The FBI confirms NGOs and Associations are Targets of Russian Hackers

James Comey Testimony on Russian Hackers Targeting Nonprofits and NGOs
James Comey Testimony on Russian Hacking Includes Acknowledgement of Russians Specifically Targeting NGOs and Nonprofits

Growing Tendenci, the open source AMS, has been eye opening. I didn’t fully realize why our clients were constantly being attacked, even behind all of our firewalls, scanners, ACLs, malware and rootkit detection, antivirus, third-party scanners, multifactor authentication, honeypots, our policy of not storing credit cards, and still more custom security measures we’ve developed in house.

I mean seriously, it’s not like you’re going to scan a site we host and not have it logged and inspected and blocked aggressively when possible. Nothing is hack proof obviously. But our security practices are FAR beyond the norm.

I didn’t have the luxury of questioning the motive. We do.

When necessary, we have engaged authorities for assistance. So it was interesting to see this from former FBI Director James Comey’s testimony:

Source: http://www.politico.com/story/2017/06/08/full-text-james-comey-trump-russia-testimony-239295

BURR: Okay. When did you become aware of the cyber intrusion?

COMEY: The first cyber — there was all kinds of cyber intrusions going on all the time. The first Russian-connected cyber intrusion I became aware of in the late summer of 2015.

BURR: And in that time frame, there were more than the DNC and the D triple C that were targets?

COMEY: Correct, a massive effort to target government and nongovernmental, near governmental agencies like nonprofits.

BURR: What would be the estimate of how many entities out there the Russians specifically targeted in that time frame?

COMEY: It’s hundreds. I suppose it could be more than 1,000, but it’s at least hundreds.

Let me repeat that last part for emphasis in case anyone who works with Associations and Non Profits needs some ammo to take back to their board about why they can’t host for $10 a month on a cheap hosting site.

COMEY: The first cyber — there was all kinds of cyber intrusions going on all the time. The first Russian-connected cyber intrusion I became aware of in the late summer of 2015.

COMEY: Correct, a massive effort to target government and nongovernmental, near governmental agencies like nonprofits.

BURR: What would be the estimate of how many entities out there the Russians specifically targeted in that time frame?

COMEY: It’s hundreds. I suppose it could be more than 1,000, but it’s at least hundreds.

Those words should weigh heavily on people in the NPO/NGO sector. It is worthy of mention to everyone using an AMS system. To be secure, you need to be able to inspect your own code, whether you host with us or somewhere else. Please do so with Tendenci at https://github.com/tendenci/tendenci/ . Security is a process, not a magic pill.

The motives for these attempted hacks are above my pay grade. Just know if you feel you are being targeted, well, it isn’t paranoia if they really are out to get you. And they really are out to get you.

And please don’t click that link in your email. Please. Just don’t do it.

Stay vigilant my friends.

PS – two other facts I can add. I can personally confirm it was in the hundreds just based on our client base. This does NOT mean they breached, but targeted? Yes. And second, by my estimations it started in earnest in 2013, not 2015.

PPS – and now we start the countdown before they take my blog offline with DDOS again. Whoever “they” is. All I see is a matrix at this point… and I’m ok with that oddly enough. Because if the Zombie apocalypse is real in downtown SF, then everything else is possible too.

Disclaimer: This post is NOT about the President. Or about former FBI Director Comey’s testimony as it relates to our elected Zombies on both sides who vote party over the people they represent. No, this post is about a small part of Comey’s testimony that relates to Associations and Nonprofits. It applies whether they use Tendenci or not. Whatever the motive of the Russian hackers, the fact is that associations and nonprofits are being singled out for attacks. This is a fact of your current reality.

What is “x” competitor’s achilles heel?

In the course of owning a business you get a lot of phone calls from investors and venture capitalists. It’s a game, but a fair one if played correctly, in that whatever your revenue, their criteria is just about twice yours. When we were 1M they were looking for 2M companies. When we were 2M they were looking for 3. When we were over 3 they were looking for 5, etc. But they knew that when they contacted you. So why?

Because knowledge is power. In an industry like membership management software there isn’t much transparency because so many companies are private. So they call. The calls are always polite. It’s important to remember they are frequently just due diligence by the firm as they negotiate to purchase a competitor in your space. Again, there is nothing wrong with this if knowledge is shared both ways.

Business Owner action item: as the business owner it’s up to you to ask the questions as well. Start with the simple stuff like “where do you see the industry going in 5 years?” etc. Trading information can be helpful for both parties, and if you are the smaller fish you had better be more nimble anyway.

How do most of the calls end? Typically the same and both parties knew it when the call started.

“well let’s stay in touch and touch base in a year.”

If you did your job and asked questions of them as well, then hey, that’s fair. In the VC world the “it’s not you, it’s me” breakup equivalent is “we are looking for someone a bit larger and with higher profits so call back”. But both parties knew that when the call started, it’s just the polite way to end the call. What highly profitable business owner wants to sell? Not many that I know of. It’s an attempt to be polite.

But, sometimes something interesting happens. Specifically, I had someone ask me an interesting question recently about a competitor. It was a bit out of the blue, which tells me it was on their to-do list more than mine. The investor rep asked:

What do you see as company-x’s Achilles Heel besides being on the Microsoft platform?

I have to admit that I wasn’t expecting the question and I prefer to not say bad things about competitors. Usually they are good people trying hard in a competitive environment. We hang out together at NTEN, SXSW and for some of us OSCON. They really are good people. So I didn’t answer the “Achilles Heel” question fully. This is me correcting the record.

Yes, they have a problem. Why? Because in one of my History classes while getting a BS in POLS from Texas A&M University we studied Carnegie Steel. Given I like history, let’s look at it through the lens of “what would Andrew Carnegie do?”

In 1870 Carnegie decided that instead of being a “capitalist” with diversified interests he was going to be a steelman exclusively. Using his own capital, he erected his first blast furnace (to make pig iron) that year and the second in 1872. In 1873 he organized a Bessemer-steel rail company, a limited partnership. Depression had set in and would continue until 1879, but Carnegie persisted, using his own funds and getting local bank help. The first steel furnace at Braddock, Pa., began to roll rails in 1874. Carnegie continued building despite the depression—cutting prices, driving out competitors, shaking off faltering partners, plowing back earnings. In 1878 the company was capitalized at $1.25 million, of which Carnegie’s share was 59 percent; from these policies he never deviated. He took in new partners from his own “young men” (by 1900, he had 40); he never went public, capital being obtained from undivided profits (and in periods of stress, from local banks); and he kept on growing, horizontally and vertically, making heavy steel alone. From 1880 onward, Carnegie dominated the steel industry.

Still with me? Because from that dominance he sat at the top of the food chain. And then inexplicably they poked him. Why? WTF?

Carnegie had thought of selling out and retiring in 1889: his annual income was $2 million, and he wanted to cultivate his hobbies and develop the philanthropic program that was taking shape in his mind. But the threats that now came from the West as well as the East were too much for his fighting spirit and his sense of outrage, and he took the war into the enemy camp.

Sooooo… Carnegie then did NOT retire but rather took the fight to them. He took the fight to them with the advantages and business knowledge of his industry that he possessed. Now back to our story…

He (Carnegie) would not join their pools and cartels; moreover, he would invade their territories by making tubes, wire and nails, and hoop and cotton ties and by expanding his sales activities into the West. He ordered a new tube plant built on Lake Erie at Conneaut, which at the same time would be a great transportation center with harbors for boats to run to Chicago and a railroad to connect with Pittsburgh.

The competition surrendered, but at a much higher price than they would have otherwise.

Thus originated the U.S. Steel Corporation in 1901, through the work of J.P. Morgan. The point was to buy Carnegie off at his own price—as he was the only disturbing factor that held back “orderly markets and stable prices.” The Carnegie Company properties were purchased for almost $500 million (out of the total capitalization of the merger of $1.4 billion); Carnegie’s personal share was $225 million, which he insisted upon having in the corporation’s first-mortgage gold bonds. At last Carnegie was free to pursue his outside interests.

Why, how, could the competition have so badly misjudged things? They missed the megatrends/macroeconomics and underestimated their competitor. Realize one dollar of capital in the hands of experience is far more powerful than ten dollars in the hands of bankers.

It’s quite simple really. Carnegie had lowered his costs and built up his capital to the point that the competitor’s moves were an “event” and his response was simply a “choice”. A freaking choice. If that doesn’t make you nervous then I didn’t explain it well.

From the start Carnegie was willing to pay the price to win. Who knows, maybe he was just bored? Regardless, the competition was in over their heads with a combined company run by bankers without the institutional knowledge of a steelman.

The bankers accepted their losses. But their misstep meant they paid a significant price for not researching the market, researching the trends, and especially for not understanding the machine Carnegie had built. It wasn’t just the capital, it was years of best practices developed by Frick and Carnegie that allowed him to win. A business is complex. Business practices are maintained by people, not Visio flowcharts or PowerPoint.

Pick your fights.

Further – the only thing more complex than a business is communities of people like the open source community. You can’t buy them off or learn the social norms in a year or two.

[redacted]

Back to the phone call – in this case, the competitor the investor asked about is one we see occasionally in the sales process. They have some aggressive affiliates but I can’t say I’ve had a bad encounter with their CEO or one of their employees. So yes, I know them. I know how our product is differentiated with greater functionality. (having a better product does help – but they would say the same thing).

SWOT analysis if it got aggressive?

Well, I can back into the competitor’s costs using the usual methods like salary survey sites and looking at their network. There are people who will research these things for a very reasonable price. Add to that the fact that they are proprietary AND require two year contracts, and it just makes it easier. You wouldn’t want to sign your nonprofit up with a proprietary solution if you knew there was a better solution that was also open source, right? (data says 90% want to use open source or “roll their own” – NTEN).

Maneuvering around their market positioning would be as strategically challenging as going around the Maginot line. Easy pickings – IF someone wanted a fight.

If this sounds arrogant, it isn’t. It is just me acknowledging how the future would put the very existence of our company in question if we hadn’t changed. I did what any self-aware responsible and knowledgeable CEO would do. We did a pivot. And WordPress and Drupal are great examples to follow.

The bigger question is why other leaders didn’t see open source coming?

Our competitive position – Tendenci has driven our costs down and gone open source in a group of competitors trapped with huge employee expenses, high proprietary licensing costs, shared servers that amplify security risks, and constant turnover in their work force. Meanwhile hack attacks are skyrocketing and insurance and benefit costs climb.

Add to that: programming isn’t something you can throw money at. It just takes time, and adding more keyboard-monkeys just slows down the innovators.

To the person who asked the question – my answer is this:

Company X’s Achilles heel is that they exist at the whim of a better positioned open company with an aggressive strategy. You don’t have to win every prospect, you just have to force the competitor to sell below their cost. And wait.

The rest is details.

Tendenci will continue to rise because it is exactly what nonprofits and government agencies are asking for. Freedom. Respect. Dignity. Openness. Love.

Tools to help the cause first and our company second.

PS – if you are an investor in that company, don’t worry. I have no intention of implementing the above strategy right now as this is a case of “there is no spoon.” What is next is far more interesting to me. There is some amazing stuff on the horizon. I just wanted to come clean on how vulnerable some companies are. And yes, in a SWOT analysis or a prospectus, you should probably cross reference their technology with tech trends. I guess that is a question for the attorneys and IANAL.

Christmas with the family and depression (ya, I know, bummer post.)

HOLIDAYS AND DEPRESSION

IF IN A SERIOUS SITUATION – CALL 911 IMMEDIATELY. OR CALL A PROFESSIONAL SUICIDE HOTLINE LIKE (800) 273-8255

Yes I realize I’m in dangerous territory. But I’m also old enough to have seen depression turn people into drugged out zombies or some who have tragically committed suicide.

When Liberty Weeps by artist Anu Srivastav

Yes, in 2015 I’ve lost a few friends to suicide. More than a few if you count acquaintances. It seems like more than usual. Given Tendenci is open source and intended for nonprofits and cause based membership organizations, it should come as no surprise that I’ve proof read a lot of text on sites like our client

The Depression and BiPolar Alliance of Houston
http://www.dbsahouston.org/
(713) 468-5463

Just to repeat, this is a personal post on my personal blog. I repeat, I am not trained and am in no way qualified on this topic. I only know the devastation left behind when someone makes a decision to leave. They can call (800) 273-8255 and begin the process of healing.

You know what doesn’t work? Telling someone at risk “Hey, just cheer up buddy!” That is truly as stupid as telling an amputee “Just try harder buddy!” without giving them a prosthetic leg.

Don’t do that shit.

If you don’t understand depression is physical then you have never experienced depression. And that is your blessing. You are one of the lucky ones. Yet please read this as perhaps you can be a part of the solution without being an *^*&@@#!

Yes, I realize I’m selfishly upset about losing so many brilliant minds in the tech and entrepreneurial community to death these last few years, for whatever reason. And I understand why the newspaper doesn’t report on self-taken lives as that has been proven to increase tragic clusters. I get that.

Let’s be productive, OK?

If you have a friend or even an acquaintance that you are worried about, maybe taking action is the right thing to do. This depends on your relationship with them. And that is a definite “maybe”.

The Holidays Amplify Depression for Many People

If you have an urgent issue right now – do this:

Call 911

Call the US suicide prevention hotline at (800) 273-8255
In Houston call (713) 468-5463

Why this post now? Well for whatever reason, depression is worsened for many during the holidays. Nobody has a solution for this.

But I can suggest spending time with that person. To just be with them. Or listen to them and if they say “no” then maybe the solution is to leave them the hell alone and everything will be cool. It’s an impossible balance, no that isn’t fair, nothing in life is fair. It’s all a gray area. Depression is definitely not fair either, so there is that.

If you are seriously concerned, given one of our Tendenci clients is The Depression and BiPolar Alliance of Houston I know there is great information and numbers to call at http://www.dbsahouston.org/suicide-prevention/ or call them at (713) 468-5463

MY UNPROFESSIONAL THOUGHTS THAT I HAVE SEEN HELP PEOPLE IN MY LIFE BUT MAY NOT APPLY TO YOUR SITUATION

Family

Stay close to family and friends that you truly know and trust. If it’s your work-out friends at the gym, your weekly poker game, your church group, or even your local pub. Hang with the people who you know who you can trust to stand behind you.

Relatives

Relatives – Don’t expect Santa to show up or your long lost family member to return. Be realistic and not overly optimistic.

My experience is that fights between family tend to go up during the holidays, between eggnog and family being together for the first time in a year. So don’t expect “White Christmas.” My family is more like an episode of Seinfeld or a Robert Earl Keen song.

My family is a bit better than this video. But a few chords strike home. Worth a watch.


OK, back to getting through the holidays for you and yours.

Volunteer – Give First

Volunteer to help others. This one is the one that helps me the most. Giving is the best gift you can receive. And yes picking up the neighbor’s paper counts. So does volunteering with the local homeless shelter or just walking the elderly neighbor’s dog. Ask the old Veteran down the street if he’d like you to fix his flag holder on his front porch.

Small things that reward you as well as the recipient. It ain’t about the stuff.

Call that coworker you know doesn’t have family in town and just say “Merry Christmas.” That’s it. Keep that shit simple.

Do something different, but not dangerous. Walk through the trails of that park you have been meaning to walk through for years. Adopt a pet. Put on those old shoes you are going to throw away anyway and walk into the marsh in Galveston just a little bit to see the fish. Then throw the shoes away.

Losing a Loved One During the Holidays

Losing a loved one during the holidays, as many of us have, simply causes us to think about them more.

So yes, definitely think about those you have lost, but try to find a way to think about the loving, funny and positive things that led you to love them in the first place.

When someone departs that’s beyond my pay grade and I’ll leave that to God. Remembering them with joy – I believe that is something we can all do.

Now, first I must confess that I have not achieved this goal.

But why oh why do we remember the date of our Father’s funeral but can’t tell you his birthday even faster?

“The Meaning of Life Conversations”

Your friends and family may want to have “The Meaning of Life Conversations.” As my friend says “Oy vey” you aren’t a trained counselor. Neither is anyone else after two glasses of wine. Listen if asked but think thrice before offering advice. If it’s serious, suggest they see a professional counselor. Keep an eye on your friends and call them a cab. Look out for one another but don’t try to solve it at the holiday party. If it’s that urgent, then both of you can leave the party in a cab and get a coffee at IHOP.

Family Gatherings

Family Gatherings – make something out of nothing. At a family holiday gathering in the mountains I once found a flat stone about the size of a saucer near the house. Brought it inside, cleaned it, and suggested all of the kids could use a sharpie and sign it so we could all remember that Christmas. It turned into a tradition. And I love that stone still displayed on our porch. It was genuine, beautiful, and it cost nothing.

Gifts?

Gifts? – I’ve given up on this one and unless I know, I either ask the person or ask their best friend. Or an Amazon gift card. If you’re low on cash, give away your airline miles. If you’re good with cars, give them a paper that says “one free car repair minus the cost of the parts.” Maybe just a Christmas card with the words “Love you” written by you.

Parties

Parties. For many of us these are terrifying. “zOMG, what is their name again?” But if you enjoy them, then go. If you don’t, then don’t go. Or go with a trusted wing-man/wing-woman who won’t abandon you. Stuck alone – pretend you have an urgent update to do on your phone and play a game. Fake it.

Photography at Parties – Yes, be in the photos. Don’t make a scene. Do try to avoid holding a drink in your hand in the photos. Why? Because if you are holding a drink and you blink when they take the photo you look hammered. Or you just learn to never blink.

Work & Entrepreneurs

Work – this varies. Some people like the time off completely. For me I use it to plan for next year while everyone else is napping. I just don’t talk about it with them. It’s just a great time to plan ways to help the ones you love by providing for them without the interruptions of the daily business.

Entrepreneurs and business owners don’t have work-life balance. They are planning like crazy, either on the web or in their brains. But they aren’t having the same thoughts you are while going down the ski slopes in Aspen or putting together a 1000 piece puzzle of Santa.

Here is the deal: if you surround yourself with extreme risk-taking type A personalities, then don’t be surprised by their hard-wired risk-taking and constantly driven behavior. Huge victories followed by crushing defeats. Retreat into their cave to heal, and then for some dumb-ass reason go do it again. Entrepreneurs chose an activity with a 95% failure rate. The highs are very high and the lows are very low. Honestly I don’t know how you put up with us, but I do know I couldn’t live without you.

Trivial games – why not?

Play Cards – no, not Texas Hold’em. Ask your elders to teach you spades or bridge or spoons. There are games that aren’t as high stress as Risk or Chess that bring you together.

Penny Bags – over the year we collect pennies and we have a bag that they all get put in and all of the kids can reach in and take out as many as their hands can hold. It’s just fun. Sometimes the older kids will ask if they can pull for a younger and the younger one can pull for them. It’s cool.

Legacy and Meaning

This one I mean the most. Talk to your elders. And by “Talk” I really mean “Shut up and listen.” Example: Walk up to your Great Grandmother and ask her if it’s OK if you turn on “voice memo” on your iPhone, then ask her what it was like when cars were invented. What was your great grandfather like?

Treasure those memories. If appropriate post on www.geni.com so others will hear the wonderful and funny stories about the people that created you. It is a beautiful gift to future generations and my elders have always been honored when I truly want to listen to them. And I do. I wish I had done it more.

Acceptance

I’m sure this post is all over the place from an organizational perspective. From suicide prevention to how to navigate through the holidays for those with depression or memories of someone you lost in holidays past. I can’t help that.

But if you or a friend are feeling sad, accept one another: the hug, the love, the phone call, even a text message. These are beautiful things you can do for yourself and your friends and family.

I wish everyone a Merry Holiday Season. Let’s just look out for each other, call an Uber, call a Cab, call a crisis hotline, use your love for each other and your common sense.

Actual Emergency? Do one of these two things.

Call 911
US suicide prevention hotline at (800) 273-8255

#peace

The Internet has Fundamentally Changed – Here’s One Partial Solution

This post is based on the premise that 1) we have a serious security problem on the Internet and 2) money is the only (unnecessary) barrier to solving a large portion of it.

The Problem

The Internet has fundamentally changed. It is so virus and malware infected that a normal human being can’t keep their own PC, Mac or Linux computer from being infected. In other words, the Internet is broken. And our devices don’t work if they aren’t connected to the Internet.

It’s just not right. Why should you have to become a security expert? And it DOES NOT NEED TO BE THIS WAY. There is no need for this. The powers that be over the Internet are CHOOSING this and you are the victim.

The (Partial) Solution

We can’t fix it all, but what if we could stop the bleeding by even 50%? Or maybe 30%. Or even 10%. It’s a start. These are our neighbors, our family, our friends and they are being victimized by identity theft because, well, because they are human. Well, reduce the crime? WE CAN! We just have to encrypt everything. By doing so, a large portion of the problem goes away.

Will there still be break ins? Of course. Frequency however will be radically less and you are far less likely to be a victim.

Why? Because the weapons of cyber-warfare are now out in the open to be purchased for as little as $500 on the forums. People are desensitized to it all and now just accept it.

As a company that hosts web sites, here is what I know to be true.

  1. Clients will use weak passwords and we can’t audit that because WE encrypt the passwords in the database. So if a client uses “changeme” or “123456” or “washington” as their password we can’t see it, but when you log in from the local hotel and the wifi isn’t encrypted, bad guys can. We can’t detect or fix this because it’s encrypted on our side. But if you aren’t using SSL then it’s NOT encrypted when you send it over.
  2. Example top 100 passwords used on Adobe after they were hacked. http://stricture-group.com/files/adobe-top100.txt
  3. Clients and end users are faced with hundreds of passwords so they use the same passwords over and over. If someone gets one of your passwords, they effectively get everything.
  4. With the proliferation of Open Source, as Tendenci is, developers will deploy a site for you, give it to you, and leave it to you to maintain. So are you running your security updates? Because that is your responsibility now.

Why don’t people encrypt their web sites? Because there is a $50 to $500 a year fee. Plus a hidden cost of updating it every year and paying your hosting provider to install your SSL certificate so the real cost is more like $250 to $1,000 a year.

So why?

Generating a certificate takes one (1) line of code. ONE LINE! Hosting servers to verify the certificates does come at a cost, but so does DNS and it isn’t anywhere near as expensive. Generating a key is technically FREE. Here – go do it for yourself.

openssl genrsa -des3 -out server.key 1024

The key you just generated can sign its own certificate, which is called a self-signed certificate. So if you visit the site from IE you get a scary message that it can’t be verified. BUT if you visit a site with no encryption, oh, then IE is completely cool with that. Onward thus. Proceed into unencrypted, unsafe territory with abandon. Do you see the problem here?

So what’s the motive? Why? Because of the cash machine. The certificate authorities want to charge you for their certificate chain saying that you are legit. But GoDaddy charges $270 for a wildcard SSL? Or Network Solutions can offer the same wildcard ssl for $494 with a 5 year contract.

So I guess if you aren’t rich your voice isn’t as legit as someone else’s voice? The bottom line is the certificate authorities want your money. Now, DNS service providers usually charge $10 to $15 a year to resolve your domain name. Tell me again why an SSL certificate is $50 to $500, or else it gives a browser warning that terrifies people? It’s not a new debate, it’s a license to print money that deters security on the Internet globally.

It’s just greed. But the cost is astronomical to the citizens of the world. It’s like a city not repairing roads and ignoring the cost the citizens bear fixing their cars which is so much more than the cost of filling potholes and installing stop signs. It’s pennies for lives. Hence, cities fix the roads (for the most part.)

What if we flipped it? Why don’t you have to pay $100 a year to NOT have your site encrypted? What if security was the default? What if encrypted email was $10 a month but unencrypted email was $500 a month? Would that get people’s attention?

We can self sign web sites and email ourselves. We don’t need no stinkin’ web authority to do it. It’s one line of code.

Oh wait. Stop. Idealistic guy trying to save the world with open source disclaimer. Why not? Because of the “man”.

The browser will give you a terrifying warning about that certificate not being “approved,” and IE will flat out block it if you don’t pay up. No, you must pay “the man,” which in this case is the certificate authorities, who are powerful enough to have their root certificates shipped with all of the web browsers. What would their cost be to include a public domain certificate authority, much like Wikipedia is for information? Um…. nothing. Zero. Nada. They just wouldn’t get a kickback.

It’s generating an “approved” key where the registrars make all of their money. It’s about the money. It’s greed. Even from foundations like Mozilla – they could easily solve this by endorsing a free and open certificate signing authority. They haven’t. I expect more from them. Some leadership in this would be nice. Where is Lessig on this? Why is there no outrage?

I’ll tell you why. Because it’s too geeky. Too technical. People zone out. zOMG, I like to create things. I bore myself talking about this crap. But it matters. Encrypt it all. Now. And do it for free. If my client buys a domain name why do I have to do ANYTHING to encrypt it? Don’t they deserve that? Should encryption be the default? I THINK SO. And I don’t think you should have to pay for it given it is as simple as DNS and could easily be included.

And yet the powers that be continue to be the “Certificate Authorities” and they continue to make money causing only 4 to 5 % of the web to be encrypted. So you and I continue to be the victim.

Please tell me someone out there is a little outraged by this? Not that I/we/you aren’t the problem as well…. read on …

To emphasize the point on weak passwords (again – this is YOUR responsibility, but irrelevant if on an unencrypted connection), these are the actual top 10 passwords used on Adobe logins (mind you this software costs thousands of dollars and this is the key to get it.) 1,911,938 of your fellow citizens chose “123456” as their password. Seriously. Another 345,834 people chose the password of …. wait for it …. “password.”

Rank	Count	Actual (no really) Passwords
---	-------	------------
1	1,911,938	123456
2	446,162	123456789
3	345,834	password
4	211,659	adobe123
5	201,580	12345678
6	130,832	qwerty
7	124,253	1234567
8	113,884	111111
9	83,411	photoshop
10	82,694	123123
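Point 1 above says the hosting side can’t see a client’s password because only a one-way hash is stored, and the table shows what people actually pick. The defender-side answer to both is below, as an added example that is not from the original post: gate the choice at password-set time, and audit an existing hashed store by hashing each entry of the public top-10 list under every account’s own salt and comparing. The storage scheme (salted PBKDF2-HMAC-SHA256), the 8-character minimum and the three sample accounts are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# The ten passwords from the Adobe table above, used as a denylist.
ADOBE_TOP10 = [
    "123456", "123456789", "password", "adobe123", "12345678",
    "qwerty", "1234567", "111111", "photoshop", "123123",
]

# Assumed storage scheme for the example: per-user salt + PBKDF2-HMAC-SHA256.
# The iteration count is kept low so the demo runs instantly; a real
# deployment uses a far higher count (or bcrypt/scrypt/Argon2).
ITERATIONS = 1_000
MIN_LENGTH = 8  # assumed local policy, not something the post specifies


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the value that would be stored for this password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def check_new_password(candidate: str, denylist: List[str] = ADOBE_TOP10) -> Optional[str]:
    """Gate run at the moment a user picks a password, before it is hashed.

    This is the only point where the plaintext is available, so it is where
    the denylist check belongs. Returns a rejection reason, or None if OK.
    """
    normalized = candidate.strip().lower()
    if normalized in {p.lower() for p in denylist}:
        return "password is on the public breach top list"
    if len(candidate) < MIN_LENGTH:
        return "password is shorter than %d characters" % MIN_LENGTH
    return None


def audit_hashed_store(records: List[dict], denylist: List[str] = ADOBE_TOP10) -> List[Tuple[str, str]]:
    """Flag accounts whose stored hash equals the hash of a denylist entry.

    The plaintext can't be read back out of the store (the post's point), but
    the operator can still hash a short list of known-bad values under each
    account's salt and compare. That is a bounded, defender-side audit.
    """
    flagged = []
    for rec in records:
        for candidate in denylist:
            if hmac.compare_digest(hash_password(candidate, rec["salt"]), rec["hash"]):
                flagged.append((rec["user"], candidate))
                break
    return flagged


def make_record(user: str, password: str) -> dict:
    """Build one constructed account record the way a registration step would."""
    salt = os.urandom(16)
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample store: three accounts, two of them on the breach list.
SAMPLE_STORE = [
    make_record("alice", "123456"),
    make_record("bob", "correct horse battery staple"),
    make_record("carol", "photoshop"),
]


def flagged_users(records: List[dict] = SAMPLE_STORE) -> List[str]:
    """Usernames that the audit flags, in store order."""
    return [user for user, _ in audit_hashed_store(records)]


if __name__ == "__main__":
    for user, pw in audit_hashed_store(SAMPLE_STORE):
        print("%s: stored hash matches breach-list password %r" % (user, pw))
    print(check_new_password("adobe123"))
    print(check_new_password("correct horse battery staple"))
```

The audit only ever tests the ten listed values per account, so it stays cheap even with a production iteration count; it is the same check the registration gate performs, just run after the fact.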

One simple solution that would significantly reduce network attacks. Encrypt every site. At no cost beyond the price of the domain name. Make it easy. And free.

Dear non-technical people – please stay with me for a moment. I know I have to use a bit of geek speak but I want to try to explain the ruse that is being played on you. That it isn’t needed. That the cost of certificates is almost non-existent and you are the victims.

Encryption explained in one paragraph (simplified)

If I give you the number 21 and ask you what prime numbers divide into it besides 1, the only way to find out is to try every prime number. But if I give you 7 (my “public key”), you can verify very quickly that 21 divided by 7 is 3, another prime. That’s it.
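The asymmetry in that paragraph, as an added example (not code from the original post): `find_prime_factor()` does the work of someone who was not handed a factor and has to try divisors until one fits, `verify_factor()` does the work of someone who was handed one, a single division plus two primality checks. It goes beyond the post’s 21 / 7 case by also running a constructed pair of five-digit primes (10007 and 10009, chosen for the example) to show that the search work grows with the number while the verification work stays at one division. The search tries every integer rather than only primes, which only makes the outsider’s job look easier than the post describes.

```python
"""Factoring versus verifying, the asymmetry behind public-key crypto.

Added example, not code from the original post. It makes the post's 21 / 7
analogy concrete and generalizes it: find_prime_factor() does the work an
outsider faces (try divisors until one fits), verify_factor() does the work
the key holder faces (one division plus two primality checks), and the gap
between the two grows with the size of the number.
"""
from math import isqrt


def is_prime(n: int) -> bool:
    """Trial-division primality test; adequate for the small numbers used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def find_prime_factor(n: int) -> tuple[int, int]:
    """Search for the smallest prime factor of n by trial division.

    Returns (factor, attempts); attempts counts the divisions performed,
    i.e. the work done by someone who was NOT handed a factor.
    """
    attempts = 0
    for d in range(2, isqrt(n) + 1):
        attempts += 1
        if n % d == 0:
            return d, attempts
    return n, attempts  # no divisor found: n is itself prime


def verify_factor(n: int, p: int) -> tuple[bool, int]:
    """Check a claimed factor p of n: one division, plus primality of both parts."""
    attempts = 1
    ok = n % p == 0 and is_prime(p) and is_prime(n // p)
    return ok, attempts


def compare(n: int, claimed: int) -> dict:
    """Work needed to factor n from scratch versus to verify the claimed factor."""
    found, search_work = find_prime_factor(n)
    ok, verify_work = verify_factor(n, claimed)
    return {
        "n": n,
        "found_factor": found,
        "search_divisions": search_work,
        "claimed_factor_ok": ok,
        "verify_divisions": verify_work,
    }


if __name__ == "__main__":
    # The post's example: 21 = 3 * 7, with 7 handed over as the "key".
    print(compare(21, 7))
    # Constructed larger case: two five-digit primes (10007 and 10009).
    print(compare(10007 * 10009, 10009))
```

For 21 the search finds the smaller factor, 3, on its second division (the post hands over 7, the other one; either verifies in one step). For the constructed product the search needs 10006 divisions and the verification still needs one; real keys use primes hundreds of digits long, where that gap is what makes the scheme usable.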

Solution – every web site is encrypted with SSL by default and you have to pay extra to NOT encrypt your website. Done.

Obstacles – the companies that sell SSL certificates don’t want that. I pay $300/year for our wildcard certificate and what I am proposing is that they be given away for FREE TO EVERYONE WHO GETS A DOMAIN NAME.

Seriously, this isn’t a game, people. YOU, as an individual, need to not use dumb passwords. As programmers say, like it or not, “you can’t fix stupid.” Yet I do have sympathy given the average human has NO IDEA of the cyberwar that isn’t pending, it’s happening NOW!

Thus WE, all of us, need to have everything encrypted end to end to avoid the obvious. Occam’s razor.

SXSW V2V – Proprietary to Open Source: Giving Away $6M is Harder Than You Think

My presentation slides from speaking at SXSW V2V in Las Vegas this week. The official description is below and they are producing a video so I’ll either update this post or add the video as well.

Proprietary to Open Source: Giving Away $6M is Harder Than You Think

After 15 years running a successful business, Ed Schipul released the source code for his proprietary software, Tendenci, to the world. Foreseeing the impact of the cloud, mobile, and GIS, Ed knew he had to change his business model or become irrelevant. Open source was the path to future sustainability and innovation.

There were, however, seemingly insurmountable challenges. Tendenci 5, the first open source CMS platform for nonprofit organizations, had to be completely rewritten from .Net, ASP and SQL to Python, Django and PostgreSQL. From Github to cloud software, he had to choose all the tools to put in place to support his rewritten product and new architecture.

Lessons learned from the transition include the importance of testing and how to make your application’s architecture more scalable as well as what open source tools have proved to be most valuable. Ed will share his reasons for thinking that all of this is the best choice for both the product and the development community.

See more at: http://schedule.sxswv2v.com/events/event_V2VP29570#sthash.SM08HnZT.dpuf

moving google apps domains to … google apps … is painful

After having recently moved google apps accounts from the domain schipul.com with an alias for our tendenci.com emails, to reverse it to be tendenci.com with aliases from the schipul.com domain, I wanted to help you avoid some pain.

First – there is no easy way to do this. There is a planning doc from google apps, but google apps and google analytics aren’t even on the same page. (Trust me, we got so frustrated that we finally conferenced google in with google and listened to two highly intelligent people contradict each other. #sigh).

I don’t intend this post to be a “how to migrate your google apps domain to a new one” but I can at least hopefully help you on a few particular items. Consider this a “stuff to look out for” post with the usual YMMV caveat.

  1. There is no “switch” to change primary google apps domains.
  2. As of January 2014, the only way to do it is to DELETE your primary domain and wait for google to “fully delete it” (whatever that means) and add it back to your new google apps domain. Probably best to keep a primary that isn’t on google.
  3. Analytics is tied into a gmail, either gmail.com or google apps account. Given you probably don’t want to lose analytics and PPC for 1 to 5 days, move this one a week ahead of time at least. How? Get this.
    1. To change google analytics master accounts you have to update each one individually. Really fun for an agency with a few hundred accounts under management. Thus DO THIS FIRST. If I could do it again I’d go with agencynamehere@gmail.com and move everything over there instead of waiting out even the removal of an alias from the primary.
  4. You have to remove the alias domain fully before you can add it as a new google apps domain. This includes removing it as an alias from deleted accounts, which requires restoring the account, removing the alias, deleting the old account again which resets the “up to a week to delete” clock for the deleted account. /~slams head on desk~/
  5. Removing the alias domain is hard. Searching for the alias won’t show everything. You basically have to check every group, user, resource (shared calendars) etc to see if they have it as an alias. And they probably do because you set it to automatically add that alias to all resources in the domain like google prompts you to do.

First make a backup. More on that below. AFTER backing up the accounts, even if it doesn’t get docs and calendars etc, migrate. Well, sort of.

For us, we used backupify to move our google app accounts content
https://www.backupify.com/free-tools/migrator-google-apps

Side note I also used Backupify to backup my facebook pages before requesting a merge and that was also delayed. However, I believe Backupify rocks, but gmail and facebook don’t make it easy. I couldn’t find a better solution than backupify so they get a tip of the hat from me.

Back to backupify and google apps – it does NOT move the domain or create a new app account, it just moves “most” and “some” and “tries really hard” to move the data. Works fine for the young guns but if you have 15+ years of emails it won’t move it all no matter how long you wait.

Out of sequence, but see the next post on backing up your google app emails for deleted accounts or your larger accounts as backupify can’t migrate those. You have to backup and restore. Or backup and don’t restore. A great chance to start over. See next post.

Religion is the overwhelmingly dominant factor in predicting generosity

Some stats from the book Who Really Cares by Arthur C. Brooks:

  1. Religion is the overwhelmingly dominant factor in predicting generosity – religious liberals and religious conservatives are identical.
    1. “Religious” is defined by Brooks as individuals who attend worship service at least once a week (30% of the population) and;
    2. “Secular” is defined by Brooks as people who either don’t believe in a deity, or attend a place of worship one or fewer times per year.
  2. Religious people are 25% more likely to donate money than secular people
  3. Religious people are 23% more likely to volunteer, and even within the population of people who volunteer, religious people devote twice as much time.
  4. Conservative people give more money. Possibly a correlation as religious people are conservative.
  5. Political Affiliation (e.g. Democrat vs Republican) itself isn’t the predictor.

I believe it is worth pointing out that the definitions of “Religious” and “Secular” are polarized on opposite ends of the spectrum. There are many who perhaps attend a religious service once a month who would not fit either category as defined by Brooks.

All data from Who Really Cares – Compassionate Conservatism on Amazon.

Technology and Crisis Communication Panel at SXSW. Vote?

SHORT VERSION:

Please vote for my panel at SXSW DON’T PANIC – The Geek’s Guide to the Next Big Crisis

LONG VERSION:

A little more than four years ago I wrote my first blog post. It was about the need for a form of Emergency RSS. We can share celebrity gossip headlines through feed readers faster than we could use technology to respond to a crisis. And this was an important point as I started blogging in 2005 right after and in response to a need to share after Hurricane Katrina. Crisis response and crisis communication has always been a passion of mine, and seeing our government’s mostly failed response in New Orleans compelled me to start blogging and contributing where I could.

Running the company, I chose to stay in town during the Hurricane Rita evacuation. While Rita did not hit Houston, instead crushing the gulf coast near Beaumont with little news coverage in the wake of Katrina, we did learn from the Rita evacuation. We used a wiki page on Tendenci (our software) to track down all employees. Employees on the road, which for some of them was 10 to 20 hours during the evacuation, would text their managers, who then updated the wiki to account for everyone. We quickly knew everyone was OK.

Then last year we prepared for Hurricane Ike which went over our town. When the storm hit the ONLY thing that worked was SMS messaging. No power, no water, no data, no TV. Just radio and text messaging. Luckily we had set up a product called Yammer, which is like Twitter for your company (and they have a business model) and we were able to keep in touch. Data services, which is what your cell phone depends on to get to web pages, went down. Voice went down. The only thing that allowed us to keep in touch with all of our employees and their families was text messaging sent directly and through Yammer.

We learned a lot about the role of tech in a crisis combined with human behavior. Example – an employee’s cell phone would die. They would use someone else’s cell to text a message to their manager saying “we are OK and staying near College Station”. Except that is ALL they would say. We didn’t recognize the number and had no idea WHO sent it! The solution was to train all of our people to put their NAMES at the end of each text message. Seems like a small thing. It is. But it makes it possible to do a head count!

Since 2005 our firm now does the web site for the Houston Red Cross and Reliant Park, both of which are key for Houston Emergency Response planning. We have the privilege of working with Firestorm Crisis Communications and Preparedness and long time clients like crisis communicator Dan Keeney. I have attended Netsquared Houston meetings when David Geilhufe taught us about People Finder Information Format. And I work with people like Jonti and Katie who have helped all of us set up our ICE cards for our families.

Now I need your help. I’d like to continue the dialog on Social Media and Emergency Response. What IS the role of twitter beyond updates? What are the alternatives for Yammer? Is there a cost effective solution for businesses and families? We have come a long way, so let’s talk about it.

PLEASE VOTE AND COMMENT on this SXSW Panel I hope to moderate. Without your vote and your comments the panel might not make it. And I believe in this topic too much to see that happen. Spare a minute? Please VOTE!

DON’T PANIC – The Geek’s Guide to the Next Big Crisis

Are you and the people you care about prepared? Our panelists will share their crisis stories and tell you how to be ready, both online and offline. PFIF, Yammer, Facebook and iPhones – the technology and strategy is there and getting better, so let’s take it to the next level.

  1. How does emergency response and communication relate to the Web? Do developers and small business owners really need to care about Crisis Communication?
  2. How can our emergency teams (fire, ambulance, police, etc.) benefit from standardized data sharing? What can I do about it?
  3. What does the rise of Mobile Web mean for the next natural disaster or other catastrophe?
  4. What tools (Web, mobile and otherwise) are out there right now that my family, friends and company should be using now?
  5. As a geek, what are 5 things you should do TODAY to keep your family safe and your business running when disaster strikes?
  6. If practice makes perfect, what kind of drills and regular training should your business be doing right now that won’t break the bank or kill your billable hours?
  7. What are some of the technical lessons we learned from Hurricane Katrina?
  8. Tech and communication stories and lessons from Virginia Tech, Hurricane Ike and beyond…
  9. What is a crisis to you and how do you strategically and technologically deal with it internally and for the rest of the world to see?
  10. How can you best identify your strongest and most reliable communicators and rock stars during times of crisis? How do you deal with employees that book it and vendors that disappear?

Why am I doing this?

Well, it isn’t for business as I have no financial ties to yammer or twitter or any other messaging services. Tendenci is a content management system that powers associations and sites like the Houston Red Cross, but they are already customers. And ANY emergency response technology must be open source for maximum adoption long term. I just believe passionately in our need to share information and I think technology can help with crisis communication. Social media sites like Facebook and Twitter bring a lot to the table. If you, like me, are passionate about this, please vote for the panel “DON’T PANIC – The Geek’s Guide to the Next Big Crisis” and I hope to see you in Austin next March!

Caroline Collective Coworking Space Anniversary

Houston’s own Caroline Collective Coworking Space is having an anniversary party this Saturday!

And a few more related links to the party THIS Saturday at Caroline.

1. Caroline link post: http://carolinecollective.cc/2009/06/04/were-one-lets-have-some-fun/
2. Facebook invite: http://www.facebook.com/event.php?eid=184256345206
3. Artshound: http://www.artshound.com/event/detail/25097
4. Mentions on twitter: http://twitter.com/#search?q=@carolineco%20party

I hope to make it on Saturday and hope to see y’all there too! From the announcement:

And a special thanks to the party sponsors who stepped up to offer things to donate; we would love to show them some love, including Riazul Tequila, Sweet Leaf Tea, Saint Arnold, 29-95.com, Tacos A-go-go, Danton’s Gulf Coast Seafood, and Aztec Party & Tent Rental.

Don’t Fight It will DJ and the illustrious (you)genious will serve as MC.

Houston Green Scene will be providing the party favors: 2″ biodegradable peat pots with organic potting soil and planted daisy seeds.

The Godfather, The Undertaker, and Informal Systems

In recent talks I have found an anecdote that has worked well to explain the difference between formal and informal systems that most Americans can relate to. The book The Godfather opens with:

Amerigo Bonasera sat in New York Criminal Court Number 3 and waited for justice; vengeance on the men who had so cruelly hurt his daughter, who had tried to dishonor her. (pg 3)

The two young men who did this were set free by a corrupt judge. Amerigo Bonasera, the Sicilian Undertaker, concludes “For justice we must go on our knees to Don Corleone.” The formal American system in this fictional book has failed our Undertaker. So he reaches out to the informal system in his community; Don Corleone. When they meet on the day of Corleone’s daughter’s funeral, a day “that by tradition no Sicilian can refuse a request” (pg 17), Amerigo asks the Godfather to have the men killed. Corleone refuses and rebukes Amerigo for basically being a rainy-day-friend. Corleone says:

“…until this day you never came to me for counsel or help. I can’t remember the last time you invited me to your house for coffee though my wife is godmother to your only child. Let us be frank. You spurned my friendship. You feared to be in my debt. … Now you come to me and say, ‘Don Corleone give me justice.'” (pg 21)

He continues:

“Why do you fear to give your allegiance to me? … if you had come to me, my purse would have been yours. If you had come to me for justice those scum who ruined your daughter would be weeping bitter tears this day. If by some misfortune an honest man like yourself made enemies they would become my enemies” – the Don raised his finger pointing at Bonasera – “and then, believe me, they would fear you.”

“you shall have your justice. Some day, and that day may never come, I will call upon you to do me a service in return. Until that day, consider this justice a gift from my wife, your daughter’s godmother.” (pg 23)

Justice is delivered on page 53 “… they seemed to be pulps of human beings. Miraculously, said the News, they were both still alive though they would both be in the hospital for months and would require plastic surgery.” – And the Undertaker owes the Godfather.

All of us can relate to this story, particularly if we have children. “I don’t need you! I’m (an adult/in high school/have my own job/etc/etc) now! I can do it on my own!” But really NONE of us can do it on our own, with any level of success at least. It takes support from both formal and informal systems. Success requires support from family, the rule of law, the employer and these days more and more success requires the full support of extended urban tribes.

For Public Relations folks, I like to bring up the shift from formal distribution (traditional mainstream media) to informal distribution (bloggers, youtube, twitter brand attacks). In my opinion, many people in PR and in media DO understand the shift from centralized to distributed (long tail, small pieces loosely joined) media. Yet what they potentially don’t fully understand is the shift in authority from the police to the Don Corleones of the world. And let us not forget the Godfather wasn’t exactly a saint, collecting protection money, bribing the police and “knocking off” the competition.

For public relations professionals, the bloggers are hidden (no Bacon’s directory! gasp!). And bloggers are completely biased and proud of it. And have authority far beyond what a small olive importer should have. From the bloggers perspective the world is finally acknowledging their informal system of authority. About time.

Just an observation about the shift from formal authority in the media to a more informal system. And we all need to get to know and be friends with the new kids in town. With respect.

PRSA International NP Social Media Presentation Slides Posted

My slides for my talk on Monday in Detroit with the PRSA International Conference 2008 are posted and embedded below. Very excited about co-presenting with Brian Reich of EchoDitto for the first time. As a long time follower of Brian on twitter, I am quite sure this will be an interesting session and we'd love to have YOU there! The topic is Social Media Strategies for Non Profits.

I should also say I am humbled and excited at the same time about presenting on the day that Bob Lutz from GM who blogs at the Fastlane Blog is opening! Wow! While I am not bullish on GM (sorry Bob), I do love the candor he brings to the conversation.

So here are the slides – feel free to follow along during the talk:

Here are a few helpful links that will make sense if you attend:

  1. Corporate Story Telling
  2. Cell phone anthropology – this is brilliant in its simplicity and forces major changes to the art of story telling
  3. Media Converter – conversion of file types is a BIG deal and the new simplicity of Media Converter is a game changer in my opinion.
  4. Apple Brand Love versus Dell Brand Love (if you can call the latter that).

I'd also like to thank @happykatie for all of the help researching and preparing for these presentations. As well as the rest of our team. When I go speak, it is very much a team effort and I really hope folks realize it ain't just me!

On a side note, I have noticed that as I have gotten more active on flickr, facebook (gah I hate their ugly URLs) and twitter, indeed my blogging has diminished. I still want to blog, I still like the "home base" aspect of having a blog. But the immediacy of twitter is so much more compelling and somehow the time to blog is reduced. So if you are wondering where I have been these days, follow me at the above links and we can stay tight, cool? Thanks!

And maybe, just maybe, this guy is right that blogs are dead. Nah.

Houston SXSW Panels – Can You Spare a Vote (and a comment?)

Voting ends tomorrow (Friday) the 29th of August 2008 for SXSW 2009. If you have a minute and like the topics, a vote would be truly appreciated!

Me!
Personal Branding for Profit and Social Media for NonProfit Rockstars

HappyKatie also has two panels submitted:
Strategic PR for Social Media Geeks and Heart Your Peeps – Build Your Business From Within

@deneyterrio has two panels submitted:
Is Your Company Blog Cheating On You and one with Reggie called My Life With NF in Web 2.0

The Houston crew has a bunch of sxsw panels submitted and they are all listed here. But there is a catch. Less than 24 hours of voting left! And commenting – comments are GREATLY appreciated! Houston Panels for SXSW Submission are listed here.

Erin, Rachel, Michaela and Beth – THANKS!

A huge thanks to our panelists from the SXSW "Pimp my non profit" panel.

A few other shout outs:

  1. Thanks to the DC Netsquared chapter for the concept.
  2. Thanks to Techsoup for starting Netsquared which is how I met these folks to begin with.
  3. Thanks to Katie, whose hard work made the panel possible.
  4. Thanks to the approximately 300 people who attended our panel, asked questions and demonstrated the number of sxsw attendees interested in the topic!
  5. Thanks to the people who voted and commented to help us get on the radar for non profits at SXSW!

Also – as noted on Beth’s blog, here are a few other bloggers’ take on the panel

Long Station
Patty in the Burbs
07G
Community Mobilization

SXSW Schedule Set – Pimp My Non Profit Panel Monday


Photo: Senseable at Emerging Arts Fest, originally uploaded by eschipul

Back late last night from ETech in San Diego. Just attending that one. Not big enough with the west coast glitterati to have a panel there. But yes yes, indeed we are rocking SXSW with the Pimp My Non Profit Panel!

Our panel is Monday from 5 to 6!

If you are attending SXSW and I am missing a great panel I should attend please DO let me know? This is my initial plan.

Netsquared Mashup Challenge Posted

The folks at Netsquared hosted a great conference call last week on the Netsquared Mashup Challenge, which is the theme for the 2008 Net2 conference. As one of the Netsquared Houston Meetup organizers I thought it was cool they were including us (also on the call are my partners in crime with Houston net2 Katie and Jason.)

So… I have been waiting to see this posted on the Netsquared site, and now here is the skinny:

Get Ready for The NetSquared Mashup Challenge!

Do you have an idea for a mashup that could be a tool for social change?

Do you look at all of the data available online, and imagine ways to combine and connect it to increase awareness about an issue?

Do you see projects like MAPLight.org or chicagocrime.org and think, I’ve got an idea for something like that, I just need a little help getting it off the ground?

If you answered yes, then join the NetSquared Mashup Challenge! We’ve created the Challenge because we believe you have great ideas for how data can create insight, and we want to create a platform to facilitate those kinds of mashups being built. Plus, we’ve got cash prizes to award to the folks who come up with the most innovative mashups for social change.

There are three parts to the Challenge:

1. Applications
Individuals working to create change will share with the NetSquared Community what change they are trying to make, as well as the information/data sources they believe can be married to help create that change. Applications will be available online February 1 and accepted until March 14, 2008.

(KEEP READING HERE)

The big take away is that you can submit starting on Friday. I know I’ll be pestering some of our past Netsquared speakers to submit their organizations. I suggest YOU do the same!

Non Profits and Social Media Research

Research links for my talk at GotSocialMedia tomorrow. Just some interesting notes on social media and non profits from recent events. As usual the primary trouble maker in the middle of it all is Beth.

  1. Metrics and evaluation of social media – Beth Kanter
  2. Evaluating the value of network causes – Allison Fine Blog
  3. Mobile phone credits in Kenya as part of activism – apophenia
  4. Social Media Outreach – Rising Voices
  5. fundraisers need to be worried about a pending financial disaster in the global economy
  6. Nonprofits Outpacing Business in Use of Social Media
  7. ROI: Can You Quantify the Untangible? You Can’t Quantify Love

One quote worth extracting is from the interview of Eric Mattson on netsquared:

We found that in general, charities and nonprofits are very familiar with social media. If memory serves, blogging was the technology they’re most familiar with, and that certainly makes sense when you look at the growth and the popularity of social media. Social networking is very popular, but it’s certainly skewed towards the younger generation, whereas blogs seem to have spread across all sorts of places, including major media outlets, really coming along as the one technology that people are most familiar with.

Themes from the above links and from other reading:

  1. Non profits have adopted social media very quickly. Some argue faster than for profit businesses.
  2. Reading is as important as writing. Be a part of the community. Link out. Pay attention.
  3. Metrics only partially measure ROI. Dual non profit bottom lines compound the "reporting" problem but does not take away from actual changes resulting from the use of social media.
  4. Microfundraising has huge potential (Kanter, FrozenPeaFund examples)
  5. Video – the adoption rate of video isn’t quite there yet, but it will be.
  6. Mashups Rule – programmableweb mashups for example.
  7. Crisis forms communities. Communities exist after crises subside, yet aren’t leveraged typically.

What seems to be missing from the dialog on non profits, social change and social software

  1. Discussion of brands, both NGO brands and personal brands that we are all developing
  2. A break down of audiences by motivation type (obviously an interest of mine)
  3. Clear delineation of web apps versus mobile phone applications.
  4. Retention and renewal of "membership" isn’t discussed (for Associations this is a big deal, so to see the topic of audience engagement and a concerted effort for "renewal" not discussed seems odd to me. Possibly for lack of a material motive given most SNs are free? Hmmm.)
  5. Little talk of the current recession in the US (with some exceptions)
  6. Little talk about "public relations" in the sector (but this is not a new trend, Red Cross comes to mind)

The deck from GotSocialMedia isn’t as comprehensive as the links and thoughts above. But I’ll slidedeck post it either right before or the day after the talk. Gnite y’all.

The Frozen Pea Fund

This is a repost of many many blog posts on the subject of the Frozen Pea Fund. But it is simply too important not to talk about it.

Why Frozen Peas?

Here is Susan’s explanation, from Boobs on Ice, the blog she’s using to chronicle her cancer experience:

When I discovered a very thick area in my breast I called the doctor. The next day I was in her office. A half hour after that I was in the diagnostic radiologist’s.

A full afternoon and multiple stab wounds later we had a variety of samples of malignant tentacles of tissue that were on their way to the lab.

I was in a little pain – it would increase as the local anesthetic wore off – but left his office with a soft cold pack in my bra.

To keep bleeding down & relieve pain I’d need to keep things cool. Traditional ice packs are hard and heavy. As much as I try to be a good sport I’m not into having a brick sitting on my chest.

Enter a bag of frozen peas.

(continue reading and get involved here)

Ed – Week 3 of Mustaches for Kids


Photo: Ed – Week 3, originally uploaded by deneyterrio

OK, tonight is the night. The stache-off of Mustaches for Kids Houston.

Saturday December 15
8 pm – 11pm
Stags Head Pub
2128 Portsmouth st
Houston TX 77098

It’s not too late to pledge me! All funds go to Texas Children’s Hospital. Jason is coordinating that. Feel free to post a comment as a pledge?

Per Jason make the checks out to "Texas Children’s Hospital" and indicate "tax deductible" in the memo field. Of course nobody itemizes anymore, but hey, if you did, that deduction would be cool.