The FBI confirms NGOs and Associations are Targets of Russian Hackers

James Comey Testimony on Russian Hackers Targeting Nonprofits and NGOs

Growing Tendenci – The Open Source AMS – has been eye opening. I didn’t fully realize why our clients were constantly being attacked, even behind all of our firewalls, scanners, ACLs, malware and rootkit detection, antivirus, third-party scanners, multifactor authentication, honeypots, the fact that we don’t store credit cards, and still more custom security measures we’ve developed in house.

I mean seriously, it’s not like you’re going to scan a site we host and not have it logged, inspected and blocked aggressively when possible. Nothing is hack proof, obviously. But our security practices are FAR beyond the norm.

I didn’t have the luxury of questioning the motive. We do.

When necessary, we have engaged authorities for assistance. So it was interesting to see this from former FBI Director James Comey’s testimony:

Source: http://www.politico.com/story/2017/06/08/full-text-james-comey-trump-russia-testimony-239295

BURR: Okay. When did you become aware of the cyber intrusion?

COMEY: The first cyber — there was all kinds of cyber intrusions going on all the time. The first Russian-connected cyber intrusion I became aware of in the late summer of 2015.

BURR: And in that time frame, there were more than the DNC and the D triple C that were targets?

COMEY: Correct, a massive effort to target government and nongovernmental, near governmental agencies like nonprofits.

BURR: What would be the estimate of how many entities out there the Russians specifically targeted in that time frame?

COMEY: It’s hundreds. I suppose it could be more than 1,000, but it’s at least hundreds.

Let me repeat that last part for emphasis in case anyone who works with Associations and Non Profits needs some ammo to take back to their board about why they can’t host for $10 a month on a cheap hosting site.

COMEY: The first cyber — there was all kinds of cyber intrusions going on all the time. The first Russian-connected cyber intrusion I became aware of in the late summer of 2015.

COMEY: Correct, a massive effort to target government and nongovernmental, near governmental agencies like nonprofits.

BURR: What would be the estimate of how many entities out there the Russians specifically targeted in that time frame?

COMEY: It’s hundreds. I suppose it could be more than 1,000, but it’s at least hundreds.

Those words should weigh heavily on people in the NPO/NGO sector. It is worth mentioning to everyone using an AMS. To be secure, you need to be able to inspect your own code, whether you host with us or somewhere else. Please do so with Tendenci at https://github.com/tendenci/tendenci/ . Security is a process, not a magic pill.

The motives for these attempted hacks are above my pay grade. Just know if you feel you are being targeted, well, it isn’t paranoia if they really are out to get you. And they really are out to get you.

And please don’t click that link in your email. Please. Just don’t do it.

Stay vigilant my friends.

PS – two other facts I can add. I can personally confirm it was in the hundreds just based on our client base. This does NOT mean they breached, but targeted? Yes. And second, by my estimations it started in earnest in 2013, not 2015.

PPS – and now we start the count down before they take my blog offline with DDOS again. Whoever “they” is. All I see is a matrix at this point… and I’m ok with that oddly enough. Because if the Zombie apocalypse is real in downtown SF, then everything else is possible too.

Disclaimer: This post is NOT about the President. Or about former FBI Director Comey’s testimony as it relates to our elected Zombies on both sides who vote party over the people they represent. No, this post is about a small part of Comey’s testimony that relates to Associations and Nonprofits. It applies whether they use Tendenci or not. Whatever the motive of the Russian hackers, the fact is that associations and nonprofits are being singled out for attacks. This is a fact of your current reality.

What is “x” competitor’s achilles heel?

In the course of owning a business you get a lot of phone calls from investors and venture capitalists. It’s a game, but a fair one if played correctly in that whatever your revenue, their criteria is just about twice yours. When we were 1M they were looking for 2M companies. When we were 2M they were looking for 3. When we were over 3 they were looking for 5, etc…. But they knew that when they contacted. So why?

Because knowledge is power. In an industry like membership management software there isn’t much transparency because so many companies are private. So they call. The calls are always polite. It’s important to remember they are frequently just due diligence by the firm as they negotiate to purchase a competitor in your space. Again, there is nothing wrong with this if knowledge is shared both ways.

Business Owner action item: as the business owner it’s up to you to ask the questions as well. Start with the simple stuff like “where do you see the industry going in 5 years?” etc. Trading information can be helpful for both parties, and if you are the smaller fish you had better be more nimble anyway.

How do most of the calls end? Typically the same and both parties knew it when the call started.

“well let’s stay in touch and touch base in a year.”

If you did your job and asked questions of them as well, then hey, that’s fair. In the VC world the “it’s not you, it’s me” breakup equivalent is “we are looking for someone a bit larger and with higher profits so call back”. But both parties knew that when the call started, it’s just the polite way to end the call. What highly profitable business owner wants to sell? Not many that I know of. It’s an attempt to be polite.

But, sometimes something interesting happens. Specifically I had someone ask me an interesting question recently about a competitor. It was a bit out of the blue which tells me it was on their to do list more than mine. The investor rep asked:

What do you see as company-x’s Achilles Heel besides being on the Microsoft platform?

I have to admit that I wasn’t expecting the question and I prefer not to say bad things about competitors. Usually they are good people trying hard in a competitive environment. We hang out together at NTEN, SXSW and for some of us OSCON. They really are good people. So I didn’t answer the “Achilles Heel” question fully. This is me correcting the record.

Yes, they have a problem. Why? Because in one of my History classes while getting a BS in POLS from Texas A&M University we studied Carnegie Steel. Given I like history, let’s look at it through the lens of “what would Andrew Carnegie do?”

In 1870 Carnegie decided that instead of being a “capitalist” with diversified interests he was going to be a steelman exclusively. Using his own capital, he erected his first blast furnace (to make pig iron) that year and the second in 1872. In 1873 he organized a Bessemer-steel rail company, a limited partnership. Depression had set in and would continue until 1879, but Carnegie persisted, using his own funds and getting local bank help. The first steel furnace at Braddock, Pa., began to roll rails in 1874. Carnegie continued building despite the depression—cutting prices, driving out competitors, shaking off faltering partners, plowing back earnings. In 1878 the company was capitalized at $1.25 million, of which Carnegie’s share was 59 percent; from these policies he never deviated. He took in new partners from his own “young men” (by 1900, he had 40); he never went public, capital being obtained from undivided profits (and in periods of stress, from local banks); and he kept on growing, horizontally and vertically, making heavy steel alone. From 1880 onward, Carnegie dominated the steel industry.

Still with me? Because from that dominance he sat at the top of the food chain. And then inexplicably they poked him. Why? WTF?

Carnegie had thought of selling out and retiring in 1889: his annual income was $2 million, and he wanted to cultivate his hobbies and develop the philanthropic program that was taking shape in his mind. But the threats that now came from the West as well as the East were too much for his fighting spirit and his sense of outrage, and he took the war into the enemy camp.

Sooooo… Carnegie then did NOT retire but rather took the fight to them. He took the fight to them with the advantages and business knowledge of his industry that he possessed. Now back to our story…

He (Carnegie) would not join their pools and cartels; moreover, he would invade their territories by making tubes, wire and nails, and hoop and cotton ties and by expanding his sales activities into the West. He ordered a new tube plant built on Lake Erie at Conneaut, which at the same time would be a great transportation center with harbors for boats to run to Chicago and a railroad to connect with Pittsburgh.

The competition surrendered, but at a much higher price than they would have otherwise.

Thus originated the U.S. Steel Corporation in 1901, through the work of J.P. Morgan. The point was to buy Carnegie off at his own price—as he was the only disturbing factor that held back “orderly markets and stable prices.” The Carnegie Company properties were purchased for almost $500 million (out of the total capitalization of the merger of $1.4 billion); Carnegie’s personal share was $225 million, which he insisted upon having in the corporation’s first-mortgage gold bonds. At last Carnegie was free to pursue his outside interests.

Why, how, could the competition have so badly misjudged things? They missed the megatrends/macroeconomics and underestimated their competitor. Realize one dollar of capital in the hands of experience is far more powerful than ten dollars in the hands of bankers.

It’s quite simple really. Carnegie had lowered his costs and built up his capital to the point that the competitor’s moves were an “event” and his response was simply a “choice”. A freaking choice. If that doesn’t make you nervous then I didn’t explain it well.

From the start Carnegie was willing to pay the price to win. Who knows, maybe he was just bored? Regardless the competition was in over their heads with a combined company run by bankers without the institutional knowledge of a steelman.

The bankers accepted their losses. But their misstep meant they paid a significant price for not researching the market, not researching the trends, and especially for not understanding the machine Carnegie had built. It wasn’t just the capital, it was years of best practices developed by Frick and Carnegie that allowed him to win. A business is complex. Business practices are maintained by people, not Visio flowcharts or PowerPoint.

Pick your fights.

Further – the only thing more complex than a business is communities of people like the open source community. You can’t buy them off or learn the social norms in a year or two.

[redacted]

Back to the phone call – in this case, the competitor the investor asked about is one we see occasionally in the sales process. They have some aggressive affiliates but I can’t say I’ve had a bad encounter with their CEO or one of their employees. So yes, I know them. I know how our product is differentiated with greater functionality. (having a better product does help – but they would say the same thing).

SWOT analysis if it got aggressive?

Well, I can back into the competitor’s costs using the usual methods like salary survey sites and looking at their network. There are people who will research these things for a very reasonable price. Add to that the fact that they are proprietary AND require two-year contracts, and it just makes it easier. You wouldn’t want to sign your nonprofit up with a proprietary solution if you knew there was a better solution that was also open source, right? (Data says 90% want to use open source or “roll their own” – NTEN.)

Maneuvering around their market positioning would be as strategically challenging as going around the Maginot line. Easy pickings – IF someone wanted a fight.

If this sounds arrogant, it isn’t. It is just me acknowledging how the future would put the very existence of our company in question if we hadn’t changed. I did what any self-aware responsible and knowledgeable CEO would do. We did a pivot. And WordPress and Drupal are great examples to follow.

The bigger question is why other leaders didn’t see open source coming?

Our competitive position – Tendenci has driven our costs down and gone open source in a group of competitors trapped with huge employee expenses, high proprietary licensing costs, shared servers which amplify security risks, and constant turnover in their workforce. Meanwhile hack attacks are skyrocketing and insurance and benefit costs climb.

Add to that programming isn’t something you can throw money at – it just takes time and adding more keyboard-monkeys just slows down the innovators.

To the person who asked the question – my answer is this:

Company X’s Achilles heel is that they exist at the whim of a better positioned open company with an aggressive strategy. You don’t have to win every prospect, you just have to force the competitor to sell below their cost. And wait.

The rest is details.

Tendenci will continue to rise because it is exactly what nonprofits and government agencies are asking for. Freedom. Respect. Dignity. Openness. Love.

Tools to help the cause first and our company second.

PS – if you are an investor in that company, don’t worry. I have no intention of implementing the above strategy right now as this is a case of “there is no spoon.” What is next is far more interesting to me. There is some amazing stuff on the horizon. I just wanted to come clean on how vulnerable some companies are. And yes, in a SWOT analysis or a prospectus, you should probably cross reference their technology with tech trends. I guess that is a question for the attorneys and IANAL.

systemd – I’ll deal with it like I deal with Pepsi in the North East

OPINION: The topic is init scripts. The part of a computer that determines what starts first and next and next etc. Most of my readers, and I thank you both, will want to close this tab in your browser and come back on a non-geeky day.

System Init. – Do you need your keyboard before your monitor? Nah, we’ll bring up the monitor before the keyboard. And yet we have bigger issues, like when to initialize the CPU, RAM, hard drives, USB peripherals, etc.

So I was updating my automatic services in Windows… oh wait, no, it was in Linux on 14.04.3, and everything kept telling me the same thing.

zOMG why are you using upstart when systemd is the bright-new-shiny!?!?

I know I’ll have to give in, but this thing smells like something between SELinux and Windows NT’s implementation of POSIX.

American corporate espionage preparedness is unprepared

American corporate espionage preparedness, in a random sample and via anecdotes, is in bad shape. We are not prepared.

[Video: The Company Man]

The video is 30 minutes but worth it for training your team. Now a question.

What is the technical difference between a Speaker (thump thump) and a Microphone (can you hear me now?)?

NOTHING. There is no difference between a speaker, headphones or microphones. No. Difference. At. All. None.

Significance:

Plug your headset into the microphone jack on the stereo and poof – you have a mic.

Why do you care? Because your employees are relaxing after work at the local vegan cafe, just unwinding, spending 20 minutes at the salad bar, and nearby people hypothetically might get bored. “Hackers aren’t vegans,” you say, “so it can’t happen here.”

Mics vs. speakers – the answer is anyone can just put their iPhone down with the headphones plugged in and record away. Especially if the marks are “extremely loud bar talkers” as these two were.

Identity? Well gosh, they left their credit card receipt detail side up, so I could helpfully straighten their table and take a quick photo of their info on the way to the restroom.

How does this impact you? Well, these two gentlemen next to me are clearly in town for a conference. Still wearing lanyards with Fortune 500 company logos? Accents. Of course, we’re either the first or second most diverse city in the USA.

Again, it’s Houston – we know what’s going on. Houston is all about the back channel. And once you’re dialed in? Well, it’s kinda like the matrix. Seriously – why else would millions of people live in a paved-over swamp with the moniker “The Bayou City”?

Back to the situation at hand. These fools are spouting corporate secrets next to me because I have headphones on and my audio turned off.

I’m white hat so no, I did not record anything and will not inform their companies nor will I inform them. No I did not take a detailed photo of their receipt although it sits just to my right at the moment as it has for 10 minutes.

Honestly I have other battles to fight. And so do you. Yet make no mistake – if they had revealed some anti-American activity I would have arranged for them to meet up with some of my friends who love America as much as me and my friends know how to handle such matters delicately.

This blog post is simply an anecdote, a story that is true, of knuckle-heads who weren’t thinking before they spoke.

As for companies that employ people, what are our options? First the obvious: we can try to hire for common sense. Then you can train and test. I do drills to test our team.

Big picture? What will work best? Dunno. I do know ignoring the issue of human hacking /social engineering isn’t the solution.

To repeat, we know humans are the weak link because I’ve tested it with my own company and as a paid approved pentester at the request of some of our clients. I’ve unfortunately been 100% successful in finding security holes in my pre-approved and client authorized tests.

Even when the employees KNEW ahead of time that someone was testing the systems, I’ve yet to fail to find an opening, and honestly I’m not that good at the whole pentesting thing… like I don’t have the best tools or an infinite budget or even a good lock pick set with a proper bump key.

In other words – I’m an amateur at best, and only to protect my own clients.

But sheesh, a little reality training would go a long way with folks like this. The humans are almost always the weak point. I was in one restaurant and they said “ya, the Internet has been spotty for days.” I said “well maybe I can help. Would you mind taking photos of the front, back, connections and the serial number on your router and I might be able to fix it.”

I still have the photos on an encrypted drive somewhere. My point is I didn’t misrepresent myself as a Comcast employee or whatever. I just said I was a customer and that I might be able to help.

Back to our main storyline. It is YOU, the management team and every employee who is handling YOUR company’s data. It should take more than sitting down next to two guys drinking IPAs for me to even have the opportunity to gather that type of intel.

And the router example where the waiter literally texted me all of the technical specs of the router? xOMG, no excuse.

In the various circumstances I fixed their internet, got their credit card processing systems working again, reset passwords with upper management’s permission. I did what I would do with my own family’s business. 

What did happen is that even with permission and weeks of advance notice, zero clients or friends have had any network my team has tested properly secured. It was not barriers already installed that blocked us. On the rare occasion we were too impatient to power through something (which we can do), it was laziness; we simply were tired and wanted to go home. So we’d just ask a manager and say it was part of the test. Seriously.

Grok that. Leaders at a company who were specifically told who we were, that we were there to test network security, that it was serious and they were to block us in every way possible. Those managers would give us the keys to the kingdom if I asked the right way. (The “right way” is vague on purpose. I’ll do another post on that one later.)

Perhaps the scariest part is that I personally was never impeded by even the most basic security training for these employees or their own intellectual “well duh I shouldn’t do that” factor. In every instance if I hit a roadblock they helped me bypass any remaining obstacles.

  1. Train. Train. Train your people.
  2. Know, don’t expect but know they will get in. So shrink the attack vectors and restore from a known clean backup regularly.
  3. Try not to get anyone fired. The business owner would have been just as clueless.

—————–

PS – for the curious, the fastest network break-in I’ve ever done? 5 minutes. The owner asked us to test his network security. I agreed and we agreed on a price (remember this guy didn’t know me from Adam). Then I said “of course we’ll need your login to monitor how the red team is doing.” He then just blurted out his username/password for the network and for his email. And assured us it wouldn’t be a problem with anything else because he always “used the same password.” Gosh. We printed nice reports and pounded sand for a few days, but it was the fastest… whatever you want to call it.

PPS – I bet if you owned stock in that corporation and liked the CEO you’d call it a hack. Similarly if a black hat, you’d call it like it was.

RIP Ian Murdock – you will be remembered

RIP Ian Murdock, founder of Debian Linux which is what powers Tendenci. Without his work in the Open Source Community there could be no Tendenci Membership Software. This is a sad way to end 2015, but I would like to think Ian would want us to continue to invent and create greater freedom and transparency in the world.

I am not good at wording such a tragedy, so I will leave you with the respectful post on the Debian project blog and links to some news stories on the topic.


best, or possibly worst, explanation of subnet masks ever

Trying to explain subnet masks inside our company chat system, and this was the result. It is either the best, or possibly the worst, explanation of subnet masks and IP addresses ever. So there is that.

Credits: Images from this on IPV4 CIDR
http://www.sput.nl/internet/cidr-routing.html

My #knowledgeshare began like this and went down from there. But the actual IP is definitely about to be blocked. Hence I changed the IP to something ridiculous to protect the GUILTY:

after hours #knowledgeshare

the IP is 192.168.1.30 but I *only* want to block that one IP so I used a ‘subnet mask’ of 32 which looks like this

192.168.1.30/32  (not the real IP but you get the idea)

Because on the surface /32 makes NO SENSE AT ALL! Why? Because masks are binary. Obviously, right?

If you look at it in binary a pattern emerges like this big chart which also looks a bit scary.

[Image: IPv4 subnet mask in binary. IPv4 table from http://www.sput.nl/internet/cidr-routing.html]

Think of the zero’s as “hey you are cool man. come on into the party dude!” and the ones are like “oh hell no you aren’t getting in here!”

So the 1’s are the “mask” in a subnet mask.

Visualized another way it looks like the following party-pic. These guys are PARTYING HARD with 256 IPs.

[Image: IP binary subnet mask]

But you know, first you can’t have a zero IP address, so you can’t use 192.168.1.0. Then you’ve got the supervisor (router) who gets the first IP in the block (e.g. 192.168.1.1 is the router in 192.168.1.0/255.255.255.0).

Then you have the drunk screamer – that is the broadcaster. Think Robin Williams in Good Morning Vietnam! This guy, the biggest in the subnet, gets the last number.

In our example subnet that is 192.168.1.255 (remember IPs start at 0, thus 0 to 255 = 256 IPs). Anyway, this guy –> “192.168.1.255” is the guy who is like HEY WHO THE HELL IS IN HERE!!!?!?!?! And now everyone has to reply, because they are screaming and we all have to answer!

So that leaves 254 available host IPs in this block (256 minus the router and the broadcast address = 254). Further, by convention you typically don’t assign the .0 IP, so that really leaves 253. Basically the /24 mask looks like this:

Binary   11111111111111111111111100000000
Hex      FFFFFF00
Octet    255.255.255.0   (8 host bits, 2⁸ = 256 addresses, written /24)

/#endKnowledgeShare/
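As an added illustration (mine, not part of the original knowledgeshare), the Python script below uses the standard library ipaddress module to produce the binary, hex and dotted forms of a mask, count addresses the way the post does (total, usable, and what is left once the router takes the first address), and show the mask doing its job: an address is in the block when ANDing it with the mask gives the network address, which is why a /32 rule matches exactly one host. It goes slightly beyond the post by also handling /31 and /32, where there is no separate network or broadcast address.

```python
"""
Added example (not from the original post): expand a CIDR prefix into the
binary / hex / dotted-quad forms from the chart, and count addresses the
way the #knowledgeshare above does. Standard library only.
"""
import ipaddress


def describe(cidr: str) -> dict:
    """Mask, block boundaries and host counts for an IPv4 CIDR string.

    strict=False lets a host address such as 192.168.1.30/24 resolve to its
    enclosing block instead of raising an error.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    mask_int = int(net.netmask)
    host_bits = 32 - net.prefixlen          # the zeros: "come on in"
    total = 2 ** host_bits                  # same as net.num_addresses
    # .0 (network) and the broadcast address are not assignable in /30 and
    # shorter blocks; /31 and /32 have no separate network/broadcast address.
    usable = total if net.prefixlen >= 31 else total - 2
    if net.prefixlen >= 31:
        first_host = net.network_address
    else:
        first_host = net.network_address + 1
    return {
        "prefixlen": net.prefixlen,
        "host_bits": host_bits,
        "mask_binary": format(mask_int, "032b"),   # the ones are the "mask"
        "mask_hex": format(mask_int, "08X"),
        "mask_dotted": str(net.netmask),
        "network": str(net.network_address),      # the .0 nobody gets
        "first_host": str(first_host),            # by convention, the router
        "broadcast": str(net.broadcast_address),  # the drunk screamer
        "total": total,
        "usable_hosts": usable,
        # the post's count: everything except .0, the broadcast and the router
        "assignable_hosts": usable - 1 if net.prefixlen < 31 else usable,
    }


def in_block(cidr: str, ip: str) -> bool:
    """The mask in action: AND both addresses with the mask and compare.

    A firewall rule written as 192.168.1.30/32 matches exactly one host;
    the same rule as 192.168.1.0/24 would match all 256 addresses.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    mask = int(net.netmask)
    probe = int(ipaddress.IPv4Address(ip))
    return (probe & mask) == (int(net.network_address) & mask)


if __name__ == "__main__":
    for rule in ("192.168.1.30/32", "192.168.1.0/24"):
        info = describe(rule)
        print(f"{rule}: mask {info['mask_dotted']} = {info['mask_hex']} "
              f"= {info['mask_binary']}")
        print(f"  {info['total']} addresses, {info['usable_hosts']} usable, "
              f"first host {info['first_host']}, broadcast {info['broadcast']}")
        for probe in ("192.168.1.30", "192.168.1.31"):
            print(f"  {probe} matches? {in_block(rule, probe)}")
```

Run it as a script to see both the single-host /32 rule from the post and the full /24 block side by side; the two probe addresses show why the /32 version blocks only the one IP.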


Proprietary to Open Source: Giving Away Six Million Is Hard

I have the privilege of speaking at SXSW tomorrow morning at 9:30 AM. I first gave the talk on converting our software from proprietary to open source at SXSW V2V in 2014. While much of the message is the same, I’ve been through more, learned more, made even more mistakes and learned from them, and I’d love to help other leaders AVOID my mistakes.

Proprietary to OS: Giving Away Six Million Is Hard

http://schedule.sxsw.com/2015/events/event_IAP42324


The journey for Tendenci going to Open Source seemed like it was going to be simple. Nothing could be further from the truth. It was very hard, and it cost me a lot of relationships, friendships, and employees whose potential I felt we hadn’t even begun to push yet. And as I type this, Tendenci is emerging from a crisis with EOL (End of Life) for our old proprietary version – the last cord that needed to be cut. We just thought we would dictate the timeline, when in fact that hasn’t been the case.

There is a huge gaping hole in the market for The Open Source Solution for Associations, non-profits and NGOs. Because internationally, price is a very real issue, and if we want to make change there has to be a free option that is multilingual, multicultural and affordable. Yes, there is still a TCO for FOSS software, but nothing like the costs of proprietary software. And in my opinion Linux is more secure than the competition, which isn’t just a benefit, it is a crucial requirement if you are using open source software in a country that snoops on your communications.

You must control your data. And over the last several years we have seen our P&L dip negative for the first time and now slowly come back up into the black. And the trend continues as you simply can’t compete with passionate people working on a solution and sharing resources.

But my talk tomorrow is about the transition. What have I learned that I can help others with. That is my goal. To serve the audience. To help you be smarter than me when it comes to navigating through the transition. Because it isn’t “going open source”. It’s taking a “proprietary mindset” and changing it into an “open mindset” and that can, quite frankly, be terrifying to many of us.

And I’ll leave with a photo from Austin from last night as SXSW is many things, and one of them is beautiful. Hopefully my talk will add to everything that is sxsw as that is my goal. It’s corny, but I really do want to make the world a better place.

#peace

Apple’s switch to SMB2 with Maverick and Developing with VMWare and Ubuntu

On Tendenci development configuration…. Through one of the thousands of sources of input that hit me in a given week between websites, newsletters, other programmers, employees and random people I talk to, it finally clicked with me the significance of Apple switching to SMB.

OK, to back up for non-geeks. Computers talk to each other and to devices like printers using common protocols. Microsoft, going back to its modifications to DOS, has used SMB. (Skipping a bunch of history here.) Fast forward to a few weeks ago when Apple released OSX Maverick for free. In the release of Maverick everyone talked about how it was FREE. They are giving away the software counting on us to buy the hardware. OK, I get that.

What they also did was drop their own network protocol, Apple Filing Protocol (AFP), and switch to Microsoft’s SMB. Wait, what? Why?

Well, first Apple made their OSX Server software $50 in the app store. A comparable server software package from Microsoft is $2500. So I purchased a Mac Mini server. Sadly, with even 35 users it wasn’t that fast. AFP is slower than SMB, I’m told. But they could have improved AFP. Instead Apple made the switch to SMB. This not only speeds up their server but, most importantly, it allows Macs to connect to local area networks managed by Microsoft servers without any extra software or tech support needed.

Apple is moving into corporate America folks.

Apple owns the home/consumer market in my opinion, even if I have an android phone our house is full of mostly Macs. 1 or 2 PCs or Linux but mostly Macs. Our company is already fully switched to Macs and Linux and the Cloud. But a lot of companies have not. I’ll leave predictions of Apple’s strategy to break into the Fortune 500 to reporters far more qualified than me.

What I do know as a programmer is that my life just got a LOT easier.

/back to geek speak/ We program on Linux but use Mac laptops. So we are always connecting back and forth, which is a pain. And developing locally, on an airplane for example, I need virtual Linux machines that run on my local computer. For that I used to use Oracle’s open source VirtualBox, but it’s too slow on a Mac IMHO. I tried VMware Fusion 6 and apparently they have a deal with Apple allowing direct access to the hardware. All I know is that VMware is MUCH faster than VirtualBox or Vagrant. And I’m impatient, so I’ll pay the $70-ish for VMware Fusion.

Previously, sharing folders between my local Mac (the host) and a virtual Linux machine running on VMware (the guest) required me to set up sharing through VMware. This gets complicated. Your host folders are mapped to /mnt/hgfs/ inside of Linux. If you symlink into a project and install software, given it is a symlink, that means your files will still install in the /mnt/hgfs/ folder. For example:

Project folder path to virtualenv inside of Linux 12.04 LTS might be:
/var/www/projects/mydjangoproject/venv/
Linking from VMware Fusion you would create a share perhaps similar to
/mnt/hgfs/shares/projects/mydjangoproject/venv/
that pointed to your virtual environment folder.

Because this is a symlink, if you install a virtualenv, for example, the paths it records follow the symlink. So a “which python” gets you something in the /mnt/hgfs/shares/projects/ folder instead of /var/www/projects/mydjangoproject/venv/. This makes portability a problem.

Samba to the rescue. The above method required configuring the virtual machine through VMware Fusion, which slows down designers, and it doesn’t easily port to VirtualBox or Vagrant. You can make magic happen by using Samba:
https://help.ubuntu.com/12.04/serverguide/samba-fileserver.html

Install it in the guest OS (Ubuntu 12.04 for me) and set up your /etc/samba/smb.conf file with something similar to this:

[www]
; share name as it appears to the Mac host
path = /var/www
browsable = yes
writable = yes
; guest ok = yes means anyone who can reach the VM connects without a password;
; fine for a NAT-only dev VM, see the security note below
guest ok = yes
read only = no

Restart your VM and, magically, the local VM shows up under “Shared” in the Finder sidebar on the Mac.

Lastly, for the programmers out there: for security, do a bit more research before using anything other than NAT for your local VM’s networking. You have to configure file sharing security on the Mac host, Samba sharing security via smb.conf, and chmod/chown permissions on the folders and files inside the Linux guest. While it might be tempting to just blow down the house with 755, remember that whoever takes that image might bridge the adapter and… well, that would be your fault. So be careful out there kids.
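As an added example (mine, not from the post or the Samba project), here is a small Python check that parses smb.conf share definitions and flags the pattern in the [www] share above, guest ok = yes combined with a writable share, with a restricted [www-hardened] variant beside it for comparison. The sample config is constructed for the demo and the devuser account name is an assumption. It covers only the smb.conf layer; host-side sharing on the Mac and chmod/chown inside the guest still need their own review.

```python
"""
Added example, not from the original post: audit smb.conf share definitions
for guest-accessible shares and show the hardened form of the post's [www]
share. Standard library only; the config text below is constructed.
"""
import configparser
from typing import Dict, List

# Constructed sample: the post's [www] share next to a restricted variant.
# Samba comments are whole lines starting with ';' or '#'.
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
; failed logins are rejected rather than mapped to the guest account
map to guest = never

[www]
path = /var/www
browsable = yes
writable = yes
; anyone who can reach the VM connects without a password
guest ok = yes
read only = no

[www-hardened]
path = /var/www
browsable = yes
writable = yes
; authentication required, and only this Samba user (assumed name) is admitted
guest ok = no
valid users = devuser
"""

_TRUE = {"yes", "true", "1"}


def _flag(section, key, default):
    """Samba-style boolean: yes/true/1 are true; a missing key -> default."""
    val = section.get(key)
    return default if val is None else val.strip().lower() in _TRUE


def _is_writable(section) -> bool:
    """Samba defaults to read only = yes; writable/writeable are its inverse."""
    if "read only" in section:
        return not _flag(section, "read only", True)
    return _flag(section, "writable", False) or _flag(section, "writeable", False)


def share_flags(text: str) -> Dict[str, dict]:
    """Parse smb.conf text and summarise the access settings of each share."""
    cp = configparser.ConfigParser(
        strict=False,          # Samba tolerates repeated keys
        interpolation=None,    # '%' is Samba's own substitution syntax
        delimiters=("=",),
        comment_prefixes=("#", ";"),
    )
    cp.read_string(text)
    shares = {}
    for name in cp.sections():
        if name.lower() == "global":
            continue
        s = cp[name]
        shares[name] = {
            "path": s.get("path", "<no path>"),
            # "public" is Samba's synonym for "guest ok"
            "guest": _flag(s, "guest ok", _flag(s, "public", False)),
            "writable": _is_writable(s),
            "valid_users": s.get("valid users"),
        }
    return shares


def audit(text: str) -> List[str]:
    """One finding per share that lets unauthenticated users in."""
    findings = []
    for name, f in share_flags(text).items():
        if f["guest"] and f["writable"]:
            findings.append(f"[{name}]: anonymous write access to {f['path']}; "
                            "set 'guest ok = no' and list 'valid users'")
        elif f["guest"]:
            findings.append(f"[{name}]: anonymous read access to {f['path']}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SMB_CONF) or ["no guest-accessible shares"]:
        print(line)
```

Run it as a script to see the findings for the sample, or call audit() on the contents of /etc/samba/smb.conf in your guest. With the sample above it reports only [www]; the hardened share passes because guest access is off and access is limited to a named user.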

Still, loving the fact that my directory structures can be identical, that I can pass off a vmware image to a colleague and it JUST WORKS. Dreamweaver edits, bash, git, whatever. Between SSH and the adobe suite you are now all powerful to make better looking applications using better software. Rock. On.

simplify, because I can see why Cal hates Django even if I love it

Yes I love Django and Tendenci has been rewritten fully on the Django framework. Open Source as well. (Go install it and tell us what you think.)

But there are days…. like right now…. like right this instant…. there are days when instead of doing big things I’m fighting inconsistent namespaces between apps for no reason. We have PEP. But nobody thought to go “ya, let’s just always call this one ‘title_block’ in the base.html template”? Or no hook to a global template on a site? Or standard theme definitions? For all the beauty I see in Django, some days I feel like I’m revisiting 2001 and setting up conventions. We don’t have to lock in like Rails; we don’t have to lose flexibility to gain efficiency.

You still can’t easily sequence the loading of installed apps for packages as well as your local apps (better get ReportLab in the right spot or else!), so you roll your own. There are days I struggle with deployment even though those smarter than me have written scripts to help. New employees just deploy straight to databases on Heroku or use SQLite locally, never getting the errors in South that a real user would get trying to set up their own server somewhere between the cloud and non-production.

And then there are the days I see 100+ queries go by on the debug toolbar on a page that used to only need 7. And everyone just says “cache it” as if the calamine lotion will cover up the rash of inefficiency.

Don’t get me wrong, I’d rather walk on broken glass than convert to PHP. (yes let the flame war begin). But …. but …. I’m a big enough kid to find myself laughing out loud at this keynote called “Why I Hate Django” by Cal Henderson.

Oh yes, I really do believe the future is Python and Django. I’ve bet the farm on it, as they say. And if Facebook has to compile PHP basically into C++, then all of us will face these problems at scale.

Yet can we all just admit that we can and should improve our conventions, our namespaces, our theme standards, and remove the incentive for programmers to keep removing the local_settings.py file from the root of the /conf/ or site folder? Use manage.py runserver or foreman start? That’s kind of a big question if it changes the way you load your environment variables. We are creating a learning curve that will send all but the most stalwart young programmer back to PHP.

I don’t even consider myself a “real” Django programmer yet as I keep having to look up syntax. But having written one web framework that has stood the test of time, and now working with the team who is rewriting it, I see danger in them hills. The danger of not keeping things simple enough.

Technology and Crisis Communication Panel at SXSW. Vote?

SHORT VERSION:

Please vote for my panel at SXSW DON’T PANIC – The Geek’s Guide to the Next Big Crisis

LONG VERSION:

A little more than four years ago I wrote my first blog post. It was about the need for a form of Emergency RSS. We can share celebrity gossip headlines through feed readers faster than we could use technology to respond to a crisis. And this was an important point, as I started blogging in 2005 right after, and in response to, a need to share after Hurricane Katrina.

[Photo: Katrina Lower 9th Ward]

Crisis response and crisis communication has always been a passion of mine, and seeing our government’s mostly failed response in New Orleans compelled me to start blogging and contributing where I could.

Running the company, I chose to stay in town during the Hurricane Rita evacuation. While Rita did not hit Houston, instead crushing the Gulf Coast near Beaumont with little news coverage in the wake of Katrina, we did learn from the Rita evacuation. We used a wiki page on Tendenci (our software) to track down all employees. Employees on the road, which for some of them was 10 to 20 hours during the evacuation, would text their managers, who then updated the wiki to account for everyone. We quickly knew everyone was OK.

Then last year we prepared for Hurricane Ike, which went over our town. When the storm hit, the ONLY thing that worked was SMS messaging. No power, no water, no data, no TV. Just radio and text messaging.

[Photo: Hurricane Ike hits at night]

Luckily we had set up a product called Yammer, which is like Twitter for your company (and they have a business model), and we were able to keep in touch. Data services, which is what your cell phone depends on to get to web pages, went down. Voice went down. The only thing that allowed us to keep in touch with all of our employees and their families was text messaging, sent directly and through Yammer.

We learned a lot about the role of tech in a crisis combined with human behavior. Example – an employee’s cell phone would die. They would use someone else’s cell to text a message to their manager saying “we are OK and staying near College Station”. Except that is ALL they would say. We didn’t recognize the number and had no idea WHO sent it! The solution was to train all of our people to put their NAMES at the end of each text message. Seems like a small thing. It is. But it makes it possible to do a head count!

Since 2005 our firm now does the web site for the Houston Red Cross and Reliant Park, both of which are key for Houston Emergency Response planning. We have the privilege of working with Firestorm Crisis Communications and Preparedness and long time clients like crisis communicator Dan Keeney. I have attended Netsquared Houston meetings when David Geilhufe taught us about People Finder Information Format. And I work with people like Jonti and Katie who have helped all of us set up our ICE cards for our families.

Now I need your help. I’d like to continue the dialog on Social Media and Emergency Response. What IS the role of twitter beyond updates? What are the alternatives for Yammer? Is there a cost effective solution for businesses and families? We have come a long way, so let’s talk about it.

PLEASE VOTE AND COMMENT on this SXSW Panel I hope to moderate. Without your vote and your comments the panel might not make it. And I believe in this topic too much to see that happen. Spare a minute? Please VOTE!

DON’T PANIC – The Geek’s Guide to the Next Big Crisis

Are you and the people you care about prepared? Our panelists will share their crisis stories and tell you how to be ready, both online and offline. PFIF, Yammer, Facebook and iPhones – the technology and strategy is there and getting better, so let’s take it to the next level.

  1. How does emergency response and communication relate to the Web? Do developers and small business owners really need to care about Crisis Communication?
  2. How can our emergency teams (fire, ambulance, police, etc.) benefit from standardized data sharing? What can I do about it?
  3. What does the rise of Mobile Web mean for the next natural disaster or other catastrophe?
  4. What tools (Web, mobile and otherwise) are out there right now that my family, friends and company should be using now?
  5. As a geek, what are 5 things you should do TODAY to keep your family safe and your business running when disaster strikes?
  6. If practice makes perfect, what kind of drills and regular training should your business be doing right now that won’t break the bank or kill your billable hours?
  7. What are some of the technical lessons we learned from Hurricane Katrina?
  8. Tech and communication stories and lessons from Virginia Tech, Hurricane Ike and beyond…
  9. What is a crisis to you and how do you strategically and technologically deal with it internally and for the rest of the world to see?
  10. How can you best identify your strongest and most reliable communicators and rock stars during times of crisis? How do you deal with employees that book it and vendors that disappear?

Why am I doing this?

Well, it isn’t for business as I have no financial ties to yammer or twitter or any other messaging services. Tendenci is a content management system that powers associations and sites like the Houston Red Cross, but they are already customers. And ANY emergency response technology must be open source for maximum adoption long term. I just believe passionately in our need to share information and I think technology can help with crisis communication. Social media sites like Facebook and Twitter bring a lot to the table. If you, like me, are passionate about this, please vote for the panel “DON’T PANIC – The Geek’s Guide to the Next Big Crisis” and I hope to see you in Austin next March!

BMC Goes Open Source? – Whurley on board!

[Photo: IMG_0522.JPG, originally uploaded by whurley]

I found out at SXSW that BMC may take portions of their systems management software open source in the future. From the press release:

“BMC really understands the value and benefits of open source,” said Hurley.  “The company is defining the future of systems management with BSM, eliminating complexity in the IT infrastructure, and aligning IT with business.  BMC’s leadership and clear BSM vision, combined with the company’s interest in doing open source correctly, is absolutely something I wanted to be a part of.” (more)

Link and emphasis added by me. A couple of thoughts on this. So far we have only the intent. But hiring Whurley is a big step for a company like BMC. So I will keep on the lookout for the official source code available for download. And I am not the only one surprised. From this post on 451.

I wouldn’t have guessed that it would be BMC to make the first move. IBM with Tivoli seemed like the natural play due to IBM’s history with open source. HP and CA were less clear, but BMC? This is an interesting move that will have repercussions in the software management sector.

Now – the press release clearly was written by a PR guy. Whurley doesn’t talk like that. And they didn’t link to his blog, so that looks like corporate speak. But I did talk to him at Barcamp Austin and he IS very excited about his role at BMC and the open source moves by BMC.

Now for the bad news. To play the devil’s advocate, this could also be a shrewd move on the part of BMC to reduce the threat to their very profitable line of software from the Open Management Consortium, where Whurley is very active. So only time will tell.

Last thought. That picture. Whurley with the shot lady at Barcamp. Because friends pick ridiculous photos of you to go with big announcements about open source software. <grin>