they don’t, your best recourse is to determine who they get their domain authority from (there are only a handful of companies that resell registration services) and appeal to them for assistance.
  • Communication is strictly through the registered “whois” email address of the domain owner. You can determine what that is by doing a whois lookup on your domain.
    Tip: Most domains can be looked up at http://whois.net. However, whois.net has some trouble with .org domains, so the alternative http://www.pir.org/whois is a more reliable source for most non-profit domains.

    If the address that your domain is registered with is either non-functional or owned by someone other than you, then you need to update it, via your current registrar’s web interface, before you can successfully transfer the domain.

  • Domains can (and should) be locked to prohibit transfers before and after you switch registrars. Locking and unlocking your domains is usually done by you, from your registrar’s web site. If you don’t have options to do that when you log on to the web site, your registrar should do it for you upon request.
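The three pre-transfer checks above (transfer lock, whois contact, no transfer already in flight) can be run against the output of a whois lookup. This is an added example, not code from the original post; it assumes the common “Key: Value” whois layout, and the record it parses is a constructed sample, not a real lookup.

```python
from dataclasses import dataclass, field

# Constructed sample whois output (not a real lookup). Field names follow the
# "Key: Value" layout that registry and registrar whois servers commonly emit.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.ORG
Registrar: Hypothetical Registrar LLC
Registry Expiry Date: 2011-03-14T04:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registrant Email: webmaster@example.org
Admin Email: webmaster@example.org
Name Server: NS1.HOST-EXAMPLE.NET
Name Server: NS2.HOST-EXAMPLE.NET
"""


@dataclass
class WhoisRecord:
    domain: str = ""
    statuses: list = field(default_factory=list)   # EPP status tokens
    emails: dict = field(default_factory=dict)     # contact role -> address
    name_servers: list = field(default_factory=list)
    expiry: str = ""


def parse_whois(text: str) -> WhoisRecord:
    """Pull the fields relevant to a transfer out of a Key: Value whois dump."""
    rec = WhoisRecord()
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "domain name":
            rec.domain = value.lower()
        elif key == "domain status":
            # The status token comes first; the trailing URL is documentation.
            rec.statuses.append(value.split()[0])
        elif key.endswith(" email"):
            rec.emails[key[: -len(" email")]] = value.lower()
        elif key == "name server":
            rec.name_servers.append(value.lower())
        elif key in ("registry expiry date", "expiration date", "expiry date"):
            rec.expiry = value
    return rec


def transfer_checks(rec: WhoisRecord, owner_emails) -> dict:
    """Checks an owner should confirm before unlocking and requesting a transfer."""
    owner = {e.lower() for e in owner_emails}
    return {
        # Lock should be on until the moment you start the transfer.
        "locked": "clientTransferProhibited" in rec.statuses,
        # A pending transfer you did not start is a hijack warning sign.
        "transfer_pending": any(s.lower().startswith("pendingtransfer")
                                for s in rec.statuses),
        # Every contact address must be one you control; the confirmation
        # email goes there.
        "contact_is_owner": bool(rec.emails)
        and all(e in owner for e in rec.emails.values()),
        "has_name_servers": len(rec.name_servers) >= 2,
    }


if __name__ == "__main__":
    record = parse_whois(SAMPLE_WHOIS)
    for check, ok in transfer_checks(record, ["webmaster@example.org"]).items():
        print(f"{check:18s} {'OK' if ok else 'ATTENTION'}")
```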

Transfer Procedures

To initiate the transfer, go to the web site of the registrar that you want to switch to and follow their instructions. They will have you submit a request and, upon receipt of your domain fees, issue an email to the email address associated with the domain containing a link to a form where you can confirm the request. That form will also ask for the authorization code. Subsequently – and this can take up to seven days – you’ll receive an email from your current registrar asking you to confirm the transfer request. Once that is submitted, the transfer should go through.

Detailed rules about how domains are transferred, as well as what the responsibilities of the registrars are in handling the transfers, are listed at http://www.icann.org/en/transfers/policy-en.htm.

Choosing Registrars

Registrars charge anywhere from $5 to $50 for a year’s domain service. The two best known registrars are Network Solutions and GoDaddy. Many people go with Network Solutions because they’re the longest standing of the registrars (for many years, they were the only registrar). GoDaddy has become very popular by dramatically undercutting the cost. Note, though, that both of these registrars have been accused of questionable business practices:

  • Network Solutions has engaged in “Front Running”, a questionable practice of locking domains that a potential customer might search for in order to block competitors from making the sale. They will also use subdomains of your domain to advertise, a practice called subdomain hijacking. A decent registrar will not seek to make profits based on your intellectual property.
  • GoDaddy famously suspends accounts based on corporate requests. In 2007, they suspended seclists.org, a website that archives internet security mailing lists, per the request of MySpace, with no court order or valid complaint. MySpace was upset that content posted to one of the lists that Seclists archived was inappropriate. But, instead of contacting Seclists to deal with the content in question, GoDaddy closed the site and wouldn’t respond to desperate emails or phone calls regarding the sudden closure. Worse, after the fiasco was resolved, they were unrepentant, and reserve the right to shut down any site for any spurious reason. If your NPO does work that is in the least bit controversial, keep this in mind when considering GoDaddy.

Web Hosting and Registrars

Many registrars supplement their business by providing web hosting services as well. Some will even offer discounted or free domain registration with a hosting plan. While this simplifies things, it can also be a bit risky in the “eggs in one basket” sense. Having a separate registrar and control over your DNS service allows you to be more flexible with switching hosts, should your current host prove themselves unreliable or go out of business. And the web hosting industry is pretty volatile, with companies coming and going pretty quickly. I would suggest a best practice is to keep your host and registrar separate.

Dealing With Domains – Part 1

This post originally appeared on the Idealware Blog in January of 2010.

.biz .com .edu .org .net .gov .info .mil

Domain Name Management: not a very sexy topic. This will be a rare post for me that won’t mention popular search engines, the latest “superphone”, content management or rumored tablets. But I hope I can provide a good glossary on a geeky subject that anyone with a web site sporting their organization’s name has to deal with.

You have a web site and you have a domain, and as long as the web site is up and running, everything is fine. But what happens if your domain is hijacked? What if you need to make changes to your domain registration, or register a new one, and your registrar is simply disinterested? What if they go out of business? Your domain name is a valuable property, and you should keep it in proactive and trustworthy hands.

How Domain Registration Works

Domain registrars provide the service of keeping your domain name mapped with current information so that it can be found on the web. Domain names are meaningful aliases for numeric IP addresses, and aren’t technically required in order to host a web site. But, the internet would be hard to navigate if we could only find things by their numeric addresses.

The primary things that a registrar does are to keep your contact (whois) data maintained; point your domain to the appropriate name servers; and allow you to move your domain to another registrar if you choose to.

Domain Services

In addition to domain registration, most registrars offer additional services, such as:

  • DNS Management (address mapping) for subdomains, which allows you to host your main domain on one server, but, perhaps, an online store called “store.yourdomain.com” on another server.
  • Aliasing of Addresses, so that both http://yourdomain.com and http://www.yourdomain.com go to the same place.
  • Backup Mail Handling, so, should your primary mail server go down, messages sent to you will be stored until it comes back around.
  • Web Forwarding, so you can, say, register yourdomain.org, yourdomain.com and yourdomain.net, but forward all visitors to the .com and .net sites to your website at yourdomain.org.
  • SSL (Secure Socket Layer) Certificates, to encrypt sensitive data, like online donation forms.

Things to Look For in a New Registrar

  1. Are they accredited? ICANN, the organization that oversees domain management, accredits registrars. If they aren’t on ICANN’s list, they aren’t trustworthy.
  2. Do they add a year to the existing expiration date, or charge you for a full year as of engagement? They should do the former.
  3. Do they offer automated access to all functions (via web forms), including locking/unlocking domains, retrieval of authorization (EPP) codes, and modification of all whois records? (Some registrars prefer to list themselves as the technical contact. It should be up to you whether they can have an official name on your domain, not them).
  4. Do they list a telephone number, and is it promptly answered during business hours?
  5. Do they respond promptly to emails and support requests? The ability to communicate with your registrar is rarely needed, but, when it is, it’s critical – you don’t want them out of the loop if your domain is subject to an attempted hijack.
  6. Do they offer the ability to manage DNS for mail servers and subdomains? While this is an added feature, it’s common enough to be worth expecting.
  7. Do they have any additional services (examples above)? While these supplemental services are far from critical, they are convenient. More to the point, a company that is engaging in a robust suite of services is more likely to be focused on their business. The truth is that anyone can be a domain registrar, if they make the proper investment, but whether it’s a going concern or a neglected piece of extra income for them is a question you’ll want to ask.

Next week: Safely transferring domains and a word on web hosting completes the topic.